Merge branch 'stackhpc/2023.1' into INFRA-629

dougszumski · web-flow · commit 2498700f5fb1 · 2024-07-12T12:06:27.000+01:00
diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
@@ -231,7 +231,7 @@ jobs:
         run: mv image-scan-output image-build-logs/image-scan-output
 
       - name: Fail if no images have passed scanning
-        run: if [ $(wc -l < image-build-logs/image-scan-output/clean-images.txt) -le 0 ]; then exit 1; fi
+        run: if [ $(wc -l < image-build-logs/image-scan-output/critical-images.txt) -gt 0 ]; then exit 1; fi
         if: ${{ !inputs.push-dirty }}
 
       - name: Copy clean images to push-attempt-images list
diff --git a/doc/source/operations/tempest.rst b/doc/source/operations/tempest.rst
@@ -70,7 +70,7 @@ Installing Docker on Rocky:
 .. code-block:: bash
 
     sudo dnf install -y dnf-utils
-    sudo dnf-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
+    sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
     sudo dnf install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
 
 Ensure Docker is running & enabled:
@@ -101,7 +101,7 @@ Build a Kayobe automation image:
     git submodule update
     # If running on Ubuntu, the fact cache can confuse Kayobe in the Rocky-based container
     mv etc/kayobe/facts{,-old}
-    sudo DOCKER_BUILDKIT=1 docker build --build-arg BASE_IMAGE=rockylinux:9 --file .automation/docker/kayobe/Dockerfile --tag kayobe:latest .
+    sudo DOCKER_BUILDKIT=1 docker build --network host --build-arg BASE_IMAGE=rockylinux:9 --file .automation/docker/kayobe/Dockerfile --tag kayobe:latest .
 
 Configuration
 =============
diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis
@@ -133,4 +133,10 @@ ubtu22cis_max_log_file_size: 1024
 # ubtu22cis_bootloader_password_hash
 ubtu22cis_rule_1_4_1: false
 ubtu22cis_rule_1_4_3: false
+
+# The way this is disabled currently breaks kolla's IPV6 check, see:
+# https://bugs.launchpad.net/kolla-ansible/+bug/2071443
+# Also matches RHEL hardening behavior.
+ubtu22cis_ipv6_required: true
+
 ##############################################################################
diff --git a/releasenotes/notes/cis-do-not-disable-ipv6-98bd79ad86555f51.yaml b/releasenotes/notes/cis-do-not-disable-ipv6-98bd79ad86555f51.yaml
@@ -0,0 +1,12 @@
+---
+fixes:
+  - |
+    IPV6 is no longer disabled by default in the Ubuntu CIS hardening.  If
+    using the old behaviour you may hit `2071443
+    <https://bugs.launchpad.net/kolla-ansible/+bug/2071443>`.
+upgrade:
+  - |
+    To match the new CIS benchmark defaults on Ubuntu, you should remove
+    the ``ipv6.disable=1`` kernel command line option. If you wish to carry
+    on with the current settings, change ``ubtu22cis_ipv6_required`` to
+    ``false``.
