diff --git a/.etckeeper b/.etckeeper
index ffe24e2..19c1806 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -269,14 +269,10 @@ maybe chmod 0644 'clamd.conf.rpmnew'
 maybe chown 'amavis' 'clamd.conf.rpmsave'
 maybe chgrp 'amavis' 'clamd.conf.rpmsave'
 maybe chmod 0644 'clamd.conf.rpmsave'
-maybe chown 'amavis' 'clamd.d'
-maybe chgrp 'amavis' 'clamd.d'
 maybe chmod 0755 'clamd.d'
 maybe chown 'amavis' 'clamd.d/amavisd.conf'
 maybe chgrp 'amavis' 'clamd.d/amavisd.conf'
 maybe chmod 0644 'clamd.d/amavisd.conf'
-maybe chown 'amavis' 'clamd.d/scan.conf'
-maybe chgrp 'amavis' 'clamd.d/scan.conf'
 maybe chmod 0644 'clamd.d/scan.conf'
 maybe chown 'amavis' 'clamd.d/scan.conf.rpmnew'
 maybe chgrp 'amavis' 'clamd.d/scan.conf.rpmnew'
@@ -937,6 +933,7 @@ maybe chmod 0644 'httpd/conf.d/perl.conf'
 maybe chmod 0644 'httpd/conf.d/perl.conf.rpmnew'
 maybe chmod 0644 'httpd/conf.d/php.conf'
 maybe chmod 0644 'httpd/conf.d/phpmyadmin.conf'
+maybe chmod 0644 'httpd/conf.d/ssl.conf'
 maybe chmod 0644 'httpd/conf.d/ssl.conf_disabled'
 maybe chmod 0644 'httpd/conf.d/userdir.conf'
 maybe chmod 0644 'httpd/conf.d/welcome.conf'
@@ -3100,6 +3097,14 @@ maybe chgrp 'mock' 'mock/oraclelinux-8-aarch64.cfg'
 maybe chmod 0644 'mock/oraclelinux-8-aarch64.cfg'
 maybe chgrp 'mock' 'mock/oraclelinux-8-x86_64.cfg'
 maybe chmod 0644 'mock/oraclelinux-8-x86_64.cfg'
+maybe chgrp 'mock' 'mock/oraclelinux-epel-7-aarch64.cfg'
+maybe chmod 0644 'mock/oraclelinux-epel-7-aarch64.cfg'
+maybe chgrp 'mock' 'mock/oraclelinux-epel-7-x86_64.cfg'
+maybe chmod 0644 'mock/oraclelinux-epel-7-x86_64.cfg'
+maybe chgrp 'mock' 'mock/oraclelinux-epel-8-aarch64.cfg'
+maybe chmod 0644 'mock/oraclelinux-epel-8-aarch64.cfg'
+maybe chgrp 'mock' 'mock/oraclelinux-epel-8-x86_64.cfg'
+maybe chmod 0644 'mock/oraclelinux-epel-8-x86_64.cfg'
 maybe chgrp 'mock' 'mock/rhel-7-aarch64.cfg'
 maybe chmod 0644 'mock/rhel-7-aarch64.cfg'
 maybe chgrp 'mock' 'mock/rhel-7-ppc64.cfg'
@@ -3183,6 +3188,10 @@ maybe chgrp 'mock' 'mock/templates/oraclelinux-7.tpl'
 maybe chmod 0644 'mock/templates/oraclelinux-7.tpl'
 maybe chgrp 'mock' 'mock/templates/oraclelinux-8.tpl'
 maybe chmod 0644 'mock/templates/oraclelinux-8.tpl'
+maybe chgrp 'mock' 'mock/templates/oraclelinux-epel-7.tpl'
+maybe chmod 0644 'mock/templates/oraclelinux-epel-7.tpl'
+maybe chgrp 'mock' 'mock/templates/oraclelinux-epel-8.tpl'
+maybe chmod 0644 'mock/templates/oraclelinux-epel-8.tpl'
 maybe chgrp 'mock' 'mock/templates/rhel-7.tpl'
 maybe chmod 0644 'mock/templates/rhel-7.tpl'
 maybe chgrp 'mock' 'mock/templates/rhel-8.tpl'
diff --git a/httpd/conf.d/ssl.conf b/httpd/conf.d/ssl.conf
new file mode 100644
index 0000000..d28adf3
--- /dev/null
+++ b/httpd/conf.d/ssl.conf
@@ -0,0 +1,203 @@ +# +# When we also provide SSL we have to listen to the +# standard HTTPS port in addition. +# +Listen 443 https + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +SSLSessionCache shmcb:/run/httpd/sslcache(512000) +SSLSessionCacheTimeout 300 + +# +# Use "SSLCryptoDevice" to enable any supported hardware +# accelerators. Use "openssl engine -v" to list supported +# engine names. NOTE: If you enable an accelerator and the +# server does not start, consult the error logs and ensure +# your accelerator is functioning properly. +# +SSLCryptoDevice builtin +#SSLCryptoDevice ubsec + +## +## SSL Virtual Host Context +## + + + +# General setup for the virtual host, inherited from global configuration +#DocumentRoot "/var/www/html" +#ServerName www.example.com:443 + +# Use separate log files for the SSL virtual host; note that LogLevel +# is not inherited from httpd.conf. +ErrorLog logs/ssl_error_log +TransferLog logs/ssl_access_log +LogLevel warn + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# List the protocol versions which clients are allowed to connect with. +# The OpenSSL system profile is used by default. See +# update-crypto-policies(8) for more details. 
+#SSLProtocol all -SSLv3 +#SSLProxyProtocol all -SSLv3 + +# User agents such as web browsers are not configured for the user's +# own preference of either security or performance, therefore this +# must be the prerogative of the web server administrator who manages +# cpu load versus confidentiality, so enforce the server's cipher order. +SSLHonorCipherOrder on + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +# The OpenSSL system profile is configured by default. See +# update-crypto-policies(8) for more details. +SSLCipherSuite PROFILE=SYSTEM +SSLProxyCipherSuite PROFILE=SYSTEM + +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that restarting httpd will prompt again. Keep +# in mind that if you have both an RSA and a DSA certificate you +# can configure both in parallel (to also allow the use of DSA +# ciphers, etc.) +# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt) +# require an ECC certificate which can also be configured in +# parallel. +SSLCertificateFile /etc/pki/tls/certs/localhost.crt + +# Server Private Key: +# If the key is not combined with the certificate, use this +# directive to point at the key file. Keep in mind that if +# you've both a RSA and a DSA private key you can configure +# both in parallel (to also allow the use of DSA ciphers, etc.) +# ECC keys, when in use, can also be configured in parallel +SSLCertificateKeyFile /etc/pki/tls/private/localhost.key + +# Server Certificate Chain: +# Point SSLCertificateChainFile at a file containing the +# concatenation of PEM encoded CA certificates which form the +# certificate chain for the server certificate. Alternatively +# the referenced file can be the same as SSLCertificateFile +# when the CA certificates are directly appended to the server +# certificate for convenience. 
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt + +# Certificate Authority (CA): +# Set the CA certificate verification path where to find CA +# certificates for client authentication or alternatively one +# huge file containing all of them (file must be PEM encoded) +#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt + +# Client Authentication (Type): +# Client certificate verification type and depth. Types are +# none, optional, require and optional_no_ca. Depth is a +# number which specifies how deeply to verify the certificate +# issuer chain before deciding the certificate is not valid. +#SSLVerifyClient require +#SSLVerifyDepth 10 + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_ssl documentation +# for more details. +# +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +# + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). 
This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + +# SSL Protocol Adjustments: +# The safe and default but still SSL/TLS standard compliant shutdown +# approach is that mod_ssl sends the close notify alert but doesn't wait for +# the close notify alert from client. When you need a different shutdown +# approach you can use one of the following variables: +# o ssl-unclean-shutdown: +# This forces an unclean shutdown when the connection is closed, i.e. no +# SSL close notify alert is sent or allowed to be received. This violates +# the SSL/TLS standard but is needed for some brain-dead browsers. Use +# this when you receive I/O errors because of the standard approach where +# mod_ssl sends the close notify alert. +# o ssl-accurate-shutdown: +# This forces an accurate shutdown when the connection is closed, i.e. a +# SSL close notify alert is sent and mod_ssl waits for the close notify +# alert of the client. This is 100% SSL/TLS standard compliant, but in +# practice often causes hanging connections with brain-dead browsers. Use +# this only for browsers where you know that their SSL implementation +# works correctly. 
+# Notice: Most problems of broken clients are also related to the HTTP +# keep-alive facility, so you usually additionally want to disable +# keep-alive for those clients, too. Use variable "nokeepalive" for this. +# Similarly, one has to force some clients to use HTTP/1.0 to workaround +# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and +# "force-response-1.0" for this. +BrowserMatch "MSIE [2-5]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. +CustomLog logs/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + + diff --git a/mock/oraclelinux-epel-7-aarch64.cfg b/mock/oraclelinux-epel-7-aarch64.cfg new file mode 100644 index 0000000..81eb807 --- /dev/null +++ b/mock/oraclelinux-epel-7-aarch64.cfg @@ -0,0 +1,6 @@ +include('templates/oraclelinux-7.tpl') +include('templates/oraclelinux-epel-7.tpl') + +config_opts['root'] = 'oraclelinux-7-aarch64' +config_opts['target_arch'] = 'aarch64' +config_opts['legal_host_arches'] = ('aarch64',) diff --git a/mock/oraclelinux-epel-7-x86_64.cfg b/mock/oraclelinux-epel-7-x86_64.cfg new file mode 100644 index 0000000..c04e0cf --- /dev/null +++ b/mock/oraclelinux-epel-7-x86_64.cfg @@ -0,0 +1,6 @@ +include('templates/oraclelinux-7.tpl') +include('templates/oraclelinux-epel-7.tpl') + +config_opts['root'] = 'oraclelinux-7-x86_64' +config_opts['target_arch'] = 'x86_64' +config_opts['legal_host_arches'] = ('x86_64',) diff --git a/mock/oraclelinux-epel-8-aarch64.cfg b/mock/oraclelinux-epel-8-aarch64.cfg new file mode 100644 index 0000000..fbaba46 --- /dev/null +++ b/mock/oraclelinux-epel-8-aarch64.cfg 
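Review bot: `SSLCertificateFile /etc/pki/tls/certs/localhost.crt` and `SSLCertificateKeyFile /etc/pki/tls/private/localhost.key` are the distribution's self-signed placeholder pair, so enabling this file serves port 443 with an untrusted certificate and no chain; point both at the host's real certificate, enable `SSLCertificateChainFile` (or a full-chain file), and confirm the key stays 0600 root-owned since the .etckeeper hunk only records the .conf mode. The .etckeeper hunk also shows `ssl.conf_disabled` still present beside the new `ssl.conf`; two copies invite divergent edits, so delete the disabled one or add a header comment saying why it is kept. The `<VirtualHost>`/`<FilesMatch>`/`<Directory>` container lines appear stripped in this rendering (the `SSLOptions +StdEnvVars` lines sit under bare `+` lines), so verify the committed file actually carries them before relying on the per-directory scope.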
@@ -0,0 +1,6 @@ +include('templates/oraclelinux-8.tpl') +include('templates/oraclelinux-epel-8.tpl') + +config_opts['root'] = 'oraclelinux-8-aarch64' +config_opts['target_arch'] = 'aarch64' +config_opts['legal_host_arches'] = ('aarch64',) diff --git a/mock/oraclelinux-epel-8-x86_64.cfg b/mock/oraclelinux-epel-8-x86_64.cfg new file mode 100644 index 0000000..a091e54 --- /dev/null +++ b/mock/oraclelinux-epel-8-x86_64.cfg @@ -0,0 +1,6 @@ +include('templates/oraclelinux-8.tpl') +include('templates/oraclelinux-epel-8.tpl') + +config_opts['root'] = 'oraclelinux-8-x86_64' +config_opts['target_arch'] = 'x86_64' +config_opts['legal_host_arches'] = ('x86_64',) diff --git a/mock/templates/centos-stream-9.tpl b/mock/templates/centos-stream-9.tpl index fa7ef6d..d4554de 100644 --- a/mock/templates/centos-stream-9.tpl +++ b/mock/templates/centos-stream-9.tpl @@ -4,8 +4,7 @@ config_opts['releasever'] = '9' config_opts['package_manager'] = 'dnf' config_opts['extra_chroot_dirs'] = [ '/run/lock', ] -# TODO: flip to 'stream9' tag once available -config_opts['bootstrap_image'] = 'quay.io/centos/centos:stream9-development' +config_opts['bootstrap_image'] = 'quay.io/centos/centos:stream9' config_opts['dnf.conf'] = """ [main] @@ -15,7 +14,7 @@ reposdir=/dev/null logfile=/var/log/yum.log retries=20 obsoletes=1 -gpgcheck=1 +gpgcheck=0 assumeyes=1 syslog_ident=mock syslog_device= 
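Review bot: `config_opts['root'] = 'oraclelinux-8-aarch64'` appears to reuse the chroot root name of the non-EPEL `oraclelinux-8-aarch64.cfg` listed in the .etckeeper hunk, so both configs share one cached chroot under mock's root cache and a chroot primed with the EPEL repo enabled can be handed to a build that is meant to see only Oracle Linux repos. Give the EPEL variant its own root, e.g. `config_opts['root'] = 'oraclelinux-epel-8-aarch64'`, matching the file name; the same applies to the x86_64 config and to the two new epel-7 configs. I cannot see the non-EPEL cfg's root value here, so confirm it collides before renaming.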
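Review bot: Flipping `gpgcheck=1` to `gpgcheck=0` in `[main]` makes unsigned packages the default for every repo section that does not set `gpgcheck=1` itself; the baseos/appstream/crb sections in the following hunk do set it, but anything later appended to `config_opts['dnf.conf']` with `+=` (as the new oraclelinux-epel templates do for their own dnf.conf) would inherit the unsigned default silently. If this is meant to mirror upstream mock-core-configs, add a comment above the line, `# gpgcheck is intentionally set per repo below; every appended repo section must set gpgcheck=1`, so a future repo addition does not quietly skip signature verification.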
@@ -27,22 +26,61 @@ user_agent={{ user_agent }} [baseos] name=CentOS Stream $releasever - BaseOS -#baseurl=https://composes.stream.centos.org/production/latest-CentOS-Stream/compose/BaseOS/$basearch/os/ +#baseurl=http://mirror.stream.centos.org/$releasever-stream/BaseOS/$basearch/os/ metalink=https://mirrors.centos.org/metalink?repo=centos-baseos-$releasever-stream&arch=$basearch gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official +gpgcheck=1 +enabled=1 skip_if_unavailable=False [appstream] name=CentOS Stream $releasever - AppStream -#baseurl=https://composes.stream.centos.org/production/latest-CentOS-Stream/compose/AppStream/$basearch/os/ +#baseurl=http://mirror.stream.centos.org/$releasever-stream/AppStream/$basearch/os/ metalink=https://mirrors.centos.org/metalink?repo=centos-appstream-$releasever-stream&arch=$basearch -enabled=1 gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official +gpgcheck=1 +enabled=1 +skip_if_unavailable=False [crb] name=CentOS Stream $releasever - CRB -#baseurl=https://composes.stream.centos.org/production/latest-CentOS-Stream/compose/CRB/$basearch/os/ +#baseurl=http://mirror.stream.centos.org/$releasever-stream/CRB/$basearch/os/ metalink=https://mirrors.centos.org/metalink?repo=centos-crb-$releasever-stream&arch=$basearch -enabled=1 gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official +gpgcheck=1 +enabled=1 +skip_if_unavailable=False + +[highavailability] +name=CentOS Stream $releasever - HighAvailability +#baseurl=http://mirror.stream.centos.org/$releasever-stream/HighAvailability/$basearch/os/ +metalink=https://mirrors.centos.org/metalink?repo=centos-highavailability-$releasever-stream&arch=$basearch +gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official +gpgcheck=1 +enabled=0 + +[nfv] +name=CentOS Stream $releasever - NFV +#baseurl=http://mirror.stream.centos.org/$releasever-stream/NFV/$basearch/os/ 
+metalink=https://mirrors.centos.org/metalink?repo=centos-nfv-$releasever-stream&arch=$basearch +gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official +gpgcheck=1 +enabled=0 + +[rt] +name=CentOS Stream $releasever - RT +#baseurl=http://mirror.stream.centos.org/$releasever-stream/RT/$basearch/os/ +metalink=https://mirrors.centos.org/metalink?repo=centos-rt-$releasever-stream&arch=$basearch +gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official +gpgcheck=1 +enabled=0 + +[resilientstorage] +name=CentOS Stream $releasever - ResilientStorage +#baseurl=http://mirror.stream.centos.org/$releasever-stream/ResilientStorage/$basearch/os/ +metalink=https://mirrors.centos.org/metalink?repo=centos-resilientstorage-$releasever-stream&arch=$basearch +gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official +gpgcheck=1 +enabled=0 + """ diff --git a/mock/templates/oraclelinux-7.tpl b/mock/templates/oraclelinux-7.tpl index bacb686..eab159b 100644 --- a/mock/templates/oraclelinux-7.tpl +++ b/mock/templates/oraclelinux-7.tpl @@ -1,6 +1,6 @@ # This list is taken from 'epel-7-x86_64' @buildsys-build group, minus the # 'epel-*' specific stuff. -config_opts['chroot_setup_cmd'] = 'install bash bzip2 coreutils cpio diffutils findutils gawk gcc gcc-c++ grep gzip info make patch redhat-rpm-config rpm-build sed shadow-utils tar unzip util-linux which xz' +config_opts['chroot_setup_cmd'] = 'install bash bzip2 coreutils cpio diffutils findutils gawk gcc gcc-c++ grep gzip info make oraclelinux-release patch redhat-rpm-config rpm-build sed shadow-utils tar unzip util-linux which xz' config_opts['dist'] = 'el7' # only useful for --resultdir variable subst config_opts['releasever'] = '7' diff --git a/mock/templates/oraclelinux-8.tpl b/mock/templates/oraclelinux-8.tpl index 67f8d8f..cdd9b6b 100644 --- a/mock/templates/oraclelinux-8.tpl +++ b/mock/templates/oraclelinux-8.tpl 
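Review bot: The fallback `#baseurl=` lines now use `http://mirror.stream.centos.org/...` while the live `metalink=` lines stay on https; with `gpgcheck=1` but no `repo_gpgcheck`, uncommenting one of those baseurls would fetch repomd.xml in cleartext, where a network attacker can pin the chroot to stale, vulnerable package versions without touching a signed RPM. Write them as `#baseurl=https://mirror.stream.centos.org/$releasever-stream/BaseOS/$basearch/os/` (and likewise for the other sections, assuming the mirror serves https) so the fallback is safe to enable as written.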
@@ -1,4 +1,4 @@ -config_opts['chroot_setup_cmd'] = 'install tar gcc-c++ redhat-rpm-config redhat-release which xz sed make bzip2 gzip gcc coreutils unzip shadow-utils diffutils cpio bash gawk rpm-build info patch util-linux findutils grep' +config_opts['chroot_setup_cmd'] = 'install tar gcc-c++ redhat-rpm-config redhat-release oraclelinux-release which xz sed make bzip2 gzip gcc coreutils unzip shadow-utils diffutils cpio bash gawk rpm-build info patch util-linux findutils grep' config_opts['dist'] = 'el8' # only useful for --resultdir variable subst config_opts['releasever'] = '8' config_opts['package_manager'] = 'dnf' diff --git a/mock/templates/oraclelinux-epel-7.tpl b/mock/templates/oraclelinux-epel-7.tpl new file mode 100644 index 0000000..45acb12 --- /dev/null +++ b/mock/templates/oraclelinux-epel-7.tpl @@ -0,0 +1,11 @@ +config_opts['chroot_setup_cmd'] = 'install @buildsys-build' + +config_opts['yum.conf'] += """ + +[ol7_epel] +name=Oracle Linux 7 EPEL ($basearch) +baseurl=https://yum.oracle.com/repo/OracleLinux/OL7/developer_EPEL/$basearch/ +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle +gpgcheck=1 +enabled=1 +""" diff --git a/mock/templates/oraclelinux-epel-8.tpl b/mock/templates/oraclelinux-epel-8.tpl new file mode 100644 index 0000000..dced3a9 --- /dev/null +++ b/mock/templates/oraclelinux-epel-8.tpl @@ -0,0 +1,14 @@ +config_opts['chroot_setup_cmd'] += " epel-rpm-macros" + +config_opts['dnf.conf'] += """ + +# repos + +[ol8_epel] +name=Oracle Linux 8 EPEL ($basearch) +baseurl=https://yum.oracle.com/repo/OracleLinux/OL8/developer/EPEL/$basearch +gpgkey=file:///usr/share/distribution-gpg-keys/oraclelinux/RPM-GPG-KEY-oracle-ol8 +gpgcheck=1 +enabled=1 + +""" diff --git a/yum.repos.d/mysecureshell.repo b/yum.repos.d/mysecureshell.repo index 0b72b7f..68a4bd9 100644 --- a/yum.repos.d/mysecureshell.repo +++ b/yum.repos.d/mysecureshell.repo 
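Review bot: In oraclelinux-epel-7.tpl, `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle` is resolved by the host's yum, not inside the chroot, and that path only exists on a host that is itself Oracle Linux; elsewhere key import fails and the build aborts, which is fail-closed but for the wrong reason. The new epel-8 template already uses the packaged key at `/usr/share/distribution-gpg-keys/oraclelinux/RPM-GPG-KEY-oracle-ol8`, so use the matching `gpgkey=file:///usr/share/distribution-gpg-keys/oraclelinux/RPM-GPG-KEY-oracle-ol7` here and both templates verify against a known, host-independent key. Note also that `chroot_setup_cmd` is assigned with `=` in the epel-7 template but appended with `+=` in epel-8, so on OL7 the explicit package list from oraclelinux-7.tpl is discarded in favour of `@buildsys-build` from the EPEL comps; a one-line comment stating that this is intentional would save the next reader a diff.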
@@ -1,5 +1,5 @@
 [mysecureshell]
 name=MySecureShell
 baseurl=http://mysecureshell.free.fr/repository/index.php/fedora/19/
-enabled=1
+enabled=0
 gpgcheck=0
diff --git a/yum.repos.d/remi-safe.repo b/yum.repos.d/remi-safe.repo
index ab9d481..30879f1 100644
--- a/yum.repos.d/remi-safe.repo
+++ b/yum.repos.d/remi-safe.repo
@@ -7,7 +7,7 @@ name=Safe Remi's RPM repository for Enterprise Linux 8 - $basearch
 #baseurl=http://rpms.remirepo.net/enterprise/8/safe/$basearch/
 #mirrorlist=https://rpms.remirepo.net/enterprise/8/safe/$basearch/httpsmirror
 mirrorlist=http://cdn.remirepo.net/enterprise/8/safe/$basearch/mirror
-enabled=1
+enabled=0
 gpgcheck=1
 repo_gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi.el8
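Review bot: Disabling the repo is the right direction, but the section keeps `gpgcheck=0` over a plain `http://` baseurl, so a single `--enablerepo=mysecureshell` (or any tool that toggles enabled flags) re-exposes the host to unsigned packages fetched in cleartext. The baseurl targets Fedora 19 while the other repo in this diff is an EL8 one, so the file is almost certainly dead; delete it outright, or if it must stay set `gpgcheck=1` with a `gpgkey=` entry so it cannot be enabled unverified.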