bug: When using CIS hardening, the task of copying the sysctl config fails under certain conditions
Summary
When enabling CIS with "cis-1.23" (which is deprecated btw, it is "cis" now), it fails when copying the sysctl values in "- name: Copy systemctl config file for kernel hardening". My download is not in /usr/local/share, but in /opt/rke2/share/rke2/rke2-cis-sysctl.conf. This is because of the following:
# - INSTALL_RKE2_TAR_PREFIX
# Installation prefix when using the tar installation method.
# Default is /usr/local, unless /usr/local is read-only or has a dedicated mount point,
# in which case /opt/rke2 is used instead.
Tested on SLES 15.5
Issue Type
Bug Report
Ansible Version
ansible [core 2.16.2]
config file = None
configured module search path = ['/Users/wvanderstek/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /opt/homebrew/Cellar/ansible/9.1.0/libexec/lib/python3.12/site-packages/ansible
ansible collection location = /Users/wvanderstek/.ansible/collections:/usr/share/ansible/collections
executable location = /opt/homebrew/bin/ansible
python version = 3.12.1 (main, Dec 7 2023, 20:45:44) [Clang 15.0.0 (clang-1500.1.0.2.5)] (/opt/homebrew/Cellar/ansible/9.1.0/libexec/bin/python)
jinja version = 3.1.3
libyaml = True
Steps to Reproduce
rke2_cis_profile: "cis-1.23"
on a machine with the following conditions:
# - INSTALL_RKE2_TAR_PREFIX
# Installation prefix when using the tar installation method.
# Default is /usr/local, unless /usr/local is read-only or has a dedicated mount point,
# in which case /opt/rke2 is used instead.
Expected Results
Looks in both directories for the file
Actual Results
Unable to find /usr/local/share/rke2/rke2-cis-sysctl.conf
Facing the same issue, should be fixed when the following PR is approved: https://github.com/lablabs/ansible-role-rke2/pull/206
Just tested, looks like it is resolved. Thanks @jLemmings!
Unfortunately, it is still failing.
module.create_vms.null_resource.execute_ansible_create_playbooks[0] (local-exec): fatal: [testproxmox-m1]: FAILED! => {"changed": false, "msg": "Source /usr/local/share/rke2/rke2-cis-sysctl.conf not found"}
This happens because the test checks whether usr_local.stat.writeable = True, instead of testing that /usr/local is read-only or has a dedicated mount point. In my case it is a dedicated mount point (default with Suse Linux).
@Evantage-WS looking into it and will come up with a new PR.
@Evantage-WS does it work for you after the last PR? Working great for me on multiple RHEL9 hosts which are CIS hardened.
Hi @jLemmings,
Sorry, but no. It is still failing, I entered some feedback in the merge, see https://github.com/lablabs/ansible-role-rke2/pull/213#issuecomment-2118442466
Thanks!
@Evantage-WS what OS are you running? I was not aware of the mountpoint binary which makes it a bit nicer. What is the output of grep '/usr/local ' /proc/mounts on your node?
Hi @jLemmings, I am running openSUSE 15.6 and Suse Linux Enterprise Server (SLES) 15.5
Output is (with and without space in the path):
k3s-clusterx-m1:~ # grep '/usr/local ' /proc/mounts
k3s-clusterx-m1:~ #
k3s-clusterx-m1:~ # grep '/usr/local' /proc/mounts
k3s-clusterx-m1:~ #
The space is there on purpose to not match appended '/'. What are the return codes of both commands?
k3s-clusterx-m1:~ # grep '/usr/local ' /proc/mounts
k3s-clusterx-m1:~ # echo $?
1
Oh the condition should be an "or" and not an "and" statement: https://github.com/lablabs/ansible-role-rke2/blob/main/tasks/cis.yml#L23
Am I right assuming you do not have a separate /usr/local partition, but it is read-only?
@jLemmings yes, correct
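The prefix rule quoted from the installer comment above (/usr/local by default, /opt/rke2 when /usr/local is read-only or is its own mount point) and the "or, not and" point from the last exchange, written out as a small POSIX sh check. This is an added example, not code from the ansible-role-rke2 role or from the RKE2 installer; the function names (is_dedicated_mount, rke2_tar_prefix, cis_sysctl_path, detect_rke2_tar_prefix_here) and the sample /proc/mounts contents are constructed here. The mounts file and the writability flag are parameters so the logic can be exercised against the two layouts discussed in the thread (a plain /usr/local directory as on RHEL, a dedicated /usr/local subvolume as on SUSE) without touching the host.

```shell
#!/bin/sh
# Added example (not from ansible-role-rke2 or RKE2): pick the RKE2 tar install
# prefix the way the installer comment on this page describes it:
#   /usr/local by default, /opt/rke2 if /usr/local is read-only OR a dedicated mount point.

# is_dedicated_mount MOUNTS_FILE
# Succeeds if /usr/local is listed as a mount point in MOUNTS_FILE, which has the
# /proc/mounts layout: "device mountpoint fstype options dump pass".
# The space on both sides of the path is deliberate (as in the thread): it avoids
# matching a device named /usr/local-something or a nested mount like /usr/local/games.
is_dedicated_mount() {
    grep -q ' /usr/local ' "$1"
}

# rke2_tar_prefix MOUNTS_FILE WRITABLE
# WRITABLE is "yes" or "no" (the result of [ -w /usr/local ] on a real host).
# The two conditions are OR-ed: either one on its own selects /opt/rke2.
rke2_tar_prefix() {
    mounts_file=$1
    writable=$2
    if [ "$writable" = "no" ] || is_dedicated_mount "$mounts_file"; then
        echo /opt/rke2
    else
        echo /usr/local
    fi
}

# cis_sysctl_path MOUNTS_FILE WRITABLE
# Where the CIS sysctl file ends up under the chosen prefix (the file the role copies).
cis_sysctl_path() {
    echo "$(rke2_tar_prefix "$1" "$2")/share/rke2/rke2-cis-sysctl.conf"
}

# detect_rke2_tar_prefix_here
# Same decision against the live host: real /proc/mounts and a real writability test.
detect_rke2_tar_prefix_here() {
    if [ -w /usr/local ]; then w=yes; else w=no; fi
    rke2_tar_prefix /proc/mounts "$w"
}

# Constructed sample data (not captured from any real host).
# Layout 1: /usr/local is just a directory on the root filesystem.
MOUNTS_PLAIN=$(mktemp)
cat > "$MOUNTS_PLAIN" <<'EOF'
/dev/vda2 / xfs rw,relatime 0 0
/dev/vda1 /boot xfs rw,relatime 0 0
EOF

# Layout 2: /usr/local is its own btrfs subvolume, plus a nested mount that the
# trailing-space pattern must NOT treat as /usr/local itself.
MOUNTS_SUSE=$(mktemp)
cat > "$MOUNTS_SUSE" <<'EOF'
/dev/vda2 / btrfs rw,relatime,subvol=/@/.snapshots/1/snapshot 0 0
/dev/vda2 /usr/local btrfs rw,relatime,subvol=/@/usr/local 0 0
/dev/vda2 /usr/local/games btrfs rw,relatime,subvol=/@/usr/local/games 0 0
EOF
trap 'rm -f "$MOUNTS_PLAIN" "$MOUNTS_SUSE"' EXIT

# Stand-alone run: show the decision for both constructed layouts.
echo "plain, writable:   $(rke2_tar_prefix "$MOUNTS_PLAIN" yes)"
echo "plain, read-only:  $(rke2_tar_prefix "$MOUNTS_PLAIN" no)"
echo "suse, writable:    $(rke2_tar_prefix "$MOUNTS_SUSE" yes)"
echo "suse sysctl file:  $(cis_sysctl_path "$MOUNTS_SUSE" yes)"
```

The SUSE layout is the case from the thread: /usr/local is writable, so a writability-only test (or an AND of the two conditions) picks /usr/local and the copy task then looks for a file that is under /opt/rke2. With the OR, the dedicated mount alone is enough to select /opt/rke2.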