path: root/spec
Age | Commit message | Author | Files | Lines
2016-12-22 | [CVE-2016-9599] Enforce Firewall TCP / UDP rules management | Emilien Macchi | 1 | -2/+15
This closes CVE-2016-9599.

1) Sanitize dynamic HAproxy endpoints firewall rules

Build the hash of firewall rules only when a port is specified. The HAproxy endpoints are using TCP protocol, which means we have to specify a port to the IPtables rules. Some services don't have public network exposure (e.g. Glance Registry), which means they don't need the haproxy_ssl rule. The code prepares the hash depending on the service_port and public_ssl_port parameters and creates the actual firewall rules only if one of those or both parameters are specified. It will prevent new services without public exposure from opening all traffic because no port is specified.

2) Secure Firewall rules creation

The code won't allow creating TCP / UDP IPtables rules in INPUT or OUTPUT chains without port or sport or dport, because doing it would allow an IPtables rule opening all traffic for TCP or UDP. If we try to do that, the Puppet catalog will fail with an error explaining why.

Example of use-cases:
- creating VRRP rules wouldn't require port parameters.
- creating TCP or UDP rules would require port parameters.

3) Allow opening all traffic for TCP / UDP (when desired)

Some use-cases require opening all traffic for all ports on TCP / UDP. It will be possible if the user gives port = 'all' when creating the firewall rule.

Backward compatibility:
- if our users created custom TCP / UDP firewall rules without port parameters, it won't work anymore, for security purposes.
- if our users want to open TCP / UDP for all ports, they need to pass port = 'all' and the rule will be created, though a warning will be displayed because this is insecure.
- if our users created custom VRRP rules without port parameters, it will still work correctly and rules will be created.
- TCP / UDP rules in FORWARD chain without port are still accepted.

Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59
Closes-Bug: #1651831
2016-12-21 | Adds ability to populate SSH Banner text | Luke Hinds | 1 | -0/+30
A puppet manifest to allow the toggle of 'Banner' in sshd_config and enable population of an SSH login banner needed for security compliance such as DISA STIG. If `Bannertext` is set as a parameter, the `Banner` key within sshd_config is toggled to `/etc/issue` and the content is copied into the `/etc/issue` file.
Change-Id: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e
Closes-Bug: #1640306
2016-12-19 | Merge "Disable legacy ceilometer api by default" | Jenkins | 1 | -2/+14
2016-12-17 | Merge "Add tripleo::ui rspec tests" | Jenkins | 1 | -0/+99
2016-12-09 | Disable legacy ceilometer api by default | Pradeep Kilambi | 1 | -2/+14
Ceilometer api is deprecated in Ocata. Let's disable it by default. This can still be enabled by setting the enable_legacy_ceilometer_api param.
Change-Id: Iffb8c2cfed53d8b29e777c35cee44921194239e9
2016-12-09 | Merge "Add cinder profile spec tests" | Jenkins | 21 | -0/+1107
2016-12-09 | Merge "Delete MidoNet deprecated classes and their tests" | Jenkins | 3 | -216/+0
2016-12-07 | Delete MidoNet deprecated classes and their tests | Alejandro Andreu | 3 | -216/+0
MidoNet no longer uses the API component. It has been renamed/refactored to "cluster", as can be seen in the docs at https://blog.midonet.org/introducing-midonet-cluster-services/ Also there is no need to have dedicated Cassandra and Zookeeper classes, as we leverage this through the use of the midonet_openstack puppet module.
Change-Id: I2f17aeeac2d1b121be0d445ff555320d5af5d270
Partial-Bug: #1647302
2016-12-06 | Add tripleo::ui rspec tests | Alex Schultz | 1 | -0/+99
Change-Id: I2eb5b84dbeedde58153bceb707fd15cce8f03d5e
2016-12-05 | Add cinder profile spec tests | Alex Schultz | 21 | -0/+1107
This change adds rspec testing for the cinder profiles within puppet-tripleo. Additionally, while testing, it was found that the backends may incorrectly have an extra comma included in the settings for cinder volume when running puppet 3. This change includes a fix for the cinder volume backends to make sure we are not improperly configuring it with a trailing comma.
Change-Id: Ibdfee330413b6f9aecdf42a5508c21126fc05973
2016-11-28 | Use FQDNs for the services' RabbitMQ configuration | Juan Antonio Osorio Robles | 9 | -10/+10
This replaces the services' IP-based RabbitMQ configuration and uses FQDNs instead.
Change-Id: I2be81aecacf50839a029533247981f5edf59cb7f
2016-11-25 | Merge "Do not configure state matching when using GRE" | Jenkins | 1 | -1/+3
2016-11-24 | Do not configure state matching when using GRE | Brent Eagles | 1 | -1/+3
The firewall rule quite reasonably sets up a default state matching rule but this is invalid for GRE. This patch conditionally adds the state matching if the protocol is not GRE.
Closes-Bug: #1644360
Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7
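The two firewall checks described in this log, the port requirement from the CVE-2016-9599 entry (TCP/UDP rules in INPUT or OUTPUT must carry port, sport or dport, or port = 'all' with a warning; VRRP and FORWARD rules are exempt) and the GRE exception from this entry (no state matching for proto gre), modelled together in plain Ruby as an added example. This is not puppet-tripleo's code: the real logic lives in the tripleo::firewall::rule Puppet define, and the names build_rule, haproxy_rules, FirewallRuleError and the rule Hash layout are assumptions made here.

```ruby
# Added example, not puppet-tripleo's own code. Models the checks from the
# CVE-2016-9599 and "no state matching for GRE" commit messages in plain Ruby.
# FirewallRuleError, build_rule, haproxy_rules and the Hash keys are assumptions.

class FirewallRuleError < StandardError; end

# Rule is a Hash with :proto, :chain and optionally :port, :sport, :dport, :state.
def port_keys(rule)
  %i[port sport dport].select { |k| !rule[k].nil? }
end

# Returns [rule_to_apply, warnings]. Raises when the rule would silently open
# all TCP/UDP traffic in INPUT or OUTPUT because no port was given.
def build_rule(rule)
  rule = rule.dup
  proto = rule.fetch(:proto, 'tcp').to_s.downcase
  chain = rule.fetch(:chain, 'INPUT').to_s.upcase
  warnings = []

  if %w[tcp udp].include?(proto) && %w[INPUT OUTPUT].include?(chain)
    if rule[:port].to_s == 'all'
      # Explicit opt-in: drop the port so iptables matches every port, but warn.
      warnings << "opening all #{proto} ports in chain #{chain} is insecure"
      rule.delete(:port)
    elsif port_keys(rule).empty?
      raise FirewallRuleError,
            "#{proto} rule in #{chain} needs port, sport or dport (or port => 'all')"
    end
  end
  # VRRP and FORWARD-chain rules fall through untouched.

  # Default state matching (NEW) is invalid for GRE, so only add it for other protocols.
  rule[:state] ||= ['NEW'] unless proto == 'gre'

  [rule, warnings]
end

# HAproxy endpoint rules: an entry is built only for a port that is actually set,
# so a service with no public exposure never gets a port-less (all traffic) rule.
def haproxy_rules(service, service_port: nil, public_ssl_port: nil)
  rules = {}
  rules["100 #{service}_haproxy"] = { proto: 'tcp', chain: 'INPUT', dport: service_port } if service_port
  rules["100 #{service}_haproxy_ssl"] = { proto: 'tcp', chain: 'INPUT', dport: public_ssl_port } if public_ssl_port
  rules
end

if __FILE__ == $0
  rule, warnings = build_rule(proto: 'tcp', chain: 'INPUT', port: 'all')
  puts rule.inspect, warnings.inspect
end
```

The check is deliberately keyed on chain as well as protocol: a FORWARD rule without a port is left alone, exactly as the backward-compatibility note in the CVE entry says, and a gre rule comes back without a :state key at all.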
2016-11-17 | Remove Combination alarms support | Pradeep Kilambi | 1 | -16/+0
Combination alarms are completely removed in Ocata. Remove this from tripleo.
Change-Id: Icdf81d2f489db33533a1a0979cba3b5a652535d5
2016-11-11 | Normalize civetweb binding address if IPv6 | Giulio Fidente | 1 | -4/+12
The civetweb binding format is IP:PORT; this change ensures the IP is enclosed in brackets if IPv6. To do so we add the bind_ip and bind_port parameters to the rgw service class.
Change-Id: Ib84fa3479c2598bff7e89ad60a1c7d5f2c22c18c
Co-Authored-By: Lukas Bezdicka <social@v3.sk>
Related-Bug: #1636515
2016-11-11 | Call VF configuration from udev rules | Brent Eagles | 1 | -1/+10
When a physical function that was allocated to a guest is released back to the system, it is not automatically brought "up" and the VF configuration is not restored. This patch creates a file containing some udev rules to force the VF configuration.
Note: we may find that the ifup-local script is no longer required but this will require further testing.
Change-Id: Ie6e78730aa0a748b3b5100ab7c7bc007d8ab176d
Partial-Bug: #1639901
2016-11-01 | Merge "Add barbican profile rspec testing" | Jenkins | 3 | -0/+166
2016-10-19 | Add barbican profile rspec testing | Alex Schultz | 3 | -0/+166
This change adds rspec tests for the barbican profiles to ensure they function as expected.
Change-Id: I73f5405ade2cc73024efbeb2cfbfc831a2120f51
2016-10-17 | Add port to rabbitmq node ip list | Brent Eagles | 2 | -3/+3
We use the rabbit_hosts configuration for most of our services but we haven't been adding the configured port. This patch appends the IP port provided to the service's heat template to the IPs in the list.
Note: while we could use the value set for the rabbitmq server in rabbitmq::port, it doesn't allow for dealing with SSL. This is also backwards compatible with the RabbitClientPort parameters used in the heat templates.
Change-Id: I0000f039144a6b0e98c0a148dc69324f60db3d8b
Closes-Bug: #1633580
2016-10-14 | packages: run upgrade at 'setup' stage | Emilien Macchi | 1 | -3/+2
Instead of using an operator to make sure we upgrade packages before any service, which causes dependency cycles with the iptables puppet module, let's take another approach where we upgrade rpms in the 'setup' stage, which is a stage that runs before configuring and running services. In that way, we'll remove dependency cycles and make sure packages are upgraded before configuring and running TripleO services.
Change-Id: I1be83f88be1959885c980ab4f428477d412751f7
2016-10-07 | Only run ceilometer::db::sync on bootstrap node | Alex Schultz | 1 | -2/+7
The ceilometer::db::sync is included by default in ceilometer::db but we only want it to run on the bootstrap node. This change passes the sync_db parameter to ceilometer::db to manage the db sync process rather than trying to manage the inclusion of ceilometer::db::sync within the profile class.
Change-Id: Ib56db1a90dd6fbfe7582fc57b7728df81942cce2
Closes-Bug: #1629373
2016-10-05 | Add ceph profile rspec testing | Alex Schultz | 6 | -0/+403
This change adds rspec testing for the ceph profiles in puppet-tripleo.
Change-Id: I08954e011848d6b747735f11b3cbff5707460c26
2016-09-30 | Add ceilometer profile rspec testing | Alex Schultz | 5 | -0/+309
This change adds rspec testing for the ceilometer profiles. While writing these tests, the tripleo::profile::base::ceilometer::collector class needed to have the hiera lookups moved to class parameters to allow for testing the possible options around the database backend. These tests add coverage for ipv4 and ipv6 configurations for the collector profile as well as excluding mongodb on the backend.
Change-Id: I1abae040104e8492a9fe266de74080e1e7701731
2016-09-30 | Add aodh profile rspec testing | Alex Schultz | 8 | -1/+349
This change adds rspec testing for the aodh profile and serves as an example as to how to add in spec testing using hieradata to provide some required parameters. This testing adds improved coverage for expectations around computed configuration items as well as for conditions around the steps within the tripleo deployment.
Change-Id: Ic763a544289a222fea97020a98821c1e375651a3
2016-09-23 | Merge "Switch puppet-tripleo to use puppet-openstack_spec_helper" | Jenkins | 1 | -0/+5
2016-09-23 | Merge "Add in rspec-puppet-facts support" | Jenkins | 10 | -181/+132
2016-09-22 | Switch puppet-tripleo to use puppet-openstack_spec_helper | Emilien Macchi | 1 | -0/+5
Align puppet-tripleo with other Puppet OpenStack modules to use puppet-openstack_spec_helper. Here are the benefits:
- Allows using Depends-On between Puppet OpenStack modules and puppet-tripleo, and unit tests will work correctly with dependencies.
- Uses the Puppet OpenStack gemspec file that handles gem dependencies to test the module.
- Allows re-using the ruby helpers that Puppet OpenStack modules have in unit tests, to avoid duplicated code.
- Doesn't manage the .fixtures.yml file; it will be generated by Puppet OpenStack tooling. TripleO dependencies will live in Puppetfile_extras.
Change-Id: Ic66e9f872c57545327a9fb4b8ae86fbf0abbd8be
2016-09-21 | Add in rspec-puppet-facts support | Alex Schultz | 10 | -181/+132
This change pulls in rspec-puppet-facts to provide the basic default facts for puppet-tripleo rspec tests. rspec-puppet-facts provides an easy to use interface to allow for the same set of tests to be executed with multiple sets of operating system facts. In most cases this includes defaults for Debian/RedHat based systems. In puppet-tripleo's case this is just RHEL/CentOS. We are removing the Fedora listing from the metadata.json as we only support RHEL and CentOS for tripleo. This change also updates the existing rspec tests to leverage rspec-puppet-facts to be more consistent with how facts are defined.
Change-Id: I0ddc71799d74ee95b9828aea6a8dcb4abb4e4e62
2016-09-21 | Add FQDN testcase in swift proxy profile rspec tests | Emilien Macchi | 1 | -0/+15
Add more coverage in our unit testing for FQDNs.
Change-Id: I74859cdecc0d81138b2fe986883c4f7c49b8cab3
2016-09-20 | swift: normalize memcache servers IP addresses | Emilien Macchi | 1 | -0/+89
In the case memcache servers are IPv6, make sure brackets are set in the way we construct the list of memcache server + memcache port parameter. Also add unit-tests to test that the output is what we want in the configuration.
Depends-On: I8d361ce9cfcfe6a3f8592b2b7991971a3c748c75
Closes-Bug: 1625335
Change-Id: I9fb8168d8fb56c9d8465d58a45fd8c6edfee6fdd
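Three entries in this log do the same host:port normalisation: the civetweb rgw bind address, the rabbit_hosts list and the swift memcache_servers list all need an IPv6 literal wrapped in brackets before the port is appended, otherwise the colons of the address are indistinguishable from the port separator. The following is an added example in plain Ruby, not puppet-tripleo's own code (which does this in Puppet manifests and spec tests); normalize_endpoint, endpoint_list and the sample addresses are assumptions made here.

```ruby
require 'ipaddr'

# Added example, not puppet-tripleo's own code. Joins a host and a port the way
# the civetweb, rabbit_hosts and memcache_servers commit messages describe:
# IPv6 literals get brackets, IPv4 literals and FQDNs are left as they are.
# Function names and sample values are assumptions.

# Returns "[addr]:port" for an IPv6 literal, "host:port" otherwise.
# An already bracketed address is accepted and not double-wrapped.
def normalize_endpoint(host, port)
  host = host.to_s.strip
  host = host[1..-2] if host.start_with?('[') && host.end_with?(']')
  addr = (IPAddr.new(host) rescue nil) # hostnames/FQDNs are not parseable and yield nil
  # A host containing ':' that IPAddr rejects (e.g. a zone id) is still IPv6 for our purpose.
  if (addr && addr.ipv6?) || host.include?(':')
    "[#{host}]:#{port}"
  else
    "#{host}:#{port}"
  end
end

# Comma separated form used by settings such as rabbit_hosts and memcache_servers.
def endpoint_list(hosts, port)
  hosts.map { |h| normalize_endpoint(h, port) }.join(',')
end

if __FILE__ == $0
  # Constructed sample input, the kind of value tripleo passes in from hieradata.
  puts endpoint_list(%w[fd00:0:0:1::10 fd00:0:0:1::11 10.0.0.12], 11211)
end
```

The FQDN case matters because of the "Use FQDNs for the services' RabbitMQ configuration" entry further up: once hosts are names rather than addresses, the normaliser must pass them through untouched rather than rejecting them.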
2016-08-29 | Configure the numvfs for SRIOV interfaces | karthik s | 4 | -0/+166
This patch shall create VFs via the PCI SYS interface.
Default value: $::os_service_default
Sample Format: ['eth0:4','eth2:128']
For values as in sample format, the sriov_numvfs config files for eth0 and eth2 will have the values 4 and 128 respectively. The SR-IOV numvfs configuration shall be persisted in /sbin/ifup-local so that, during the bootup of the compute nodes, the numvfs configuration will be restored.
Change-Id: I7450b904475bdf46498d9af633416b3eba12f761
Implements: blueprint tripleo-sriov
Signed-off-by: karthik s <ksundara@redhat.com>
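The 'iface:count' list format from this entry, parsed and turned into the sysfs writes it implies, as an added example in plain Ruby. It is not puppet-tripleo's code (which does this through a Puppet type and the ifup-local script); the /sys/class/net/<iface>/device/sriov_numvfs path and the reset-to-zero-before-changing behaviour are the kernel's, while SriovConfigError, numvfs_writes, apply_numvfs and the 1024 sanity cap are assumptions made here.

```ruby
# Added example, not puppet-tripleo's own code. Parses entries like 'eth0:4'
# into sriov_numvfs sysfs writes. Path layout is the kernel's; the names below
# and the 1024 upper bound are assumptions (the real limit is sriov_totalvfs).

SRIOV_SYSFS = '/sys/class/net/%s/device/sriov_numvfs'.freeze
MAX_VFS = 1024 # assumed sanity cap, not a kernel constant

class SriovConfigError < StandardError; end

# "eth0:4" -> ["eth0", 4]. Rejects anything that is not iface:count.
def parse_numvfs_entry(entry)
  m = /\A([A-Za-z0-9_.\-]{1,15}):(\d+)\z/.match(entry.to_s)
  raise SriovConfigError, "bad numvfs entry #{entry.inspect}, expected 'iface:count'" unless m
  iface = m[1]
  count = m[2].to_i # to_i rather than Integer() so '08' is not read as octal
  raise SriovConfigError, "#{iface}: numvfs #{count} exceeds #{MAX_VFS}" if count > MAX_VFS
  [iface, count]
end

# { sysfs_path => count } for every entry. An interface listed twice is an
# error: two conflicting writes at boot would race, and the second would fail.
def numvfs_writes(entries)
  entries.each_with_object({}) do |entry, writes|
    iface, count = parse_numvfs_entry(entry)
    path = SRIOV_SYSFS % iface
    raise SriovConfigError, "#{iface} listed more than once" if writes.key?(path)
    writes[path] = count
  end
end

# sriov_numvfs only accepts a new non-zero value when it is currently 0,
# so each interface is reset first. dry_run returns the shell equivalent,
# which is what a persisted ifup-local would contain.
def apply_numvfs(writes, dry_run: true)
  writes.map do |path, count|
    if dry_run
      "echo 0 > #{path}; echo #{count} > #{path}"
    else
      File.write(path, "0\n")
      File.write(path, "#{count}\n")
      "#{path}=#{count}"
    end
  end
end

if __FILE__ == $0
  puts apply_numvfs(numvfs_writes(['eth0:4', 'eth2:128'])) # sample format from the commit message
end
```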
2016-07-25 | Unit tests for HAproxy dual stack | Emilien Macchi | 1 | -0/+72
Change-Id: I6a959609523bd7fa681cd86522a56fff7c92352b
2016-05-25 | Add lookup_hiera_hash function | Giulio Fidente | 4 | -0/+31
The lookup_hiera_hash function is meant to look up the value of a given key from a given Hiera hash. In the manifests this is possible by saving the value of the hash in a variable first, but when driving lookups from the Heat templates we can't do it.
Change-Id: Ie31bb70314db44a0a18e86090cc74aa4df5de169
2016-05-05 | Add tripleo::selinux | James Slagle | 1 | -0/+106
Adds a class to configure SELinux. The code is taken from puppet-openstack-cloud: https://github.com/redhat-cip/puppet-openstack-cloud This allows sharing the same code for usage by both the Undercloud and Overcloud.
Co-Authored-By: Emilien Macchi <emilien@redhat.com>
Co-Authored-By: Yanis Guenane <yguenane@redhat.com>
blueprint undercloud-elements
Change-Id: If214005df733d41c2fa4e197df247d8a14baaa14
2016-05-05 | Add dport/sport parameter to firewall rule | James Slagle | 1 | -2/+16
The port parameter to puppetlabs-firewall is actually deprecated[1]. This adds support for using the new parameter names dport and sport. The port parameter is still retained in puppet-tripleo for backwards compatibility for anyone using that interface. It is marked deprecated in the documentation, however no deprecation warning is needed because there is already a warning from puppetlabs-firewall.
blueprint undercloud-elements
Change-Id: I0598007f90018f80a3266193bb24dbf112de49b7
2016-04-20 | Add destination parameter to firewall rule | James Slagle | 1 | -1/+6
Specifying a destination cidr is already supported by puppetlabs-firewall, we just need to pass through the parameter in rule.pp in puppet-tripleo. This will allow creating iptables rules that forward network traffic for a given cidr via puppet-tripleo.
Change-Id: I23582a55cd97248be52f45e14de7e813ff499ff7
2016-02-18 | Merge "packages: secure upgrade workflow from dependency cycles" | Jenkins | 1 | -5/+1
2016-01-22 | Drop webmock dependency | Emilien Macchi | 1 | -1/+0
webmock is not used anywhere in puppet-tripleo, let's clean it.
Change-Id: Idd8646e69e31a63791a345765c459d094a23f813
2016-01-20 | packages: secure upgrade workflow from dependency cycles | Emilien Macchi | 1 | -5/+1
Change the workflow to be: Upgrade all packages before any services that are notified & managed by Puppet. It also disables the Exec timeout so we rely on the Heat timeout and not on the 300s that are the default in Puppet [1].

Example: we upgrade and OpenStack config will change (obviously). The Puppet catalog will contain 3 important things:
* config resources
* service resources
* package-upgrade Exec resource

With that patch, what will happen:
* puppet will update config first or second and notify services
* puppet will run package-upgrade first or second but before the package-upgrade Exec resource
* at the very end, puppet will restart services

That way, we avoid complications with Puppet dependency cycle issues.

[1] https://docs.puppetlabs.com/references/latest/type.html#exec-attribute-timeout
Closes-Bug: 1536349
Change-Id: I07310bdfc5b07b03ac9fa5f8c13e87eaa2bfef4d
2015-12-23 | Upgrade all packages after puppet managed ones | Dan Prince | 1 | -0/+52
This updates tripleo::packages so that when enable_upgrade is used it will:
1) upgrade puppet managed packages (will trigger puppet dependencies)
2) then upgrade all packages via exec
3) then restart services
NOTE: the intention here is that the Exec['update-packages'] will always execute if enable_upgrade is set. It is not idempotent in this regard because I think we always want to execute it if enable_upgrade is set.
Change-Id: I02f7cf07792765359f19fdf357024d9e48690e42
Related-bug: #1522943
2015-12-14 | Modify cassandra dependency | Jaume Devesa | 1 | -7/+16
Switch to the locp/cassandra module since it has many more options than midonet/puppet-cassandra and it is already defined in the openstack-puppet-modules packages in RHEL. More info: https://bugzilla.redhat.com/show_bug.cgi?id=1285718
Depends-On: I72f21036fda795b54312a7d39f04c30bbf16c41b
Change-Id: Icea9bd96e4c80a26b9e813d383f84099c736d7bf
2015-12-08 | Merge "Fix unit tests failing against Puppet 4.3.x" | Jenkins | 1 | -0/+1
2015-12-08 | Fix unit tests failing against Puppet 4.3.x | Gael Chamoulaud | 1 | -0/+1
Change-Id: Ie2f3e29005570805fbf2ca75a930fab746f5f299
Related-bug: #1517805
Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
2015-12-01 | Remove `validate_ip_address` validator. | Jaume Devesa | 1 | -46/+0
It is already merged in the puppetlabs-stdlib module: https://github.com/puppetlabs/puppetlabs-stdlib/commit/88a9a314c3e9cccbea5add95081655f2c14ec4c1 And we don't need to carry this validation anymore.
Change-Id: I2cee12e7601c546e616e2c249157e7739af29490
2015-11-30 | Merge "Fix unit tests failing against Puppet 4.3.0" | Jenkins | 1 | -1/+4
2015-11-25 | Fix unit tests failing against Puppet 4.3.0 | Gael Chamoulaud | 1 | -1/+4
Change-Id: I10c0d35b473026a5e1ede265099f73c803402adc
Related-bug: #1517805
Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
2015-11-23 | MidoNet services manifests | Jaume Devesa | 6 | -0/+343
Provide TripleO overcloud manifests to deploy MidoNet and the cluster services that need to run.
Change-Id: I24f852e74fc4652d4609e1a71897e813448055fe
2015-09-11 | Merge "Initial msync run for all Puppet OpenStack modules" | Jenkins | 7 | -0/+112
2015-09-03 | Add package_manifest resource. | Dan Prince | 1 | -0/+37
This patch converts the write_package_names function into a proper resource. Using write_package_names only works if the function comes last in the puppet manifest. By making the same functionality a custom resource we allow for it to exist anywhere in the manifest and provide the same functionality. The new syntax would be: `package_manifest{'/tmp/foo': ensure => present}`
Co-Authored-By: Martin Mágr <mmagr@redhat.com>
Change-Id: If3e03b1983fed47082fac8ce63f975557dbc503c
2015-08-18 | Initial msync run for all Puppet OpenStack modules | Cody Herriges | 7 | -0/+112
This patch is the initial modulesync run, it impacts:
* gitignore: just a sync between projects
* gemfile:
  - update and allow to setup facter version and gem source
  - split beaker gems with a dedicated group
  - switch to rspec-puppet 2.2.0
* rakefile:
  - use the new syntax for lint configuration
  - add an acceptance target
* acceptance:
  - sync nodesets
  - update tests in order to use zuul-cloner
* spec: added rspec coverage report
Change-Id: Iadefbe2cc0525224e9917c6712712c67ce1e0fff