Add overcloud-secure element
This element will export all the block device configuration needed for security images. As the layout to expose is complex, it won't fit in the environment vars that can be provided on tripleo-common. So it is better to create a new element that exposes all this configuration, and include it in the security hardened image. It will also uninstall some packages that need to be removed for security reasons.

Change-Id: Id6ece1c734d4cbf5adb857f0e627f59543be44ae
Needed-By: I541055fe81900b91e2bf131f1e95ce08c94f2554
This commit is contained in:
parent 748f4680bb
commit 17f835b487
@ -0,0 +1,15 @@
overcloud-secure
================

CAUTION: This element is part of the security hardened images feature, that
is delivered in this release as tech preview. The following element is not
intended for production usage.

overcloud-secure is an element to add extra security hardening features to
the tripleo images: partition creation and unsafe package uninstall.

It includes the block-device-default definition, that creates independent
partitions on the overcloud image, allowing those to accomplish the ANSSI
security requirements. Please note that the sizes of the partitions may not
be enough for production usage, they will need to be resized properly after
deployment depending on the available disk size.
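Review bot: the README never says which packages the element removes, although the commit message and the package-installs file in this change uninstall kexec-tools and telnet; add one sentence naming them and the reason, so an operator knows what the hardened image will lack (removing kexec-tools also disables kdump crash dumps). The paragraph on "the block-device-default definition" would be more useful if it listed the mount points the layout creates (/, /tmp, /var, /var/log, /var/log/audit, /home) with their sizes, which makes the caution about resizing after deployment actionable. Minor style: "feature, that is delivered" reads better as "feature, which is delivered".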
@ -0,0 +1,58 @@
- local_loop:
name: image0
- partitioning:
base: image0
label: mbr
partitions:
- name: root
flags: [ boot,primary ]
size: 6G
mkfs:
type: xfs
label: "img-rootfs"
mount:
mount_point: /
fstab:
options: "rw,relatime"
fck-passno: 1
- name: tmp
size: 1G
mkfs:
type: xfs
mount:
mount_point: /tmp
fstab:
options: "rw,nosuid,nodev,noexec,relatime"
- name: var
size: 7G
mkfs:
type: xfs
mount:
mount_point: /var
fstab:
options: "rw,relatime"
- name: log
size: 5G
mkfs:
type: xfs
mount:
mount_point: /var/log
fstab:
options: "rw,relatime"
- name: audit
size: 900M
mkfs:
type: xfs
mount:
mount_point: /var/log/audit
fstab:
options: "rw,relatime"
- name: home
size: 100M
mkfs:
type: xfs
mount:
mount_point: /home
fstab:
options: "rw,nodev,relatime"

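Review bot: the mount options are inconsistent across the partitions this layout creates for hardening: /tmp gets "rw,nosuid,nodev,noexec,relatime" and /home gets "rw,nodev,relatime", but /var, /var/log and /var/log/audit are mounted with plain "rw,relatime", and there is no separate /var/tmp partition, so /var/tmp inherits the unrestricted /var options. If the point of the separation is the ANSSI requirements the README cites, consider nosuid,nodev (and noexec where nothing needs to execute) on the /var/log and /var/log/audit mounts, and either a /var/tmp partition or a bind mount carrying the /tmp options. Also, only the root partition sets fck-passno; set it explicitly (fck-passno: 2) on the other five for consistency rather than relying on the builder default. Finally, the label is mbr with six partitions and only root carries the primary flag; please confirm in the commit message or README that the remaining partitions are created as logical partitions inside an extended partition, since MBR only has four primary entries.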
@ -0,0 +1 @@
package-installs
@ -0,0 +1,4 @@
kexec-tools:
uninstall: True
telnet:
uninstall: True
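Review bot: the file gives no reason for the two removals and the commit message only says "for security reasons"; add a YAML comment above each entry stating why (kexec-tools lets a running system load and switch to another kernel, bypassing the normal boot path, and removing it also disables kdump; the telnet client sends credentials in cleartext), so the list can be reviewed and extended consistently later. It would also help to note in the README that both packages are removed after the install phase via uninstall: True, since that is the mechanism an operator would otherwise have to infer from this file.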