Releases watchmaker 0.16.6 (#1036)
Releases watchmaker 0.16.6
lorengordon authored Dec 5, 2019
2 parents d2125b0 + 3ecd58e commit c34c7c9
Showing 26 changed files with 129 additions and 81 deletions.
2 changes: 1 addition & 1 deletion .bumpversion.cfg
@@ -1,5 +1,5 @@
[bumpversion]
current_version = 0.16.5
current_version = 0.16.6
commit = False
tag = False
tag_name = {new_version}
10 changes: 3 additions & 7 deletions .gitlab-ci.yml
@@ -1,14 +1,10 @@
image: ${IMAGE}

before_script:
- sudo yum -y install python36 python36-libs python36-setuptools
- sudo python3.6 -m ensurepip --upgrade
- test -f /usr/bin/pip3 || sudo ln -sf /usr/local/bin/pip3 /usr/bin/pip3
- sudo pip3 install --upgrade -r requirements/docs.txt
- sudo pip3 install -e .

pages:
stage: deploy
before_script:
- pip3 install --upgrade -r requirements/docs.txt
- pip3 install -e .
script:
- sphinx-build -a -E -b html docs public
artifacts:
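Review bot: the `pages` job's `before_script` now assumes `${IMAGE}` already provides `pip3` and lets the job user install packages, because the `yum -y install python36` and `ensurepip` steps are gone and the `pip3` calls no longer use `sudo`. State that requirement in a comment next to `image: ${IMAGE}` so that a change of image fails with an obvious cause rather than at `pip3 install`.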
40 changes: 40 additions & 0 deletions .mergify.yml
@@ -0,0 +1,40 @@
pull_request_rules:
- name: automatic approve dependabot pull requests
conditions:
- author~=dependabot\[bot\]|dependabot-preview\[bot\]
- status-success=continuous-integration/travis-ci/pr
- status-success=continuous-integration/appveyor/pr
- status-success=codecov/project
- status-success=codecov/patch
actions:
review:
type: APPROVE
# For salt-formula updates, trigger codebuild, merge on codebuild status
- name: write issue comment to start codebuild job
conditions:
- author~=dependabot\[bot\]|dependabot-preview\[bot\]
- label=submodules
- "#approved-reviews-by>=1"
actions:
comment:
message: go codebuild go

- name: automatic merge for dependabot pull requests
conditions:
- author~=dependabot\[bot\]|dependabot-preview\[bot\]
- label=submodules
- status-success=codebuild/pr
- "#approved-reviews-by>=1"
actions:
merge:
method: merge

# For regular dependabot pr, automatically merge on approve
- name: automatic merge for dependabot pull requests
conditions:
- author~=dependabot\[bot\]|dependabot-preview\[bot\]
- "#approved-reviews-by>=1"
- label!=submodules
actions:
merge:
method: merge
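Review bot: the last rule (`label!=submodules`) merges on `#approved-reviews-by>=1` alone and carries no `status-success` conditions of its own, so as far as this file shows the CI gate exists only indirectly through the auto-approve rule; an approval from any other reviewer before Travis, AppVeyor and Codecov report would satisfy it. Repeat the four `status-success` conditions on that merge rule. Two smaller points: both merge rules are named `automatic merge for dependabot pull requests`, which makes them hard to tell apart in the rule status, and the `author~=` pattern is unanchored, so `^(dependabot|dependabot-preview)\[bot\]$` would state the intent exactly.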
11 changes: 3 additions & 8 deletions .travis.yml
Expand Up @@ -39,11 +39,6 @@ before_script:
after_failure:
- more .tox/log/* | cat
- more .tox/*/log/* | cat
before_cache:
- rm -rf $HOME/.cache/pip/log
cache:
directories:
- "$HOME/.cache/pip"
notifications:
email:
on_success: never
Expand All @@ -67,7 +62,7 @@ jobs:
env:
- TOXENV=docs
- stage: deploy
if: branch = develop OR tag is present
if: type != pull_request AND (branch = develop OR tag is present)
python: 2.7
install: pip install m2r
script: echo "Deploying..."
Expand All @@ -90,7 +85,7 @@ jobs:
on:
tags: true
- stage: deploy
if: branch in (env(RELEASE_BRANCH), develop) OR tag is present
if: type != pull_request AND (branch in (master, develop) OR tag is present)
python: 3.6
install:
- echo "Install"
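Review bot: `master` is now hard-coded in this stage condition (`branch in (master, develop)`) and again in the `on: branch: master` deploy block further down, where both previously read `RELEASE_BRANCH`, while `$RELEASE_BUCKET` and `$S3_KEYFIX` still come from the environment. If dropping the variable is intentional, a short comment tying the two `master` references together would keep them from drifting apart; the `type != pull_request` guard also deserves a comment saying it keeps the deploy stage off pull request builds.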
Expand All @@ -110,7 +105,7 @@ jobs:
script: satsuki
skip_cleanup: true
on:
branch: $RELEASE_BRANCH
branch: master
- provider: s3
bucket: $RELEASE_BUCKET
upload-dir: $S3_KEYFIX
13 changes: 12 additions & 1 deletion CHANGELOG.md
@@ -1,5 +1,16 @@
## Changelog

### 0.16.6

**Commit Delta**: [Change from 0.16.5 release](https://github.com/plus3it/watchmaker/compare/0.16.5...0.16.6)

**Released**: 2019.12.04

**Summary**:

* Uses CDN URLs for watchmaker config and content, instead of direct S3 URLs
* Pins `backoff` dependency when running on Python 3.4 or earlier

### 0.16.5

**Commit Delta**: [Change from 0.16.4 release](https://github.com/plus3it/watchmaker/compare/0.16.4...0.16.5)
Expand Down Expand Up @@ -298,7 +309,7 @@

* Provides standalone packages that bundle the Python runtime together with
Watchmaker and its dependencies
- See <https://watchmaker.readthedocs.io/en/stable/installation.html>
- See <https://watchmaker.cloudarmor.io/en/stable/installation.html>
* ash-linux-formula
- (el7) Ensures packages are up-to-date
- (el7) Ensures firewalld is installed and running
1 change: 1 addition & 0 deletions MANIFEST.in
Expand Up @@ -9,6 +9,7 @@ include .coveragerc
include .editorconfig
include .gitmodules
include .pylintrc
include .mergify.yml

include AUTHORS.md
include CHANGELOG.md
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -23,4 +23,4 @@ services.
## Documentation

For more information on installing and using Watchmaker, go to
<https://watchmaker.readthedocs.io>.
<https://watchmaker.cloudarmor.io>.
4 changes: 2 additions & 2 deletions azure-pipelines.yml
Expand Up @@ -129,7 +129,7 @@ jobs:
sourceFolder: $(deployStage)\standalone\dist\
- task: S3Upload@1
displayName: upload standalone binaries to s3 (release)
condition: eq(variables['build.sourceBranch'], 'refs/tags/*')
condition: startsWith(variables['build.sourceBranch'], 'refs/tags/')
inputs:
awsCredentials: dev-lab
targetFolder: $(keyPrefix)
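Review bot: `startsWith(variables['build.sourceBranch'], 'refs/tags/')` matches every tag, so any tag pushed to the repository will trigger the S3 upload here and the satsuki GitHub deploy below. If only version tags are meant to release, tighten the condition or add a comment stating that all tags are release tags. The same expression is duplicated in both tasks; a single pipeline variable would keep them consistent.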
Expand All @@ -145,4 +145,4 @@ jobs:
python -m pip install -r $(deployStage)\$(deployArtifactName)\deploy.txt
satsuki
displayName: deploy to github with satsuki
condition: eq(variables['build.sourceBranch'], 'refs/tags/*')
condition: startsWith(variables['build.sourceBranch'], 'refs/tags/')
2 changes: 1 addition & 1 deletion docs/conf.py
Expand Up @@ -365,6 +365,6 @@
linkcheck_ignore = [
r'https://github.com/plus3it/watchmaker/compare/(\d+\.){3}\.(\.\d+){3}',
r'https://github.com/plus3it/watchmaker/compare/(\d+\.){3}\.(\.x){3}',
r'https://s3.amazonaws.com/watchmaker/releases/(.*)$',
r'https://watchmaker.cloudarmor.io/releases/(.*)$',
r'https://docs\.saltstack\.com/en/latest/ref/modules/all/[a-z\.]*#[a-z\.]*'
]
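Review bot: the new `linkcheck_ignore` entry leaves the dots in the host unescaped (`watchmaker.cloudarmor.io`), so each `.` matches any character, whereas the `docs\.saltstack\.com` entry just below escapes them. Write it as `r'https://watchmaker\.cloudarmor\.io/releases/(.*)$'` to match only the intended host.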
10 changes: 5 additions & 5 deletions docs/configuration.md
Expand Up @@ -156,7 +156,7 @@ all:
computer_name: None
environment: None
ou_path: None
salt_content: https://s3.amazonaws.com/watchmaker/salt-content.zip
salt_content: None
salt_states: Highstate
user_formulas:
# To add extra formulas, specify them as a map of
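Review bot: the documented default for `salt_content` changes from a URL to `None`, not to a CDN URL like the other entries in this file, and the 0.16.6 changelog summary only mentions switching to CDN URLs. If the default content source really moved or was removed, call that out in the changelog and say here where the content comes from when `salt_content` is `None`.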
Expand All @@ -177,16 +177,16 @@ linux:
- redhat
- centos
el_version: 6
url: https://s3.amazonaws.com/watchmaker/yum.defs/saltstack/salt/2016.11.9/salt-reposync-el6.repo
url: https://watchmaker.cloudarmor.io/yum.defs/saltstack/salt/2016.11.9/salt-reposync-el6.repo
- dist: amazon
el_version: 6
url: https://s3.amazonaws.com/watchmaker/yum.defs/saltstack/salt/2016.11.9/salt-reposync-amzn.repo
url: https://watchmaker.cloudarmor.io/yum.defs/saltstack/salt/2016.11.9/salt-reposync-amzn.repo
#SaltEL7:
- dist:
- redhat
- centos
el_version: 7
url: https://s3.amazonaws.com/watchmaker/yum.defs/saltstack/salt/2016.11.9/salt-reposync-el7.repo
url: https://watchmaker.cloudarmor.io/yum.defs/saltstack/salt/2016.11.9/salt-reposync-el7.repo
- salt:
salt_debug_log: None
install_method: yum
Expand All @@ -197,7 +197,7 @@ linux:
windows:
- salt:
salt_debug_log: None
installer_url: https://s3.amazonaws.com/watchmaker/repo/saltstack/salt/windows/Salt-Minion-2016.11.6-AMD64-Setup.exe
installer_url: https://watchmaker.cloudarmor.io/repo/saltstack/salt/windows/Salt-Minion-2016.11.6-AMD64-Setup.exe
```

[0]: https://yaml.org/spec/1.2/spec.html
6 changes: 3 additions & 3 deletions docs/faq.md
Expand Up @@ -70,7 +70,7 @@ present, the value is passed directly to the `exclude` option of the
To use this option with watchmaker from the command line, pass the argument
`--exclude-states <sls_glob>`. For example:

```
```shell
# Exclude the state "foo" with an exact match
watchmaker --exclude-states foo

Expand All @@ -91,7 +91,7 @@ using the `-c|--config-dir` argument:

For example:

```
```shell
# -c|--config-dir
salt-call -c /opt/watchmaker/salt state.show_top
```
Expand Down Expand Up @@ -131,7 +131,7 @@ In order to install pip in Python 2.6, you can get it from:
Once a Python 2.6-compatible ``pip`` version is installed, you can install
compatible versions of the other packages like this:

```
```shell
pip install --upgrade "pip<10" "wheel<0.30.0" "setuptools<37"
```

32 changes: 16 additions & 16 deletions docs/findings/el7.md
Expand Up @@ -13,7 +13,7 @@

The "stock" `/etc/ssh/sshd_config` file typically contains a commented-out line for the `LogLevel` parameter similar to the following:

~~~
```shell
[...elided...]

#SyslogFacility AUTH
Expand All @@ -23,19 +23,19 @@ SyslogFacility AUTHPRIV
# Authentication:

[...elided...]
~~~
```

When the vendor includes a commented-out parameter-value in the configuration-file, it signifies that the paramter is set to the value shown on the commented out line. This can be further confirmed by consulting the associated manual page (see: |sshdconfig|_):

~~~
```shell
LogLevel
Gives the verbosity level that is used when logging messages from
sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO,
VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
higher levels of debugging output. Logging with a DEBUG level
violates the privacy of users and is not recommended.
~~~
```

Note: _If it is desired to alter from the default_, it is typically recommended to change to `VERBOSE` — particularly if key-based logins are in use. This setting will cause the SSH daemon to record the fingerprints of presented-keys.

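Review bot: the `shell` tag on the first two fences is applied to an `sshd_config` excerpt and a man page extract, neither of which is shell, and later in this file the sample `rpm` output listing is tagged `bash`. Use `text` (or leave the fence untagged) for config, man page and output blocks and keep `bash` for the commands. While this paragraph is being touched, "paramter" between the two fences could be corrected to "parameter".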
Expand Down Expand Up @@ -64,17 +64,17 @@ Some scanners implement an "intentional fail" for this audit-item. This is desig

This automation has the underlying assumption that all RPM-managed SUID files — be it by the OS vendor or the provider of the software _hosted by_ the OS — is implicitly authorized. A way to quickly-verify compliance with this assumption is to execute:

~~~bash
```bash
for SUID in $( find / -user root -perm -4000 -print 2> /dev/null )
do
printf "%s: " "${SUID}"
rpm --qf '%{name}\t%{vendor}\n' -qf "$SUID"
done | awk '{printf("%-40s\t%-12s\t%s\n",$1,$2,$3)}'
~~~
```

Executing the above will output a list similar to:

~~~
```bash
/usr/bin/passwd: passwd CentOS
/usr/bin/pkexec: polkit CentOS
/usr/bin/crontab: cronie CentOS
Expand All @@ -92,7 +92,7 @@ Executing the above will output a list similar to:
/usr/sbin/unix_chkpwd: pam CentOS
/usr/lib/polkit-1/polkit-agent-helper-1: polkit CentOS
/usr/libexec/dbus-1/dbus-daemon-launch-helper: dbus CentOS
~~~
```

If any listed files are not displayed as being from the OS-vendor (typically "CentOS" or "RedHat") or the vendor of the hosted application, investigate further to determine if the file meets site-specific authorization-criteria.

Expand All @@ -106,10 +106,10 @@ Third-party security scanners will frequently call out missing filesystem mount

This is a scan error — most likely due to an improperly-formatted search-expression. The watchmaker utilities set the `noexec` Option for `/dev/shm` Pseudo-Filesystem in the `/etc/fstab` configuration file. This can be verified with the following commands.

~~~
```bash
grep -E '\s\/dev\/shm\s.*noexec' /proc/mounts
grep -E '\s\/dev\/shm\s.*noexec' /etc/fstab
~~~
```

The above verifies that the mounted `/dev/shm` has the desired mount-option set and that the setting will persist after a reboot.

Expand All @@ -121,10 +121,10 @@ Because scanners typically assume that `/tmp` will be a standard, disk-based fil

To properly verify that Watchmaker has applied the required mount-option to the systemd-managed `/tmp` mount:

~~~
```bash
grep -E '\s\/tmp\s.*nodev' /proc/mounts
grep nodev /etc/systemd/system/tmp.mount.d/options.conf
~~~
```

The above verifies that the mounted `/tmp` has the desired mount-option set and that the setting will persist after a reboot.

Expand All @@ -136,10 +136,10 @@ Because scanners typically assume that `/tmp` will be a standard, disk-based fil

To properly verify that Watchmaker has applied the required mount-option to the systemd-managed `/tmp` mount:

~~~
```bash
grep -E '\s\/tmp\s.*noexec' /proc/mounts
grep noexec /etc/systemd/system/tmp.mount.d/options.conf
~~~
```

The above verifies that the mounted `/tmp` has the desired mount-option set and that the setting will persist after a reboot.

Expand All @@ -151,10 +151,10 @@ Because scanners typically assume that `/tmp` will be a standard, disk-based fil

To properly verify that Watchmaker has applied the required mount-option to the systemd-managed `/tmp` mount:

~~~
```bash
grep -E '\s\/tmp\s.*nosuid' /proc/mounts
grep nosuid /etc/systemd/system/tmp.mount.d/options.conf
~~~
```

The above verifies that the mounted `/tmp` has the desired mount-option set and that the setting will persist after a reboot.

16 changes: 8 additions & 8 deletions docs/installation.md
Expand Up @@ -81,29 +81,29 @@ Linux.
and corresponding SHA256 hashes. To access versions on S3, construct a
URL using these examples for version 0.9.7:
* https://s3.amazonaws.com/watchmaker/releases/0.9.7/watchmaker-0.9.7-standalone-linux-x86_64
* https://s3.amazonaws.com/watchmaker/releases/0.9.7/watchmaker-0.9.7-standalone-windows-amd64.exe
* https://watchmaker.cloudarmor.io/releases/0.9.7/watchmaker-0.9.7-standalone-linux-x86_64
* https://watchmaker.cloudarmor.io/releases/0.9.7/watchmaker-0.9.7-standalone-windows-amd64.exe
* Links to the latest versions of Watchmaker and SHA hashes on S3 are:
* https://s3.amazonaws.com/watchmaker/releases/latest/watchmaker-latest-standalone-linux-x86_64
* https://s3.amazonaws.com/watchmaker/releases/latest/watchmaker-latest-sha256-linux-x86_64.json
* https://s3.amazonaws.com/watchmaker/releases/latest/watchmaker-latest-standalone-windows-amd64.exe
* https://s3.amazonaws.com/watchmaker/releases/latest/watchmaker-latest-sha256-windows-amd64.json
* https://watchmaker.cloudarmor.io/releases/latest/watchmaker-latest-standalone-linux-x86_64
* https://watchmaker.cloudarmor.io/releases/latest/watchmaker-latest-sha256-linux-x86_64.json
* https://watchmaker.cloudarmor.io/releases/latest/watchmaker-latest-standalone-windows-amd64.exe
* https://watchmaker.cloudarmor.io/releases/latest/watchmaker-latest-sha256-windows-amd64.json
* From PowerShell, the Windows package can be downloaded
as follows:
```ps1con
PS C:\wam> $url = "https://s3.amazonaws.com/watchmaker/releases/latest/watchmaker-latest-standalone-windows-amd64.exe"
PS C:\wam> $url = "https://watchmaker.cloudarmor.io/releases/latest/watchmaker-latest-standalone-windows-amd64.exe"
PS C:\wam> (New-Object System.Net.WebClient).DownloadFile($url, "watchmaker.exe")
```
* From the command line, the Linux package can be downloaded
as follows:
```console
# curl -so watchmaker https://s3.amazonaws.com/watchmaker/releases/latest/watchmaker-latest-standalone-linux-x86_64
# curl -so watchmaker https://watchmaker.cloudarmor.io/releases/latest/watchmaker-latest-standalone-linux-x86_64
```
* For the latest package, the version of Watchmaker can be determined by
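Review bot: the unchanged lead-in text still says "To access versions on S3" and "Links to the latest versions of Watchmaker and SHA hashes on S3", but every URL beneath now points at `watchmaker.cloudarmor.io`; reword those two lines to match. Since the `sha256` JSON files are listed right above the PowerShell and `curl` download examples, it would also help to show checking the downloaded binary against the published hash.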