Merge branch 'stackhpc/2023.1' into feature/2023.1/cis

Author: jovial

.github/workflows/stackhpc-container-image-build.yml

@@ -231,7 +231,7 @@ jobs:
         run: mv image-scan-output image-build-logs/image-scan-output
 
       - name: Fail if no images have passed scanning
-        run: if [ $(wc -l < image-build-logs/image-scan-output/clean-images.txt) -le 0 ]; then exit 1; fi
+        run: if [ $(wc -l < image-build-logs/image-scan-output/critical-images.txt) -gt 0 ]; then exit 1; fi
         if: ${{ !inputs.push-dirty }}
 
       - name: Copy clean images to push-attempt-images list

doc/source/contributor/environments/ci-builder.rst

@@ -151,6 +151,13 @@ Pulp proxy that injects an HTTP basic auth header into requests that it
 proxies. Because this proxy bypasses Pulp's authentication, it must not be
 exposed to any untrusted environment.
 
+Ensure that ``localhost`` is resolvable if Docker bridge networking is
+disabled. This may be achieved by adding the following to ``/etc/hosts``:
+
+.. parsed-literal::
+
+   127.0.0.1 localhost
+
 To deploy the proxy:
 
 .. parsed-literal::

doc/source/operations/tempest.rst

@@ -70,7 +70,7 @@ Installing Docker on Rocky:
 .. code-block:: bash
 
     sudo dnf install -y dnf-utils
-    sudo dnf-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
+    sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
     sudo dnf install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
 
 Ensure Docker is running & enabled:
@@ -101,7 +101,7 @@ Build a Kayobe automation image:
     git submodule update
     # If running on Ubuntu, the fact cache can confuse Kayobe in the Rocky-based container
     mv etc/kayobe/facts{,-old}
-    sudo DOCKER_BUILDKIT=1 docker build --build-arg BASE_IMAGE=rockylinux:9 --file .automation/docker/kayobe/Dockerfile --tag kayobe:latest .
+    sudo DOCKER_BUILDKIT=1 docker build --network host --build-arg BASE_IMAGE=rockylinux:9 --file .automation/docker/kayobe/Dockerfile --tag kayobe:latest .
 
 Configuration
 =============

doc/source/operations/upgrading.rst

@@ -132,13 +132,13 @@ Some things to watch out for:
 
  .. code-block:: sql
 
-      UPDATE trust_role
+      UPDATE trust_role as tr
       SET role_id = '<MEMBER-ROLE-ID>'
       WHERE role_id = '<OLD-ROLE-ID>'
       AND NOT EXISTS (
          SELECT 1
          FROM trust_role
-         WHERE trust_id = trust_role.trust_id
+         WHERE trust_id = tr.trust_id
             AND role_id = '<MEMBER-ROLE-ID>'
       );
 

etc/kayobe/ansible/pulp-auth-proxy.yml

@@ -8,7 +8,7 @@
     - import_role:
         name: pulp_auth_proxy
       vars:
-        pulp_auth_proxy_url: "{{ stackhpc_repo_mirror_url }}"
+        pulp_auth_proxy_url: "{{ stackhpc_release_pulp_url }}"
         pulp_auth_proxy_username: "{{ stackhpc_repo_mirror_username }}"
         pulp_auth_proxy_password: "{{ stackhpc_repo_mirror_password }}"
         pulp_auth_proxy_conf_path: "{{ base_path }}/containers/pulp_proxy"

etc/kayobe/ansible/roles/pulp_auth_proxy/README.md

@@ -15,7 +15,7 @@ any untrusted environment.
 
 ## Role variables
 
-* `pulp_auth_proxy_pulp_url`: URL of the Pulp server to proxy requests to.
+* `pulp_auth_proxy_url`: URL of the Pulp server to proxy requests to.
 * `pulp_auth_proxy_username`: Username of the Pulp server to proxy requests to.
 * `pulp_auth_proxy_password`: Password of the Pulp server to proxy requests to.
 * `pulp_auth_proxy_conf_path`: Path to a directory in which to write Nginx

etc/kayobe/ansible/roles/pulp_auth_proxy/defaults/main.yml

@@ -5,3 +5,4 @@ pulp_auth_proxy_password:
 pulp_auth_proxy_conf_path:
 pulp_auth_proxy_listen_ip: 127.0.0.1
 pulp_auth_proxy_listen_port: 80
+pulp_auth_proxy_network_mode:

etc/kayobe/ansible/roles/pulp_auth_proxy/tasks/main.yml

@@ -1,4 +1,24 @@
 ---
+- when: pulp_auth_proxy_network_mode is none
+  block:
+    - name: Check if Docker bridge network exists
+      community.docker.docker_host_info:
+        networks: true
+      register: docker_host_info
+
+    - name: Set a fact about the network mode
+      ansible.builtin.set_fact:
+        pulp_auth_proxy_network_mode: "{{ 'host' if docker_host_info.networks | selectattr('Driver', 'equalto', 'bridge') | list | length == 0 else 'bridge' }}"
+
+- name: Assert that localhost is resolvable when using host networking
+  assert:
+    that:
+      - "'localhost' is ansible.utils.resolvable"
+    fail_msg: >-
+      localhost must be resolvable when using Docker host networking with this container.
+      Consider adding '127.0.0.1 localhost' to /etc/hosts.
+  when: pulp_auth_proxy_network_mode == 'host'
+
 - name: "Ensure {{ pulp_auth_proxy_conf_path }} exists"
   ansible.builtin.file:
     path: "{{ pulp_auth_proxy_conf_path }}"
@@ -18,9 +38,18 @@
   community.docker.docker_container:
     name: pulp_proxy
     image: nginx:stable-alpine
+    network_mode: "{{ pulp_auth_proxy_network_mode }}"
     ports:
       - "{{ pulp_auth_proxy_listen_ip }}:{{ pulp_auth_proxy_listen_port }}:80"
     restart_policy: "no"
     restart: "{{ pulp_proxy_conf is changed }}"
     volumes:
       - "{{ pulp_auth_proxy_conf_path }}/pulp_proxy.conf:/etc/nginx/conf.d/default.conf:ro"
+
+- name: Wait for pulp_proxy container to become accessible
+  ansible.builtin.uri:
+    url: http://localhost/pulp/api/v3/status/
+  register: uri_result
+  until: uri_result is success
+  retries: 30
+  delay: 2

etc/kayobe/inventory/group_vars/overcloud/cis

@@ -115,9 +115,22 @@ ubtu22cis_sshd:
   deny_users: ""
   deny_groups: ""
 
-# Do not change /var/lib/docker permissions
+# Stop the CIS benchmark scanning all files on every filesystem since this
+# takes a long time. Related to the changing permissions block below. This
+# would normally warn you about violations, but we can use Wazuh to continually
+# monitor this.
+ubtu22cis_rule_6_1_9: false
+ubtu22cis_rule_6_1_10: false
+ubtu22cis_rule_6_1_11: false
+ubtu22cis_rule_6_1_12: false
+ubtu22cis_rule_6_1_13: false
+
+# The following rules change permissions on all files on every mounted
+# filesystem.  We do not want to change /var/lib/docker permissions.
 ubtu22cis_no_group_adjust: false
 ubtu22cis_no_owner_adjust: false
+ubtu22cis_no_world_write_adjust: false
+ubtu22cis_suid_adjust: false
 
 # Configure log rotation to prevent audit logs from filling the disk
 ubtu22cis_auditd:
@@ -133,4 +146,10 @@ ubtu22cis_max_log_file_size: 1024
 # ubtu22cis_bootloader_password_hash
 ubtu22cis_rule_1_4_1: false
 ubtu22cis_rule_1_4_3: false
+
+# The way this is disabled currently breaks kolla's IPV6 check, see:
+# https://bugs.launchpad.net/kolla-ansible/+bug/2071443
+# Also matches RHEL hardening behavior.
+ubtu22cis_ipv6_required: true
+
 ##############################################################################

etc/kayobe/kolla/config/fluentd/output/00-local.conf

@@ -0,0 +1,85 @@
+{% raw %}
+{% for item in syslog_facilities | selectattr('enabled') %}
+<match syslog.{{ item.facility }}.**>
+  @type copy
+  <store>
+    @type file
+    path /var/log/kolla/{{ item.logdir }}/{{ item.logfile }}
+    append true
+    # Disable timestamp in filename for logs
+    <buffer []>
+      path /var/log/kolla/{{ item.logdir }}/{{ item.logfile }}.*.buffer
+    </buffer>
+    <format>
+      output_tag {{ item.output_tag | default(false) | lower }}
+      output_time {{ item.output_time | default(false) | lower }}
+    </format>
+  </store>
+{% if log_direct_to_elasticsearch %}
+  <store>
+       @type elasticsearch
+       host {{ elasticsearch_address }}
+       port {{ elasticsearch_port | default('9200') }}
+       scheme {{ fluentd_elasticsearch_scheme }}
+{% if fluentd_elasticsearch_path != '' %}
+       path {{ fluentd_elasticsearch_path }}
+{% endif %}
+{% if fluentd_elasticsearch_scheme == 'https' %}
+       ssl_version {{ fluentd_elasticsearch_ssl_version }}
+       ssl_verify {{ fluentd_elasticsearch_ssl_verify }}
+{% if fluentd_elasticsearch_cacert | length > 0 %}
+       ca_file {{ fluentd_elasticsearch_cacert }}
+{% endif %}
+{% endif %}
+{% if fluentd_elasticsearch_user != '' and fluentd_elasticsearch_password != ''%}
+       user {{ fluentd_elasticsearch_user }}
+       password {{ fluentd_elasticsearch_password }}
+{% endif %}
+       logstash_format true
+       logstash_prefix {{ opensearch_log_index_prefix }}
+       reconnect_on_error true
+       request_timeout {{ fluentd_elasticsearch_request_timeout }}
+       suppress_type_name true
+       <buffer>
+         @type file
+         path /var/lib/fluentd/data/elasticsearch.buffer/{{ item.facility }}.*
+         flush_interval 15s
+       </buffer>
+  </store>
+{% elif log_direct_to_opensearch %}
+  <store>
+       @type opensearch
+       host {{ opensearch_address }}
+       port {{ opensearch_port }}
+       scheme {{ fluentd_opensearch_scheme }}
+{% if fluentd_opensearch_path != '' %}
+       path {{ fluentd_opensearch_path }}
+{% endif %}
+{% if fluentd_opensearch_scheme == 'https' %}
+       ssl_version {{ fluentd_opensearch_ssl_version }}
+       ssl_verify {{ fluentd_opensearch_ssl_verify }}
+{% if fluentd_opensearch_cacert | length > 0 %}
+       ca_file {{ fluentd_opensearch_cacert }}
+{% endif %}
+{% endif %}
+{% if fluentd_opensearch_user != '' and fluentd_opensearch_password != ''%}
+       user {{ fluentd_opensearch_user }}
+       password {{ fluentd_opensearch_password }}
+{% endif %}
+       logstash_format true
+       logstash_prefix {{ opensearch_log_index_prefix }}
+       reconnect_on_error true
+       request_timeout {{ fluentd_opensearch_request_timeout }}
+       suppress_type_name true
+       bulk_message_request_threshold 20M
+       <buffer>
+         @type file
+         path /var/lib/fluentd/data/opensearch.buffer/{{ item.facility }}.*
+         flush_interval 15s
+         chunk_limit_size 8M
+       </buffer>
+    </store>
+{% endif %}
+</match>
+{% endfor %}
+{% endraw %}

etc/kayobe/kolla/config/fluentd/output/03-opensearch.conf

@@ -0,0 +1,51 @@
+{% raw %}
+{% if enable_caso | bool and inventory_hostname in groups['caso'] %}
+<match apel.events>
+    @type copy
+    <store>
+       @type opensearch
+       host { opensearch_address }}
+       port {{ opensearch_port }}
+       logstash_format true
+       logstash_prefix apel
+       flush_interval 15s
+    </store>
+</match>
+{% endif %}
+
+<match **>
+    @type copy
+    <store>
+       @type opensearch
+       host {{ opensearch_address }}
+       port {{ opensearch_port }}
+       scheme {{ fluentd_opensearch_scheme }}
+{% if fluentd_opensearch_path != '' %}
+       path {{ fluentd_opensearch_path }}
+{% endif %}
+{% if fluentd_opensearch_scheme == 'https' %}
+       ssl_version {{ fluentd_opensearch_ssl_version }}
+       ssl_verify {{ fluentd_opensearch_ssl_verify }}
+{% if fluentd_opensearch_cacert | length > 0 %}
+       ca_file {{ fluentd_opensearch_cacert }}
+{% endif %}
+{% endif %}
+{% if fluentd_opensearch_user != '' and fluentd_opensearch_password != ''%}
+       user {{ fluentd_opensearch_user }}
+       password {{ fluentd_opensearch_password }}
+{% endif %}
+       logstash_format true
+       logstash_prefix {{ opensearch_log_index_prefix }}
+       reconnect_on_error true
+       request_timeout {{ fluentd_opensearch_request_timeout }}
+       suppress_type_name true
+       bulk_message_request_threshold 20M
+       <buffer>
+         @type file
+         path /var/lib/fluentd/data/opensearch.buffer/openstack.*
+         flush_interval 15s
+         chunk_limit_size 8M
+       </buffer>
+    </store>
+</match>
+{% endraw %}

etc/kayobe/kolla/config/prometheus/fluentd.rules

@@ -0,0 +1,13 @@
+{% raw %}
+groups:
+- name: Fluentd
+  rules:
+  - alert: FluentdBufferTooLarge
+    expr: (fluentd_output_status_buffer_total_bytes / 1024^2) > 128
+    for: 15m
+    labels:
+      severity: warning
+    annotations:
+      summary: "Fluentd at {{ $labels.instance }} reports large queue buffers"
+      description: "Fluentd queue buffers on {{ $labels.instance }} are using {{ $value }} MiB."
+{% endraw %}

etc/kayobe/kolla/config/prometheus/prometheus-blackbox-exporter.yml

@@ -27,7 +27,7 @@ modules:
       - expect: "^SSH-2.0-"
   icmp:
     prober: icmp
-  http_2xx_os_dashboards:
+  http_2xx_opensearch_dashboards:
     prober: http
     timeout: 5s
     http:

etc/kayobe/pulp-repo-versions.yml

@@ -31,7 +31,7 @@ stackhpc_pulp_repo_rocky_9_3_baseos_version: 20240413T014042
 stackhpc_pulp_repo_rocky_9_3_crb_version: 20240413T014042
 stackhpc_pulp_repo_rocky_9_3_extras_version: 20240413T014042
 stackhpc_pulp_repo_rocky_9_3_highavailability_version: 20240404T012937
-stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20240705T092559
+stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20240708T235303
 stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20240418T070026
 stackhpc_pulp_repo_ubuntu_jammy_security_version: 20240418T043733
 stackhpc_pulp_repo_ubuntu_jammy_version: 20240418T043733

releasenotes/notes/cis-do-not-disable-ipv6-98bd79ad86555f51.yaml

@@ -0,0 +1,12 @@
+---
+fixes:
+  - |
+    IPV6 is no longer disabled by default in the Ubuntu CIS hardening.  If
+    using the old behaviour you may hit `2071443
+    <https://bugs.launchpad.net/kolla-ansible/+bug/2071443>`.
+upgrade:
+  - |
+    To match the new CIS benchmark defaults on Ubuntu, you should remove
+    the ``ipv6.disable=1`` kernel command line option. If you wish to carry
+    on with the current settings, change ``ubtu22cis_ipv6_required`` to
+    ``false``.

releasenotes/notes/fix-blackbox-opensearch-dashboard-d973b43c557c8103.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixed incorrect Opensearch Dashboards Prometheus Blackbox Exporter
+    configuration.

releasenotes/notes/fluentd-buffer-too-large-alert-682893410855387f.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Adds a new Prometheus alert ``FluentdBufferTooLarge`` which is raised when
+    the total size of queue buffers grows above 128 MiB.

releasenotes/notes/rl9-security-common-cve-2024-6409-d36de799a29c3f74.yaml

@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Updates the Rocky Linux 9 SIG Security Common repository to address
+    `CVE-2024-6409 <https://sig-security.rocky.page/issues/CVE-2024-6409/>`__
+    in OpenSSH.