Merge branch 'stackhpc/2025.1' into filebeat_fix

g0rgamesh · web-flow · commit 8ad7a45ad430 · 2025-12-02T10:42:13.000+01:00
diff --git a/doc/source/operations/bifrost-hardware-inventory-management.rst b/doc/source/operations/bifrost-hardware-inventory-management.rst
@@ -239,6 +239,7 @@ The ADVise tool assumes that hardware introspection data has already been gather
 The ``extra-hardware`` disk builder element enabled when building the IPA image for the required data to be available.
 
 To build ipa image with extra-hardware  you need to edit ``ipa.yml`` and add this:
+
 .. code-block:: console
 
    # Whether to build IPA images from source.
diff --git a/doc/source/operations/gpu-in-openstack.rst b/doc/source/operations/gpu-in-openstack.rst
@@ -65,12 +65,13 @@ configuration or trigger the playbook manually:
 
     kayobe overcloud host configure --limit compute_a100,compute_v100,compute_multi_gpu
     # OR
-    kayobe playbook run --playbook $KAYOBE_CONFIG_PATH/ansible/maintenance/pci-passthrough.yml --limit compute_a100,compute_v100,compute_multi_gpu
+    kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/maintenance/pci-passthrough.yml --limit compute_a100,compute_v100,compute_multi_gpu
 
 The playbook will apply the necessary configuraion and reboot the hosts if
 required.
 
 Once host configuration is complete, deploy Nova:
+
 .. code-block:: console
 
     kayobe overcloud service deploy -kt nova
diff --git a/etc/kayobe/ansible/maintenance/cis.yml b/etc/kayobe/ansible/maintenance/cis.yml
@@ -20,16 +20,26 @@
         state: present
       when: ansible_facts.distribution == 'Ubuntu'
 
+    - name: Gather passwd entries
+      ansible.builtin.getent:
+        database: passwd
+      become: true
+
     - name: Ensure service accounts have no expiry options set
       # This is to workaround an issue where we set the expiry to 365 days on kayobe
       # service accounts in a previous iteration of the CIS benchmark hardening
       # defaults. This should restore the defaults and can eventually be removed.
-      ansible.builtin.command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
+      ansible.builtin.user:
+        name: "{{ item }}"
+        password_expire_min: 0
+        password_expire_max: 99999
+        password_expire_warn: 7
+        expires: -1
       become: true
-      changed_when: false
-      with_items:
+      loop:
         - "{{ kayobe_ansible_user }}"
         - "{{ kolla_ansible_user }}"
+      when: item in ansible_facts.getent_passwd
 
 - name: Security hardening
   hosts: cis-hardening
diff --git a/releasenotes/notes/cis-overcloud-non-kolla-hosts-62a00002451e9f4d.yaml b/releasenotes/notes/cis-overcloud-non-kolla-hosts-62a00002451e9f4d.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    CIS hardening playbook skips service accounts that do not exist on the host
+    (e.g. kolla on non-Kolla/Ceph-only nodes) to avoid errors.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +fixes:
 +  - |
 +    CIS hardening playbook skips service accounts that do not exist on the host
 +    (e.g. kolla on non-Kolla/Ceph-only nodes) to avoid errors.