From c9155826f4c88465bde7e2df3623a31416a832af Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Wed, 2 Feb 2022 09:19:01 +0000
Subject: [PATCH] Remove special handling of pre-Bullseye Debian distros

---
 roles/float-base-docker/tasks/podman_debian.yml | 4 ----
 roles/float-base-docker/templates/run.sh.j2 | 5 -----
 roles/float-base-docker/templates/systemd.j2 | 4 ----
 roles/float-base/tasks/apt.yml | 13 ++++++-------
 roles/float-base/tasks/harden.yml | 2 +-
 roles/float-base/tasks/prometheus.yml | 7 -------
 roles/float-base/templates/sources.list.j2 | 5 -----
 .../float-infra-dns/templates/bind/named.conf.local | 11 -----------
 .../templates/bind/named.conf.options | 3 ---
 roles/float-infra-haproxy/templates/haproxy.cfg.j2 | 2 --
 roles/float-infra-nginx/templates/nginx-upstream.j2 | 2 --
 11 files changed, 7 insertions(+), 51 deletions(-)

diff --git a/roles/float-base-docker/tasks/podman_debian.yml b/roles/float-base-docker/tasks/podman_debian.yml
index ba4e212f..3ed64cc6 100644
--- a/roles/float-base-docker/tasks/podman_debian.yml
+++ b/roles/float-base-docker/tasks/podman_debian.yml
@@ -3,10 +3,6 @@
 # Install Podman using packages from the Debian distribution
 # (available starting with Bullseye).
 
-- fail:
- msg: "Debian packages for Podman are only present in Bullseye"
- when: "float_debian_dist in ('stretch', 'buster')"
-
 - name: Remove podman Kubic repository key
 file:
 path: "/etc/apt/trusted.gpg.d/kubic.gpg"
diff --git a/roles/float-base-docker/templates/run.sh.j2 b/roles/float-base-docker/templates/run.sh.j2
index e8afd0f7..4e087808 100644
--- a/roles/float-base-docker/templates/run.sh.j2
+++ b/roles/float-base-docker/templates/run.sh.j2
@@ -114,12 +114,7 @@ done
 # option to get rid of the useless 'podman' process.
 {% if container_runtime == 'podman' %}
 exec /usr/bin/podman run \
-{% if float_debian_dist in ('stretch', 'buster') %}
- --cgroup-manager=cgroupfs \
- --cgroup-parent /system.slice/docker-{{ item.tag }}.service \
-{% else %}
 --cgroups=disabled \
-{% endif %}
 --replace \
 --sdnotify=conmon \
 {% elif container_runtime == 'docker' %}
diff --git a/roles/float-base-docker/templates/systemd.j2 b/roles/float-base-docker/templates/systemd.j2
index 4ed55446..1d45fc12 100644
--- a/roles/float-base-docker/templates/systemd.j2
+++ b/roles/float-base-docker/templates/systemd.j2
@@ -21,12 +21,8 @@ SyslogIdentifier={{ item.service }}-{{ item.container.name }}
 {% if item.container.resources is defined %}
 {% if item.container.resources.ram is defined %}
 MemoryMax={{ item.container.resources.ram }}
-{% if float_debian_dist == 'buster' %}
-ExecStartPost=+/bin/sh -c "echo 0 > /sys/fs/cgroup/memory/system.slice/%n/memory.swappiness"
-{% else %}
 MemorySwapMax=0
 {% endif %}
-{% endif %}
 {% if item.container.resources.cpu is defined %}
 CPUQuota={{ 100 * item.container.resources.cpu }}%
 {% endif %}
diff --git a/roles/float-base/tasks/apt.yml b/roles/float-base/tasks/apt.yml
index 688c869f..5a0a5fb5 100644
--- a/roles/float-base/tasks/apt.yml
+++ b/roles/float-base/tasks/apt.yml
@@ -83,13 +83,11 @@
 state: present
 when: "testing|default(True)"
 
-# mtail 3.0.0~rc19-2 on Buster is broken when reading from named pipes
-# Pin mtail to ai3 repo that ships mtail 3.0.0~rc5-1~bpo9+1
-- name: Force mtail version on buster
- copy:
- src: "mtail.apt-preferences"
- dest: "/etc/apt/preferences.d/99float-syslog"
- when: float_debian_dist == 'buster'
+# Remove legacy stretch/buster mtail package pin.
+- name: Cleanup mtail package pin
+ file:
+ path: "/etc/apt/preferences.d/99float-syslog"
+ state: absent
 
 - name: Install base packages
 apt:
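Review bot: The replacement task drops the only reference to `roles/float-base/files/mtail.apt-preferences` (the removed `src:` line), yet the diffstat in this patch lists no change to that file, so the stale pin definition stays in the repository with nothing consuming it; delete it in the same change so it is not re-applied later by mistake. The removed comment records why the pin existed (mtail rc19 broken when reading from named pipes), and nothing in the hunk shows that the Bullseye mtail package was checked for the same problem, so it is worth confirming on a bullseye host that mtail still reads the syslog named pipe once the pin is gone, since that feeds the log-derived metrics. The new `file: state: absent` cleanup itself is idempotent and fine; I would make the comment say what it undoes rather than only that it is legacy, e.g. `# Drop the /etc/apt/preferences.d/99float-syslog pin that buster hosts got for mtail; bullseye ships a working mtail.`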
@@ -124,6 +122,7 @@
 - auditd
 - audisp-json
 - prometheus-node-exporter
+ - prometheus-node-exporter-collectors
 - assetmon
 
 - name: Install extra packages
diff --git a/roles/float-base/tasks/harden.yml b/roles/float-base/tasks/harden.yml
index aa3de565..3202889f 100644
--- a/roles/float-base/tasks/harden.yml
+++ b/roles/float-base/tasks/harden.yml
@@ -63,7 +63,7 @@
 - name: Audispd plugins configured
 copy:
 src: "audit/plugins.d/{{ item }}"
- dest: "/etc/{{ 'audisp' if float_debian_dist in ('stretch', 'buster') else 'audit' }}/plugins.d/{{ item }}"
+ dest: "/etc/audit/plugins.d/{{ item }}"
 with_items:
 - syslog.conf
 - json.conf
diff --git a/roles/float-base/tasks/prometheus.yml b/roles/float-base/tasks/prometheus.yml
index 8fd76e92..3b63c70b 100644
--- a/roles/float-base/tasks/prometheus.yml
+++ b/roles/float-base/tasks/prometheus.yml
@@ -7,13 +7,6 @@
 notify:
 - reload prometheus-node-exporter
 
-- name: Install prometheus node extra package
- apt:
- name:
- - prometheus-node-exporter-collectors
- state: present
- when: "float_debian_dist not in ('stretch', 'buster')"
-
 - name: Add static metrics
 template:
 src: "{{ item }}.j2"
diff --git a/roles/float-base/templates/sources.list.j2 b/roles/float-base/templates/sources.list.j2
index de7b2e13..939e9edc 100644
--- a/roles/float-base/templates/sources.list.j2
+++ b/roles/float-base/templates/sources.list.j2
@@ -1,10 +1,5 @@
 {% if apt_sources_list_override is defined %}{{ apt_sources_list_override }}{% else %}
 deb http://deb.debian.org/debian {{ float_debian_dist }} main contrib non-free
 deb http://deb.debian.org/debian {{ float_debian_dist }}-updates main contrib non-free
-{% if float_debian_dist in ('stretch', 'buster') %}
-deb http://deb.debian.org/debian {{ float_debian_dist }}-backports main
-deb http://security.debian.org/ {{ float_debian_dist }}/updates main contrib non-free
-{% else %}
 deb http://security.debian.org/debian-security {{ float_debian_dist }}-security main contrib non-free
 {% endif %}
-{% endif %}
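Review bot: The `copy:` that now writes straight into `/etc/audit/plugins.d/` sets no `owner`, `group` or `mode`, so the auditd plugin configuration ends up with whatever the default umask yields; in a task file named harden.yml I would pin them explicitly, `owner: root`, `group: root`, `mode: "0640"`, so a permissive umask cannot leave audit plugin config readable or writable more widely than intended. The task's remaining keys, including any `notify:` that restarts auditd when the file changes, lie outside this hunk, so I cannot see whether a change to these files is actually picked up without a manual restart. Hosts upgraded in place from buster also keep their old copies under `/etc/audisp/plugins.d/`; unlike the mtail pin cleanup elsewhere in this patch nothing removes them — presumably inert on bullseye, but a `file: state: absent` on that directory would keep the two cleanups consistent if in-place upgrades are supported.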
diff --git a/roles/float-infra-dns/templates/bind/named.conf.local b/roles/float-infra-dns/templates/bind/named.conf.local
index 08eb7af0..baa7da72 100644
--- a/roles/float-infra-dns/templates/bind/named.conf.local
+++ b/roles/float-infra-dns/templates/bind/named.conf.local
@@ -8,10 +8,6 @@ view "internal-in" in {
 {% endfor %}
 };
 recursion yes;
-{% if float_debian_dist == 'buster' %}
- additional-from-auth yes;
- additional-from-cache yes;
-{% endif %}
 zone-statistics no;
 
 // Send minimal responses, to avoid problems with the Spamassassin
@@ -33,13 +29,6 @@ view "external-in" in {
 recursion no;
 zone-statistics yes;
 
-{% if float_debian_dist == 'buster' %}
- // Do not trust the cache when generating additional records
- // for our authoritative zones.
- additional-from-auth no;
- additional-from-cache no;
-
-{% endif %}
 
 // Include manually-maintained zones.
 include "/etc/bind/named.conf.external-custom-zones";
diff --git a/roles/float-infra-dns/templates/bind/named.conf.options b/roles/float-infra-dns/templates/bind/named.conf.options
index c15c35f3..fb34501e 100644
--- a/roles/float-infra-dns/templates/bind/named.conf.options
+++ b/roles/float-infra-dns/templates/bind/named.conf.options
@@ -28,9 +28,6 @@ options {
 listen-on-v6 { any; };
 {% endif %}
 
-{% if float_debian_dist == 'buster' %}
- dnssec-enable yes;
-{% endif %}
 dnssec-validation auto;
 
 notify no;
diff --git a/roles/float-infra-haproxy/templates/haproxy.cfg.j2 b/roles/float-infra-haproxy/templates/haproxy.cfg.j2
index e8dce8b4..4fe5770d 100644
--- a/roles/float-infra-haproxy/templates/haproxy.cfg.j2
+++ b/roles/float-infra-haproxy/templates/haproxy.cfg.j2
@@ -4,11 +4,9 @@ global
 group haproxy
 chroot /var/lib/haproxy
 daemon
-{% if float_debian_dist != 'buster' %}
 # use journald-compatibile short format, and don't send 'emerg' level out
 # http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#3.1-log
 log stdout format short local4 info alert
-{% endif %}
 stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
 
 defaults
diff --git a/roles/float-infra-nginx/templates/nginx-upstream.j2 b/roles/float-infra-nginx/templates/nginx-upstream.j2
index caae9648..1b3e6bc9 100644
--- a/roles/float-infra-nginx/templates/nginx-upstream.j2
+++ b/roles/float-infra-nginx/templates/nginx-upstream.j2
@@ -15,10 +15,8 @@ upstream {{ upstream.name }}{% if shard %}_{{ shard }}{% endif %} {
 {% endif %}
 
 keepalive 8;
-{% if float_debian_dist != 'buster' %}
 keepalive_timeout 300s;
 keepalive_requests 1000;
-{% endif %}
 }
 
 {% endmacro %}
-- 
GitLab