Can't initialize AIDE during subsequent playbook runs

Bug #1616281 reported by Major Hayden
This bug affects 1 person
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Medium
Assigned to: Major Hayden
Milestone: (none listed)

Bug Description

AIDE isn't initialized by default because it can cause a lot of system load when it does its first check of a new system. If a deployer applies the security hardening role with ``initialize_aide`` set to False (the default), it won't be initialized. However, if they set it to True and re-run the playbook, AIDE is already configured and the handler to initialize AIDE won't execute.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-security (master)

Fix proposed to branch: master
Review: https://review.openstack.org/359554

Changed in openstack-ansible:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-security (master)

Reviewed: https://review.openstack.org/359554
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=578ce32998d889cf3ea63260fc3ca2f99e8ea91d
Submitter: Jenkins
Branch: master

commit 578ce32998d889cf3ea63260fc3ca2f99e8ea91d
Author: Major Hayden <email address hidden>
Date: Tue Aug 23 22:12:31 2016 -0500

    Ensure AIDE initializes on subsequent runs

    If a deployer installs AIDE the first time they apply the role
    without initializing AIDE and they want to initialize it later,
    the handler that does the initialization never fires.

    This patch does a few things:

      - Ensures AIDE initialization if the initialize_aide bool is True
      - Doesn't initialize the AIDE db if it already exists
      - Moves the new db into place on Red Hat systems
      - Moves the AIDE tasks into its own file with tags
      - Prevents AIDE from trawling through /var

    Closes-bug: 1616281

    Change-Id: I85d65738fde064b06b1147c529b22c3f44a33e94
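
The handler-versus-task distinction behind this fix, as an added Ansible example (not the role's actual tasks from the commit): a handler runs only when its notifying task reports a change, while the task form below is gated on the `initialize_aide` bool and on whether a database already exists. The file paths are the Red Hat AIDE defaults, and `aide_db`, the template name and the handler name are hypothetical; all of these are assumptions.

```yaml
# BEFORE (constructed illustration of the bug): initialization lives in a handler.
# Once aide.conf is in place, later runs report "ok" rather than "changed",
# so the handler is never notified even after initialize_aide is set to True.
#
#   - name: Configure AIDE
#     template:
#       src: aide.conf.j2            # hypothetical template name
#       dest: /etc/aide.conf         # assumed Red Hat default path
#     notify: initialize aide        # hypothetical handler name

# AFTER: ordinary tasks, evaluated on every run and safe to repeat.
- name: Check whether an AIDE database already exists
  stat:
    path: /var/lib/aide/aide.db.gz   # assumed Red Hat default database path
  register: aide_db                  # hypothetical variable name
  tags: [aide]

- name: Initialize AIDE (expensive first scan, only on request)
  command: aide --init
  args:
    # Skip if a previous run already produced the new database.
    creates: /var/lib/aide/aide.db.new.gz
  when:
    - initialize_aide | bool
    - not aide_db.stat.exists        # never rebuild an existing baseline
  tags: [aide]

- name: Move the new AIDE database into place on Red Hat systems
  command: mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  args:
    # Skip if the active database is already present.
    creates: /var/lib/aide/aide.db.gz
  when:
    - initialize_aide | bool
    - ansible_os_family == 'RedHat'
  tags: [aide]
```

Skipping initialization when a database exists also keeps a re-run from silently replacing the integrity baseline with the current, possibly modified, state of the host.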

Changed in openstack-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-security (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/361239

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-security (liberty)

Fix proposed to branch: liberty
Review: https://review.openstack.org/361242

OpenStack Infra (hudson-openstack) wrote : Change abandoned on openstack-ansible-security (liberty)

Change abandoned by Major Hayden (<email address hidden>) on branch: liberty
Review: https://review.openstack.org/361242
Reason: Need to adjust this backport in Mitaka a bit.

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-security (stable/mitaka)

Reviewed: https://review.openstack.org/361239
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=c16d11786a2a95fc5079ae35e0222bf5d49bb3a3
Submitter: Jenkins
Branch: stable/mitaka

commit c16d11786a2a95fc5079ae35e0222bf5d49bb3a3
Author: Major Hayden <email address hidden>
Date: Mon Aug 29 11:11:09 2016 -0500

    Ensure AIDE initializes on subsequent runs

    If a deployer installs AIDE the first time they apply the role
    without initializing AIDE and they want to initialize it later,
    the handler that does the initialization never fires.

    This patch does a few things:

      - Ensures AIDE initialization if the initialize_aide bool is True
      - Doesn't initialize the AIDE db if it already exists
      - Moves the new db into place on Red Hat systems
      - Moves the AIDE tasks into its own file with tags
      - Prevents AIDE from trawling through /var

    Manual backport of two reviews:
      * https://review.openstack.org/#/c/359554/
      * https://review.openstack.org/#/c/361460/

    Closes-bug: 1616281
    Depends-on: I60aa62ff688d32c14031773d35af29b3cf6b6fd6
    Change-Id: I170eb3898b4336333b1fbe663ec4f069823898e0

tags: added: in-stable-mitaka
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-security (liberty)

Fix proposed to branch: liberty
Review: https://review.openstack.org/362828

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible-security 14.0.0.0b3

This issue was fixed in the openstack/openstack-ansible-security 14.0.0.0b3 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-security (liberty)

Reviewed: https://review.openstack.org/362828
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=6c9eb50fd64cb791a73ef778315f9a52b8c434c8
Submitter: Jenkins
Branch: liberty

commit 6c9eb50fd64cb791a73ef778315f9a52b8c434c8
Author: Major Hayden <email address hidden>
Date: Mon Aug 29 11:11:09 2016 -0500

    Ensure AIDE initializes on subsequent runs

    If a deployer installs AIDE the first time they apply the role
    without initializing AIDE and they want to initialize it later,
    the handler that does the initialization never fires.

    This patch does a few things:

      - Ensures AIDE initialization if the initialize_aide bool is True
      - Doesn't initialize the AIDE db if it already exists
      - Moves the new db into place on Red Hat systems
      - Moves the AIDE tasks into its own file with tags
      - Prevents AIDE from trawling through /var

    Manual backport of two reviews:
      * https://review.openstack.org/#/c/359554/
      * https://review.openstack.org/#/c/361460/

    Closes-Bug: 1616281
    Backport-of: I170eb3898b4336333b1fbe663ec4f069823898e0
    Change-Id: Iaedcce1d6416f2224f44376336c23702e6152a00

tags: added: in-liberty
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-security 13.3.4

This issue was fixed in the openstack/openstack-ansible-security 13.3.4 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-security 12.2.4

This issue was fixed in the openstack/openstack-ansible-security 12.2.4 release.
