Add creation of security hardened images

Those images won't use baremetal element, but will use bootloader instead. That image also comes with pre-created volumes with the right security flags, as well as enabling some extra flags on grub, and blacklisting some modules. Implements: blueprint whole-disk-images Change-Id: I541055fe81900b91e2bf131f1e95ce08c94f2554 Depends-On: I292fb70cde41ee6053b7b81a67931bcdaaa6d664 Depends-On: I153f979722eaec49eab93d7cd398c5589b9bfc44 Depends-On: Id6ece1c734d4cbf5adb857f0e627f59543be44ae
2017-03-22 12:49:39 +01:00 · 2017-03-22 12:49:39 +01:00 · fc07b696ac
parent 4a84166ca7
commit fc07b696ac
3 changed files with 63 additions and 1 deletions
--- a/image-yaml/overcloud-images-centos7.yaml
+++ b/image-yaml/overcloud-images-centos7.yaml
@ -19,4 +19,12 @@ disk_images:
      - selinux-permissive
    packages:
      - yum-plugin-priorities
-
+  -
+    imagename: overcloud-security-hardened-full
+    arch: amd64
+    type: qcow2
+    distro: centos7
+    elements:
+      - selinux-permissive
+    packages:
+      - yum-plugin-priorities
--- a/image-yaml/overcloud-images-rhel7.yaml
+++ b/image-yaml/overcloud-images-rhel7.yaml
@ -11,3 +11,8 @@ disk_images:
    arch: amd64
    type: qcow2
    distro: rhel7
+  -
+    imagename: overcloud-security-hardened-full
+    arch: amd64
+    type: qcow2
+    distro: rhel7
--- a/image-yaml/overcloud-images.yaml
+++ b/image-yaml/overcloud-images.yaml
@ -61,3 +61,52 @@ disk_images:
      - "--min-tmpfs=5"
    environment:
      DIB_PYTHON_VERSION: '2'
+
+  -
+    imagename: overcloud-security-hardened-full
+    arch: amd64
+    type: qcow2
+    elements:
+      - dhcp-all-interfaces
+      - overcloud-agent
+      - overcloud-full
+      - overcloud-controller
+      - overcloud-compute
+      - overcloud-ceph-storage
+      - puppet-modules
+      - hiera
+      - os-net-config
+      - stable-interface-names
+      - bootloader
+      - element-manifest
+      - dynamic-login
+      - iptables
+      - enable-packages-install
+      - pip-and-virtualenv-override
+      - ntp
+      - dracut-regenerate
+      - remove-machine-id
+      - modprobe-blacklist
+      - overcloud-secure
+    packages:
+      - python-psutil
+      - python-debtcollector
+      - plotnetcfg
+      - sos
+      - device-mapper-multipath
+      - python-heat-agent-puppet
+      - python-heat-agent-hiera
+      - python-heat-agent-apply-config
+      - python-heat-agent-ansible
+      - python-heat-agent-docker-cmd
+      - python-heat-agent-json-file
+      - screen
+    options:
+      - "--min-tmpfs 5"
+    environment:
+      DIB_PYTHON_VERSION: '2'
+      DIB_MODPROBE_BLACKLIST: 'usb-storage cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat bluetooth'
+      DIB_BOOTLOADER_DEFAULT_CMDLINE: 'nofb nomodeset vga=normal console=tty0 console=ttyS0,115200 audit=1 nousb'
+      DIB_IMAGE_SIZE: '20'
+      COMPRESS_IMAGE: '1'
+