azvyagintsev
75a4eb54a6
Disable cis-3-3-3 rule
Change-Id: I956da1f26e500eae693827ed5dce0f7e65e291bc
Closes-Bug: PROD-22520 (PROD:22520)
6 years ago
Dmitry Teselkin
ad85db09b0
Remove non-existent CIS items
Change-Id: I91bfb8e2a06fc0499addd376db9e38483a6756d0
6 years ago
Dmitry Teselkin
af730f9602
CIS compliance (sysctl, limits)
* CIS 1.5.1 Ensure core dumps are restricted
* CIS 1.5.3 Ensure address space layout randomization (ASLR) is enabled
* CIS 3.1.2 Ensure packet redirect sending is disabled
* CIS 3.2.1 Ensure source routed packets are not accepted
* CIS 3.2.2 Ensure ICMP redirects are not accepted
* CIS 3.2.3 Ensure secure ICMP redirects are not accepted
* CIS 3.2.4 Ensure suspicious packets are logged
* CIS 3.2.5 Ensure broadcast ICMP requests are ignored
* CIS 3.2.6 Ensure bogus ICMP responses are ignored
* CIS 3.2.7 Ensure Reverse Path Filtering is enabled
* CIS 3.2.8 Ensure TCP SYN Cookies is enabled
All sysctls are valid for Ubuntu 14.04, Ubuntu 16.04.
Change-Id: I48f34c55d97a78c253d4810db46b2a04ff5c0c1a
6 years ago
Aleksey Zvyagintsev
cf1b5b322a
Revert "CIS compliance (modprobe.d)"
This reverts commit d87f461319.
Change-Id: If175b29f2e130ecf5041e7b0be20f15485089ffa
6 years ago
Dmitry Teselkin
d87f461319
CIS compliance (modprobe.d)
* CIS 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
* CIS 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
* CIS 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
* CIS 1.1.1.4 Ensure mounting of hfs filesystems is disabled
* CIS 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
* CIS 1.1.1.6 Ensure mounting of squashfs filesystems is disabled
* CIS 1.1.1.7 Ensure mounting of udf filesystems is disabled
* CIS 1.1.1.8 Ensure mounting of FAT filesystems is disabled
* CIS 3.5.1 Ensure DCCP is disabled
* CIS 3.5.2 Ensure SCTP is disabled
* CIS 3.5.3 Ensure RDS is disabled
* CIS 3.5.4 Ensure TIPC is disabled
Related-Prod: PROD-20756
Related-Prod: PROD-20757
Related-Prod: PROD-20758
Related-Prod: PROD-20759
Change-Id: I719984829978caf0401e78daaabf1adfb0d1cfdf
6 years ago
Dmitry Teselkin
809834c85e
Extend modprobe files functionality
Support full set of options defined in
man modprobe.d
Change-Id: I3d30b6bc261ef308ae6afd963f13fda1e4b22c0d
6 years ago
Dennis Dmitriev
4bf87625a6
Fix pillar tests
* Update run_tests.sh to the latest revision
* drop odd .kitchen.vagrant.yml
Related-Bug: PROD-20730 (PROD:20730)
Change-Id: I367800a60ad17020700a76670d1216dfdfcfe692
7 years ago
azvyagintsev
42b64a1f29
Misc fixes
* Add\fix __virtual__ for modules
* Remove unneeded multiline for repo.sls
Change-Id: I1f8d321b68dfe6a44264b4ddcd6cd0c576938da1
6 years ago
Vasyl Saienko
081647356f
Merge "CIS 3.3.3 Ensure IPv6 is disabled"
6 years ago
azvyagintsev
b7c2ef4b57
Fix linux_enforce_hostname for test env
* Add TODO-proper fix for state - native salt fun.
But due bug[1] in saltstack - we can't enable
proper solution now
[1] 74599bbdfc
Related-PROD: PROD-20730
Change-Id: I11b6d81ae0f9a7864518f638e8fc423e4e087285
6 years ago
Dmitry Teselkin
cc7263a275
CIS 3.3.3 Ensure IPv6 is disabled
Related-Prod: PROD-20755
Change-Id: I44cc3bdb4a0436ff17f790a828d03697b89d3520
6 years ago
azvyagintsev
7903ba97da
Refactor pillar repo key fetch
Change-Id: I511996de9d8abc69d6775b45482f8196c7159a1a
6 years ago
OlgaGusarenko
2828f5fcd4
README update
Change-Id: I70a28cac5c07fb3093b6038a0c448d16847a42e3
6 years ago
Martin Polreich
b08a9144f7
Merge branch 'master' of github.com:salt-formulas/salt-formula-linux
Change-Id: I5468d69c362cbd2e71a064bd2bc89f843fbefe7e
6 years ago
azvyagintsev
45cf452dbb
Fix global proxy processing
* Fix processing disabled repo
* Extend tests for such case
Change-Id: Ib3243f2b3e70aecef65273be215b30613b8df025
Closes-Bug: PROD-21954 (PROD:21954)
6 years ago
Filip Pytloun
21c68864a9
Merge pull request #163 from alexandruavadanii/fix-duplicate-ids
system:repo: Fix duplicate file.absent sls IDs
6 years ago
Alexandru Avadanii
5df87a1a13
system:repo: Fix duplicate file.absent sls IDs
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
6 years ago
Vasyl Saienko
c6f75efb50
Merge "Fix|change system.repo update logic"
6 years ago
azvyagintsev
ff089d2428
Fix|change system.repo update logic
- Add possibility to remove prereq. packages installation BEFORE
* Crucial logic violation - if we don't have any repo\
have them configured in wrong way - stage will always fail.
* install prereq. packages after all - sounds stupid, but correct.
* By default - it will still try to install prereq. We don't want to
break OLD logic. See readme, how-to override such behaviour.
- don't update cache per-repo - it's simply useless and may fail due p1.
Run update only once - after all repos configured\reconfigured
- Add new option at system:refresh_repos_meta - for case, when update
should not be run in any case. By default - true.
- remove 99proxies-salt-{{ name }} along with disabled repo
- fix duplicate 'clean_file' option
Closes-Bug: PROD-15992 (PROD:15992)
Change-Id: I4b312f82f65be80e7726f62482978f68c25746a3
6 years ago
Dzmitry Stremkouski
adb655e604
Fix dependency for dpdk bond interfaces.
Wait for dpdk bond interfaces to come up.
linux.network.dpdk state fails to update a port within for loop
when this port does not exist yet.
Dependency will require interfaces to be added before
Prod-Related: PROD-19696
Closes-Bug: PROD-19696
Change-Id: Ia83218a76dd6e86664e7f9498a76341717eb5b80
6 years ago
Mateusz Matuszkowiak
ee7c76af8b
Enable nstat input plugin for softnet_stat data
Since we added to nstat's telegraf plugin the possibility
to collect data from `/proc/net/softnet_stat` regarding
dropped packets and rx_net_action a.k.a time squeeze, we need to enable
it globally on all hosts.
Also grafana dashboard update to include new graphs + added four
new Prometheus alerts.
Related-Bug: PROD-21090
Change-Id: I9dfe87bdc8b677a51e3f305dd3c75c7d4cc4e0d4
6 years ago
azvyagintsev
f27f4367d3
0-change sugar
* Make system.repo more readable
Change-Id: I0f28e71f4b00422a70006559525e5be24c4cb065
6 years ago
Ondrej Smola
6040a3f96d
added indexing for sysfs id
related bug: PROD-21512
Change-Id: I874535dbc6882ad49f133999209ae6a4c3bde403
6 years ago
Martin Polreich
4fcd5c0eae
Enable setting home dir permissions
Fixes: PROD-21350
Change-Id: If5a4473296e4d2cb6a80cb7397ac38a66011f39d
6 years ago
Alexander Noskov
2a52a52057
Install nscd for caching LDAP queries
nscd is recommended package for libpam-ldapd and libnss-ldapd, but
since we disabled Install-Recommends for apt in
https://gerrit.mcp.mirantis.net/14431 we need to specify this package in
linux formula.
nscd is a daemon which handles passwd, group and host lookups for
running programs and caches the results for the next query.
Change-Id: Ia17441da2b3072d943d0e9225721dc9921de2514
6 years ago
Richard Felkl
563f47cfac
Merge "added possibility to use list for sysfs params"
6 years ago
Ondrej Smola
ef9bd76e4b
added possibility to use list for sysfs params
Change-Id: Id9ffc5cbbbb10fd6136d459ed461151a1800e857
related-bug: PROD-21205
6 years ago
Jiri Broulik
2c34cb1489
vlan pkg for interfaces
PROD-20944
Change-Id: I9ef98b529d57171cf17c33597fd6af69d2f43a41
6 years ago
mkobus
f546f9582f
Revert "Add monitoring for cron job"
As we resign to develop full-stack solution to monitor cron jobs
This reverts commit 697ce4bf04.
Change-Id: Icab6008011141bb658c836897a05018dd6ce2984
6 years ago
Michal Kobus
697ce4bf04
Add monitoring for cron job
Change-Id: I710b65decf6697d0bb5d21fc3fc2d332b78119c5
Closes-bug: PROD-21073
6 years ago
Ondrej Smola
792316452f
Merge "Add ability to configure VLAN tag on patch port"
6 years ago
Dmitry Kalashnik
a0c0ccda99
Rationalize Linux dashboards
Change-Id: I6b21bed3dd2c632af8274769b562f366c4057b82
Closes-Prod: PROD-20090
6 years ago
Petr Jediny
d7be9fca73
Merge "Disable creation of /dev/hugepages mount point"
6 years ago
Oleksii Chupryn
694ee72f51
Add ability to configure VLAN tag on patch port
Change-Id: I41f6e9c4feed93d03ac0479f9bd3626e48ad8063
Co-Authored-By: Michael Polenchuk <mpolenchuk@mirantis.com>
Closes-Bug: PROD-20729
6 years ago
Sergey Kreys
b1c8a3022f
Disable creation of /dev/hugepages mount point
We create custom hugepages mount point for KVM/DPDK with custom
parameters (ownership flags/hugepages size). Need to disable default
mount point, because it can be unexpectedly used by DPDK.
Change-Id: Ibee95422213260e544406391c7a0922f1a41c5c2
Closes-Bug: PROD-14325
6 years ago
Petr Michalec
9f30456a0e
Fix, system.repo don't use curl if not needed
- fixed pkgrepo.manage to use/prefer key_url for salt >= 2017.7
- updated syntax for key verification
- fix, avoid curl for salt:// schema (as in #156 )
Change-Id: I1b50c287a4030a9cefa1b819017d59cc5fb1c197
6 years ago
Vasyl Saienko
4a23e4d201
Revert "Fix, system.repo don't use curl on fixed pkgrepo.manage"
Commit totally broke all deployment CI job.
This reverts commit 24477c590b.
Change-Id: Idce0954f0bd363095069e91edc6941ca78b22c60
6 years ago
Petr Michalec
24477c590b
Fix, system.repo don't use curl on fixed pkgrepo.manage
Change-Id: Id5b5a44f3dfbbdd60442fd2f273b72557fa9e191
6 years ago
Richard Felkl
38727e21df
Merge "Cosmetic changes for alerts"
6 years ago
Michal Kobus
97242f156a
Cosmetic changes for alerts
Change-Id: I9e8464e3ee5ef28ca5eb7eb84e645e42fb6576cd
Closes-bug: PROD-20466
6 years ago
azvyagintsev
eda3823a09
Fix default_repo requirements
Change-Id: I2d374a589e18f38f91beac9514ff5bf3c034d637
6 years ago
mcp-jenkins
e959ef234a
Merge "Fix system:repo"
6 years ago
Filip Pytloun
41b86940bb
Merge pull request #152 from bbinet/file.serialize
Add support file.serialize in linux:system:file
6 years ago
Bruno Binet
9c2fe220a8
Add support file.serialize in linux:system:file
Ensure presence of file to be serialized through one of the serializer modules
(see: https://docs.saltstack.com/en/latest/ref/serializers/all/index.html ):
6 years ago
azvyagintsev
6f5e69e2bf
Fix system:repo
* Currently, 'key' was processed only for default repos
* Remove double-definition
* Re-use idempotent fix
Co-Authored-By: Dennis Dmitriev <ddmitriev@mirantis.com>
Change-Id: Ic733f671b39e7b4a8d8e0a83515b6b0632c3a41b
6 years ago
Petr Michalec
64113f1216
Merge pull request #150 from horakmar/repo-key-via-proxy
Workaround for fetching repo keys via proxy.
6 years ago
Petr Michalec
7752d48fac
Merge pull request #151 from salt-formulas/atp-proxy
Fixed https apt proxy to same host as http
6 years ago
Aleš Komárek
d620630de5
Fixed https apt proxy to same host as http
6 years ago
Martin Horak
9673a18fba
Fixed curl to follow redirections.
6 years ago
Martin Horak
ceb6686d71
Fix syntax - add quotes.
6 years ago