Upgrade prometheus stack to latest LTS versions (#943)

* CVE-2025-68121 go crypto/tls issue

* Ignore Python 2.7.5 vulnerabilities in filebeat and opensearch

python is not used at runtime in these images

* Ignore CVE-2021-38297 in prometheus tools

* Ignore issues in rescue kernel

It's not normally booted

* Ignore CVE-2022-21797 requirements-dev.txt

* Ignore CVE-2023-24531 CVE-2023-29402 CVE-2023-29405

go env and go commands not used

* Ignore CVE-2023-3128 Azure AD not used

* Ignore CVE-2024-24790 not affected by ip IsPrivate filtering

* Ignore CVE-2024-8986 not self-built grafana components

* Ignore CVE-2025-22871 not servers forwarding data

* Ignore CVE-2026-33186 -- not running go gRPC server

* Bump ark repo timestamps

* Ignore CVE-2024-45337 opensearch datasource no ssh

* Ignore CVE-2026-33937 Handlebars.compile() javascript injection

reviewed Handlebars.compile usage for vulnerability: not affected

* Rebuilt images from latest timestamps

* Switch to prometheus-community prometheus

* Prevent prometheus configuration in fatimage build

* Set node_exporter 1.11.1, prometheus 3.5.2, alertmanager 0.31.1

* Switch to prometheus.prometheus.alertmanager

Warning: there are some config file changes and variable changes

* Store alertmanager db in appliances_state_dir

for persistence accross rebuilds.

* Remove obsolete links to cloudalchemy roles in doc and comments

* Bump images

* Adjust grype.yaml following prometheus stack upgrade

* Bump alertmanager 0.32.0 to fix CVE

* Ignore CVE-2026-33186 (GO-2026-4762) for ondemand-dex

We don't enable the gRPC interface in deployments

* Ignore CVE-2024-45337 in apptainer's gocryptfs

It doesn't use ssh

* TMP: Ignore CVE-2026-39324 in OpenOnDemand

Preliminary checks indicate OOD is not affected

* TMP: exclude podman images

Pending an update of the opensearch/filebeat and mysql images

docker.io/opensearchproject/opensearch  2.9.0
docker.io/library/mysql                 8.0.30
docker.elastic.co/beats/filebeat-oss    7.12.1

* Latest timestamps

* Rebuilt images

* Ensure our .grype.yaml is used

* Revert "Ensure our .grype.yaml is used"

This reverts commit 287421b.

* move path-based ignores to excludes

* Change ignores to use the GHSA when it's the primary ID in grype

otherwise they still appear in the table output.
Could also change the table output to CVE with the same effect

* TMP: mask grafana vulnerability

* Fix forgotten reference to local alertmanager role

* Checked Rocky Linux 8 rclone vulnerabilities

v1.57.0-DEV with go1.16.12

* GH: output image name and id to summary

* GH: show scanned image name in summary

* GH: more output to summary

* Remove leftover parts of cockpit

CVE-2026-4631 Cockpit's remote login lack of sanitization.

It couldn't be exploited before because we removed cockpit-ws
(in bootstrap.yml) so cockpit web interface is not present.

* grype: remove unused files instead of ignoring

* Fix Cleanup /tmp

there was no expansion in the command: needs to be a shell

* Remove .grype.yaml comment now that /tmp is correctly cleaned-up

* Remove unused packer ansible skip-tags

* Use python3.9 interpreter for mysql role

to install a recent version of pymysql.
This is less intrusive than trying to use python3.9 interpreter as much as possible
(need to use platform-python anyway for firewalld and selinux python bindings, which is python 3.6 on RL8)

* Note that ansible.posix.firewalld need platform-python

in our ansible/roles/firewalld, called from bootstrap.yml
This was discovered when trying to use python3.9 as ansible interpreter
as much as possible on RL8

* Upgrade prometheus to latest LTS 3.5.3

* Update alertmanager to latest 0.32.1

* Rebuilt images

* Ignore CVE-2026-27143 - go compiler overflow check loops induction vars

Ignoring at the moment since projects have not had time to rebuild yet.
There is a very high level of false positive on general tools
(just check the stdlib version) and no known exploitation.
See https://access.redhat.com/security/cve/cve-2026-27143 for status

* Ignore CVE-2026-41176 and CVE-2026-41179 rclone rcd,--rc vulnerabilities

We don't run rclone with remote control

* Use python3.9 interpreter for stackhpc.openhpc upgrade.yml

* Replace rclone binary with a no-op script

as a precaution against the many vulnerabilities reported by grype

* Rebuilt prometheus-slurm-exporter (0.22)

* Rebuilt images

* Remove grype ignore prometheus-slurm-exporter

Rebuilt 0.22 version is now free of those

* Use tagged version of stackhpc/prometheus-community-ansible

Author: elelaysh

.github/workflows/fatimage.yml

@@ -53,8 +53,8 @@ jobs:
 
       - name: Record settings for CI cloud
         run: |
-          echo "CI_CLOUD: ${CI_CLOUD}"
-          echo "PACKER_ON_ERROR: ${PACKER_ON_ERROR}"
+          echo "CI_CLOUD: ${CI_CLOUD}" | tee -a "$GITHUB_STEP_SUMMARY"
+          echo "PACKER_ON_ERROR | tee -a ${PACKER_ON_ERROR}"
 
       - name: Setup ssh
         run: |
@@ -120,8 +120,8 @@ jobs:
             sleep 5
           done
           IMAGE_NAME=$(openstack image show -f value -c name "$IMAGE_ID")
-          echo "image-name=${IMAGE_NAME}" >> "$GITHUB_OUTPUT"
-          echo "image-id=$IMAGE_ID" >> "$GITHUB_OUTPUT"
+          echo "image-name=${IMAGE_NAME}" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
+          echo "image-id=$IMAGE_ID" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
           echo "$IMAGE_ID" > image-id.txt
           echo "$IMAGE_NAME" > image-name.txt
 

.github/workflows/nightly-cleanup.yml

@@ -28,7 +28,7 @@ jobs:
 
       - name: Record which cloud CI is running on
         run: |
-          echo "CI_CLOUD: ${CI_CLOUD}"
+          echo "CI_CLOUD: ${CI_CLOUD}" | tee -a "$GITHUB_STEP_SUMMARY"
 
       - name: Setup environment
         run: |

.github/workflows/scan.yml

@@ -70,7 +70,7 @@ jobs:
         run: |
           IMAGE_NAME=$(jq --arg version "$MATRIX_BUILD" -r '.cluster_image[$version]' "$JSON_PATH")
           echo "IMAGE_NAME=${IMAGE_NAME}" >> "$GITHUB_ENV"
-          echo "image-name=${IMAGE_NAME}" >> "$GITHUB_OUTPUT"
+          echo "image-name=${IMAGE_NAME}" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
         env:
           MATRIX_BUILD: ${{ matrix.build }}
           JSON_PATH: ${{ env.JSON_PATH }}

.github/workflows/workflow-cleanup.yml

@@ -34,8 +34,8 @@ jobs:
 
       - name: Input Variables
         run: |
-          echo "CI_CLOUD: ${CI_CLOUD}"
-          echo "CLUSTER_NAME: ${CLUSTER_NAME}"
+          echo "CI_CLOUD: ${CI_CLOUD}" | tee -a "$GITHUB_STEP_SUMMARY"
+          echo "CLUSTER_NAME: ${CLUSTER_NAME}" | tee -a "$GITHUB_STEP_SUMMARY"
 
       - name: Check Cluster Name not empty
         run: |

.grype.yaml

@@ -0,0 +1,191 @@
+---
+# ignore rules for grype, with justification
+ignore:
+
+# go crypto/tls vulnerability: programs not used with TLS
+  - vulnerability: CVE-2025-68121
+    package:
+      location: /usr/bin/ondemand_exporter
+  # prometheus 3.5.1 still has an older go runtime
+  - vulnerability: CVE-2025-68121
+    package:
+      location: "/usr/local/bin/prometheus"
+  - vulnerability: CVE-2025-68121
+    package:
+      location: "/usr/local/bin/promtool"
+  - vulnerability: CVE-2025-68121
+    package:
+      location: "/usr/sbin/ondemand-dex"
+  - vulnerability: CVE-2025-68121
+    package:
+      location: "/usr/sbin/ondemand-dex-session"
+  - vulnerability: CVE-2025-68121
+    package:
+      location: "/usr/share/grafana/bin/grafana"
+  - vulnerability: CVE-2025-68121
+    package:
+      location: "/usr/share/grafana/bin/grafana-cli"
+  - vulnerability: CVE-2025-68121
+    package:
+      location: "/usr/share/grafana/bin/grafana-server"
+  - vulnerability: CVE-2025-68121
+    package:
+      location: /var/lib/podman/.local/share/containers/storage/overlay/b51397a6db0ae651df3ffd51be823f98a26ab18ac7033847fedbac792798ae18/diff/usr/share/filebeat/filebeat
+  - vulnerability: CVE-2025-68121
+    package:
+      location: /var/lib/podman/.local/share/containers/storage/overlay/efeebaada56fcf04784f6d67852667327a8e50d18bbf9aea6d3556865e894f59/diff/usr/local/bin/gosu
+
+#  go crypto/tls vulnerability: programs used with trusted TLS servers
+  - vulnerability: CVE-2025-68121
+    package:
+      location: /usr/local/bin/alertmanager
+  - vulnerability: CVE-2025-68121
+    package:
+      location: /var/lib/grafana/plugins/grafana-opensearch-datasource/gpx_opensearch-datasource_linux_amd64
+
+# go compiler bug introduces potential unverified memory access wr loops with induction variables on under or overflow
+  - vulnerability: CVE-2026-27143
+
+# system dep, what can we do?
+  - vulnerability: CVE-2025-68121
+    package:
+      name: podman
+  - vulnerability: CVE-2025-68121
+    package:
+      location: /usr/bin/podman
+  - vulnerability: CVE-2025-68121
+    package:
+      location: "/usr/libexec/podman/**"
+
+# go crypto/tls vulnerability: programs run by users not admins
+  - vulnerability: CVE-2025-68121
+    package:
+      location: "/usr/bin/apptainer"
+  - vulnerability: CVE-2025-68121
+    package:
+      location: "/usr/libexec/apptainer/**"
+
+# Python 2.7 vulnerabilities in filebeat and opensearch ignored: python not used at runtime
+# CVE-2014-4650 CGIHTTPServer module in Python 2.7.5, in filebeat and opensearch images
+# CVE-2016-0718, CVE-2016-9063 Expat
+# CVE-2017-1000158 integer overflow in the PyString_DecodeEscape
+# CVE-2018-1000802 Command Injection vulnerability in shutil
+  - package: # filebeat
+      location: /var/lib/podman/.local/share/containers/storage/overlay/174f5685490326fc0a1c0f5570b8663732189b327007e47ff13d2ca59673db02/diff/usr/bin/python2.7
+  - package: # filebeat
+      location: /var/lib/podman/.local/share/containers/storage/overlay/174f5685490326fc0a1c0f5570b8663732189b327007e47ff13d2ca59673db02/diff/usr/lib64/libpython2.7.so.1.0
+  - package: # filebeat
+      location: /var/lib/podman/.local/share/containers/storage/overlay/6b0b788550f0cdfdceded05ec82b17c5bd3801b6a7795fecb4a18d1103d5d548/diff/usr/bin/python2.7
+  - package: # filebeat
+      location: /var/lib/podman/.local/share/containers/storage/overlay/6b0b788550f0cdfdceded05ec82b17c5bd3801b6a7795fecb4a18d1103d5d548/diff/usr/lib64/libpython2.7.so.1.0
+  - package: # opensearch
+      location: /var/lib/podman/.local/share/containers/storage/overlay/6042fe893e2746bb7637efe59d35909d895c9060b43950db261e692ad3dfb834/diff/usr/bin/python2.7
+  - package: # opensearch
+      location: /var/lib/podman/.local/share/containers/storage/overlay/6042fe893e2746bb7637efe59d35909d895c9060b43950db261e692ad3dfb834/diff/usr/lib64/libpython2.7.so.1.0
+
+# kernel rescue image: won't be booted
+# CVE-2021-43267, CVE-2021-47378, ...
+  - package:
+      location: /boot/vmlinuz-0-rescue-*
+
+# CVE-2023-24531 `go env` command is not used
+  - vulnerability: CVE-2023-24531
+    package:
+      location: /var/lib/grafana/plugins/grafana-opensearch-datasource/gpx_opensearch-datasource_linux_amd64
+
+# CVE-2023-3128 grafana Azure AD auth bypass by spoofing -- not used
+  - vulnerability: GHSA-mpv3-g8m3-3fjc
+    package:
+      location: /var/lib/grafana/plugins/grafana-opensearch-datasource/gpx_opensearch-datasource_linux_amd64
+
+# CVE-2024-24790 IsPrivate, IsLoopback, etc broken for IPv4-mapped IPv6 addresses -- not affected
+  - vulnerability: CVE-2024-24790
+    package:
+      location: /var/lib/grafana/plugins/grafana-opensearch-datasource/gpx_opensearch-datasource_linux_amd64
+
+# CVE-2024-8986 Grafana plugin SDK Information Leakage about git source repository -- not affected
+  - vulnerability: GHSA-xxxw-3j6h-q7h6
+    package:
+      location: /usr/share/grafana/bin/grafana
+  - vulnerability: GHSA-xxxw-3j6h-q7h6
+    package:
+      location: /var/lib/grafana/plugins/grafana-opensearch-datasource/gpx_opensearch-datasource_linux_amd64
+
+# CVE-2025-22871 request smuggling in net/http server (bare LF) -- no server forwarding chunked data here
+  - vulnerability: CVE-2025-22871
+    package:
+      location: /usr/bin/ondemand_exporter
+  - vulnerability: CVE-2025-22871
+    package:
+      location: /var/lib/grafana/plugins/grafana-opensearch-datasource/gpx_opensearch-datasource_linux_amd64
+
+# CVE-2026-33186 (GO-2026-4762) gRPC-Go server auth bypass -- not running go server
+  - vulnerability: GHSA-p77j-4mvh-x3m3
+    package:
+      location: /usr/bin/apptainer
+  - vulnerability: GHSA-p77j-4mvh-x3m3
+    package:
+      location: /usr/local/bin/amtool
+  - vulnerability: GHSA-p77j-4mvh-x3m3
+    package:
+      location: /usr/local/bin/promtool
+  - vulnerability: GHSA-p77j-4mvh-x3m3
+    package:
+      location: /var/lib/grafana/plugins/grafana-opensearch-datasource/gpx_opensearch-datasource_linux_amd64
+
+# CVE-2026-33186 (GO-2026-4762) gRPC-Go server auth bypass -- no auth to start with
+  - vulnerability: GHSA-p77j-4mvh-x3m3
+    package:
+      location: /usr/local/bin/prometheus
+
+# CVE-2026-33186 (GO-2026-4762) gRPC-Go server auth bypass -- not affected in our deployments
+# XXX: grpc version bump is in DEX master but it needs a new DEX release before OOD release to produce the ondemand-dex package
+# DEX doesn't use grpc/authz but has custom interceptors. I couldn't tell if it's vulnerable to the attack.
+# Regardless, the gRPC API is off by default (https://dexidp.io/docs/configuration/api/#configuration)
+# Our deployments don't enable it. Check for the commented-out `grpc:` block in `/etc/ood/dex/config.yaml` to confirm.
+  - vulnerability: GHSA-p77j-4mvh-x3m3
+    package:
+      location: /usr/sbin/ondemand-dex
+  - vulnerability: GHSA-p77j-4mvh-x3m3
+    package:
+      location: /usr/sbin/ondemand-dex-session
+
+
+# CVE-2026-33186 (GO-2026-4762) gRPC-Go server auth bypass -- TMP disable to check ignores are working
+# FIXME: should upgrade grafana to  Grafana 12.4.2
+  - vulnerability: GHSA-p77j-4mvh-x3m3
+    package:
+      location: /usr/share/grafana/bin/grafana
+
+# CVE-2024-45337 (GO-2024-3321) Misuse of ServerConfig.PublicKeyCallback -- not using ssh
+  - vulnerability: GHSA-v778-237x-gjrc
+    package:
+      location: /usr/libexec/apptainer/bin/gocryptfs
+  - vulnerability: GHSA-v778-237x-gjrc
+    package:
+      location: /var/lib/grafana/plugins/grafana-opensearch-datasource/gpx_opensearch-datasource_linux_amd64
+
+# CVE-2026-33937 Handlebars.compile() javascript injection
+# Handlebars.compile() is only used by the shell app via hbs. All uses seem safe:
+#  - protected by `typeof input !== 'string'` as https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q
+#  - or from string by directly reading a file on disk
+  - vulnerability: GHSA-2w6w-674q-4c4q
+    package:
+      location: /var/www/ood/apps/sys/shell/yarn.lock
+# Handlebars.compile() is only used by webpack.config.js and input from string by directly reading a file on disk
+  - vulnerability: GHSA-2w6w-674q-4c4q
+    package:
+      location: /opt/jupyter-py39/lib/python3.9/site-packages/jupyterlab/staging/yarn.lock
+
+# CVE-2026-39324 Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
+# Preliminary checks indicate OOD is not affected, as a Ruby on Rails application.
+  - vulnerability: GHSA-33qg-7wpp-89cq
+    package:
+      location: /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.1.4-1/specifications/rack-session-2.1.1.gemspec
+  - vulnerability: GHSA-33qg-7wpp-89cq
+    package:
+      location: /var/www/ood/apps/sys/dashboard/Gemfile.lock
+
+# Exclude podman images from scan, pending MySQL+OpenSearch+Filebeat upgrade
+exclude:
+  - /var/lib/podman/.local/share/**

ansible/bootstrap.yml

@@ -218,7 +218,7 @@
   tags: cockpit
   tasks:
     - name: Remove RHEL cockpit # noqa: no-changed-when
-      ansible.builtin.command: dnf -y remove cockpit-ws
+      ansible.builtin.command: dnf -y remove cockpit-ws cockpit-system cockpit-bridge
       register: dnf_remove_output
       ignore_errors: true # Avoid failing if a lock or other error happens
 

ansible/cleanup.yml

@@ -38,7 +38,7 @@
   ansible.builtin.command: cloud-init clean --logs --seed
 
 - name: Cleanup /tmp # noqa: no-changed-when
-  ansible.builtin.command: rm -rf /tmp/*
+  ansible.builtin.shell: rm -rvf /tmp/*
 
 - name: Delete files triggering vulnerability scans
   ansible.builtin.file:
@@ -53,6 +53,23 @@
     # chrony role: only used for role dev, venv never created on disk
     - /etc/ansible-init/playbooks/roles/mrlesmithjr.chrony/poetry.lock
     - /etc/ansible-init/playbooks/roles/mrlesmithjr.chrony/requirements.txt
+    - /etc/ansible-init/playbooks/roles/mrlesmithjr.chrony/requirements-dev.txt
+    # netbox collection: only used for role dev
+    - /usr/lib/ansible-init/lib/python3.9/site-packages/ansible_collections/netbox/netbox/poetry.lock
+    # esbuild in OOD
+    - /var/www/ood/apps/sys/dashboard/node_modules/@esbuild/linux-x64/bin/esbuild
+    - /usr/lib/rstudio-server/bin/quarto/bin/tools/x86_64/esbuild
+
+- name: Replace rclone with a no-op script
+  ansible.builtin.copy:
+    content: |
+      #!/bin/sh
+      echo "The rclone executable has been removed in ansible-slurm-appliance images due to too many security warnings." 1>&2
+      exit 1
+    dest: /usr/bin/rclone
+    owner: root
+    group: root
+    mode: "0555"
 
 - name: Stop journald
   # Stop journald from writing data to the journal after we have cleared it.

ansible/fatimage.yml

@@ -188,9 +188,9 @@
       when: "'filebeat' in group_names"
 
     - ansible.builtin.import_role:
-        # can't only run cloudalchemy.node_exporter/tasks/install.yml as needs vars from preflight.yml and triggers service start
+        # no prometheus.prometheus.node_exporter/tasks/install.yml
         # however starting node exporter is ok
-        name: cloudalchemy.node_exporter
+        name: prometheus.prometheus.node_exporter
       when: "'node_exporter' in group_names"
 
     - name: Open Ondemand exporter
@@ -206,8 +206,15 @@
 
     - name: Install alertmanager
       ansible.builtin.include_role:
-        name: alertmanager
-        tasks_from: install.yml
+        name: prometheus.prometheus.alertmanager
+      vars:
+        alertmanager_skip_configure: true
+        # must be overridden because the alertmanager password is undefined at this staged
+        # so it won't pass "Validating arguments against arg spec 'main'"
+        alertmanager_web_config:
+          basic_auth_users: {}
+          http_server_config: {}
+          tls_server_config: {}
       when: "'alertmanager' in group_names"
 
     - name: Download HPL source
@@ -221,58 +228,12 @@
   gather_facts: true
   tasks:
     - ansible.builtin.import_role:
-        name: cloudalchemy.prometheus
-        tasks_from: preflight.yml
-
-    # can't run cloudalchemy.prometheus/tasks/install.yml as it triggers a unit start
-    # so below is a partial extraction of this:
-    - name: Create prometheus system group
-      ansible.builtin.group:
-        name: prometheus
-        system: true
-        state: present
-
-    - name: Create prometheus system user
-      ansible.builtin.user:
-        name: prometheus
-        system: true
-        shell: "/usr/sbin/nologin"
-        group: prometheus
-        createhome: false
-        home: "{{ prometheus_db_dir }}"
-
-    - name: Download prometheus binary to local folder
-      become: false
-      ansible.builtin.get_url:
-        # yamllint disable-line rule:line-length
-        url: "https://github.com/prometheus/prometheus/releases/download/v{{ prometheus_version }}/prometheus-{{ prometheus_version }}.linux-{{ go_arch }}.tar.gz"
-        dest: "/tmp/prometheus-{{ prometheus_version }}.linux-{{ go_arch }}.tar.gz"
-        checksum: "sha256:{{ __prometheus_checksum }}"
-        mode: "0644"
-      register: _download_archive
-      until: _download_archive is succeeded
-      retries: 5
-      delay: 2
-
-    - name: Unpack prometheus binaries
-      become: false
-      ansible.builtin.unarchive:
-        remote_src: true
-        src: "/tmp/prometheus-{{ prometheus_version }}.linux-{{ go_arch }}.tar.gz"
-        dest: "/tmp"
-        creates: "/tmp/prometheus-{{ prometheus_version }}.linux-{{ go_arch }}/prometheus"
-
-    - name: Propagate official prometheus and promtool binaries
-      ansible.builtin.copy:
-        remote_src: true
-        src: "/tmp/prometheus-{{ prometheus_version }}.linux-{{ go_arch }}/{{ item }}"
-        dest: "{{ _prometheus_binary_install_dir }}/{{ item }}"
-        mode: "0755"
-        owner: root
-        group: root
-      with_items:
-        - prometheus
-        - promtool
+        name: prometheus.prometheus.prometheus
+      vars:
+        prometheus_skip_configure: true
+        # prometheus_alert_rules contain undefined variables at this time, causing
+        # an assertion failure in arg check
+        prometheus_alert_rules: []
 
 - hosts: grafana
   become: true

ansible/filter_plugins/utils.py

@@ -12,7 +12,7 @@
 
 
 def prometheus_node_exporter_targets(hosts, hostvars, env_key, group):
-    """Return a mapping in cloudalchemy.nodeexporter prometheus_targets
+    """Return a mapping in prometheus.prometheus.prometheus prometheus_targets
     format.
 
     hosts: list of inventory_hostnames