summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rwxr-xr-xdeployed-server/scripts/get-occ-config.sh2
-rw-r--r--docker/services/keystone.yaml55
-rw-r--r--docker/services/nova-api.yaml3
-rw-r--r--environments/deployed-server-environment.j2.yaml11
-rw-r--r--environments/deployed-server-environment.yaml4
-rw-r--r--overcloud.j2.yaml24
-rw-r--r--puppet/services/kernel.yaml2
-rw-r--r--releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml11
8 files changed, 48 insertions, 64 deletions
diff --git a/deployed-server/scripts/get-occ-config.sh b/deployed-server/scripts/get-occ-config.sh
index 6c196f97..d0cc4dff 100755
--- a/deployed-server/scripts/get-occ-config.sh
+++ b/deployed-server/scripts/get-occ-config.sh
@@ -63,7 +63,7 @@ for role in $OVERCLOUD_ROLES; do
rg_stack=$(openstack stack resource show overcloud $role -c physical_resource_id -f value)
done
- stacks=$(openstack stack resource list $rg_stack -c physical_resource_id -f value)
+ stacks=$(openstack stack resource list $rg_stack -c resource_name -c physical_resource_id -f json | jq -r "sort_by(.resource_name) | .[] | .physical_resource_id")
i=0
diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index b7da3cb8..0597b906 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -46,9 +46,6 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
-conditions:
- keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
-
outputs:
role_data:
description: Role data for the Keystone API role.
@@ -76,53 +73,6 @@ outputs:
kolla_config:
/var/lib/kolla/config_files/keystone.json:
command: /usr/sbin/httpd -DFOREGROUND
- config_files:
- - dest: /etc/keystone/keystone.conf
- owner: keystone
- perm: '0640'
- source: /var/lib/kolla/config_files/src/etc/keystone/keystone.conf
- - dest: /etc/keystone/credential-keys/0
- owner: keystone
- perm: '0600'
- source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/0
- - dest: /etc/keystone/credential-keys/1
- owner: keystone
- perm: '0600'
- source: /var/lib/kolla/config_files/src/etc/keystone/credential-keys/1
- - dest: /etc/keystone/fernet-keys/0
- owner: keystone
- perm: '0600'
- source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/0
- optional: {if: [keystone_fernet_tokens, false, true]}
- - dest: /etc/keystone/fernet-keys/1
- owner: keystone
- perm: '0600'
- source: /var/lib/kolla/config_files/src/etc/keystone/fernet-keys/1
- optional: {if: [keystone_fernet_tokens, false, true]}
- - dest: /etc/httpd/conf.d/10-keystone_wsgi_admin.conf
- owner: root
- perm: '0644'
- source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-keystone_wsgi_admin.conf
- - dest: /etc/httpd/conf.d/10-keystone_wsgi_main.conf
- owner: root
- perm: '0644'
- source: /var/lib/kolla/config_files/src/etc/httpd/conf.d/10-keystone_wsgi_main.conf
- - dest: /etc/httpd/conf/httpd.conf
- owner: root
- perm: '0644'
- source: /var/lib/kolla/config_files/src/etc/httpd/conf/httpd.conf
- - dest: /etc/httpd/conf/ports.conf
- owner: root
- perm: '0644'
- source: /var/lib/kolla/config_files/src/etc/httpd/conf/ports.conf
- - dest: /var/www/cgi-bin/keystone/keystone-admin
- owner: keystone
- perm: '0644'
- source: /var/lib/kolla/config_files/src/var/www/cgi-bin/keystone/keystone-admin
- - dest: /var/www/cgi-bin/keystone/keystone-public
- owner: keystone
- perm: '0644'
- source: /var/lib/kolla/config_files/src/var/www/cgi-bin/keystone/keystone-public
docker_config:
step_3:
keystone-init-log:
@@ -140,8 +90,9 @@ outputs:
detach: false
volumes: &keystone_volumes
- /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
- - /var/lib/config-data/keystone/:/var/lib/kolla/config_files/src:ro
- - /var/lib/config-data/keystone/etc/httpd/conf.modules.d:/etc/httpd/conf.modules.d:ro
+ - /var/lib/config-data/keystone/var/www/:/var/www/:ro
+ - /var/lib/config-data/keystone/etc/keystone/:/etc/keystone/:ro
+ - /var/lib/config-data/keystone/etc/httpd/:/etc/httpd/:ro
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
- logs:/var/log
diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml
index 9e203b7a..e5c78d6c 100644
--- a/docker/services/nova-api.yaml
+++ b/docker/services/nova-api.yaml
@@ -134,8 +134,9 @@ outputs:
- /etc/localtime:/etc/localtime:ro
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ step_5:
nova_api_discover_hosts:
- start_order: 3
+ start_order: 1
image: *nova_api_image
net: host
detach: false
diff --git a/environments/deployed-server-environment.j2.yaml b/environments/deployed-server-environment.j2.yaml
new file mode 100644
index 00000000..327934da
--- /dev/null
+++ b/environments/deployed-server-environment.j2.yaml
@@ -0,0 +1,11 @@
+resource_registry:
+ OS::TripleO::Server: ../deployed-server/deployed-server.yaml
+ OS::TripleO::DeployedServer::ControlPlanePort: OS::Neutron::Port
+ OS::TripleO::DeployedServer::Bootstrap: OS::Heat::None
+
+{% for role in roles %}
+ # Default nic config mappings
+ OS::TripleO::{{role.name}}::Net::SoftwareConfig: ../net-config-static.yaml
+{% endfor %}
+
+ OS::TripleO::ControllerDeployedServer::Net::SoftwareConfig: ../net-config-static-bridge.yaml
diff --git a/environments/deployed-server-environment.yaml b/environments/deployed-server-environment.yaml
deleted file mode 100644
index 7bc1bd9b..00000000
--- a/environments/deployed-server-environment.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-resource_registry:
- OS::TripleO::Server: ../deployed-server/deployed-server.yaml
- OS::TripleO::DeployedServer::ControlPlanePort: OS::Neutron::Port
- OS::TripleO::DeployedServer::Bootstrap: OS::Heat::None
diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml
index e99f770f..7b780112 100644
--- a/overcloud.j2.yaml
+++ b/overcloud.j2.yaml
@@ -579,12 +579,24 @@ resources:
PingTestIps:
list_join:
- ' '
- - - {get_attr: [{{primary_role_name}}, resource.0.external_ip_address]}
- - {get_attr: [{{primary_role_name}}, resource.0.internal_api_ip_address]}
- - {get_attr: [{{primary_role_name}}, resource.0.storage_ip_address]}
- - {get_attr: [{{primary_role_name}}, resource.0.storage_mgmt_ip_address]}
- - {get_attr: [{{primary_role_name}}, resource.0.tenant_ip_address]}
- - {get_attr: [{{primary_role_name}}, resource.0.management_ip_address]}
+ - - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [Controller, external_ip_address]}
+ - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [Controller, internal_api_ip_address]}
+ - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [Controller, storage_ip_address]}
+ - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [Controller, storage_mgmt_ip_address]}
+ - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [Controller, tenant_ip_address]}
+ - yaql:
+ expression: coalesce($.data, []).first(null)
+ data: {get_attr: [Controller, management_ip_address]}
UpdateWorkflow:
type: OS::TripleO::Tasks::UpdateWorkflow
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index fec455d1..ee4c771f 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -56,5 +56,7 @@ outputs:
value: 10000
kernel.pid_max:
value: {get_param: KernelPidMax}
+ kernel.dmesg_restrict:
+ value: 1
step_config: |
include ::tripleo::profile::base::kernel
diff --git a/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml
new file mode 100644
index 00000000..c24e8921
--- /dev/null
+++ b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml
@@ -0,0 +1,11 @@
+---
+upgrade:
+ - |
+ The kernel.dmesg_restrict is now set to 1 to prevent exposure of sensitive
+ kernel address information with unprivileged access. Deployments that set
+ or depend on values other than 1 for kernel.dmesg_restrict may be affected
+ by upgrading.
+security:
+ - |
+ Kernel syslog contains sensitive kernel address information, setting
+ kernel.dmesg_restrict to avoid unprivileged access to this information.