Merged
57 commits
a70f1cb
Adds RHEL9 Dockerfile and related files
Jul 30, 2025
17999ce
Adds RHEL9 to the ansible roles
Aug 1, 2025
dd816d8
Import the redhat 9 gpg key
Aug 1, 2025
0184164
RHEL 9: SELinux-friendly Nix install flow and container-wide policy; …
cbaxley Aug 11, 2025
01e536c
Modified SELinux policy to use container_policy module
cbaxley Aug 11, 2025
6844a7e
Adds a script to fix SELinux contexts for quadlet units on RHEL 9
cbaxley Aug 13, 2025
46eb603
Adds the quadlet fix script
cbaxley Aug 14, 2025
3bcf34c
Fixes the SELinux install to only install when selinux_available is true
Aug 14, 2025
0637501
Collects the SELinux setup tasks into a single role
cbaxley Aug 14, 2025
bf4c4a5
Adds container-selinux package to base role if selinux is available
cbaxley Aug 14, 2025
9603043
Fixes errors in SELinux policy and setup
cbaxley Aug 18, 2025
d416ad8
Break out the selinux policies for nix and podman
cbaxley Aug 18, 2025
ee521f4
Setting further selinux policies for redhat 9.1
cbaxley Aug 19, 2025
7361220
Fixes the expand_rhel_disk.sh script
cbaxley Aug 20, 2025
e3b942d
Adds SELinux context fixes for Nix store packages
cbaxley Aug 20, 2025
b823d7a
Load the SELinux policy for Podman Quadlet and restorecon the files
cbaxley Aug 20, 2025
f6521f7
Reorder SELinux tasks to ensure proper context restoration
cbaxley Aug 20, 2025
62bbe47
Adds RHEL 9.1 to the docker workflow
Aug 21, 2025
cc0ec18
Merge branch 'develop' into cbaxley-563-redhat-9-1
cbaxley Aug 21, 2025
abcd1dc
Updates the expand_rhel_disk.sh script to double the root partition s…
cbaxley Aug 22, 2025
6e596a8
Rename Wazuh dashboard files: remove 'dumped' from filenames
Aug 22, 2025
4836fb0
Merge branch 'cbaxley-563-redhat-9-1' of https://github.com/cisagov/L…
Aug 22, 2025
e088fdd
Merge branch 'develop' into cbaxley-563-redhat-9-1
cbaxley Aug 22, 2025
a3b7be2
Adds a new installer for RHEL 9
cbaxley Aug 22, 2025
8817487
Updates the RHEL 9 pipeline to use the new installer
cbaxley Aug 22, 2025
8184a87
Updates the RHEL 9 installer to use the --yes flag for the expand_rhe…
cbaxley Aug 22, 2025
bfe32e5
Update to run all tests on RHEL 9
cbaxley Aug 22, 2025
0216c41
Remove caddy from the certificate setup
cbaxley Aug 22, 2025
e180155
Adds RHEL 9 cluster workflow
cbaxley Aug 26, 2025
ebfaa4f
Adds RHEL remote installation instructions
Aug 26, 2025
9b46794
Merge branch 'develop' into cbaxley-563-redhat-9-1
cbaxley Aug 26, 2025
1de310c
Adds RHEL cluster workflow to trigger on PRs
Aug 26, 2025
47cf622
Adds RHEL cluster workflow to trigger on PRs
Aug 26, 2025
25e3fd6
Fixes Azure Windows agent installation output parsing
Aug 27, 2025
10a741c
Checks Azure Windows agent installation output for errors
Aug 27, 2025
1bf4faf
Passes the azure environment variables to the Azure Windows agent ins…
Aug 27, 2025
ada98b8
Uses the default ip instead of the AZURE_IP environment variable
Aug 27, 2025
ce00735
Updates some of the tools and documentation for testing
Aug 28, 2025
05f75d9
Clean up SELinux setup and vars
cbaxley Aug 29, 2025
fd6d745
Updates the example args for the azure linux network script
Aug 29, 2025
c9a0dea
Change install.sh to install EPEL repository on RHEL9
Sep 2, 2025
3764b7a
Adds CodeReady Builder for RHEL 9
Sep 2, 2025
2303d77
Sbom generator fixes for Red Hat 9
Sep 4, 2025
fac65cb
Adds script to configure Red Hat firewall
cbaxley Sep 11, 2025
3886a39
Adds nftables configuration script for Red Hat 9
cbaxley Sep 11, 2025
817c5bb
Change sudo use in configure_lme_nftables.sh
cbaxley Sep 12, 2025
2b31794
Lme certs required iptables when running in a docker container
Sep 15, 2025
8f04f0a
Adds connectivity tests
cbaxley Sep 16, 2025
5a65abb
Merge remote-tracking branch 'refs/remotes/origin/cbaxley-563-redhat-…
cbaxley Sep 16, 2025
13716d7
Cleans up some stuff in the RHEL9 Dockerfile
cbaxley Sep 17, 2025
5b57837
Cleans up the firewall scripts to make them more robust
cbaxley Sep 17, 2025
155cf0e
Updates gitignore to ignore all output logs and password files
cbaxley Sep 24, 2025
71f46dd
Broaden nftables configuration
cbaxley Sep 24, 2025
ec01a81
Adds the recommendation to restart the system after applying the fire…
Sep 25, 2025
13bfdec
Remove libsemanage-devel from SELinux policy tools
cbaxley Sep 26, 2025
1228a27
Merge branch 'cbaxley-563-redhat-9-1' of https://github.com/cisagov/L…
cbaxley Sep 26, 2025
1c0680d
Allow user to choose ansible installation method on redhat based distros
Sep 29, 2025
7 changes: 7 additions & 0 deletions .github/workflows/cluster.yml
@@ -26,6 +26,13 @@ on:
- ukwest
- northeurope
- westeurope
operating_system:
description: 'Operating system for Azure VM'
required: true
default: 'ubuntu'
type: choice
options:
- ubuntu

jobs:
build-and-test-cluster:
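Review bot: the new `operating_system` input is declared as `type: choice` but its `options:` list holds only `ubuntu`, so it is indistinguishable from its own default and cannot select anything else; either add the second value the job is meant to branch on (this PR introduces RHEL 9 support elsewhere) or leave the input out until a step actually reads `inputs.operating_system`, since nothing in the visible hunk consumes it.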
34 changes: 24 additions & 10 deletions .github/workflows/cluster_redhat.yml
@@ -1,6 +1,9 @@
name: Cluster RedHat

on:
pull_request:
branches:
- '*'
workflow_dispatch:
inputs:
azure_region:
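Review bot: `branches: - '*'` under `pull_request` matches only branch names without a `/` (a single `*` does not cross the path separator in GitHub's filter syntax), so a PR from a `feature/xyz`-style branch will not trigger this workflow; use `'**'` if every branch is intended. Also worth stating in the workflow comment: this job provisions Azure resources from repository secrets (see the `env:` block in the next hunk), and those secrets are not exposed to `pull_request` runs from forks, so such runs will fail at `az login`, while every PR from the main repository now pays for a cloud build.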
@@ -222,18 +225,29 @@ jobs:
echo "Policy ID and Enrollment Token retrieved successfully"

- name: Install the Elastic Agent on Windows Azure VM
env:
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_SECRET }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
run: |
cd testing/v2/development
docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "
cd /home/lme-user/LME/testing/v2/installers/lib/ && \
chmod +x install_agent_windows_azure.sh && \
./install_agent_windows_azure.sh \
--resource-group pipe-${{ env.UNIQUE_ID }} \
--vm-name ws1 \
--hostip ${{ env.AZURE_IP }} \
--token ${{ env.ENROLLMENT_TOKEN }} \
--version ${{ env.ELASTIC_AGENT_VERSION }}
"
docker compose -p ${{ env.UNIQUE_ID }} exec -T \
-e AZURE_CLIENT_ID \
-e AZURE_CLIENT_SECRET \
-e AZURE_TENANT_ID \
-e AZURE_SUBSCRIPTION_ID \
pipeline bash -c "
az login --service-principal -u $AZURE_CLIENT_ID -p $AZURE_CLIENT_SECRET --tenant $AZURE_TENANT_ID && \
cd /home/lme-user/LME/testing/v2/installers/lib/ && \
chmod +x install_agent_windows_azure.sh && \
./install_agent_windows_azure.sh \
--resource-group pipe-${{ env.UNIQUE_ID }} \
--vm-name ws1 \
--token ${{ env.ENROLLMENT_TOKEN }} \
--version ${{ env.ELASTIC_AGENT_VERSION }} \
--debug
"

- name: Check if the Windows Elastic agent is reporting
env:
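Review bot: the `az login --service-principal -u $AZURE_CLIENT_ID -p $AZURE_CLIENT_SECRET --tenant $AZURE_TENANT_ID` line sits inside the double-quoted `bash -c "…"` string, so the runner's own shell expands the secret before `docker compose exec` starts; the client secret therefore travels as a command-line argument on the runner (visible in the process list and in any `set -x` trace), and the new `-e AZURE_CLIENT_SECRET` pass-through is not what the login actually reads. Escape the references as `\$AZURE_CLIENT_ID`, `\$AZURE_CLIENT_SECRET` and `\$AZURE_TENANT_ID`, the way `\$IP_ADDRESS` is written in docker.yml, so expansion happens inside the container from the forwarded environment. Second, `--debug` is added to the `install_agent_windows_azure.sh` call right after `--token ${{ env.ENROLLMENT_TOKEN }}`; confirm the script's debug output does not echo the enrollment token into the job log, because an `env` value is only masked if the step that produced it registered it with `::add-mask::`.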
249 changes: 249 additions & 0 deletions .github/workflows/docker.yml
@@ -7,6 +7,8 @@ name: Docker Pipeline
# sudo act --bind --workflows .github/workflows/docker.yml --job build-24-04 --secret-file .env
# or
# sudo act --bind --workflows .github/workflows/docker.yml --job build-d12-10 --secret-file .env
# or
# sudo act --bind --workflows .github/workflows/docker.yml --job build-rhel9 --secret-file .env
on:
workflow_dispatch:
inputs:
@@ -769,6 +771,253 @@ jobs:
az group delete --name pipe-${{ env.UNIQUE_ID }} --yes --no-wait
"

- name: Stop and remove containers
if: always()
run: |
cd testing/v2/development
docker compose -p ${{ env.UNIQUE_ID }} down
docker system prune -af

build-rhel9:
runs-on: self-hosted

env:
UNIQUE_ID: ${{ github.run_number }}_rhel9_${{ github.run_id }}
BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
CONTAINER_TYPE: "rhel9"
AZURE_IP: ""
IP_ADDRESS: ""

steps:
- name: Generate random number
shell: bash
run: |
RANDOM_NUM=$(shuf -i 1000000000-9999999999 -n 1)
echo "UNIQUE_ID=${RANDOM_NUM}_rhel9_${{ github.run_number }}" >> $GITHUB_ENV

- name: Checkout repository
uses: actions/[email protected]

- name: Get branch name
shell: bash
run: |
if [ "${{ github.event_name }}" == "pull_request" ]; then
echo "BRANCH_NAME=${{ github.head_ref }}" >> $GITHUB_ENV
else
echo "BRANCH_NAME=${GITHUB_REF##*/}" >> $GITHUB_ENV
fi

- name: Set the environment for docker compose
run: |
cd testing/v2/development
echo "HOST_UID=$(id -u)" > .env
echo "HOST_GID=$(id -g)" >> .env
echo "HOST_IP=10.1.0.5" >> .env
PUBLIC_IP=$(curl -s https://api.ipify.org)
echo "IP_ADDRESS=$PUBLIC_IP" >> $GITHUB_ENV


- name: Start pipeline container
run: |
cd testing/v2/development
docker compose -p ${{ env.UNIQUE_ID }} up -d pipeline

- name: Install Python requirements
run: |
cd testing/v2/development
docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "
cd /home/lme-user/LME/testing/v2/installers/azure && \
pip install -r requirements.txt
"

- name: Build an Azure instance
env:
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_SECRET }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
run: |
cd testing/v2/development
docker compose -p ${{ env.UNIQUE_ID }} exec -T \
-e AZURE_CLIENT_ID \
-e AZURE_CLIENT_SECRET \
-e AZURE_TENANT_ID \
-e AZURE_SUBSCRIPTION_ID \
pipeline bash -c "
cd /home/lme-user/LME/testing/v2/installers && \
python3 ./azure/build_azure_linux_network.py \
-g pipe-${{ env.UNIQUE_ID }} \
-s 0.0.0.0/0 \
-vs Standard_B4s_v2 \
-l ${{ inputs.azure_region || 'centralus' }} \
-ast 23:00 \
-y
"
#-s ${{ env.IP_ADDRESS }}/32 \

- name: Retrieve Azure IP
run: |
cd testing/v2/development
AZURE_IP=$(docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "cat /home/lme-user/LME/testing/v2/installers/pipe-${{ env.UNIQUE_ID }}.ip.txt")
echo "AZURE_IP=$AZURE_IP" >> $GITHUB_ENV
echo "Azure IP: $AZURE_IP"
echo "Azure IP retrieved successfully"

- name: Retrieve Azure Password
run: |
cd testing/v2/development
AZURE_PASS=$(docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "cat /home/lme-user/LME/testing/v2/installers/pipe-${{ env.UNIQUE_ID }}.password.txt")
echo "AZURE_PASS=$AZURE_PASS" >> $GITHUB_ENV
echo "Azure Password retrieved successfully"

# wait for the azure instance to be ready
- name: Wait for Azure instance to be ready
run: |
sleep 30

- name: Copy SSH Key to Azure instance
run: |
cd testing/v2/development
docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "
cd /home/lme-user/LME/testing/v2/installers && \
./lib/copy_ssh_key.sh lme-user ${{ env.AZURE_IP }} /home/lme-user/LME/testing/v2/installers/pipe-${{ env.UNIQUE_ID }}.password.txt
"

- name: Clone repository on Azure instance
run: |
cd testing/v2/development
docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "
cd /home/lme-user/LME/testing/v2/installers && \
IP_ADDRESS=\$(cat pipe-${{ env.UNIQUE_ID }}.ip.txt) && \
ssh lme-user@\$IP_ADDRESS '
if [ ! -d LME ]; then
git clone https://github.com/cisagov/LME.git;
fi
cd LME
if [ \"${{ env.BRANCH_NAME }}\" != \"main\" ]; then
git fetch
git checkout ${{ env.BRANCH_NAME }}
fi
'
"

- name: Install Docker on Azure instance
run: |
cd testing/v2/development
docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "
cd /home/lme-user/LME/testing/v2/installers && \
IP_ADDRESS=\$(cat pipe-${{ env.UNIQUE_ID }}.ip.txt) && \
ssh lme-user@\$IP_ADDRESS 'chmod +x ~/LME/docker/install_latest_docker_in_ubuntu.sh && \
sudo ~/LME/docker/install_latest_docker_in_ubuntu.sh && \
sudo usermod -aG docker \$USER && \
sudo systemctl enable docker && \
sudo systemctl start docker'
"

- name: Install test prerequisites on Azure instance
run: |
cd testing/v2/development
docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "
cd /home/lme-user/LME/testing/v2/installers && \
IP_ADDRESS=\$(cat pipe-${{ env.UNIQUE_ID }}.ip.txt) && \
ssh lme-user@\$IP_ADDRESS '
cd LME/testing/tests && \
sudo apt-get update && \
sudo apt-get install -y python3.10-venv && \
wget -q https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb && \
sudo apt install -y ./google-chrome-stable_current_amd64.deb && \
python3 -m venv venv && \
source venv/bin/activate && \
pip install -r requirements.txt
'
"

- name: Test Docker container
run: |
cd testing/v2/development

# Set environment
docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "
cd /home/lme-user/LME/testing/v2/installers && \
IP_ADDRESS=\$(cat pipe-${{ env.UNIQUE_ID }}.ip.txt) && \
ssh lme-user@\$IP_ADDRESS '
cd ~/LME/docker/${{ env.CONTAINER_TYPE }}
echo \"HOST_IP=10.1.0.5\" > .env
'
"

# Build container
docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "
cd /home/lme-user/LME/testing/v2/installers && \
IP_ADDRESS=\$(cat pipe-${{ env.UNIQUE_ID }}.ip.txt) && \
ssh lme-user@\$IP_ADDRESS '
cd ~/LME/docker/${{ env.CONTAINER_TYPE }}
sudo docker compose up -d
'
"

# Deploy LME
docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "
cd /home/lme-user/LME/testing/v2/installers && \
IP_ADDRESS=\$(cat pipe-${{ env.UNIQUE_ID }}.ip.txt) && \
ssh lme-user@\$IP_ADDRESS '
cd ~/LME/docker/${{ env.CONTAINER_TYPE }}
sudo docker compose exec -T lme bash -c \"NON_INTERACTIVE=true AUTO_CREATE_ENV=true /root/LME/install.sh -i 10.1.0.5 -d\"
'
"

# Extract passwords
ES_PASSWORD=$(docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "
cd /home/lme-user/LME/testing/v2/installers && \
IP_ADDRESS=\$(cat pipe-${{ env.UNIQUE_ID }}.ip.txt) && \
ssh lme-user@\$IP_ADDRESS '
cd ~/LME/docker/${{ env.CONTAINER_TYPE }}
SECRETS=\$(sudo docker compose exec -T lme bash -c \". ~/LME/scripts/extract_secrets.sh -p\")
echo \"\$SECRETS\" | grep \"^elastic=\" | cut -d= -f2-
'
")

KIBANA_PASSWORD=$(docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "
cd /home/lme-user/LME/testing/v2/installers && \
IP_ADDRESS=\$(cat pipe-${{ env.UNIQUE_ID }}.ip.txt) && \
ssh lme-user@\$IP_ADDRESS '
cd ~/LME/docker/${{ env.CONTAINER_TYPE }}
SECRETS=\$(sudo docker compose exec -T lme bash -c \". ~/LME/scripts/extract_secrets.sh -p\")
echo \"\$SECRETS\" | grep \"^kibana_system=\" | cut -d= -f2-
'
")

# Run tests
docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "
sleep 360
cd /home/lme-user/LME/testing/v2/installers && \
IP_ADDRESS=\$(cat pipe-${{ env.UNIQUE_ID }}.ip.txt) && \
ssh lme-user@\$IP_ADDRESS '
cd ~/LME/testing/tests
echo \"Container: ${{ env.CONTAINER_TYPE }}\" > .env
echo \"ELASTIC_PASSWORD=$ES_PASSWORD\" >> .env
echo \"KIBANA_PASSWORD=$KIBANA_PASSWORD\" >> .env
echo \"elastic=$ES_PASSWORD\" >> .env
source venv/bin/activate
echo \"Running tests for container ${{ env.CONTAINER_TYPE }}\"
pytest -v api_tests/linux_only/ selenium_tests/linux_only/
'
"

- name: Cleanup Azure resources
if: always()
env:
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_SECRET: ${{ secrets.AZURE_SECRET }}
AZURE_TENANT: ${{ secrets.AZURE_TENANT }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
run: |
cd testing/v2/development
docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "
az login --service-principal -u $AZURE_CLIENT_ID -p $AZURE_SECRET --tenant $AZURE_TENANT
az group delete --name pipe-${{ env.UNIQUE_ID }} --yes --no-wait
"

- name: Stop and remove containers
if: always()
run: |
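Review bot: in the "Build an Azure instance" step, `-s 0.0.0.0/0` opens the test VM's network to every source address for the life of the run, while the intended restriction `#-s ${{ env.IP_ADDRESS }}/32` is left commented out even though `IP_ADDRESS` is computed two steps earlier from api.ipify.org; restore the `/32` source (or say in a comment why the broad rule is required) so a VM that runs `install.sh` with freshly generated secrets is not reachable from anywhere on the internet. Two smaller points: the "Retrieve Azure Password" step writes `AZURE_PASS` to `$GITHUB_ENV` without first running `echo "::add-mask::$AZURE_PASS"`, so it would print unmasked if any later step echoed it, and nothing in this job reads it (`copy_ssh_key.sh` is handed the password file path directly), so the step can be dropped; and the "Run tests" step invokes only `api_tests/linux_only/ selenium_tests/linux_only/`, whereas the linux_only workflows in this PR add `api_tests/connectivity/`, so the RHEL 9 container job does not exercise the new connectivity tests.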
2 changes: 1 addition & 1 deletion .github/workflows/linux_only.yml
@@ -152,7 +152,7 @@ jobs:
echo elastic=\"$ES_PASSWORD\" >> .env && \
cat .env && \
source venv/bin/activate && \
pytest -v api_tests/linux_only/ selenium_tests/linux_only/'
pytest -v api_tests/linux_only/ selenium_tests/linux_only/ api_tests/connectivity/'
"

- name: Cleanup Azure resources
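Review bot: the test path list `api_tests/linux_only/ selenium_tests/linux_only/ api_tests/connectivity/` is now duplicated verbatim in linux_only.yml and linux_only_redhat.yml, with a third, shorter list in docker.yml; move it into a workflow-level `env` value or a pytest marker so the suites cannot drift apart again. While touching this command, note that the `cat .env` two lines above the changed line prints the `elastic=` password line into the job log; unless `ES_PASSWORD` was registered with `::add-mask::` in the step that retrieved it, that output is unmasked, so consider dropping the `cat` or masking the value first.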
4 changes: 2 additions & 2 deletions .github/workflows/linux_only_redhat.yml
@@ -101,7 +101,7 @@ jobs:
ls -la && \
cd /home/lme-user/LME/testing/v2/installers && \
IP_ADDRESS=\$(cat pipe-${{ env.UNIQUE_ID }}.ip.txt) && \
./install_v2/install.sh lme-user \$IP_ADDRESS "pipe-${{ env.UNIQUE_ID }}.password.txt" ${{ env.BRANCH_NAME }}
./install_v2/install_rhel.sh lme-user \$IP_ADDRESS "pipe-${{ env.UNIQUE_ID }}.password.txt" ${{ env.BRANCH_NAME }}
"

- name: Retrieve Elastic password
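Review bot: switching from `./install_v2/install.sh` to `./install_v2/install_rhel.sh` keeps the same positional arguments (user, IP, password file, branch), so the two installers now have to be kept in step by hand; consider a single entry point that takes the distribution as an argument, or at least a comment naming the RHEL-specific steps that justify a separate script. Note also that the password-file argument `"pipe-${{ env.UNIQUE_ID }}.password.txt"` is written with plain double quotes inside the outer double-quoted `bash -c "` string: bash concatenates the adjacent quoted segments, so it works today only because the file name contains no whitespace, not because the quotes protect it; `\"…\"` would make the intent explicit.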
@@ -153,7 +153,7 @@ jobs:
echo elastic=\"$ES_PASSWORD\" >> .env && \
cat .env && \
source venv/bin/activate && \
pytest -v api_tests/linux_only/ selenium_tests/linux_only/'
pytest -v api_tests/linux_only/ selenium_tests/linux_only/ api_tests/connectivity/'
"

- name: Cleanup Azure resources
9 changes: 7 additions & 2 deletions .gitignore
@@ -20,10 +20,10 @@ lme.conf
/testing/tests/.env
**/.pytest_cache/
**/__pycache__/
/testing/*.password.txt
/testing/**/*.password.txt
/testing/configure/azure_scripts/config.ps1
/testing/configure.zip
/testing/*.output.log
/testing/**/*.output.log
/testing/tests/report.html
testing/tests/assets/style.css
.history/
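Review bot: widening `/testing/*.password.txt` and `/testing/*.output.log` to `/testing/**/*.password.txt` and `/testing/**/*.output.log` is the right fix, since the `pipe-<id>.password.txt` files the docker.yml job writes under `testing/v2/installers/` were never matched by the old top-level-only pattern; because `.gitignore` only stops untracked files from being added, run `git ls-files 'testing/**/*.password.txt' 'testing/**/*.output.log'` once to confirm none were committed before this change, and `git rm --cached` any that were.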
@@ -45,3 +45,8 @@ testing/upgrade_testing/
.cache/
.venv/
*.env
cloud.md

# SELinux build artifacts
ansible/roles/base/files/selinux/*.mod
ansible/roles/base/files/selinux/*.pp
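Review bot: `cloud.md` is ignored at the repository root with no comment saying what produces it; add a one-line comment, as the SELinux block below it has, so the rule is not mistaken for a stray personal file. The `*.mod` and `*.pp` patterns keep compiled policy modules out of the repository while the `.te` sources stay tracked, which is the right split, but it means the role that loads the policy (the commit "Load the SELinux policy for Podman Quadlet and restorecon the files" above) must compile the module at deploy time rather than rely on a checked-in `.pp`; worth a note next to these patterns.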