Introduces a service to configure AIDE Intrusion Detection.
This service init's the database and copies the new database
to the active naming. It also sets a cron job, using email if
`AideEmail` is populated, otherwise the reports are sent to
`/var/log/aide/`.
AIDE rules can be supplied as a hash, and should the rules ever
be changed, the service will populate the new rules and re-init
a fresh integrity database.
Related-Blueprint: tripleo-aide-database
Depends-On: Iac2ceb7fc6b610f8920ae6f75faa2885f3edf6eb
Change-Id: I23d8ba2c43e907372fe079026df1fca5fa1c9881
Background:
extraconfig/pre_deploy/rhel-registration interface has been maintained
for some time now but it's missing some features and the code overlaps
with ongoing efforts to convert everything to Ansible.
Plan:
Consume ansible-role-redhat-subscription from TripleO, so all the logics
goes into the Ansible role, and not in TripleO anymore.
The single parameter exposed to TripleO is RhsmVars and any Ansible
parameter can be given to make the role working.
The parameter can be overriden per roles, so we can think at specific
cases were some Director roles would have specific RHSM configs.
Once we have feature parity between what is done and what was here
before, we'll deprecate the old interface.
Testing:
Because RHSM can't be tested on CentOS, this code was manually tested on
RHEL against the public subscription portal. Also, we verified that
generated Ansible playbooks were correct and called the role with the
right parameters.
Documentation:
We'll work on documentation during the following weeks and explain
how to switch from the previous interface to the new one, and also
document new uses requested by our users.
Change-Id: I8610e4f1f8478f2dcbe3afc319981df914ce1780
Enables management of shadow password directives in login.defs
By allowing operators to set values in login.defs, they are able
to improve password security for newly created system accounts.
This change will in turn allow operators to adhere with security
hardening frameworks, such as STIG DISA & CIS Security Benchmarks.
bp login-defs
Change-Id: Id4fe88cb9569f18f27f94c35b5c27a85fe7947ae
Depends-On: Iec8c032adb44593da3770d3c6bb5a4655e463637
A router is needed so that router advertisements are send out for
the subnet. Also add the router plugin and start the l3 agent
which are responsible for the router handling.
Change-Id: I2c7c6232d00a11f550ad186f94ce628090ec93ed
If enable_cinder is true in undercloud.conf, we will need to include
these env files to setup cinder containers.
Change-Id: I208347c52ac5ad24a54aade0be23a31f5bdd4249
This patch adds the Docker service to the default undercloud
roles data. By default Docker is set to OS::Heat::None.
When using environments/docker.yaml however it will get set
to puppet/service/docker.yaml which will facilitate installing
the Docker service early in the deployment at step 1.
Change-Id: I2d569eef136254dc81bdee93a7869fd361a8400d
Mistral has an event engine to trigger cron-type events. Let's use it.
Change-Id: I15b48bd7a501608b1fad64fea8d4f9822946dcb2
Depends-On: I71f556c96ed7c2bbafacab4b2f66874effbd8b73
Add a docker service template to provide containerized services
logs rotation with a crond job.
Add OS::TripleO::Services::LogrotateCrond to CI multinode-containers
and to all environments among with generic services like Ntp or Kernel.
Set it to OS::Heat::None for non containerized environments and
only enable it to the environments/docker.yaml.
Closes-bug: #1700912
Change-Id: Ic94373f0a0758e9959e1f896481780674437147d
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Allow the user to set a specific Tuned profile on a given host.
Defaults to throughput-performance
Change-Id: I0c66193d2733b7a82ad44b1cd0d2187dd732065a
This patch drops MongoDB from the undercloud and swaps
in a 'swift' and 'sqlalchemy' versions for the Zaqar
backends.
Change-Id: Ic6600f284dfbf4360b42598d3651b4c0f8046d1c
With the merging of Iad3e9b215c6f21ba761c8360bb7ed531e34520e6 the
roles_data.yaml should be generated with tripleoclient rather than
edited. This change adds in a pep8 task to verify that the appropriate
role files in roles/ have been modified to match how our default
roles_data.yaml is constructed. Additionally this change adds a new tox
target called 'genrolesdata' that will all you to automatically generate
roles_data.yaml and roles_data_undercloud.yaml
Change-Id: I5eb15443a131a122d1a4abf6fc15a3ac3e15941b
Related-Blueprint: example-custom-role-environments
This configures iscsid so that it runs as a container on
relevant roles (undercloud, controller, compute, and volume).
When the iscsid docker service is provision it will also run
an ansible snippet that disables the iscsid.socket on the host
OS thus disabling the hosts systemd from auto-starting iscsid
as it normally does.
Co-Authored-By: Jon Bernard <jobernar@redhat.com>
Change-Id: I2ea741ad978f166e199d47ed1b52369e9b031f1f
As we create new standard roles, we should include them from a single
location for ease of use and to reduce the duplication of the role
definitions elsewhere. This change adds a roles folder to the THT that
can be used with the new roles commands in python-tripleoclient by the
end user to generate a roles_data.yaml from a standard set of roles.
Depends-On: I326bae5bdee088e03aa89128d253612ef89e5c0c
Change-Id: Iad3e9b215c6f21ba761c8360bb7ed531e34520e6
Related-Blueprint: example-custom-role-environments