ovn-central charm does not support cis_level2 hardened machines

Bug #2067270 reported by Muhammad Ahmad
Affects            Status  Importance  Assigned to  Milestone
charm-ovn-central  New     Undecided   Unassigned
memcached-charm    New     Undecided   Unassigned

Bug Description

The ovn-central and memcached charms fail on the install hook on cis_level2 hardened machines:

#################### Juju/Machine Logs #######################
$ juju status ovn-central -m openstack
...

Unit Workload Agent Machine Public address Ports Message
ovn-central/0 error idle 4/lxd/3 10.128.169.116 hook failed: "install"
ovn-central/1* error idle 6/lxd/3 10.128.169.78 hook failed: "install"
ovn-central/2 error idle 8/lxd/3 10.128.169.111 hook failed: "install"

$ vi /var/log/juju/unit-ovn-central-2.log

FileNotFoundError: [Errno 2] No such file or directory: 'ufw'

2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 Traceback (most recent call last):
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 File "/var/lib/juju/agents/unit-ovn-central-2/charm/hooks/install", line 22, in <module>
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 main()
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 File "/var/lib/juju/agents/unit-ovn-central-2/.venv/lib/python3.10/site-packages/charms/reactive/__init__.py", line 74, in main
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 bus.dispatch(restricted=restricted_mode)
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 File "/var/lib/juju/agents/unit-ovn-central-2/.venv/lib/python3.10/site-packages/charms/reactive/bus.py", line 390, in dispatch
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 _invoke(other_handlers)
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 File "/var/lib/juju/agents/unit-ovn-central-2/.venv/lib/python3.10/site-packages/charms/reactive/bus.py", line 359, in _invoke
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 handler.invoke()
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 File "/var/lib/juju/agents/unit-ovn-central-2/.venv/lib/python3.10/site-packages/charms/reactive/bus.py", line 181, in invoke
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 self._action(*args)
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 File "/var/lib/juju/agents/unit-ovn-central-2/charm/reactive/ovn_central_handlers.py", line 77, in initialize_firewall
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 ovn_charm.initialize_firewall()
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 File "/var/lib/juju/agents/unit-ovn-central-2/charm/lib/charm/openstack/ovn_central.py", line 740, in initialize_firewall
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 ch_ufw.enable()
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 File "/var/lib/juju/agents/unit-ovn-central-2/.venv/lib/python3.10/site-packages/charmhelpers/contrib/network/ufw.py", line 131, in enable
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 if is_enabled():
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 File "/var/lib/juju/agents/unit-ovn-central-2/.venv/lib/python3.10/site-packages/charmhelpers/contrib/network/ufw.py", line 62, in is_enabled
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 output = subprocess.check_output(['ufw', 'status'],
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 File "/usr/lib/python3.10/subprocess.py", line 421, in check_output
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 File "/usr/lib/python3.10/subprocess.py", line 503, in run
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 with Popen(*popenargs, **kwargs) as process:
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 File "/usr/lib/python3.10/subprocess.py", line 971, in __init__
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 self._execute_child(args, executable, preexec_fn, close_fds,
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 File "/usr/lib/python3.10/subprocess.py", line 1863, in _execute_child
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 raise child_exception_type(errno_num, err_msg, err_filename)
2024-05-24 13:22:43 WARNING unit.ovn-central/2.install logger.go:60 FileNotFoundError: [Errno 2] No such file or directory: 'ufw'
2024-05-24 13:22:43 ERROR juju.worker.uniter.operation runhook.go:180 hook "install" (via explicit, bespoke hook script) failed: exit status 1

# Memcached is failing due to same reason
$ juju debug-log --include memcached -m openstack
...
unit-memcached-2: 11:13:44 WARNING unit.memcached/2.install FileNotFoundError: [Errno 2] No such file or directory: 'ufw'
unit-memcached-2: 11:13:44 ERROR juju.worker.uniter.operation hook "install" (via explicit, bespoke hook script) failed: exit status 1
unit-memcached-2: 11:13:44 INFO juju.worker.uniter awaiting error resolution for "install" hook

#################### Reason for install hook Failure #######################

Machines have no ufw package because of the following CIS rule in the level2 hardening profile:

<!--3.5.2.2 Ensure ufw is uninstalled or disabled with nftables (Automated)-->
    <select idref="xccdf_org.ssgproject.content_rule_package_ufw_removed" selected="true"/>

$ sudo vi /var/log/apt/history.log
...
Start-Date: 2024-05-24 13:09:06
Commandline: apt-get remove -y ufw
Remove: ufw:amd64 (0.36.1-4ubuntu0.1)
End-Date: 2024-05-24 13:09:07

This is a critical bug as it is not trivial to provide a workaround!
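The traceback above ends in charmhelpers' `is_enabled()` running `ufw status` without first checking that the binary exists. The following is an added example (not code from charm-ovn-central, memcached-charm or charmhelpers) of how a charm could guard that call and report a blocked status instead of failing the install hook; the `which`/`run` parameters and the `firewall_precheck` name are assumptions made for illustration and testing.

```python
import shutil
import subprocess
from typing import Callable, Optional, Tuple

# Hypothetical guard around the two calls seen in the traceback
# (charmhelpers ufw.is_enabled -> subprocess.check_output(['ufw', 'status'])).
# `which` and `run` are injectable so the logic can be exercised on a host
# where ufw has been removed, exactly the CIS level 2 situation reported here.


def parse_ufw_status(output: str) -> bool:
    """True if 'ufw status' output reports 'Status: active'."""
    for line in output.splitlines():
        if line.startswith("Status:"):
            return line.split(":", 1)[1].strip().lower() == "active"
    raise ValueError("no 'Status:' line in ufw output")


def _run_ufw_status() -> str:
    # Same invocation as charmhelpers, only reached once the binary is known to exist.
    return subprocess.check_output(["ufw", "status"], universal_newlines=True)


def is_enabled(which: Callable[[str], Optional[str]] = shutil.which,
               run: Callable[[], str] = _run_ufw_status) -> Optional[bool]:
    """Like charmhelpers' is_enabled(), but returns None when the ufw
    binary is missing instead of letting FileNotFoundError escape."""
    if which("ufw") is None:
        return None
    return parse_ufw_status(run())


def firewall_precheck(which: Callable[[str], Optional[str]] = shutil.which,
                      run: Callable[[], str] = _run_ufw_status) -> Tuple[str, str]:
    """Decide what the install hook should do before touching ufw.

    Returns (workload_status, message) in Juju terms: 'blocked' with an
    actionable message when ufw is absent (for example removed by the CIS
    level 2 rule package_ufw_removed), otherwise 'maintenance'.
    """
    enabled = is_enabled(which, run)
    if enabled is None:
        return ("blocked",
                "ufw binary not found; install the ufw package or relax the "
                "CIS level 2 rule package_ufw_removed")
    state = "already active" if enabled else "inactive, will be enabled"
    return ("maintenance", f"ufw {state}")
```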

Muhammad Ahmad (ahmadfsbd) wrote :

Using the following as a workaround for now:

juju exec -m openstack -a ovn-central -- sudo apt install ufw
juju exec -m openstack -a memcached -- sudo apt install ufw
juju resolved --all -m openstack
