From d580a67ea439b3c0482dbfc815f9fb8f22a642da Mon Sep 17 00:00:00 2001
From: Alex-Welsh
Date: Tue, 17 Dec 2024 17:27:22 +0000
Subject: [PATCH 1/7] Update Ubuntu package repo versions
---
 etc/kayobe/pulp-repo-versions.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/etc/kayobe/pulp-repo-versions.yml b/etc/kayobe/pulp-repo-versions.yml
index daae0cd7e..672980bfb 100644
--- a/etc/kayobe/pulp-repo-versions.yml
+++ b/etc/kayobe/pulp-repo-versions.yml
@@ -7,7 +7,7 @@ stackhpc_pulp_repo_centos_stream_9_openstack_caracal_version: 20241212T022636
 stackhpc_pulp_repo_centos_stream_9_opstools_version: 20231213T031318
 stackhpc_pulp_repo_centos_stream_9_storage_ceph_reef_version: 20240923T233036
 stackhpc_pulp_repo_ceph_reef_debian_version: 20240925T152022
-stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version: 20240910T001721
+stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version: 20241218T154614
 stackhpc_pulp_repo_elrepo_9_version: 20241129T235743
 stackhpc_pulp_repo_epel_9_version: 20241216T235733
 stackhpc_pulp_repo_grafana_version: 20241216T002739
@@ -46,6 +46,6 @@ stackhpc_pulp_repo_rocky_9_5_crb_version: 20241217T005008
 stackhpc_pulp_repo_rocky_9_5_extras_version: 20241216T004230
 stackhpc_pulp_repo_rocky_9_5_highavailability_version: 20241202T003154
 stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20241127T003858
-stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20240911T041957
-stackhpc_pulp_repo_ubuntu_jammy_security_version: 20240924T064114
-stackhpc_pulp_repo_ubuntu_jammy_version: 20240924T064114
+stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20241217T045049
+stackhpc_pulp_repo_ubuntu_jammy_security_version: 20241217T071258
+stackhpc_pulp_repo_ubuntu_jammy_version: 20241217T071258
From 2526d3990579dd15893e0c133c402267c3a76928 Mon Sep 17 00:00:00 2001
From: Alex-Welsh Date: Tue, 7 Jan 2025 10:01:24 +0000 Subject: [PATCH 2/7] Ubuntu container refresh Dec 2024 --- etc/kayobe/kolla-image-tags.yml | 26 +------------------ ...ntu-refresh-december-998f4c2d2bd0032b.yaml | 5 ++++ 2 files changed, 6 insertions(+), 25 deletions(-) create mode 100644 releasenotes/notes/ubuntu-refresh-december-998f4c2d2bd0032b.yaml diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml index fa582ada9..9d6d7580e 100644 --- a/etc/kayobe/kolla-image-tags.yml +++ b/etc/kayobe/kolla-image-tags.yml @@ -5,28 +5,4 @@ kolla_image_tags: openstack: rocky-9: 2024.1-rocky-9-20241218T141751 - ubuntu-jammy: 2024.1-ubuntu-jammy-20240917T091559 - blazar: - ubuntu-jammy: 2024.1-ubuntu-jammy-20241125T093138 - cinder: - ubuntu-jammy: 2024.1-ubuntu-jammy-20241204T081836 - nova: - ubuntu-jammy: 2024.1-ubuntu-jammy-20241004T094540 - neutron: - ubuntu-jammy: 2024.1-ubuntu-jammy-20241203T232519 - octavia: - ubuntu-jammy: 2024.1-ubuntu-jammy-20241004T094540 - horizon: - ubuntu-jammy: 2024.1-ubuntu-jammy-20241202T210927 - bifrost: - ubuntu-jammy: 2024.1-ubuntu-jammy-20241128T162336 - ironic: - ubuntu-jammy: 2024.1-ubuntu-jammy-20241023T143407 - ironic_dnsmasq: - ubuntu-jammy: 2024.1-ubuntu-jammy-20241023T143407 - ironic_neutron_agent: - ubuntu-jammy: 2024.1-ubuntu-jammy-20241023T143407 - letsencrypt: - ubuntu-jammy: 2024.1-ubuntu-jammy-20241206T090120 - grafana: - ubuntu-jammy: 2024.1-ubuntu-jammy-20241128T123708 + ubuntu-jammy: 2024.1-ubuntu-jammy-20241218T141809 diff --git a/releasenotes/notes/ubuntu-refresh-december-998f4c2d2bd0032b.yaml b/releasenotes/notes/ubuntu-refresh-december-998f4c2d2bd0032b.yaml new file mode 100644 index 000000000..a98acb505 --- /dev/null +++ b/releasenotes/notes/ubuntu-refresh-december-998f4c2d2bd0032b.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Refreshed all Ubuntu host package versions and contianer images for + December 2024. From 42724cb11634b67f2801020a0672ef6833cf233e Mon Sep 17 00:00:00 2001 
From: Grzegorz Koper Date: Wed, 8 Jan 2025 13:52:26 +0100 Subject: [PATCH 3/7] feat(wazuh): Add JVM proxy configuration for Slack notifications Add JVM proxy settings to wazuh-indexer configuration to enable OpenSearch Dashboard Slack notifications when running behind a proxy. The configuration: - Sets both HTTP and HTTPS proxy host and port from http_proxy_url - Triggers wazuh-indexer restart when proxy settings change http_proxy_url needs to be defined before running wazuh-manager.yml --- etc/kayobe/ansible/wazuh-manager.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/etc/kayobe/ansible/wazuh-manager.yml b/etc/kayobe/ansible/wazuh-manager.yml index d4013ebd6..868af5786 100644 --- a/etc/kayobe/ansible/wazuh-manager.yml +++ b/etc/kayobe/ansible/wazuh-manager.yml @@ -116,6 +116,23 @@ notify: - Restart wazuh + - name: Add JVM proxy settings to wazuh-indexer + blockinfile: + path: "/etc/wazuh-indexer/jvm.options" + state: present + owner: root + group: wazuh + marker: "# {mark} ANSIBLE MANAGED BLOCK JVM PROXY SETTINGS" + block: | + -Dhttp.proxyHost={{ http_proxy_url | urlsplit('hostname') }} + -Dhttp.proxyPort={{ http_proxy_url | urlsplit('port') }} + -Dhttps.proxyHost={{ http_proxy_url | urlsplit('hostname') }} + -Dhttps.proxyPort={{ http_proxy_url | urlsplit('port') }} + backup: yes + when: http_proxy_url is defined + notify: + - Restart wazuh-indexer + - name: Perform health check against filebeat command: filebeat test output changed_when: false @@ -126,3 +143,8 @@ service: name: wazuh-manager state: restarted + + - name: Restart wazuh-indexer + service: + name: wazuh-indexer + state: restarted From cab8fa02dcbe4f3a1f4db5cc90314f65fbc455c7 Mon Sep 17 00:00:00 2001 
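Review bot: In the new `Add JVM proxy settings to wazuh-indexer` task, `http_proxy_url | urlsplit('port')` has no value when the URL carries no explicit port, so `jvm.options` would receive `-Dhttp.proxyPort=` and `-Dhttps.proxyPort=` lines with an empty or `None` value; the `when:` guard only checks that the variable is defined. A stricter guard such as `when: http_proxy_url is defined and (http_proxy_url | urlsplit('port'))`, or a `| default(...)` on the two port lines, would keep a malformed option out of the indexer's JVM configuration. Only hostname and port are carried over, so any credentials embedded in the URL are dropped, and no `-Dhttp.nonProxyHosts` is written, which presumably leaves the JVM's default exclusions in force; a comment on the task saying whether both are intended would help. `backup: yes` would read better as `backup: true`. The task list continues outside the hunk.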
From: Alex-Welsh Date: Sat, 28 Dec 2024 13:17:13 +0000 Subject: [PATCH 4/7] Add minor upgrade option to MN deploy workflow --- .github/workflows/multinode-inputs.py | 6 +++--- .github/workflows/stackhpc-multinode.yml | 12 ++++++++---- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/multinode-inputs.py b/.github/workflows/multinode-inputs.py index c64b73544..6971bf778 100644 --- a/.github/workflows/multinode-inputs.py +++ b/.github/workflows/multinode-inputs.py @@ -26,7 +26,7 @@ class Scenario: openstack_release: OpenStackRelease os_release: OSRelease neutron_plugin: str - upgrade: bool + upgrade: str ROCKY_9 = OSRelease("rocky", "9", "cloud-user") @@ -50,7 +50,7 @@ def random_scenario() -> Scenario: openstack_release = random.choice(OPENSTACK_RELEASES) os_release = random.choice(openstack_release.os_releases) neutron_plugin = random.choice(NEUTRON_PLUGINS) - upgrade = random.random() > 0.6 + upgrade = 'major' if random.random() > 0.6 else 'none' return Scenario(openstack_release, os_release, neutron_plugin, upgrade) @@ -62,7 +62,7 @@ def generate_inputs(scenario: Scenario) -> t.Dict[str, str]: "os_release": scenario.os_release.release, "ssh_username": scenario.os_release.ssh_username, "neutron_plugin": scenario.neutron_plugin, - "upgrade": str(scenario.upgrade).lower(), + "upgrade": scenario.upgrade, "stackhpc_kayobe_config_version": branch, "stackhpc_kayobe_config_previous_version": previous_branch, } diff --git a/.github/workflows/stackhpc-multinode.yml b/.github/workflows/stackhpc-multinode.yml index 3ec055bb4..321346ec8 100644 --- a/.github/workflows/stackhpc-multinode.yml +++ b/.github/workflows/stackhpc-multinode.yml @@ -27,8 +27,12 @@ name: Multinode - ovs upgrade: description: Whether to perform an upgrade - type: boolean - default: false + default: none + type: choice + options: + - none + - minor + - major break_on: description: When to break execution for manual interaction type: choice 
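Review bot: In `random_scenario` (multinode-inputs.py), `upgrade` is now drawn as `'major'` or `'none'` only, so the `minor` option this commit adds to the workflow input is never exercised by a randomly generated scenario; if that is deliberate, a comment such as `# minor upgrades are only run when requested manually` would say so. The `Scenario.upgrade` field is annotated as plain `str`, which accepts any text; `upgrade: t.Literal["none", "minor", "major"]` would keep the three allowed values visible (the file already writes `t.Dict`, so `t` appears to be the typing module). The new literals use single quotes where the visible context lines use double quotes. `Scenario` and `generate_inputs` both extend outside the hunks.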
@@ -52,7 +56,7 @@ name: Multinode jobs: multinode: name: Multinode - uses: stackhpc/stackhpc-openstack-gh-workflows/.github/workflows/multinode.yml@1.2.0 + uses: stackhpc/stackhpc-openstack-gh-workflows/.github/workflows/multinode.yml@1.4.0 with: multinode_name: ${{ inputs.multinode_name }} os_distribution: ${{ inputs.os_distribution }} @@ -66,6 +70,6 @@ jobs: ssh_key: ${{ inputs.ssh_key }} stackhpc_kayobe_config_version: ${{ github.ref_name }} # NOTE(upgrade): Reference the PREVIOUS release here. - stackhpc_kayobe_config_previous_version: stackhpc/2023.1 + stackhpc_kayobe_config_previous_version: ${{ inputs.upgrade == 'major' && 'stackhpc/2023.1' || 'stackhpc/2024.1' }} terraform_kayobe_multinode_version: ${{ inputs.terraform_kayobe_multinode_version }} secrets: inherit From dbe0ca3aad2618447fe9bda5e4980c7227aef373 Mon Sep 17 00:00:00 2001 From: Grzegorz Koper Date: Wed, 8 Jan 2025 14:08:04 +0100 Subject: [PATCH 5/7] Remove proxy configuration from Wazuh manager playbook The proxy configuration block in ossec.conf is being removed as it was incorrectly placed. The proxy settings in ossec-init.conf do not affect the vulnerability detector functionality. --- etc/kayobe/ansible/wazuh-manager.yml | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/etc/kayobe/ansible/wazuh-manager.yml b/etc/kayobe/ansible/wazuh-manager.yml index d4013ebd6..d7d295d15 100644 --- a/etc/kayobe/ansible/wazuh-manager.yml +++ b/etc/kayobe/ansible/wazuh-manager.yml @@ -102,20 +102,6 @@ notify: - Restart wazuh - - name: Set http/s_proxy vars in ossec-init.conf for vulnerability detector - blockinfile: - path: "/var/ossec/etc/ossec.conf" - state: present - owner: root - group: ossec - block: | - HTTPS_PROXY={{ http_proxy_url }} - HTTP_PROXY={{ http_proxy_url }} - backup: yes - when: http_proxy_url is defined - notify: - - Restart wazuh - - name: Perform health check against filebeat command: filebeat test output changed_when: false 
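Review bot: The reusable workflow reference in the `multinode` job of stackhpc-multinode.yml moves to `multinode.yml@1.4.0`, a tag, while the job passes `secrets: inherit` at the end of the following hunk; a tag can be re-pointed, so whatever it resolves to receives every secret available to this workflow. Pinning the `uses:` line to the full commit SHA of that release and keeping the tag as a trailing comment, `...multinode.yml@<full-commit-sha>  # 1.4.0`, removes the dependency on tag immutability. In the `@@ -66,6 +70,6 @@` hunk, the expression for `stackhpc_kayobe_config_previous_version` resolves to `stackhpc/2024.1` for both `minor` and `none`; the `NOTE(upgrade)` comment above it could be extended to say that both release names in the expression need updating for each new release.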
From 1027fd8b99562db3b490d8d1eee24980b8b00f69 Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Wed, 8 Jan 2025 09:37:01 +0000 Subject: [PATCH 6/7] Bump Cephadm collection --- etc/kayobe/ansible/requirements.yml | 2 +- .../bump-ansible-collection-cephadm-2a6c988a34b192a6.yaml | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/bump-ansible-collection-cephadm-2a6c988a34b192a6.yaml diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml index 72d083a61..cb7b65c37 100644 --- a/etc/kayobe/ansible/requirements.yml +++ b/etc/kayobe/ansible/requirements.yml @@ -1,7 +1,7 @@ --- collections: - name: stackhpc.cephadm - version: 1.18.0 + version: 1.19.1 # NOTE: Pinning pulp.squeezer to 0.0.13 because 0.0.14+ depends on the # pulp_glue Python library being installed. - name: pulp.squeezer diff --git a/releasenotes/notes/bump-ansible-collection-cephadm-2a6c988a34b192a6.yaml b/releasenotes/notes/bump-ansible-collection-cephadm-2a6c988a34b192a6.yaml new file mode 100644 index 000000000..dbc6dd22e --- /dev/null +++ b/releasenotes/notes/bump-ansible-collection-cephadm-2a6c988a34b192a6.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Updates the StackHPC Cephadm Ansible collection from 1.18.0 to 1.19.1. From 195e3e39dff2ff4e846ec5f221a4a7420de44bdf Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Wed, 8 Jan 2025 10:42:35 +0000 Subject: [PATCH 7/7] Fix dangerous wazuh secrets templating --- etc/kayobe/ansible/templates/wazuh-secrets.yml.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/etc/kayobe/ansible/templates/wazuh-secrets.yml.j2 b/etc/kayobe/ansible/templates/wazuh-secrets.yml.j2 index 583c1efa4..8294edec7 100644 --- a/etc/kayobe/ansible/templates/wazuh-secrets.yml.j2 +++ b/etc/kayobe/ansible/templates/wazuh-secrets.yml.j2 
@@ -3,12 +3,12 @@ # Store these securely and use lookups here secrets_wazuh: # Wazuh agent authd pass - authd_pass: "{{ secrets_wazuh.authd_pass | default(lookup('password', '/dev/null'), true) }}" + authd_pass: '{{ secrets_wazuh.authd_pass | default(lookup("password", "/dev/null"), true) }}' # Strengthen default wazuh api user pass wazuh_api_users: - username: "wazuh" - password: "{{ secrets_wazuh.wazuh_api_users[0].password | default(lookup('community.general.random_string', min_lower=1, min_upper=1, min_special=1, min_numeric=1, length=30, override_special=override_special_characters)) }}" + password: '{{ secrets_wazuh.wazuh_api_users[0].password | default(lookup("community.general.random_string", min_lower=1, min_upper=1, min_special=1, min_numeric=1, length=30, override_special=override_special_characters)) }}' # OpenSearch 'admin' user pass - opendistro_admin_password: "{{ secrets_wazuh.opendistro_admin_password | default(lookup('password', '/dev/null'), true) }}" + opendistro_admin_password: '{{ secrets_wazuh.opendistro_admin_password | default(lookup("password", "/dev/null"), true) }}' # OpenSearch 'kibanaserver' user pass - opendistro_kibana_password: "{{ secrets_wazuh.opendistro_kibana_password | default(lookup('password', '/dev/null'), true) }}" + opendistro_kibana_password: '{{ secrets_wazuh.opendistro_kibana_password | default(lookup("password", "/dev/null"), true) }}'
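Review bot: Switching the outer quotes to single quotes moves the problem rather than removing it: if this template is rendered to a YAML file, a secret containing `'` now ends the scalar early, much as `"` or `\` presumably did inside double quotes. Serialising the value instead of wrapping it in quotes handles every character, e.g. `authd_pass: {{ secrets_wazuh.authd_pass | default(lookup("password", "/dev/null"), true) | to_json }}`, and likewise on the other three lines. The `wazuh_api_users` password line also calls `default(...)` without the `, true` argument used on the other three, so an existing empty password would be kept rather than regenerated. A comment above `secrets_wazuh:` stating which characters are safe in these values would help whoever sets `override_special_characters`, which is defined outside this hunk.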