puppet-tripleo/releasenotes/notes
Oliver Walsh fd20b306b0 Restrict nova migration ssh tunnel
This change enhances the security of the migration ssh tunnel:
- The ssh authorized_keys file is only writeable by root.
- Creates a new user for migration instead of using root/nova.
- Disables SSH forwarding for this user.
- Optionally restricts the networks that this user can connect from.
- Uses an ssh wrapper command to whitelist the commands that this user can run
  over ssh.

Requires the openstack-nova-migration package from
https://review.rdoproject.org/r/6327

bp tripleo-cold-migration

Change-Id: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
(cherry picked from commit f8ca94a5b7)
2017-06-01 18:33:46 +00:00
6.2.0-64eaf596539f3ed1.yaml Add missing release notes for Ocata RC1 2017-02-15 11:29:01 -05:00
add-ldap-backend-48e875e971343e2a.yaml Add a trigger to call ldap_backend define 2017-04-07 07:23:33 +00:00
add-octavia-auth-to-keystone-d0353544c0e27b57.yaml Add missing octavia auth include to keystone manifest 2017-04-07 14:52:51 +00:00
add-support-for-octavia-f1e472af89e9a05c.yaml Add initial profiles for rest of Octavia services 2017-01-25 18:17:25 -03:30
add-tunnel-timeout-for-haproxy-ui-0705dfd671f9f487.yaml Add tunnel timeout for ui proxy container 2017-04-04 11:06:18 +00:00
calculate-dhcp-agents-per-network-3089c5e7b15f8b7b.yaml make release note a list of strings 2017-06-01 12:54:01 -04:00
cold_migration_security-1543136408c76459.yaml Restrict nova migration ssh tunnel 2017-06-01 18:33:46 +00:00
cold_migration_setup-dc4ebd834920c27f.yaml Configure migration SSH tunnel 2017-04-21 01:02:04 +00:00
create-ceilo-user-for-gnocchi-b8a4d5ea2f2375a9.yaml Decouple ceilometer user create from API 2017-04-04 12:06:57 +00:00
enable-languages-in-ui-88a8caa6db9b4dd7.yaml Enable languages in UI config 2017-02-18 15:19:32 +00:00
ensure-ssl-conf-2f32c6ead6f3bb0e.yaml Ensure we configure ssl.conf 2017-04-19 13:41:14 +02:00
fix-horizon-configuration-during-updates-aecfab9a4aa8770b.yaml Move horizon to step 3 2017-04-03 11:03:50 -06:00
fix-sriov-neutron-base-3e32bd667886c474.yaml Fixes missing neutron base in sriov 2017-04-06 01:36:47 +00:00
hpelefthand_8474c416b0d411e6.yaml HPELeftHandISCSIDriver support for cinder 2016-12-09 03:00:55 -08:00
innodb_file_per_table-f925b3bbf29d44ea.yaml Revert "Revert "set innodb_file_per_table to ON for MySQL / Galera"" 2017-02-03 19:50:08 +00:00
nova_cells_setup-2c3e3344d8adcc26.yaml nova: deploy basic setup for cells 2017-01-27 14:26:25 +00:00
proxy-api-endpoints-359e5fb64d80d400.yaml Proxy API endpoints that UI uses 2017-02-03 20:04:10 -05:00
puppet-auditd-0f6cbd6a2d193aac.yaml Add AuditD Profile 2017-01-27 10:10:34 +00:00
rabbitmq_password_change-4fce15c9ebb0e20c.yaml Add support to changing the Rabbitmq password on update 2017-02-03 16:15:50 +05:30
re-run-ceilo-upgrade-0d9ba69fe4bfe780.yaml Re-run gnocchi and ceilometer upgrade in step 5 2017-03-27 15:45:19 +00:00
remove-old-urls-dea2b7fdcb50dd48.yaml Proxy API endpoints that UI uses 2017-02-03 20:04:10 -05:00
restrict-mongodb-memory-c19d69638b63feb4.yaml Restrict mongodb memory usage 2017-04-17 12:46:05 +00:00
rgw-keystone-v3-43ef17dd10f825be.yaml Add support for not using admin_token in Ceph/RGW 2017-01-09 18:31:33 +01:00
sriov_numvfs-40564db9e1be589b.yaml Fixes typo in sriov_numvfs releasenotes 2016-12-02 10:39:11 +00:00
sshd-437c531301f458bb.yaml SSHD Service extensions 2017-04-21 14:06:12 +01:00
use-reno-80402e5526a598aa.yaml Add basic structure for ReNo 2016-12-03 13:16:33 +00:00
vncserver_listen-4417377cac38464c.yaml nova/libvirt: switch vnc server binding 2017-02-06 17:10:19 +00:00