initial lift to 18.04

ewdurbin · ewdurbin · commit 8d621fdaf0b0 · 2019-02-13T12:10:59.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
 /pillar/prod/secrets
+/ubuntu-bionic-18.04-cloudimg-console.log
 
 *.py[cod]
 
diff --git a/Vagrantfile b/Vagrantfile
@@ -30,7 +30,7 @@ MASTER2 = "#{SUBNET2}.2"
 
 
 Vagrant.configure("2") do |config|
-  config.vm.box = "ubuntu/trusty64"
+  config.vm.box = "ubuntu/bionic64"
 
   config.vm.define "salt-master" do |s_config|
     s_config.vm.hostname = "salt-master.vagrant.psf.io"
@@ -47,8 +47,8 @@ Vagrant.configure("2") do |config|
 
     # Provision the salt-master.
     s_config.vm.provision :shell, :inline => <<-HEREDOC
-      wget -O - https://repo.saltstack.com/apt/ubuntu/14.04/amd64/latest/SALTSTACK-GPG-KEY.pub | apt-key add -
-      echo 'deb http://repo.saltstack.com/apt/ubuntu/14.04/amd64/latest trusty main' > /etc/apt/sources.list.d/saltstack.list
+      wget -O - https://repo.saltstack.com/py3/ubuntu/18.04/amd64/latest/SALTSTACK-GPG-KEY.pub | apt-key add -
+      echo 'deb http://repo.saltstack.com/py3/ubuntu/18.04/amd64/latest bionic main' > /etc/apt/sources.list.d/saltstack.list
     HEREDOC
 
     s_config.vm.provision :shell, :inline => <<-HEREDOC
@@ -77,13 +77,13 @@ Vagrant.configure("2") do |config|
       server = server_c[:name]
       roles = server_c.fetch :roles, [server]
       box = server_c.fetch :box, nil
-      codename = server_c.fetch :codename, "trusty"
+      codename = server_c.fetch :codename, "bionic"
       ports = server_c.fetch :ports, []
     else
       server = server_c
       roles = [server_c]
       box = nil
-      codename = "trusty"
+      codename = "bionic"
       ports = []
     end
 
@@ -101,16 +101,10 @@ Vagrant.configure("2") do |config|
       end
 
       # Provision the salt-minion
-      if codename == "trusty"
+      if codename == "bionic"
         s_config.vm.provision :shell, :inline => <<-HEREDOC
-          wget -O - https://repo.saltstack.com/apt/ubuntu/14.04/amd64/latest/SALTSTACK-GPG-KEY.pub | apt-key add -
-          echo 'deb http://repo.saltstack.com/apt/ubuntu/14.04/amd64/latest trusty main' > /etc/apt/sources.list.d/saltstack.list
-        HEREDOC
-      end
-      if codename == "xenial"
-        s_config.vm.provision :shell, :inline => <<-HEREDOC
-          wget -O - https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub | apt-key add -
-          echo 'deb http://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest xenial main' > /etc/apt/sources.list.d/saltstack.list
+          wget -O - https://repo.saltstack.com/py3/ubuntu/18.04/amd64/latest/SALTSTACK-GPG-KEY.pub | apt-key add -
+          echo 'deb http://repo.saltstack.com/py3/ubuntu/18.04/amd64/latest bionic main' > /etc/apt/sources.list.d/saltstack.list
         HEREDOC
       end
 
diff --git a/salt/_extensions/pillar/ca.py b/salt/_extensions/pillar/ca.py
@@ -123,18 +123,18 @@ def create_ca(cacert_path, ca_name,
     ca.set_pubkey(key)
 
     ca.add_extensions([
-        OpenSSL.crypto.X509Extension('basicConstraints', True,
-                                     'CA:TRUE, pathlen:0'),
-        OpenSSL.crypto.X509Extension('keyUsage', True,
-                                     'keyCertSign, cRLSign'),
-        OpenSSL.crypto.X509Extension('subjectKeyIdentifier', False, 'hash',
+        OpenSSL.crypto.X509Extension(b'basicConstraints', True,
+                                     b'CA:TRUE, pathlen:0'),
+        OpenSSL.crypto.X509Extension(b'keyUsage', True,
+                                     b'keyCertSign, cRLSign'),
+        OpenSSL.crypto.X509Extension(b'subjectKeyIdentifier', False, b'hash',
                                      subject=ca)])
 
     ca.add_extensions([
         OpenSSL.crypto.X509Extension(
-            'authorityKeyIdentifier',
+            b'authorityKeyIdentifier',
             False,
-            'issuer:always,keyid:always',
+            b'issuer:always,keyid:always',
             issuer=ca)])
     ca.sign(key, digest)
 
@@ -192,7 +192,7 @@ def create_ca_signed_cert(cacert_path, ca_name,
                 fp.read(),
             )
         not_after = datetime.datetime.strptime(
-            cert.get_notAfter(),
+            cert.get_notAfter().decode(),
             "%Y%m%d%H%M%SZ",
         )
         ttl = (not_after - datetime.datetime.utcnow()).total_seconds()
@@ -252,10 +252,10 @@ def create_ca_signed_cert(cacert_path, ca_name,
 
     cert.add_extensions([
         OpenSSL.crypto.X509Extension(
-            "keyUsage", True, "digitalSignature, keyEncipherment",
+            b"keyUsage", True, b"digitalSignature, keyEncipherment",
         ),
         OpenSSL.crypto.X509Extension(
-            "extendedKeyUsage", False, ", ".join(usage),
+            b"extendedKeyUsage", False, ", ".join(usage).encode(),
         ),
     ])
 
diff --git a/salt/base/repo.sls b/salt/base/repo.sls
@@ -5,24 +5,18 @@
     - dir_mode: 755
     - file_mode: 644
 
-
-apt-transport-https:
-  pkg.installed:
-    - order: 2
-
-
-psf:
-  pkgrepo.managed:
-    - name: "deb https://packagecloud.io/psf/infra/ubuntu/ {{ grains['oscodename'] }} main"
-    - file: /etc/apt/sources.list.d/psf.list
-    - key_url: salt://base/config/APT-GPG-KEY-PSF
-    - require:
-      - pkg: apt-transport-https
-
-# Make source list globally readable.
-/etc/apt/sources.list.d/psf.list:
-  file.managed:
-    - mode: 644
-    - replace: False
-    - require:
-      - pkgrepo: psf
+#psf:
+#  pkgrepo.managed:
+#    - name: "deb https://packagecloud.io/psf/infra/ubuntu/ {{ grains['oscodename'] }} main"
+#    - file: /etc/apt/sources.list.d/psf.list
+#    - key_url: salt://base/config/APT-GPG-KEY-PSF
+#    - require:
+#      - pkg: apt-transport-https
+#
+## Make source list globally readable.
+#/etc/apt/sources.list.d/psf.list:
+#  file.managed:
+#    - mode: 644
+#    - replace: False
+#    - require:
+#      - pkgrepo: psf
diff --git a/salt/base/salt.sls b/salt/base/salt.sls
@@ -4,13 +4,16 @@ python-requests:
 python-msgpack:
   pkg.latest
 
+python3-pip:
+  pkg.latest
+
 {% if grains["os"] == "Ubuntu" %}
 salt-2018.3:
   pkgrepo.managed:
     - humanname: repo.saltstack.org
-    - name: deb http://repo.saltstack.com/apt/ubuntu/{{ grains["osrelease"] }}/{{ grains["osarch"] }}/2018.3 {{ grains["oscodename"] }} main
+    - name: deb http://repo.saltstack.com/py3/ubuntu/{{ grains["osrelease"] }}/{{ grains["osarch"] }}/2018.3 {{ grains["oscodename"] }} main
     - file: /etc/apt/sources.list.d/saltstack.list
-    - key_url: https://repo.saltstack.com/apt/ubuntu/14.04/amd64/2018.3/SALTSTACK-GPG-KEY.pub
+    - key_url: https://repo.saltstack.com/py3/ubuntu/18.04/amd64/2018.3/SALTSTACK-GPG-KEY.pub
 {% endif %}
 
 
diff --git a/salt/dns/init.sls b/salt/dns/init.sls
@@ -1,5 +1,5 @@
-python-dyn:
-  pkg.installed
+dyn:
+  pip.installed
 
 
 {% set ipv4_addrs = salt["mine.get"]("*", "ipv4_addrs") %}
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
@@ -28,29 +28,17 @@
 
 iptables-persistent:
   pkg.installed:
-    {% if grains["oscodename"] == "xenial" %}
     - name: netfilter-persistent
-    {% else %}
-    - name: iptables-persistent
-    {% endif %}
 
   service.enabled:
-    {% if grains["oscodename"] == "xenial" %}
     - name: netfilter-persistent
-    {% else %}
-    - name: iptables-persistent
-    {% endif %}
     - require:
       - file: /etc/iptables/rules.v4
       - file: /etc/iptables/rules.v6
 
   module.watch:
     - name: service.restart
-    {% if grains["oscodename"] == "xenial" %}
     - m_name: netfilter-persistent
-    {% else %}
-    - m_name: iptables-persistent
-    {% endif %}
     - watch:
       - file: /etc/iptables/rules.v4
       - file: /etc/iptables/rules.v6
diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls
@@ -1,7 +1,3 @@
-include:
-  - monitoring.client.collectors.nginx
-
-
 nginx:
   pkgrepo.managed:
     - name: deb http://nginx.org/packages/ubuntu/ {{ grains.oscodename }} nginx
diff --git a/salt/ssh/configs/sshd_config.jinja b/salt/ssh/configs/sshd_config.jinja
@@ -49,7 +49,7 @@ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.
 # Note: We might need to add the SHA1 versions of these MACs for older clients
 # Note: Once https://github.com/paramiko/paramiko/pull/356 is released try to
 #       remove hmac-sha1.
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
 
 # Restrict ourselves to only secure KEXs
 # Note: We might need to add the DH-SHA1 versions of these MACs for older clients
diff --git a/salt/top.sls b/salt/top.sls
@@ -6,14 +6,12 @@ base:
     - base.repo
     - base.salt
     - base.sanity
-    - consul
     - groups
     - users
     - ssh
     - firewall
     - sudoers
     - backup.client
-    - monitoring.client
     - unattended-upgrades
     - tls
     - rsyslog
diff --git a/salt/users/init.sls b/salt/users/init.sls
@@ -40,7 +40,7 @@ include:
 
   user.present:
     - name: {{ user_name }}
-    - fullname: {{ user_config["fullname"].decode('utf-8') }}
+    - fullname: {{ user_config["fullname"] }}
     - home: /home/psf-users/{{ user_name }}
     - createhome: True
     - shell: {{ user_config.get("shell", "/bin/bash") }}

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`/pillar/prod/secrets`
	`2`	`+/ubuntu-bionic-18.04-cloudimg-console.log`
`2`	`3`
`3`	`4`	`*.py[cod]`
`4`	`5`