Age | Commit message (Collapse) | Author | Files | Lines |
|
* Disable Kernel Parameter for Sending ICMP Redirects:
- net.ipv4.conf.default.send_redirects = 0
- net.ipv4.conf.all.send_redirects = 0
Rationale: An attacker could use a compromised host
to send invalid ICMP redirects to other router devices
in an attempt to corrupt routing and have users access
a system set up by the attacker as opposed to a valid
system.
* Disable Kernel Parameter for Accepting ICMP Redirects:
- net.ipv4.conf.default.accept_redirects = 0
Rationale: Attackers could use bogus ICMP redirect
messages to maliciously alter the system routing tables
and get them to send packets to incorrect networks and
allow your system packets to be captured.
* Disable Kernel Parameter for secure ICMP Redirects:
- net.ipv4.conf.default.secure_redirects = 0
- net.ipv4.conf.all.secure_redirects = 0
Rationale: Secure ICMP redirects are the same as ICMP
redirects, except they come from gateways listed on
the default gateway list. It is assumed that these
gateways are known to your system, and that they are
likely to be secure.
* Enable Kernel Parameter to log suspicious packets:
- net.ipv4.conf.default.log_martians = 1
- net.ipv4.conf.all.log_martians = 1
Rationale: Enabling this feature and logging these packets
allows an administrator to investigate the possibility
that an attacker is sending spoofed packets to their system.
* Ensure IPv6 redirects are not accepted by Default
- net.ipv6.conf.all.accept_redirects = 0
- net.ipv6.conf.default.accept_redirects = 0
Rationale: It is recommended that systems not accept ICMP
redirects as they could be tricked into routing traffic to
compromised machines. Setting hard routes within the system
(usually a single default route to a trusted router) protects
the system from bad routes.
Change-Id: I2e8ab3141ee37ee6dd5a23d23dbb97c93610ea2e
Co-Authored-By: Luke Hinds <lhinds@redhat.com>
Signed-off-by: zshi <zshi@redhat.com>
|
|
Note: since it replaces rabbitmq, in order to aim for the smallest
amount of changes the service_name is called 'rabbitmq' so all the
other services do not need additional logic to use qdr.
Depends-On: Idecbbabdd4f06a37ff0cfb34dc23732b1176a608
Change-Id: I27f01d2570fa32de91ffe1991dc873cdf2293dbc
|
|
|
|
For both containers and classic deployments, allow to configure
policy.json for all OpenStack APIs with new parameters (hash,
empty by default).
Example of new parameter: NovaApiPolicies.
See environments/nova-api-policy.yaml for how the feature can be used.
Note: use it with extreme caution.
Partial-implement: blueprint modify-policy-json
Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
|
|
panko is enabled by default, we might as well make it
the default dispatcher along with gnocchi.
Closes-bug: #1676900
Change-Id: Icb6c98ed0810724e4445d78f3d34d8b71db826ae
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Change-Id: I86fd68da7b2d96590f21a8511fa1a23dcf1a6dda
|
|
|
|
|
|
|
|
Attempt to check galera's cluster status fails when galera service
is not running on the same node.
Change-Id: I27fb0841d85cd0dc86e92ac2e21eedf5f8f863ab
|
|
|
|
|
|
Hiera value of nova::compute::pci_passthrough should be a string.
It has been modified to JSON with the heira hook changes. Modifying
it again back to string.
Closes-Bug: #1675036
Change-Id: I441907ff313ecc5b7b4da562c6be195687fc6c76
|
|
The core dump of a setuid program is more likely
to contain sensitive data, as the program itself
runs with greater privileges than the user who
initiated execution of the program. Disabling the
ability for any setuid program to write a core
file decreases the risk of unauthorized access of
such data.
This change sets core dump for setuid programs
to '0'.
Change-Id: Ib05d993c1bb59b59c784e438f805733f636c743d
Signed-off-by: zshi <zshi@redhat.com>
|
|
|
|
Change-Id: I9a19aff24dede2bea3bf2959afa7adde00817ee0
Related-Bug: #1676491
|
|
In Ocata and later, the port binding controller for ODL was changed by
default to be the pseudo agent controller, which requires a new feature
"host config" for OVS. This patch modifies the default to use
network-topology, which will work without any new host config features
implemented (previous way of port binding).
Closes-Bug: 1675211
Depends-On: I5004fdeb238dea81bc4f7e9437843a8a080d5b46
Change-Id: I6a6969d1d6b8d8b8ac31fecd57af85eb653245d2
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
|
|
This patch again removes hard coded role references to
the overcloud.yaml template that was added in
fd15a091f7ab6927833275df17b96ecacc2b1827. This
breaks the composable undercloud work (undercloud-containers ci job as
well).
Change-Id: Ie30b2573dc4d2b45ebc0afc0e0d73bfdf41e4d4b
Closes-bug: #1676528
|
|
Simplify the config of the keystone service by mounting in the
configurations instead of specifying them all in kolla config.
This is change is useful to limit the side effects of generating the
config files and running the container is two separate steps as config
directories are now bind-mounted inside the container instead of having
files being copied to the container. We've seen examples of Apache's
mod_ssl configuration file present on the container preventing it to
start when puppet configured apache not to load the ssl module (in case
TLS is disabled).
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: Ie33ffc7c2b1acf3e4e505d38efb104bf013f2ce6
|
|
|
|
|
|
gnocchi metricd and statsd are broken due to recent change
to support keystone v3. see I2feed8b1219069128faa1a1e8dcd2ddfbae7e40a
We need swift auth url to have suffix so it knows what endpoint
to use.
Change-Id: I753f37e121b95813e345f200ad3f3e75ec4bd7e1
|
|
|
|
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of doing using nested stacks, this patch
changes that to use a conditional, and output the necessary
config_settings and metadata_settings this way in an attempt to save
resources.
Change-Id: Ib7151d67982957369f7c139a3b01274a1a746c4a
|
|
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of doing using nested stacks, this patch
changes that to use a conditional, and output the necessary
config_settings and metadata_settings this way in an attempt to save
resources.
Change-Id: Ia7ee632383542ac012c20448ff1b4435004e57e3
|
|
Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of doing using nested stacks, this patch
changes that to use a conditional, and output the necessary
config_settings and metadata_settings this way in an attempt to save
resources.
Change-Id: Ic25f84a81aefef91b3ab8db2bc864853ee82c8aa
|
|
When the firewall is enabled with ipv6, the default rules set is
taken as not ipv6 firewall was present for Newton. This make
communication impossible until puppet is run again.
This ensures that no rules are loaded when the firewall is enabled.
This mimic this patch[1]
[1] https://github.com/openstack/tripleo-heat-templates/commit/ae8aac36143d5dadb08af0d275f513678909dcc7
Change-Id: Id878b5caae666a799c89c8466ce46b9ecb86d9f7
Closes-Bug: #1675782
|
|
Previously only the first two intial fernet keys were mounted into the
container. This is not practical, however, as doing key rotation will
generate more entries in this repository. So instead we mount the whole
directory, which would allow us to do rotation in the base host and
seamlessly affect the container as well.
Change-Id: I7763a09e57fe6a7867ffd079ab0b9222374c38c8
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This change ensures that that openstack-nova-compute is
stopped and disabled during the upgrade process.
Closes-Bug: 1675814
Change-Id: Ifd2557b11e4317f1e76e459e8de4162116578eff
|