Added default whitelist
Change-Id: I32318739661629d733fde4fb0c168108cf490eb5
parent
5d697ffbab
commit
a2bd542d26
|
@ -180,5 +180,12 @@ Example YAML file with whitelist rules:
|
||||||
rule: Service[nova-compute]/ensure
|
rule: Service[nova-compute]/ensure
|
||||||
```
|
```
|
||||||
|
|
||||||
|
The default whitelist can be loaded with following command
|
||||||
|
```
|
||||||
|
fuel2 audit whitelist load fromfile <env-id> /usr/lib/python2.7/site-packages/fuel_external_git/default_whitelist.yaml
|
||||||
|
```
|
||||||
|
Note: this whitelist is not complete as it has been put together on following configuration:
|
||||||
|
MOS 9.1, Ubuntu, 1 controller, 1 compute+cinder lvm, Neutron GRE.
|
||||||
|
|
||||||
### REST API
|
### REST API
|
||||||
API documentation can be found [here](./doc/api.md)
|
API documentation can be found [here](./doc/api.md)
|
||||||
|
|
|
@ -0,0 +1,54 @@
|
||||||
|
- fuel_task: netconfig
|
||||||
|
rule: 'Service[irqbalance]/ensure'
|
||||||
|
- fuel_task: netconfig
|
||||||
|
rule: 'Notify[SDN]'
|
||||||
|
- fuel_task: netconfig
|
||||||
|
rule: 'Disable_hotplug[global]'
|
||||||
|
- fuel_task: netconfig
|
||||||
|
rule: 'L23_stored_config'
|
||||||
|
- fuel_task: netconfig
|
||||||
|
rule: 'vendor_specific'
|
||||||
|
- fuel_task: netconfig
|
||||||
|
rule: 'external_ids'
|
||||||
|
- fuel_task: netconfig
|
||||||
|
rule: 'L3_clear_route[default]'
|
||||||
|
- fuel_task: netconfig
|
||||||
|
rule: 'br-floating'
|
||||||
|
- fuel_task: netconfig
|
||||||
|
rule: 'Exec[wait-for-interfaces]'
|
||||||
|
- fuel_task: configuration_symlink
|
||||||
|
rule: 'Exec[configuration_symlink_shell]'
|
||||||
|
- fuel_task: sync_time
|
||||||
|
rule: 'Exec[sync_time_shell]'
|
||||||
|
- fuel_task: generate_keys
|
||||||
|
rule: 'Exec[generate_keys_shell]'
|
||||||
|
- fuel_task: sriov_iommu_check
|
||||||
|
rule: 'Exec[sriov_iommu_check]'
|
||||||
|
- fuel_task: primary-database
|
||||||
|
rule: 'Mysql::Server::Root_password/File[/root/.my.cnf]/target'
|
||||||
|
- fuel_task: openstack-network-common-config
|
||||||
|
rule: 'Sysctl_runtime[net.ipv4.neigh.default.gc_thresh1]/val'
|
||||||
|
- fuel_task: openstack-network-common-config
|
||||||
|
rule: 'Sysctl_runtime[net.ipv4.neigh.default.gc_thresh2]/val'
|
||||||
|
- fuel_task: openstack-network-common-config
|
||||||
|
rule: 'Sysctl_runtime[net.ipv4.neigh.default.gc_thresh3]/val'
|
||||||
|
- fuel_task: top-role-compute
|
||||||
|
rule: 'Notify[Module openstack_tasks cannot notify service nova-compute on packages update]'
|
||||||
|
- fuel_task: top-role-compute
|
||||||
|
rule: 'Nova/Nova_config[cinder/os_region_name]/ensure'
|
||||||
|
- fuel_task: top-role-compute
|
||||||
|
rule: 'Nova::Deps/Anchor[nova::config::end]'
|
||||||
|
- fuel_task: top-role-compute
|
||||||
|
rule: 'Nova::Deps/Anchor[nova::service::begin]'
|
||||||
|
- fuel_task: top-role-compute
|
||||||
|
rule: 'Nova::Deps/Anchor[nova::service::end]'
|
||||||
|
- fuel_task: top-role-compute
|
||||||
|
rule: 'Nova::Compute/Nova::Generic_service[compute]/Service[nova-compute]'
|
||||||
|
- fuel_task: top-role-cinder
|
||||||
|
rule: 'Cinder::Volume/Service[cinder-volume]/ensure'
|
||||||
|
- fuel_task: workloads_collector_add
|
||||||
|
rule: 'Openstack::Workloads_collector/Keystone_tenant[services]/description'
|
||||||
|
- fuel_task: generate_keys_ceph
|
||||||
|
rule: 'Main/Exec[generate_keys_ceph_shell]/returns'
|
||||||
|
- fuel_task: openrc-delete
|
||||||
|
rule: 'Openstack_tasks::Keystone::Openrc_delete/File[/root/openrc]/ensure'
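Review bot: Several entries in this default list are bare names with no resource type or title (`'br-floating'`, `'external_ids'`, `'vendor_specific'`, `'L23_stored_config'`), and the audit filter changed in this commit matches with `w['rule'] in c['resource']`, a substring test, so each of them hides every netconfig change whose resource string merely contains that text. The list also silences `File[/root/.my.cnf]/target`, `File[/root/openrc]/ensure` and the key-generation Execs, which touch files that normally hold credentials or key material, where unexpected drift is what an audit is meant to surface. I would add a short `#` comment above each group stating why the change is expected on every run, and write the bare names as full resource paths where they are known, so that loading the default does not quietly widen what the audit ignores.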
|
|
@ -93,7 +93,7 @@ class Audit(lister.Lister, command.Command):
|
||||||
changes = filter(lambda c:
|
changes = filter(lambda c:
|
||||||
len(filter(lambda w: w['rule'] in c['resource'] and
|
len(filter(lambda w: w['rule'] in c['resource'] and
|
||||||
(w['fuel_task'] == c['task_id'] or
|
(w['fuel_task'] == c['task_id'] or
|
||||||
w['fuel_task'] == ''), wl) == 0),
|
w['fuel_task'] == ''), wl)) == 0,
|
||||||
changes)
|
changes)
|
||||||
|
|
||||||
return changes
|
return changes
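Review bot: `len(filter(...)) == 0` only works where `filter` returns a list, which holds on the Python 2.7 install path shown in the README but raises TypeError on Python 3, where the outer `filter` would also return an iterator rather than a list. `any()` states the intent directly and stops at the first match: `changes = [c for c in changes if not any(w['rule'] in c['resource'] and w['fuel_task'] in (c['task_id'], '') for w in wl)]`. Since `w['rule'] in c['resource']` is a substring test and an empty `fuel_task` matches every task, a short rule with an empty task suppresses far more than one resource; a comment saying so above the filter, such as `# rule is matched as a substring of the resource; fuel_task '' matches any task`, would help whoever edits a whitelist. The enclosing method starts outside this hunk.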
|
||||||
|
|