Merge branch 'stackhpc/2024.1' into sot-rename

Author: Alex-Welsh

.github/workflows/stackhpc-all-in-one.yml

@@ -59,6 +59,18 @@ on:
         description: Whether to perform an upgrade
         type: boolean
         default: false
+      stackhpc_cloud_tests_version:
+        description: Git version of https://github.com/stackhpc/stackhpc-cloud-tests to use for testing
+        type: string
+        default: main
+      repository:
+        description: SKC repository to checkout (convenience for external CI)
+        type: string
+        default: ${{ github.repository }}
+      github_ref:
+        description: Git ref to checkout (convenience for external CI)
+        type: string
+        default: ${{ github.ref }}
     secrets:
       KAYOBE_VAULT_PASSWORD:
         required: true
@@ -94,7 +106,8 @@ jobs:
       - name: Checkout ${{ inputs.upgrade && 'previous release' || 'current' }} config
         uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.upgrade && env.PREVIOUS_BRANCH || github.ref }}
+          repository: ${{ inputs.repository }}
+          ref: ${{ inputs.upgrade && env.PREVIOUS_BRANCH || inputs.github_ref }}
           submodules: true
 
       - name: Output Kayobe image
@@ -367,6 +380,8 @@ jobs:
       - name: Checkout current release config
         uses: actions/checkout@v4
         with:
+          repository: ${{ inputs.repository }}
+          ref: ${{ inputs.github_ref }}
           submodules: true
           clean: false
         if: inputs.upgrade
@@ -448,7 +463,7 @@ jobs:
             -v $(pwd)/sct-results:/stack/sct-results \
             -e KAYOBE_ENVIRONMENT -e KAYOBE_VAULT_PASSWORD -e KAYOBE_AUTOMATION_SSH_PRIVATE_KEY \
             $KAYOBE_IMAGE \
-            /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/stackhpc-cloud-tests.yml'
+            /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/stackhpc-cloud-tests.yml' -e sot_version=${{ inputs.stackhpc_cloud_tests_version }}
         env:
           KAYOBE_AUTOMATION_SSH_PRIVATE_KEY: ${{ steps.ssh_key.outputs.ssh_key }}
 

doc/source/configuration/firewall.rst

@@ -86,7 +86,7 @@ Storage firewalld Configuration
    :caption: ``storage.yml``
 
    ###############################################################################
-   # storage node firewalld configuration.
+   # Storage node firewalld configuration.
 
    # Whether to install and enable firewalld.
    storage_firewalld_enabled: true
@@ -118,7 +118,7 @@ Monitoring firewalld Configuration
    :caption: ``monitoring.yml``
 
    ###############################################################################
-   # monitoring node firewalld configuration.
+   # Monitoring node firewalld configuration.
 
    # Whether to install and enable firewalld.
    monitoring_firewalld_enabled: true
@@ -182,7 +182,7 @@ Seed firewalld Configuration
    :caption: ``seed.yml``
 
    ###############################################################################
-   # seed node firewalld configuration.
+   # Seed node firewalld configuration.
 
    # Whether to install and enable firewalld.
    seed_firewalld_enabled: true
@@ -211,7 +211,7 @@ Seed Hypervisor firewalld Configuration
    :caption: ``seed_hypervisor.yml``
 
    ###############################################################################
-   # seed_hypervisor node firewalld configuration.
+   # Seed hypervisor node firewalld configuration.
 
    # Whether to install and enable firewalld.
    seed_hypervisor_firewalld_enabled: true

doc/source/configuration/wazuh.rst

@@ -336,11 +336,6 @@ rulesets. However, you may find you want to add more. This can be achieved via
 SKC supports this automatically, just add the policy file from this PR to
 ``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies``.
 
-Currently, Wazuh does not ship with a CIS benchmark for Rocky 9. You can find
-the in-development policy here: https://github.com/wazuh/wazuh/pull/17810 To
-include this in your deployment, simply copy it to
-``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies/cis_rocky_linux_9.yml``.
-
 .. _Deploy:
 
 Deploy
@@ -354,11 +349,11 @@ If you are using the wazuh generated certificates,
 this will result in the creation of some certificates and keys (in case of custom certs adjust path to it).
 Encrypt the keys (and remember to commit to git):
 
-``ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/<environment>/wazuh/wazuh-certificates/*.key``
+``ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/environments/<environment>/wazuh/wazuh-certificates/*.key $KAYOBE_CONFIG_PATH/environments/<environment>/wazuh/wazuh-certificates/*-key.pem``
 
 If using the kayobe environments feature, otherwise:
 
-``ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/ansible/wazuh/certificates/certs/*.key``
+``ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/ansible/wazuh/certificates/certs/*.key $KAYOBE_CONFIG_PATH/ansible/wazuh/certificates/certs/*-key.pem``
 
 .. _wazuh-verification:
 

etc/kayobe/ansible/growroot.yml

@@ -32,7 +32,7 @@
     - name: Check LVM status
       ansible.builtin.shell:
         executable: "/bin/bash"
-        cmd: set -o pipefail && vgdisplay | grep -q lvm2
+        cmd: set -o pipefail && vgdisplay | grep lvm2 >> /dev/null
       changed_when: false
       failed_when: false
       check_mode: false

etc/kayobe/ansible/requirements.yml

@@ -22,7 +22,7 @@ roles:
     version: 1.3.1
   - name: wazuh-ansible
     src: https://github.com/stackhpc/wazuh-ansible
-    version: stackhpc
+    version: stackhpc-v4.10.0
   - name: geerlingguy.pip
     version: 2.2.0
   - name: monolithprojects.github_actions_runner

etc/kayobe/ansible/stackhpc-cloud-tests.yml

@@ -6,7 +6,7 @@
   vars:
     sct_venv: "{{ virtualenv_path }}/sct-venv"
     sct_repo: https://github.com/stackhpc/stackhpc-cloud-tests
-    sct_version: v0.2.0
+    sct_version: main
     sct_timeout: 30
     results_path_local: "{{ lookup('env', 'HOME') }}/sct-results"
   tasks:

etc/kayobe/ansible/wazuh-manager.yml

@@ -130,6 +130,11 @@
       changed_when: false
       retries: 2
 
+    - name: Correct permissions on alerts manifest
+      ansible.builtin.file:
+        path: "/usr/share/filebeat/module/wazuh/alerts/manifest.yml"
+        mode: "go-w"
+
   handlers:
     - name: Restart wazuh
       ansible.builtin.service:

etc/kayobe/environments/ci-multinode/monitoring.yml

@@ -1,6 +1,6 @@
 ---
 ###############################################################################
-# monitoring node firewalld configuration.
+# Monitoring node firewalld configuration.
 
 # Whether to install and enable firewalld.
 monitoring_firewalld_enabled: true

etc/kayobe/environments/ci-multinode/seed-hypervisor.yml

@@ -1,6 +1,6 @@
 ---
 ###############################################################################
-# seed_hypervisor node firewalld configuration.
+# Seed hypervisor node firewalld configuration.
 
 # Whether to install and enable firewalld.
 seed_hypervisor_firewalld_enabled: true

etc/kayobe/environments/ci-multinode/seed.yml

@@ -29,7 +29,7 @@ snat_rules_manila:
 snat_rules: "{{ snat_rules_default + snat_rules_manila if (kolla_enable_manila | bool and kolla_enable_manila_backend_cephfs_native | bool) else snat_rules_default }}"
 
 ###############################################################################
-# seed node firewalld configuration.
+# Seed node firewalld configuration.
 
 # Whether to install and enable firewalld.
 seed_firewalld_enabled: "{{ kolla_enable_ovn | bool }}"

etc/kayobe/environments/ci-multinode/storage.yml

@@ -6,7 +6,7 @@ storage_lvm_groups:
   - "{{ stackhpc_lvm_group_rootvg }}"
 
 ###############################################################################
-# storage node firewalld configuration.
+# Storage node firewalld configuration.
 
 # Whether to install and enable firewalld.
 storage_firewalld_enabled: true

etc/kayobe/ipa.yml

@@ -107,6 +107,13 @@ ipa_ramdisk_upstream_url: "{{ (stackhpc_ipa_image_url + '/ipa.initramfs') if sta
 # Algorithm of checksum of Ironic deployment ramdisk image.
 #ipa_ramdisk_checksum_algorithm:
 
+# IPA download parameters
+image_download_url_username: "{{ stackhpc_release_pulp_username }}"
+image_download_url_password: "{{ stackhpc_release_pulp_password }}"
+image_download_force_basic_auth: true
+image_download_unredirected_headers:
+  - Authorization
+
 ###############################################################################
 # Ironic Python Agent (IPA) deployment configuration.
 

etc/kayobe/pulp-host-image-versions.yml

@@ -1,5 +1,5 @@
 ---
 # Overcloud host image versioning tags
 # These images must be in SMS, since they are used by our AIO CI runners
-stackhpc_rocky_9_overcloud_host_image_version: "2024.1-20240912T145502"
-stackhpc_ubuntu_jammy_overcloud_host_image_version: "2024.1-20240911T124950"
+stackhpc_rocky_9_overcloud_host_image_version: "2024.1-20241209T151515"
+stackhpc_ubuntu_jammy_overcloud_host_image_version: "2024.1-20250116T133659"

etc/kayobe/stackhpc-overcloud-dib.yml

@@ -37,7 +37,9 @@ stackhpc_overcloud_dib_elements:
 stackhpc_overcloud_dib_env_vars:
   DIB_BLOCK_DEVICE_CONFIG: "{{ stackhpc_overcloud_dib_block_device_config_uefi_lvm }}"
   DIB_BOOTLOADER_DEFAULT_CMDLINE: "nofb nomodeset gfxpayload=text net.ifnames=1 rd.auto"
-  DIB_CLOUD_INIT_DATASOURCES: "ConfigDrive"
+  DIB_GRUB_TIMEOUT: "5"
+  DIB_GRUB_TIMEOUT_STYLE: "menu"
+  DIB_CLOUD_INIT_DATASOURCES: "OpenStack, ConfigDrive"
   DIB_CONTAINERFILE_RUNTIME: "docker"
   DIB_CONTAINERFILE_NETWORK_DRIVER: "host"
   DIB_CONTAINERFILE_DOCKERFILE: "/opt/kayobe/src/stackhpc-image-elements/elements/rocky-container-stackhpc/containerfiles/9-stackhpc"

releasenotes/notes/grub_timeout_values-c39b8b1a2c34a602.yaml

@@ -0,0 +1,8 @@
+---
+upgrade:
+  - |
+    Change default values for ``DIB_GRUB_TIMEOUT_STYLE`` and
+    ``DIB_GRUB_TIMEOUT``. The default value for ``DIB_GRUB_TIMEOUT_STYLE``
+    will be ``menu`` and for ``DIB_GRUB_TIMEOUT`` will be ``5``.
+    Adding ConfigDrive to ``DIB_CLOUD_INIT_DATASOURCES`` var list to fix
+    cloud-init issue.

releasenotes/notes/wazuh-ansible-v4.10.0-ed5209199194cddf.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Upgrades the version of wazuh-ansible to v4.10.0. This brings in the SCA CIS
+    checks for Rocky Linux 9 by default.