Upgrade the base AMI to Fedora 41 #129
base: develop
I attempted to upgrade our staging COOL environment to use the new Fedora 40 AMI, but the replica creation process failed at the KRA stage.
…journald This is being done for testing purposes and can be reverted once cisagov/ansible-role-persist-journald#40 has been merged.
…ch-agent This is being done for testing purposes and can be reverted once cisagov/ansible-role-cloudwatch-agent#58 has been merged.
This is being done for testing purposes and can be reverted once cisagov/ansible-role-hardening-2#3 is merged.
This can be done now that cisagov/ansible-role-hardening-2#3 has been merged.
…-agent We can do this now that cisagov/ansible-role-cloudwatch-agent#58 has been merged.
…urnald We can do this now that cisagov/ansible-role-persist-journald#40 has been merged.
This project uses community.general.ufw, which is packaged into ansible, so it requires this dependency.
This is being done for testing purposes and this change can be reverted once cisagov/ansible-role-upgrade#66 is merged.
This is necessary because the base AMI we use does not come with the python3-libdnf5 package preinstalled. Since Ansible detects dnf5 as the package manager on Fedora 41 and above, this package must be installed before Ansible can be run.
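The bootstrap step that commit message describes, sketched as an added example that is not code from this pull request: it installs python3-libdnf5 only on Fedora 41 or later and only when the bindings are missing. The function names are hypothetical, and the script assumes it runs as root before the Ansible provisioner.

```shell
#!/bin/sh
# Added example, not from the pull request. Function names are hypothetical.

# Print the unquoted value of KEY ($1) from an os-release style file ($2).
os_release_value() {
    sed -n "s/^$1=//p" "$2" | head -n 1 | tr -d '"'
}

# Succeed when the image is Fedora 41 or later, the releases on which
# (per the commit message) Ansible selects dnf5 as the package manager.
needs_libdnf5() {
    file="${1:-/etc/os-release}"
    [ -r "$file" ] || return 1
    distro=$(os_release_value ID "$file")
    version=$(os_release_value VERSION_ID "$file")
    [ "$distro" = "fedora" ] || return 1
    case "$version" in
        ''|*[!0-9]*) return 1 ;;  # missing or non-integer version: do nothing
    esac
    [ "$version" -ge 41 ]
}

# Succeed when the Python bindings are already importable.
have_libdnf5() {
    python3 -c 'import libdnf5' >/dev/null 2>&1
}

# Install the bindings only when they are required and absent, so the
# step is a no-op on older releases and on images that already ship them.
bootstrap_ansible_deps() {
    file="${1:-/etc/os-release}"
    if needs_libdnf5 "$file" && ! have_libdnf5; then
        dnf install -y python3-libdnf5
    fi
}

# Usage (as root, before Ansible runs): bootstrap_ansible_deps
```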
Since the scripts are being run under bash there is no need for them to be executable.
…d-security-updates This is being done for testing purposes and this change can be reverted once cisagov/ansible-role-automated-security-updates#38 is merged.
We can do this now that cisagov/ansible-role-upgrade#66 has been merged.
…security-updates We can do this now that cisagov/ansible-role-automated-security-updates#38 has been merged.
I attempted to upgrade our COOL staging environment to use the new Fedora 41 AMI, but the instance failed to start up properly. It did not respond to pings and the CloudWatch Agent did not start up correctly. The changes in cisagov/freeipa-server-tf-module#86 appear to remedy this. I will fully test by again attempting to upgrade our COOL staging environment in the coming days.
This is a temporary measure so that we can log in via the user on the serial console to debug why the AMI is not booting up correctly.
There is no need to do this because before hardening /tmp has not yet had the noexec bit set.
I was wrong. The changes in cisagov/freeipa-server-tf-module#86 do not remedy the situation.
Description
This pull request upgrades the base AMI from Fedora 39 to Fedora 41.
Motivation and context
Resolves #127.
Testing
Not yet...
Pre-approval checklist
Pre-merge checklist
/etc/systemd/journald.conf directly ansible-role-persist-journald#40 has been merged.
/etc/systemd/journald.conf directly ansible-role-cloudwatch-agent#58 has been merged.
auditd.service is restarted ansible-role-hardening-2#3 has been merged.
dnf5 package manager ansible-role-upgrade#66 has been merged.
dnf5 package manager ansible-role-automated-security-updates#38 has been merged.
Post-merge checklist