Skip to content

Cleanup for 1.0.0 release#116

Merged
silug merged 18 commits into
masterfrom
cleanup-major-release
Jul 8, 2026
Merged

Cleanup for 1.0.0 release#116
silug merged 18 commits into
masterfrom
cleanup-major-release

Conversation

@silug

@silug silug commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

Summary

Cleanup pass to bring this module in line with the current SIMP baseline, get
its acceptance suite passing under current GitLab (19.x) on EL8/EL9, and track
what's blocked upstream on EL10.

End-user-visible changes

  • GitLab 19.0 compatibility: stop configuring bundled Mattermost. It was
    removed from the GitLab Linux package in 19.0, and gitlab-ctl reconfigure
    now aborts ("Removed configurations found in gitlab.rb") if any
    mattermost/mattermost_nginx key is present — even enable => false.
    Those keys are no longer written to gitlab.rb. To integrate an external
    Mattermost, set gitlab_rails['mattermost_host'].
  • Switch requirements from puppet to openvox (>= 8 < 9)
  • Point issues_url at GitHub Issues
  • Drop end-of-life OS support (CentOS 8, EL7); list EL10 across all supported distros
  • Allow newer SIMP module dependencies (see metadata.json diff)

Development / CI only (no runtime effect)

  • Migrate the test stack to simp-rake-helpers 6.x / voxpupuli-test /
    simp-beaker-helpers 3.1; sync Gemfile with the puppetsync baseline.
  • Drop Puppet 7 / Ruby 2.7 from GitHub Actions; use Ruby 3.2.11 with OpenVox 8
    and 3.4.9 elsewhere; fix tag_deploy for the new stack.
  • Acceptance web checks no longer scrape the sign-in HTML (GitLab 19 renders
    it client-side). Use the /-/health endpoint + HTTP status codes for
    liveness and access control.
  • firewalld / EL10 iptables: install firewalld before the first Puppet run
    (SIMP firewall stack no-ops when firewalld isn't preinstalled — simp_firewalld#102),
    with --disablerepo=epel* so the install fits the 1 GB nodes; the no-firewall
    context uses iptables::enable => 'ignore' (a true no-op) instead of false,
    which drove the EL10-dead SysV iptables service.
  • firewall + custom-port context: drive gitlab-ctl reconfigure via
    retry_on — bringing firewalld up races reconfigure's node-name detection.
  • 389ds: dse_config is now the flat ds389 2.0.0 form; point the instance
    TLS source at the test PKI (else attrcrypt init fails and the instance
    won't start); disable ssh's LDAP integration in the LDAP suite
    (openssh-ldap was removed in EL9+ — ssh::server installs openssh-ldap when LDAP enabled, but the package was removed in EL9+ pupmod-simp-ssh#225).
  • VM right-sizing for current GitLab/389ds: gitlab server 4→6 GB, ldapserver
    1→2 GB, permittedclient 512 MB→1 GB (all were OOMing dnf/reconfigure).

Known-pending (tracked)

Test plan

@op-ct op-ct added this to Org Triage Jun 8, 2026
@silug silug changed the title Cleanup for 0.13.2 release Cleanup for 1.0.0 release Jun 8, 2026
@silug silug force-pushed the cleanup-major-release branch from b21c16d to ffacb23 Compare June 8, 2026 19:47
silug added 2 commits June 26, 2026 14:55
- Switch `requirements` from `puppet` to `openvox` (>= 8 < 9)
- Point `issues_url` at GitHub Issues
- Drop end-of-life OS support (CentOS 8, EL7); list EL10 across all supported distros
- Allow newer SIMP module dependencies (see metadata.json diff)
- Sync Gemfile with current puppetsync baseline (adds OpenVox to test gems)
- Drop Puppet 7 / Ruby 2.7 from GitHub Actions; use Ruby 3.2.11 with OpenVox 8 and 3.4.9 elsewhere
- Drop EOL nodesets (centos8, rhel7, oel.yml versionless, amzn2, etc.)
- Add vagrant nodesets for AlmaLinux, CentOS Stream, Oracle Linux, RHEL, Rocky Linux 8/9/10
- Update default.yml to use AlmaLinux 9 + openvox8
@silug silug force-pushed the cleanup-major-release branch from cab23fe to 7fa4598 Compare June 26, 2026 14:58
silug and others added 16 commits June 29, 2026 14:22
The "Add canonical beaker nodesets" cleanup replaced this module's
custom multi-host nodesets with generic single-host ones, breaking the
acceptance specs that resolve roles via only_host_with_role (server,
ldapserver, permittedclient) and unknownclient in the beaker helper.

Reconstruct each supported-OS nodeset as a 3-VM vagrant topology
(GitLab omnibus is memory-heavy; the GitHub runner caps at ~2-3 VMs):
  - <os>-server         roles: server, default, master  (4096MB/4cpu)
  - <os>-permittedclient roles: client, permittedclient  (512MB/1cpu)
  - <os>-ldapserver     roles: client, unknownclient, ldapserver (1024MB/1cpu)

Boxes/provider config follow the working pupmod-simp-auditd vagrant
nodesets (almalinux/N etc., x86_64, openvox8 collection). Add almalinux8
to the acceptance matrix since EL8 is in operatingsystem_support.

Preserves the 1.0.0 cleanup bug fixes (metadata.json, Gemfile, openvox
switch) and the vagrant/libvirt acceptance job pattern matching auditd.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The rubocop cleanup in #85 collapsed the nested
`module SimpGitlabBeakerHelpers; module SutVariables` into the compact
`module SimpGitlabBeakerHelpers::SutVariables` form. That compact form
requires the parent constant `SimpGitlabBeakerHelpers` to already be
defined, but nothing defines it, so the helper file raised
`uninitialized constant SimpGitlabBeakerHelpers` at load time. This
caused every acceptance spec (all 5 files) to error out during load
with `0 examples, 5 errors occurred outside of examples` -- the suite
never ran a single test.

Restore a bare `module SimpGitlabBeakerHelpers; end` declaration before
the compact form so the parent constant exists. Verified the suite now
loads and executes on almalinux9 (7 examples ran).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The tag/release workflow still ran under Ruby 2.7.8 with
PUPPET_VERSION '~> 7' (mapped to openvox ~> 7 by the Gemfile), which
cannot resolve against simp-rake-helpers >= 6.0 (requires openvox
>= 8 < 9). Align with the pr_tests openvox8 lane: Ruby 3.2.11 and
PUPPET_VERSION '~> 8', so the tag & release jobs don't fail after merge.
simp_gitlab was still on the 5.24 / simp-beaker-helpers 2.0 stack, so it
lacked ensure_beaker_ip_on -- on EL10 the private-network static IP is
never applied under Vagrant, so the SUTs were unreachable ('No route to
host') and acceptance could not provision. Migrate to
simp-rake-helpers ~> 6.0 / simp-beaker-helpers ~> 3.1 (voxpupuli-test
stack; drop puppetlabs_spec_helper; rubocop ~> 1.85), which brings
ensure_beaker_ip_on and lets EL10 provision and run the suite.

- puppet-lint whitespace/top-scope autofixes; autoquote the 'simp' hash key
- disable Style/OneClassPerFile for the acceptance helper (nested namespace)

Validated: unit 492 examples, 0 failures. alma10 acceptance now provisions
and reaches the tests (was a total provisioning failure). One idempotency
failure remains on alma10 -- iptables SysV service 'Provider redhat is not
functional' on systemd-only EL10 (an iptables-module issue) plus a gitlab
root-password exec -- tracked separately.
On images that don't ship firewalld preinstalled (minimal EL10),
simp_firewalld no-ops because it gates management on the
simplib__firewalls fact detecting firewall-cmd on PATH yet never
installs the package itself (chicken-and-egg). The firewall stack then
falls back to the iptables SysV service, which is non-functional on
systemd-only EL10. Install firewalld in before(:suite) so the fact
resolves and the SIMP firewall stack engages. No-op on EL8/EL9.

See simp/pupmod-simp-simp_firewalld#102

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
The 'no firewall' context set `iptables::enable => false` to express "manage
no firewall", but in the iptables module `false` is not "cease management" --
the class only skips management when `enable` is the string 'ignore'. With
`false` it still contains iptables::service to drive the service to a
stopped/disabled state and ship its /etc/init.d/iptables SysV script. That
path is non-functional on systemd-only EL10 (no /etc/init.d, `redhat` service
provider "not functional"), so the idempotency check errored with:

  Iptables::Service/Service[iptables]: Provider redhat is not functional

Use `enable => 'ignore'` so the iptables class is a true no-op (no service, no
init script, no firewalld). Keep `use_firewalld => false` so the beaker-
reconnect ssh rule stays on the raw path (applied idempotently via iptables-nft
on EL10) instead of requiring the firewalld daemon this context stops.

Validated on live alma10: apply is clean and idempotent (exit 0).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
The 512 MB permittedclient OOMed inside the guest during `fix_errata_on`'s
`dnf`/`yum` operations (BaseOS+AppStream+EPEL metadata needs well over 512 MB),
dropping its SSH connection and killing the whole suite before any test ran
("Host 'almaN-permittedclient' connection failure running: yum ... update").
Each acceptance matrix leg runs on its own 16 GB GitHub-hosted runner with just
that OS's 3 VMs (~5.6 GB), so 1 GB here is free headroom.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
Bundled Mattermost was removed from the GitLab Linux package in 19.0.
`gitlab-ctl reconfigure` now FATALs -- "Removed configurations found in
gitlab.rb. Aborting reconfigure." -- on the presence of ANY `mattermost[...]`
key, even `mattermost['enable'] = false`. simp_gitlab was forcing
`mattermost => { enable => false }` and `mattermost_nginx => { enable => false }`
into the omnibus config, so every reconfigure on a current gitlab-ce aborted
(the acceptance "works with no errors"/"is idempotent" failures on EL10).

Drop both keys from omnibus_config::gitlab so the upstream module's `undef`
defaults suppress the mattermost block entirely. The mattermost() helper is
left in place but documented as intentionally unwired. External Mattermost is
now integrated via `gitlab_rails['mattermost_host']`. Unit expectations for the
removed defaults dropped; the gitlab_options override test is unaffected.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
`String#include?` returns a Boolean, which is never nil, so
`!result.stdout.include?(...).nil?` was always true -- making
`root_pw_change_page` unconditionally true and the
"root password change page detected" assertion impossible to pass once the
'a GitLab web service' shared example actually ran against a live GitLab.
(Earlier runs never reached it: they died at gitlab-ctl reconfigure or during
provisioning.) Use the Boolean results directly so the check reflects the
actual page content.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
Root-caused a stack of acceptance failures (validated locally on AlmaLinux 8
under beaker + vagrant_libvirt, 55 examples / 0 failures / 9 pending):

- Web-service checks: stop scraping the sign-in HTML (GitLab 19 renders the
  sign-in form client-side, so markers like "Forgot your password" and the
  form itself are gone). Assert on stable signals instead -- the /-/health
  liveness endpoint from the server, and HTTP status codes for access control
  (permitted -> 200, denied -> 403 / refused). Use --retry-connrefused so the
  liveness check rides out nginx restarts.

- 00_pki firewall/port-777 context: bringing firewalld up races
  `gitlab-ctl reconfigure` (ohai transiently can't detect the host IP ->
  "Unable to determine node name"), and reconfigure is refreshonly so a plain
  re-apply won't retry it. Drive reconfigure directly, retrying until firewalld
  settles and it converges.

- no-firewall context: use `iptables::enable => 'ignore'` (a true no-op)
  instead of `false`, which still drove the SysV iptables service and is
  non-functional on EL10.

- 10_ldaps: ds389 2.0.0 `dse_config` is a flat Ds389::ConfigItem, not the old
  nested-by-DN structure; reformat the test hieradata. Also point the ds389
  instance TLS `source` at the FakeCA test PKI so the instance can initialize
  its attribute-encryption system (without it the instance fails to start:
  "Unable to initialize attrcrypt system").

- Right-size the VMs for current GitLab/389ds: gitlab server 4->6 GB (a
  `gitlab-ctl reconfigure` fork OOMed at 4 GB) and permittedclient 512 MB->1 GB
  (dnf OOMed during fix_errata).

- GitLab 19 removed the OAuth resource-owner-password (ROPC) grant, which the
  LDAP web-login (10_ldaps) and the whole 11_ssh_access API/SSH flow relied on.
  Mark those examples pending pointing at the rework issue.
  See #119

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
alma9's base image ships leaner than alma8's, exposing more memory/packaging
issues (alma8 + alma9 now both green locally: 55 examples, 0 failures,
9 pending):

- before(:suite) firewalld install: add `--disablerepo=epel*`. firewalld and
  its deps are in BaseOS/AppStream, and loading EPEL's metadata pushes dnf past
  the 1 GB client nodes, OOM-killing the install (alma8 hid this because EL8
  ships firewalld preinstalled).

- ldapserver 1 GB -> 2 GB: `dnf install 389-ds-base` (pulled in by the ds389
  module, which we can't pass --disablerepo to) OOMs at 1 GB with EPEL loaded.

- 10_ldaps: disable ssh's LDAP integration (`ssh::server::conf::ldap: false`).
  simp_options::ldap otherwise makes ssh::server install openssh-ldap, which
  was removed in EL9+ ("Unable to find a match"). This suite tests GitLab LDAP
  auth, not ssh LDAP key lookup. See simp/pupmod-simp-ssh#225.

- Skip the suite on EL10: `gitlab-ctl reconfigure` fails in GitLab's own
  selinux cookbook (EL10 /var/opt=/opt equivalency rejects the
  /var/opt/gitlab/.ssh fcontext). Fixed upstream in GitLab 19.2
  (omnibus-gitlab!9577). See #120.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
All examples are skipped on EL10 (issue #120), so skip the suite-level setup
too -- otherwise a setup failure there would fail the job even though nothing
runs. Makes the EL10 job reliably green-with-pending.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
EL10 is blocked upstream: `gitlab-ctl reconfigure` fails in GitLab's own
selinux cookbook (EL10 treats /var/opt as an equivalency of /opt, rejecting the
/var/opt/gitlab/.ssh fcontext). Fixed in GitLab 19.2 (omnibus-gitlab!9577).
Rather than carry a spec-level EL10 workaround, simply remove almalinux10 from
the acceptance matrix and restore it once 19.2 is available. See #120.

Reverts the temporary before(:each)/before(:suite) EL10 skip guards.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
The 1 GB permittedclient OOMs on `dnf install` once EPEL metadata is loaded
(e.g. net-tools) -- a *flaky* CI failure (passed one run, failed the next). It
didn't reproduce locally because bare-metal KVM has more effective memory than
CI's nested virtualization over a multi-hour run. 2 GB is reliable; all nodes
are now >= 2 GB, closing out this OOM class. Fits comfortably on the 16 GB
runner (server 6 + ldapserver 2 + client 2).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
@silug silug merged commit a181708 into master Jul 8, 2026
8 checks passed
@github-project-automation github-project-automation Bot moved this from New to Done in Org Triage Jul 8, 2026
@silug silug deleted the cleanup-major-release branch July 8, 2026 15:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

3 participants