Skip to content

Fix CIS play skipping kolla user on non-Kolla hosts #2011

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Dec 1, 2025
Merged

Fix CIS play skipping kolla user on non-Kolla hosts #2011

merged 2 commits into from
Dec 1, 2025
+18 −3

Conversation

@bbezak
Copy link
Member

@bbezak bbezak commented Nov 28, 2025

For example non-hyperconverged Ceph nodes are not member of kolla inventory, at it fails there:

PRE PATCH:

TASK [Ensure service accounts have no expiry options set] *********************************************************************************************************************************
Thursday 27 November 2025  13:00:42 +0000 (0:00:00.075)       0:00:12.333 *****
ok: [ctrl-02] => (item=stack)
ok: [ctrl-03] => (item=stack)
ok: [ctrl-01] => (item=stack)
ok: [ceph-03] => (item=stack)
ok: [ceph-02] => (item=stack)
ok: [ceph-04] => (item=stack)
ok: [ceph-01] => (item=stack)
ok: [ctrl-02] => (item=kolla)
ok: [ctrl-03] => (item=kolla)
ok: [ctrl-01] => (item=kolla)
failed: [ceph-03] (item=kolla) =>
    ansible_loop_var: item
    changed: false
    cmd:
    - chage
    - -m
    - '0'
    - -M
    - '99999'
    - -W
    - '7'
    - -I
    - '-1'
    - kolla
    delta: '0:00:00.007108'
    end: '2025-11-27 14:00:42.557068'
    item: kolla
    msg: non-zero return code
    rc: 1
    start: '2025-11-27 14:00:42.549960'
    stderr: 'chage: user ''kolla'' does not exist in /etc/passwd'
    stderr_lines: <omitted>
    stdout: ''
    stdout_lines: <omitted>


POST PATCH:

TASK [Ensure service accounts have no expiry options set] *********************************************************************************************************************************
Thursday 27 November 2025  20:31:47 +0100 (0:00:00.074)       0:00:01.471 *****
ok: [ctrl-01] => (item=stack)
ok: [ctrl-02] => (item=stack)
ok: [ctrl-03] => (item=stack)
ok: [os-seed] => (item=stack)
ok: [ceph-04] => (item=stack)
ok: [ceph-01] => (item=stack)
ok: [ceph-02] => (item=stack)
ok: [ceph-03] => (item=stack)
skipping: [ceph-04] => (item=kolla)
skipping: [ceph-01] => (item=kolla)
skipping: [ceph-02] => (item=kolla)
skipping: [ceph-03] => (item=kolla)
ok: [ctrl-01] => (item=kolla)
ok: [ctrl-02] => (item=kolla)
ok: [ctrl-03] => (item=kolla)
ok: [os-seed] => (item=kolla)

inspired by https://github.com/openstack/kayobe/blob/645a3074063f9df8c958c2b241d62b3fa4aef9ea/ansible/kolla-ansible-user.yml#L19

@bbezak bbezak requested a review from a team as a code owner November 28, 2025 08:38
gemini-code-assist[bot]
gemini-code-assist bot reviewed Nov 28, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request fixes an issue where the CIS hardening playbook would fail on hosts that are not part of the Kolla inventory, because it tried to modify the kolla user which does not exist on those hosts. The fix introduces a condition to skip the task for the kolla user on such hosts.

The approach taken is to build a list of hosts in the Kolla inventory and check against it. While this works, I've suggested a more robust and idiomatic Ansible approach using the getent module to check for user existence directly on the target host. This simplifies the code and removes a dependency on inventory structure variables.

@bbezak
Fix CIS play skipping kolla user on non-Kolla hosts
a712732 
Signed-off-by: Bartosz Bezak <bartosz@stackhpc.com>
@bbezak bbezak force-pushed the cis-overcloud-non-kolla-hosts branch from 3f9c6f7 to a712732 Compare December 1, 2025 09:42
@bbezak
Copy link
Member Author

bbezak commented Dec 1, 2025

/gemini review

gemini-code-assist[bot]
gemini-code-assist bot reviewed Dec 1, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request correctly fixes an issue where the CIS hardening playbook would fail on hosts where the kolla user does not exist. The approach of using ansible.builtin.getent to gather user information and then conditionally running the chage command is clean and idiomatic for Ansible. The changes are logical and well-implemented. I have one suggestion to improve future maintainability.

@bbezak bbezak force-pushed the cis-overcloud-non-kolla-hosts branch from 5255c8f to 06047d1 Compare December 1, 2025 10:03
@bbezak bbezak force-pushed the cis-overcloud-non-kolla-hosts branch from 06047d1 to 6c33726 Compare December 1, 2025 10:06
@bbezak bbezak merged commit c6c8c78 into stackhpc/2025.1 Dec 1, 2025
21 of 22 checks passed
@bbezak bbezak deleted the cis-overcloud-non-kolla-hosts branch December 1, 2025 10:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mnasiadka mnasiadka mnasiadka approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bbezak @mnasiadka