Age | Commit message (Collapse) | Author | Files | Lines |
|
The core dump of a setuid program is more likely
to contain sensitive data, as the program itself
runs with greater privileges than the user who
initiated execution of the program. Disabling the
ability for any setuid program to write a core
file decreases the risk of unauthorized access of
such data.
This change sets core dump for setuid programs
to '0'.
Change-Id: Ib05d993c1bb59b59c784e438f805733f636c743d
Signed-off-by: zshi <zshi@redhat.com>
|
|
Unprivileged access to the kernel syslog can expose sensitive
kernel address information.
Change-Id: If40f1b883dfde6c7870bf9c463753d037867c9e2
Signed-off-by: zshi <zshi@redhat.com>
|
|
When using conntrack there is a need to load the
ip_conntrack_proto_sctp module for SCTP to work.
Closes-bug: 1664192
Change-Id: Ic58f5327401c3ab2215acd8b9ce699f555e8c5e4
|
|
Heat now supports release name aliases, so we can replace
the inconsistent mix of date related versions with one consistent
version that aligns with the supported version of heat for this
t-h-t branch.
This should also help new users who sometimes copy/paste old templates
and discover intrinsic functions in the t-h-t docs don't work because
their template version is too old.
Change-Id: Ib415e7290fea27447460baa280291492df197e54
|
|
In some scenarios we reach the kernel.pid_max value, this change
adds a parameter to the Kernel service for configuration of the
sysctl key and defaults it to 1048576.
Change-Id: Id8f3e6b7ed9846022898d7158fe9180418847085
Closes-Bug: #1639191
|
|
The current kernel sysctl settings modify the
net.ipv6.conf.default.accept_ra and net.ipv6.conf.default.autoconf
to both be '0'. However, this is overridden by the settings in
net.ipv6.conf.all, so no matter what setting is in the ifcfg file
for the IPv6 interface, autoconfiguration and accept_ra will be
enabled. This causes a security vulnerability where rogue RAs
could be used to intercept traffic from the controllers.
This change sets both default and all settings to '0' for IPv6
accept_ra and autoconf.
Closes-Bug: 1632830
Change-Id: I95b86c5c6feed30dfa5103ffbddb9e85ac567bbb
|
|
This patch adds a new DefaultPasswords parameter to
composable services. This is needed to help provide
access to top level password resources that overcloud.yaml
currently manages (passwords for Rabbit, Mysql, etc.).
Moving the RandomString resources into composable services
would cause them to regenerate within the stack. With this
approach we can leave them where they are while we deprecate
the top level mechanism and move the code that uses the
passwords into the composable services.
Change-Id: I4f21603c58a169a093962594e860933306879e3f
|
|
This will be needed to pick the network where the service has
to bind to from within the service template.
Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
|
|
Migrate puppet/hieradata/*.yaml parameters to puppet/services/*.yaml
except for some services that are not composable yet.
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I7e5f8b18ee9aa63a1dffc6facaf88315b07d5fd7
|
|
This patch adds a new service_name section to each composable
service. We now have an explicit unit test check to ensure that
service_name exists in tools/yaml-validate.py.
This patch also wires service_names into hieradata on each
of the roles so that tools can access the deployed services locally
during deployment and upgrades.
Change-Id: I60861c5aa760534db3e314bba16a13b90ea72f0c
|
|
Add a new service that will load and configure kernel modules.
Depends-On: If4f1047ff8c193a14b821d8b826f637872cf62bd
Change-Id: I8f771712595d0f4826858b855985f65d3621c3f1
|