6 files changed, 59 insertions, 8 deletions

diff --git a/README.rst b/README.rst
index 6097ca85..51a21f6b 100644
--- a/README.rst
+++ b/README.rst
@@ -132,3 +132,5 @@ and should be executed according to the following table:
 +----------------+-------------+-------------+-------------+-------------+-----------------+
 | fluentd        |      X      |             |             |             |                 |
 +----------------+-------------+-------------+-------------+-------------+-----------------+
+| sensu-client   |      X      |             |             |             |                 |
++----------------+-------------+-------------+-------------+-------------+-----------------+
diff --git a/ci/environments/scenario001-multinode.yaml b/ci/environments/scenario001-multinode.yaml
index 1d11859d..63e51e29 100644
--- a/ci/environments/scenario001-multinode.yaml
+++ b/ci/environments/scenario001-multinode.yaml
@@ -19,6 +19,7 @@ resource_registry:
   OS::TripleO::Tasks::ControllerPostPuppet: ../../extraconfig/tasks/post_puppet_pacemaker.yaml
   OS::TripleO::Tasks::ControllerPostPuppetRestart: ../../extraconfig/tasks/post_puppet_pacemaker_restart.yaml
   OS::TripleO::Services::FluentdClient: /usr/share/openstack-tripleo-heat-templates/puppet/services/logging/fluentd-client.yaml
+  OS::TripleO::Services::SensuClient: /usr/share/openstack-tripleo-heat-templates/puppet/services/monitoring/sensu-client.yaml
 
 parameter_defaults:
   ControllerServices:
@@ -82,6 +83,7 @@ parameter_defaults:
     - OS::TripleO::Services::TripleoPackages
     - OS::TripleO::Services::TripleoFirewall
     - OS::TripleO::Services::FluentdClient
+    - OS::TripleO::Services::SensuClient
 
   ControllerExtraConfig:
     nova::compute::libvirt::services::libvirt_virt_type: qemu
@@ -119,3 +121,6 @@ parameter_defaults:
   LoggingServers:
     - host: 127.0.0.1
       port: 24224
+  MonitoringRabbitHost: 127.0.0.1
+  MonitoringRabbitPort: 5676
+  MonitoringRabbitPassword: sensu
diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml
index 5aba90e8..e4d1e2a0 100644
--- a/puppet/major_upgrade_steps.j2.yaml
+++ b/puppet/major_upgrade_steps.j2.yaml
@@ -40,11 +40,6 @@ conditions:
       equals:
         - {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]}
         - []
-  {{role.name}}UpgradeConfigEnabled:
-    not:
-      equals:
-        - {get_param: [role_data, {{role.name}}, upgrade_tasks]}
-        - []
 {%- endfor %}
 
 resources:
@@ -188,7 +183,6 @@ resources:
   # do, and there should be minimal performance hit (creating the
   # config is cheap compared to the time to apply the deployment).
   {%- if step > 0 %}
-    condition: {{role.name}}UpgradeConfigEnabled
     {% if role.name in enabled_roles %}
     depends_on:
       - {{role.name}}Upgrade_Step{{step -1}}
@@ -204,9 +198,13 @@ resources:
   {{role.name}}Upgrade_Step{{step}}:
     type: OS::Heat::SoftwareDeploymentGroup
     {%- if step > 0 %}
-    condition: {{role.name}}UpgradeConfigEnabled
+    # Make sure we wait that all roles have finished their own
+    # previous step before going to the next, so we can guarantee
+    # state for each steps.
     depends_on:
-      - {{role.name}}Upgrade_Step{{step -1}}
+      {%- for role_inside in enabled_roles %}
+      - {{role_inside.name}}Upgrade_Step{{step -1}}
+      {%- endfor %}
     {%- endif %}
     properties:
       name: {{role.name}}Upgrade_Step{{step}}
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index bc4380a5..9b314b2a 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -39,6 +39,20 @@ outputs:
             value: 5
           net.ipv4.tcp_keepalive_time:
             value: 5
+          net.ipv4.conf.default.send_redirects:
+            value: 0
+          net.ipv4.conf.all.send_redirects:
+            value: 0
+          net.ipv4.conf.default.accept_redirects:
+            value: 0
+          net.ipv4.conf.default.secure_redirects:
+            value: 0
+          net.ipv4.conf.all.secure_redirects:
+            value: 0
+          net.ipv4.conf.default.log_martians:
+            value: 1
+          net.ipv4.conf.all.log_martians:
+            value: 1
           net.nf_conntrack_max:
             value: 500000
           net.netfilter.nf_conntrack_max:
@@ -52,6 +66,10 @@ outputs:
             value: 0
           net.ipv6.conf.default.autoconf:
             value: 0
+          net.ipv6.conf.default.accept_redirects:
+            value: 0
+          net.ipv6.conf.all.accept_redirects:
+            value: 0
           net.core.netdev_max_backlog:
             value: 10000
           kernel.pid_max:
diff --git a/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml
new file mode 100644
index 00000000..0f226a84
--- /dev/null
+++ b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml
@@ -0,0 +1,19 @@
+---
+upgrade:
+  - The net.ipv4.conf.default.send_redirects & net.ipv4.conf.all.send_redirects
+    are now set to 0 to prevent a compromised host from sending invalid ICMP
+    redirects to other router devices.
+  - The net.ipv4.conf.default.accept_redirects,
+    net.ipv6.conf.default.accept_redirects & net.ipv6.conf.all.accept_redirects
+    are now set to 0 to prevent forged ICMP packet from altering host's routing
+    tables.
+  - The net.ipv4.conf.default.secure_redirects &
+    net.ipv4.conf.all.secure_redirects are now set to 0 to disable acceptance
+    of secure ICMP redirected packets.
+security:
+  - Invalide ICMP redirects may corrupt routing and have users access a system
+    set up by the attacker as opposed to a valid system.
+  - Routing tables may be altered by bogus ICMP redirect messages and send
+    packets to incorrect networks.
+  - Secure ICMP redirects are the same as ICMP redirects, except they come from
+    gateways listed on the default gateway list.
diff --git a/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml
new file mode 100644
index 00000000..bb2543f2
--- /dev/null
+++ b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    The net.ipv4.conf.default.log_martians & net.ipv4.conf.all.log_martians are
+    now set to 1 to enable logging of suspicious packets.
+security:
+  - |
+    Logging of suspicious packets allows an administrator to investigate the
+    spoofed packets sent to their system.