summaryrefslogtreecommitdiffstats
path: root/puppet/hieradata
diff options
context:
space:
mode:
authorDan Sneddon <dsneddon@redhat.com>2016-02-07 16:17:09 +0100
committermarios <marios@redhat.com>2016-02-18 12:05:55 +0200
commit68d18fffbeda6fc69b9f123e154e558f72b8bc3f (patch)
treea979af5f97b66172ea5ba628f5518ec45dceda8c /puppet/hieradata
parentfebe32556f87d0a9ca864bdee9db98473d5f2d74 (diff)
Add sysctl settings to disable IPv6 autoconfig and accept_ra
This change adds puppet hieradata settings which disable IPv6 autoconfiguration and accept_ra by default on all interfaces. When IPv6 is used, the interfaces are individually enabled and configured with static IP addresses. The networking on the compute host needs to be completely separate from the tenant networking, in order to safeguard the compute host and isolate tenant traffic. This change disables IPv6 autoconfiguration and acceptance of RAs by default on interfaces unless specifically enabled. Without these settings, IPv6 is enabled on all interfaces, as well as autoconfiguration and accept_ra, so when the compute host creates a bridge interface for the router (qbr-<ID>), the compute node will automatically assign an IPv6 address and will install a default IPv6 route on the bridge interface when it receives the RAs from the Neutron router. The change to turn off autoconfiguration means that interfaces will not self-assign an IPv6 address, and the change to not accept RAs is a security hardening feature. This requires that a static gateway address be declared in the network environment in the parameter ExternalNetworkDefaultRoute. Alternately, sysctl can be modified to change the accept_ra behavior for specific interfaces. Change-Id: I8a8d311a14b41baf6e7e1b8ce26a63abc2eaabef Closes-bug: 1544296
Diffstat (limited to 'puppet/hieradata')
-rw-r--r--puppet/hieradata/common.yaml5
1 files changed, 5 insertions, 0 deletions
diff --git a/puppet/hieradata/common.yaml b/puppet/hieradata/common.yaml
index 52b23513..30645687 100644
--- a/puppet/hieradata/common.yaml
+++ b/puppet/hieradata/common.yaml
@@ -28,6 +28,11 @@ sysctl_settings:
value: 500000
net.netfilter.nf_conntrack_max:
value: 500000
+ # prevent neutron bridges from autoconfiguring ipv6 addresses
+ net.ipv6.conf.default.accept_ra:
+ value: 0
+ net.ipv6.conf.default.autoconf:
+ value: 0
nova::rabbit_heartbeat_timeout_threshold: 60
neutron::rabbit_heartbeat_timeout_threshold: 60