From db816d3d0b7e0cc440aa456a7bdb9ece9988ecee Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Fri, 29 Jun 2018 10:38:23 +0200
Subject: [PATCH 1/2] Vagrant/Puppet: prevent man-in-the-middle attacks
---
 .puppet/manifests/puppet.sh | 2 +-
 .puppet/modules/epel/manifests/init.pp | 2 +-
 .puppet/modules/icinga_packages/manifests/init.pp | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.puppet/manifests/puppet.sh b/.puppet/manifests/puppet.sh
index 01463be51..7afe4db36 100644
--- a/.puppet/manifests/puppet.sh
+++ b/.puppet/manifests/puppet.sh
@@ -10,7 +10,7 @@ RELEASEVER=$(rpm -q --qf "%{VERSION}" $(rpm -q --whatprovides redhat-release))
 case $RELEASEVER in
 6|7)
- PUPPET="http://yum.puppetlabs.com/puppetlabs-release-el-${RELEASEVER}.noarch.rpm"
+ PUPPET="https://yum.puppetlabs.com/puppetlabs-release-el-${RELEASEVER}.noarch.rpm"
 ;;
 *)
 echo "Unknown release version: $RELEASEVER" >&2
diff --git a/.puppet/modules/epel/manifests/init.pp b/.puppet/modules/epel/manifests/init.pp
index 2792ff918..eb888ea6b 100644
--- a/.puppet/modules/epel/manifests/init.pp
+++ b/.puppet/modules/epel/manifests/init.pp
@@ -15,7 +15,7 @@
 class epel {
 yumrepo { 'epel':
- mirrorlist => "http://mirrors.fedoraproject.org/mirrorlist?repo=epel-${::operatingsystemmajrelease}&arch=${::architecture}",
+ mirrorlist => "https://mirrors.fedoraproject.org/mirrorlist?repo=epel-${::operatingsystemmajrelease}&arch=${::architecture}",
 enabled => '1',
 gpgcheck => '0',
 descr => "Extra Packages for Enterprise Linux ${::operatingsystemmajrelease} - ${::architecture}"
diff --git a/.puppet/modules/icinga_packages/manifests/init.pp b/.puppet/modules/icinga_packages/manifests/init.pp
index a63d5052b..cee3ccced 100644
--- a/.puppet/modules/icinga_packages/manifests/init.pp
+++ b/.puppet/modules/icinga_packages/manifests/init.pp
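Review bot: Switching `PUPPET` to https only authenticates yum.puppetlabs.com as far as the client that later downloads this URL verifies the server certificate, and it does not verify the release RPM itself; the step that consumes `$PUPPET` lies outside this hunk, so that cannot be confirmed here. If that step fetches with curl or wget it must not pass an insecure/no-certificate-check flag, and if it installs with rpm it must not pass `--nosignature`, otherwise this change buys nothing. Importing the vendor's release signing key before the install and letting rpm verify the package signature would make the bootstrap depend on more than TLS alone.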
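Review bot: The https mirrorlist protects only the list of mirrors, while `gpgcheck => '0'` two lines below still installs EPEL packages from whichever mirror URL the list hands back without signature verification, so tampering with the package download itself is not addressed by this hunk. The minimal fix inside this resource is `gpgcheck => '1',` plus `gpgkey => "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-${::operatingsystemmajrelease}",` (the key location patch 2/2 uses, with the same fact interpolation as `mirrorlist`; constructed from those two). Patch 2/2 in this series replaces this yumrepo block entirely, so the point mainly matters if the series is applied partially or the first commit is cherry-picked.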
@@ -8,10 +8,10 @@
 #
 class icinga_packages {
 yumrepo { 'icinga_packages':
- baseurl => "http://packages.icinga.com/epel/${::operatingsystemmajrelease}/snapshot/",
+ baseurl => "https://packages.icinga.com/epel/${::operatingsystemmajrelease}/snapshot/",
 enabled => '1',
 gpgcheck => '1',
- gpgkey => 'http://packages.icinga.com/icinga.key',
+ gpgkey => 'https://packages.icinga.com/icinga.key',
 descr => "Icinga Repository - ${::architecture}"
 }
 }
From 088e907f9ef571359dd7a3930e27545e9f06a362 Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Fri, 29 Jun 2018 11:05:06 +0200
Subject: [PATCH 2/2] Vagrant/Puppet: prevent man-in-the-middle attacks via the EPEL repo
---
 .puppet/modules/epel/manifests/init.pp | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.puppet/modules/epel/manifests/init.pp b/.puppet/modules/epel/manifests/init.pp
index eb888ea6b..71fb8972f 100644
--- a/.puppet/modules/epel/manifests/init.pp
+++ b/.puppet/modules/epel/manifests/init.pp
@@ -13,12 +13,12 @@
 # include epel
 #
 class epel {
-
- yumrepo { 'epel':
- mirrorlist => "https://mirrors.fedoraproject.org/mirrorlist?repo=epel-${::operatingsystemmajrelease}&arch=${::architecture}",
- enabled => '1',
- gpgcheck => '0',
- descr => "Extra Packages for Enterprise Linux ${::operatingsystemmajrelease} - ${::architecture}"
+ exec { 'rpm --import RPM-GPG-KEY-EPEL':
 command => '/bin/rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7',
 }
 -> exec { 'yum install epel-release-latest':
 command => '/bin/yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm',
 creates => '/etc/yum.repos.d/epel.repo',
 }
 }
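Review bot: With `gpgcheck => '1'` already in place the https `gpgkey` URL is a real improvement, but the signing key is still trusted on first fetch, so package authenticity at bootstrap still reduces to the TLS connection to packages.icinga.com. To take the network out of that trust decision, ship the key as a file in the module, deploy it with a `file` resource, and point the repo at the local copy, e.g. `gpgkey => 'file:///etc/pki/rpm-gpg/<KEY_FILE>',` (path is a placeholder); yum then verifies packages against a key that came from this repository rather than from the download it is supposed to protect.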
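Review bot: Both new `command` strings hard-code the EL7 key and `epel-release-latest-7` while the removed yumrepo derived the release from `${::operatingsystemmajrelease}`, and puppet.sh in patch 1/2 still accepts release 6, so on an EL6 box this imports the wrong key and installs the EL7 epel-release. Double-quoted strings with the fact restore the old behaviour: `command => "/bin/rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-${::operatingsystemmajrelease}",` and `command => "/bin/yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-${::operatingsystemmajrelease}.noarch.rpm",`. The `rpm --import` exec has no `unless`/`creates` guard, so it re-downloads and re-imports the key on every Puppet run; `unless => '/bin/rpm -q gpg-pubkey-<EPEL_KEY_ID>'` (key id is a placeholder) would make it idempotent. Note also that `yum install <url>` verifies a URL-installed RPM's signature only when `localpkg_gpgcheck` is enabled in yum.conf (off by default, as far as I recall), so the epel-release package itself is still authenticated by TLS alone and the imported key protects only what is installed from the resulting repo afterwards.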