Fix CVE 2023 41914 #320

Merged
merged 11 commits into from
Oct 20, 2023
sjpb
Collaborator

@sjpb sjpb commented Oct 20, 2023

  • Provides a new role 'cve-2023-41914' and playbook ansible/adhoc/cve-2023-41914.yml to mitigate Slurm CVE-2023-41914. IMPORTANT: See ansible/roles/cve-2023-41914/README.md for full details.
  • Builds new fat image openhpc-231020-1357-b5d8b056 incorporating above fix.

Note CI tests the new fatimage works properly, but doesn't test the fix of a live system.

Tested on a live system as follows:

  • Put up cluster at commit 089d85c, ran hpctests (so slurmdbd had some data), ran adhoc/cve-2023-41914.yml, ran hpctests again
  • Checked:
    • All 8x jobs (4x before cve playbook, 4x after) visible in slurm jobs dashboard
    • OOD portal page works
    • OOD shell works
    • Remote desktop works
    • Jupyter works

@sjpb sjpb mentioned this pull request Oct 20, 2023
@sjpb
Collaborator Author

sjpb commented Oct 20, 2023

Building image openhpc-231020-0951-c147d9ca in https://github.com/stackhpc/ansible-slurm-appliance/actions/runs/6586148645/job/17893915770

@sjpb sjpb marked this pull request as ready for review October 20, 2023 10:06
@sjpb sjpb requested a review from a team as a code owner October 20, 2023 10:06
@sjpb
Collaborator Author

sjpb commented Oct 20, 2023

CI failed on SMSlabs because rebuilds are broken.

Resolved review threads:

  • ansible/fatimage.yml
  • ansible/roles/cve-2023-41914/tasks/install-rpms.yml (outdated)
  • ansible/roles/cve-2023-41914/tasks/pre-upgrade.yml (outdated)
  • ansible/roles/cve-2023-41914/tasks/shutdown.yml (outdated)
  • ansible/roles/cve-2023-41914/tasks/validate.yml (outdated)

@sjpb
Collaborator Author

sjpb commented Oct 20, 2023

Image build openhpc-231020-1357-b5d8b056 (on arcus): https://github.com/stackhpc/ansible-slurm-appliance/actions/runs/6588674103/job/17901488163

@sjpb
Collaborator Author

sjpb commented Oct 20, 2023

Repeated test of creating cluster with pre-PR image, running site.yml, hpctests.yml, the cve adhoc, then hpctests.yml again. Could see all 8x jobs in sacct.

@sjpb sjpb requested a review from m-bull October 20, 2023 15:40
@sjpb sjpb merged commit f03c89f into main Oct 20, 2023
@sjpb sjpb deleted the fix/CVE-2023-41914-v2 branch October 20, 2023 15:58
@sjpb sjpb restored the fix/CVE-2023-41914-v2 branch October 24, 2023 08:16