From f8ca94a5b7c7658631f5b0a9b010251ebbcff65e Mon Sep 17 00:00:00 2001 From: Oliver Walsh Date: Wed, 19 Apr 2017 14:39:42 +0100 Subject: Restrict nova migration ssh tunnel This change enhances the security of the migration ssh tunnel: - The ssh authorized_keys file is only writeable by root. - Creates a new user for migration instead of using root/nova. - Disables SSH forwarding for this user. - Optionally restricts the networks that this user can connect from. - Uses an ssh wrapper command to whitelist the commands that this user can run over ssh. Requires the openstack-nova-migration package from https://review.rdoproject.org/r/6327 bp tripleo-cold-migration Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293 --- spec/fixtures/hieradata/default.yaml | 1 + 1 file changed, 1 insertion(+) (limited to 'spec/fixtures') diff --git a/spec/fixtures/hieradata/default.yaml b/spec/fixtures/hieradata/default.yaml index 873a49e..3cf2693 100644 --- a/spec/fixtures/hieradata/default.yaml +++ b/spec/fixtures/hieradata/default.yaml @@ -44,3 +44,4 @@ memcached_node_ips: # octavia related items octavia::rabbit_password: 'password' horizon::secret_key: 'secrete' +service_names: ['sshd'] -- cgit 1.2.3-korg