path: root/puppet/services/kernel.yaml
Age | Commit message | Author | Files | Lines
2017-03-28 | Disable core dump for setuid programs | zshi | 1 | -0/+2
The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data. This change sets core dump for setuid programs to '0'.
Change-Id: Ib05d993c1bb59b59c784e438f805733f636c743d
Signed-off-by: zshi <zshi@redhat.com>
2017-03-22 | Restrict Access to Kernel Message Buffer | zshi | 1 | -0/+2
Unprivileged access to the kernel syslog can expose sensitive kernel address information.
Change-Id: If40f1b883dfde6c7870bf9c463753d037867c9e2
Signed-off-by: zshi <zshi@redhat.com>
2017-02-23 | Adding the ip_conntrack_proto_sctp kernel module | Itzik Brown | 1 | -0/+1
When using conntrack there is a need to load the ip_conntrack_proto_sctp module for SCTP to work.
Closes-bug: 1664192
Change-Id: Ic58f5327401c3ab2215acd8b9ce699f555e8c5e4
2016-12-23 | Bump template version for all templates to "ocata" | Steven Hardy | 1 | -1/+1
Heat now supports release name aliases, so we can replace the inconsistent mix of date related versions with one consistent version that aligns with the supported version of heat for this t-h-t branch. This should also help new users who sometimes copy/paste old templates and discover intrinsic functions in the t-h-t docs don't work because their template version is too old.
Change-Id: Ib415e7290fea27447460baa280291492df197e54
2016-11-04 | Defaults kernel.pid_max to 1048576 | Giulio Fidente | 1 | -0/+6
In some scenarios we reach the kernel.pid_max value, this change adds a parameter to the Kernel service for configuration of the sysctl key and defaults it to 1048576.
Change-Id: Id8f3e6b7ed9846022898d7158fe9180418847085
Closes-Bug: #1639191
2016-10-12 | Disable IPv6 RAs & Autoconf For All (Not Just Default) | Dan Sneddon | 1 | -0/+4
The current kernel sysctl settings modify the net.ipv6.conf.default.accept_ra and net.ipv6.conf.default.autoconf to both be '0'. However, this is overridden by the settings in net.ipv6.conf.all, so no matter what setting is in the ifcfg file for the IPv6 interface, autoconfiguration and accept_ra will be enabled. This causes a security vulnerability where rogue RAs could be used to intercept traffic from the controllers. This change sets both default and all settings to '0' for IPv6 accept_ra and autoconf.
Closes-Bug: 1632830
Change-Id: I95b86c5c6feed30dfa5103ffbddb9e85ac567bbb
2016-08-18 | Add DefaultPasswords to composable services | Dan Prince | 1 | -0/+3
This patch adds a new DefaultPasswords parameter to composable services. This is needed to help provide access to top level password resources that overcloud.yaml currently manages (passwords for Rabbit, Mysql, etc.). Moving the RandomString resources into composable services would cause them to regenerate within the stack. With this approach we can leave them where they are while we deprecate the top level mechanism and move the code that uses the passwords into the composable services.
Change-Id: I4f21603c58a169a093962594e860933306879e3f
2016-08-18 | Pass ServiceNetMap to services | Giulio Fidente | 1 | -0/+6
This will be needed to pick the network where the service has to bind to from within the service template.
Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
2016-07-27 | Migrate Puppet Hieradata to composable services | Emilien Macchi | 1 | -0/+21
Migrate puppet/hieradata/*.yaml parameters to puppet/services/*.yaml except for some services that are not composable yet.
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I7e5f8b18ee9aa63a1dffc6facaf88315b07d5fd7
2016-07-22 | Add 'service_name' to composable services | Dan Prince | 1 | -0/+1
This patch adds a new service_name section to each composable service. We now have an explicit unit test check to ensure that service_name exists in tools/yaml-validate.py. This patch also wires service_names into hieradata on each of the roles so that tools can access the deployed services locally during deployment and upgrades.
Change-Id: I60861c5aa760534db3e314bba16a13b90ea72f0c
2016-07-05 | Add kernel service | Emilien Macchi | 1 | -0/+18
Add a new service that will load and configure kernel modules.
Depends-On: If4f1047ff8c193a14b821d8b826f637872cf62bd
Change-Id: I8f771712595d0f4826858b855985f65d3621c3f1