Merge pull request #563 from sap-linuxlab/hotfix-cve-2023-5764
Hotfix CVE 2023 5764
berndfinger authored Dec 22, 2023
2 parents 5b92075 + fea8934 commit f41c5fe
Showing 8 changed files with 169 additions and 26 deletions.
49 changes: 29 additions & 20 deletions CHANGELOG.rst
@@ -5,33 +5,42 @@ community.sap_install Release Notes
.. contents:: Topics


v1.3.3
======

Release Summary
---------------

| Release Date: 2023-12-22
| collection: Make the preconfigure and sap_hana_install roles compatible with CVE-2023-5764
v1.3.2
======

Release Summary
---------------

| Release Date: 2023-09-29
sap_general_preconfigure: Update to latest SAP documentation for RHEL 9 package libxcrypt-compat
sap_general_preconfigure: Bug fix for directory creation and SELinux Labels
sap_ha_pacemaker_cluster: Bug fix for AWS EC2 Virtual Servers
sap_ha_pacemaker_cluster: Bug fix for Google Cloud Compute Engine VM netmask lock on Virtual IP
sap_ha_pacemaker_cluster: Feature add for improved SAP NetWeaver HA compatibility
sap_ha_pacemaker_cluster: Feature add for ENSA1 compatibility
sap_ha_pacemaker_cluster: Feature add for SAP HA Interface Cluster Connector after cluster init
sap_ha_pacemaker_cluster: Feature add for IBM PowerVM hypervisor
sap_ha_pacemaker_cluster: Feature add for multiple network interfaces with Virtual IP
sap_hana_install: Bug fix for SELinux disable when SLES4SAP
sap_install_media_detect: Feature add for NFS compatibility
sap_install_media_detect: Feature add for idempotency
sap_install_media_detect: Feature add for new file detection after code restructure
sap_install_media_detect: Bug fix for setting SAP Maintenance Planner Stack XML path
sap_storage_setup: Feature add for Multipathing detection
sap_storage_setup: Bug fix for NFS throttle from customer test on MS Azure
sap_storage_setup: Bug fix for packages on SLES and Google Cloud
sap_swpm: Bug fix for RDBMS var name
sap_swpm: Bug fix for SAP HANA Client hdbuserstore connection
sap_swpm: Bug fix for SAP Maintenance Planner Stack XML path
| sap_general_preconfigure: Update to latest SAP documentation for RHEL 9 package libxcrypt-compat
| sap_general_preconfigure: Bug fix for directory creation and SELinux Labels
| sap_ha_pacemaker_cluster: Bug fix for AWS EC2 Virtual Servers
| sap_ha_pacemaker_cluster: Bug fix for Google Cloud Compute Engine VM netmask lock on Virtual IP
| sap_ha_pacemaker_cluster: Feature add for improved SAP NetWeaver HA compatibility
| sap_ha_pacemaker_cluster: Feature add for ENSA1 compatibility
| sap_ha_pacemaker_cluster: Feature add for SAP HA Interface Cluster Connector after cluster init
| sap_ha_pacemaker_cluster: Feature add for IBM PowerVM hypervisor
| sap_ha_pacemaker_cluster: Feature add for multiple network interfaces with Virtual IP
| sap_hana_install: Bug fix for SELinux disable when SLES4SAP
| sap_install_media_detect: Feature add for NFS compatibility
| sap_install_media_detect: Feature add for idempotency
| sap_install_media_detect: Feature add for new file detection after code restructure
| sap_install_media_detect: Bug fix for setting SAP Maintenance Planner Stack XML path
| sap_storage_setup: Feature add for Multipathing detection
| sap_storage_setup: Bug fix for NFS throttle from customer test on MS Azure
| sap_storage_setup: Bug fix for packages on SLES and Google Cloud
| sap_swpm: Bug fix for RDBMS var name
| sap_swpm: Bug fix for SAP HANA Client hdbuserstore connection
| sap_swpm: Bug fix for SAP Maintenance Planner Stack XML path
v1.3.1
======
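Review bot: the new v1.3.3 summary line `| collection: Make the preconfigure and sap_hana_install roles compatible with CVE-2023-5764` reads as if the roles were made compatible with a vulnerability; what they are being made compatible with is the ansible-core releases that fix CVE-2023-5764 (2.16.1, 2.15.8 and 2.14.12, as the README hunk in this same commit lists), so say that. It should also name which modes were fixed, because the README text added here says the assert mode of the preconfigure roles still aborts on those ansible-core versions. Restoring the `| ` line-block prefix on the v1.3.2 entries is correct RST and now matches the other releases.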
21 changes: 21 additions & 0 deletions README.md
@@ -30,6 +30,27 @@ This Ansible Collection executes various SAP Software installations for differen
- Install Linux Pacemaker, configure Pacemaker Fencing Agents and Pacemaker Resource Agents
- Set HA/DR with distributed SAP System installations (i.e. ERS)

### Note

Starting with `ansible-core` versions 2.16.1, 2.15.8, and 2.14.12, templating operations inside the `that` statement of `assert` tasks
are no longer allowed.

A typical error message is:
```
fatal: [host01]: FAILED! =>
msg: 'The conditional check ''13 <= 128'' failed. The error was: Conditional is marked as unsafe, and cannot be evaluated.'
```

This version of the collection ensures the compatibility with the above mentioned versions of `ansible-core` for the following roles:
- sap_general_preconfigure
- sap_netweaver_preconfigure
- sap_hana_preconfigure
- sap_hana_install

When running the preconfigure roles with the above mentioned versions of `ansible-core` and with the parameters
`sap_general_preconfigure_assert`, `sap_netweaver_preconfigure_assert`, or `sap_hana_preconfigure_assert`, the roles will abort
in the first `assert` task which contains a templating operation.

## Contents

An Ansible Playbook can call either an Ansible Role, or the individual Ansible Modules:
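Review bot: the last paragraph of the Note contradicts the one before it unless it is read as a known limitation: first "This version of the collection ensures the compatibility" for the preconfigure roles, then "the roles will abort in the first `assert` task" when `sap_general_preconfigure_assert`, `sap_netweaver_preconfigure_assert` or `sap_hana_preconfigure_assert` is set. State plainly that only the configuring mode of the preconfigure roles has been fixed and that their assert mode is still not usable with ansible-core 2.16.1, 2.15.8 or 2.14.12, so users know to either skip assert mode or stay on an older ansible-core for it. The Note also gives only the symptom; it should give playbook authors the fix pattern the task hunks in this commit use, i.e. write the `that` value as a bare Jinja expression such as `that: (sap_hostname | length | int) <= (sap_general_preconfigure_max_hostname_length | int)` instead of `that: "{{ sap_hostname | length | int }} <= {{ sap_general_preconfigure_max_hostname_length | int }}"`. Finally, "no longer allowed" is slightly off: the task still runs, but a conditional whose text came out of a `{{ }}` expansion is marked unsafe and refused, which is exactly what the quoted error `Conditional is marked as unsafe, and cannot be evaluated` says.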
110 changes: 109 additions & 1 deletion changelogs/changelog.yaml
@@ -17,4 +17,112 @@ releases:
| Add SAP HANA Two-Node Scale-Up Cluster Installation
'
release_date: '2022-07-06'
release_date: '2022-06-30'
1.2.0:
changes:
release_summary: '| Release Date: 2022-12-20
| Consolidate sap_ha_install_pacemaker, sap_ha_prepare_pacemaker, and sap_ha_set_hana into new sap_ha_pacemaker_cluster role
| Use the ha_cluster Linux System Role and its enhanced features in the new role sap_ha_pacemaker_cluster
| Improve SID and instance checking in role sap_hana_install
| Enable modifying SELinux file labels for SAP directories
| Upgrade SAP SWPM handling for compatibility with more scenarios when generating inifile.params
| Add Ansible Role for basic Oracle DB installations for SAP
| Various minor enhancements
| Various fixes
'
release_date: '2022-12-20'
1.2.1:
changes:
release_summary: '| Release Date: 2023-01-26
| A few minor fixes
'
release_date: '2023-01-26'
1.2.2:
changes:
release_summary: '| Release Date: 2023-02-01
| Fix for sap_hana_preconfigure on SLES when tuned is not installed
'
release_date: '2023-02-01'
1.2.3:
changes:
release_summary: '| Release Date: 2023-04-25
| sap_hana_preconfigure: Some modifications for HANA on RHEL 9
| sap_ha_pacemaker_cluster: Compatibility for custom stonith resource definitions containing more than one element
| sap_hana_preconfigure: Be more flexible with IBM service and productivity tools
'
release_date: '2023-04-25'
1.3.0:
changes:
release_summary: '| Release Date: 2023-07-21
| sap_general_preconfigure: Updates for new IBM Power packages with RHEL
| sap_hana_preconfigure: Updates for new IBM Power packages with RHEL
| sap_hana_install: Default Log Mode to normal and not Overwrite
| sap_ha_pacemaker_cluster: Detection of and compatibility for additional Infrastructure Platforms
| sap_ha_pacemaker_cluster: SAP NetWeaver compatibility added
| sap_install_media_detect: Restructure and add execution controls
| sap_storage_setup: Overhaul/Rewrite with breaking changes
| sap_storage_setup: SAP NetWeaver and NFS compatibility added
| sap_swpm: Minor alterations from High Availability test scenarios
| collection: Sample Playbooks updated
'
release_date: '2023-07-21'
1.3.1:
changes:
release_summary: '| Release Date: 2023-08-14
| sap_ha_pacemaker_cluster: Improved AWS constructs based on feedback
| sap_ha_pacemaker_cluster: Improved no STONITH resource definition handling
| sap_hana_install: Bug fix for arg spec on deprecated vars
| sap_hostagent: Bug fix for media handling
| sap_install_media_detect: Improved handling based on feedback
| sap_storage_setup: Bug fix for existing storage devices
| sap_swpm: Make full log output optional and replace with sapcontrol log final status
| collection: Bug fix for sample Ansible Playbooks
'
release_date: '2023-08-14'
1.3.2:
changes:
release_summary: '| Release Date: 2023-09-29
| sap_general_preconfigure: Update to latest SAP documentation for RHEL 9 package libxcrypt-compat
| sap_general_preconfigure: Bug fix for directory creation and SELinux Labels
| sap_ha_pacemaker_cluster: Bug fix for AWS EC2 Virtual Servers
| sap_ha_pacemaker_cluster: Bug fix for Google Cloud Compute Engine VM netmask lock on Virtual IP
| sap_ha_pacemaker_cluster: Feature add for improved SAP NetWeaver HA compatibility
| sap_ha_pacemaker_cluster: Feature add for ENSA1 compatibility
| sap_ha_pacemaker_cluster: Feature add for SAP HA Interface Cluster Connector after cluster init
| sap_ha_pacemaker_cluster: Feature add for IBM PowerVM hypervisor
| sap_ha_pacemaker_cluster: Feature add for multiple network interfaces with Virtual IP
| sap_hana_install: Bug fix for SELinux disable when SLES4SAP
| sap_install_media_detect: Feature add for NFS compatibility
| sap_install_media_detect: Feature add for idempotency
| sap_install_media_detect: Feature add for new file detection after code restructure
| sap_install_media_detect: Bug fix for setting SAP Maintenance Planner Stack XML path
| sap_storage_setup: Feature add for Multipathing detection
| sap_storage_setup: Bug fix for NFS throttle from customer test on MS Azure
| sap_storage_setup: Bug fix for packages on SLES and Google Cloud
| sap_swpm: Bug fix for RDBMS var name
| sap_swpm: Bug fix for SAP HANA Client hdbuserstore connection
| sap_swpm: Bug fix for SAP Maintenance Planner Stack XML path
'
release_date: '2023-09-29'
1.3.3:
changes:
release_summary: '| Release Date: 2023-12-22
| collection: Make the preconfigure and sap_hana_install roles compatible with CVE-2023-5764
'
release_date: '2023-12-22'
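Review bot: the single deletion in this file changes the `release_date` of an already-published release from `'2022-07-06'` to `'2022-06-30'`, which has nothing to do with the CVE-2023-5764 hotfix and silently rewrites history in the generated changelog; either drop it from this PR or say in the commit message why the old date was wrong. The backfilled 1.2.0 through 1.3.2 entries are welcome, but the 1.3.3 entry carries the same wording problem as CHANGELOG.rst: "compatible with CVE-2023-5764" should be "compatible with the ansible-core releases that fix CVE-2023-5764", and since both files carry the same text, fix it here too so they do not drift.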
2 changes: 1 addition & 1 deletion galaxy.yml
@@ -10,7 +10,7 @@ namespace: community
name: sap_install

# The version of the collection. Must be compatible with semantic versioning
version: 1.3.2
version: 1.3.3

# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
readme: README.md
@@ -50,5 +50,5 @@

- name: "Ensure that the length of the hostname is not longer than 'sap_general_preconfigure_max_hostname_length'"
ansible.builtin.assert:
that: "{{ sap_hostname | length | int }} <= {{ sap_general_preconfigure_max_hostname_length | int }}"
that: (sap_hostname | length | int) <= (sap_general_preconfigure_max_hostname_length | int)
msg: "The length of the hostname is {{ sap_hostname | length | int }} but must be less or equal to {{ sap_general_preconfigure_max_hostname_length }} (variable 'sap_general_preconfigure_max_hostname_length')!"
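Review bot: the rewritten condition is the right pattern for the ansible-core change that fixes CVE-2023-5764: `that` now holds a bare Jinja expression, so no `{{ }}`-rendered text is handed back to the conditional evaluator. Two small points: Jinja's `length` already returns an integer, so `sap_hostname | length | int` can simply be `sap_hostname | length`; and the same `"{{ ... }} <= {{ ... }}"` shape should be searched for across the preconfigure roles' assert-mode task files, because the README text in this commit says assert mode still aborts on the first such task.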
2 changes: 1 addition & 1 deletion roles/sap_hana_install/tasks/hana_addhosts.yml
@@ -40,7 +40,7 @@

- name: SAP HANA Add Hosts - Assert that the additional hosts are not shown in hdblcm --list_systems
ansible.builtin.assert:
that: "'{{ line_item }}' not in __sap_hana_install_register_hdblcm_list_systems.stdout"
that: line_item not in __sap_hana_install_register_hdblcm_list_systems.stdout
fail_msg:
- "FAIL: Host '{{ line_item }}' is already part of system '{{ sap_hana_install_sid }}'"
- "Because of this, the addhost operation will not be performed."
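Review bot: apart from the CVE-2023-5764 fix itself (the old `"'{{ line_item }}' not in ..."` pasted the host name into a quoted Jinja string literal, so a name containing `'` would have broken out of it), the condition is a plain substring test on the `hdblcm --list_systems` output: `line_item not in __sap_hana_install_register_hdblcm_list_systems.stdout` is false for a host `hana1` as soon as the output mentions `hana10` or `hana1x`, and the addhost would then be refused for a host that is not part of the system. Test against whole tokens instead, for example `line_item not in (__sap_hana_install_register_hdblcm_list_systems.stdout.split())`, adjusting the split to how hdblcm separates host names in its listing; this assumes `line_item` is the loop variable of the surrounding loop, which is not visible in this hunk.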
@@ -140,9 +140,14 @@
changed_when: no
failed_when: no

- name: SAP HANA Checks - Define new variable for the assertion
ansible.builtin.set_fact:
__sap_hana_install_existing_sapsys_gid: "{{ __sap_hana_install_register_getent_group_sapsys.stdout.split(':')[2] }}"
when: __sap_hana_install_register_getent_group_sapsys.rc == 0

- name: SAP HANA Checks - In case there is a group 'sapsys', assert that its group ID is identical to 'sap_hana_install_groupid'
ansible.builtin.assert:
that: "{{ __sap_hana_install_register_getent_group_sapsys.stdout.split(':')[2] }} == {{ sap_hana_install_groupid }}"
that: (__sap_hana_install_existing_sapsys_gid | int) == (sap_hana_install_groupid | int)
success_msg: "PASS: The group ID of 'sapsys' is identical to the value of variable
sap_hana_install_groupid, which is '{{ sap_hana_install_groupid }}'"
fail_msg: "FAIL: Group 'sapsys' exists but with a different group ID than '{{ sap_hana_install_groupid }}'
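Review bot: `__sap_hana_install_existing_sapsys_gid` is only set when the `getent group sapsys` command returned `rc == 0`, but the assert that consumes it shows no `when` guard in this hunk; if a `when: __sap_hana_install_register_getent_group_sapsys.rc == 0` sits in the context below, fine, otherwise the task now fails with an undefined-variable error on hosts that have no `sapsys` group instead of being skipped as its name ("In case there is a group 'sapsys'") promises. The `| int` on both sides is needed, since `set_fact` stores the `split(':')[2]` result as a string and `sap_hana_install_groupid` may be given as a string or a number; doing `| int` once in the `set_fact` would give every later consumer an integer.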
@@ -6,7 +6,7 @@

- name: Ensure that the system is running a RHEL release which is supported for SAP HANA
ansible.builtin.assert:
that: ansible_distribution_version in "{{ sap_hana_preconfigure_supported_rhel_minor_releases }}"
that: ansible_distribution_version in sap_hana_preconfigure_supported_rhel_minor_releases
fail_msg: "The RHEL release {{ ansible_distribution_version }} is not supported for SAP HANA!"
success_msg: "The RHEL release {{ ansible_distribution_version }} is supported for SAP HANA."
ignore_errors: "{{ not sap_hana_preconfigure_min_rhel_release_check }}"
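Review bot: the old `ansible_distribution_version in "{{ sap_hana_preconfigure_supported_rhel_minor_releases }}"` rendered the list into a string and then did a substring match, so `8.1` would have passed when only `8.10` was listed; the bare expression does real list membership and is both stricter and correct. One check it now depends on: `ansible_distribution_version` is a string, so every entry of `sap_hana_preconfigure_supported_rhel_minor_releases` must be a quoted string (`'9.2'`, not `9.2`), otherwise YAML parses it as a float and the membership test silently fails for a supported release. Unchanged here but worth a follow-up: `ignore_errors: "{{ not sap_hana_preconfigure_min_rhel_release_check }}"` still prints the failure and records a failed task; `when: sap_hana_preconfigure_min_rhel_release_check` skips the check cleanly when it is disabled.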