14 Commits

Author SHA1 Message Date
lhinds
7e68dbdf8c Implements AIDE Intrusion Detection System
Introduces a service to configure AIDE Intrusion Detection.

This service init's the database and copies the new database
to the active naming. It also sets a cron job, using email if
`AideEmail` is populated, otherwise the reports are sent to
`/var/log/aide/`.

AIDE rules can be supplied as a hash, and should the rules ever
be changed, the service will populate the new rules and re-init
a fresh integrity database.

Related-Blueprint: tripleo-aide-database
Depends-On: Iac2ceb7fc6b610f8920ae6f75faa2885f3edf6eb
Change-Id: I23d8ba2c43e907372fe079026df1fca5fa1c9881
2018-01-15 13:10:16 +00:00
Emilien Macchi
6a6872f390 Introduce OS::TripleO::Services::Rhsm
Background:
extraconfig/pre_deploy/rhel-registration interface has been maintained
for some time now but it's missing some features and the code overlaps
with ongoing efforts to convert everything to Ansible.

Plan:
Consume ansible-role-redhat-subscription from TripleO, so all the logics
goes into the Ansible role, and not in TripleO anymore.
The single parameter exposed to TripleO is RhsmVars and any Ansible
parameter can be given to make the role working.
The parameter can be overriden per roles, so we can think at specific
cases were some Director roles would have specific RHSM configs.
Once we have feature parity between what is done and what was here
before, we'll deprecate the old interface.

Testing:
Because RHSM can't be tested on CentOS, this code was manually tested on
RHEL against the public subscription portal. Also, we verified that
generated Ansible playbooks were correct and called the role with the
right parameters.

Documentation:
We'll work on documentation during the following weeks and explain
how to switch from the previous interface to the new one, and also
document new uses requested by our users.

Change-Id: I8610e4f1f8478f2dcbe3afc319981df914ce1780
2017-12-27 11:03:49 -08:00
Juan Antonio Osorio Robles
898ad4f54b Add IPSEC composable service
This service is tied to the external_deploy_tasks (such as the k8s
service); and it deploys IPSEC in the overcloud.

bp ipsec

Change-Id: Ie3b7af92c0ec97241de6d8badec13b9e93ee9305
2017-12-05 13:10:18 +00:00
lhinds
502fde7a64 Implements management of /etc/login.defs
Enables management of shadow password directives in login.defs

By allowing operators to set values in login.defs, they are able
to improve password security for newly created system accounts.

This change will in turn allow operators to adhere with security
hardening frameworks, such as STIG DISA & CIS Security Benchmarks.

bp login-defs

Change-Id: Id4fe88cb9569f18f27f94c35b5c27a85fe7947ae
Depends-On: Iec8c032adb44593da3770d3c6bb5a4655e463637
2017-11-29 09:23:25 +00:00
Zuul
b2bc4f36a3 Merge "logging: merge fluentd-client and fluentd-base" 2017-11-22 10:41:19 +00:00
Lars Kellogg-Stedman
f982eb55c4 logging: merge fluentd-client and fluentd-base
The fluentd implementation was originally split across multiple files
in order to support both client and server services. we ultimately
decided to only implement the client as part of tripleo so this
division is no longer necessary.  This commit merges
fluentd-client.yaml and fluentd-base.yaml into fluentd.yaml, and
renames things appropriately.

Partial-bug: #1715187
Depends-On: Iace34b7baae8822d2233d97adabf6ebc8833adab
Change-Id: Idb9886f04d56ffc75a78c4059ff319b58b4acf9f
2017-11-17 11:04:52 +01:00
Juan Antonio Osorio Robles
97f9a01f79 Add rsyslog-sidecar resource and configuration
This introduces a "sidecar" container, which is meant to be used
besides other containers (or as part of the pod). It merely uses
rsyslog to listen on a specific UNIX socket and outputs what it
gets to stdout.

This adds the service to each relevant role and introduces a
composable service which merely configures the container. Subsequently
it'll be used as part of other templates.

Note that it is only enabled if "stdout logging" is enabled.

bp logging-stdout-rsyslog
Depends-On: I4864ddca223becd0a17f902729cf2e566df5e521

Change-Id: I2c54acaaa820961c936f1fbe304f42162f720496
2017-11-17 10:38:57 +02:00
Michele Baldessari
1760079dfe Move the clustercheck service to the DB role
The clustercheck service is currently in the ControllerOpenstack role
which represents a controller without the DB. Since the clustercheck
service/container always talks to the SQL server via a localhost
connection it *has* to run on the very same node that hosts the DB.

In a containerized deployment this error shows up with db syncs simply
hanging because haproxy will stop serving port 3306 because the
clustercheck service on port 9200 cannot talk to mysql locally.

Errors like this will be logged when trying to connect to the DB VIP:
mysql -u heat -h 172.17.1.13 -p3UazsaeTC64V9UvEcJ3GZ9rbd
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 0

Fix this by making sure that the clustercheck service runs on
the DB role.

Change-Id: Iec4c9678d8b8d44e002c1e53110dedc0674359fb
Closes-Bug: #1715847
2017-09-08 12:31:18 +02:00
Alex Schultz
50c975d159 Add missing Docker service
The example composable roles are missing the docker service declaration
so they currently do not work when trying to deploy with containerized
services.

Change-Id: I986ae561b950e74aacea10bce84673e8d0c9bd97
Closes-Bug: #1713755
2017-08-29 09:31:03 -06:00
Bogdan Dobrelya
8a03456056 Add logrotate with crond service
Add a docker service template to provide containerized services
logs rotation with a crond job.
Add OS::TripleO::Services::LogrotateCrond to CI multinode-containers
and to all environments among with generic services like Ntp or Kernel.
Set it to OS::Heat::None for non containerized environments and
only enable it to the environments/docker.yaml.

Closes-bug: #1700912

Change-Id: Ic94373f0a0758e9959e1f896481780674437147d
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-08-21 08:56:29 +02:00
Juan Antonio Osorio Robles
0bf9c789c7 Add certmonger user profile to all overcloud roles
This is needed for TLS everywhere, else the certs won't be requested.

Change-Id: I9849e009843683a75fefa6e9f4b8213bcff3a889
Closes-Bug: #1711424
2017-08-17 20:40:19 +03:00
Joe Talerico
c2b2cc555a Adding Tuned Service
Allow the user to set a specific Tuned profile on a given host.

Defaults to throughput-performance

Change-Id: I0c66193d2733b7a82ad44b1cd0d2187dd732065a
2017-07-25 17:08:37 +00:00
Steven Hardy
cba5288867 Make network-isolation environment rendered for all roles
Currently there's some hard-coded references to roles here, rendering
from the roles_data.yaml is a step towards making the use of isolated
networks for custom roles easier.

Partial-Bug: #1633090
Depends-On: Ib681729cc2728ca4b0486c14166b6b702edfcaab
Change-Id: If3989f24f077738845d2edbee405bd9198e7b7db
2017-06-13 11:19:02 +01:00
Alex Schultz
0b259c8d39 Standardize example role definitions
As we create new standard roles, we should include them from a single
location for ease of use and to reduce the duplication of the role
definitions elsewhere. This change adds a roles folder to the THT that
can be used with the new roles commands in python-tripleoclient by the
end user to generate a roles_data.yaml from a standard set of roles.

Depends-On: I326bae5bdee088e03aa89128d253612ef89e5c0c
Change-Id: Iad3e9b215c6f21ba761c8360bb7ed531e34520e6
Related-Blueprint: example-custom-role-environments
2017-06-07 20:20:03 +00:00