From 68d18fffbeda6fc69b9f123e154e558f72b8bc3f Mon Sep 17 00:00:00 2001 From: Dan Sneddon Date: Sun, 7 Feb 2016 16:17:09 +0100 Subject: Add sysctl settings to disable IPv6 autoconfig and accept_ra This change adds puppet hieradata settings which disable IPv6 autoconfiguration and accept_ra by default on all interfaces. When IPv6 is used, the interfaces are individually enabled and configured with static IP addresses. The networking on the compute host needs to be completely separate from the tenant networking, in order to safeguard the compute host and isolate tenant traffic. This change disables IPv6 autoconfiguration and acceptance of RAs by default on interfaces unless specifically enabled. Without these settings, IPv6 is enabled on all interfaces, as well as autoconfiguration and accept_ra, so when the compute host creates a bridge interface for the router (qbr-), the compute node will automatically assign an IPv6 address and will install a default IPv6 route on the bridge interface when it receives the RAs from the Neutron router. The change to turn off autoconfiguration means that interfaces will not self-assign an IPv6 address, and the change to not accept RAs is a security hardening feature. This requires that a static gateway address be declared in the network environment in the parameter ExternalNetworkDefaultRoute. Alternately, sysctl can be modified to change the accept_ra behavior for specific interfaces. Change-Id: I8a8d311a14b41baf6e7e1b8ce26a63abc2eaabef Closes-bug: 1544296
---
 puppet/hieradata/common.yaml | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'puppet/hieradata')
diff --git a/puppet/hieradata/common.yaml b/puppet/hieradata/common.yaml
index 52b23513..30645687 100644
--- a/puppet/hieradata/common.yaml
+++ b/puppet/hieradata/common.yaml
@@ -28,6 +28,11 @@ sysctl_settings:
 value: 500000
 net.netfilter.nf_conntrack_max:
 value: 500000
+ # prevent neutron bridges from autoconfiguring ipv6 addresses
+ net.ipv6.conf.default.accept_ra:
+ value: 0
+ net.ipv6.conf.default.autoconf:
+ value: 0
 nova::rabbit_heartbeat_timeout_threshold: 60
 neutron::rabbit_heartbeat_timeout_threshold: 60
-- cgit 1.2.3-korg
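Review bot: The two added keys only set `net.ipv6.conf.default.*`, which the kernel uses as the template for interfaces created after the sysctl is applied; interfaces that already exist when the setting lands (for example qbr- bridges present on a node being upgraded) keep their current accept_ra/autoconf values, so the hardening does not reach them unless their per-interface values (or the `all.*` counterparts, whose effect varies by kernel) are also set. The one-line comment on the first added line should state that scope, e.g. `# applies to interfaces created after these sysctls are set; pre-existing interfaces keep their own accept_ra/autoconf values`. It would also help to note next to accept_ra that, with RAs ignored, no default IPv6 route is learned and the static ExternalNetworkDefaultRoute from the commit message becomes mandatory, since a reader of common.yaml alone cannot see that dependency. The enclosing `sysctl_settings:` mapping begins before this hunk.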