* Ubuntu pinning params allow to be used
multiply times. In same time, old `list`
format now allowing to be predictable
iterated inside jinja
Related-Bug: PROD-21604 (PROD:21604)
Change-Id: If1c0f0f834a296b9a19d0af5fc7673c9229a7ac5
Permissions 640 root:root doesn't allow regular user to read
/etc/{at,cron}.allow files, that changes behavior of at / crontab
commands:
* crontab command can't read /etc/cron.allow and allow any user to modify
their crontab files.
* at command can't read /etc/at.allow and deny every user.
at / crontab files have SGID bits set, so setting correct group
on /etc/{at,cron}.allow fixes the issue.
Change-Id: I4a3fc8d8e823498d6715e26307424e3065cbd6ca
* CIS 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
* CIS 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
Related-Prod: PROD-20765
Change-Id: I5ff5e5bc76e1d87432caec70f2b35eec288e9213
linux/system/user.sls ignores 'shell' option if a
user is system. This is quite strange behavior, and it
breaks CIS:
* 5.4.2 Ensure system accounts are non-login
Change-Id: I32dd44ac4fcc1425ea47eb4cf60acf41f6ce0887
Related-Prod: PROD-20764
- Add possibility to remove prereq. packages installation BEFORE
* Crucial logic violation - if we don't have any repo\
have them configured in wrong way - stage will always fail.
* install prereq. packages after all - sounds stupid, but correct.
* By default - it will still try to install prereq. We don't want to
broke OLD logic.See readme, how-to overide such behaviour.
- don't update cache per-repo - it's simply useless and may fail due p1.
Run update only once - after all repos configured\reconfigured
- Add new option at system:refresh_repos_meta - for case, when update
should not be run in any case. By default - true.
- remove 99proxies-salt-{{ name }} along with disabled repo
- fix duplicate 'clean_file' option
Closes-Bug: PROD-15992 (PROD:15992)
Change-Id: I4b312f82f65be80e7726f62482978f68c25746a3
We create custom hugepages mount point for KVM/DPDK with custom
parameters (ownership flags/hugepages size). Need to disable default
mount point, because it can be unexpectedly used by DPDK.
Change-Id: Ibee95422213260e544406391c7a0922f1a41c5c2
Closes-Bug: PROD-14325
- fixed pkgrepo.manage to use/prefer key_url for salt >= 2017.7
- updated syntax for key verificatoin
- fix, avoid curl for salt:// schema (as in #156)
Change-Id: I1b50c287a4030a9cefa1b819017d59cc5fb1c197
This is also covers the following CIS items
* CIS 1.7.1.5 Ensure permissions on /etc/issue are configured (Scored)
Change-Id: If8c237ff4db7e9ab7ee244278d28f632e73ecb56
Related-Prod: PROD-19166
saltstack 2017.7 is failing to create user when default group for user is not present, commit which changes this behavior from 2016.3 is a18dbe0c11
Change-Id: I478d632e8aa7303ab2ee32b033478148c18c473d
This patch unifies /etc/motd managing approach for both RedHat and
Ubuntu systems. Providing a string value via linux:system:motd
pillar will configure static /etc/motd and remove dynamic scripts
from /etc/update-motd.d (if present).
update-motd can safely be removed because Ubuntu supports dynamic
motd by pam_motd means since 2009.
Related-Prod: PROD-17287
Change-Id: Ic9b7e18abb12cfe8704717b14dc1237e40715319
Allow hugepages to be used right away. This is a best effort attempt,
as memory might be too fragmented to free enough contiguous regions
for all hugepages, so early allocation during boot remains the norm.
This allows using ovs-switchd-dpdk without rebooting the node first.
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
Bruno Binet
azvyagintsev
Martin Polreich
Dmitry Teselkin
Alexandru Avadanii
Ondrej Smola
Sergey Kreys
Petr Michalec
Vasyl Saienko
Martin Horak
Dzmitry Stremkouski
Oleksii Chupryn
Michael Polenchuk
Michael Fladischer
Richard Felkl
cristinapauna