support: del deb8/ubuntu1404/opensuse150/opensuse151, add opensuse153

Remove support for EOL OSes: - Debian 8 - Ubuntu 14.04 - OpenSUSE 15.0 - OpenSUSE 15.1 Add support for: - OpenSUSE 15.3
5 years ago · 2f1e3fbfa8
parent d400ceeb9f
commit 2f1e3fbfa8
10 changed files with 14 additions and 159 deletions
--- a/README.md
+++ b/README.md
@ -72,21 +72,19 @@ Also don't forget to customize your `bastion.conf` file, which can be found in `

 Linux distros below are tested with each release, but as this is a security product, you are **warmly** advised to run it on the latest up-to-date stable version of your favorite OS:

- Debian 10 (Buster), 9 (Stretch), 8 (Jessie)
+- Debian 10 (Buster), 9 (Stretch)
 - RHEL/CentOS 8.x (8.3.2011, 8.2.2004, 8.1.1911), 7.x (7.9.2009, 7.8.2003, 7.7.1908)
- Ubuntu LTS 20.04, 18.04, 16.04, 14.04\*
- OpenSUSE Leap 15.2\*, 15.1\*, 15.0\*\*
+- Ubuntu LTS 20.04, 18.04, 16.04
+- OpenSUSE Leap 15.3\*, 15.2\*

 \*: Note that these versions have no out-of-the-box MFA support, as they lack packaged versions of `pamtester`, `pam-google-authenticator`, or both. Of course, you may compile those yourself.
 Any other so-called "modern" Linux version are not tested with each release, but should work with no or minor adjustments.

-\*\*: OpenSUSE Leap 15.0 randomly hits a segfault when [updating system packages](https://bugzilla.opensuse.org/show_bug.cgi?id=1146027), we had to remove it from our automated tests workflow.
-
 The following OS are also tested with each release:

- FreeBSD/HardenedBSD 13.0\*\*\*
+- FreeBSD/HardenedBSD 13.0\*\*

-\*\*\*: Note that these have partial MFA support, due to their reduced set of available `pam` plugins. Support for either an additional password or TOTP factor can be configured, but not both at the same time. The code is actually known to work on FreeBSD/HardenedBSD 10+, but it's only regularly tested under 13.0.
+\*\*: Note that these have partial MFA support, due to their reduced set of available `pam` plugins. Support for either an additional password or TOTP factor can be configured, but not both at the same time. The code is actually known to work on FreeBSD/HardenedBSD 10+, but it's only regularly tested under 13.0.

 Other BSD variants partially work but are unsupported and discouraged as they have a severe limitation over the maximum number of supplementary groups (causing problems for group membership and restricted commands checks), no filesystem-level ACL support and missing MFA:

--- a/bin/admin/fixrights.sh
+++ b/bin/admin/fixrights.sh
@ -27,7 +27,6 @@ find "$basedir" -name .git -prune -o -name contrib -prune -o -type f -print0 | x
 find "$basedir"/bin/ ! -name "*.json" -print0 | xargs -r0 chmod 0755
 chmod 0644 "$basedir"/bin/dev/perlcriticrc
 chmod 0700 "$basedir"/bin/admin/install
-chmod 0700 "$basedir"/contrib
 chmod 0700 "$basedir"/bin/sudogen
 chmod 0700 "$basedir"/tests
 test -d "$basedir"/install && chmod 0700 "$basedir"/install
--- a/contrib/libterm-readline-gnu-perl-jessiefix.patch
+++ b/contrib/libterm-readline-gnu-perl-jessiefix.patch
@ -1,14 +0,0 @@
--- /usr/lib/x86_64-linux-gnu/perl5/5.20/Term/ReadLine/Gnu/XS.pm        2014-08-15 14:13:27.000000000 +0200
-+++ /usr/lib/x86_64-linux-gnu/perl5/5.20/Term/ReadLine/Gnu/XS.pm        2011-11-15 04:36:04.000000000 +0100
-@@ -581,7 +580,10 @@
-        return undef unless defined $_matches[0];
-     }
- 
-    return $_matches[$_i];
-+    for (; $_i <= $#_matches; $_i++) {
-+        return $_matches[$_i] if ($_matches[$_i] =~ /^\Q$text/);
-+    }
-+    return undef;
- }
- 
- 1;
--- a/doc/sphinx/installation/advanced.rst
+++ b/doc/sphinx/installation/advanced.rst
@ -228,19 +228,6 @@ On the master
 Misc
 ====

-Fix buggy ReadLine under Debian Jessie
-**************************************
-
-Unfortunately, the version of `libterm-readline-gnu-perl` of Debian Jessie is bugged.
-The version of Wheezy (7) and Stretch (9) are correct, only Jessie (8) is affected.
-This impacts the ``interactive`` mode of the bastion, namely the autocomplete feature, if you want to apply a quickfix on your system, you can use this:
-
-.. code-block:: shell
-
-    patch -p0 -d / -r - < /opt/bastion/contrib/libterm-readline-gnu-perl-jessiefix.patch
-
-Now, as Debian Jessie is quite old, the proper solution is probably not to use it!
-
 Create SSHFP records
 ********************

--- a/doc/sphinx/installation/basic.rst
+++ b/doc/sphinx/installation/basic.rst
@ -26,21 +26,19 @@ We published a Puppet module to handle The Bastion configuration and prerequisit

 The following Linux distros are tested with each release, but as this is a security product, you are *warmly* advised to run it on the latest up-to-date stable version of your favorite OS:

- Debian 10 (Buster), 9 (Stretch), 8 (Jessie)
+- Debian 10 (Buster), 9 (Stretch)
 - RHEL/CentOS 8.x (8.3.2011, 8.2.2004, 8.1.1911), 7.x (7.9.2009, 7.8.2003, 7.7.1908)
- Ubuntu LTS 20.04, 18.04, 16.04, 14.04\*
- OpenSUSE Leap 15.2\*, 15.1\*, 15.0\*\*
+- Ubuntu LTS 20.04, 18.04, 16.04
+- OpenSUSE Leap 15.3\*, 15.2\*

 \*: Note that these versions have no out-of-the-box MFA support, as they lack packaged versions of ``pamtester``, ``pam-google-authenticator``, or both. Of course, you may compile those yourself.
 Any other so-called `modern` Linux version are not tested with each release, but should work with no or minor adjustments.

-\*\*: OpenSUSE Leap 15.0 randomly hits a segfault when `updating system packages <https://bugzilla.opensuse.org/show_bug.cgi?id=1146027>`_, we had to remove it from our automated tests workflow.
-
 The following OS are also tested with each release:

- FreeBSD/HardenedBSD 12.1\*\*\*
+- FreeBSD/HardenedBSD 12.1\*\*

-\*\*\*: Note that these have partial MFA support, due to their reduced set of available ``pam`` plugins. Support for either an additional password or TOTP factor can be configured, but not both at the same time. The code is actually known to work on FreeBSD/HardenedBSD 10+, but it's only regularly tested under 12.1.
+\*\*: Note that these have partial MFA support, due to their reduced set of available ``pam`` plugins. Support for either an additional password or TOTP factor can be configured, but not both at the same time. The code is actually known to work on FreeBSD/HardenedBSD 10+, but it's only regularly tested under 12.1.

 Other BSD variants partially work but are unsupported and discouraged as they have a severe limitation over the maximum number of supplementary groups (causing problems for group membership and restricted commands checks), no filesystem-level ACL support and missing MFA:

--- a/docker/Dockerfile.debian8
+++ b/docker/Dockerfile.debian8
@ -1,30 +0,0 @@
-FROM debian:jessie
-LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
-
-# cache builds efficiently: just copy the scripts to install packages first
-COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
-COPY lib/shell                                                                                       /opt/bastion/lib/shell/
-RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
-RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
-RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
-
-# handle locales
-RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
-
-# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
-RUN test -e /etc/syslog-ng/syslog-ng.conf && \
-    sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf
-
-# at each modification of our code, we'll start from here thanks to build cache
-COPY . /opt/bastion
-
-# tests that the environment works
-RUN ["/opt/bastion/bin/dev/perl-check.sh"]
-
-# setup ssh/sshd config and setup bastion install
-RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
-
-# start at entrypoint
-ENTRYPOINT /opt/bastion/docker/entrypoint.sh
-
-# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1
--- a/docker/Dockerfile.opensuse152
+++ b/docker/Dockerfile.opensuse152
@ -1,4 +1,4 @@
-FROM opensuse/leap:15.2
+FROM opensuse/leap:15
 LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"

 # cache builds efficiently: just copy the scripts to install packages first
@ -19,9 +19,10 @@ COPY . /opt/bastion
 RUN ["/opt/bastion/bin/dev/perl-check.sh"]

 # setup ssh/sshd config and setup bastion install
-RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
+RUN ["/opt/bastion/bin/admin/install","--new-install"]

 # start at entrypoint
 ENTRYPOINT /opt/bastion/docker/entrypoint.sh

-# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 HAS_PIV=1
+# TESTOPT --has-mfa=0 --has-pamtester=0 --has-piv=0
+# TESTFROM opensuse/leap:15.2 opensuse/leap:15.3
--- a/docker/Dockerfile.opensuse150
+++ b/docker/Dockerfile.opensuse150
@ -1,27 +0,0 @@
-FROM opensuse/leap:15.0
-LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
-
-# cache builds efficiently: just copy the scripts to install packages first
-COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
-COPY lib/shell                                                                                       /opt/bastion/lib/shell/
-RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
-RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
-RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
-
-# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
-RUN test -e /etc/syslog-ng/syslog-ng.conf && \
-    sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf
-
-# at each modification of our code, we'll start from here thanks to build cache
-COPY . /opt/bastion
-
-# tests that the environment works
-RUN ["/opt/bastion/bin/dev/perl-check.sh"]
-
-# setup ssh/sshd config and setup bastion install
-RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
-
-# start at entrypoint
-ENTRYPOINT /opt/bastion/docker/entrypoint.sh
-
-# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 HAS_PIV=1
--- a/docker/Dockerfile.opensuse151
+++ b/docker/Dockerfile.opensuse151
@ -1,27 +0,0 @@
-FROM opensuse/leap:15.1
-LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
-
-# cache builds efficiently: just copy the scripts to install packages first
-COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
-COPY lib/shell                                                                                       /opt/bastion/lib/shell/
-RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
-RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
-RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
-
-# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
-RUN test -e /etc/syslog-ng/syslog-ng.conf && \
-    sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf
-
-# at each modification of our code, we'll start from here thanks to build cache
-COPY . /opt/bastion
-
-# tests that the environment works
-RUN ["/opt/bastion/bin/dev/perl-check.sh"]
-
-# setup ssh/sshd config and setup bastion install
-RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
-
-# start at entrypoint
-ENTRYPOINT /opt/bastion/docker/entrypoint.sh
-
-# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 HAS_PIV=1
--- a/docker/Dockerfile.ubuntu1404
+++ b/docker/Dockerfile.ubuntu1404
@ -1,30 +0,0 @@
-FROM ubuntu:14.04
-LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
-
-# cache builds efficiently: just copy the scripts to install packages first
-COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
-COPY lib/shell                                                                                       /opt/bastion/lib/shell/
-RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
-RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
-RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
-
-# handle locales
-RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
-
-# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
-RUN test -e /etc/syslog-ng/syslog-ng.conf && \
-    sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf
-
-# at each modification of our code, we'll start from here thanks to build cache
-COPY . /opt/bastion
-
-# tests that the environment works
-RUN ["/opt/bastion/bin/dev/perl-check.sh"]
-
-# setup ssh/sshd config and setup bastion install
-RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
-
-# start at entrypoint
-ENTRYPOINT /opt/bastion/docker/entrypoint.sh
-
-# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 HAS_PIV=1