| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
* Disable Kernel Parameter for Sending ICMP Redirects:
- net.ipv4.conf.default.send_redirects = 0
- net.ipv4.conf.all.send_redirects = 0
Rationale: An attacker could use a compromised host
to send invalid ICMP redirects to other router devices
in an attempt to corrupt routing and have users access
a system set up by the attacker as opposed to a valid
system.
* Disable Kernel Parameter for Accepting ICMP Redirects:
- net.ipv4.conf.default.accept_redirects = 0
Rationale: Attackers could use bogus ICMP redirect
messages to maliciously alter the system routing tables
and get them to send packets to incorrect networks and
allow your system packets to be captured.
* Disable Kernel Parameter for secure ICMP Redirects:
- net.ipv4.conf.default.secure_redirects = 0
- net.ipv4.conf.all.secure_redirects = 0
Rationale: Secure ICMP redirects are the same as ICMP
redirects, except they come from gateways listed on
the default gateway list. It is assumed that these
gateways are known to your system, and that they are
likely to be secure.
* Enable Kernel Parameter to log suspicious packets:
- net.ipv4.conf.default.log_martians = 1
- net.ipv4.conf.all.log_martians = 1
Rationale: Enabling this feature and logging these packets
allows an administrator to investigate the possibility
that an attacker is sending spoofed packets to their system.
* Ensure IPv6 redirects are not accepted by Default
- net.ipv6.conf.all.accept_redirects = 0
- net.ipv6.conf.default.accept_redirects = 0
Rationale: It is recommended that systems not accept ICMP
redirects as they could be tricked into routing traffic to
compromised machines. Setting hard routes within the system
(usually a single default route to a trusted router) protects
the system from bad routes.
Change-Id: I2e8ab3141ee37ee6dd5a23d23dbb97c93610ea2e
Co-Authored-By: Luke Hinds <lhinds@redhat.com>
Signed-off-by: zshi <zshi@redhat.com>
|
|
Note: since it replaces rabbitmq, in order to aim for the smallest
amount of changes the service_name is called 'rabbitmq' so all the
other services do not need additional logic to use qdr.
Depends-On: Idecbbabdd4f06a37ff0cfb34dc23732b1176a608
Change-Id: I27f01d2570fa32de91ffe1991dc873cdf2293dbc
|
|
|
|
For both containers and classic deployments, allow to configure
policy.json for all OpenStack APIs with new parameters (hash,
empty by default).
Example of new parameter: NovaApiPolicies.
See environments/nova-api-policy.yaml for how the feature can be used.
Note: use it with extreme caution.
Partial-implement: blueprint modify-policy-json
Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
|
|
panko is enabled by default, we might as well make it
the default dispatcher along with gnocchi.
Closes-bug: #1676900
Change-Id: Icb6c98ed0810724e4445d78f3d34d8b71db826ae
|
|
Hiera value of nova::compute::pci_passthrough should be a string.
It has been modified to JSON with the heira hook changes. Modifying
it again back to string.
Closes-Bug: #1675036
Change-Id: I441907ff313ecc5b7b4da562c6be195687fc6c76
|
|
The core dump of a setuid program is more likely
to contain sensitive data, as the program itself
runs with greater privileges than the user who
initiated execution of the program. Disabling the
ability for any setuid program to write a core
file decreases the risk of unauthorized access of
such data.
This change sets core dump for setuid programs
to '0'.
Change-Id: Ib05d993c1bb59b59c784e438f805733f636c743d
Signed-off-by: zshi <zshi@redhat.com>
|
|
|
|
|
|
|
|
|
|
The str_replace conversion used previously is no longer needed and
breaks the hieradata value.
Closes-Bug: 1675426
Change-Id: I7a052d1757efe36daf6ed47e55598ca3c2ee9055
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
This feature stopped working somewhere along the lines. In the past it
was working with parameter_defaults like this:
CinderNfsServers: '10.0.0.254:/srv/nfs/cinder'
or
CinderNfsServers: "[fd00:fd00:fd00:3000::1]:/srv/nfs/cinder"
The problem was that the templating escaped these strings, and
puppet-tripleo didn't receive a proper array, but a string.
This patch fixes this. It accepts strings as above as well as
comma-delimited lists of Nfs Servers.
Closes-Bug: 1671153
Change-Id: I89439c1d969e92cb8e0503de561e22409deafdfc
|
|
No other packages actually require openstack-selinux, so it must be
explicity installed.
Change-Id: Ic7b39ddfc4cfb28b8a08e9b02043211e4ca4a39a
Closes-Bug: #1675170
|
|
Firewall config was being inherited by the dpdk service, however
since the firewall service name was the parent (neutron_ovs_agent)
and technically that service was not enabled - the rules were never
applied. This modifies the service name as it is inherited using
map_replace.
Closes-Bug: 1674689
Change-Id: I6676205b8fc1fd578cb2435ad97fe577a9e81d95
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
|
|
Unprivileged access to the kernel syslog can expose sensitive
kernel address information.
Change-Id: If40f1b883dfde6c7870bf9c463753d037867c9e2
Signed-off-by: zshi <zshi@redhat.com>
|
|
Port 2550 is required for inter-ODL communication when clustering.
odl-jolokia feature is required to expose REST APIs from ODL for
monitoring the cluster.
Implements: blueprint opendaylight-ha
Depends-On: Ic9a955a1c2afc040b2f9c6fb86573c04a60f9f31
Change-Id: Ie108ab75cce0cb7d89e72637c600e30fc241d186
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
The agent configuration was lost in newton during the puppet-tripleo and
THT role conversion. This change adds support for including the bigswitch
agent service for composable roles.
Change-Id: I46896389e48cdbe2864bf5b609a786f1c84ef908
Closes-Bug: #1673126
|
|
|
|
Secure EtcdInitialClusterToken parameter by:
* removing the default value.
* make it hidden.
Change-Id: I938af697f9faaadb9c9aeb950e9410db24b1b961
Depends-On: I6e30cce469736e84a3c483fafa29d542b8347ba9
Closes-Bug: #1673266
|
|
Previously the rhel registration script disabled the satellite repo
after installing packages from it. This means those packages will
never be updated, which is not desirable from a long-term
maintenance perspective.
I believe this behavior is a holdover from the dib registration
script, where we don't want to leave repos enabled because the
image may be deployed many times and each instance needs to be
re-registered. In t-h-t we don't have that problem because the
script only runs at deploy time so it's okay and desirable to leave
the repos enabled.
Change-Id: I5d760467b458d90d74507a55effc49b71d22eaa3
Closes-Bug: 1673116
|
|
UUID is to be deprecated, and we should be using fernet.
Change-Id: I61b999e65ba5eb771776344d38eb90fc52d49d56
|
|
|
|
* Move swift_authurl to gnocchi-base hieradata, where other swift auth
credentials live and switch it to versionless keystone endpoint.
* Force swift_auth_version to 3 for Keystone v3.
* Switch auth_uri to use versionless Keystone endpoint.
* Switch auth_url to use Keystone admin endpoint (instead of internal).
* Remove old parameters from gnocchi::api, not used anymore.
Partial-blueprint: keystone-v3
Change-Id: I2feed8b1219069128faa1a1e8dcd2ddfbae7e40a
|
|
|
|
|
|
This has not landed yet but was accidentally release noted for
Ocata. The release note should land with the patch that actually
makes the change: I0f61016df6a9f07971c5eab51cc9674a1458c66f
Change-Id: I7d68899a5892e219b73007b18ab42e06196ae07a
|
|
This project aims at supporting inter-connection between L3VPNs
and Neutron resources, i.e. Networks, Routers and Ports.
Partially-Implements: blueprint bgpvpn-service-integration
Depends-On:I7c1686693a29cc1985f009bd7a3c268c0e211876
Change-Id: I576c9ac2b443dbb6886824b3da457dcc4f87b442
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
|
|
The patch this depends on passes through the classes some parameters
that are meant to be passed via t-h-t. This patch addresses these and
other things required for deploying these services over httpd:
* Set the number of workers taking care not to set this value to 0.
* Add the apache base hieradata to the service profiles.
* Set the servernames and other httpd-specific values.
bp tls-via-certmonger
Change-Id: I88e5ea7b9bbf35ae03f84fdc3ec76ae09f11a1b6
Depends-On: I23971b0164468e67c9b3577772af84bd947e16f1
|
|
Configure keystone_authtoken for Sahara service.
Change-Id: I045b7d1d52851ab0d532a8524fcea95705e3db78
Partial-implement: blueprint keystone-v3
|
|
|
|
This file is needed for plan import and export features. We want to enable the
user to store the selection of environment options, so that it can be
re-imported, and it does not have to be perfmed manually multiple times.
The plan create workflow will look into the Swift
container for this file, and import its contents into the Mistral
environment. Conversely, plan export will create this file from the Mistral
environment contents, so that it can later be re-imported.
For more information, see the related blueprint, and the spec at
https://specs.openstack.org/openstack/tripleo-specs/specs/ocata/gui-plan-import-export.html
Partially implements: blueprint enhance-plan-creation-with-plan-environment
Change-Id: I95e3e3a25104623d6fcf38e99403cebbd591b92d
|
|
While the heat templates specify a default value of 3, it rarely seems
to have an effect as the tripleoclient is setting this according to the
controller scale. This was fine before composable roles, but it is now
invalid. While the client needs to be modified to no longer set this
according to controller scale, the template should default to a sentinel
value that will allow the puppet code to determine the proper value by
the number of hosts that have the neutron dhcp agent deployed on them.
Depends-On: I5533e42c5ba9f72cc70d80489a07e30ee2341198
Partial-bug: #1632721
Change-Id: I06628764c4769d91bbc42efe1c722702d6574d02
|
|
Vector Packet Processing (VPP) is a high performance packet processing
stack that runs in user space in Linux. VPP is used as an alternative to
kernel networking stack for accelerated network data path. This patch
adds VPP as a composable service. Note that NIC binding related configs
for VPP are handled in os-net-config.
Depends-on: I70a68a204a8b9d533fc2fa4fc33c39c3b1c366bf
Change-Id: I5e4b1903dc87cb16259eeb05db585678acadbc6b
Implements: blueprint fdio-integration-tripleo
|
|
The previous patch [1] that changed the default value for the parameter and
that also deprecated the parameter missed a release note. This change
fixes the mistake.
[1] Iade7fbaf92c8c601227f4456a15ea3f13a907ee2
Change-Id: I72f6f7e50d729734ae6d61191f788ae2aed15145
|
|
|
|
|
|
Change-Id: Ifef3e6f661d0094ebcc587fd6c1d0783a92ada3f
|
|
Change-Id: I4e68d566c7d52df850de41cb207f523ccb029c3f
|
|
|
|
|
|
|
|
|
|
Add some release notes about the composable ha work
Change-Id: I8975c3f597d1affbe6e52d4e16a2aad527006264
|
|
Adding a default NTP server by default will
keep all Pacemaker and non-Pacemaker deployments
aligned with the same server by default.
Also useful for keeping time diff controlled for
Keystone and Ceph.
Change-Id: I8a26bae15cbfb83e3abd6b9ef9d12b57467e6258
|
|
Add reno for:
- I1213a83ef8693c1cca1d20de974f7949a801d9f1
- Ib1103c00ddb7d6d624f4911147197d8355a3a6dd
Change-Id: Iecbbab5aeeade46b5cc238bc5542396e78db751c
|
|
Change-Id: I8c2e0af3ad4e47b12f4ecf2d5762df95e66fa34d
|
|
|
|
Previously the memcached configuration was set to use the defaults which
would be 95% of the avaiable ram in the system. This can lead to memory
contention issues if memcache is heavily utilized. This change reduces
the default to 50% and exposes the ability to tune this configuration.
Change-Id: Ie8a48ff4cf509e93d7c1487813d5feed5e5131a4
Closes-Bug: #1662941
|
zshi
John Eckersberg
Jenkins
Emilien Macchi
Pradeep Kilambi
Saravanan KR
Tim Rozet
Christian Schwede
James Slagle
Alex Schultz
Ben Nemec
Juan Antonio Osorio Robles
Ricardo Noriega
Ana Krivokapic
Brent Eagles
Feng Pan
Ihar Hrachyshka
OpenStack Release Bot
Michele Baldessari
Carlos Camacho