From f8ca94a5b7c7658631f5b0a9b010251ebbcff65e Mon Sep 17 00:00:00 2001
From: Oliver Walsh <owalsh@redhat.com>
Date: Wed, 19 Apr 2017 14:39:42 +0100
Subject: Restrict nova migration ssh tunnel

This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run
  over ssh.

Requires the openstack-nova-migration package from
https://review.rdoproject.org/r/6327

bp tripleo-cold-migration

Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
---
 spec/fixtures/hieradata/default.yaml | 1 +
 1 file changed, 1 insertion(+)

(limited to 'spec/fixtures/hieradata/default.yaml')

diff --git a/spec/fixtures/hieradata/default.yaml b/spec/fixtures/hieradata/default.yaml
index 873a49e..3cf2693 100644
--- a/spec/fixtures/hieradata/default.yaml
+++ b/spec/fixtures/hieradata/default.yaml
@@ -44,3 +44,4 @@ memcached_node_ips:
 # octavia related items
 octavia::rabbit_password: 'password'
 horizon::secret_key: 'secrete'
+service_names: ['sshd']
-- 
cgit 1.2.3-korg