spec/acceptance/nodesets/default.yml in simp-rake-helpers-5.7.1 vs spec/acceptance/nodesets/default.yml in simp-rake-helpers-5.8.0
- old
+ new
@@ -16,15 +16,40 @@
- 'yum install -y facter rubygem-json'
# simp build-deps
- 'yum install -y rpm-build augeas-devel createrepo genisoimage git gnupg2 libicu-devel libxml2 libxml2-devel libxslt libxslt-devel rpmdevtools which'
# rvm build-deps
- 'yum install -y libyaml-devel glibc-headers autoconf gcc-c++ glibc-devel readline-devel libffi-devel openssl-devel automake libtool bison sqlite-devel'
- - 'runuser build_user -l -c "{ gpg2 --keyserver hkp://pgp.mit.edu --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 || gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3; } || { gpg2 --keyserver hkp://pgp.mit.edu --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB || gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB ; }"'
- - 'runuser build_user -l -c "curl -sSL https://get.rvm.io | bash -s stable"'
+
+ #
+ # Do our best to get one of the keys from at one of the servers, and to
+ # trust the right ones if the GPG keyservers return bad keys
+ #
+ # These are the keys we want:
+ #
+ # 409B6B1796C275462A1703113804BB82D39DC0E3 # mpapis@gmail.com
+ # 7D2BAF1CF37B13E2069D6956105BD0E739499BDB # piotr.kuczynski@gmail.com
+ #
+ # See:
+ # - https://rvm.io/rvm/security
+ # - https://github.com/rvm/rvm/blob/master/docs/gpg.md
+ # - https://github.com/rvm/rvm/issues/4449
+ # - https://github.com/rvm/rvm/issues/4250
+ # - https://seclists.org/oss-sec/2018/q3/174
+ #
+ # NOTE (mostly to self): In addition to RVM's documented procedures,
+ # importing from https://keybase.io/mpapis may be a practical
+ # alternative for 409B6B1796C275462A1703113804BB82D39DC0E3:
+ #
+ # curl https://keybase.io/mpapis/pgp_keys.asc | gpg2 --import
+ #
+ - 'runuser build_user -l -c "for i in {1..5}; do { gpg2 --keyserver hkp://pool.sks-keyservers.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 || gpg2 --keyserver hkp://pgp.mit.edu --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 || gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3; } && break || sleep 1; done"'
+ - 'runuser build_user -l -c "for i in {1..5}; do { gpg2 --keyserver hkp://pool.sks-keyservers.net --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB || gpg2 --keyserver hkp://pgp.mit.edu --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB || gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB; } && break || sleep 1; done"'
+# - 'runuser build_user -l -c "gpg2 --refresh-keys"'
+ - 'runuser build_user -l -c "curl -sSL https://raw.githubusercontent.com/rvm/rvm/stable/binscripts/rvm-installer -o rvm-installer && curl -sSL https://raw.githubusercontent.com/rvm/rvm/stable/binscripts/rvm-installer.asc -o rvm-installer.asc && gpg2 --verify rvm-installer.asc rvm-installer && bash rvm-installer"'
- 'runuser build_user -l -c "rvm install 2.4"'
- 'runuser build_user -l -c "rvm use --default 2.4"'
- - 'runuser build_user -l -c "rvm all do gem install bundler"'
+ - 'runuser build_user -l -c "rvm all do gem install bundler -v \"~> 1.16\""'
mount_folders:
folder1:
host_path: ./
container_path: /host_files
docker_preserve_image: true
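Review bot: The `gpg2 --verify rvm-installer.asc rvm-installer` step in the new installer line accepts a good signature from any key in build_user's keyring, not only the two fingerprints pinned in the comment block. The comment itself anticipates keyservers returning bad keys, and the keys are fetched over plain `hkp://`, so the check should bind to the fingerprints, for example by adding `gpg2 --status-fd 1 --verify rvm-installer.asc rvm-installer | grep -Eq "VALIDSIG .*(409B6B1796C275462A1703113804BB82D39DC0E3|7D2BAF1CF37B13E2069D6956105BD0E739499BDB)"` after the existing verify. The quoting will need adjusting inside the YAML string. The same installer line appears in the second hunk, where `gpg2 --refresh-keys` also runs before the verify and can change what the keyring holds.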
@@ -37,22 +62,51 @@
image: centos:7
docker_cmd: '/sbin/sshd; tail -f /dev/null'
docker_image_commands:
- 'yum install -y epel-release'
- 'ln -sf /bin/true /usr/bin/systemctl'
+ # Work around regression in beaker-docker
+ # https://github.com/puppetlabs/beaker-docker/pull/15/files
+ - 'yum install -y sudo openssh-server openssh-clients'
+ - "sed -ri 's/^#?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config"
+ - "sed -ri 's/^#?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config"
+ - "sed -ri 's/^#?UseDNS .*/UseDNS no/' /etc/ssh/sshd_config"
- "echo 'Defaults:build_user !requiretty' >> /etc/sudoers"
- "echo 'build_user ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers"
- 'useradd -b /home -m -c "Build User" -s /bin/bash -U build_user'
- 'yum install -y facter rubygem-json'
# simp build-deps
- 'yum install -y rpm-build augeas-devel createrepo genisoimage git gnupg2 libicu-devel libxml2 libxml2-devel libxslt libxslt-devel rpmdevtools clamav-update which'
+
# rvm build-deps
- - 'yum install -y libyaml-devel glibc-headers autoconf gcc-c++ glibc-devel readline-devel libffi-devel openssl-devel automake libtool bison sqlite-devel'
- - 'runuser build_user -l -c "{ gpg2 --keyserver hkp://pgp.mit.edu --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 || gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3; } || { gpg2 --keyserver hkp://pgp.mit.edu --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB || gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB ; }"'
- - 'runuser build_user -l -c "curl -sSL https://get.rvm.io | bash -s stable"'
+ #
+ # Do our best to get one of the keys from at one of the servers, and to
+ # trust the right ones if the GPG keyservers return bad keys
+ #
+ # These are the keys we want:
+ #
+ # 409B6B1796C275462A1703113804BB82D39DC0E3 # mpapis@gmail.com
+ # 7D2BAF1CF37B13E2069D6956105BD0E739499BDB # piotr.kuczynski@gmail.com
+ #
+ # See:
+ # - https://rvm.io/rvm/security
+ # - https://github.com/rvm/rvm/blob/master/docs/gpg.md
+ # - https://github.com/rvm/rvm/issues/4449
+ # - https://github.com/rvm/rvm/issues/4250
+ # - https://seclists.org/oss-sec/2018/q3/174
+ #
+ # NOTE (mostly to self): In addition to RVM's documented procedures,
+ # importing from https://keybase.io/mpapis may be a practical
+ # alternative for 409B6B1796C275462A1703113804BB82D39DC0E3:
+ #
+ # curl https://keybase.io/mpapis/pgp_keys.asc | gpg2 --import
+ #
+ - 'runuser build_user -l -c "for i in {1..5}; do { gpg2 --keyserver hkp://pgp.mit.edu --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 || gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3; } && { gpg2 --keyserver hkp://pgp.mit.edu --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB || gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 7D2BAF1CF37B13E2069D6956105BD0E739499BDB; } && break || sleep 1; done"'
+ - 'runuser build_user -l -c "gpg2 --refresh-keys"'
+ - 'runuser build_user -l -c "curl -sSL https://raw.githubusercontent.com/rvm/rvm/stable/binscripts/rvm-installer -o rvm-installer && curl -sSL https://raw.githubusercontent.com/rvm/rvm/stable/binscripts/rvm-installer.asc -o rvm-installer.asc && gpg2 --verify rvm-installer.asc rvm-installer && bash rvm-installer"'
- 'runuser build_user -l -c "rvm install 2.4"'
- 'runuser build_user -l -c "rvm use --default 2.4"'
- - 'runuser build_user -l -c "rvm all do gem install bundler"'
+ - 'runuser build_user -l -c "rvm all do gem install bundler -v \"~> 1.16\""'
- 'yum install -y rpm-sign'
mount_folders:
folder1:
host_path: ./
container_path: /host_files
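Review bot: The added `sed` lines turn on `PermitRootLogin yes` and `PasswordAuthentication yes` in the image's sshd_config, and the only comment calls this a beaker-docker workaround without saying the result is test-only. A comment above them such as `# TEST ONLY: enables root password login over SSH for beaker; never publish or reuse this image outside disposable test runs` would keep the setting from being copied into a longer-lived image. Whether the container's SSH port is reachable beyond the Docker host is not visible in this hunk and is worth confirming in the beaker configuration.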