Cleanup for 1.0.0 release#116
Merged
Merged
Conversation
b21c16d to
ffacb23
Compare
- Switch `requirements` from `puppet` to `openvox` (>= 8 < 9) - Point `issues_url` at GitHub Issues - Drop end-of-life OS support (CentOS 8, EL7); list EL10 across all supported distros - Allow newer SIMP module dependencies (see metadata.json diff) - Sync Gemfile with current puppetsync baseline (adds OpenVox to test gems) - Drop Puppet 7 / Ruby 2.7 from GitHub Actions; use Ruby 3.2.11 with OpenVox 8 and 3.4.9 elsewhere
- Drop EOL nodesets (centos8, rhel7, oel.yml versionless, amzn2, etc.) - Add vagrant nodesets for AlmaLinux, CentOS Stream, Oracle Linux, RHEL, Rocky Linux 8/9/10 - Update default.yml to use AlmaLinux 9 + openvox8
cab23fe to
7fa4598
Compare
The "Add canonical beaker nodesets" cleanup replaced this module's custom multi-host nodesets with generic single-host ones, breaking the acceptance specs that resolve roles via only_host_with_role (server, ldapserver, permittedclient) and unknownclient in the beaker helper. Reconstruct each supported-OS nodeset as a 3-VM vagrant topology (GitLab omnibus is memory-heavy; the GitHub runner caps at ~2-3 VMs): - <os>-server roles: server, default, master (4096MB/4cpu) - <os>-permittedclient roles: client, permittedclient (512MB/1cpu) - <os>-ldapserver roles: client, unknownclient, ldapserver (1024MB/1cpu) Boxes/provider config follow the working pupmod-simp-auditd vagrant nodesets (almalinux/N etc., x86_64, openvox8 collection). Add almalinux8 to the acceptance matrix since EL8 is in operatingsystem_support. Preserves the 1.0.0 cleanup bug fixes (metadata.json, Gemfile, openvox switch) and the vagrant/libvirt acceptance job pattern matching auditd. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The rubocop cleanup in #85 collapsed the nested `module SimpGitlabBeakerHelpers; module SutVariables` into the compact `module SimpGitlabBeakerHelpers::SutVariables` form. That compact form requires the parent constant `SimpGitlabBeakerHelpers` to already be defined, but nothing defines it, so the helper file raised `uninitialized constant SimpGitlabBeakerHelpers` at load time. This caused every acceptance spec (all 5 files) to error out during load with `0 examples, 5 errors occurred outside of examples` -- the suite never ran a single test. Restore a bare `module SimpGitlabBeakerHelpers; end` declaration before the compact form so the parent constant exists. Verified the suite now loads and executes on almalinux9 (7 examples ran). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The tag/release workflow still ran under Ruby 2.7.8 with PUPPET_VERSION '~> 7' (mapped to openvox ~> 7 by the Gemfile), which cannot resolve against simp-rake-helpers >= 6.0 (requires openvox >= 8 < 9). Align with the pr_tests openvox8 lane: Ruby 3.2.11 and PUPPET_VERSION '~> 8', so the tag & release jobs don't fail after merge.
simp_gitlab was still on the 5.24 / simp-beaker-helpers 2.0 stack, so it
lacked ensure_beaker_ip_on -- on EL10 the private-network static IP is
never applied under Vagrant, so the SUTs were unreachable ('No route to
host') and acceptance could not provision. Migrate to
simp-rake-helpers ~> 6.0 / simp-beaker-helpers ~> 3.1 (voxpupuli-test
stack; drop puppetlabs_spec_helper; rubocop ~> 1.85), which brings
ensure_beaker_ip_on and lets EL10 provision and run the suite.
- puppet-lint whitespace/top-scope autofixes; autoquote the 'simp' hash key
- disable Style/OneClassPerFile for the acceptance helper (nested namespace)
Validated: unit 492 examples, 0 failures. alma10 acceptance now provisions
and reaches the tests (was a total provisioning failure). One idempotency
failure remains on alma10 -- iptables SysV service 'Provider redhat is not
functional' on systemd-only EL10 (an iptables-module issue) plus a gitlab
root-password exec -- tracked separately.
On images that don't ship firewalld preinstalled (minimal EL10), simp_firewalld no-ops because it gates management on the simplib__firewalls fact detecting firewall-cmd on PATH yet never installs the package itself (chicken-and-egg). The firewall stack then falls back to the iptables SysV service, which is non-functional on systemd-only EL10. Install firewalld in before(:suite) so the fact resolves and the SIMP firewall stack engages. No-op on EL8/EL9. See simp/pupmod-simp-simp_firewalld#102 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
The 'no firewall' context set `iptables::enable => false` to express "manage no firewall", but in the iptables module `false` is not "cease management" -- the class only skips management when `enable` is the string 'ignore'. With `false` it still contains iptables::service to drive the service to a stopped/disabled state and ship its /etc/init.d/iptables SysV script. That path is non-functional on systemd-only EL10 (no /etc/init.d, `redhat` service provider "not functional"), so the idempotency check errored with: Iptables::Service/Service[iptables]: Provider redhat is not functional Use `enable => 'ignore'` so the iptables class is a true no-op (no service, no init script, no firewalld). Keep `use_firewalld => false` so the beaker- reconnect ssh rule stays on the raw path (applied idempotently via iptables-nft on EL10) instead of requiring the firewalld daemon this context stops. Validated on live alma10: apply is clean and idempotent (exit 0). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
The 512 MB permittedclient OOMed inside the guest during `fix_errata_on`'s
`dnf`/`yum` operations (BaseOS+AppStream+EPEL metadata needs well over 512 MB),
dropping its SSH connection and killing the whole suite before any test ran
("Host 'almaN-permittedclient' connection failure running: yum ... update").
Each acceptance matrix leg runs on its own 16 GB GitHub-hosted runner with just
that OS's 3 VMs (~5.6 GB), so 1 GB here is free headroom.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
Bundled Mattermost was removed from the GitLab Linux package in 19.0.
`gitlab-ctl reconfigure` now FATALs -- "Removed configurations found in
gitlab.rb. Aborting reconfigure." -- on the presence of ANY `mattermost[...]`
key, even `mattermost['enable'] = false`. simp_gitlab was forcing
`mattermost => { enable => false }` and `mattermost_nginx => { enable => false }`
into the omnibus config, so every reconfigure on a current gitlab-ce aborted
(the acceptance "works with no errors"/"is idempotent" failures on EL10).
Drop both keys from omnibus_config::gitlab so the upstream module's `undef`
defaults suppress the mattermost block entirely. The mattermost() helper is
left in place but documented as intentionally unwired. External Mattermost is
now integrated via `gitlab_rails['mattermost_host']`. Unit expectations for the
removed defaults dropped; the gitlab_options override test is unaffected.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
`String#include?` returns a Boolean, which is never nil, so `!result.stdout.include?(...).nil?` was always true -- making `root_pw_change_page` unconditionally true and the "root password change page detected" assertion impossible to pass once the 'a GitLab web service' shared example actually ran against a live GitLab. (Earlier runs never reached it: they died at gitlab-ctl reconfigure or during provisioning.) Use the Boolean results directly so the check reflects the actual page content. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
Root-caused a stack of acceptance failures (validated locally on AlmaLinux 8 under beaker + vagrant_libvirt, 55 examples / 0 failures / 9 pending): - Web-service checks: stop scraping the sign-in HTML (GitLab 19 renders the sign-in form client-side, so markers like "Forgot your password" and the form itself are gone). Assert on stable signals instead -- the /-/health liveness endpoint from the server, and HTTP status codes for access control (permitted -> 200, denied -> 403 / refused). Use --retry-connrefused so the liveness check rides out nginx restarts. - 00_pki firewall/port-777 context: bringing firewalld up races `gitlab-ctl reconfigure` (ohai transiently can't detect the host IP -> "Unable to determine node name"), and reconfigure is refreshonly so a plain re-apply won't retry it. Drive reconfigure directly, retrying until firewalld settles and it converges. - no-firewall context: use `iptables::enable => 'ignore'` (a true no-op) instead of `false`, which still drove the SysV iptables service and is non-functional on EL10. - 10_ldaps: ds389 2.0.0 `dse_config` is a flat Ds389::ConfigItem, not the old nested-by-DN structure; reformat the test hieradata. Also point the ds389 instance TLS `source` at the FakeCA test PKI so the instance can initialize its attribute-encryption system (without it the instance fails to start: "Unable to initialize attrcrypt system"). - Right-size the VMs for current GitLab/389ds: gitlab server 4->6 GB (a `gitlab-ctl reconfigure` fork OOMed at 4 GB) and permittedclient 512 MB->1 GB (dnf OOMed during fix_errata). - GitLab 19 removed the OAuth resource-owner-password (ROPC) grant, which the LDAP web-login (10_ldaps) and the whole 11_ssh_access API/SSH flow relied on. Mark those examples pending pointing at the rework issue. See #119 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
alma9's base image ships leaner than alma8's, exposing more memory/packaging
issues (alma8 + alma9 now both green locally: 55 examples, 0 failures,
9 pending):
- before(:suite) firewalld install: add `--disablerepo=epel*`. firewalld and
its deps are in BaseOS/AppStream, and loading EPEL's metadata pushes dnf past
the 1 GB client nodes, OOM-killing the install (alma8 hid this because EL8
ships firewalld preinstalled).
- ldapserver 1 GB -> 2 GB: `dnf install 389-ds-base` (pulled in by the ds389
module, which we can't pass --disablerepo to) OOMs at 1 GB with EPEL loaded.
- 10_ldaps: disable ssh's LDAP integration (`ssh::server::conf::ldap: false`).
simp_options::ldap otherwise makes ssh::server install openssh-ldap, which
was removed in EL9+ ("Unable to find a match"). This suite tests GitLab LDAP
auth, not ssh LDAP key lookup. See simp/pupmod-simp-ssh#225.
- Skip the suite on EL10: `gitlab-ctl reconfigure` fails in GitLab's own
selinux cookbook (EL10 /var/opt=/opt equivalency rejects the
/var/opt/gitlab/.ssh fcontext). Fixed upstream in GitLab 19.2
(omnibus-gitlab!9577). See #120.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
All examples are skipped on EL10 (issue #120), so skip the suite-level setup too -- otherwise a setup failure there would fail the job even though nothing runs. Makes the EL10 job reliably green-with-pending. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
EL10 is blocked upstream: `gitlab-ctl reconfigure` fails in GitLab's own selinux cookbook (EL10 treats /var/opt as an equivalency of /opt, rejecting the /var/opt/gitlab/.ssh fcontext). Fixed in GitLab 19.2 (omnibus-gitlab!9577). Rather than carry a spec-level EL10 workaround, simply remove almalinux10 from the acceptance matrix and restore it once 19.2 is available. See #120. Reverts the temporary before(:each)/before(:suite) EL10 skip guards. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
The 1 GB permittedclient OOMs on `dnf install` once EPEL metadata is loaded (e.g. net-tools) -- a *flaky* CI failure (passed one run, failed the next). It didn't reproduce locally because bare-metal KVM has more effective memory than CI's nested virtualization over a multi-hour run. 2 GB is reliable; all nodes are now >= 2 GB, closing out this OOM class. Fits comfortably on the 16 GB runner (server 6 + ldapserver 2 + client 2). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01XCnDsYaJDLiP8z8tafz9Tp
nick-markowski
approved these changes
Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Cleanup pass to bring this module in line with the current SIMP baseline, get
its acceptance suite passing under current GitLab (19.x) on EL8/EL9, and track
what's blocked upstream on EL10.
End-user-visible changes
removed from the GitLab Linux package in 19.0, and
gitlab-ctl reconfigurenow aborts ("Removed configurations found in gitlab.rb") if any
mattermost/mattermost_nginxkey is present — evenenable => false.Those keys are no longer written to
gitlab.rb. To integrate an externalMattermost, set
gitlab_rails['mattermost_host'].requirementsfrompuppettoopenvox(>= 8 < 9)issues_urlat GitHub IssuesDevelopment / CI only (no runtime effect)
simp-beaker-helpers 3.1; sync Gemfile with the puppetsync baseline.
and 3.4.9 elsewhere; fix
tag_deployfor the new stack.it client-side). Use the
/-/healthendpoint + HTTP status codes forliveness and access control.
(SIMP firewall stack no-ops when firewalld isn't preinstalled — simp_firewalld#102),
with
--disablerepo=epel*so the install fits the 1 GB nodes; the no-firewallcontext uses
iptables::enable => 'ignore'(a true no-op) instead offalse,which drove the EL10-dead SysV iptables service.
gitlab-ctl reconfigureviaretry_on— bringing firewalld up races reconfigure's node-name detection.dse_configis now the flat ds389 2.0.0 form; point the instanceTLS
sourceat the test PKI (else attrcrypt init fails and the instancewon't start); disable ssh's LDAP integration in the LDAP suite
(
openssh-ldapwas removed in EL9+ — ssh::server installs openssh-ldap when LDAP enabled, but the package was removed in EL9+ pupmod-simp-ssh#225).1→2 GB, permittedclient 512 MB→1 GB (all were OOMing dnf/reconfigure).
Known-pending (tracked)
11_ssh_access API/SSH flow are marked pending. Rework to a server-side LDAP
auth check + seeded root PAT: Acceptance: GitLab 19 removed the OAuth password (ROPC) grant — rework API auth off ROPC #119.
gitlab-ctl reconfigurefails in GitLab's ownSELinux cookbook (EL10
/var/opt=/optfcontext conflict). Fixed upstream inGitLab 19.2 (omnibus-gitlab!9577); re-enable then: Acceptance: EL10 blocked by GitLab omnibus selinux fcontext bug (re-enable on GitLab 19.2) #120.
Test plan
bundle exec rake spec— 492 examples, 0 failuresbundle exec rake lint/syntax