Merge pull request #2138 from craigcomstock/ent-13804

craigcomstock · web-flow · commit 07bf484e24d0 · 2026-03-13T08:28:01.000-05:00
fix: build host policy: fail2ban install requires epel-release for all redhat-based platforms
diff --git a/ci/cfengine-build-host-setup.cf b/ci/cfengine-build-host-setup.cf
@@ -126,16 +126,14 @@ bundle agent cfengine_build_host_setup
       "xfsprogs";
 
 # note that shellcheck, fakeroot and ccache require epel-release to be installed
-    !(redhat_8|centos_8).(redhat|centos).(yum_dnf_conf_ok)::
+# epel-release is installed by distribution package in rhel-7 and by URL for rhel-8+ later in commands section
+    (redhat_7|centos_7).(yum_dnf_conf_ok)::
       "epel-release"
-        comment => "centos-8/rhel-8 at least in AWS has no epel-release package to install so later we will install with downloaded rpm from dl.fedoraproject.org";
+        classes => results( "bundle", "epel_release" );
 
-    !(redhat_7|centos_7|redhat_8|centos_8).(yum_dnf_conf_ok)::
-      "fail2ban"
-        comment => "Ban IPs with repeated failed SSH auth attempts";
-    (redhat_7|centos_7|redhat_8|centos_8).(yum_dnf_conf_ok)::
+    !(redhat_7|centos_7).(redhat|centos).(yum_dnf_conf_ok).epel_release_ok::
       "fail2ban-server"
-        comment => "Ban IPs with repeated failed SSH auth attempts. On centos-7 .noarch must be specified as there are conflicting sub-packages attempted with legacy packages promise as fail2ban-*.*.";
+        comment => "Ban IPs with repeated failed SSH auth attempts. On centos/rhel 8+ we must specify individual packages instead of just fail2ban as package method will append -*.* which would include conflicting shorewall and shorewall-lite packages.";
       "fail2ban-sendmail";
       "fail2ban-firewalld";
       "ccache";
@@ -211,14 +209,15 @@ bundle agent cfengine_build_host_setup
     linux::
       "have_tmp_mount" expression => returnszero("mount | grep '/tmp'", "useshell");
       "have_coredumpctl" expression => returnszero("command -v coredumpctl", "useshell");
-      "missing_opt_jdk21" expression => not(fileexists("/opt/jdk-21.0.8"));
+      "missing_java" expression => not(fileexists("/usr/bin/java"));
     (redhat|centos).!(redhat_6|centos_6|redhat_7|centos_7)::
       "yum_conf_ok" expression => returnszero("grep best=False /etc/yum.conf >/dev/null", "useshell");
     redhat_6|centos_6|redhat_7|centos_7::
       "yum_conf_ok" expression => "any"; # rhel/centos-6 and 7 do not support --nobest or best property in yum.conf
     redhat_8|centos_8::
       "have_fakeroot" expression => returnszero("command -v fakeroot >/dev/null", "useshell");
-      "epel_release_installed" expression => returnszero("yum info --installed epel-release", "useshell");
+    (redhat|centos)::
+      "epel_release_ok" expression => returnszero("yum info --installed epel-release", "useshell");
     (redhat_8|centos_8).have_perl::
       "have_data_dumper" expression => returnszero("cpan -l | grep Data::Dumper", "useshell");
       "have_data_dumper_names" expression => returnszero("cpan -l | grep Data::Dumper::Names", "useshell");
@@ -247,16 +246,17 @@ bundle agent cfengine_build_host_setup
       "sysctl kernel.core_pattern='|/lib/systemd/systemd-coredump %p %u %g %s %t %e'" -> { "ENT-12669" }
         comment => "Ensure that core_pattern is proper for systemd-coredump if coredumpctl is present.",
         contain => in_shell;
-    missing_opt_jdk21::
+    missing_java::
       "sh $(this.promise_dirname)/linux-install-jdk21.sh" contain => in_shell;
     (redhat_7|centos_7|redhat_8|centos_8|redhat_9|redhat_10).(!have_development_tools).(yum_dnf_conf_ok)::
       "yum groups install -y 'Development Tools'" contain => in_shell;
     (redhat_8|centos_8).!have_fakeroot:: # special fakeroot, missing from _8 an d up?
       "sudo rpm -iv https://kojipkgs.fedoraproject.org//packages/fakeroot/1.23/1.fc29/x86_64/fakeroot-1.23-1.fc29.x86_64.rpm https://kojipkgs.fedoraproject.org//packages/fakeroot/1.23/1.fc29/x86_64/fakeroot-libs-1.23-1.fc29.x86_64.rpm"
         contain => in_shell;
-    (redhat_8|centos_8).!epel_release_installed::
-      "yum install --assumeyes https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm"
-        comment => "TODO: check a sha for the epel-release-latest-8.noarch.rpm file",
+    (redhat|centos).!(redhat_7|centos_7).!epel_release_ok::
+      "yum install --assumeyes https://dl.fedoraproject.org/pub/epel/epel-release-latest-${sys.os_version_major}.noarch.rpm"
+        comment => "rhel-7 installs this with a packages promise. TODO: check a sha for the download URL somehow?",
+        classes => results( "bundle", "epel_release" ),
         contain => in_shell;
     (redhat_8|centos_8).!have_data_dumper.have_perl::
       "cpan Data::Dumper"
