Merge branch 'stackhpc/2023.1' into INFRA-629

GregWhiteyBialas · web-flow · commit 1979659875f0 · 2024-07-10T14:49:48.000+02:00
diff --git a/doc/source/contributor/environments/ci-builder.rst b/doc/source/contributor/environments/ci-builder.rst
@@ -151,6 +151,13 @@ Pulp proxy that injects an HTTP basic auth header into requests that it
 proxies. Because this proxy bypasses Pulp's authentication, it must not be
 exposed to any untrusted environment.
 
+Ensure that ``localhost`` is resolvable if Docker bridge networking is
+disabled. This may be achieved by adding the following to ``/etc/hosts``:
+
+.. parsed-literal::
+
+   127.0.0.1 localhost
+
 To deploy the proxy:
 
 .. parsed-literal::
diff --git a/doc/source/operations/upgrading.rst b/doc/source/operations/upgrading.rst
@@ -132,13 +132,13 @@ Some things to watch out for:
 
  .. code-block:: sql
 
-      UPDATE trust_role
+      UPDATE trust_role as tr
       SET role_id = '<MEMBER-ROLE-ID>'
       WHERE role_id = '<OLD-ROLE-ID>'
       AND NOT EXISTS (
          SELECT 1
          FROM trust_role
-         WHERE trust_id = trust_role.trust_id
+         WHERE trust_id = tr.trust_id
             AND role_id = '<MEMBER-ROLE-ID>'
       );
 
diff --git a/etc/kayobe/ansible/pulp-auth-proxy.yml b/etc/kayobe/ansible/pulp-auth-proxy.yml
@@ -8,7 +8,7 @@
     - import_role:
         name: pulp_auth_proxy
       vars:
-        pulp_auth_proxy_url: "{{ stackhpc_repo_mirror_url }}"
+        pulp_auth_proxy_url: "{{ stackhpc_release_pulp_url }}"
         pulp_auth_proxy_username: "{{ stackhpc_repo_mirror_username }}"
         pulp_auth_proxy_password: "{{ stackhpc_repo_mirror_password }}"
         pulp_auth_proxy_conf_path: "{{ base_path }}/containers/pulp_proxy"
diff --git a/etc/kayobe/ansible/roles/pulp_auth_proxy/README.md b/etc/kayobe/ansible/roles/pulp_auth_proxy/README.md
@@ -15,7 +15,7 @@ any untrusted environment.
 
 ## Role variables
 
-* `pulp_auth_proxy_pulp_url`: URL of the Pulp server to proxy requests to.
+* `pulp_auth_proxy_url`: URL of the Pulp server to proxy requests to.
 * `pulp_auth_proxy_username`: Username of the Pulp server to proxy requests to.
 * `pulp_auth_proxy_password`: Password of the Pulp server to proxy requests to.
 * `pulp_auth_proxy_conf_path`: Path to a directory in which to write Nginx
diff --git a/etc/kayobe/ansible/roles/pulp_auth_proxy/defaults/main.yml b/etc/kayobe/ansible/roles/pulp_auth_proxy/defaults/main.yml
@@ -5,3 +5,4 @@ pulp_auth_proxy_password:
 pulp_auth_proxy_conf_path:
 pulp_auth_proxy_listen_ip: 127.0.0.1
 pulp_auth_proxy_listen_port: 80
+pulp_auth_proxy_network_mode:
diff --git a/etc/kayobe/ansible/roles/pulp_auth_proxy/tasks/main.yml b/etc/kayobe/ansible/roles/pulp_auth_proxy/tasks/main.yml
@@ -1,4 +1,24 @@
 ---
+- when: pulp_auth_proxy_network_mode is none
+  block:
+    - name: Check if Docker bridge network exists
+      community.docker.docker_host_info:
+        networks: true
+      register: docker_host_info
+
+    - name: Set a fact about the network mode
+      ansible.builtin.set_fact:
+        pulp_auth_proxy_network_mode: "{{ 'host' if docker_host_info.networks | selectattr('Driver', 'equalto', 'bridge') | list | length == 0 else 'bridge' }}"
+
+- name: Assert that localhost is resolvable when using host networking
+  assert:
+    that:
+      - "'localhost' is ansible.utils.resolvable"
+    fail_msg: >-
+      localhost must be resolvable when using Docker host networking with this container.
+      Consider adding '127.0.0.1 localhost' to /etc/hosts.
+  when: pulp_auth_proxy_network_mode == 'host'
+
 - name: "Ensure {{ pulp_auth_proxy_conf_path }} exists"
   ansible.builtin.file:
     path: "{{ pulp_auth_proxy_conf_path }}"
@@ -18,9 +38,18 @@
   community.docker.docker_container:
     name: pulp_proxy
     image: nginx:stable-alpine
+    network_mode: "{{ pulp_auth_proxy_network_mode }}"
     ports:
       - "{{ pulp_auth_proxy_listen_ip }}:{{ pulp_auth_proxy_listen_port }}:80"
     restart_policy: "no"
     restart: "{{ pulp_proxy_conf is changed }}"
     volumes:
       - "{{ pulp_auth_proxy_conf_path }}/pulp_proxy.conf:/etc/nginx/conf.d/default.conf:ro"
+
+- name: Wait for pulp_proxy container to become accessible
+  ansible.builtin.uri:
+    url: http://localhost/pulp/api/v3/status/
+  register: uri_result
+  until: uri_result is success
+  retries: 30
+  delay: 2
diff --git a/etc/kayobe/kolla/config/fluentd/output/00-local.conf b/etc/kayobe/kolla/config/fluentd/output/00-local.conf
@@ -0,0 +1,85 @@
+{% raw %}
+{% for item in syslog_facilities | selectattr('enabled') %}
+<match syslog.{{ item.facility }}.**>
+  @type copy
+  <store>
+    @type file
+    path /var/log/kolla/{{ item.logdir }}/{{ item.logfile }}
+    append true
+    # Disable timestamp in filename for logs
+    <buffer []>
+      path /var/log/kolla/{{ item.logdir }}/{{ item.logfile }}.*.buffer
+    </buffer>
+    <format>
+      output_tag {{ item.output_tag | default(false) | lower }}
+      output_time {{ item.output_time | default(false) | lower }}
+    </format>
+  </store>
+{% if log_direct_to_elasticsearch %}
+  <store>
+       @type elasticsearch
+       host {{ elasticsearch_address }}
+       port {{ elasticsearch_port | default('9200') }}
+       scheme {{ fluentd_elasticsearch_scheme }}
+{% if fluentd_elasticsearch_path != '' %}
+       path {{ fluentd_elasticsearch_path }}
+{% endif %}
+{% if fluentd_elasticsearch_scheme == 'https' %}
+       ssl_version {{ fluentd_elasticsearch_ssl_version }}
+       ssl_verify {{ fluentd_elasticsearch_ssl_verify }}
+{% if fluentd_elasticsearch_cacert | length > 0 %}
+       ca_file {{ fluentd_elasticsearch_cacert }}
+{% endif %}
+{% endif %}
+{% if fluentd_elasticsearch_user != '' and fluentd_elasticsearch_password != ''%}
+       user {{ fluentd_elasticsearch_user }}
+       password {{ fluentd_elasticsearch_password }}
+{% endif %}
+       logstash_format true
+       logstash_prefix {{ opensearch_log_index_prefix }}
+       reconnect_on_error true
+       request_timeout {{ fluentd_elasticsearch_request_timeout }}
+       suppress_type_name true
+       <buffer>
+         @type file
+         path /var/lib/fluentd/data/elasticsearch.buffer/{{ item.facility }}.*
+         flush_interval 15s
+       </buffer>
+  </store>
+{% elif log_direct_to_opensearch %}
+  <store>
+       @type opensearch
+       host {{ opensearch_address }}
+       port {{ opensearch_port }}
+       scheme {{ fluentd_opensearch_scheme }}
+{% if fluentd_opensearch_path != '' %}
+       path {{ fluentd_opensearch_path }}
+{% endif %}
+{% if fluentd_opensearch_scheme == 'https' %}
+       ssl_version {{ fluentd_opensearch_ssl_version }}
+       ssl_verify {{ fluentd_opensearch_ssl_verify }}
+{% if fluentd_opensearch_cacert | length > 0 %}
+       ca_file {{ fluentd_opensearch_cacert }}
+{% endif %}
+{% endif %}
+{% if fluentd_opensearch_user != '' and fluentd_opensearch_password != ''%}
+       user {{ fluentd_opensearch_user }}
+       password {{ fluentd_opensearch_password }}
+{% endif %}
+       logstash_format true
+       logstash_prefix {{ opensearch_log_index_prefix }}
+       reconnect_on_error true
+       request_timeout {{ fluentd_opensearch_request_timeout }}
+       suppress_type_name true
+       bulk_message_request_threshold 20M
+       <buffer>
+         @type file
+         path /var/lib/fluentd/data/opensearch.buffer/{{ item.facility }}.*
+         flush_interval 15s
+         chunk_limit_size 8M
+       </buffer>
+    </store>
+{% endif %}
+</match>
+{% endfor %}
+{% endraw %}
diff --git a/etc/kayobe/kolla/config/fluentd/output/03-opensearch.conf b/etc/kayobe/kolla/config/fluentd/output/03-opensearch.conf
@@ -0,0 +1,51 @@
+{% raw %}
+{% if enable_caso | bool and inventory_hostname in groups['caso'] %}
+<match apel.events>
+    @type copy
+    <store>
+       @type opensearch
+       host { opensearch_address }}
+       port {{ opensearch_port }}
+       logstash_format true
+       logstash_prefix apel
+       flush_interval 15s
+    </store>
+</match>
+{% endif %}
+
+<match **>
+    @type copy
+    <store>
+       @type opensearch
+       host {{ opensearch_address }}
+       port {{ opensearch_port }}
+       scheme {{ fluentd_opensearch_scheme }}
+{% if fluentd_opensearch_path != '' %}
+       path {{ fluentd_opensearch_path }}
+{% endif %}
+{% if fluentd_opensearch_scheme == 'https' %}
+       ssl_version {{ fluentd_opensearch_ssl_version }}
+       ssl_verify {{ fluentd_opensearch_ssl_verify }}
+{% if fluentd_opensearch_cacert | length > 0 %}
+       ca_file {{ fluentd_opensearch_cacert }}
+{% endif %}
+{% endif %}
+{% if fluentd_opensearch_user != '' and fluentd_opensearch_password != ''%}
+       user {{ fluentd_opensearch_user }}
+       password {{ fluentd_opensearch_password }}
+{% endif %}
+       logstash_format true
+       logstash_prefix {{ opensearch_log_index_prefix }}
+       reconnect_on_error true
+       request_timeout {{ fluentd_opensearch_request_timeout }}
+       suppress_type_name true
+       bulk_message_request_threshold 20M
+       <buffer>
+         @type file
+         path /var/lib/fluentd/data/opensearch.buffer/openstack.*
+         flush_interval 15s
+         chunk_limit_size 8M
+       </buffer>
+    </store>
+</match>
+{% endraw %}
diff --git a/etc/kayobe/kolla/config/prometheus/fluentd.rules b/etc/kayobe/kolla/config/prometheus/fluentd.rules
@@ -0,0 +1,13 @@
+{% raw %}
+groups:
+- name: Fluentd
+  rules:
+  - alert: FluentdBufferTooLarge
+    expr: (fluentd_output_status_buffer_total_bytes / 1024^2) > 128
+    for: 15m
+    labels:
+      severity: warning
+    annotations:
+      summary: "Fluentd at {{ $labels.instance }} reports large queue buffers"
+      description: "Fluentd queue buffers on {{ $labels.instance }} are using {{ $value }} MiB."
+{% endraw %}
diff --git a/etc/kayobe/kolla/config/prometheus/prometheus-blackbox-exporter.yml b/etc/kayobe/kolla/config/prometheus/prometheus-blackbox-exporter.yml
@@ -27,7 +27,7 @@ modules:
       - expect: "^SSH-2.0-"
   icmp:
     prober: icmp
-  http_2xx_os_dashboards:
+  http_2xx_opensearch_dashboards:
     prober: http
     timeout: 5s
     http:
diff --git a/etc/kayobe/pulp-repo-versions.yml b/etc/kayobe/pulp-repo-versions.yml
@@ -31,7 +31,7 @@ stackhpc_pulp_repo_rocky_9_3_baseos_version: 20240413T014042
 stackhpc_pulp_repo_rocky_9_3_crb_version: 20240413T014042
 stackhpc_pulp_repo_rocky_9_3_extras_version: 20240413T014042
 stackhpc_pulp_repo_rocky_9_3_highavailability_version: 20240404T012937
-stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20240705T092559
+stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20240708T235303
 stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20240418T070026
 stackhpc_pulp_repo_ubuntu_jammy_security_version: 20240418T043733
 stackhpc_pulp_repo_ubuntu_jammy_version: 20240418T043733
diff --git a/releasenotes/notes/fix-blackbox-opensearch-dashboard-d973b43c557c8103.yaml b/releasenotes/notes/fix-blackbox-opensearch-dashboard-d973b43c557c8103.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixed incorrect Opensearch Dashboards Prometheus Blackbox Exporter
+    configuration.
diff --git a/releasenotes/notes/fluentd-buffer-too-large-alert-682893410855387f.yaml b/releasenotes/notes/fluentd-buffer-too-large-alert-682893410855387f.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Adds a new Prometheus alert ``FluentdBufferTooLarge`` which is raised when
+    the total size of queue buffers grows above 128 MiB.
diff --git a/releasenotes/notes/rl9-security-common-cve-2024-6409-d36de799a29c3f74.yaml b/releasenotes/notes/rl9-security-common-cve-2024-6409-d36de799a29c3f74.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Updates the Rocky Linux 9 SIG Security Common repository to address
+    `CVE-2024-6409 <https://sig-security.rocky.page/issues/CVE-2024-6409/>`__
+    in OpenSSH.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +fixes:
 +  - |
 +    Fixed incorrect Opensearch Dashboards Prometheus Blackbox Exporter
 +    configuration.