Merge branch 'stackhpc/2025.1' into cis-overcloud-non-kolla-hosts

Author: bbezak

doc/source/configuration/wazuh.rst

@@ -205,8 +205,27 @@ Reinstall the role if required:
 
 ``kayobe control host bootstrap``
 
+Secrets
+-------
+
+Wazuh requires that secrets or passwords are set for itself and the services with which it communicates.
+Wazuh secrets playbook is located in ``$KAYOBE_CONFIG_PATH/ansible/deployment/wazuh-secrets.yml``.
+Running this playbook will generate and put pertinent security items into secrets
+vault file which will be placed in ``$KAYOBE_CONFIG_PATH/deployment/wazuh-secrets.yml``.
+If using environments it ends up in ``$KAYOBE_CONFIG_PATH/environments/<env_name>/deployment/wazuh-secrets.yml``
+Remember to encrypt!
+
+Wazuh secrets template is located in ``$KAYOBE_CONFIG_PATH/ansible/templates/wazuh-secrets.yml.j2``.
+It will be used by wazuh secrets playbook to generate wazuh secrets vault file.
 
-Edit the playbook and variables to your needs:
+
+.. code-block:: console
+
+  kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/deployment/wazuh-secrets.yml
+
+.. note:: Use ``ansible-vault`` to view the secrets:
+
+  ``ansible-vault view --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/inventory/group_vars/wazuh-manager/deployment/wazuh-secrets.yml``
 
 Wazuh manager configuration
 ---------------------------
@@ -242,28 +261,6 @@ You may need to modify some of the variables, including:
 
 You'll need to run ``wazuh-manager.yml`` playbook again to apply customisation.
 
-Secrets
--------
-
-Wazuh requires that secrets or passwords are set for itself and the services with which it communiticates.
-Wazuh secrets playbook is located in ``$KAYOBE_CONFIG_PATH/ansible/deployment/wazuh-secrets.yml``.
-Running this playbook will generate and put pertinent security items into secrets
-vault file which will be placed in ``$KAYOBE_CONFIG_PATH/deployment/wazuh-secrets.yml``.
-If using environments it ends up in ``$KAYOBE_CONFIG_PATH/environments/<env_name>/deployment/wazuh-secrets.yml``
-Remember to encrypt!
-
-Wazuh secrets template is located in ``$KAYOBE_CONFIG_PATH/ansible/templates/wazuh-secrets.yml.j2``.
-It will be used by wazuh secrets playbook to generate wazuh secrets vault file.
-
-
-.. code-block:: console
-
-  kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/deployment/wazuh-secrets.yml
-
-.. note:: Use ``ansible-vault`` to view the secrets:
-
-  ``ansible-vault view --vault-password-file ~/vault.password $KAYOBE_CONFIG_PATH/inventory/group_vars/wazuh-manager/deployment/wazuh-secrets.yml``
-
 Configure Wazuh Dashboard's Server Host
 ---------------------------------------
 
@@ -424,6 +421,13 @@ Verification
 The Wazuh agents should register with the Wazuh manager. This can be verified via the agents page in Wazuh Portal.
 Check CIS benchmark output in agent section.
 
+Wazuh manager removal
+---------------------
+
+The following playbook can be used to purge all Wazuh manager components from a host. This is particularly useful for Wazuh manager servers that are not hosted on an infra-vm.
+
+``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/tools/wazuh-manager-purge.yml``
+
 Additional resources
 --------------------
 

doc/source/operations/ubuntu-noble.rst

@@ -47,8 +47,10 @@ The following types of hosts will be covered in the future:
 
 .. warning::
 
-   Ceph node upgrades have not yet been performed outside of a virtualised test
-   environment. Proceed with caution.
+   Due to `Bug 66389 <https://tracker.ceph.com/issues/66389>`__, do not upgrade
+   Ceph hosts to Noble until the Ceph cluster has been upgraded to at least
+   Reef v18.2.5. Upgrading a host prematurely will prevent its Ceph daemons
+   from starting, and it will not be able to rejoin the cluster.
 
 Prerequisites
 =============
@@ -353,6 +355,8 @@ Storage
 Potential issues
 ----------------
 
+-  Ensure the Ceph cluster is running at least Reef v18.2.5.
+   Upgrading hosts with an older Ceph version will cause daemons to fail.
 -  It is recommended that you upgrade the bootstrap host last.
 -  Before upgrading the bootstrap host, it can be beneficial to backup
    ``/etc/ceph`` and ``/var/lib/ceph``, as sometimes the keys, config, etc.

doc/source/operations/upgrading-openstack.rst

@@ -132,7 +132,7 @@ For example:
       enabled: "{{ seed_pulp_container_enabled | bool }}"
 
 Ansible playbook subdirectories
---------------------------------------
+-------------------------------
 
 The playbooks under ``etc/kayobe/ansible`` have been subdivided into different
 categories to make them easier to navigate. This change may result in merge
@@ -147,6 +147,10 @@ To mitigate the impact of these changes, two scripts have been added:
 * ``tools/magic-symlink-fix.sh`` - Uses the previous script to attempt to fix
   any broken symlinks in the kayobe configuration.
 
+If playbooks are referenced in different methods other than symlinks, they'll
+need to be manually resolved by operators. (e.g. Shell scripts running
+playbooks with file paths, ``import_playbook`` command in custom playbooks)
+
 Known issues
 ============
 
@@ -370,6 +374,14 @@ You can find more information from the :ref:`beokay` documentation.
    For Rocky Linux 9, ``beokay create`` must be used with the ``--python python3.12``
    option to specify Beokay to use Python 3.12 as it is not the default.
 
+Kayobe Automation
+~~~~~~~~~~~~~~~~~
+
+For deployments using Kayobe Automation CI, the Kayobe Docker image also needs
+to be rebuilt with Python 3.12. In GitHub, run the ``Build Kayobe Docker
+Image`` workflow. In GitLab, run the ``build_kayobe_image`` pipeline. In either
+case, the image will automatically be rebuilt with Python 3.12.
+
 Preparation
 ===========
 

etc/kayobe/ansible/maintenance/cis.yml

@@ -30,7 +30,12 @@
       # This is to workaround an issue where we set the expiry to 365 days on kayobe
       # service accounts in a previous iteration of the CIS benchmark hardening
       # defaults. This should restore the defaults and can eventually be removed.
-      ansible.builtin.command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
+      ansible.builtin.user:
+        name: "{{ item }}"
+        password_expire_min: 0
+        password_expire_max: 99999
+        password_expire_warn: 7
+        expires: -1
       become: true
       changed_when: false
       with_items:

etc/kayobe/ansible/requirements.yml

@@ -1,7 +1,7 @@
 ---
 collections:
   - name: stackhpc.cephadm
-    version: 1.21.0
+    version: 1.22.0
   # NOTE: Pinning pulp.squeezer to 0.0.13 because 0.0.14+ depends on the
   # pulp_glue Python library being installed.
   - name: pulp.squeezer

etc/kayobe/ansible/tools/wazuh-manager-purge.yml

@@ -0,0 +1,105 @@
+---
+# This is the playbook version of the wazuh purge tool from:
+# https://github.com/stackhpc/wazuh-server-purge
+
+- name: Purge Wazuh Server Components
+  hosts: wazuh-manager
+  become: true
+  become_user: root
+  tasks:
+# Dashboard
+    - name: Disable and stop wazuh-dashboard service
+      ansible.builtin.systemd_service:
+        name: wazuh-dashboard
+        state: stopped
+        enabled: no
+        daemon_reload: true
+      register: svc_result
+      failed_when:
+        - svc_result.failed
+        - "'Could not find the requested service' not in svc_result.msg"
+
+    - name: Remove wazuh-dashboard and files
+      ansible.builtin.package:
+        name: wazuh-dashboard
+        state: absent
+
+    - name: Remove wazuh-dashboard directories
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - /var/lib/wazuh-dashboard
+        - /usr/share/wazuh-dashboard
+        - /etc/wazuh-dashboard
+# Manager
+    - name: Remove wazuh-manager service
+      ansible.builtin.systemd_service:
+        name: wazuh-manager
+        state: stopped
+        enabled: no
+        daemon_reload: true
+      register: svc_result
+      failed_when:
+        - svc_result.failed
+        - "'Could not find the requested service' not in svc_result.msg"
+
+    - name: Remove wazuh-manager and files
+      ansible.builtin.package:
+        name: wazuh-manager
+        state: absent
+
+    - name: Remove wazuh-manager directories
+      ansible.builtin.file:
+        path: /var/ossec
+        state: absent
+# Filebeat
+    - name: Disable and stop filebeat service
+      ansible.builtin.systemd_service:
+        name: filebeat
+        state: stopped
+        enabled: no
+        daemon_reload: true
+      register: svc_result
+      failed_when:
+        - svc_result.failed
+        - "'Could not find the requested service' not in svc_result.msg"
+
+    - name: Remove filebeat and files
+      ansible.builtin.package:
+        name: filebeat
+        state: absent
+
+    - name: Remove filebeat directories
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - /var/lib/filebeat
+        - /usr/share/filebeat
+        - /etc/filebeat
+# Indexer
+    - name: Disable and stop wazuh-indexer service
+      ansible.builtin.systemd_service:
+        name: wazuh-indexer
+        state: stopped
+        enabled: no
+        daemon_reload: true
+      register: svc_result
+      failed_when:
+        - svc_result.failed
+        - "'Could not find the requested service' not in svc_result.msg"
+
+    - name: Remove wazuh-indexer and files
+      ansible.builtin.package:
+        name: wazuh-indexer
+        state: absent
+
+    - name: Remove wazuh-indexer directories
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - /var/lib/wazuh-indexer
+        - /usr/share/wazuh-indexer
+        - /etc/wazuh-indexer

etc/kayobe/stackhpc.yml

@@ -156,11 +156,11 @@ stackhpc_repo_elrepo_9_version: "{{ stackhpc_repo_distribution }}"
 
 # Kolla source repository.
 stackhpc_kolla_source_url: "https://github.com/stackhpc/kolla"
-stackhpc_kolla_source_version: stackhpc/20.2.0.4
+stackhpc_kolla_source_version: stackhpc/20.3.0.1
 
 # Kolla Ansible source repository.
 stackhpc_kolla_ansible_source_url: "https://github.com/stackhpc/kolla-ansible"
-stackhpc_kolla_ansible_source_version: stackhpc/20.2.0.9
+stackhpc_kolla_ansible_source_version: stackhpc/20.3.0.2
 
 ###############################################################################
 # Container image registry

releasenotes/notes/cephadm-collection-update-50f9dbe301b96cc3.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Updates the ``stackhpc.cephadm`` Ansible collection to version ``1.22.0``,
+    pulling in Tentacle support and recent fixes.

requirements.txt

@@ -1,4 +1,4 @@
-kayobe@git+https://github.com/stackhpc/kayobe@stackhpc/18.3.0.1
+kayobe@git+https://github.com/stackhpc/kayobe@stackhpc/18.3.0.2
 ansible-modules-hashivault>=5.3.0
 pulp-glue<0.32,>=0.29.2
 jmespath