diff --git a/capabilities-map.yaml b/capabilities-map.yaml index c2ed54e972..0ed8dfcce4 100644 --- a/capabilities-map.yaml +++ b/capabilities-map.yaml @@ -531,6 +531,11 @@ topics: environments: - file: environments/securetty.yaml title: SecureTTY Values + - title: login.defs values + description: Set values within /etc/login.defs + environments: + - file: environments/login-defs.yaml + title: login.defs Values - title: Additional Services description: @@ -642,3 +647,4 @@ topics: description: requires: - overcloud-resource-registry-puppet.yaml + diff --git a/ci/environments/scenario001-multinode-containers.yaml b/ci/environments/scenario001-multinode-containers.yaml index 129eb02cec..c1ad42624c 100644 --- a/ci/environments/scenario001-multinode-containers.yaml +++ b/ci/environments/scenario001-multinode-containers.yaml @@ -36,6 +36,7 @@ parameter_defaults: - OS::TripleO::Services::Docker - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone + - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::GlanceApi - OS::TripleO::Services::HeatApi - OS::TripleO::Services::HeatApiCfn diff --git a/environments/hyperconverged-ceph.yaml b/environments/hyperconverged-ceph.yaml index fd4ecfd7fd..077b4ca6b8 100644 --- a/environments/hyperconverged-ceph.yaml +++ b/environments/hyperconverged-ceph.yaml @@ -52,3 +52,5 @@ parameter_defaults: - OS::TripleO::Services::Iscsid - OS::TripleO::Services::OVNController - OS::TripleO::Services::RsyslogSidecar + - OS::TripleO::Services::LoginDefs + diff --git a/environments/login-defs.yaml b/environments/login-defs.yaml new file mode 100644 index 0000000000..033bce02c8 --- /dev/null +++ b/environments/login-defs.yaml @@ -0,0 +1,9 @@ +resource_registry: + OS::TripleO::Services::LoginDefs: ../puppet/services/login-defs.yaml + +parameter_defaults: + PasswordMaxDays: 60 + PasswordMinDays: 1 + PasswordMinLen: 5 + PasswordWarnAge: 7 + FailDelay: 4 
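Review bot: `PasswordMinLen: 5` in the new environments/login-defs.yaml is a weak value to ship in a file that operators will include as a hardening step; most will deploy it unchanged. I would raise it to whatever the deployment's password policy requires. I would also add a header comment to the file, since it has none, for example `# Sample password-aging values; review against your site policy before deploying`. Two caveats belong in that comment, assuming these parameters end up as the PASS_* keys in /etc/login.defs (the Puppet profile is not part of this diff). First, the aging values in login.defs are applied when an account is created, so existing accounts keep their current settings until changed with chage. Second, on hosts where PAM handles password changes, the minimum length is normally enforced by the PAM password-quality module rather than by login.defs.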
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 822478d88d..099ffeacaf 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -302,6 +302,7 @@ resource_registry: OS::TripleO::Services::VRTSHyperScale: OS::Heat::None OS::TripleO::Services::SkydiveAgent: OS::Heat::None OS::TripleO::Services::SkydiveAnalyzer: OS::Heat::None + OS::TripleO::Services::LoginDefs: OS::Heat::None # Logging OS::TripleO::Services::Logging::BarbicanApi: docker/services/logging/files/barbican-api.yaml diff --git a/puppet/services/login-defs.yaml b/puppet/services/login-defs.yaml new file mode 100644 index 0000000000..acd4a8faf2 --- /dev/null +++ b/puppet/services/login-defs.yaml 
@@ -0,0 +1,66 @@
+heat_template_version: pike
+
+description: >
+ Configure login.defs values
+
+parameters:
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ PasswordMaxDays:
+ default: {}
+ description: Set the maximum age allowed for passwords
+ type: number
+ PasswordMinDays:
+ default: {}
+ description: Set the minimum age allowed for passwords
+ type: number
+ PasswordWarnAge:
+ default: {}
+ description: Set the warning period for password expiration
+ type: number
+ PasswordMinLen:
+ default: {}
+ description: Set the minimum length allowed for passwords
+ type: number
+ FailDelay:
+ default: {}
+ description: The period of time between password retries
+ type: number
+
+outputs:
+ role_data:
+ description: Parameters for configuration of the login.defs file
+ value:
+ service_name: login_defs
+ config_settings:
+ tripleo::profile::base::login_defs::password_max_days: {get_param: PasswordMaxDays}
+ tripleo::profile::base::login_defs::password_min_days: {get_param: PasswordMinDays}
+ tripleo::profile::base::login_defs::password_warn_age: {get_param: PasswordWarnAge}
+ tripleo::profile::base::login_defs::password_min_len: {get_param: PasswordMinLen}
+ tripleo::profile::base::login_defs::fail_delay: {get_param: FailDelay}
+ step_config: |
+ include ::tripleo::profile::base::login_defs
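Review bot: The five new parameters in puppet/services/login-defs.yaml (`PasswordMaxDays`, `PasswordMinDays`, `PasswordWarnAge`, `PasswordMinLen`, `FailDelay`) declare `type: number` but `default: {}`, so the fallback is an empty map that does not match the declared type. environments/login-defs.yaml sets all five, but an operator who maps OS::TripleO::Services::LoginDefs from a different environment file and omits one gets no meaningful fallback for a security setting. I would delete the `default: {}` line on each so that Heat requires an explicit value. I would also bound each one with `constraints:` followed by `- range: {min: 0}`, so that a negative or mistyped value is rejected at stack validation rather than written into hieradata. The descriptions could also state the unit, for example `description: Maximum password age, in days`.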
diff --git a/roles/BlockStorage.yaml b/roles/BlockStorage.yaml
index 351277bfe0..f16bff1792 100644
--- a/roles/BlockStorage.yaml
+++ b/roles/BlockStorage.yaml
@@ -19,6 +19,7 @@
 - OS::TripleO::Services::Fluentd
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::MySQLClient
 - OS::TripleO::Services::Ntp
 - OS::TripleO::Services::ContainersLogrotateCrond
diff --git a/roles/CephStorage.yaml b/roles/CephStorage.yaml
index 6b6073b717..e7efd5f3db 100644
--- a/roles/CephStorage.yaml
+++ b/roles/CephStorage.yaml
@@ -16,6 +16,7 @@
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
 - OS::TripleO::Services::Kernel
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::MySQLClient
 - OS::TripleO::Services::Ntp
 - OS::TripleO::Services::ContainersLogrotateCrond
diff --git a/roles/Compute.yaml b/roles/Compute.yaml
index 60dcbc86c9..7bcab4d6c9 100644
--- a/roles/Compute.yaml
+++ b/roles/Compute.yaml
@@ -36,6 +36,7 @@
 - OS::TripleO::Services::Fluentd
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::MySQLClient
 - OS::TripleO::Services::NeutronBgpVpnBagpipe
 - OS::TripleO::Services::NeutronLinuxbridgeAgent
diff --git a/roles/ComputeHCI.yaml b/roles/ComputeHCI.yaml
index d9f0bc3985..3e6242cc4f 100644
--- a/roles/ComputeHCI.yaml
+++ b/roles/ComputeHCI.yaml
@@ -27,6 +27,7 @@
 - OS::TripleO::Services::Fluentd
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::MySQLClient
 - OS::TripleO::Services::NeutronBgpVpnBagpipe
 - OS::TripleO::Services::NeutronLinuxbridgeAgent
diff --git a/roles/ComputeOvsDpdk.yaml b/roles/ComputeOvsDpdk.yaml
index 9bf0a44096..ac9be84837 100644
--- a/roles/ComputeOvsDpdk.yaml
+++ b/roles/ComputeOvsDpdk.yaml
@@ -27,6 +27,7 @@
 - OS::TripleO::Services::Fluentd
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::MySQLClient
 - OS::TripleO::Services::NeutronBgpVpnBagpipe
 - OS::TripleO::Services::NovaCompute
diff --git a/roles/ComputeSriov.yaml b/roles/ComputeSriov.yaml
index 415577f22f..1082c49bae 100644
--- a/roles/ComputeSriov.yaml
+++ b/roles/ComputeSriov.yaml
@@ -27,6 +27,7 @@
 - OS::TripleO::Services::Fluentd
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::MySQLClient
 - OS::TripleO::Services::NeutronBgpVpnBagpipe
 - OS::TripleO::Services::NeutronSriovAgent
diff --git a/roles/Controller.yaml b/roles/Controller.yaml
index 40456e559a..590b186a56 100644
--- a/roles/Controller.yaml
+++ b/roles/Controller.yaml
@@ -76,6 +76,7 @@
 - OS::TripleO::Services::Keepalived
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::Keystone
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::ManilaApi
 - OS::TripleO::Services::ManilaBackendCephFs
 - OS::TripleO::Services::ManilaBackendIsilon
diff --git a/roles/ControllerOpenstack.yaml b/roles/ControllerOpenstack.yaml
index 221d8d9906..1d59aee831 100644
--- a/roles/ControllerOpenstack.yaml
+++ b/roles/ControllerOpenstack.yaml
@@ -61,6 +61,7 @@
 - OS::TripleO::Services::Keepalived
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::Keystone
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::ManilaApi
 - OS::TripleO::Services::ManilaBackendCephFs
 - OS::TripleO::Services::ManilaBackendIsilon
@@ -118,4 +119,3 @@
 - OS::TripleO::Services::Tuned
 - OS::TripleO::Services::Vpp
 - OS::TripleO::Services::Zaqar
-
diff --git a/roles/Database.yaml b/roles/Database.yaml
index 2a91068dbd..e890272f25 100644
--- a/roles/Database.yaml
+++ b/roles/Database.yaml
@@ -16,6 +16,7 @@
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
 - OS::TripleO::Services::Kernel
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::MySQL
 - OS::TripleO::Services::MySQLClient
 - OS::TripleO::Services::Ntp
diff --git a/roles/IronicConductor.yaml b/roles/IronicConductor.yaml
index 550ad9744b..6463a68a63 100644
--- a/roles/IronicConductor.yaml
+++ b/roles/IronicConductor.yaml
@@ -15,6 +15,7 @@
 - OS::TripleO::Services::IronicConductor
 - OS::TripleO::Services::IronicPxe
 - OS::TripleO::Services::Kernel
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::MySQLClient
 - OS::TripleO::Services::Ntp
 - OS::TripleO::Services::ContainersLogrotateCrond
diff --git a/roles/Messaging.yaml b/roles/Messaging.yaml
index 1a4c403ed6..519d0a6c0e 100644
--- a/roles/Messaging.yaml
+++ b/roles/Messaging.yaml
@@ -15,6 +15,7 @@
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
 - OS::TripleO::Services::Kernel
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::Ntp
 - OS::TripleO::Services::ContainersLogrotateCrond
 - OS::TripleO::Services::Pacemaker
diff --git a/roles/Networker.yaml b/roles/Networker.yaml
index 7f8a943689..5b129dc70a 100644
--- a/roles/Networker.yaml
+++ b/roles/Networker.yaml
@@ -16,6 +16,7 @@
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
 - OS::TripleO::Services::Kernel
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::MySQLClient
 - OS::TripleO::Services::NeutronDhcpAgent
 - OS::TripleO::Services::NeutronL2gwAgent
diff --git a/roles/ObjectStorage.yaml b/roles/ObjectStorage.yaml
index 9367eb109d..136fe626d3 100644
--- a/roles/ObjectStorage.yaml
+++ b/roles/ObjectStorage.yaml
@@ -24,6 +24,7 @@
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
 - OS::TripleO::Services::Kernel
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::MySQLClient
 - OS::TripleO::Services::Ntp
 - OS::TripleO::Services::ContainersLogrotateCrond
diff --git a/roles/Telemetry.yaml b/roles/Telemetry.yaml
index d24f1ff02c..aa0284cf2b 100644
--- a/roles/Telemetry.yaml
+++ b/roles/Telemetry.yaml
@@ -21,6 +21,7 @@
 - OS::TripleO::Services::GnocchiMetricd
 - OS::TripleO::Services::GnocchiStatsd
 - OS::TripleO::Services::Keystone
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::MySQL
 - OS::TripleO::Services::Ntp
 - OS::TripleO::Services::ContainersLogrotateCrond
diff --git a/roles/Undercloud.yaml b/roles/Undercloud.yaml
index 67f5c214d2..6e360df8cc 100644
--- a/roles/Undercloud.yaml
+++ b/roles/Undercloud.yaml
@@ -23,6 +23,7 @@
 - OS::TripleO::Services::IronicPxe
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Keystone
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::Memcached
 - OS::TripleO::Services::MistralApi
 - OS::TripleO::Services::MistralEngine
diff --git a/roles/UndercloudLight.yaml b/roles/UndercloudLight.yaml
index c365efef8a..7a809b353c 100644
--- a/roles/UndercloudLight.yaml
+++ b/roles/UndercloudLight.yaml
@@ -19,6 +19,7 @@
 - OS::TripleO::Services::HeatApiCfn
 - OS::TripleO::Services::HeatEngine
 - OS::TripleO::Services::Keystone
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::Memcached
 - OS::TripleO::Services::MistralApi
 - OS::TripleO::Services::MistralEngine
diff --git a/roles_data.yaml b/roles_data.yaml
index cbd7145ed1..ffe6211bdc 100644
--- a/roles_data.yaml
+++ b/roles_data.yaml
@@ -79,6 +79,7 @@
 - OS::TripleO::Services::Keepalived
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::Keystone
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::ManilaApi
 - OS::TripleO::Services::ManilaBackendCephFs
 - OS::TripleO::Services::ManilaBackendIsilon
@@ -187,6 +188,7 @@
 - OS::TripleO::Services::Fluentd
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::MySQLClient
 - OS::TripleO::Services::NeutronBgpVpnBagpipe
 - OS::TripleO::Services::NeutronLinuxbridgeAgent
@@ -230,6 +232,7 @@
 - OS::TripleO::Services::Fluentd
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Kernel
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::MySQLClient
 - OS::TripleO::Services::Ntp
 - OS::TripleO::Services::ContainersLogrotateCrond
@@ -268,6 +271,7 @@
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
 - OS::TripleO::Services::Kernel
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::MySQLClient
 - OS::TripleO::Services::Ntp
 - OS::TripleO::Services::ContainersLogrotateCrond
@@ -300,6 +304,7 @@
 - OS::TripleO::Services::Docker
 - OS::TripleO::Services::Fluentd
 - OS::TripleO::Services::Kernel
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::MySQLClient
 - OS::TripleO::Services::Ntp
 - OS::TripleO::Services::ContainersLogrotateCrond
diff --git a/roles_data_undercloud.yaml b/roles_data_undercloud.yaml
index 49a5864538..d5e9c2cb50 100644
--- a/roles_data_undercloud.yaml
+++ b/roles_data_undercloud.yaml
@@ -26,6 +26,7 @@
 - OS::TripleO::Services::IronicPxe
 - OS::TripleO::Services::Iscsid
 - OS::TripleO::Services::Keystone
+ - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::Memcached
 - OS::TripleO::Services::MistralApi
 - OS::TripleO::Services::MistralEngine