From a712732bdf4466b9bf8645ebd32226c17a8863d8 Mon Sep 17 00:00:00 2001
From: Bartosz Bezak
Date: Fri, 28 Nov 2025 09:28:25 +0100
Subject: [PATCH] Fix CIS play skipping kolla user on non-Kolla hosts
Signed-off-by: Bartosz Bezak
---
 etc/kayobe/ansible/maintenance/cis.yml | 7 +++++++
 .../cis-overcloud-non-kolla-hosts-62a00002451e9f4d.yaml | 5 +++++
 2 files changed, 12 insertions(+)
 create mode 100644 releasenotes/notes/cis-overcloud-non-kolla-hosts-62a00002451e9f4d.yaml
diff --git a/etc/kayobe/ansible/maintenance/cis.yml b/etc/kayobe/ansible/maintenance/cis.yml
index e73666755..aa98b67c6 100644
--- a/etc/kayobe/ansible/maintenance/cis.yml
+++ b/etc/kayobe/ansible/maintenance/cis.yml
@@ -20,6 +20,12 @@
 state: present
 when: ansible_facts.distribution == 'Ubuntu'
 
+ - name: Gather passwd entries
+ ansible.builtin.getent:
+ database: passwd
+ become: true
+ changed_when: false
+
 - name: Ensure service accounts have no expiry options set
 # This is to workaround an issue where we set the expiry to 365 days on kayobe
 # service accounts in a previous iteration of the CIS benchmark hardening
@@ -30,6 +36,7 @@
 with_items:
 - "{{ kayobe_ansible_user }}"
 - "{{ kolla_ansible_user }}"
+ when: item in ansible_facts.getent_passwd
 
 - name: Security hardening
 hosts: cis-hardening
diff --git a/releasenotes/notes/cis-overcloud-non-kolla-hosts-62a00002451e9f4d.yaml b/releasenotes/notes/cis-overcloud-non-kolla-hosts-62a00002451e9f4d.yaml
new file mode 100644
index 000000000..339fe93fd
--- /dev/null
+++ b/releasenotes/notes/cis-overcloud-non-kolla-hosts-62a00002451e9f4d.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ CIS hardening playbook skips service accounts that do not exist on the host
+ (e.g. kolla on non-Kolla/Ceph-only nodes) to avoid errors.
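Review bot: The new `Gather passwd entries` task escalates with `become: true` for a read-only NSS lookup that normally needs no privilege, and nothing in the task says why the passwd database is being collected. Unless the hosts' NSS configuration requires root for `getent passwd` (not visible in this patch), dropping `become: true` keeps the lookup at least privilege. I would also add above the task `# Collected so the expiry task below can skip service accounts that do not exist on this host (e.g. kolla on non-Kolla/Ceph-only nodes).` The enclosing play starts outside the hunk, and the fact this task produces is consumed in the second hunk of this file.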
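Review bot: The added `when: item in ansible_facts.getent_passwd` guard gives no in-file hint of what it depends on, so a reader of this task alone cannot tell that the fact is produced by the `Gather passwd entries` task earlier in the same play; if that task is later moved, tagged separately or made conditional, the guard would likely fail on an undefined attribute rather than skip. A comment above the `when` line, `# Skip accounts absent on this host; relies on the getent_passwd fact gathered earlier in this play`, makes the dependency explicit. The task body that applies the expiry change sits outside the hunk. Items the guard rejects are reported by Ansible as skipping, so the omission remains visible in the run output.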