| author | Dan Sneddon <dsneddon@redhat.com> | 2016-02-07 16:17:09 +0100 |
|---|---|---|
| committer | marios <marios@redhat.com> | 2016-02-18 12:05:55 +0200 |
| commit | 68d18fffbeda6fc69b9f123e154e558f72b8bc3f (patch) | |
| tree | a979af5f97b66172ea5ba628f5518ec45dceda8c /puppet | |
| parent | febe32556f87d0a9ca864bdee9db98473d5f2d74 (diff) | |
Add sysctl settings to disable IPv6 autoconfig and accept_ra
This change adds puppet hieradata settings which disable IPv6
autoconfiguration and accept_ra by default on all interfaces.
When IPv6 is used, the interfaces are individually enabled and
configured with static IP addresses.
The networking on the compute host needs to be completely
separate from the tenant networking, in order to safeguard the
compute host and isolate tenant traffic. This change disables
IPv6 autoconfiguration and acceptance of RAs by default on
interfaces unless specifically enabled.
Without these settings, IPv6 is enabled on all interfaces, as well
as autoconfiguration and accept_ra, so when the compute host
creates a bridge interface for the router (qbr-<ID>), the
compute node will automatically assign an IPv6 address and will
install a default IPv6 route on the bridge interface when it
receives the RAs from the Neutron router.
The change to turn off autoconfiguration means that interfaces
will not self-assign an IPv6 address, and the change to not accept
RAs is a security hardening feature. This requires that a
static gateway address be declared in the network environment
in the parameter ExternalNetworkDefaultRoute. Alternately, sysctl
can be modified to change the accept_ra behavior for specific
interfaces.
Change-Id: I8a8d311a14b41baf6e7e1b8ce26a63abc2eaabef
Closes-bug: 1544296
Diffstat (limited to 'puppet')

| -rw-r--r-- | puppet/hieradata/common.yaml | 5 |
|---|---|---|

1 files changed, 5 insertions, 0 deletions
diff --git a/puppet/hieradata/common.yaml b/puppet/hieradata/common.yaml index 52b23513..30645687 100644 --- a/puppet/hieradata/common.yaml +++ b/puppet/hieradata/common.yaml @@ -28,6 +28,11 @@ sysctl_settings: value: 500000 net.netfilter.nf_conntrack_max: value: 500000 + # prevent neutron bridges from autoconfiguring ipv6 addresses + net.ipv6.conf.default.accept_ra: + value: 0 + net.ipv6.conf.default.autoconf: + value: 0 nova::rabbit_heartbeat_timeout_threshold: 60 neutron::rabbit_heartbeat_timeout_threshold: 60 |
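Review bot: the two added keys only touch `net.ipv6.conf.default.accept_ra` and `net.ipv6.conf.default.autoconf`, and the `default.*` tree is copied into an interface only at the moment that interface is created. Interfaces that already exist when puppet applies `sysctl_settings` (the host NICs, existing `qbr-<ID>` bridges on a node being updated) keep whatever `accept_ra`/`autoconf` they have, so the commit message's "disable ... by default on all interfaces" is broader than what this hunk enforces. If the intent is to cover interfaces that already exist, add the matching `net.ipv6.conf.all.accept_ra: value: 0` and `net.ipv6.conf.all.autoconf: value: 0` entries alongside these two; if the intent really is only bridges created later, say so in the comment (`# prevent neutron bridges from autoconfiguring ipv6 addresses` reads as if it also covers the existing ones). Either way the hieradata comment should mention that a static `ExternalNetworkDefaultRoute` is now required, since nothing in the YAML itself hints at that dependency.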