puppet-tripleo/manifests
Oliver Walsh fd20b306b0 Restrict nova migration ssh tunnel
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run
  over ssh.

Requires the openstack-nova-migration package from
https://review.rdoproject.org/r/6327

bp tripleo-cold-migration

Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
(cherry picked from commit f8ca94a5b7)
2017-06-01 18:33:46 +00:00
certmonger Fix MySQL service name parameter 2017-01-27 21:03:58 +02:00
cluster Modify cassandra dependency 2015-12-14 14:15:15 +00:00
firewall Add a default rule for dhcpv6 traffic 2017-01-27 10:54:28 +01:00
glance NFS mounting for Glance file backend 2016-10-21 17:41:03 +02:00
haproxy Fix typo in endpoint.pp 2017-01-20 07:25:52 +00:00
host Delete the unnecessary word in numvfs_persistence.pp 2017-01-23 06:10:02 +00:00
network Fix style nits in contrail manifests 2017-02-01 21:35:15 +01:00
pacemaker IPv6 VIP addresses need to be /128 2017-05-04 12:18:46 +02:00
packages packages: run upgrade at 'setup' stage 2016-10-14 18:17:30 -04:00
profile Restrict nova migration ssh tunnel 2017-06-01 18:33:46 +00:00
fencing.pp Add support for fence_ironic fencing agent. 2017-01-11 16:55:32 +00:00
firewall.pp firewall: stop using stdlib stages 2016-11-21 14:24:20 -05:00
haproxy.pp Add tunnel timeout for ui proxy container 2017-04-04 11:06:18 +00:00
init.pp Implement firewalling in tripleo::firewall 2015-07-15 11:58:46 +02:00
keepalived.pp [keepalived] fix netmask for vip 2017-01-25 14:35:53 +00:00
noop.pp Add class to set noop on various puppet resources 2015-07-03 17:16:07 -04:00
packages.pp Ensure package updates don't happen unexpectedly 2016-12-22 16:42:12 +00:00
redis_notification.pp Loadbalancer: Add support for Redis 2015-04-16 21:13:40 +02:00
selinux.pp Add tripleo::selinux 2016-05-05 13:19:20 -04:00
tls_proxy.pp Add TLS proxy resource 2016-12-20 08:50:08 +00:00
trusted_ca.pp Add manifests to inject and trust CA certificates 2016-08-23 14:36:20 +00:00
trusted_cas.pp Add manifests to inject and trust CA certificates 2016-08-23 14:36:20 +00:00
ui.pp Enable languages in UI config 2017-02-18 15:19:32 +00:00