Merge branch 'stackhpc/2023.1' into feature/2023.1/cis

Author: jovial

.github/workflows/stackhpc-container-image-build.yml

@@ -231,7 +231,7 @@ jobs:
         run: mv image-scan-output image-build-logs/image-scan-output
 
       - name: Fail if no images have passed scanning
-        run: if [ $(wc -l < image-build-logs/image-scan-output/clean-images.txt) -le 0 ]; then exit 1; fi
+        run: if [ $(wc -l < image-build-logs/image-scan-output/critical-images.txt) -gt 0 ]; then exit 1; fi
         if: ${{ !inputs.push-dirty }}
 
       - name: Copy clean images to push-attempt-images list

doc/source/contributor/environments/ci-builder.rst

@@ -151,6 +151,13 @@ Pulp proxy that injects an HTTP basic auth header into requests that it
 proxies. Because this proxy bypasses Pulp's authentication, it must not be
 exposed to any untrusted environment.
 
+Ensure that ``localhost`` is resolvable if Docker bridge networking is
+disabled. This may be achieved by adding the following to ``/etc/hosts``:
+
+.. parsed-literal::
+
+   127.0.0.1 localhost
+
 To deploy the proxy:
 
 .. parsed-literal::

doc/source/operations/tempest.rst

@@ -70,7 +70,7 @@ Installing Docker on Rocky:
 .. code-block:: bash
 
     sudo dnf install -y dnf-utils
-    sudo dnf-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
+    sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
     sudo dnf install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
 
 Ensure Docker is running & enabled:
@@ -101,7 +101,7 @@ Build a Kayobe automation image:
     git submodule update
     # If running on Ubuntu, the fact cache can confuse Kayobe in the Rocky-based container
     mv etc/kayobe/facts{,-old}
-    sudo DOCKER_BUILDKIT=1 docker build --build-arg BASE_IMAGE=rockylinux:9 --file .automation/docker/kayobe/Dockerfile --tag kayobe:latest .
+    sudo DOCKER_BUILDKIT=1 docker build --network host --build-arg BASE_IMAGE=rockylinux:9 --file .automation/docker/kayobe/Dockerfile --tag kayobe:latest .
 
 Configuration
 =============

doc/source/operations/upgrading.rst

@@ -132,13 +132,13 @@ Some things to watch out for:
 
  .. code-block:: sql
 
-      UPDATE trust_role
+      UPDATE trust_role as tr
       SET role_id = '<MEMBER-ROLE-ID>'
       WHERE role_id = '<OLD-ROLE-ID>'
       AND NOT EXISTS (
          SELECT 1
          FROM trust_role
-         WHERE trust_id = trust_role.trust_id
+         WHERE trust_id = tr.trust_id
             AND role_id = '<MEMBER-ROLE-ID>'
       );
 

etc/kayobe/ansible/pulp-auth-proxy.yml

@@ -8,7 +8,7 @@
     - import_role:
         name: pulp_auth_proxy
       vars:
-        pulp_auth_proxy_url: "{{ stackhpc_repo_mirror_url }}"
+        pulp_auth_proxy_url: "{{ stackhpc_release_pulp_url }}"
         pulp_auth_proxy_username: "{{ stackhpc_repo_mirror_username }}"
         pulp_auth_proxy_password: "{{ stackhpc_repo_mirror_password }}"
         pulp_auth_proxy_conf_path: "{{ base_path }}/containers/pulp_proxy"

etc/kayobe/ansible/roles/pulp_auth_proxy/README.md

@@ -15,7 +15,7 @@ any untrusted environment.
 
 ## Role variables
 
-* `pulp_auth_proxy_pulp_url`: URL of the Pulp server to proxy requests to.
+* `pulp_auth_proxy_url`: URL of the Pulp server to proxy requests to.
 * `pulp_auth_proxy_username`: Username of the Pulp server to proxy requests to.
 * `pulp_auth_proxy_password`: Password of the Pulp server to proxy requests to.
 * `pulp_auth_proxy_conf_path`: Path to a directory in which to write Nginx

etc/kayobe/ansible/roles/pulp_auth_proxy/defaults/main.yml

@@ -5,3 +5,4 @@ pulp_auth_proxy_password:
 pulp_auth_proxy_conf_path:
 pulp_auth_proxy_listen_ip: 127.0.0.1
 pulp_auth_proxy_listen_port: 80
+pulp_auth_proxy_network_mode:

etc/kayobe/ansible/roles/pulp_auth_proxy/tasks/main.yml

@@ -1,4 +1,24 @@
 ---
+- when: pulp_auth_proxy_network_mode is none
+  block:
+    - name: Check if Docker bridge network exists
+      community.docker.docker_host_info:
+        networks: true
+      register: docker_host_info
+
+    - name: Set a fact about the network mode
+      ansible.builtin.set_fact:
+        pulp_auth_proxy_network_mode: "{{ 'host' if docker_host_info.networks | selectattr('Driver', 'equalto', 'bridge') | list | length == 0 else 'bridge' }}"
+
+- name: Assert that localhost is resolvable when using host networking
+  assert:
+    that:
+      - "'localhost' is ansible.utils.resolvable"
+    fail_msg: >-
+      localhost must be resolvable when using Docker host networking with this container.
+      Consider adding '127.0.0.1 localhost' to /etc/hosts.
+  when: pulp_auth_proxy_network_mode == 'host'
+
 - name: "Ensure {{ pulp_auth_proxy_conf_path }} exists"
   ansible.builtin.file:
     path: "{{ pulp_auth_proxy_conf_path }}"
@@ -18,9 +38,18 @@
   community.docker.docker_container:
     name: pulp_proxy
     image: nginx:stable-alpine
+    network_mode: "{{ pulp_auth_proxy_network_mode }}"
     ports:
       - "{{ pulp_auth_proxy_listen_ip }}:{{ pulp_auth_proxy_listen_port }}:80"
     restart_policy: "no"
     restart: "{{ pulp_proxy_conf is changed }}"
     volumes:
       - "{{ pulp_auth_proxy_conf_path }}/pulp_proxy.conf:/etc/nginx/conf.d/default.conf:ro"
+
+- name: Wait for pulp_proxy container to become accessible
+  ansible.builtin.uri:
+    url: http://localhost/pulp/api/v3/status/
+  register: uri_result
+  until: uri_result is success
+  retries: 30
+  delay: 2

etc/kayobe/inventory/group_vars/overcloud/cis

@@ -115,9 +115,22 @@ ubtu22cis_sshd:
   deny_users: ""
   deny_groups: ""
 
-# Do not change /var/lib/docker permissions
+# Stop the CIS benchmark scanning all files on every filesystem since this
+# takes a long time. Related to the changing permissions block below. This
+# would normally warn you about violations, but we can use Wazuh to continually
+# monitor this.
+ubtu22cis_rule_6_1_9: false
+ubtu22cis_rule_6_1_10: false
+ubtu22cis_rule_6_1_11: false
+ubtu22cis_rule_6_1_12: false
+ubtu22cis_rule_6_1_13: false
+
+# The following rules change permissions on all files on every mounted
+# filesystem.  We do not want to change /var/lib/docker permissions.
 ubtu22cis_no_group_adjust: false
 ubtu22cis_no_owner_adjust: false
+ubtu22cis_no_world_write_adjust: false
+ubtu22cis_suid_adjust: false
 
 # Configure log rotation to prevent audit logs from filling the disk
 ubtu22cis_auditd:
@@ -133,4 +146,10 @@ ubtu22cis_max_log_file_size: 1024
 # ubtu22cis_bootloader_password_hash
 ubtu22cis_rule_1_4_1: false
 ubtu22cis_rule_1_4_3: false
+
+# The way this is disabled currently breaks kolla's IPV6 check, see:
+# https://bugs.launchpad.net/kolla-ansible/+bug/2071443
+# Also matches RHEL hardening behavior.
+ubtu22cis_ipv6_required: true
+
 ##############################################################################

etc/kayobe/kolla/config/fluentd/output/00-local.conf

@@ -0,0 +1,85 @@
+{% raw %}
+{% for item in syslog_facilities | selectattr('enabled') %}
+<match syslog.{{ item.facility }}.**>
+  @type copy
+  <store>
+    @type file
+    path /var/log/kolla/{{ item.logdir }}/{{ item.logfile }}
+    append true
+    # Disable timestamp in filename for logs
+    <buffer []>
+      path /var/log/kolla/{{ item.logdir }}/{{ item.logfile }}.*.buffer
+    </buffer>
+    <format>
+      output_tag {{ item.output_tag | default(false) | lower }}
+      output_time {{ item.output_time | default(false) | lower }}
+    </format>
+  </store>
+{% if log_direct_to_elasticsearch %}
+  <store>
+       @type elasticsearch
+       host {{ elasticsearch_address }}
+       port {{ elasticsearch_port | default('9200') }}
+       scheme {{ fluentd_elasticsearch_scheme }}
+{% if fluentd_elasticsearch_path != '' %}
+       path {{ fluentd_elasticsearch_path }}
+{% endif %}
+{% if fluentd_elasticsearch_scheme == 'https' %}
+       ssl_version {{ fluentd_elasticsearch_ssl_version }}
+       ssl_verify {{ fluentd_elasticsearch_ssl_verify }}
+{% if fluentd_elasticsearch_cacert | length > 0 %}
+       ca_file {{ fluentd_elasticsearch_cacert }}
+{% endif %}
+{% endif %}
+{% if fluentd_elasticsearch_user != '' and fluentd_elasticsearch_password != ''%}
+       user {{ fluentd_elasticsearch_user }}
+       password {{ fluentd_elasticsearch_password }}
+{% endif %}
+       logstash_format true
+       logstash_prefix {{ opensearch_log_index_prefix }}
+       reconnect_on_error true
+       request_timeout {{ fluentd_elasticsearch_request_timeout }}
+       suppress_type_name true
+       <buffer>
+         @type file
+         path /var/lib/fluentd/data/elasticsearch.buffer/{{ item.facility }}.*
+         flush_interval 15s
+       </buffer>
+  </store>
+{% elif log_direct_to_opensearch %}
+  <store>
+       @type opensearch
+       host {{ opensearch_address }}
+       port {{ opensearch_port }}
+       scheme {{ fluentd_opensearch_scheme }}
+{% if fluentd_opensearch_path != '' %}
+       path {{ fluentd_opensearch_path }}
+{% endif %}
+{% if fluentd_opensearch_scheme == 'https' %}
+       ssl_version {{ fluentd_opensearch_ssl_version }}
+       ssl_verify {{ fluentd_opensearch_ssl_verify }}
+{% if fluentd_opensearch_cacert | length > 0 %}
+       ca_file {{ fluentd_opensearch_cacert }}
+{% endif %}
+{% endif %}
+{% if fluentd_opensearch_user != '' and fluentd_opensearch_password != ''%}
+       user {{ fluentd_opensearch_user }}
+       password {{ fluentd_opensearch_password }}
+{% endif %}
+       logstash_format true
+       logstash_prefix {{ opensearch_log_index_prefix }}
+       reconnect_on_error true
+       request_timeout {{ fluentd_opensearch_request_timeout }}
+       suppress_type_name true
+       bulk_message_request_threshold 20M
+       <buffer>
+         @type file
+         path /var/lib/fluentd/data/opensearch.buffer/{{ item.facility }}.*
+         flush_interval 15s
+         chunk_limit_size 8M
+       </buffer>
+    </store>
+{% endif %}
+</match>
+{% endfor %}
+{% endraw %}