From 9238d539b1bdf309c978ce60576c53749c05c8b2 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 12 Mar 2026 13:58:16 -0500 Subject: [PATCH 1/2] fix: build host policy: fail2ban install requires epel-release for all redhat-based platforms Ticket: ENT-13804 Changelog: none --- ci/cfengine-build-host-setup.cf | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/ci/cfengine-build-host-setup.cf b/ci/cfengine-build-host-setup.cf index 03e34d297..81d873ef6 100644 --- a/ci/cfengine-build-host-setup.cf +++ b/ci/cfengine-build-host-setup.cf @@ -126,16 +126,14 @@ bundle agent cfengine_build_host_setup "xfsprogs"; # note that shellcheck, fakeroot and ccache require epel-release to be installed - !(redhat_8|centos_8).(redhat|centos).(yum_dnf_conf_ok):: +# epel-release is installed by distribution package in rhel-7 and by URL for rhel-8+ later in commands section + (redhat_7|centos_7).(yum_dnf_conf_ok):: "epel-release" - comment => "centos-8/rhel-8 at least in AWS has no epel-release package to install so later we will install with downloaded rpm from dl.fedoraproject.org"; + classes => results( "bundle", "epel_release" ); - !(redhat_7|centos_7|redhat_8|centos_8).(yum_dnf_conf_ok):: - "fail2ban" - comment => "Ban IPs with repeated failed SSH auth attempts"; - (redhat_7|centos_7|redhat_8|centos_8).(yum_dnf_conf_ok):: + !(redhat_7|centos_7).(redhat|centos).(yum_dnf_conf_ok).epel_release_ok:: "fail2ban-server" - comment => "Ban IPs with repeated failed SSH auth attempts. On centos-7 .noarch must be specified as there are conflicting sub-packages attempted with legacy packages promise as fail2ban-*.*."; + comment => "Ban IPs with repeated failed SSH auth attempts. On centos/rhel 8+ we must specify individual packages instead of just fail2ban as package method will append -*.* which would include conflicting shorewall and shorewall-lite packages."; "fail2ban-sendmail"; "fail2ban-firewalld"; "ccache"; 
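Review bot: The new guard `!(redhat_7|centos_7).(redhat|centos).(yum_dnf_conf_ok).epel_release_ok::` excludes rhel-7/centos-7, and the removed `(redhat_7|centos_7|redhat_8|centos_8)` branch was what installed `fail2ban-server` there. As far as this hunk shows, el7 build hosts therefore lose SSH brute-force banning, along with the `fail2ban-sendmail`, `fail2ban-firewalld` and `ccache` entries that sit under the same guard. If that is unintended, drop the negation so the guard reads `(redhat|centos).(yum_dnf_conf_ok).epel_release_ok::`. If it is intended, state it in the `comment`, because the subject line promises "all redhat-based platforms". The packages section continues outside the hunk, so another promise may still cover el7.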
@@ -218,7 +216,8 @@ bundle agent cfengine_build_host_setup "yum_conf_ok" expression => "any"; # rhel/centos-6 and 7 do not support --nobest or best property in yum.conf redhat_8|centos_8:: "have_fakeroot" expression => returnszero("command -v fakeroot >/dev/null", "useshell"); - "epel_release_installed" expression => returnszero("yum info --installed epel-release", "useshell"); + (redhat|centos):: + "epel_release_ok" expression => returnszero("yum info --installed epel-release", "useshell"); (redhat_8|centos_8).have_perl:: "have_data_dumper" expression => returnszero("cpan -l | grep Data::Dumper", "useshell"); "have_data_dumper_names" expression => returnszero("cpan -l | grep Data::Dumper::Names", "useshell"); @@ -254,9 +253,10 @@ bundle agent cfengine_build_host_setup (redhat_8|centos_8).!have_fakeroot:: # special fakeroot, missing from _8 an d up? "sudo rpm -iv https://kojipkgs.fedoraproject.org//packages/fakeroot/1.23/1.fc29/x86_64/fakeroot-1.23-1.fc29.x86_64.rpm https://kojipkgs.fedoraproject.org//packages/fakeroot/1.23/1.fc29/x86_64/fakeroot-libs-1.23-1.fc29.x86_64.rpm" contain => in_shell; - (redhat_8|centos_8).!epel_release_installed:: - "yum install --assumeyes https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm" - comment => "TODO: check a sha for the epel-release-latest-8.noarch.rpm file", + (redhat|centos).!(redhat_7|centos_7).!epel_release_ok:: + "yum install --assumeyes https://dl.fedoraproject.org/pub/epel/epel-release-latest-${sys.os_version_major}.noarch.rpm" + comment => "rhel-7 installs this with a packages promise. TODO: check a sha for the download URL somehow?", + classes => results( "bundle", "epel_release" ), contain => in_shell; (redhat_8|centos_8).!have_data_dumper.have_perl:: "cpan Data::Dumper" From 5d523dbfba68e2e8ac88594f389961a4183092d6 Mon Sep 17 00:00:00 2001 
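Review bot: `epel_release_ok` is only ever set by this `returnszero("yum info --installed epel-release", ...)` probe. The `classes => results( "bundle", "epel_release" )` attributes added in the first and third hunks would, if `results` is the standard-library body, define `epel_release_kept`/`epel_release_repaired` rather than `epel_release_ok`. A host that installs epel-release during a run then probably does not satisfy the fail2ban guard until a later run, since the probe is evaluated before the install and function results are normally cached within a run. Consider letting the fail2ban guard accept the outcome classes as well, e.g. `(epel_release_ok|epel_release_kept|epel_release_repaired)`. A comment on the probe, `# epel_release_ok gates the EPEL-only packages (fail2ban-*, ccache) above`, would help too.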
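Review bot: The widened guard `(redhat|centos).!(redhat_7|centos_7).!epel_release_ok::` now runs `yum install --assumeyes https://dl.fedoraproject.org/pub/epel/epel-release-latest-${sys.os_version_major}.noarch.rpm` as root on every non-el7 host, and that package delivers the EPEL repo definition and signing keys, which every later EPEL install trusts. With default yum/dnf settings a package given by URL is not signature-checked (`localpkg_gpgcheck` is off), so integrity rests on TLS to the download host alone. Because `-latest-` is a moving target, the sha in the TODO cannot be pinned. Verifying the signature is stable across releases: import a vetted EPEL public key kept in this repository, `rpm --import <path-to-vetted-EPEL-key>` (placeholder path), and add `--setopt=localpkg_gpgcheck=1` to the install command. The guard also matches other major versions such as el6, where a `-latest-` file may no longer exist at that URL, so the command would fail on every run there.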
From: Craig Comstock Date: Thu, 12 Mar 2026 22:57:09 -0500 Subject: [PATCH 2/2] fix: Adjusted build host policy to install jdk once Ticket: ENT-13804 Changelog: none --- ci/cfengine-build-host-setup.cf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/cfengine-build-host-setup.cf b/ci/cfengine-build-host-setup.cf index 81d873ef6..1739e3a13 100644 --- a/ci/cfengine-build-host-setup.cf +++ b/ci/cfengine-build-host-setup.cf @@ -209,7 +209,7 @@ bundle agent cfengine_build_host_setup linux:: "have_tmp_mount" expression => returnszero("mount | grep '/tmp'", "useshell"); "have_coredumpctl" expression => returnszero("command -v coredumpctl", "useshell"); - "missing_opt_jdk21" expression => not(fileexists("/opt/jdk-21.0.8")); + "missing_java" expression => not(fileexists("/usr/bin/java")); (redhat|centos).!(redhat_6|centos_6|redhat_7|centos_7):: "yum_conf_ok" expression => returnszero("grep best=False /etc/yum.conf >/dev/null", "useshell"); redhat_6|centos_6|redhat_7|centos_7:: @@ -246,7 +246,7 @@ bundle agent cfengine_build_host_setup "sysctl kernel.core_pattern='|/lib/systemd/systemd-coredump %p %u %g %s %t %e'" -> { "ENT-12669" } comment => "Ensure that core_pattern is proper for systemd-coredump if coredumpctl is present.", contain => in_shell; - missing_opt_jdk21:: + missing_java:: "sh $(this.promise_dirname)/linux-install-jdk21.sh" contain => in_shell; (redhat_7|centos_7|redhat_8|centos_8|redhat_9|redhat_10).(!have_development_tools).(yum_dnf_conf_ok):: "yum groups install -y 'Development Tools'" contain => in_shell;
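Review bot: `"missing_java" expression => not(fileexists("/usr/bin/java"))` is satisfied by any Java at that path, including an older distribution JDK. On such hosts `linux-install-jdk21.sh` (second hunk, `missing_java::`) is skipped and the build silently uses a different, possibly unpatched, Java version. If JDK 21 is what the build needs, probe for it, for example with a `returnszero` check on `/usr/bin/java -version` output matching major version 21, or keep testing the install location through a version-independent path. If any Java really is acceptable, say so in a comment next to the class. The install script is outside this diff, so whether it creates `/usr/bin/java` cannot be confirmed here. If it does not, the command will rerun on every agent run.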