2023.1: zed merge #1230

Merged
merged 20 commits into from
Aug 16, 2024

markgoddard
Contributor

  • Stop changing permissions on files on Rocky 9
  • Stop changing permissions on files (#1119)
  • CI: Allow logging of Rally/Tempest
  • Fix CVE-2024-40767
  • CI: Bump AIO root volume size to 40GB
  • Build nova from our fork
  • Prevent hanging before reboot on systems running molly-guard
  • Add reboot timeout to reboot playbook
  • CIS: Remove always tag from include_role tasks

markgoddard and others added 19 commits July 23, 2024 09:03
A similar change was made for Ubuntu systems in #1119, but it did not
apply to Rocky 9 systems. This change brings the two into line.

(cherry picked from commit ef96aa2)

These are causing changes to docker overlay filesystems with
possible unintended consequences. It is also really slow to loop
through so many files in ansible.

(cherry picked from commit 0d1dfe2)

By default the 'Run tempest' task has no_log set to avoid revealing
sensitive data. This does not apply in CI, and makes it difficult to
debug failures.

(cherry picked from commit 8384dc4)

CI: Allow logging of Rally/Tempest

Fixes CVE-2024-40767 [1] with updated container images for Nova
services.

[1] https://security.openstack.org/ossa/OSSA-2024-002.html

CI: Bump AIO root volume size to 40GB

This is necessary to address OSSA-2024-002 [1] until patches are merged
upstream.

[1] https://security.openstack.org/ossa/OSSA-2024-002.html

molly-guard can be used to prevent accidental reboots, prompting the
user to input the system's hostname before allowing a reboot. This does
not work well with automation, however.

This change adds the internal reboot executable within molly-guard to
the search path to avoid this issue.

yoga: Fix reboot hang on systems with molly-guard, add timeout variable
yoga: Stop changing permissions on files in CIS

If we have the CIS hardening hook enabled and run a command such as the
following:

  kayobe overcloud host configure -t foo

where 'cis' is not in the specified tags, we see the following error:

  PLAY [Security hardening] *****************************************
  TASK [include_role : ansible-lockdown.rhel9_cis] ******************
  fatal: [controller-01]: FAILED! =>
    msg: |-
      The conditional check 'ansible_facts.os_family == 'RedHat' and
      ansible_facts.distribution_major_version == '9'' failed. The error
      was: error while evaluating conditional (ansible_facts.os_family
      == 'RedHat' and ansible_facts.distribution_major_version == '9'):
      'dict object' has no attribute 'os_family'. 'dict object' has no
      attribute 'os_family'

      The error appears to be in 'etc/kayobe/ansible/cis.yml': line 35,
      column 7, but may be elsewhere in the file depending on the exact
      syntax problem.

      The offending line appears to be:

          - include_role:
            ^ here

This is because the include_role task has the 'always' tag, so runs
despite no facts having been gathered.

The always tag is not required for this task - specifying the 'cis' tag
causes the role to be included. This change fixes the issue by removing
the always tags from these tasks.

CIS: Remove always tag from include_role tasks

@markgoddard markgoddard requested a review from a team as a code owner August 16, 2024 13:58
@markgoddard markgoddard self-assigned this Aug 16, 2024
@markgoddard markgoddard merged commit f30b309 into stackhpc/2023.1 Aug 16, 2024
12 checks passed
@markgoddard markgoddard deleted the 2023.1-zed-merge branch August 16, 2024 16:07
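
The tag interaction described in the CIS commit message above, shown as an added example that is not the project's `etc/kayobe/ansible/cis.yml`. It assumes the play itself is tagged `cis` and relies on implicit fact gathering, which Ansible skips when a tagged play is run with a different `--tags` selection; `hosts: all` is a placeholder.

```yaml
---
# Constructed playbook for illustration, not the project's cis.yml.
# Assumption: the play carries the 'cis' tag and uses implicit fact
# gathering. Ansible tags implicit fact gathering with 'always' unless
# the play is tagged, in which case it runs only when the play's tag is
# selected. Running with '-t foo' therefore leaves ansible_facts empty.
- name: Security hardening
  hosts: all            # placeholder inventory pattern
  gather_facts: true
  tags:
    - cis
  tasks:
    # Before: the 'always' tag selects this task under any --tags value,
    # including runs where fact gathering was skipped. The 'when'
    # expression is then evaluated against an empty ansible_facts dict and
    # fails with "'dict object' has no attribute 'os_family'".
    #
    # - include_role:
    #     name: ansible-lockdown.rhel9_cis
    #   when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'
    #   tags:
    #     - always

    # After: no 'always' tag. The include task inherits 'cis' from the
    # play, so it is selected only in runs that also gather facts, and a
    # run limited to unrelated tags skips the hardening play cleanly.
    - include_role:
        name: ansible-lockdown.rhel9_cis
      when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'
```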