Fix CIS play skipping kolla user on non-Kolla hosts

bbezak · bbezak · commit a712732bdf44 · 2025-12-01T10:42:33.000+01:00
Signed-off-by: Bartosz Bezak &lt;bartosz@stackhpc.com&gt;
diff --git a/etc/kayobe/ansible/maintenance/cis.yml b/etc/kayobe/ansible/maintenance/cis.yml
@@ -20,6 +20,12 @@
         state: present
       when: ansible_facts.distribution == 'Ubuntu'
 
+    - name: Gather passwd entries
+      ansible.builtin.getent:
+        database: passwd
+      become: true
+      changed_when: false
+
     - name: Ensure service accounts have no expiry options set
       # This is to workaround an issue where we set the expiry to 365 days on kayobe
       # service accounts in a previous iteration of the CIS benchmark hardening
@@ -30,6 +36,7 @@
       with_items:
         - "{{ kayobe_ansible_user }}"
         - "{{ kolla_ansible_user }}"
+      when: item in ansible_facts.getent_passwd
 
 - name: Security hardening
   hosts: cis-hardening
diff --git a/releasenotes/notes/cis-overcloud-non-kolla-hosts-62a00002451e9f4d.yaml b/releasenotes/notes/cis-overcloud-non-kolla-hosts-62a00002451e9f4d.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    CIS hardening playbook skips service accounts that do not exist on the host
+    (e.g. kolla on non-Kolla/Ceph-only nodes) to avoid errors.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +fixes:
 +  - |
 +    CIS hardening playbook skips service accounts that do not exist on the host
 +    (e.g. kolla on non-Kolla/Ceph-only nodes) to avoid errors.