Fix CIS play skipping kolla user on non-Kolla hosts (#2011)

bbezak · web-flow · commit c6c8c78c574d · 2025-12-01T11:13:11.000+01:00
Signed-off-by: Bartosz Bezak &lt;bartosz@stackhpc.com&gt;
diff --git a/etc/kayobe/ansible/maintenance/cis.yml b/etc/kayobe/ansible/maintenance/cis.yml
@@ -20,16 +20,26 @@
         state: present
       when: ansible_facts.distribution == 'Ubuntu'
 
+    - name: Gather passwd entries
+      ansible.builtin.getent:
+        database: passwd
+      become: true
+
     - name: Ensure service accounts have no expiry options set
       # This is to workaround an issue where we set the expiry to 365 days on kayobe
       # service accounts in a previous iteration of the CIS benchmark hardening
       # defaults. This should restore the defaults and can eventually be removed.
-      ansible.builtin.command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
+      ansible.builtin.user:
+        name: "{{ item }}"
+        password_expire_min: 0
+        password_expire_max: 99999
+        password_expire_warn: 7
+        expires: -1
       become: true
-      changed_when: false
-      with_items:
+      loop:
         - "{{ kayobe_ansible_user }}"
         - "{{ kolla_ansible_user }}"
+      when: item in ansible_facts.getent_passwd
 
 - name: Security hardening
   hosts: cis-hardening
diff --git a/releasenotes/notes/cis-overcloud-non-kolla-hosts-62a00002451e9f4d.yaml b/releasenotes/notes/cis-overcloud-non-kolla-hosts-62a00002451e9f4d.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    CIS hardening playbook skips service accounts that do not exist on the host
+    (e.g. kolla on non-Kolla/Ceph-only nodes) to avoid errors.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +fixes:
 +  - |
 +    CIS hardening playbook skips service accounts that do not exist on the host
 +    (e.g. kolla on non-Kolla/Ceph-only nodes) to avoid errors.