summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--README.rst6
-rw-r--r--ci/environments/multinode-3nodes.yaml2
-rw-r--r--ci/environments/scenario001-multinode.yaml11
-rw-r--r--docker/services/ironic-conductor.yaml5
-rw-r--r--puppet/major_upgrade_steps.j2.yaml14
-rw-r--r--puppet/services/kernel.yaml18
-rw-r--r--puppet/services/swift-proxy.yaml33
-rw-r--r--releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml19
-rw-r--r--releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml9
9 files changed, 101 insertions, 16 deletions
diff --git a/README.rst b/README.rst
index e2b59c59..51a21f6b 100644
--- a/README.rst
+++ b/README.rst
@@ -128,3 +128,9 @@ and should be executed according to the following table:
+----------------+-------------+-------------+-------------+-------------+-----------------+
| manila | | | | X | |
+----------------+-------------+-------------+-------------+-------------+-----------------+
+| collectd | X | | | | |
++----------------+-------------+-------------+-------------+-------------+-----------------+
+| fluentd | X | | | | |
++----------------+-------------+-------------+-------------+-------------+-----------------+
+| sensu-client | X | | | | |
++----------------+-------------+-------------+-------------+-------------+-----------------+
diff --git a/ci/environments/multinode-3nodes.yaml b/ci/environments/multinode-3nodes.yaml
index d6e2376a..8307db96 100644
--- a/ci/environments/multinode-3nodes.yaml
+++ b/ci/environments/multinode-3nodes.yaml
@@ -24,7 +24,6 @@
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CinderApi
- OS::TripleO::Services::CinderScheduler
- - OS::TripleO::Services::Core
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::Keystone
- OS::TripleO::Services::GlanceApi
@@ -63,7 +62,6 @@
- OS::TripleO::Services::CACerts
- OS::TripleO::Services::CinderBackup
- OS::TripleO::Services::CinderVolume
- - OS::TripleO::Services::Core
- OS::TripleO::Services::Kernel
- OS::TripleO::Services::MySQL
- OS::TripleO::Services::MySQLClient
diff --git a/ci/environments/scenario001-multinode.yaml b/ci/environments/scenario001-multinode.yaml
index 29ca3898..63e51e29 100644
--- a/ci/environments/scenario001-multinode.yaml
+++ b/ci/environments/scenario001-multinode.yaml
@@ -18,6 +18,8 @@ resource_registry:
OS::TripleO::Tasks::ControllerPrePuppet: ../../extraconfig/tasks/pre_puppet_pacemaker.yaml
OS::TripleO::Tasks::ControllerPostPuppet: ../../extraconfig/tasks/post_puppet_pacemaker.yaml
OS::TripleO::Tasks::ControllerPostPuppetRestart: ../../extraconfig/tasks/post_puppet_pacemaker_restart.yaml
+ OS::TripleO::Services::FluentdClient: /usr/share/openstack-tripleo-heat-templates/puppet/services/logging/fluentd-client.yaml
+ OS::TripleO::Services::SensuClient: /usr/share/openstack-tripleo-heat-templates/puppet/services/monitoring/sensu-client.yaml
parameter_defaults:
ControllerServices:
@@ -80,6 +82,9 @@ parameter_defaults:
- OS::TripleO::Services::Congress
- OS::TripleO::Services::TripleoPackages
- OS::TripleO::Services::TripleoFirewall
+ - OS::TripleO::Services::FluentdClient
+ - OS::TripleO::Services::SensuClient
+
ControllerExtraConfig:
nova::compute::libvirt::services::libvirt_virt_type: qemu
nova::compute::libvirt::libvirt_virt_type: qemu
@@ -113,3 +118,9 @@ parameter_defaults:
******************************************************************
CollectdExtraPlugins:
- rrdtool
+ LoggingServers:
+ - host: 127.0.0.1
+ port: 24224
+ MonitoringRabbitHost: 127.0.0.1
+ MonitoringRabbitPort: 5676
+ MonitoringRabbitPassword: sensu
diff --git a/docker/services/ironic-conductor.yaml b/docker/services/ironic-conductor.yaml
index f07fb47c..3047f30b 100644
--- a/docker/services/ironic-conductor.yaml
+++ b/docker/services/ironic-conductor.yaml
@@ -72,10 +72,7 @@ outputs:
/var/lib/kolla/config_files/ironic_conductor.json:
command: /usr/bin/ironic-conductor
permissions:
- - path: /var/lib/ironic/httpboot
- owner: ironic:ironic
- recurse: true
- - path: /var/lib/ironic/tftpboot
+ - path: /var/lib/ironic
owner: ironic:ironic
recurse: true
docker_config:
diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml
index 5aba90e8..e4d1e2a0 100644
--- a/puppet/major_upgrade_steps.j2.yaml
+++ b/puppet/major_upgrade_steps.j2.yaml
@@ -40,11 +40,6 @@ conditions:
equals:
- {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]}
- []
- {{role.name}}UpgradeConfigEnabled:
- not:
- equals:
- - {get_param: [role_data, {{role.name}}, upgrade_tasks]}
- - []
{%- endfor %}
resources:
@@ -188,7 +183,6 @@ resources:
# do, and there should be minimal performance hit (creating the
# config is cheap compared to the time to apply the deployment).
{%- if step > 0 %}
- condition: {{role.name}}UpgradeConfigEnabled
{% if role.name in enabled_roles %}
depends_on:
- {{role.name}}Upgrade_Step{{step -1}}
@@ -204,9 +198,13 @@ resources:
{{role.name}}Upgrade_Step{{step}}:
type: OS::Heat::SoftwareDeploymentGroup
{%- if step > 0 %}
- condition: {{role.name}}UpgradeConfigEnabled
+ # Make sure we wait that all roles have finished their own
+ # previous step before going to the next, so we can guarantee
+ # state for each steps.
depends_on:
- - {{role.name}}Upgrade_Step{{step -1}}
+ {%- for role_inside in enabled_roles %}
+ - {{role_inside.name}}Upgrade_Step{{step -1}}
+ {%- endfor %}
{%- endif %}
properties:
name: {{role.name}}Upgrade_Step{{step}}
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index bc4380a5..9b314b2a 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -39,6 +39,20 @@ outputs:
value: 5
net.ipv4.tcp_keepalive_time:
value: 5
+ net.ipv4.conf.default.send_redirects:
+ value: 0
+ net.ipv4.conf.all.send_redirects:
+ value: 0
+ net.ipv4.conf.default.accept_redirects:
+ value: 0
+ net.ipv4.conf.default.secure_redirects:
+ value: 0
+ net.ipv4.conf.all.secure_redirects:
+ value: 0
+ net.ipv4.conf.default.log_martians:
+ value: 1
+ net.ipv4.conf.all.log_martians:
+ value: 1
net.nf_conntrack_max:
value: 500000
net.netfilter.nf_conntrack_max:
@@ -52,6 +66,10 @@ outputs:
value: 0
net.ipv6.conf.default.autoconf:
value: 0
+ net.ipv6.conf.default.accept_redirects:
+ value: 0
+ net.ipv6.conf.all.accept_redirects:
+ value: 0
net.core.netdev_max_backlog:
value: 10000
kernel.pid_max:
diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml
index 0c3cc1ec..0ecc942c 100644
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@@ -63,10 +63,14 @@ parameters:
Rabbit client subscriber parameter to specify
an SSL connection to the RabbitMQ host.
type: string
+ EnableInternalTLS:
+ type: boolean
+ default: false
conditions:
ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, True]}
+ use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
resources:
SwiftBase:
@@ -76,6 +80,14 @@ resources:
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
+ TLSProxyBase:
+ type: OS::TripleO::Services::TLSProxyBase
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
+
outputs:
role_data:
description: Role data for the Swift proxy service.
@@ -85,7 +97,7 @@ outputs:
config_settings:
map_merge:
- get_attr: [SwiftBase, role_data, config_settings]
-
+ - get_attr: [TLSProxyBase, role_data, config_settings]
- swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
swift::proxy::authtoken::password: {get_param: SwiftPassword}
@@ -146,7 +158,22 @@ outputs:
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
- swift::proxy::proxy_local_net_ip: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
+ tripleo::profile::base::swift::proxy::tls_proxy_bind_ip:
+ get_param: [ServiceNetMap, SwiftProxyNetwork]
+ tripleo::profile::base::swift::proxy::tls_proxy_fqdn:
+ str_replace:
+ template:
+ "%{hiera('fqdn_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
+ tripleo::profile::base::swift::proxy::tls_proxy_port:
+ get_param: [EndpointMap, SwiftInternal, port]
+ swift::proxy::port: {get_param: [EndpointMap, SwiftInternal, port]}
+ swift::proxy::proxy_local_net_ip:
+ if:
+ - use_tls_proxy
+ - 'localhost'
+ - {get_param: [ServiceNetMap, SwiftProxyNetwork]}
step_config: |
include ::tripleo::profile::base::swift::proxy
service_config_settings:
@@ -169,3 +196,5 @@ outputs:
- name: Stop swift_proxy service
tags: step1
service: name=openstack-swift-proxy state=stopped
+ metadata_settings:
+ get_attr: [TLSProxyBase, role_data, metadata_settings]
diff --git a/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml
new file mode 100644
index 00000000..0f226a84
--- /dev/null
+++ b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml
@@ -0,0 +1,19 @@
+---
+upgrade:
+ - The net.ipv4.conf.default.send_redirects & net.ipv4.conf.all.send_redirects
+ are now set to 0 to prevent a compromised host from sending invalid ICMP
+ redirects to other router devices.
+ - The net.ipv4.conf.default.accept_redirects,
+ net.ipv6.conf.default.accept_redirects & net.ipv6.conf.all.accept_redirects
+ are now set to 0 to prevent forged ICMP packet from altering host's routing
+ tables.
+ - The net.ipv4.conf.default.secure_redirects &
+ net.ipv4.conf.all.secure_redirects are now set to 0 to disable acceptance
+ of secure ICMP redirected packets.
+security:
+ - Invalide ICMP redirects may corrupt routing and have users access a system
+ set up by the attacker as opposed to a valid system.
+ - Routing tables may be altered by bogus ICMP redirect messages and send
+ packets to incorrect networks.
+ - Secure ICMP redirects are the same as ICMP redirects, except they come from
+ gateways listed on the default gateway list.
diff --git a/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml
new file mode 100644
index 00000000..bb2543f2
--- /dev/null
+++ b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+ - |
+ The net.ipv4.conf.default.log_martians & net.ipv4.conf.all.log_martians are
+ now set to 1 to enable logging of suspicious packets.
+security:
+ - |
+ Logging of suspicious packets allows an administrator to investigate the
+ spoofed packets sent to their system.