author | Jenkins <jenkins@review.openstack.org> | 2017-04-12 16:39:47 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2017-04-12 16:39:47 +0000 |
commit | 2f230e077577fe63d710f6aade4920d83c17de65 (patch) | |
tree | 62ed871c0f7cbc75902bcd490e9fc200e48542b2 | |
parent | af4f4caf70d9493c2a0719ff06c8b46d302e362c (diff) | |
parent | d22484d389b1e2f5e9dd9ea6d9f4196effa31f1c (diff) |
Merge "Add IPv6 disable option"
-rw-r--r-- | puppet/services/kernel.yaml | 8 | ||||
-rw-r--r-- | releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml | 7 |
2 files changed, 15 insertions, 0 deletions
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index 94b15d4b..2a335b67 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -22,6 +22,10 @@ parameters:
 default: 1048576
 description: Configures sysctl kernel.pid_max key
 type: number
+ KernelDisableIPv6:
+ default: 0
+ description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys
+ type: number
 outputs:
 role_data:
@@ -57,6 +61,10 @@ outputs:
 value: 500000
 net.netfilter.nf_conntrack_max:
 value: 500000
+ net.ipv6.conf.default.disable_ipv6:
+ value: {get_param: KernelDisableIPv6}
+ net.ipv6.conf.all.disable_ipv6:
+ value: {get_param: KernelDisableIPv6}
 # prevent neutron bridges from autoconfiguring ipv6 addresses
 net.ipv6.conf.all.accept_ra:
 value: 0
diff --git a/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml
new file mode 100644
index 00000000..8b57f587
--- /dev/null
+++ b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml
@@ -0,0 +1,7 @@
+---
+security:
+ - |
+ Add IPv6 disable option and make it configurable for user to disable IPv6
+ when it's not used, this will descrease the risk of ipv6 attack.
+ Both net.ipv6.conf.default.disable_ipv6 & net.ipv6.conf.all.disable_ipv6
+ will be explicitly set to the default value (0) which is enabled.
|
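Review bot: `KernelDisableIPv6` is declared as an unconstrained `number`, so any value (2, -1, 0.5) is passed straight through to the two disable_ipv6 sysctls. Since the kernel knob is a 0/1 switch, the parameter should carry a constraint such as `constraints: [{allowed_values: [0, 1]}]`, so a typo is rejected when the stack parameters are validated instead of reaching the node. The description also names the keys as `net.ipv6.{default/all}.disable_ipv6`, dropping the `conf` component; I would write `description: Set to 1 to disable IPv6 via sysctl net.ipv6.conf.{default,all}.disable_ipv6 (0 leaves IPv6 enabled)`. The parameters block starts outside the hunk.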
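Review bot: The two new disable_ipv6 entries in the second kernel.yaml hunk have no comment, while the accept_ra entry directly below them explains its purpose, and nothing here warns that setting the parameter to 1 switches IPv6 off on every interface of the node. On a deployment where any overcloud network or service endpoint uses IPv6 that would presumably cut those services off, so I would add `# 1 disables IPv6 on all existing and future interfaces; leave at 0 if any overcloud network uses IPv6` above the first key. The sysctl settings map starts and ends outside the hunk.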