stackhpc · markgoddard · Jul 12, 2024 · Jul 12, 2024 · Jul 12, 2024 · Jul 12, 2024
@@ -24,6 +24,7 @@ if [ ! -z ${KAYOBE_ENVIRONMENT:+x} ]; then
     # SMSLab is currently running with 1G switches. This causes tests using volumes and images to fail if
     # the concurrency is set too high.
     export TEMPEST_CONCURRENCY=1
+    export KAYOBE_AUTOMATION_TEMPEST_SKIPLIST="ci-multinode-platform.2022.11"
     # Uncomment this to perform a full tempest test
     # export KAYOBE_AUTOMATION_TEMPEST_LOADLIST=tempest-full
     # export KAYOBE_AUTOMATION_TEMPEST_SKIPLIST=ci-multinode-tempest-full

@@ -0,0 +1,2 @@
+tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_pagination: "Fails without public TLS"
+tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_details_pagination: "Fails without public TLS"
@@ -1 +1,3 @@
+tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_pagination: "Fails without public TLS"
+tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_details_pagination: "Fails without public TLS"
 tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_subnet_details.*: "Cirros image doesn't have '/var/run/udhcpc.eth0.pid"
@@ -18,6 +18,17 @@
         state: absent
       when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8'
 
+    - name: Ensure service accounts have no expiry options set
+      # This is to workaround an issue where we set the expiry to 365 days on kayobe
+      # service accounts in a previous iteration of the CIS benchmark hardening
+      # defaults. This should restore the defaults and can eventually be removed.
+      command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
+      become: true
+      changed_when: false
+      with_items:
+        - "{{ kayobe_ansible_user }}"
+        - "{{ kolla_ansible_user }}"
+
     - include_role:
         name: ansible-lockdown.rhel8_cis
       when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8'

@@ -9,7 +9,7 @@ collections:
   - name: stackhpc.pulp
     version: 0.4.1
   - name: stackhpc.hashicorp
-    version: 2.4.0
+    version: 2.5.0
   - name: stackhpc.kayobe_workflows
     version: 1.0.3
 roles:

@@ -5,6 +5,7 @@
   hosts: overcloud:infra-vms:seed:seed-hypervisor
   vars:
     ansible_python_interpreter: /usr/bin/python3
+    reboot_timeout_s: "{{ 20 * 60 }}"
   tasks:
     - name: Assert that hosts are running Ubuntu Focal
       assert:
@@ -37,7 +38,7 @@
 
     - name: Reboot to apply updates
       reboot:
-        reboot_timeout: 1200
+        reboot_timeout: "{{ reboot_timeout_s }}"
         connect_timeout: 600
       become: true
       when: file_status.stat.exists
@@ -81,16 +82,24 @@
   hosts: overcloud:infra-vms:seed:seed-hypervisor
   vars:
     ansible_python_interpreter: /usr/bin/python3
+    reboot_timeout_s: "{{ 20 * 60 }}"
   tasks:
     - name: Ensure Jammy repo definitions do not exist in sources.list
       blockinfile:
         path: /etc/apt/sources.list
         state: absent
       become: true
 
+    - name: Ensure Kolla Ansible Docker repo definition does not exist
+      file:
+        path: /etc/apt/sources.list.d/docker.list
+        state: absent
+      become: true
+      when: apt_repositories | selectattr('url', 'match', '.*docker-ce.*') | list | length > 0
+
     - name: Reboot and wait
       reboot:
-        reboot_timeout: 1200
+        reboot_timeout: "{{ reboot_timeout_s }}"
         connect_timeout: 600
       become: true
 

@@ -52,25 +52,29 @@ stackhpc_apt_repositories:
     suites: "{{ ansible_facts.distribution_release }} {{ ansible_facts.distribution_release }}-updates {{ ansible_facts.distribution_release }}-backports"
     components: main restricted universe multiverse
     architecture: amd64
+    required: true
   - url: "{{ stackhpc_repo_ubuntu_focal_security_url if ansible_facts.distribution_release == 'focal' else stackhpc_repo_ubuntu_jammy_security_url }}"
     suites: "{{ ansible_facts.distribution_release }}-security"
     components: main restricted universe multiverse
     architecture: amd64
+    required: true
   - url: "{{ stackhpc_repo_ubuntu_jammy_cve_2024_6387_url }}"
     suites: "pulp"
     components: upload
     architecture: amd64
     trusted: yes
-  - url: "{{ stackhpc_repo_docker_ce_ubuntu_url }}"
-    suites: "{{ ansible_facts.distribution_release }}"
+    required: "{{ ansible_facts.distribution_release == 'jammy' }}"
+  - url: "{{ stackhpc_repo_docker_ce_ubuntu_focal_url if ansible_facts.distribution_release == 'focal' else stackhpc_repo_docker_ce_ubuntu_jammy_url }}"
+    suites: "{{ ansible_facts.distribution_release  }}"
     components: stable
     signed_by: docker.asc
     architecture: amd64
+    required: true
 
 # Do not replace apt configuration for non-overcloud hosts. This can result in
 # errors if apt reconfiguration is performed before local repository mirrors
 # are deployed.
-apt_repositories: "{{ stackhpc_apt_repositories if 'overcloud' in group_names else [] }}"
+apt_repositories: "{{ stackhpc_apt_repositories | selectattr('required') | list if 'overcloud' in group_names else [] }}"
 
 # Whether to disable repositories in /etc/apt/sources.list. This may be used
 # when replacing the distribution repositories via apt_repositories.

@@ -51,7 +51,8 @@ stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal
 stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}"
 stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: ""
-stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
+stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}"
+stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}"
 stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream__openstack_yoga_version }}"
 stackhpc_repo_centos_stream_9_opstools_version: "{{ stackhpc_pulp_repo_centos_stream_9_opstools_version }}"

@@ -74,7 +74,8 @@ stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal
 stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}"
 stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: ""
-stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
+stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}"
+stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}"
 stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version }}"
 stackhpc_repo_centos_stream_9_opstools_version: "{{ stackhpc_pulp_repo_centos_stream_9_opstools_version }}"

@@ -48,7 +48,8 @@ stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal
 stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}"
 stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: ""
-stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
+stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}"
+stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}"
 stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version }}"
 stackhpc_repo_centos_stream_9_opstools_version: "{{ stackhpc_pulp_repo_centos_stream_9_opstools_version }}"

@@ -61,6 +61,22 @@ rhel9cis_rule_5_3_4: false
 # Please double-check yourself with: sudo passwd -S root
 rhel9cis_rule_5_6_6: false
 
+# Stop the CIS benchmark scanning all files on every filesystem since this
+# takes a long time. Related to the changing permissions block below. This
+# would normally warn you about violations, but we can use Wazuh to continually
+# monitor this.
+rhel9cis_rule_6_1_9: false
+rhel9cis_rule_6_1_10: false
+rhel9cis_rule_6_1_11: false
+rhel9cis_rule_6_1_12: false
+rhel9cis_rule_6_1_13: false
+rhel9cis_rule_6_1_14: false
+rhel9cis_rule_6_1_15: false
+
+# The following rules change permissions on all files on every mounted
+# filesystem.  We do not want to change /var/lib/docker permissions.
+rhel9cis_no_world_write_adjust: false
+
 # Configure log rotation to prevent audit logs from filling the disk
 rhel9cis_auditd:
   space_left_action: syslog
@@ -75,6 +91,10 @@ rhel9cis_max_log_file_size: 1024
 # `rhel9cis_bootloader_password_hash`
 rhel9cis_set_boot_pass: false
 
+# NOTICE: rule disabled otherwise rule will prevent access to accounts
+# as it will expire passwords older than one year.
+rhel9cis_rule_5_6_1_1: false
+
 ##############################################################################
 # Ubuntu Jammy CIS Hardening Configuration
 
@@ -141,9 +161,22 @@ ubtu22cis_sshd:
   deny_users: ""
   deny_groups: ""
 
-# Do not change /var/lib/docker permissions
+# Stop the CIS benchmark scanning all files on every filesystem since this
+# takes a long time. Related to the changing permissions block below. This
+# would normally warn you about violations, but we can use Wazuh to continually
+# monitor this.
+ubtu22cis_rule_6_1_9: false
+ubtu22cis_rule_6_1_10: false
+ubtu22cis_rule_6_1_11: false
+ubtu22cis_rule_6_1_12: false
+ubtu22cis_rule_6_1_13: false
+
+# The following rules change permissions on all files on every mounted
+# filesystem.  We do not want to change /var/lib/docker permissions.
 ubtu22cis_no_group_adjust: false
 ubtu22cis_no_owner_adjust: false
+ubtu22cis_no_world_write_adjust: false
+ubtu22cis_suid_adjust: false
 
 # Configure log rotation to prevent audit logs from filling the disk
 ubtu22cis_auditd:
@@ -159,4 +192,17 @@ ubtu22cis_max_log_file_size: 1024
 # ubtu22cis_bootloader_password_hash
 ubtu22cis_rule_1_4_1: false
 ubtu22cis_rule_1_4_3: false
+
+# Disable: Ensure minimum days between password changes is configured
+ubtu22cis_rule_5_5_1_1: false
+
+# Disable: Ensure password expiration is 365 days or less
+ubtu22cis_rule_5_5_1_2: false
+
+# Disable: Ensure inactive password lock is 30 days or less
+ubtu22cis_rule_5_5_1_4: false
+
+# Disable: Ensure all users last password change date is in the past
+ubtu22cis_rule_5_5_1_5: false
+
 ##############################################################################
@@ -16,7 +16,8 @@ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20230929T005202
 stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version: 20231005T010906
 stackhpc_pulp_repo_centos_stream_9_opstools_version: 20230615T071742
 stackhpc_pulp_repo_centos_stream_9_storage_ceph_pacific_version: 20230709T010022
-stackhpc_pulp_repo_docker_ce_ubuntu_version: 20231020T014922
+stackhpc_pulp_repo_docker_ce_ubuntu_focal_version: 20240122T172142
+stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version: 20240122T172142
 stackhpc_pulp_repo_docker_version: 20230919T015626
 stackhpc_pulp_repo_elasticsearch_logstash_kibana_7_x_version: 20231012T003815
 stackhpc_pulp_repo_elrepo_9_version: 20230907T075311

@@ -132,13 +132,21 @@ stackhpc_pulp_deb_repos:
     required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}"
 
   # Third-party repositories
-  - name: "Docker CE for Ubuntu"
-    url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu/{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
-    distribution_name: "docker-ce-for-ubuntu-"
-    base_path: "docker-ce/ubuntu/"
-    distributions: "focal jammy"
+  - name: "Docker CE for Ubuntu Focal"
+    url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu-focal/{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}"
+    distribution_name: "docker-ce-for-ubuntu-focal-"
+    base_path: "docker-ce/ubuntu-focal/"
+    distributions: "focal"
     components: "stable"
-    required: "{{ stackhpc_pulp_sync_ubuntu_focal or stackhpc_pulp_sync_ubuntu_jammy | bool }}"
+    required: "{{ stackhpc_pulp_sync_ubuntu_focal | bool }}"
+
+  - name: "Docker CE for Ubuntu Jammy"
+    url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu-jammy/{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}"
+    distribution_name: "docker-ce-for-ubuntu-jammy-"
+    base_path: "docker-ce/ubuntu-jammy/"
+    distributions: "jammy"
+    components: "stable"
+    required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}"
 
 # Publication format is a subset of distribution.
 stackhpc_pulp_publication_deb_development: "{{ stackhpc_pulp_distribution_deb_development }}"

@@ -55,9 +55,13 @@ stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: "{{ stackhpc_repo_distribution
 stackhpc_repo_ubuntu_cloud_archive_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/ubuntu-cloud-archive/{{ stackhpc_repo_ubuntu_cloud_archive_version }}"
 stackhpc_repo_ubuntu_cloud_archive_version: "{{ stackhpc_repo_distribution }}"
 
-# Docker CE for Ubuntu
-stackhpc_repo_docker_ce_ubuntu_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/docker-ce/ubuntu/{{ stackhpc_repo_docker_ce_ubuntu_version }}"
-stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_repo_distribution }}"
+# Docker CE for Ubuntu Focal
+stackhpc_repo_docker_ce_ubuntu_focal_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/docker-ce/ubuntu-focal/{{ stackhpc_repo_docker_ce_ubuntu_focal_version }}"
+stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_repo_distribution }}"
+
+# Docker CE for Ubuntu Jammy
+stackhpc_repo_docker_ce_ubuntu_jammy_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/docker-ce/ubuntu-jammy/{{ stackhpc_repo_docker_ce_ubuntu_jammy_version }}"
+stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_repo_distribution }}"
 
 ###############################################################################
 # RPMs

@@ -0,0 +1,7 @@
+---
+critical:
+  - |
+    Disables password expiration and inactivity policies. This caused the kayobe
+    and kolla service accounts to be locked out of the system. You should re-apply
+    the CIS benchmark hardening playbook as soon as possible to avoid being locked
+    out of your system.
@@ -0,0 +1,11 @@
+---
+features:
+  - |
+    The Docker CE package for Ubuntu has been bumped from ``5:24.0.6-1`` to
+    ``5:25.0.0-1`` This is a side effect of separating out the repos for Docker
+    CE for Ubuntu Jammy/Focal.
+fixes:
+  - |
+    Separated out repos for Docker CE for Ubuntu Jammy/Focal. This fixes a Pulp
+    sync issue where two "identical" repository versions existed with different
+    checksums. 
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Updates the ``stackhpc.hashicorp`` Ansible collection to 2.5.0. This brings
+    in an idempotency fix for generating certificates.
@@ -2,4 +2,4 @@
 security:
   - |
     Adds a custom Apt repository to address `CVE-2024-6387
-    <https://ubuntu.com/security/CVE-2024-6387`__ in OpenSSH.
+    <https://ubuntu.com/security/CVE-2024-6387>`__ in OpenSSH.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_pagination: "Fails without public TLS"
		tempest.api.volume.test_volumes_list.VolumesListTestJSON.test_volume_list_details_pagination: "Fails without public TLS"