From ac221ad4c311fbdcacb5543449bbba291906d9b9 Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Fri, 12 Jul 2024 13:35:16 +0100 Subject: [PATCH 01/10] Correct cve-2024-6387 reno --- .../notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml b/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml index b90480105..8de5f7a7f 100644 --- a/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml +++ b/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml @@ -2,4 +2,4 @@ security: - | Adds a custom Apt repository to address `CVE-2024-6387 - `__ in OpenSSH. From 771b736be9a5b9c1993ec16c09b0be1c29fe37b4 Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Fri, 12 Jul 2024 11:56:27 +0100 Subject: [PATCH 02/10] Split Ubuntu Docker CE package into Focal/Jammy --- etc/kayobe/apt.yml | 4 ++-- .../environments/ci-aio/stackhpc-ci.yml | 3 ++- .../environments/ci-builder/stackhpc-ci.yml | 3 ++- .../environments/ci-multinode/stackhpc-ci.yml | 3 ++- etc/kayobe/pulp-repo-versions.yml | 3 ++- etc/kayobe/pulp.yml | 20 +++++++++++++------ etc/kayobe/stackhpc.yml | 10 +++++++--- .../notes/docker-bump-dc4e85668ee69a21.yaml | 11 ++++++++++ 8 files changed, 42 insertions(+), 15 deletions(-) create mode 100644 releasenotes/notes/docker-bump-dc4e85668ee69a21.yaml diff --git a/etc/kayobe/apt.yml b/etc/kayobe/apt.yml index b23104087..d1369aaa7 100644 --- a/etc/kayobe/apt.yml +++ b/etc/kayobe/apt.yml 
@@ -61,8 +61,8 @@ stackhpc_apt_repositories: components: upload architecture: amd64 trusted: yes - - url: "{{ stackhpc_repo_docker_ce_ubuntu_url }}" - suites: "{{ ansible_facts.distribution_release }}" + - url: "{{ stackhpc_repo_docker_ce_ubuntu_focal_url if ansible_facts.distribution_release == 'focal' else stackhpc_repo_docker_ce_ubuntu_jammy_url }}" + suites: "{{ ansible_facts.distribution_release }}" components: stable signed_by: docker.asc architecture: amd64 diff --git a/etc/kayobe/environments/ci-aio/stackhpc-ci.yml b/etc/kayobe/environments/ci-aio/stackhpc-ci.yml index e3fd39b1f..c66dece44 100644 --- a/etc/kayobe/environments/ci-aio/stackhpc-ci.yml +++ b/etc/kayobe/environments/ci-aio/stackhpc-ci.yml @@ -51,7 +51,8 @@ stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}" stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}" stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: "" -stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}" +stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}" +stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}" stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}" stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream__openstack_yoga_version }}" stackhpc_repo_centos_stream_9_opstools_version: "{{ stackhpc_pulp_repo_centos_stream_9_opstools_version }}" diff --git a/etc/kayobe/environments/ci-builder/stackhpc-ci.yml b/etc/kayobe/environments/ci-builder/stackhpc-ci.yml index 57825f73c..821be0208 100644 --- a/etc/kayobe/environments/ci-builder/stackhpc-ci.yml +++ b/etc/kayobe/environments/ci-builder/stackhpc-ci.yml 
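Review bot: The new `url:` selector on the Docker CE entry treats every release that is not `focal` as Jammy, so a host on any other Ubuntu release would be pointed at the Jammy Docker CE repository instead of failing loudly. The security-repo entry above it uses the same pattern, so this may be a deliberate convention, but a comment on the line would stop someone adding a third release without extending both branches: `# Only focal and jammy are mirrored; any other release falls through to the jammy repo.` The `stackhpc_apt_repositories` list begins before this hunk.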
@@ -74,7 +74,8 @@ stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}" stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}" stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: "" -stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}" +stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}" +stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}" stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}" stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version }}" stackhpc_repo_centos_stream_9_opstools_version: "{{ stackhpc_pulp_repo_centos_stream_9_opstools_version }}" diff --git a/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml b/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml index 3563364c8..b4dc79200 100644 --- a/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml +++ b/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml 
@@ -48,7 +48,8 @@ stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}" stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}" stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: "" -stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}" +stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}" +stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}" stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}" stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version }}" stackhpc_repo_centos_stream_9_opstools_version: "{{ stackhpc_pulp_repo_centos_stream_9_opstools_version }}" diff --git a/etc/kayobe/pulp-repo-versions.yml b/etc/kayobe/pulp-repo-versions.yml index 914b00fde..be33dd15d 100644 --- a/etc/kayobe/pulp-repo-versions.yml +++ b/etc/kayobe/pulp-repo-versions.yml @@ -16,7 +16,8 @@ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20230929T005202 stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version: 20231005T010906 stackhpc_pulp_repo_centos_stream_9_opstools_version: 20230615T071742 stackhpc_pulp_repo_centos_stream_9_storage_ceph_pacific_version: 20230709T010022 -stackhpc_pulp_repo_docker_ce_ubuntu_version: 20231020T014922 +stackhpc_pulp_repo_docker_ce_ubuntu_focal_version: 20240122T172142 +stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version: 20240122T172142 stackhpc_pulp_repo_docker_version: 20230919T015626 stackhpc_pulp_repo_elasticsearch_logstash_kibana_7_x_version: 20231012T003815 stackhpc_pulp_repo_elrepo_9_version: 20230907T075311 diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml index 207c1f0eb..5b2e3d9e0 100644 
--- a/etc/kayobe/pulp.yml +++ b/etc/kayobe/pulp.yml @@ -132,13 +132,21 @@ stackhpc_pulp_deb_repos: required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}" # Third-party repositories - - name: "Docker CE for Ubuntu" - url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu/{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}" - distribution_name: "docker-ce-for-ubuntu-" - base_path: "docker-ce/ubuntu/" - distributions: "focal jammy" + - name: "Docker CE for Ubuntu Focal" + url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu-focal/{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}" + distribution_name: "docker-ce-for-ubuntu-focal-" + base_path: "docker-ce/ubuntu-focal/" + distributions: "focal" components: "stable" - required: "{{ stackhpc_pulp_sync_ubuntu_focal or stackhpc_pulp_sync_ubuntu_jammy | bool }}" + required: "{{ stackhpc_pulp_sync_ubuntu_focal | bool }}" + + - name: "Docker CE for Ubuntu Jammy" + url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu-jammy/{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}" + distribution_name: "docker-ce-for-ubuntu-jammy-" + base_path: "docker-ce/ubuntu-jammy/" + distributions: "jammy" + components: "stable" + required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}" # Publication format is a subset of distribution. stackhpc_pulp_publication_deb_development: "{{ stackhpc_pulp_distribution_deb_development }}" diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml index b74648178..6cf6bc99a 100644 --- a/etc/kayobe/stackhpc.yml +++ b/etc/kayobe/stackhpc.yml 
@@ -55,9 +55,13 @@ stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: "{{ stackhpc_repo_distribution stackhpc_repo_ubuntu_cloud_archive_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/ubuntu-cloud-archive/{{ stackhpc_repo_ubuntu_cloud_archive_version }}" stackhpc_repo_ubuntu_cloud_archive_version: "{{ stackhpc_repo_distribution }}" -# Docker CE for Ubuntu -stackhpc_repo_docker_ce_ubuntu_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/docker-ce/ubuntu/{{ stackhpc_repo_docker_ce_ubuntu_version }}" -stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_repo_distribution }}" +# Docker CE for Ubuntu Focal +stackhpc_repo_docker_ce_ubuntu_focal_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/docker-ce/ubuntu-focal/{{ stackhpc_repo_docker_ce_ubuntu_focal_version }}" +stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_repo_distribution }}" + +# Docker CE for Ubuntu Jammy +stackhpc_repo_docker_ce_ubuntu_jammy_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/docker-ce/ubuntu-jammy/{{ stackhpc_repo_docker_ce_ubuntu_jammy_version }}" +stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_repo_distribution }}" ############################################################################### # RPMs diff --git a/releasenotes/notes/docker-bump-dc4e85668ee69a21.yaml b/releasenotes/notes/docker-bump-dc4e85668ee69a21.yaml new file mode 100644 index 000000000..3563d6d3a --- /dev/null +++ b/releasenotes/notes/docker-bump-dc4e85668ee69a21.yaml @@ -0,0 +1,11 @@ +--- +features: + - | + The Docker CE package for Ubuntu has been bumped from ``5:24.0.6-1`` to + ``5:25.0.0-1`` This is a side effect of separating out the repos for Docker + CE for Ubuntu Jammy/Focal. +fixes: + - | + Separated out repos for Docker CE for Ubuntu Jammy/Focal. This fixes a Pulp + sync issue where two "identical" repository versions existed with different + checksums. From 6a5920c0db154eff527224b7d57e61872e2f16f4 Mon Sep 17 00:00:00 2001 
From: Will Szumski Date: Fri, 12 Jul 2024 17:56:20 +0000 Subject: [PATCH 03/10] Disables password expiration and inactivity policies (#1106) * Disables password expiration and inactivity policies This was causing the kayobe and kolla service accounts to be locked out of the system. * Remove flag that configures password expiry warning --- etc/kayobe/ansible/cis.yml | 11 +++++++++++ etc/kayobe/inventory/group_vars/overcloud/cis | 17 +++++++++++++++++ ...isable-password-expiry-3c296c72d36cd9da.yaml | 7 +++++++ 3 files changed, 35 insertions(+) create mode 100644 releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml diff --git a/etc/kayobe/ansible/cis.yml b/etc/kayobe/ansible/cis.yml index ffb31c2fe..f286aaec4 100644 --- a/etc/kayobe/ansible/cis.yml +++ b/etc/kayobe/ansible/cis.yml @@ -18,6 +18,17 @@ state: absent when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8' + - name: Ensure service accounts have no expiry options set + # This is to workaround an issue where we set the expiry to 365 days on kayobe + # service accounts in a previous iteration of the CIS benchmark hardening + # defaults. This should restore the defaults and can eventually be removed. + command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }} + become: true + changed_when: false + with_items: + - "{{ kayobe_ansible_user }}" + - "{{ kolla_ansible_user }}" + - include_role: name: ansible-lockdown.rhel8_cis when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8' diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis index b20843d37..c6adea094 100644 --- a/etc/kayobe/inventory/group_vars/overcloud/cis +++ b/etc/kayobe/inventory/group_vars/overcloud/cis 
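Review bot: `changed_when: false` on the new `chage` task makes a command that rewrites password-ageing fields in /etc/shadow always report ok, so an operator who had deliberately set an expiry on these accounts gets it silently reverted on every run with no trace in the play recap. If the ansible-core in use supports them, the `ansible.builtin.user` module's `password_expire_min`/`password_expire_max` options give the same reset idempotently and report changes; otherwise register the current values from `chage -l` first and derive `changed_when` from them. The comment could also say which fields are being restored and why `-I -1` (no inactivity lock) matters for these accounts, e.g. `# min 0 / max 99999 / warn 7 / inactive -1 are the upstream defaults; the commit history shows these service accounts were locked out once the 365-day expiry was reached`. The surrounding play starts before this hunk.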
@@ -75,6 +75,10 @@ rhel9cis_max_log_file_size: 1024
# `rhel9cis_bootloader_password_hash`
rhel9cis_set_boot_pass: false
+# NOTICE: rule disabled otherwise rule will prevent access to accounts
+# as it will expire passwords older than one year.
+rhel9cis_rule_5_6_1_1: false
+
##############################################################################
# Ubuntu Jammy CIS Hardening Configuration
@@ -159,4 +163,17 @@ ubtu22cis_max_log_file_size: 1024
# ubtu22cis_bootloader_password_hash
ubtu22cis_rule_1_4_1: false
ubtu22cis_rule_1_4_3: false
+
+# Disable: Ensure minimum days between password changes is configured
+ubtu22cis_rule_5_5_1_1: false
+
+# Disable: Ensure password expiration is 365 days or less
+ubtu22cis_rule_5_5_1_2: false
+
+# Disable: Ensure inactive password lock is 30 days or less
+ubtu22cis_rule_5_5_1_4: false
+
+# Disable: Ensure all users last password change date is in the past
+ubtu22cis_rule_5_5_1_5: false
+
##############################################################################
diff --git a/releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml b/releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml
new file mode 100644
index 000000000..3ad5e55b9
--- /dev/null
+++ b/releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml
@@ -0,0 +1,7 @@
+---
+critical:
+ - |
+ Disables password expiration and inactivity policies. This caused the kayobe
+ and kolla service accounts to be locked out of the system. You should re-apply
+ the CIS benchmark hardening playbook as soon as possible to avoid being locked
+ out of your system.
From bde14270185fb83e3f05f61447bdab7cb270ce7c Mon Sep 17 00:00:00 2001
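Review bot: Disabling `ubtu22cis_rule_5_5_1_2` and `ubtu22cis_rule_5_5_1_4` turns off password expiry and inactive-account locking for every local account on the overcloud hosts, including human operator accounts, while the problem described in the commit is specific to the kayobe and kolla service accounts. Since cis.yml already resets ageing on exactly those two accounts with `chage`, it may be possible to keep these rules enabled and only exempt the service accounts; if the role cannot exempt accounts, the `# Disable:` comments should state that the relaxation is system-wide so the release note's advice to re-apply hardening is understood correctly. The Rocky section only disables `rhel9cis_rule_5_6_1_1`, so unless the rhel9 role numbers the inactive-lock rule differently (which I cannot confirm from this diff), the two OS sections now diverge on inactivity locking. A line such as `# NOTE: applies to all local accounts, not only the kayobe/kolla service users` above the Ubuntu block would make the scope explicit.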
From: Mark Goddard Date: Tue, 16 Jul 2024 11:12:04 +0100 Subject: [PATCH 04/10] Remove Kolla Ansible docker repo file on Jammy upgrade When switching from Kolla Ansible repositories to release train, we need to remove the docker.list file that was added by Kolla Ansible. --- etc/kayobe/ansible/ubuntu-upgrade.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/etc/kayobe/ansible/ubuntu-upgrade.yml b/etc/kayobe/ansible/ubuntu-upgrade.yml index 928e1c52d..c345fcb05 100644 --- a/etc/kayobe/ansible/ubuntu-upgrade.yml +++ b/etc/kayobe/ansible/ubuntu-upgrade.yml @@ -88,6 +88,13 @@ state: absent become: true + - name: Ensure Kolla Ansible Docker repo definition does not exist + file: + path: /etc/apt/sources.list.d/docker.list + state: absent + become: true + when: apt_repositories | selectattr('url', 'match', '.*docker-ce.*') | list | length > 0 + - name: Reboot and wait reboot: reboot_timeout: 1200 From ce12cc0976d7bbea7072f85cbe7de64c45b7c1eb Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 16 Jul 2024 11:13:32 +0100 Subject: [PATCH 05/10] Make reboot timeout configurable in Ubuntu Jammy upgrade --- etc/kayobe/ansible/ubuntu-upgrade.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/etc/kayobe/ansible/ubuntu-upgrade.yml b/etc/kayobe/ansible/ubuntu-upgrade.yml index c345fcb05..66ed49643 100644 --- a/etc/kayobe/ansible/ubuntu-upgrade.yml +++ b/etc/kayobe/ansible/ubuntu-upgrade.yml @@ -5,6 +5,7 @@ hosts: overcloud:infra-vms:seed:seed-hypervisor vars: ansible_python_interpreter: /usr/bin/python3 + reboot_timeout_s: "{{ 20 * 60 }}" tasks: - name: Assert that hosts are running Ubuntu Focal assert: @@ -37,7 +38,7 @@ - name: Reboot to apply updates reboot: - reboot_timeout: 1200 + reboot_timeout: "{{ reboot_timeout_s }}" connect_timeout: 600 become: true when: file_status.stat.exists 
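Review bot: The new `when:` on the docker.list removal is evaluated against `apt_repositories`, which apt.yml sets to `[]` for hosts outside the `overcloud` group (unless overridden elsewhere), so on the seed, seed-hypervisor and infra-vms hosts this play also targets the Kolla Ansible `docker.list` is left in place. If that is intentional (those hosts keep Kolla's Docker repo) a comment saying so would help; if not, the condition should key off something that is true on every host being migrated. Separately, `match` anchors at the start of the string, which is why `.*docker-ce.*` is needed — `selectattr('url', 'search', 'docker-ce')` expresses the intent more directly. The play and its task list continue outside the hunk.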
@@ -81,6 +82,7 @@ hosts: overcloud:infra-vms:seed:seed-hypervisor vars: ansible_python_interpreter: /usr/bin/python3 + reboot_timeout_s: "{{ 20 * 60 }}" tasks: - name: Ensure Jammy repo definitions do not exist in sources.list blockinfile: @@ -97,7 +99,7 @@ - name: Reboot and wait reboot: - reboot_timeout: 1200 + reboot_timeout: "{{ reboot_timeout_s }}" connect_timeout: 600 become: true From 033a7a9fcfb35bbbcc1ca8ad9c581c11fd3eae67 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 16 Jul 2024 11:51:31 +0100 Subject: [PATCH 06/10] Only enable Apt CVE-2024-6387 repo on Jammy hosts The fix is not required on Focal, and the package is not compatible. --- etc/kayobe/apt.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/etc/kayobe/apt.yml b/etc/kayobe/apt.yml index d1369aaa7..15a4bb7e6 100644 --- a/etc/kayobe/apt.yml +++ b/etc/kayobe/apt.yml 
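Review bot: `reboot_timeout_s` is declared under the play's `vars:`, and play vars take precedence over inventory and group_vars, so the only way to override it is `-e reboot_timeout_s=...`; the commit title says "configurable", which operators may read as settable from inventory. If extra-vars is the intended interface, a comment on the declaration should say so: `# Override with -e reboot_timeout_s=<seconds>; play vars cannot be set from inventory.` If inventory configuration is wanted, the play var should instead default from a separately named inventory variable via `default()`. The same declaration appears in the first play of this file (earlier hunk) and should carry the same comment.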
@@ -52,25 +52,29 @@ stackhpc_apt_repositories: suites: "{{ ansible_facts.distribution_release }} {{ ansible_facts.distribution_release }}-updates {{ ansible_facts.distribution_release }}-backports" components: main restricted universe multiverse architecture: amd64 + required: true - url: "{{ stackhpc_repo_ubuntu_focal_security_url if ansible_facts.distribution_release == 'focal' else stackhpc_repo_ubuntu_jammy_security_url }}" suites: "{{ ansible_facts.distribution_release }}-security" components: main restricted universe multiverse architecture: amd64 + required: true - url: "{{ stackhpc_repo_ubuntu_jammy_cve_2024_6387_url }}" suites: "pulp" components: upload architecture: amd64 trusted: yes + required: "{{ ansible_facts.distribution_release == 'jammy' }}" - url: "{{ stackhpc_repo_docker_ce_ubuntu_focal_url if ansible_facts.distribution_release == 'focal' else stackhpc_repo_docker_ce_ubuntu_jammy_url }}" suites: "{{ ansible_facts.distribution_release }}" components: stable signed_by: docker.asc architecture: amd64 + required: true # Do not replace apt configuration for non-overcloud hosts. This can result in # errors if apt reconfiguration is performed before local repository mirrors # are deployed. -apt_repositories: "{{ stackhpc_apt_repositories if 'overcloud' in group_names else [] }}" +apt_repositories: "{{ stackhpc_apt_repositories | selectattr('required') | list if 'overcloud' in group_names else [] }}" # Whether to disable repositories in /etc/apt/sources.list. This may be used # when replacing the distribution repositories via apt_repositories. From ab2a53230ec02b605b0bc77bf0a85697ec083f38 Mon Sep 17 00:00:00 2001 
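Review bot: The CVE-2024-6387 repository entry still carries `trusted: yes` and no `signed_by`, so apt installs the patched OpenSSH from this repo without checking any Release signature — the integrity of a fix for a pre-authentication sshd vulnerability rests entirely on TLS to the Pulp mirror, while the Docker CE entry below it is signed. Now that the entry is gated to Jammy via `required`, signing the Pulp publication and switching to `signed_by:` would close that gap; failing that, a comment next to `trusted: yes` should record that the mirror URL must be HTTPS and why the repo is unsigned. Also, `selectattr('required')` in the new `apt_repositories` expression will drop (or, depending on Ansible's undefined handling, error on) any future entry that omits the key, so a note above the list such as `# Every entry must set 'required'; apt_repositories filters on it.` would prevent a silent omission. `stackhpc_apt_repositories` begins before this hunk.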
From: Mark Goddard Date: Mon, 22 Jul 2024 13:13:37 +0100 Subject: [PATCH 07/10] ci-multinode: Add failing refstack tests to skip list In Yoga and Zed there are 2 tests that fail due to using internal TLS but no external TLS. This breaks some URLs in API responses. This change adds them to skip lists. This should be reverted in Antelope, since it supports external TLS in multinodes. --- .automation.conf/config.sh | 1 + .../tempest/skip-lists/ci-multinode-platform.2022.11 | 2 ++ .automation.conf/tempest/skip-lists/ci-multinode-tempest-full | 2 ++ 3 files changed, 5 insertions(+) create mode 100644 .automation.conf/tempest/skip-lists/ci-multinode-platform.2022.11 diff --git a/.automation.conf/config.sh b/.automation.conf/config.sh index 84b11dd07..23fd5d819 100644 --- a/.automation.conf/config.sh +++ b/.automation.conf/config.sh @@ -24,6 +24,7 @@ if [ ! -z ${KAYOBE_ENVIRONMENT:+x} ]; then # SMSLab is currently running with 1G switches. This causes tests using volumes and images to fail if # the concurrency is set too high. export TEMPEST_CONCURRENCY=1 + export KAYOBE_AUTOMATION_TEMPEST_SKIPLIST="ci-multinode-platform.2022.11" # Uncomment this to perform a full tempest test # export KAYOBE_AUTOMATION_TEMPEST_LOADLIST=tempest-full # export KAYOBE_AUTOMATION_TEMPEST_SKIPLIST=ci-multinode-tempest-full diff --git a/.automation.conf/tempest/skip-lists/ci-multinode-platform.2022.11 b/.automation.conf/tempest/skip-lists/ci-multinode-platform.2022.11 new file mode 100644 index 000000000..7f3276e64 --- /dev/null +++ b/.automation.conf/tempest/skip-lists/ci-multinode-platform.2022.11 @@ -0,0 +1,2 @@ +tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_pagination: "Fails without public TLS" +tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_details_pagination: "Fails without public TLS" 
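Review bot: The new `export KAYOBE_AUTOMATION_TEMPEST_SKIPLIST="ci-multinode-platform.2022.11"` line records neither why the two volume-pagination tests are skipped nor when the skip can go, although the commit message states both (internal-only TLS in Yoga/Zed multinodes; revert once external TLS is available in Antelope). Since this file is where an operator will look, add the rationale inline: `# Yoga/Zed multinode has internal TLS only, which breaks pagination URLs in two volume tests; remove once external TLS is enabled.` The `if` block this sits in starts before the hunk.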
diff --git a/.automation.conf/tempest/skip-lists/ci-multinode-tempest-full b/.automation.conf/tempest/skip-lists/ci-multinode-tempest-full index 94c494687..bb3ad2f71 100644 --- a/.automation.conf/tempest/skip-lists/ci-multinode-tempest-full +++ b/.automation.conf/tempest/skip-lists/ci-multinode-tempest-full @@ -1 +1,3 @@ +tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_pagination: "Fails without public TLS" +tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_details_pagination: "Fails without public TLS" tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_subnet_details.*: "Cirros image doesn't have '/var/run/udhcpc.eth0.pid" From 3d6ac12e2a6a90a7148a8aba684c0ebd90f86b7d Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 6 Jun 2024 12:45:37 +0100 Subject: [PATCH 08/10] Bump stackhpc.hashicorp role to 2.5.0 This brings in a useful idempotency fix for Vault deployment. (cherry picked from commit bf535c6e82bcffd462b144b621a1c84b352b3f4a) --- etc/kayobe/ansible/requirements.yml | 2 +- releasenotes/notes/hcp-2.5.0-8e30c7b1910f2bd2.yaml | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/hcp-2.5.0-8e30c7b1910f2bd2.yaml diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index 92c3faecd..29018d01d 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -9,7 +9,7 @@ collections: - name: stackhpc.pulp version: 0.4.1 - name: stackhpc.hashicorp - version: 2.4.0 + version: 2.5.0 - name: stackhpc.kayobe_workflows version: 1.0.3 roles: diff --git a/releasenotes/notes/hcp-2.5.0-8e30c7b1910f2bd2.yaml b/releasenotes/notes/hcp-2.5.0-8e30c7b1910f2bd2.yaml new file mode 100644 index 000000000..d56f6593e --- /dev/null +++ b/releasenotes/notes/hcp-2.5.0-8e30c7b1910f2bd2.yaml 
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ Updates the ``stackhpc.hashicorp`` Ansible collection to 2.5.0. This brings
+ in an idempotency fix for generating certificates.
From 4dc19266ff3c8e5455246c7b3a3e2e280ff1dae8 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Mon, 22 Jul 2024 13:24:42 +0100
Subject: [PATCH 09/10] Stop changing permissions on files on Rocky 9 A similar change was made for Ubuntu systems in #1119, but it did not apply to Rocky 9 systems. This changes brings the two into line. (cherry picked from commit ef96aa2441db052f295db7260d865cc1c4e4c14a)
---
etc/kayobe/inventory/group_vars/overcloud/cis | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis
index c6adea094..6a31c1d41 100644
--- a/etc/kayobe/inventory/group_vars/overcloud/cis
+++ b/etc/kayobe/inventory/group_vars/overcloud/cis
@@ -61,6 +61,22 @@ rhel9cis_rule_5_3_4: false
# Please double-check yourself with: sudo passwd -S root
rhel9cis_rule_5_6_6: false
+# Stop the CIS benchmark scanning all files on every filesystem since this
+# takes a long time. Related to the changing permissions block below. This
+# would normally warn you about violations, but we can use Wazuh to continually
+# monitor this.
+rhel9cis_rule_6_1_9: false
+rhel9cis_rule_6_1_10: false
+rhel9cis_rule_6_1_11: false
+rhel9cis_rule_6_1_12: false
+rhel9cis_rule_6_1_13: false
+rhel9cis_rule_6_1_14: false
+rhel9cis_rule_6_1_15: false
+
+# The following rules change permissions on all files on every mounted
+# filesystem. We do not want to change /var/lib/docker permissions.
+rhel9cis_no_world_write_adjust: false
+
# Configure log rotation to prevent audit logs from filling the disk
rhel9cis_auditd:
space_left_action: syslog
From 09d226c70ef4b134908b2fed0d6492de3033a3e1 Mon Sep 17 00:00:00 2001
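Review bot: The new comment says Wazuh can continually monitor for the file-permission findings that rules 6.1.9–6.1.15 would have reported, but nothing in this change (or in this file) deploys such a Wazuh policy, so the statement reads as a guarantee the repository does not provide. I would reword it as an expectation to verify, e.g. `# ... these audits are expected to be covered by Wazuh SCA/FIM; confirm that policy is deployed before relying on it.` Separately, the commit says this brings Rocky into line with Ubuntu, yet only `rhel9cis_no_world_write_adjust` is set here whereas the Ubuntu section also disables owner, group and SUID adjustment; if the rhel9 role exposes the corresponding variables (I cannot confirm from this diff), those adjust tasks still run on Rocky and would still touch /var/lib/docker.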
From: Will Szumski
Date: Fri, 12 Jul 2024 17:58:26 +0000
Subject: [PATCH 10/10] Stop changing permissions on files (#1119) These are causing changes to docker overlay filesystems with possible unintended consequences. It is also really slow to loop through so many files in ansible. (cherry picked from commit 0d1dfe27af2c817c8238586d169b3263a8bf84cb)
---
etc/kayobe/inventory/group_vars/overcloud/cis | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis
index 6a31c1d41..59a7852cf 100644
--- a/etc/kayobe/inventory/group_vars/overcloud/cis
+++ b/etc/kayobe/inventory/group_vars/overcloud/cis
@@ -161,9 +161,22 @@ ubtu22cis_sshd:
deny_users: ""
deny_groups: ""
-# Do not change /var/lib/docker permissions
+# Stop the CIS benchmark scanning all files on every filesystem since this
+# takes a long time. Related to the changing permissions block below. This
+# would normally warn you about violations, but we can use Wazuh to continually
+# monitor this.
+ubtu22cis_rule_6_1_9: false
+ubtu22cis_rule_6_1_10: false
+ubtu22cis_rule_6_1_11: false
+ubtu22cis_rule_6_1_12: false
+ubtu22cis_rule_6_1_13: false
+
+# The following rules change permissions on all files on every mounted
+# filesystem. We do not want to change /var/lib/docker permissions.
ubtu22cis_no_group_adjust: false
ubtu22cis_no_owner_adjust: false
+ubtu22cis_no_world_write_adjust: false
+ubtu22cis_suid_adjust: false
# Configure log rotation to prevent audit logs from filling the disk
ubtu22cis_auditd:
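Review bot: Setting `ubtu22cis_suid_adjust: false` together with the 6.1.9–6.1.13 audit disables removes the only in-repo control that reports on the file-permission classes those rules pair with (world-writable, unowned and SUID/SGID files, going by the adjust variables), while the stated motivation is limited to /var/lib/docker. A narrower change would keep the report-only audit rules and disable just the `*_adjust` remediation, or exclude the Docker mount if the role supports path exclusion — I cannot tell from this diff whether it does. If the broad disable is kept, the comment should say what is lost rather than only why: `# NOTE: no CIS check for SUID/SGID or world-writable files remains on these hosts; compensating detection must come from elsewhere.` The `ubtu22cis_auditd:` mapping opened on the last context line continues beyond the hunk.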