diff options
| -rwxr-xr-x | deployed-server/scripts/get-occ-config.sh | 2 | ||||
| -rw-r--r-- | environments/deployed-server-environment.j2.yaml | 11 | ||||
| -rw-r--r-- | environments/deployed-server-environment.yaml | 4 | ||||
| -rw-r--r-- | puppet/services/kernel.yaml | 2 | ||||
| -rw-r--r-- | releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml | 11 |
5 files changed, 25 insertions, 5 deletions
diff --git a/deployed-server/scripts/get-occ-config.sh b/deployed-server/scripts/get-occ-config.sh index 6c196f97..d0cc4dff 100755 --- a/deployed-server/scripts/get-occ-config.sh +++ b/deployed-server/scripts/get-occ-config.sh @@ -63,7 +63,7 @@ for role in $OVERCLOUD_ROLES; do rg_stack=$(openstack stack resource show overcloud $role -c physical_resource_id -f value) done - stacks=$(openstack stack resource list $rg_stack -c physical_resource_id -f value) + stacks=$(openstack stack resource list $rg_stack -c resource_name -c physical_resource_id -f json | jq -r "sort_by(.resource_name) | .[] | .physical_resource_id") i=0 diff --git a/environments/deployed-server-environment.j2.yaml b/environments/deployed-server-environment.j2.yaml new file mode 100644 index 00000000..327934da --- /dev/null +++ b/environments/deployed-server-environment.j2.yaml @@ -0,0 +1,11 @@ +resource_registry: + OS::TripleO::Server: ../deployed-server/deployed-server.yaml + OS::TripleO::DeployedServer::ControlPlanePort: OS::Neutron::Port + OS::TripleO::DeployedServer::Bootstrap: OS::Heat::None + +{% for role in roles %} + # Default nic config mappings + OS::TripleO::{{role.name}}::Net::SoftwareConfig: ../net-config-static.yaml +{% endfor %} + + OS::TripleO::ControllerDeployedServer::Net::SoftwareConfig: ../net-config-static-bridge.yaml diff --git a/environments/deployed-server-environment.yaml b/environments/deployed-server-environment.yaml deleted file mode 100644 index 7bc1bd9b..00000000 --- a/environments/deployed-server-environment.yaml +++ /dev/null @@ -1,4 +0,0 @@ -resource_registry: - OS::TripleO::Server: ../deployed-server/deployed-server.yaml - OS::TripleO::DeployedServer::ControlPlanePort: OS::Neutron::Port - OS::TripleO::DeployedServer::Bootstrap: OS::Heat::None diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index fec455d1..ee4c771f 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -56,5 +56,7 @@ outputs: value: 10000 kernel.pid_max: value: {get_param: KernelPidMax} + kernel.dmesg_restrict: + value: 1 step_config: | include ::tripleo::profile::base::kernel diff --git a/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml new file mode 100644 index 00000000..c24e8921 --- /dev/null +++ b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml @@ -0,0 +1,11 @@ +--- +upgrade: + - | + The kernel.dmesg_restrict is now set to 1 to prevent exposure of sensitive + kernel address information with unprivileged access. Deployments that set + or depend on values other than 1 for kernel.dmesg_restrict may be affected + by upgrading. +security: + - | + Kernel syslog contains sensitive kernel address information, setting + kernel.dmesg_restrict to avoid unprivileged access to this information. |