feat: ensure crypto-policices are managed before yumrepos

- ensure crypto_policies are set before creating yum yumrepos - ensure that they rpmdb is rebuilt after upgrading to el9
2024-12-08 20:26:09 +11:00 · 2024-12-08 20:26:09 +11:00 · 024924d677
commit 024924d677
parent dbccaea24b
2 changed files with 16 additions and 9 deletions
--- a/site/profiles/manifests/defaults.pp
+++ b/site/profiles/manifests/defaults.pp
@ -9,8 +9,9 @@ class profiles::defaults {

  Package {
    ensure  => present,
-    require => Class['profiles::base::repos']
-
+    require => [
+      Class['profiles::base::repos'],
+    ]
  }

  File {
@ -34,7 +35,10 @@ class profiles::defaults {
    ensure     => 'present',
    enabled    => 1,
    gpgcheck   => 1,
-    require    => Class['profiles::pki::vaultca'],
+    require    => [
+      Class['profiles::pki::vaultca'],
+      Class['crypto_policies'],
+    ],
    notify     => Exec['dnf_makecache'],
  }
 }
--- a/site/profiles/manifests/yum/global.pp
+++ b/site/profiles/manifests/yum/global.pp
@ -16,12 +16,15 @@ class profiles::yum::global (
    purge => $purge,
  }

-  #exec {'purge_almalinux_default_repos':
-  #  command => 'rm -f /etc/yum.repos.d/almalinux*.repo',
-  #  path    => ['/bin', '/usr/bin'],
-  #  onlyif  => 'find /etc/yum.repos.d/ -type f -name *almalinux* | grep .',
-  #  before  => Resources['yumrepo'],
-  #}
+  # el9 needs to rpmdb rebuild after crypto-policies
+  if $facts['os']['release']['major'] == '9' {
+    exec { 'rebuild_rpmdb':
+      command => '/usr/bin/rpmdb --rebuilddb && /usr/bin/touch /root/almalinux9_upgrade_rebuilddb_flag',
+      unless  => '/usr/bin/test -f /root/almalinux9_upgrade_rebuilddb_flag',
+      timeout => 180,
+      require => Class['crypto_policies'],
+    }
+  }

  # download all gpg keys if a repo defines it
  $repos.each |$name, $repo| {