Age | Commit message (Collapse) | Author | Files | Lines |
|
The core dump of a setuid program is more likely
to contain sensitive data, as the program itself
runs with greater privileges than the user who
initiated execution of the program. Disabling the
ability for any setuid program to write a core
file decreases the risk of unauthorized access of
such data.
This change sets core dump for setuid programs
to '0'.
Change-Id: Ib05d993c1bb59b59c784e438f805733f636c743d
Signed-off-by: zshi <zshi@redhat.com>
|
|
|
|
|
|
|
|
|
|
The str_replace conversion used previously is no longer needed and
breaks the hieradata value.
Closes-Bug: 1675426
Change-Id: I7a052d1757efe36daf6ed47e55598ca3c2ee9055
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
This feature stopped working somewhere along the lines. In the past it
was working with parameter_defaults like this:
CinderNfsServers: '10.0.0.254:/srv/nfs/cinder'
or
CinderNfsServers: "[fd00:fd00:fd00:3000::1]:/srv/nfs/cinder"
The problem was that the templating escaped these strings, and
puppet-tripleo didn't receive a proper array, but a string.
This patch fixes this. It accepts strings as above as well as
comma-delimited lists of Nfs Servers.
Closes-Bug: 1671153
Change-Id: I89439c1d969e92cb8e0503de561e22409deafdfc
|
|
No other packages actually require openstack-selinux, so it must be
explicity installed.
Change-Id: Ic7b39ddfc4cfb28b8a08e9b02043211e4ca4a39a
Closes-Bug: #1675170
|
|
Firewall config was being inherited by the dpdk service, however
since the firewall service name was the parent (neutron_ovs_agent)
and technically that service was not enabled - the rules were never
applied. This modifies the service name as it is inherited using
map_replace.
Closes-Bug: 1674689
Change-Id: I6676205b8fc1fd578cb2435ad97fe577a9e81d95
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
|
|
Unprivileged access to the kernel syslog can expose sensitive
kernel address information.
Change-Id: If40f1b883dfde6c7870bf9c463753d037867c9e2
Signed-off-by: zshi <zshi@redhat.com>
|
|
Port 2550 is required for inter-ODL communication when clustering.
odl-jolokia feature is required to expose REST APIs from ODL for
monitoring the cluster.
Implements: blueprint opendaylight-ha
Depends-On: Ic9a955a1c2afc040b2f9c6fb86573c04a60f9f31
Change-Id: Ie108ab75cce0cb7d89e72637c600e30fc241d186
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
The agent configuration was lost in newton during the puppet-tripleo and
THT role conversion. This change adds support for including the bigswitch
agent service for composable roles.
Change-Id: I46896389e48cdbe2864bf5b609a786f1c84ef908
Closes-Bug: #1673126
|
|
|
|
Secure EtcdInitialClusterToken parameter by:
* removing the default value.
* make it hidden.
Change-Id: I938af697f9faaadb9c9aeb950e9410db24b1b961
Depends-On: I6e30cce469736e84a3c483fafa29d542b8347ba9
Closes-Bug: #1673266
|
|
Previously the rhel registration script disabled the satellite repo
after installing packages from it. This means those packages will
never be updated, which is not desirable from a long-term
maintenance perspective.
I believe this behavior is a holdover from the dib registration
script, where we don't want to leave repos enabled because the
image may be deployed many times and each instance needs to be
re-registered. In t-h-t we don't have that problem because the
script only runs at deploy time so it's okay and desirable to leave
the repos enabled.
Change-Id: I5d760467b458d90d74507a55effc49b71d22eaa3
Closes-Bug: 1673116
|
|
UUID is to be deprecated, and we should be using fernet.
Change-Id: I61b999e65ba5eb771776344d38eb90fc52d49d56
|
|
|
|
* Move swift_authurl to gnocchi-base hieradata, where other swift auth
credentials live and switch it to versionless keystone endpoint.
* Force swift_auth_version to 3 for Keystone v3.
* Switch auth_uri to use versionless Keystone endpoint.
* Switch auth_url to use Keystone admin endpoint (instead of internal).
* Remove old parameters from gnocchi::api, not used anymore.
Partial-blueprint: keystone-v3
Change-Id: I2feed8b1219069128faa1a1e8dcd2ddfbae7e40a
|
|
|
|
|
|
This has not landed yet but was accidentally release noted for
Ocata. The release note should land with the patch that actually
makes the change: I0f61016df6a9f07971c5eab51cc9674a1458c66f
Change-Id: I7d68899a5892e219b73007b18ab42e06196ae07a
|
|
This project aims at supporting inter-connection between L3VPNs
and Neutron resources, i.e. Networks, Routers and Ports.
Partially-Implements: blueprint bgpvpn-service-integration
Depends-On:I7c1686693a29cc1985f009bd7a3c268c0e211876
Change-Id: I576c9ac2b443dbb6886824b3da457dcc4f87b442
Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
|
|
The patch this depends on passes through the classes some parameters
that are meant to be passed via t-h-t. This patch addresses these and
other things required for deploying these services over httpd:
* Set the number of workers taking care not to set this value to 0.
* Add the apache base hieradata to the service profiles.
* Set the servernames and other httpd-specific values.
bp tls-via-certmonger
Change-Id: I88e5ea7b9bbf35ae03f84fdc3ec76ae09f11a1b6
Depends-On: I23971b0164468e67c9b3577772af84bd947e16f1
|
|
Configure keystone_authtoken for Sahara service.
Change-Id: I045b7d1d52851ab0d532a8524fcea95705e3db78
Partial-implement: blueprint keystone-v3
|
|
|
|
This file is needed for plan import and export features. We want to enable the
user to store the selection of environment options, so that it can be
re-imported, and it does not have to be perfmed manually multiple times.
The plan create workflow will look into the Swift
container for this file, and import its contents into the Mistral
environment. Conversely, plan export will create this file from the Mistral
environment contents, so that it can later be re-imported.
For more information, see the related blueprint, and the spec at
https://specs.openstack.org/openstack/tripleo-specs/specs/ocata/gui-plan-import-export.html
Partially implements: blueprint enhance-plan-creation-with-plan-environment
Change-Id: I95e3e3a25104623d6fcf38e99403cebbd591b92d
|
|
While the heat templates specify a default value of 3, it rarely seems
to have an effect as the tripleoclient is setting this according to the
controller scale. This was fine before composable roles, but it is now
invalid. While the client needs to be modified to no longer set this
according to controller scale, the template should default to a sentinel
value that will allow the puppet code to determine the proper value by
the number of hosts that have the neutron dhcp agent deployed on them.
Depends-On: I5533e42c5ba9f72cc70d80489a07e30ee2341198
Partial-bug: #1632721
Change-Id: I06628764c4769d91bbc42efe1c722702d6574d02
|
|
Vector Packet Processing (VPP) is a high performance packet processing
stack that runs in user space in Linux. VPP is used as an alternative to
kernel networking stack for accelerated network data path. This patch
adds VPP as a composable service. Note that NIC binding related configs
for VPP are handled in os-net-config.
Depends-on: I70a68a204a8b9d533fc2fa4fc33c39c3b1c366bf
Change-Id: I5e4b1903dc87cb16259eeb05db585678acadbc6b
Implements: blueprint fdio-integration-tripleo
|
|
The previous patch [1] that changed the default value for the parameter and
that also deprecated the parameter missed a release note. This change
fixes the mistake.
[1] Iade7fbaf92c8c601227f4456a15ea3f13a907ee2
Change-Id: I72f6f7e50d729734ae6d61191f788ae2aed15145
|
|
|
|
|
|
Change-Id: Ifef3e6f661d0094ebcc587fd6c1d0783a92ada3f
|
|
Change-Id: I4e68d566c7d52df850de41cb207f523ccb029c3f
|
|
|
|
|
|
|
|
|
|
Add some release notes about the composable ha work
Change-Id: I8975c3f597d1affbe6e52d4e16a2aad527006264
|
|
Adding a default NTP server by default will
keep all Pacemaker and non-Pacemaker deployments
aligned with the same server by default.
Also useful for keeping time diff controlled for
Keystone and Ceph.
Change-Id: I8a26bae15cbfb83e3abd6b9ef9d12b57467e6258
|
|
Add reno for:
- I1213a83ef8693c1cca1d20de974f7949a801d9f1
- Ib1103c00ddb7d6d624f4911147197d8355a3a6dd
Change-Id: Iecbbab5aeeade46b5cc238bc5542396e78db751c
|
|
Change-Id: I8c2e0af3ad4e47b12f4ecf2d5762df95e66fa34d
|
|
|
|
Previously the memcached configuration was set to use the defaults which
would be 95% of the avaiable ram in the system. This can lead to memory
contention issues if memcache is heavily utilized. This change reduces
the default to 50% and exposes the ability to tune this configuration.
Change-Id: Ie8a48ff4cf509e93d7c1487813d5feed5e5131a4
Closes-Bug: #1662941
|
|
Change-Id: I1bc3f37f910d6dfa833166217b1f58931d06be02
|
|
|
|
This patch adds the Octavia services to the registry and controller role
(disabled by default). Also included is an example environment file for
enabling the services and required configuration. The API service
profile is also amended configure the load balancer service provider in
neutron to point to the octavia load balancer driver.
Change-Id: I7f3bba950f5b1574ba842a39e93a8ac2b1ccf7bb
Partially-implements: blueprint octavia-service-integration
|
|
Ironic will soon refuse to start when at least some value is not provided.
Unfortunately, we do not create any overcloud[*] networks during deployment.
Fortunately, Ironic does not validate this value until actual cleaning. So,
this change sets it to "provisioning", which is what people often use.
An update will follow to the documentation to recommend this name:
http://tripleo.org/advanced_deployment/baremetal_overcloud.html#configuring-cleaning
A new parameter is created for this value, with a reminded to change it to
an actual UUID later on. While a pre-defined name will work in a simplest case,
in a real multi-tenant deployment a network name conflict is possible.
Using a UUID is safer in this regard.
[*] networks created in overcloud neutron
Change-Id: I1b7dc2ff70d3b76f19a183a60e88cf72f6d2a318
Closes-Bug: #1661082
|
|
This patch seeks to add futher security functions present within
tripleo for the ocata release.
Change-Id: Ie89b85589c2dfd3580de75253b73009b5d06c9f2
|
|
This patch allows the management of the AuditD service and its associated
files (such as `audit.rules`)
This is achieved by means of the `puppet-auditd` puppet module.
Also places ssh banner capabilities map on top of patch
Change-Id: Ib8bb52dde88304cb58b051bced9779c97a314d0d
Depends-On: Ie31c063b674075e35e1bfa28d1fc07f3f897407b
|