puppet-tripleo/manifests/profile/base
Oliver Walsh fd20b306b0 Restrict nova migration ssh tunnel
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run
  over ssh.

Requires the openstack-nova-migration package from
https://review.rdoproject.org/r/6327

bp tripleo-cold-migration

Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
(cherry picked from commit f8ca94a5b7)
2017-06-01 18:33:46 +00:00
aodh Ensure we configure ssl.conf 2017-04-19 13:41:14 +02:00
barbican Ensure we configure ssl.conf 2017-04-19 13:41:14 +02:00
ceilometer Merge "Move ceilometer wsgi to step 3" into stable/ocata 2017-04-21 06:00:55 +00:00
ceph Add support for not using admin_token in Ceph/RGW 2017-01-09 18:31:33 +01:00
cinder Ensure we configure ssl.conf 2017-04-19 13:41:14 +02:00
database Restrict mongodb memory usage 2017-04-17 12:46:05 +00:00
glance Clean TLS proxy-related setup for glance api profile 2017-01-24 17:53:46 +00:00
gnocchi Merge "Move gnocchi wsgi configuration to step 3" into stable/ocata 2017-04-25 13:34:50 +00:00
heat Move db syncs into mysql base role 2016-09-27 12:08:20 -04:00
ironic Explicitly configure credentials used by ironic to access other services 2017-03-21 12:00:03 +00:00
logging Deploy monitoring/logging agents sooner 2016-10-21 12:41:25 +02:00
manila Set enabled_share_protocols based on enabled backends 2016-10-07 12:21:48 +02:00
metrics updates to collectd support 2017-01-18 10:06:15 -05:00
mistral Fix mistral sync_db profile steps 2016-08-09 16:32:45 +02:00
monitoring Deploy monitoring/logging agents sooner 2016-10-21 12:41:25 +02:00
neutron Fixes missing neutron base in sriov 2017-04-06 01:36:47 +00:00
nova Ensure we configure ssl.conf 2017-04-19 13:41:14 +02:00
octavia Add initial profiles for rest of Octavia services 2017-01-25 18:17:25 -03:30
panko Ensure we configure ssl.conf 2017-04-19 13:41:14 +02:00
sahara Move db syncs into mysql base role 2016-09-27 12:08:20 -04:00
swift Migrate Swift ring handling from tripleo-heat-templates to puppet-tripleo 2017-04-09 17:18:57 +00:00
time Stop the chronyd service 2017-03-07 07:16:18 -07:00
trove Move db syncs into mysql base role 2016-09-27 12:08:20 -04:00
aodh.pp Use FQDNs for the services' RabbitMQ configuration 2016-11-28 15:45:03 +02:00
auditd.pp Add AuditD Profile 2017-01-27 10:10:34 +00:00
barbican.pp Add barbican profile 2016-10-19 08:44:58 +03:00
ceilometer.pp Use FQDNs for the services' RabbitMQ configuration 2016-11-28 15:45:03 +02:00
ceph.pp Enable usage of "short names" for Ceph cluster 2016-10-05 16:22:40 +03:00
cinder.pp cinder: move glance params into common 2017-01-19 20:20:02 -05:00
congress.pp Adding congress service 2017-01-26 08:26:43 -05:00
docker_registry.pp Stop accidentally removing docker-distribution 2017-02-21 16:08:36 +00:00
etcd.pp Adds etcd 2017-01-18 23:58:11 -05:00
gnocchi.pp Fix parameters and headers inconsistency in the puppet manifests. 2016-08-08 22:44:01 +02:00
haproxy.pp Reload haproxy if any configuration changes on HA 2016-10-26 19:38:55 +03:00
heat.pp Use transport_url for rabbitmq connection parameters in heat 2017-01-26 10:58:01 +01:00
horizon.pp Move horizon to step 3 2017-04-03 11:03:50 -06:00
ironic.pp Add ::ironic::config to Ironic base profile 2017-02-04 13:57:03 -05:00
keepalived.pp Adds auto-detection for VIP interfaces 2016-11-20 11:47:57 -05:00
kernel.pp Defaults empty hash to kernel_modules and sysctl_settings 2016-08-15 19:24:32 -04:00
keystone.pp Ensure we configure ssl.conf 2017-04-19 13:41:14 +02:00
manila.pp Use FQDNs for the services' RabbitMQ configuration 2016-11-28 15:45:03 +02:00
memcached.pp Fix parameters and headers inconsistency in the puppet manifests. 2016-08-08 22:44:01 +02:00
mistral.pp Use FQDNs for the services' RabbitMQ configuration 2016-11-28 15:45:03 +02:00
neutron.pp Default neutron dhcp_agents_per_network to number of agents 2017-03-03 08:48:14 -03:30
nova.pp Restrict nova migration ssh tunnel 2017-06-01 18:33:46 +00:00
octavia.pp Add base profile for Octavia services 2017-01-19 13:05:27 -03:30
pacemaker.pp Use verify_on_create when creating pacemaker remote resources 2017-05-19 08:09:16 +02:00
pacemaker_remote.pp pacemaker remote profile support 2017-01-24 15:46:51 +01:00
panko.pp panko: Do db_sync in api manifest 2017-03-21 13:55:47 +00:00
rabbitmq.pp syntax error extra comma in rabbitmq.pp 2017-04-07 19:02:48 +00:00
sahara.pp Use FQDNs for the services' RabbitMQ configuration 2016-11-28 15:45:03 +02:00
snmp.pp Removing WARNING: line has more than 140 characters in puppet-tripleo profiles 2016-08-11 19:11:51 +00:00
sshd.pp Refactor SSHD config to allow both SSHD options and banner/motd to be set 2017-04-21 14:08:00 +01:00
tacker.pp Adding tacker service 2017-01-25 13:59:09 -05:00
ui.pp Manage tripleo-ui configuration files with puppet 2016-09-16 14:11:14 +02:00
validations.pp Add validations profile for tripleo 2016-09-12 17:39:50 +02:00
zaqar.pp Ensure we configure ssl.conf 2017-04-19 13:41:14 +02:00