bug: When using CIS hardening, the task of copying the systcl config fails under certain conditions

[Evantage-WS]

Summary

When enabling cis, with "cis-1.23", which is deprecated btw, it is "cis" now, it fails when copying the sysctl values in - name: Copy systemctl config file for kernel hardening. My download is not in /usr/local/share, but in /opt/rke2/share/rke2/rke2-cis-sysctl.conf. This because of the following:

#   - INSTALL_RKE2_TAR_PREFIX
#     Installation prefix when using the tar installation method.
#     Default is /usr/local, unless /usr/local is read-only or has a dedicated mount point,
#     in which case /opt/rke2 is used instead.

Tested on SLES 15.5

Issue Type

Bug Report

Ansible Version

ansible [core 2.16.2]
  config file = None
  configured module search path = ['/Users/wvanderstek/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible/9.1.0/libexec/lib/python3.12/site-packages/ansible
  ansible collection location = /Users/wvanderstek/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.12.1 (main, Dec  7 2023, 20:45:44) [Clang 15.0.0 (clang-1500.1.0.2.5)] (/opt/homebrew/Cellar/ansible/9.1.0/libexec/bin/python)
  jinja version = 3.1.3
  libyaml = True

Steps to Reproduce

 rke2_cis_profile: "cis-1.23"

on a machine with the following conditions:

#   - INSTALL_RKE2_TAR_PREFIX
#     Installation prefix when using the tar installation method.
#     Default is /usr/local, unless /usr/local is read-only or has a dedicated mount point,
#     in which case /opt/rke2 is used instead.

Expected Results

Looks in both directories for the file

Actual Results

Unable to find /usr/local/share/rke2/rke2-cis-sysctl.conf

[jLemmings]

Facing the same issue, should be fixxed when following PR is approved: #206

[Evantage-WS]

Just tested, looks like it is resolved. Thanks @jLemmings!

[Evantage-WS]

Unfortunally, it is still failing.

module.create_vms.null_resource.execute_ansible_create_playbooks[0] (local-exec): fatal: [testproxmox-m1]: FAILED! => {"changed": false, "msg": "Source /usr/local/share/rke2/rke2-cis-sysctl.conf not found"}

This happens because the test is done if usr_local.stat.writeable = True, instead of testing that /usr/local is read-only or has a dedicated mount point. In my case it is a dedicated mountpoint (default with Suse Linux)

[jLemmings]

@Evantage-WS looking into it and will come up with a new PR.

[jLemmings]

@Evantage-WS does it work for you after the last PR? Working great for me on multiple RHEL9 hosts which are CIS hardened.

[Evantage-WS]

Hi @jLemmings,

Sorry, but no. It is still failing, I entered some feedback in the merge, see #213 (comment)

Thanks!

[jLemmings]

@Evantage-WS what OS are you running? I was not aware of the mountpoint binary which makes it a bit nicer. What is the output of grep '/usr/local ' /proc/mounts on your node?

[Evantage-WS]

Hi @jLemmings, I am running openSUSE 15.6 and Suse Linux Enterprise Server (SLES) 15.5

output is (with and without space in path

k3s-clusterx-m1:~ # grep '/usr/local ' /proc/mounts
k3s-clusterx-m1:~ # 

k3s-clusterx-m1:~ # grep '/usr/local' /proc/mounts
k3s-clusterx-m1:~ # 

[jLemmings]

The space is there on purpose to not match appended '/'. What are the return codes of both commands?

[Evantage-WS]

k3s-clusterx-m1:~ # grep '/usr/local ' /proc/mounts
k3s-clusterx-m1:~ # echo $?
1

[jLemmings]

Oh the condition should be an "or" and not an "and" statement: https://github.com/lablabs/ansible-role-rke2/blob/main/tasks/cis.yml#L23

Am i right assuming you do not have a separate /usr/local partition but the it is read only?

[Evantage-WS]

@jLemmings yes, correct