author | zshi <zshi@redhat.com> | 2017-04-06 18:11:26 +0800 |
---|---|---|
committer | zshi <zshi@redhat.com> | 2017-04-11 15:29:04 +0800 |
commit | d22484d389b1e2f5e9dd9ea6d9f4196effa31f1c (patch) | |
tree | 04be32083bd352266c8f2d03163ea5237339b5c2 /puppet | |
parent | e10ddcc3d2cbbd27b77a528a643adf7ca334c08e (diff) |
Add IPv6 disable option
This gives the user the ability to set these values.
If IPv6 is not to be used, it is recommended that it be
disabled to reduce the attack surface of the system.
Change-Id: Ib3142cce49b93a421ca142a59961ce49a77e66b1
Co-Authored-By: Luke Hinds <lhinds@redhat.com>
Signed-off-by: zshi <zshi@redhat.com>
Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/services/kernel.yaml | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index 9b314b2a..12255614 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -22,6 +22,10 @@ parameters:
 default: 1048576
 description: Configures sysctl kernel.pid_max key
 type: number
+ KernelDisableIPv6:
+ default: 0
+ description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys
+ type: number
 outputs:
 role_data:
@@ -57,6 +61,10 @@ outputs:
 value: 500000
 net.netfilter.nf_conntrack_max:
 value: 500000
+ net.ipv6.conf.default.disable_ipv6:
+ value: {get_param: KernelDisableIPv6}
+ net.ipv6.conf.all.disable_ipv6:
+ value: {get_param: KernelDisableIPv6}
 # prevent neutron bridges from autoconfiguring ipv6 addresses
 net.ipv6.conf.all.accept_ra:
 value: 0 |
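Review bot: `KernelDisableIPv6` in the first hunk is declared as a bare `type: number` with no constraint, although the two sysctl keys it feeds are documented as booleans, so any other number is passed through to sysctl unchecked. I would add a `constraints:` entry with `- allowed_values: [0, 1]` under the parameter. The description also writes the keys as `net.ipv6.{default/all}.disable_ipv6`, dropping the `conf` component that the second hunk uses; `Configures sysctl net.ipv6.conf.{default,all}.disable_ipv6 keys (1 disables IPv6)` would match the real key names and state which value hardens the host. The `parameters:` block starts outside the hunk.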
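Review bot: The two `disable_ipv6` keys added in the second hunk carry no comment, unlike the `accept_ra` entry directly below them, so a reader has to infer why both `default` and `all` are set. I would add `# KernelDisableIPv6=1 turns IPv6 off on existing interfaces (all) and on interfaces created later (default)` above them. Nothing visible in this hunk checks whether the deployment's own networks use IPv6, so setting the parameter to 1 on such a deployment would presumably remove those addresses; one sentence in the parameter description would warn operators before they enable it. The sysctl map these keys belong to starts and ends outside the hunk.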