f5061fd022
The dictionary-based variables didn't work properly and this patch changes them to individual variables. If users followed the existing documentation, their environments will be unaffected by this change (they are still broken). The new variables follow the pattern `security_VARIABLENAME` which will soon become the standard for the role to avoid variable name collisions with other playbooks and roles. Release notes are included with this patch. Closes-bug: 1577944 Change-Id: I455f66a0b4f423e2cf0e753b129367427f29479f
969 B
The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods. Ubuntu 14.04 already enables SYN cookies by default, and this role will ensure that the default is maintained.
Keep in mind, however, that high-traffic environments may require TCP SYN cookies to be disabled. Certain load balancers may forward requests in such a way that web servers may think they're being SYN flooded during peak traffic events. Putting well-configured hardware network devices in front of OpenStack environments is always recommended and this may allow some deployers to turn off SYN cookies within their environment.
Deployers can disable TCP SYN cookies by setting an Ansible variable:
security_sysctl_tcp_syncookies: 0For more information on TCP SYN cookies and TCP SYN floods, refer to these links: