Age | Commit message (Collapse) | Author | Files | Lines |
|
This patch adds support for ip6tables rules in TripleO, in a intuitive
and flexible fashion.
1) Default firewal rules 'source' parameter to undef.
It was 0.0.0.0/0 before but now undef, so we don't need complex logic to
support ipv6 rules. undef will create empty source, which is the same as
0.0.0.0/0 or ::/0.
2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules.
3) Automatically create IPv6 rules like it's for IPv4.
4) Only create rules that can be created, depending on
source/destination ip version.
This patch should be backward compatible and adds a layer of security
for IPv6 deployments. If previous deployments were manually creating
Ipv6 rules, it's possible that this patch will override them. Our
framework is able to configure any rule, so it shouldn't be a problem
for upgrades.
Co-Authored-By: Ben Nemec <bnemec@redhat.com>
Closes-Bug: #1654050
Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
|
|
This change adds a profile to deploy the Ceph MDS service and some
basic unit tests for it.
Depends-On: I558b43deaa9b243c54f3d7ae945f11dd4925eb5d
Change-Id: Iaecc3ff7acb851776c5057c42a5a513a70425d2c
Partial-Bug: #1644784
|
|
|
|
This closes CVE-2016-9599.
1) Sanitize dynamic HAproxy endpoints firewall rules
Build the hash of firewall rules only when a port is specified. The
HAproxy endpoints are using TCP protocol, which means we have to specify
a port to the IPtables rules.
Some services don't have public network exposure (e.g. Glance Registry),
which means they don't need haproxy_ssl rule.
The code prepare the hash depending on the service_port and
public_ssl_port parameters and create the actual firewall rules only if
one of those or both parameters are specified.
It will prevent new services without public exposure to open all traffic
because no port is specified.
2) Secure Firewall rules creations
The code won't allow to create TCP / UDP IPtables rules in INPUT
or OUTPUT chains without port or sport or dport, because doing it would
allow an IPtables rule opening all traffic for TCP or UDP.
If we try to do that, Puppet catalog will fail with an error explaining
why.
Example of use-cases:
- creating VRRP rules wouldn't require port parameters.
- creating TCP or UDP rules would require port parameters.
3) Allow to open all traffic for TCO / UDP (when desired)
Some use-cases require to open all traffic for all ports on TCP / UDP.
It will be possible if the user gives port = 'all' when creating the
firewall rule.
Backward compatibility:
- if our users created custom TCP / UDP firewall rules without port
parameters, it won't work anymore, for security purpose.
- if you users want to open TCP / UDP for all ports, they need to pass
port = 'all' and the rule will be created, though a warning will be
displayed because this is insecure.
- if our users created custom VRRP rules without port parameters, it
will still work correctly and rules will be created.
- TCP / UDP rules in FORWARD chain without port are still accepted.
Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59
Closes-Bug: #1651831
|
|
A puppet manifest to allow the toggle of 'Banner' in sshd_config
and enable population of an SSH login banner needed for security
compliance such as DISA STIG
If `Bannertext` is set as a parameter, the `Banner` key within
sshd_config is toggled to `/etc/issue` and the content is copied
into the `/etc/issue` file
Change-Id: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e
Closes-Bug: #1640306
|
|
|
|
|
|
Ceilometer api is deprectaed in Ocata. Lets disable by default.
This can still be enabled by setting enable_legacy_ceilometer_api
param.
Change-Id: Iffb8c2cfed53d8b29e777c35cee44921194239e9
|
|
|
|
|
|
MidoNet no longer uses the API component. It has been renamed/refactored
to "cluster" as it can be seen on the docs at
https://blog.midonet.org/introducing-midonet-cluster-services/
Also there is no need to have a Cassandra and Zookeeper dedicated
classes, as we leverage this through the use of the midonet_openstack
puppet module.
Change-Id: I2f17aeeac2d1b121be0d445ff555320d5af5d270
Partial-Bug: #1647302
|
|
Change-Id: I2eb5b84dbeedde58153bceb707fd15cce8f03d5e
|
|
This change adds rspec testing for the cinder profiles with in
puppet-tripleo. Additionally while testing, it was found that the
backends may incorrectly have an extra , included in the settings
for cinder volume when running puppet 3. This change includes a fix
the cinder volume backends to make sure we are not improperly
configuring it with a trailing comma.
Change-Id: Ibdfee330413b6f9aecdf42a5508c21126fc05973
|
|
This replaces the services' IP-based RabbitMQ configuration and uses
FQDNs instead.
Change-Id: I2be81aecacf50839a029533247981f5edf59cb7f
|
|
|
|
The firewall rule quite reasonably sets up a default state matching rule
but this is invalid for GRE. This patch conditionally adds the state
matching if the protocol is not GRE.
Closes-Bug: #1644360
Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7
|
|
combination alarms are completely removed in Ocata.
Remove this from tripleo.
Change-Id: Icdf81d2f489db33533a1a0979cba3b5a652535d5
|
|
The civetweb binding format is IP:PORT; this change ensures the IP
is enclosed in brackets if IPv6.
To do so we add the bind_ip and bind_port parameters to the
rgw service class.
Change-Id: Ib84fa3479c2598bff7e89ad60a1c7d5f2c22c18c
Co-Authored-By: Lukas Bezdicka <social@v3.sk>
Related-Bug: #1636515
|
|
|
|
This change adds rspec tests for the barbican profiles to ensure they
function as expected.
Change-Id: I73f5405ade2cc73024efbeb2cfbfc831a2120f51
|
|
We use the rabbit_hosts configuration for most of our services but we
haven't been adding the configured port. This patch appends the IP port
used provided to the service's heat template to the IPs in the list.
Note: while we could use the value set for the rabbitmq server in
rabbitmq::port, it doesn't allow for dealing with SSL. This also is also
backwards compatible with the RabbitClientPort parameters used in the
heat templates.
Change-Id: I0000f039144a6b0e98c0a148dc69324f60db3d8b
Closes-Bug: #1633580
|
|
Instead of using an operator to make sure we upgrade package before any
service, which causes dependency cycles with iptables puppet module,
let's do another approach where we upgrade rpms in the 'setup' stage,
which is a stage that runs before configure and running services.
In that way, we'll remove dependency cycles and make sure packages are
upgrades before configure and running TripleO services.
Change-Id: I1be83f88be1959885c980ab4f428477d412751f7
|
|
The ceilometer::db::sync is included by default in ceilometer::db but we
only want it to run on the bootstrap node. This change passes the
sync_db parameter to ceilometer::db to manage the db sync process rather
than trying to manage the inclusion of ceilometer::db::sync within the
profile class.
Change-Id: Ib56db1a90dd6fbfe7582fc57b7728df81942cce2
Closes-Bug: #1629373
|
|
This change adds rspec testing for the ceph profiles in puppet-tripleo.
Change-Id: I08954e011848d6b747735f11b3cbff5707460c26
|
|
This change adds rspec testing for the ceilometer profiles. While
writing these tests, the tripleo::profile::base::ceilometer::collector
class needed to have the hiera lookups moved to class parameters to
allow for testing the possible options around the database backend.
These tests add coverage for ipv4 and ipv6 configurations for the
collector profile as well as excluding mongodb on the backend.
Change-Id: I1abae040104e8492a9fe266de74080e1e7701731
|
|
This change adds rspec testing for the aodh profile and serves as an
example as to how to add in spec testing using hieradata to provide some
required parameters. This testing adds improved coverage for
expectations around computed configuration items as well as for
conditions around the steps within the tripleo deployment
Change-Id: Ic763a544289a222fea97020a98821c1e375651a3
|
|
|
|
This change pulls in rspec-puppet-facts to provide the basic default
facts for puppet-tripleo rspec tests. rspec-puppet-facts provides an
easy to use interface to allow for the same set of tests to be executed
with multiple sets of operating system facts. In most cases this
includes defaults for Debian/RedHat based systems. In puppet-tripleo's
case this is just RHEL/CentOS. We are removing the Fedora listing from
the metadata.json as we only support RHEL and CentOS for tripleo.
This change also updates the existing rspec tests to leverage
rspec-puppet-facts to be more consistent with how facts are defined.
Change-Id: I0ddc71799d74ee95b9828aea6a8dcb4abb4e4e62
|
|
Add more coverage in our unit testing for FQDNs.
Change-Id: I74859cdecc0d81138b2fe986883c4f7c49b8cab3
|
|
In the case of memcache servers are IPv6, make sure brackets set in the
way we construct the list of memcache server + memcache port parameter.
Also add unit-tests to test that the output is what we want in the
configuration.
Depends-On: I8d361ce9cfcfe6a3f8592b2b7991971a3c748c75
Closes-Bug: 1625335
Change-Id: I9fb8168d8fb56c9d8465d58a45fd8c6edfee6fdd
|
|
This patch shall create VFs via the PCI SYS interface.
Default value : $::os_service_default
Sample Format : ['eth0:4','eth2:128']
For values as in sample format, the sriov_numvfs config files
for eth0 and eth2 will have the values 4 and 128 respectively
The SR-IOV numvfs configuration shall be persisted in /sbin/ifup-local
so that, during the bootup of the compute nodes, the numvfs
configuration will be restored.
Change-Id: I7450b904475bdf46498d9af633416b3eba12f761
Implements: blueprint tripleo-sriov
Signed-off-by: karthik s <ksundara@redhat.com>
|
|
Adds a class to configure SELinux. The code is taken from
puppet-openstack-cloud:
https://github.com/redhat-cip/puppet-openstack-cloud
This allows to share the same code for usage by both the Undercloud and
Overcloud.
Co-Authored By: Emilien Macchi <emilien@redhat.com>
Co-Authored By: Yanis Guenane <yguenane@redhat.com>
blueprint undercloud-elements
Change-Id: If214005df733d41c2fa4e197df247d8a14baaa14
|
|
The port parameter to puppetlabs-firewall is actually deprecated[1].
This adds support for using the new parameter names dport and sport. The
port parameter is still retained in puppet-tripleo for backwards
compatibily for anyone using that interface. It is marked deprecated in
the documentation, however no deprecation warning is needed because
there is already a warning from from puppetlabs-firewall.
blueprint undercloud-elements
Change-Id: I0598007f90018f80a3266193bb24dbf112de49b7
|
|
Specifying a destination cidr is already supported by
puppetlabs-firewall, we just need to pass through the parameter in
rule.pp in puppet-tripleo.
This will allow creating iptables rules that forward network traffic for
a given cidr via puppet-tripleo.
Change-Id: I23582a55cd97248be52f45e14de7e813ff499ff7
|
|
Change the workflow to be:
Upgrade all packages before any services that is notified & managed by
Puppet.
It also disable the Exec timeout so we rely on Heat timeout and not on
the 300s that are the default in Puppet [1]
Example: we upgrade and OpenStack config will change (obviously).
Puppet catalog will contain 3 important things:
* config resources
* service resources
* package-upgrade Exec resource
with that patch, what will happen:
* puppet will update config first or second and notify
services
* puppet will run package-upgrade first or second but before
the package-upgrade Exec resource
* at the very end, puppet will restart services
That way, we avoid complications with Puppet dependency cycle issues.
[1] https://docs.puppetlabs.com/references/latest/type.html#exec-attribute-timeout
Closes-Bug: 1536349
Change-Id: I07310bdfc5b07b03ac9fa5f8c13e87eaa2bfef4d
|
|
This updates tripleo::packages so that when enable_upgrade
is used it will:
1) upgrade puppet managed packages (will trigger puppet dependencies)
2) then upgrade all packages via exec
3) then restart services
NOTE: the intention here is that the Exec['update-packages'] will
always execute if enable_upgrade is set. It is not idempotent
in this regard because I think we always want to execute it
if enable_upgrade is set.
Change-Id: I02f7cf07792765359f19fdf357024d9e48690e42
Related-bug: #1522943
|
|
Switch to locp/cassandra module since it has much more options than
midonet/puppet-cassandra and it is already defined on the
openstack-puppet-modules packages in RHEL. More info:
https://bugzilla.redhat.com/show_bug.cgi?id=1285718
Depends-On: I72f21036fda795b54312a7d39f04c30bbf16c41b
Change-Id: Icea9bd96e4c80a26b9e813d383f84099c736d7bf
|
|
Change-Id: Ie2f3e29005570805fbf2ca75a930fab746f5f299
Related-bug: #1517805
Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
|
|
|
|
Change-Id: I10c0d35b473026a5e1ede265099f73c803402adc
Related-bug: #1517805
Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
|
|
Provide TripleO overcloud manifests to deploy MidoNet and the cluster
services that needs to run.
Change-Id: I24f852e74fc4652d4609e1a71897e813448055fe
|
|
Currently firewalling is implemented in tripleo/init.pp this commit
moves it to its own scope tripleo/firewall.pp.
This is done so that in tripleo-heat-templates we can have a simple and
generic `include tripleo::firewall` in every manifest - unconditional.
The rest of the behavior will all be managed by hiera.
If a user wants to enable firewalling:
```
tripleo::firewall::manage_firewall: true
```
If a user wants to specify firewall rules:
```
tripleo::firewall::firewall_rules:
'103 mongod':
port: 27017
```
Change-Id: I144c60db2a568a94dce5b51257f1d10980173325
|
|
* Provide a Define function which will allow to manage IPtables rules.
* Manage rules in 'pre' and 'post' Puppet stages, it allows to create
rules before and after regular Puppet stages (ie: to make sure no rule
exists *before* and everything is blocked *after* regular Puppet
stages)
Change-Id: I84fc79096f6fc3db76a61d012d8cb62dd12bdd89
|