Add support for fail2ban in Kayobe

L-Chams · Alex-Welsh · commit d679f16694a1 · 2026-03-23T09:13:37.000Z
Adds support for installing and configuring fail2ban in Kayobe using the robertdebock.fail2ban Ansible role https://galaxy.ansible.com/ui/standalone/roles/robertdebock/fail2ban/ Change-Id: Ic484b2c4f6e261a5173ba8f5378258068f468fa2 Signed-off-by: Leonie Chamberlin-Medd <leonie@stackhpc.com>
diff --git a/ansible/control-host-configure.yml b/ansible/control-host-configure.yml
@@ -13,6 +13,7 @@
 - import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
+- import_playbook: "fail2ban.yml"
 - import_playbook: "tuned.yml"
 - import_playbook: "sysctl.yml"
 - import_playbook: "time.yml"
diff --git a/ansible/fail2ban.yml b/ansible/fail2ban.yml
@@ -0,0 +1,17 @@
+---
+- name: Configure fail2ban
+  hosts: seed:seed-hypervisor:overcloud:infra-vms:ansible-control
+  max_fail_percentage: >-
+    {{ fail2ban_max_fail_percentage |
+       default(host_configure_max_fail_percentage) |
+       default(kayobe_max_fail_percentage) |
+       default(100) }}
+  tags:
+    - fail2ban
+  roles:
+    - role: robertdebock.fail2ban
+      become: true
+      when: fail2ban_enabled | bool
+  vars:
+    # TODO (L-Chams): Remove fail2ban_sender override when PR https://github.com/robertdebock/ansible-role-fail2ban/pull/18 is merged.
+    fail2ban_sender: root@{{ ansible_facts.fqdn }}
diff --git a/ansible/infra-vm-host-configure.yml b/ansible/infra-vm-host-configure.yml
@@ -13,6 +13,7 @@
 - import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
+- import_playbook: "fail2ban.yml"
 - import_playbook: "tuned.yml"
 - import_playbook: "sysctl.yml"
 - import_playbook: "disable-glean.yml"
diff --git a/ansible/inventory/group_vars/all/ansible-control b/ansible/inventory/group_vars/all/ansible-control
@@ -126,6 +126,26 @@ ansible_control_firewalld_default_zone:
 # - state: enabled
 ansible_control_firewalld_rules: []
 
+###############################################################################
+# Ansible control host fail2ban configuration.
+
+# Whether to install and enable fail2ban. Default is false.
+ansible_control_fail2ban_enabled: false
+
+# List of fail2ban jails for the Ansible control host.
+ansible_control_fail2ban_jail_configuration: >-
+  {{ ansible_control_fail2ban_jail_configuration_default +
+     ansible_control_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the Ansible control host.
+ansible_control_fail2ban_jail_configuration_default:
+  - option: enabled
+    value: "true"
+    section: sshd
+
+# List of extra fail2ban jails for the Ansible control host.
+ansible_control_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Ansible control host swap configuration.
 
diff --git a/ansible/inventory/group_vars/all/compute b/ansible/inventory/group_vars/all/compute
@@ -185,6 +185,26 @@ compute_firewalld_default_zone:
 # - state: enabled
 compute_firewalld_rules: []
 
+###############################################################################
+# Compute node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+compute_fail2ban_enabled: false
+
+# List of fail2ban jails for the compute node.
+compute_fail2ban_jail_configuration: >-
+  {{ compute_fail2ban_jail_configuration_default +
+     compute_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the compute node.
+compute_fail2ban_jail_configuration_default:
+  - option: enabled
+    value: "true"
+    section: sshd
+
+# List of extra fail2ban jails for the compute node.
+compute_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Compute node host libvirt configuration.
 
diff --git a/ansible/inventory/group_vars/all/controllers b/ansible/inventory/group_vars/all/controllers
@@ -224,6 +224,26 @@ controller_firewalld_default_zone:
 # - state: enabled
 controller_firewalld_rules: []
 
+###############################################################################
+# Controller node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+controller_fail2ban_enabled: false
+
+# List of fail2ban jails for the controller node.
+controller_fail2ban_jail_configuration: >-
+  {{ controller_fail2ban_jail_configuration_default +
+     controller_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the controller node.
+controller_fail2ban_jail_configuration_default:
+  - option: enabled
+    value: "true"
+    section: sshd
+
+# List of extra fail2ban jails for the controller node.
+controller_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Controller node swap configuration.
 
diff --git a/ansible/inventory/group_vars/all/infra-vms b/ansible/inventory/group_vars/all/infra-vms
@@ -230,6 +230,26 @@ infra_vm_firewalld_default_zone:
 # - state: enabled
 infra_vm_firewalld_rules: []
 
+###############################################################################
+# Infrastructure VM node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+infra_vm_fail2ban_enabled: false
+
+# List of fail2ban jails for the infrastructure VM node.
+infra_vm_fail2ban_jail_configuration: >-
+  {{ infra_vm_fail2ban_jail_configuration_default +
+     infra_vm_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the infrastructure VM node.
+infra_vm_fail2ban_jail_configuration_default:
+  - option: enabled
+    value: "true"
+    section: sshd
+
+# List of extra fail2ban jails for the infrastructure VM node.
+infra_vm_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Infrastructure VM node swap configuration.
 
diff --git a/ansible/inventory/group_vars/all/monitoring b/ansible/inventory/group_vars/all/monitoring
@@ -124,6 +124,26 @@ monitoring_firewalld_default_zone: "{{ controller_firewalld_default_zone }}"
 # - state: enabled
 monitoring_firewalld_rules: "{{ controller_firewalld_rules }}"
 
+###############################################################################
+# Monitoring node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+monitoring_fail2ban_enabled: false
+
+# List of fail2ban jails for the monitoring node.
+monitoring_fail2ban_jail_configuration: >-
+  {{ monitoring_fail2ban_jail_configuration_default +
+     monitoring_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the monitoring node.
+monitoring_fail2ban_jail_configuration_default:
+  - option: enabled
+    value: "true"
+    section: sshd
+
+# List of extra fail2ban jails for the monitoring node.
+monitoring_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Monitoring node swap configuration.
 
diff --git a/ansible/inventory/group_vars/all/seed b/ansible/inventory/group_vars/all/seed
@@ -169,6 +169,26 @@ seed_firewalld_default_zone:
 # - state: enabled
 seed_firewalld_rules: []
 
+###############################################################################
+# Seed node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+seed_fail2ban_enabled: false
+
+# List of fail2ban jails for the seed node.
+seed_fail2ban_jail_configuration: >-
+  {{ seed_fail2ban_jail_configuration_default +
+     seed_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the seed node.
+seed_fail2ban_jail_configuration_default:
+  - option: enabled
+    value: "true"
+    section: sshd
+
+# List of extra fail2ban jails for the seed node.
+seed_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Seed node swap configuration.
 
diff --git a/ansible/inventory/group_vars/all/seed-hypervisor b/ansible/inventory/group_vars/all/seed-hypervisor
@@ -162,6 +162,26 @@ seed_hypervisor_firewalld_default_zone:
 # - state: enabled
 seed_hypervisor_firewalld_rules: []
 
+###############################################################################
+# Seed hypervisor node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+seed_hypervisor_fail2ban_enabled: false
+
+# List of fail2ban jails for the seed hypervisor node.
+seed_hypervisor_fail2ban_jail_configuration: >-
+  {{ seed_hypervisor_fail2ban_jail_configuration_default +
+     seed_hypervisor_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the seed hypervisor node.
+seed_hypervisor_fail2ban_jail_configuration_default:
+  - option: enabled
+    value: "true"
+    section: sshd
+
+# List of extra fail2ban jails for the seed hypervisor node.
+seed_hypervisor_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Seed hypervisor node swap configuration.
 
diff --git a/ansible/inventory/group_vars/all/storage b/ansible/inventory/group_vars/all/storage
@@ -173,6 +173,26 @@ storage_firewalld_default_zone:
 # - state: enabled
 storage_firewalld_rules: []
 
+###############################################################################
+# Storage node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+storage_fail2ban_enabled: false
+
+# List of fail2ban jails for the storage node.
+storage_fail2ban_jail_configuration: >-
+  {{ storage_fail2ban_jail_configuration_default +
+    storage_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the storage node.
+storage_fail2ban_jail_configuration_default:
+  - option: enabled
+    value: "true"
+    section: sshd
+
+# List of extra fail2ban jails for the storage node.
+storage_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Storage node swap configuration.
 
diff --git a/ansible/inventory/group_vars/ansible-control/fail2ban b/ansible/inventory/group_vars/ansible-control/fail2ban
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ ansible_control_fail2ban_enabled }}"
+
+# List of fail2ban jails for the Ansible control host.
+fail2ban_jail_configuration: "{{ ansible_control_fail2ban_jail_configuration }}"
diff --git a/ansible/inventory/group_vars/compute/fail2ban b/ansible/inventory/group_vars/compute/fail2ban
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ compute_fail2ban_enabled }}"
+
+# List of fail2ban jails for the compute node.
+fail2ban_jail_configuration: "{{ compute_fail2ban_jail_configuration }}"
diff --git a/ansible/inventory/group_vars/controllers/fail2ban b/ansible/inventory/group_vars/controllers/fail2ban
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ controller_fail2ban_enabled }}"
+
+# List of fail2ban jails for the controller node.
+fail2ban_jail_configuration: "{{ controller_fail2ban_jail_configuration }}"
diff --git a/ansible/inventory/group_vars/infra-vms/fail2ban b/ansible/inventory/group_vars/infra-vms/fail2ban
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ infra_vm_fail2ban_enabled }}"
+
+# List of fail2ban jails for the infrastructure VM node.
+fail2ban_jail_configuration: "{{ infra_vm_fail2ban_jail_configuration }}"
diff --git a/ansible/inventory/group_vars/monitoring/fail2ban b/ansible/inventory/group_vars/monitoring/fail2ban
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ monitoring_fail2ban_enabled }}"
+
+# List of fail2ban jails for the monitoring node.
+fail2ban_jail_configuration: "{{ monitoring_fail2ban_jail_configuration }}"
diff --git a/ansible/inventory/group_vars/seed-hypervisor/fail2ban b/ansible/inventory/group_vars/seed-hypervisor/fail2ban
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ seed_hypervisor_fail2ban_enabled }}"
+
+# List of fail2ban jails for the seed hypervisor node.
+fail2ban_jail_configuration: "{{ seed_hypervisor_fail2ban_jail_configuration }}"
diff --git a/ansible/inventory/group_vars/seed/fail2ban b/ansible/inventory/group_vars/seed/fail2ban
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ seed_fail2ban_enabled }}"
+
+# List of fail2ban jails for the seed node.
+fail2ban_jail_configuration: "{{ seed_fail2ban_jail_configuration }}"
diff --git a/ansible/inventory/group_vars/storage/fail2ban b/ansible/inventory/group_vars/storage/fail2ban
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ storage_fail2ban_enabled }}"
+
+# List of fail2ban jails for the storage node.
+fail2ban_jail_configuration: "{{ storage_fail2ban_jail_configuration }}"
diff --git a/ansible/overcloud-host-configure.yml b/ansible/overcloud-host-configure.yml
@@ -13,6 +13,7 @@
 - import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
+- import_playbook: "fail2ban.yml"
 - import_playbook: "etc-hosts.yml"
 - import_playbook: "tuned.yml"
 - import_playbook: "sysctl.yml"
diff --git a/ansible/seed-host-configure.yml b/ansible/seed-host-configure.yml
@@ -13,6 +13,7 @@
 - import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
+- import_playbook: "fail2ban.yml"
 - import_playbook: "tuned.yml"
 - import_playbook: "sysctl.yml"
 - import_playbook: "ip-routing.yml"
diff --git a/ansible/seed-hypervisor-host-configure.yml b/ansible/seed-hypervisor-host-configure.yml
@@ -13,6 +13,7 @@
 - import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
+- import_playbook: "fail2ban.yml"
 - import_playbook: "tuned.yml"
 - import_playbook: "sysctl.yml"
 - import_playbook: "ip-routing.yml"
diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst
@@ -691,6 +691,45 @@ follows:
 Note that despite the name, this will not actively enable UFW. It may do so in
 the future.
 
+Fail2Ban
+========
+@tags:
+  | ``fail2ban``
+
+Fail2Ban can be used to ban IP addresses that show malicious signs, such as
+ones that conduct too many failed login attempts. Kayobe can install and configure
+Fail2Ban on hosts.
+
+In order to use fail2ban, it is important to note that the user should enable
+``dnf_install_epel`` in their configuration when using Rocky Linux or CentOS.
+
+The following variables can be used to set whether to enable fail2ban:
+
+* ``ansible_control_fail2ban_enabled``
+* ``seed_hypervisor_fail2ban_enabled``
+* ``seed_fail2ban_enabled``
+* ``infra_vm_fail2ban_enabled``
+* ``compute_fail2ban_enabled``
+* ``controller_fail2ban_enabled``
+* ``monitoring_fail2ban_enabled``
+* ``storage_fail2ban_enabled``
+
+The following example demonstrates how to enable fail2ban on controllers.
+
+.. code-block:: yaml
+
+   controller_fail2ban_enabled: true
+
+The following should be added in the configuration file to set the default
+fail2ban sshd jail:
+
+.. code-block:: yaml
+
+   fail2ban_jail_configuration:
+      - option: enabled
+        value: "true"
+        section: sshd
+
 .. _configuration-hosts-tuned:
 
 Tuned
diff --git a/etc/kayobe/ansible-control.yml b/etc/kayobe/ansible-control.yml
@@ -111,6 +111,21 @@
 # - state: enabled
 #ansible_control_firewalld_rules:
 
+###############################################################################
+# Ansible control host fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+#ansible_control_fail2ban_enabled:
+
+# List of fail2ban jails for the Ansible control host.
+#ansible_control_fail2ban_jail_configuration:
+
+# List of default fail2ban jails for the Ansible control host.
+#ansible_control_fail2ban_jail_configuration_default:
+
+# List of extra fail2ban jails for the Ansible control host.
+#ansible_control_fail2ban_jail_configuration_extra:
+
 ###############################################################################
 # Ansible control host swap configuration.
 
diff --git a/etc/kayobe/compute.yml b/etc/kayobe/compute.yml
diff --git a/etc/kayobe/controllers.yml b/etc/kayobe/controllers.yml
diff --git a/etc/kayobe/infra-vms.yml b/etc/kayobe/infra-vms.yml
diff --git a/etc/kayobe/monitoring.yml b/etc/kayobe/monitoring.yml
diff --git a/etc/kayobe/seed-hypervisor.yml b/etc/kayobe/seed-hypervisor.yml
diff --git a/etc/kayobe/seed.yml b/etc/kayobe/seed.yml
diff --git a/etc/kayobe/storage.yml b/etc/kayobe/storage.yml
diff --git a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
diff --git a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py
diff --git a/releasenotes/notes/support-fail2ban-b25a26d66cfbcaaf.yaml b/releasenotes/notes/support-fail2ban-b25a26d66cfbcaaf.yaml
diff --git a/requirements.yml b/requirements.yml
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
