Security Vulnerability Updates (r7 dsr7)

Updated Files in Stx 7.0
Continuation of Updates in: https://review.opendev.org/c/starlingx/docs/+/865605

Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com>
Change-Id: Ic3a3b120340d390bc75c928d222608cbe0f313d0

doc/source/backup/kubernetes/running-ansible-backup-playbook-locally-on-the-controller.rst

@@ -8,18 +8,23 @@ Run Ansible Backup Playbook Locally on the Controller
 
 In this method the Ansible Backup playbook is run on the active controller.
 
-Use the following command to run the Ansible Backup playbook and back up the
+Use one of the following commands to run the Ansible Backup playbook and back up the
 |prod| configuration, data, and user container images in registry.local data:
 
 .. code-block:: none
 
     ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/backup.yml -e "ansible_become_pass=<sysadmin password> admin_password=<sysadmin password>" -e "backup_user_local_registry=true"
 
-The <admin_password> and <ansible_become_pass> need to be set  correctly
-using the ``-e`` option on the command line, or an override file, or in the
-Ansible secret file.
+    ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/backup.yml --ask-vault-pass -e "override_files_dir=$HOME/override_dir"
 
-An example of override file follows:
+The <admin_password> and <ansible_become_pass> need to be set correctly
+using the ``-e`` option on the command line, with an override file secured with
+ansible-vault (recommended).
+
+For example, create your override file with the :command:`ansible-vault create $HOME/override_dir/localhost-backup.yaml`
+command and copy the following lines into the file. You will be prompted for a
+password to protect/encrypt the file. Use the :command:`ansible-vault edit $HOME/override_dir/localhost-backup.yaml`
+command if the file needs to be edited after it is created.
 
 .. code-block:: none
 
@@ -43,8 +48,8 @@ The output files will be named:
 
 -   inventory_hostname_dc_vault_backup_timestamp.tgz
 
-The variables prefix can be overridden using the ``-e`` option on the command
-line or by using an override file.
+The output files' prefixes can be overridden with the following variables
+using the ``-e`` option on the command line or by using an override file.
 
 .. _running-ansible-backup-playbook-locally-on-the-controller-ul-rdp-gyh-pmb:
 

doc/source/backup/kubernetes/running-ansible-backup-playbook-remotely.rst

@@ -59,7 +59,7 @@ and target it at controller-0.
 #.  Switch to the <overrides> directory created previously.
 
 #.  Create a new secret file encrypted with Ansible-Vault using the
-    :command:`ansible-vault create secrets.yml` command.
+    :command:`ansible-vault create $HOME/override_dir/secrets.yml` command.
 
     Set and confirm a new Ansible-Vault password. Ansible will open an editing
     window where you can enter your desired contents.
@@ -82,7 +82,7 @@ and target it at controller-0.
 
     Save your changes and quit the editor. If you need to make additional
     changes, you can use the command :command:`ansible-vault edit
-    override_dir/secrets.yml`.
+    $HOME/override_dir/secrets.yml`.
 
 #.  Run Ansible Backup playbook:
 

doc/source/deploy_install_guides/r7_release/bare_metal/aio_duplex_install_kubernetes.rst

@@ -96,19 +96,30 @@ Bootstrap system on controller-0
    Specify the user configuration override file for the Ansible bootstrap
    playbook using one of the following methods:
 
+   .. note::
+
+      This Ansible Overrides file for the Bootstrap Playbook ($HOME/localhost.yml)
+      contains security sensitive information, use the
+      :command:`ansible-vault create $HOME/localhost.yml` command to create it.
+      You will be prompted for a password to protect/encrypt the file.
+      Use the :command:`ansible-vault edit $HOME/localhost.yml` command if the
+      file needs to be edited after it is created.
+
    #. Use a copy of the default.yml file listed above to provide your overrides.
 
       The default.yml file lists all available parameters for bootstrap
       configuration with a brief description for each parameter in the file
       comments.
 
-      To use this method, copy the default.yml file listed above to
-      ``$HOME/localhost.yml`` and edit the configurable values as desired.
+      To use this method, run the :command:`ansible-vault create $HOME/localhost.yml`
+      command and copy the contents of the ``default.yml`` file into the
+      ansible-vault editor, and edit the configurable values as required.
 
    #. Create a minimal user configuration override file.
 
-      To use this method, create your override file at ``$HOME/localhost.yml``
-      and provide the minimum required parameters for the deployment
+      To use this method, create your override file with
+      the :command:`ansible-vault create $HOME/localhost.yml`
+      command and provide the minimum required parameters for the deployment
       configuration as shown in the example below. Use the OAM IP SUBNET and IP
       ADDRESSing applicable to your deployment environment.
 
@@ -178,7 +189,6 @@ Bootstrap system on controller-0
          docker_no_proxy:
             - 1.2.3.4
 
-
       Refer to :ref:`Ansible Bootstrap Configurations <ansible_bootstrap_configs_r7>`
       for information on additional Ansible bootstrap configurations for advanced
       Ansible bootstrap scenarios.
@@ -189,7 +199,7 @@ Bootstrap system on controller-0
 
    ::
 
-      ansible-playbook /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml
+      ansible-playbook --ask-vault-pass /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml
 
    Wait for Ansible bootstrap playbook to complete. This can take 5-10 minutes,
    depending on the performance of the host machine.

doc/source/deploy_install_guides/r7_release/bare_metal/aio_simplex_install_kubernetes.rst

@@ -96,21 +96,32 @@ Bootstrap system on controller-0
    Specify the user configuration override file for the Ansible bootstrap
    playbook using one of the following methods:
 
+   .. note::
+
+      This Ansible Overrides file for the Bootstrap Playbook ($HOME/localhost.yml)
+      contains security sensitive information, use the
+      :command:`ansible-vault create $HOME/localhost.yml` command to create it.
+      You will be prompted for a password to protect/encrypt the file.
+      Use the :command:`ansible-vault edit $HOME/localhost.yml` command if the
+      file needs to be edited after it is created.
+
    #. Use a copy of the default.yml file listed above to provide your overrides.
 
       The default.yml file lists all available parameters for bootstrap
       configuration with a brief description for each parameter in the file
       comments.
 
-      To use this method, copy the default.yml file listed above to
-      ``$HOME/localhost.yml`` and edit the configurable values as desired.
+      To use this method, run the :command:`ansible-vault create $HOME/localhost.yml`
+      command and copy the contents of the ``default.yml`` file into the
+      ansible-vault editor, and edit the configurable values as required.
 
    #. Create a minimal user configuration override file.
 
-      To use this method, create your override file at ``$HOME/localhost.yml``
-      and provide the minimum required parameters for the deployment
-      configuration as shown in the example below. Use the |OAM| IP SUBNET and
-      IP ADDRESSing applicable to your deployment environment.
+      To use this method, create your override file with
+      the :command:`ansible-vault create $HOME/localhost.yml`
+      command and provide the minimum required parameters for the deployment
+      configuration as shown in the example below. Use the OAM IP SUBNET and IP
+      ADDRESSing applicable to your deployment environment.
 
       .. include:: /_includes/min-bootstrap-overrides-simplex.rest
 
@@ -190,7 +201,7 @@ Bootstrap system on controller-0
 
    ::
 
-      ansible-playbook /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml
+      ansible-playbook --ask-vault-pass /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml
 
    Wait for Ansible bootstrap playbook to complete. This can take 5-10 minutes,
    depending on the performance of the host machine.

doc/source/deploy_install_guides/r7_release/bare_metal/controller_storage_install_kubernetes.rst

@@ -95,19 +95,30 @@ Bootstrap system on controller-0
    Specify the user configuration override file for the Ansible bootstrap
    playbook using one of the following methods:
 
+   .. note::
+
+      This Ansible Overrides file for the Bootstrap Playbook ($HOME/localhost.yml)
+      contains security sensitive information, use the
+      :command:`ansible-vault create $HOME/localhost.yml` command to create it.
+      You will be prompted for a password to protect/encrypt the file.
+      Use the :command:`ansible-vault edit $HOME/localhost.yml` command if the
+      file needs to be edited after it is created.
+
    #. Use a copy of the default.yml file listed above to provide your overrides.
 
       The default.yml file lists all available parameters for bootstrap
       configuration with a brief description for each parameter in the file
       comments.
 
-      To use this method, copy the default.yml file listed above to
-      ``$HOME/localhost.yml`` and edit the configurable values as desired.
+      To use this method, run the :command:`ansible-vault create $HOME/localhost.yml`
+      command and copy the contents of the ``default.yml`` file into the
+      ansible-vault editor, and edit the configurable values as required.
 
    #. Create a minimal user configuration override file.
 
-      To use this method, create your override file at ``$HOME/localhost.yml``
-      and provide the minimum required parameters for the deployment
+      To use this method, create your override file with
+      the :command:`ansible-vault create $HOME/localhost.yml`
+      command and provide the minimum required parameters for the deployment
       configuration as shown in the example below. Use the OAM IP SUBNET and IP
       ADDRESSing applicable to your deployment environment.
 
@@ -187,7 +198,7 @@ Bootstrap system on controller-0
 
    ::
 
-      ansible-playbook /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml
+      ansible-playbook --ask-vault-pass /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml
 
    Wait for Ansible bootstrap playbook to complete.
    This can take 5-10 minutes, depending on the performance of the host machine.

doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst

@@ -80,10 +80,10 @@ using the ansible playbook.
 
 .. rubric:: |proc|
 
-#.  Create a configuration file and specify the |OAM| unit IP addresses and
-    the ansible ssh password in the **migrate-subcloud1-overrides-EXAMPLE.yml**
-    file. The existing |OAM| IP address of the |AIO-SX| system will be used as
-    the |OAM| floating IP address of the new |AIO-DX| system.
+#.  Use the :command:`ansible-vault create migrate-subcloud1-overrides-EXAMPLE.yml`
+    command to securely specify the |OAM| unit IP addresses and the ansible
+    ssh password. The existing |OAM| IP address of the |AIO-SX| system will be
+    used as the |OAM| floating IP address of the new |AIO-DX| system.
 
     In the following example, 10.10.10.13 and 10.10.10.14 are the new |OAM| unit
     IP addresses for controller-0 and controller-1 respectively.
@@ -96,6 +96,9 @@ using the ansible playbook.
           "external_oam_node_1_address": "10.10.10.14",
           }
 
+    Use the :command:`ansible-vault edit migrate-subcloud1-overrides-EXAMPLE.yml`
+    command if the file needs to be edited after it is created.
+
 #.  On the system controller, run the ansible playbook to migrate the |AIO-SX|
     subcloud to an |AIO-DX|.
 
@@ -103,7 +106,7 @@ using the ansible playbook.
 
     .. code-block:: none
 
-        ~(keystone_admin)$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/migrate_sx_to_dx.yml -e @migrate-subcloud1-overrides-EXAMPLE.yml -i subcloud1, -v
+        ~(keystone_admin)$ ansible-playbook --ask-vault-pass /usr/share/ansible/stx-ansible/playbooks/migrate_sx_to_dx.yml -e @migrate-subcloud1-overrides-EXAMPLE.yml -i subcloud1, -v
 
     The ansible playbook will lock the subcloud's controller-0, if it not
     already locked, apply the configuration changes to convert the subcloud to

doc/source/storage/kubernetes/configure-an-external-netapp-deployment-as-the-storage-backend.rst

@@ -93,8 +93,10 @@ procedure.
 
     You can make changes-in-place to your existing localhost.yml file
     or create another in an alternative location. In either case, you
-    also have the option of using an ansible vault named secrets.yml
-    for sensitive data. The alternative must be named localhost.yaml.
+    also have the option of using an ansible vault to secure/encrypt the
+    localhost.yaml file containing sensitive data, i.e, using
+    :command:`ansible-vault create $HOME/localhost.yml` or :command:`ansible-vault edit $HOME/localhost.yml`
+    commands.
 
     The following parameters are mandatory:
 
@@ -225,7 +227,7 @@ procedure.
 
     .. code-block:: none
 
-        ansible-playbook /usr/share/ansible/stx-ansible/playbooks/install_netapp_backend.yml -e "override_files_dir=</home/sysadmin/mynetappconfig>"
+        ansible-playbook --ask-vault-pass /usr/share/ansible/stx-ansible/playbooks/install_netapp_backend.yml -e "override_files_dir=</home/sysadmin/mynetappconfig>"
 
     Upon successful launch, there will be one Trident pod running on
     each node, plus an extra pod for the REST API running on one of the