From 4dc19266ff3c8e5455246c7b3a3e2e280ff1dae8 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Mon, 22 Jul 2024 13:24:42 +0100 Subject: [PATCH 1/8] Stop changing permissions on files on Rocky 9 A similar change was made for Ubuntu systems in #1119, but it did not apply to Rocky 9 systems. This changes brings the two into line. (cherry picked from commit ef96aa2441db052f295db7260d865cc1c4e4c14a) --- etc/kayobe/inventory/group_vars/overcloud/cis | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis index c6adea094..6a31c1d41 100644 --- a/etc/kayobe/inventory/group_vars/overcloud/cis +++ b/etc/kayobe/inventory/group_vars/overcloud/cis @@ -61,6 +61,22 @@ rhel9cis_rule_5_3_4: false # Please double-check yourself with: sudo passwd -S root rhel9cis_rule_5_6_6: false +# Stop the CIS benchmark scanning all files on every filesystem since this +# takes a long time. Related to the changing permissions block below. This +# would normally warn you about violations, but we can use Wazuh to continually +# monitor this. +rhel9cis_rule_6_1_9: false +rhel9cis_rule_6_1_10: false +rhel9cis_rule_6_1_11: false +rhel9cis_rule_6_1_12: false +rhel9cis_rule_6_1_13: false +rhel9cis_rule_6_1_14: false +rhel9cis_rule_6_1_15: false + +# The following rules change permissions on all files on every mounted +# filesystem. We do not want to change /var/lib/docker permissions. +rhel9cis_no_world_write_adjust: false + # Configure log rotation to prevent audit logs from filling the disk rhel9cis_auditd: space_left_action: syslog From 09d226c70ef4b134908b2fed0d6492de3033a3e1 Mon Sep 17 00:00:00 2001 
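Review bot: The comment above `rhel9cis_no_world_write_adjust: false` speaks of "the following rules" changing permissions, but only this one variable is disabled, whereas the Ubuntu counterpart in patch 2/8 also turns off `ubtu22cis_no_group_adjust`, `ubtu22cis_no_owner_adjust` and `ubtu22cis_suid_adjust`. Since the commit message says this brings Rocky 9 into line with Ubuntu, either the rhel9_cis equivalents of the owner, group and SUID adjustments should be disabled as well (if the role exposes them) or the comment should say that only the world-writable adjustment is disabled here. The audit rules differ too, 6.1.9–6.1.15 here against 6.1.9–6.1.13 on Ubuntu, which may only reflect benchmark numbering but deserves a line of explanation. Both hunks hand detection of world-writable, unowned and SUID files to Wazuh without saying which policy covers it; a pointer such as `# Compensating control: Wazuh <policy name> — confirm it checks file ownership/permissions before relying on this` would let a reader verify the control exists. The surrounding group_vars file is outside the hunk.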
From: Will Szumski Date: Fri, 12 Jul 2024 17:58:26 +0000 Subject: [PATCH 2/8] Stop changing permissions on files (#1119) These are causing changes to docker overlay filesystems with possible unintended consequences. It is also really slow to loop through so many files in ansible. (cherry picked from commit 0d1dfe27af2c817c8238586d169b3263a8bf84cb) --- etc/kayobe/inventory/group_vars/overcloud/cis | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis index 6a31c1d41..59a7852cf 100644 --- a/etc/kayobe/inventory/group_vars/overcloud/cis +++ b/etc/kayobe/inventory/group_vars/overcloud/cis @@ -161,9 +161,22 @@ ubtu22cis_sshd: deny_users: "" deny_groups: "" -# Do not change /var/lib/docker permissions +# Stop the CIS benchmark scanning all files on every filesystem since this +# takes a long time. Related to the changing permissions block below. This +# would normally warn you about violations, but we can use Wazuh to continually +# monitor this. +ubtu22cis_rule_6_1_9: false +ubtu22cis_rule_6_1_10: false +ubtu22cis_rule_6_1_11: false +ubtu22cis_rule_6_1_12: false +ubtu22cis_rule_6_1_13: false + +# The following rules change permissions on all files on every mounted +# filesystem. We do not want to change /var/lib/docker permissions. ubtu22cis_no_group_adjust: false ubtu22cis_no_owner_adjust: false +ubtu22cis_no_world_write_adjust: false +ubtu22cis_suid_adjust: false # Configure log rotation to prevent audit logs from filling the disk ubtu22cis_auditd: From 376928e1744c54f4606b66cbab86b3da6654b009 Mon Sep 17 00:00:00 2001 
From: Mark Goddard Date: Thu, 14 Sep 2023 09:41:07 +0100 Subject: [PATCH 3/8] CI: Allow logging of Rally/Tempest By default the 'Run tempest' task has no_log set to avoid revealing sensitive data. This does not apply in CI, and makes it difficult to debug failures. (cherry picked from commit 8384dc4280b974c2c2e433aca10a02efcb88f705) --- .github/workflows/stackhpc-all-in-one.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stackhpc-all-in-one.yml b/.github/workflows/stackhpc-all-in-one.yml index c1d119b15..82441b710 100644 --- a/.github/workflows/stackhpc-all-in-one.yml +++ b/.github/workflows/stackhpc-all-in-one.yml @@ -297,7 +297,7 @@ jobs: -v $(pwd)/tempest-artifacts:/stack/tempest-artifacts \ -e KAYOBE_ENVIRONMENT -e KAYOBE_VAULT_PASSWORD -e KAYOBE_AUTOMATION_SSH_PRIVATE_KEY \ $KAYOBE_IMAGE \ - /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/tempest.sh -e ansible_user=stack + /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/tempest.sh -e ansible_user=stack -e rally_no_sensitive_log=false env: KAYOBE_AUTOMATION_SSH_PRIVATE_KEY: ${{ steps.ssh_key.outputs.ssh_key }} From d75074782acc8467b41c944b65badd1c2129e68d Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 24 Jul 2024 14:05:44 +0200 Subject: [PATCH 4/8] Fix CVE-2024-40767 Fixes CVE-2024-40767 [1] with updated container images for Nova services. [1] https://security.openstack.org/ossa/OSSA-2024-002.html --- etc/kayobe/kolla/globals.yml | 6 +++--- releasenotes/notes/fix-cve-2024-40767-24b9b3c35f61a0c8.yaml | 6 ++++++ 2 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/fix-cve-2024-40767-24b9b3c35f61a0c8.yaml diff --git a/etc/kayobe/kolla/globals.yml b/etc/kayobe/kolla/globals.yml index eaa8b910a..06e4f1035 100644 --- a/etc/kayobe/kolla/globals.yml +++ b/etc/kayobe/kolla/globals.yml 
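Review bot: Adding `-e rally_no_sensitive_log=false` to the tempest.sh invocation switches off the `no_log` that the commit message itself says exists to avoid revealing sensitive data, yet the reasoning that this "does not apply in CI" is not recorded in the workflow, so a later reader sees only the flag. The credentials the Run tempest task handles belong to the throwaway AIO cloud, but the job's console output and the mounted `tempest-artifacts` directory outlive the VM, and if the repository is public the job log is readable by anyone, so the accepted exposure should be stated where the flag is set. The flag sits inside a backslash-continued `docker run` (the step header is outside the hunk), so the comment belongs above the step's `run:` key, e.g. `# rally_no_sensitive_log=false: CI only. The AIO cloud is ephemeral, but task output lands in the job log, so keep this out of non-CI invocations.` Alternatively gate it on a workflow_dispatch input so it is only enabled when a failure is being debugged.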
@@ -40,9 +40,9 @@ kayobe_image_tags: rocky: yoga-20240105T120257 ubuntu: yoga-20231114T125927 nova: - centos: yoga-20240702T105751 - rocky: yoga-20240702T105751 - ubuntu: yoga-20240702T105751 + centos: yoga-20240724T085253 + rocky: yoga-20240724T085253 + ubuntu: yoga-20240724T085253 nova_libvirt: centos: yoga-20231113T171023 rocky: yoga-20240105T120257 diff --git a/releasenotes/notes/fix-cve-2024-40767-24b9b3c35f61a0c8.yaml b/releasenotes/notes/fix-cve-2024-40767-24b9b3c35f61a0c8.yaml new file mode 100644 index 000000000..d272329ea --- /dev/null +++ b/releasenotes/notes/fix-cve-2024-40767-24b9b3c35f61a0c8.yaml @@ -0,0 +1,6 @@ +--- +critical: + - | + Fixes `CVE-2024-40767 + `_ with updated + container images for Nova services. From 5b1f0406d9917ceb5eab897b0bdeb63fb6ade9c0 Mon Sep 17 00:00:00 2001 From: Matt Anson Date: Wed, 24 Jul 2024 16:27:39 +0100 Subject: [PATCH 5/8] CI: Bump AIO root volume size to 40GB --- terraform/aio/vm.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aio/vm.tf b/terraform/aio/vm.tf index 36dfa50a5..65ec19184 100644 --- a/terraform/aio/vm.tf +++ b/terraform/aio/vm.tf @@ -35,7 +35,7 @@ variable "aio_vm_subnet" { variable "aio_vm_volume_size" { type = number - default = 35 + default = 40 } variable "aio_vm_tags" { From 4fb938c882d38ce48c86b2519b0a10dc149721ed Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Mon, 5 Aug 2024 13:02:59 +0100 Subject: [PATCH 6/8] Prevent hanging before reboot on systems running molly-guard molly-guard can be used to prevent accidental reboots, prompting the user to input the system's hostname before allowing a reboot. This does not work well with automation, however. This change adds the internal reboot executable within molly-guard to the search path to avoid this issue. --- etc/kayobe/ansible/reboot.yml | 9 +++++++++ etc/kayobe/ansible/ubuntu-upgrade.yml | 18 ++++++++++++++++++ 2 files changed, 27 insertions(+) 
diff --git a/etc/kayobe/ansible/reboot.yml b/etc/kayobe/ansible/reboot.yml index 8810afd7f..d64bd83fa 100644 --- a/etc/kayobe/ansible/reboot.yml +++ b/etc/kayobe/ansible/reboot.yml @@ -8,3 +8,12 @@ - name: Reboot and wait become: true reboot: + search_paths: + # Systems running molly-guard hang waiting for confirmation before rebooting without this. + - "/lib/molly-guard" + # Default list: + - "/sbin" + - "/bin" + - "/usr/sbin" + - "/usr/bin" + - "/usr/local/sbin" diff --git a/etc/kayobe/ansible/ubuntu-upgrade.yml b/etc/kayobe/ansible/ubuntu-upgrade.yml index 66ed49643..b7cfe7338 100644 --- a/etc/kayobe/ansible/ubuntu-upgrade.yml +++ b/etc/kayobe/ansible/ubuntu-upgrade.yml @@ -40,6 +40,15 @@ reboot: reboot_timeout: "{{ reboot_timeout_s }}" connect_timeout: 600 + search_paths: + # Systems running molly-guard hang waiting for confirmation before rebooting without this. + - "/lib/molly-guard" + # Default list: + - "/sbin" + - "/bin" + - "/usr/sbin" + - "/usr/bin" + - "/usr/local/sbin" become: true when: file_status.stat.exists @@ -101,6 +110,15 @@ reboot: reboot_timeout: "{{ reboot_timeout_s }}" connect_timeout: 600 + search_paths: + # Systems running molly-guard hang waiting for confirmation before rebooting without this. + - "/lib/molly-guard" + # Default list: + - "/sbin" + - "/bin" + - "/usr/sbin" + - "/usr/bin" + - "/usr/local/sbin" become: true - name: Update distribution facts From 382f735872d53aa923294a1853dadfc31bbd29cb Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Mon, 5 Aug 2024 13:03:54 +0100 Subject: [PATCH 7/8] Add reboot timeout to reboot playbook --- etc/kayobe/ansible/reboot.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/kayobe/ansible/reboot.yml b/etc/kayobe/ansible/reboot.yml index d64bd83fa..a6deb536c 100644 --- a/etc/kayobe/ansible/reboot.yml +++ b/etc/kayobe/ansible/reboot.yml 
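Review bot: The same nine-line `search_paths` block, molly-guard comment included, is pasted three times: once in reboot.yml here and twice in ubuntu-upgrade.yml (the `@@ -40` and `@@ -101` hunks). Because it deliberately routes around molly-guard's confirmation prompt, it is worth keeping in one place, for example a `reboot_search_paths` list in group_vars (name is a suggestion) referenced as `search_paths: "{{ reboot_search_paths }}"`, so the bypass and the copy of the module's default path list cannot drift between playbooks. The inline comment could also state intent rather than symptom: `# molly-guard wraps reboot with a hostname prompt; calling its inner executable directly lets automation reboot without confirmation.` The tasks these blocks belong to start outside the hunks.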
@@ -4,10 +4,13 @@ serial: "{{ lookup('env', 'ANSIBLE_SERIAL') | default(1, true) }}" tags: - reboot + vars: + reboot_timeout_s: "{{ 20 * 60 }}" tasks: - name: Reboot and wait become: true reboot: + reboot_timeout: "{{ reboot_timeout_s }}" search_paths: # Systems running molly-guard hang waiting for confirmation before rebooting without this. - "/lib/molly-guard" From d1c589bf92cd23b88db0bdb4f758e297eb5b42f2 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Fri, 9 Aug 2024 17:41:22 +0100 Subject: [PATCH 8/8] CIS: Remove always tag from include_role tasks If we have the CIS hardening hook enabled and run a command such as the following: kayobe overcloud host configure -t foo where 'cis' is not in the specified tags, we see the following error: PLAY [Security hardening] ***************************************** TASK [include_role : ansible-lockdown.rhel9_cis] ****************** fatal: [controller-01]: FAILED! => msg: |- The conditional check 'ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'' failed. The error was: error while evaluating conditional (ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'): 'dict object' has no attribute 'os_family'. 'dict object' has no attribute 'os_family' The error appears to be in 'etc/kayobe/ansible/cis.yml': line 35, column 7, but may be elsewhere in the file depending on the exact syntax problem. The offending line appears to be: - include_role: ^ here This is because the include_role task has the 'always' tag, so runs despite no facts having been gathered. The always tag is not required for this task - specifying the 'cis' tag causes the role to be included. This change fixes the issue by removing the always tags from these tasks. --- etc/kayobe/ansible/cis.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/etc/kayobe/ansible/cis.yml b/etc/kayobe/ansible/cis.yml index f286aaec4..08e381010 100644 --- a/etc/kayobe/ansible/cis.yml 
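Review bot: `reboot_timeout_s` is defined in play-level `vars:`, which take precedence over inventory and group_vars, so the 20-minute timeout can only be changed with `-e` or by editing the playbook; ubuntu-upgrade.yml consumes a variable of the same name whose definition is not visible here, so the two playbooks may end up with different sources of truth. If per-host or per-environment tuning is wanted, drop the `vars:` entry and default at the point of use: `reboot_timeout: "{{ reboot_timeout_s | default(20 * 60) }}"`. Either way a short comment on the variable, `# Seconds to wait for the host to return; override with -e reboot_timeout_s=N`, would document the contract. The play header and the rest of the `search_paths` list are outside the hunk.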
+++ b/etc/kayobe/ansible/cis.yml @@ -32,14 +32,11 @@ - include_role: name: ansible-lockdown.rhel8_cis when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8' - tags: always - include_role: name: ansible-lockdown.rhel9_cis when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9' - tags: always - include_role: name: ansible-lockdown.ubuntu22_cis when: ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '22' - tags: always