openstack/tripleo-heat-templates
Code Issues Proposed changes
RETIRED, Heat templates for deploying OpenStack
3,934 Commits 3 Branches 28 Tags 322 MiB
7268d1ae14
Go to file
zshi 7268d1ae14 Add network sysctl tweaks for security 
* Disable Kernel Parameter for Sending ICMP Redirects:
    - net.ipv4.conf.default.send_redirects = 0
    - net.ipv4.conf.all.send_redirects = 0

    Rationale: An attacker could use a compromised host
    to send invalid ICMP redirects to other router devices
    in an attempt to corrupt routing and have users access
    a system set up by the attacker as opposed to a valid
    system.

* Disable Kernel Parameter for Accepting ICMP Redirects:
    - net.ipv4.conf.default.accept_redirects = 0

    Rationale: Attackers could use bogus ICMP redirect
    messages to maliciously alter the system routing tables
    and get them to send packets to incorrect networks and
    allow your system packets to be captured.

* Disable Kernel Parameter for secure ICMP Redirects:
    - net.ipv4.conf.default.secure_redirects = 0
    - net.ipv4.conf.all.secure_redirects = 0

    Rationale: Secure ICMP redirects are the same as ICMP
    redirects, except they come from gateways listed on
    the default gateway list. It is assumed that these
    gateways are known to your system, and that they are
    likely to be secure.

* Enable Kernel Parameter to log suspicious packets:
    - net.ipv4.conf.default.log_martians = 1
    - net.ipv4.conf.all.log_martians = 1

    Rationale: Enabling this feature and logging these packets
    allows an administrator to investigate the possibility
    that an attacker is sending spoofed packets to their system.

* Ensure IPv6 redirects are not accepted by Default
    - net.ipv6.conf.all.accept_redirects = 0
    - net.ipv6.conf.default.accept_redirects = 0

    Rationale: It is recommended that systems not accept ICMP
    redirects as they could be tricked into routing traffic to
    compromised machines. Setting hard routes within the system
    (usually a single default route to a trusted router) protects
    the system from bad routes.

Change-Id: I2e8ab3141ee37ee6dd5a23d23dbb97c93610ea2e
Co-Authored-By: Luke Hinds <lhinds@redhat.com>
Signed-off-by: zshi <zshi@redhat.com>
2017-03-29 16:34:29 +08:00
ci Remove unnecesary code to enable panko-api 2017-03-13 09:35:48 +01:00
deployed-server Merge "Sort ResourceGroup resource list" 2017-03-27 19:59:32 +00:00
docker Remove kolla_config copy from keystone service. 2017-03-27 17:49:40 +02:00
environments Merge "Nic config mappings for deployed-server" 2017-03-28 09:26:31 +00:00
extraconfig Merge "Don't try to run os-net-config from yum_update.sh" 2017-03-20 17:16:05 +00:00
firstboot Merge "Add support for node groups in NetConfigDataLookup" 2017-02-23 03:51:37 +00:00
network Merge "Don't assume default network names in net_ip*map" 2017-02-25 16:38:11 +00:00
puppet Add network sysctl tweaks for security 2017-03-29 16:34:29 +08:00
releasenotes Add network sysctl tweaks for security 2017-03-29 16:34:29 +08:00
scripts Don't rely on lsb_release for hosts template write 2016-12-08 20:09:26 +00:00
tools Change kolla_config from required to optional in pep8. 2017-03-20 17:06:29 -04:00
validation-scripts FQDN validation 2017-02-14 17:39:35 +00:00
.gitignore Add ReNo support 2017-01-13 14:35:27 -05:00
.gitreview Update stackforge references to openstack 2013-08-17 22:57:57 -04:00
all-nodes-validation.yaml FQDN validation 2017-02-14 17:39:35 +00:00
babel.cfg Add release configuration. 2013-10-22 17:49:35 +01:00
bindep.txt Add bindep support 2017-03-13 12:11:46 -04:00
bootstrap-config.yaml Bump template version for all templates to "ocata" 2016-12-23 11:43:39 +00:00
capabilities-map.yaml Add BGPVPN composable service 2017-03-10 11:35:48 +01:00
default_passwords.yaml Bump template version for all templates to "ocata" 2016-12-23 11:43:39 +00:00
hosts-config.yaml Bump template version for all templates to "ocata" 2016-12-23 11:43:39 +00:00
j2_excludes.yaml Add generic template for custom roles. 2016-10-06 02:13:36 +00:00
LICENSE Add license file 2014-01-20 11:58:20 +01:00
MANIFEST.in Add release configuration. 2013-10-22 17:49:35 +01:00
net-config-bond.yaml Bump template version for all templates to "ocata" 2016-12-23 11:43:39 +00:00
net-config-bridge.yaml Bump template version for all templates to "ocata" 2016-12-23 11:43:39 +00:00
net-config-linux-bridge.yaml Bump template version for all templates to "ocata" 2016-12-23 11:43:39 +00:00
net-config-noop.yaml Update net-config-noop to use apply-config 2017-01-08 15:02:11 -05:00
net-config-static-bridge-with-external-dhcp.yaml Bump template version for all templates to "ocata" 2016-12-23 11:43:39 +00:00
net-config-static-bridge.yaml Bump template version for all templates to "ocata" 2016-12-23 11:43:39 +00:00
net-config-static.yaml Bump template version for all templates to "ocata" 2016-12-23 11:43:39 +00:00
net-config-undercloud.yaml Template and role support for the undercloud 2017-01-06 20:01:14 -05:00
overcloud-resource-registry-puppet.j2.yaml Add certmonger-user profile 2017-03-13 17:10:13 +02:00
overcloud.j2.yaml Pick dynamically the first node for stack validation 2017-03-17 09:29:41 +01:00
plan-environment.yaml Add plan-environment.yaml 2017-03-01 12:44:24 +01:00
README.rst Update README for Glance coverage 2017-03-13 20:16:16 -04:00
requirements.txt Updated from global requirements 2017-01-14 10:47:01 +00:00
roles_data_undercloud.yaml Containerize panko api service 2017-03-17 14:30:11 +00:00
roles_data.yaml Add certmonger-user profile 2017-03-13 17:10:13 +02:00
setup.cfg Drop deprecated templates/Makefile/merge.py 2015-11-25 15:00:13 -05:00
setup.py Updated from global requirements 2017-01-10 09:44:01 +00:00
test-requirements.txt Updated from global requirements 2017-02-14 06:02:06 +00:00
tox.ini Validate that endpoint_map.yaml is up to date in the gate 2017-02-01 16:06:20 -05:00

README.rst

Team and repository tags

image

tripleo-heat-templates

Heat templates to deploy OpenStack using OpenStack.

Features

The ability to deploy a multi-node, role based OpenStack deployment using OpenStack Heat. Notable features include:

  • Choice of deployment/configuration tooling: puppet, (soon) docker
  • Role based deployment: roles for the controller, compute, ceph, swift, and cinder storage
  • physical network configuration: support for isolated networks, bonding, and standard ctlplane networking

Directories

A description of the directory layout in TripleO Heat Templates.

  • environments: contains heat environment files that can be used with -e

    on the command like to enable features, etc.

  • extraconfig: templates used to enable 'extra' functionality. Includes

    functionality for distro specific registration and upgrades.

  • firstboot: example first_boot scripts that can be used when initially

    creating instances.

  • network: heat templates to help create isolated networks and ports
  • puppet: templates mostly driven by configuration with puppet. To use these

    templates you can use the overcloud-resource-registry-puppet.yaml.

  • validation-scripts: validation scripts useful to all deployment

    configurations

Service testing matrix

The configuration for the CI scenarios will be defined in tripleo-heat-templates/ci/ and should be executed according to the following table:

- scenario001 scenario002 scenario003 scenario004 multinode-nonha
keystone

X

X

X

X

X
glance

rbd

swift

file

 swift + rbd

swift
cinder

rbd

iscsi

iscsi
heat

X

X

X

X

X
mysql

X

X

X

X

X
neutron

ovs

ovs

ovs

ovs

X
rabbitmq

X

X

X

X

X
mongodb

X

X
redis

X
haproxy

X

X

X

X

X
keepalived

X

X

X

X

X
memcached

X

X

X

X

X
pacemaker

X

X

X

X

X
nova

qemu

qemu

qemu

qemu

X
ntp

X

X

X

X

X
snmp

X

X

X

X

X
timezone

X

X

X

X

X
sahara

X
mistral

X
swift

X

X
aodh

X
ceilometer

X
gnocchi

X
panko

X
barbican

X
zaqar

X
ec2api

X
cephrgw

X

X
tacker

X
congress

X
cephmds

X
manila

X