diff --git a/.automation.conf/config.sh b/.automation.conf/config.sh
index 84b11dd07..23fd5d819 100644
--- a/.automation.conf/config.sh
+++ b/.automation.conf/config.sh
@@ -24,6 +24,7 @@ if [ ! -z ${KAYOBE_ENVIRONMENT:+x} ]; then
 # SMSLab is currently running with 1G switches. This causes tests using volumes and images to fail if
 # the concurrency is set too high.
 export TEMPEST_CONCURRENCY=1
+ export KAYOBE_AUTOMATION_TEMPEST_SKIPLIST="ci-multinode-platform.2022.11"
 # Uncomment this to perform a full tempest test
 # export KAYOBE_AUTOMATION_TEMPEST_LOADLIST=tempest-full
 # export KAYOBE_AUTOMATION_TEMPEST_SKIPLIST=ci-multinode-tempest-full
diff --git a/.automation.conf/tempest/skip-lists/ci-multinode-platform.2022.11 b/.automation.conf/tempest/skip-lists/ci-multinode-platform.2022.11
new file mode 100644
index 000000000..7f3276e64
--- /dev/null
+++ b/.automation.conf/tempest/skip-lists/ci-multinode-platform.2022.11
@@ -0,0 +1,2 @@
+tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_pagination: "Fails without public TLS"
+tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_details_pagination: "Fails without public TLS"
diff --git a/.automation.conf/tempest/skip-lists/ci-multinode-tempest-full b/.automation.conf/tempest/skip-lists/ci-multinode-tempest-full
index 94c494687..bb3ad2f71 100644
--- a/.automation.conf/tempest/skip-lists/ci-multinode-tempest-full
+++ b/.automation.conf/tempest/skip-lists/ci-multinode-tempest-full
@@ -1 +1,3 @@
+tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_pagination: "Fails without public TLS"
+tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_details_pagination: "Fails without public TLS"
 tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_subnet_details.*: "Cirros image doesn't have '/var/run/udhcpc.eth0.pid"
diff --git a/etc/kayobe/ansible/cis.yml b/etc/kayobe/ansible/cis.yml
index ffb31c2fe..f286aaec4 100644
--- a/etc/kayobe/ansible/cis.yml +++ b/etc/kayobe/ansible/cis.yml @@ -18,6 +18,17 @@ state: absent when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8' + - name: Ensure service accounts have no expiry options set + # This is to workaround an issue where we set the expiry to 365 days on kayobe + # service accounts in a previous iteration of the CIS benchmark hardening + # defaults. This should restore the defaults and can eventually be removed. + command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }} + become: true + changed_when: false + with_items: + - "{{ kayobe_ansible_user }}" + - "{{ kolla_ansible_user }}" + - include_role: name: ansible-lockdown.rhel8_cis when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8' diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index 92c3faecd..29018d01d 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -9,7 +9,7 @@ collections: - name: stackhpc.pulp version: 0.4.1 - name: stackhpc.hashicorp - version: 2.4.0 + version: 2.5.0 - name: stackhpc.kayobe_workflows version: 1.0.3 roles: diff --git a/etc/kayobe/ansible/ubuntu-upgrade.yml b/etc/kayobe/ansible/ubuntu-upgrade.yml index 928e1c52d..66ed49643 100644 --- a/etc/kayobe/ansible/ubuntu-upgrade.yml +++ b/etc/kayobe/ansible/ubuntu-upgrade.yml @@ -5,6 +5,7 @@ hosts: overcloud:infra-vms:seed:seed-hypervisor vars: ansible_python_interpreter: /usr/bin/python3 + reboot_timeout_s: "{{ 20 * 60 }}" tasks: - name: Assert that hosts are running Ubuntu Focal assert: @@ -37,7 +38,7 @@ - name: Reboot to apply updates reboot: - reboot_timeout: 1200 + reboot_timeout: "{{ reboot_timeout_s }}" connect_timeout: 600 become: true when: file_status.stat.exists 
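Review bot: `changed_when: false` on the new `command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}` task hides a real modification of the service accounts' password-aging fields, so a run that lifts expiry reports no change and the play looks idempotent when it is not. For the min/max fields `ansible.builtin.user` with `password_expire_min: 0` and `password_expire_max: 99999` would be both idempotent and accurately reported; the warning and inactivity fields have no module equivalent I can point to from here, so if `command` stays, derive `changed_when` from a prior `chage -l` read instead of forcing it false. The workaround comment should also name the condition for removal rather than "can eventually be removed", e.g. `# Remove once every host has had the hardening re-applied with the expiry rules disabled.` The enclosing play starts outside the hunk.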
@@ -81,6 +82,7 @@ hosts: overcloud:infra-vms:seed:seed-hypervisor vars: ansible_python_interpreter: /usr/bin/python3 + reboot_timeout_s: "{{ 20 * 60 }}" tasks: - name: Ensure Jammy repo definitions do not exist in sources.list blockinfile: @@ -88,9 +90,16 @@ state: absent become: true + - name: Ensure Kolla Ansible Docker repo definition does not exist + file: + path: /etc/apt/sources.list.d/docker.list + state: absent + become: true + when: apt_repositories | selectattr('url', 'match', '.*docker-ce.*') | list | length > 0 + - name: Reboot and wait reboot: - reboot_timeout: 1200 + reboot_timeout: "{{ reboot_timeout_s }}" connect_timeout: 600 become: true diff --git a/etc/kayobe/apt.yml b/etc/kayobe/apt.yml index b23104087..15a4bb7e6 100644 --- a/etc/kayobe/apt.yml +++ b/etc/kayobe/apt.yml 
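Review bot: The new `when: apt_repositories | selectattr('url', 'match', '.*docker-ce.*') | list | length > 0` guard on the docker.list removal is always false for hosts outside `overcloud`, because apt.yml in this same diff sets `apt_repositories` to `[]` for non-overcloud hosts, while the play also targets `infra-vms:seed:seed-hypervisor`. If those hosts are meant to keep their existing docker.list, a comment saying so would stop the task name "Ensure ... does not exist" from reading as unconditional; if not, the condition should key off `stackhpc_apt_repositories`. The leading `.*` only exists to satisfy the start-anchored `match` test, so `selectattr('url', 'search', 'docker-ce')` states the intent more directly. The enclosing play starts outside the hunk.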
@@ -52,25 +52,29 @@ stackhpc_apt_repositories:
 suites: "{{ ansible_facts.distribution_release }} {{ ansible_facts.distribution_release }}-updates {{ ansible_facts.distribution_release }}-backports"
 components: main restricted universe multiverse
 architecture: amd64
+ required: true
 - url: "{{ stackhpc_repo_ubuntu_focal_security_url if ansible_facts.distribution_release == 'focal' else stackhpc_repo_ubuntu_jammy_security_url }}"
 suites: "{{ ansible_facts.distribution_release }}-security"
 components: main restricted universe multiverse
 architecture: amd64
+ required: true
 - url: "{{ stackhpc_repo_ubuntu_jammy_cve_2024_6387_url }}"
 suites: "pulp"
 components: upload
 architecture: amd64
 trusted: yes
- - url: "{{ stackhpc_repo_docker_ce_ubuntu_url }}"
- suites: "{{ ansible_facts.distribution_release }}"
+ required: "{{ ansible_facts.distribution_release == 'jammy' }}"
+ - url: "{{ stackhpc_repo_docker_ce_ubuntu_focal_url if ansible_facts.distribution_release == 'focal' else stackhpc_repo_docker_ce_ubuntu_jammy_url }}"
+ suites: "{{ ansible_facts.distribution_release }}"
 components: stable
 signed_by: docker.asc
 architecture: amd64
+ required: true
 
 # Do not replace apt configuration for non-overcloud hosts. This can result in
 # errors if apt reconfiguration is performed before local repository mirrors
 # are deployed.
-apt_repositories: "{{ stackhpc_apt_repositories if 'overcloud' in group_names else [] }}"
+apt_repositories: "{{ stackhpc_apt_repositories | selectattr('required') | list if 'overcloud' in group_names else [] }}"
 
 # Whether to disable repositories in /etc/apt/sources.list. This may be used
 # when replacing the distribution repositories via apt_repositories.
diff --git a/etc/kayobe/environments/ci-aio/stackhpc-ci.yml b/etc/kayobe/environments/ci-aio/stackhpc-ci.yml
index e3fd39b1f..c66dece44 100644
--- a/etc/kayobe/environments/ci-aio/stackhpc-ci.yml
+++ b/etc/kayobe/environments/ci-aio/stackhpc-ci.yml
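Review bot: The new `selectattr('required')` on the `apt_repositories` line makes `required` a mandatory key on every entry of `stackhpc_apt_repositories`; an entry that omits it is either silently dropped or fails templating depending on how undefined attributes are handled, so the contract should be stated where the list is defined. I would add above the list: `# Every entry must set 'required'; apt_repositories keeps only the entries where it evaluates true.` The CVE-2024-6387 entry is the only one whose `required` is templated, and it is also the one with `trusted: yes`, so a one-line comment on why that unsigned repository is enabled only on jammy would help the next reader. The start of the `stackhpc_apt_repositories` list is outside the hunk.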
@@ -51,7 +51,8 @@ stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal
 stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}"
 stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: ""
-stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
+stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}"
+stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}"
 stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream__openstack_yoga_version }}"
 stackhpc_repo_centos_stream_9_opstools_version: "{{ stackhpc_pulp_repo_centos_stream_9_opstools_version }}"
diff --git a/etc/kayobe/environments/ci-builder/stackhpc-ci.yml b/etc/kayobe/environments/ci-builder/stackhpc-ci.yml
index 57825f73c..821be0208 100644
--- a/etc/kayobe/environments/ci-builder/stackhpc-ci.yml
+++ b/etc/kayobe/environments/ci-builder/stackhpc-ci.yml
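Review bot: The context line two below the new `stackhpc_repo_docker_ce_ubuntu_jammy_version` entry references `stackhpc_pulp_repo_centos_stream__openstack_yoga_version` (double underscore, no `9`), whereas the ci-builder and ci-multinode copies of this block and pulp-repo-versions.yml use `stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version`. Unless the double-underscore name is defined somewhere not in this diff, that variable is undefined and templating of the ci-aio Yoga repository version would fail the first time it is used. Since this commit already touches the surrounding lines, it is a good moment to correct it to `stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version }}"`.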
@@ -74,7 +74,8 @@ stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal
 stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}"
 stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: ""
-stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
+stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}"
+stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}"
 stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version }}"
 stackhpc_repo_centos_stream_9_opstools_version: "{{ stackhpc_pulp_repo_centos_stream_9_opstools_version }}"
diff --git a/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml b/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml
index 3563364c8..b4dc79200 100644
--- a/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml
+++ b/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml
@@ -48,7 +48,8 @@ stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal
 stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}"
 stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: ""
-stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
+stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}"
+stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}"
 stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version }}"
 stackhpc_repo_centos_stream_9_opstools_version: "{{ stackhpc_pulp_repo_centos_stream_9_opstools_version }}"
diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis
index b20843d37..59a7852cf 100644
--- a/etc/kayobe/inventory/group_vars/overcloud/cis
+++ b/etc/kayobe/inventory/group_vars/overcloud/cis
@@ -61,6 +61,22 @@ rhel9cis_rule_5_3_4: false # Please double-check yourself with: sudo passwd -S root rhel9cis_rule_5_6_6: false +# Stop the CIS benchmark scanning all files on every filesystem since this +# takes a long time. Related to the changing permissions block below. This +# would normally warn you about violations, but we can use Wazuh to continually +# monitor this. +rhel9cis_rule_6_1_9: false +rhel9cis_rule_6_1_10: false +rhel9cis_rule_6_1_11: false +rhel9cis_rule_6_1_12: false +rhel9cis_rule_6_1_13: false +rhel9cis_rule_6_1_14: false +rhel9cis_rule_6_1_15: false + +# The following rules change permissions on all files on every mounted +# filesystem. We do not want to change /var/lib/docker permissions. +rhel9cis_no_world_write_adjust: false + # Configure log rotation to prevent audit logs from filling the disk rhel9cis_auditd: space_left_action: syslog @@ -75,6 +91,10 @@ rhel9cis_max_log_file_size: 1024 # `rhel9cis_bootloader_password_hash` rhel9cis_set_boot_pass: false +# NOTICE: rule disabled otherwise rule will prevent access to accounts +# as it will expire passwords older than one year. +rhel9cis_rule_5_6_1_1: false + ############################################################################## # Ubuntu Jammy CIS Hardening Configuration 
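Review bot: The comment above `rhel9cis_rule_6_1_9: false` through `rhel9cis_rule_6_1_15: false` justifies switching off the filesystem audit rules (world-writable, unowned/ungrouped and SUID/SGID files) by saying Wazuh can monitor this, but nothing in the hunk ties that to a configured Wazuh check, so the compensating control is asserted rather than established. I would either name the Wazuh policy or rule set that covers these checks in the comment, or word it as an open item: `# NOTE: these audits are not re-implemented in this repo; confirm the Wazuh deployment covers world-writable/unowned/SUID files before relying on it.` The same comment is repeated for `ubtu22cis_rule_6_1_9` to `ubtu22cis_rule_6_1_13` in the later hunk and the wording fix applies there too.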
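Review bot: `rhel9cis_rule_5_6_1_1: false` removes the 365-day password expiry for every local account on the host, although the NOTICE comment and the release note in this diff describe the problem as the kayobe and kolla service accounts being locked out. If the role offers a way to exempt specific users, that would be the narrower fix; if it does not, the comment should say that interactive accounts also lose expiry and that this is a deliberate trade-off, e.g. `# Applies to all local accounts, not only service accounts; revisit once service accounts can be excluded.` The same scoping note belongs with `ubtu22cis_rule_5_5_1_1`, `ubtu22cis_rule_5_5_1_2`, `ubtu22cis_rule_5_5_1_4` and `ubtu22cis_rule_5_5_1_5` in the hunk that follows, where each rule is disabled with only its title as explanation.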
@@ -141,9 +161,22 @@ ubtu22cis_sshd: deny_users: "" deny_groups: "" -# Do not change /var/lib/docker permissions +# Stop the CIS benchmark scanning all files on every filesystem since this +# takes a long time. Related to the changing permissions block below. This +# would normally warn you about violations, but we can use Wazuh to continually +# monitor this. +ubtu22cis_rule_6_1_9: false +ubtu22cis_rule_6_1_10: false +ubtu22cis_rule_6_1_11: false +ubtu22cis_rule_6_1_12: false +ubtu22cis_rule_6_1_13: false + +# The following rules change permissions on all files on every mounted +# filesystem. We do not want to change /var/lib/docker permissions. ubtu22cis_no_group_adjust: false ubtu22cis_no_owner_adjust: false +ubtu22cis_no_world_write_adjust: false +ubtu22cis_suid_adjust: false # Configure log rotation to prevent audit logs from filling the disk ubtu22cis_auditd: @@ -159,4 +192,17 @@ ubtu22cis_max_log_file_size: 1024 # ubtu22cis_bootloader_password_hash ubtu22cis_rule_1_4_1: false ubtu22cis_rule_1_4_3: false + +# Disable: Ensure minimum days between password changes is configured +ubtu22cis_rule_5_5_1_1: false + +# Disable: Ensure password expiration is 365 days or less +ubtu22cis_rule_5_5_1_2: false + +# Disable: Ensure inactive password lock is 30 days or less +ubtu22cis_rule_5_5_1_4: false + +# Disable: Ensure all users last password change date is in the past +ubtu22cis_rule_5_5_1_5: false + ############################################################################## diff --git a/etc/kayobe/pulp-repo-versions.yml b/etc/kayobe/pulp-repo-versions.yml index 914b00fde..be33dd15d 100644 --- a/etc/kayobe/pulp-repo-versions.yml +++ b/etc/kayobe/pulp-repo-versions.yml 
@@ -16,7 +16,8 @@ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20230929T005202
 stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version: 20231005T010906
 stackhpc_pulp_repo_centos_stream_9_opstools_version: 20230615T071742
 stackhpc_pulp_repo_centos_stream_9_storage_ceph_pacific_version: 20230709T010022
-stackhpc_pulp_repo_docker_ce_ubuntu_version: 20231020T014922
+stackhpc_pulp_repo_docker_ce_ubuntu_focal_version: 20240122T172142
+stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version: 20240122T172142
 stackhpc_pulp_repo_docker_version: 20230919T015626
 stackhpc_pulp_repo_elasticsearch_logstash_kibana_7_x_version: 20231012T003815
 stackhpc_pulp_repo_elrepo_9_version: 20230907T075311
diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
index 207c1f0eb..5b2e3d9e0 100644
--- a/etc/kayobe/pulp.yml
+++ b/etc/kayobe/pulp.yml
@@ -132,13 +132,21 @@ stackhpc_pulp_deb_repos:
 required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}"
 
 # Third-party repositories
- - name: "Docker CE for Ubuntu"
- url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu/{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
- distribution_name: "docker-ce-for-ubuntu-"
- base_path: "docker-ce/ubuntu/"
- distributions: "focal jammy"
+ - name: "Docker CE for Ubuntu Focal"
+ url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu-focal/{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}"
+ distribution_name: "docker-ce-for-ubuntu-focal-"
+ base_path: "docker-ce/ubuntu-focal/"
+ distributions: "focal"
 components: "stable"
- required: "{{ stackhpc_pulp_sync_ubuntu_focal or stackhpc_pulp_sync_ubuntu_jammy | bool }}"
+ required: "{{ stackhpc_pulp_sync_ubuntu_focal | bool }}"
+
+ - name: "Docker CE for Ubuntu Jammy"
+ url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu-jammy/{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}"
+ distribution_name: "docker-ce-for-ubuntu-jammy-"
+ base_path: "docker-ce/ubuntu-jammy/"
+ distributions: "jammy"
+ components: "stable"
+ required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}"
 
 # Publication format is a subset of distribution.
 stackhpc_pulp_publication_deb_development: "{{ stackhpc_pulp_distribution_deb_development }}"
diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml
index b74648178..6cf6bc99a 100644
--- a/etc/kayobe/stackhpc.yml
+++ b/etc/kayobe/stackhpc.yml
@@ -55,9 +55,13 @@ stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: "{{ stackhpc_repo_distribution
 stackhpc_repo_ubuntu_cloud_archive_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/ubuntu-cloud-archive/{{ stackhpc_repo_ubuntu_cloud_archive_version }}"
 stackhpc_repo_ubuntu_cloud_archive_version: "{{ stackhpc_repo_distribution }}"
 
-# Docker CE for Ubuntu
-stackhpc_repo_docker_ce_ubuntu_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/docker-ce/ubuntu/{{ stackhpc_repo_docker_ce_ubuntu_version }}"
-stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_repo_distribution }}"
+# Docker CE for Ubuntu Focal
+stackhpc_repo_docker_ce_ubuntu_focal_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/docker-ce/ubuntu-focal/{{ stackhpc_repo_docker_ce_ubuntu_focal_version }}"
+stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_repo_distribution }}"
+
+# Docker CE for Ubuntu Jammy
+stackhpc_repo_docker_ce_ubuntu_jammy_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/docker-ce/ubuntu-jammy/{{ stackhpc_repo_docker_ce_ubuntu_jammy_version }}"
+stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_repo_distribution }}"
 
 ###############################################################################
 # RPMs
diff --git a/releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml b/releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml
new file mode 100644
index 000000000..3ad5e55b9
--- /dev/null
+++ b/releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml
@@ -0,0 +1,7 @@
+---
+critical:
+ - |
+ Disables password expiration and inactivity policies. This caused the kayobe
+ and kolla service accounts to be locked out of the system. You should re-apply
+ the CIS benchmark hardening playbook as soon as possible to avoid being locked
+ out of your system.
diff --git a/releasenotes/notes/docker-bump-dc4e85668ee69a21.yaml b/releasenotes/notes/docker-bump-dc4e85668ee69a21.yaml
new file mode 100644
index 000000000..3563d6d3a
--- /dev/null
+++ b/releasenotes/notes/docker-bump-dc4e85668ee69a21.yaml
@@ -0,0 +1,11 @@
+---
+features:
+ - |
+ The Docker CE package for Ubuntu has been bumped from ``5:24.0.6-1`` to
+ ``5:25.0.0-1`` This is a side effect of separating out the repos for Docker
+ CE for Ubuntu Jammy/Focal.
+fixes:
+ - |
+ Separated out repos for Docker CE for Ubuntu Jammy/Focal. This fixes a Pulp
+ sync issue where two "identical" repository versions existed with different
+ checksums.
diff --git a/releasenotes/notes/hcp-2.5.0-8e30c7b1910f2bd2.yaml b/releasenotes/notes/hcp-2.5.0-8e30c7b1910f2bd2.yaml
new file mode 100644
index 000000000..d56f6593e
--- /dev/null
+++ b/releasenotes/notes/hcp-2.5.0-8e30c7b1910f2bd2.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ Updates the ``stackhpc.hashicorp`` Ansible collection to 2.5.0. This brings
+ in an idempotency fix for generating certificates.
diff --git a/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml b/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml
index b90480105..8de5f7a7f 100644
--- a/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml
+++ b/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml
@@ -2,4 +2,4 @@ security:
- | Adds a custom Apt repository to address `CVE-2024-6387 - `__ in OpenSSH.