* CIS 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
* CIS 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
Related-Prod: PROD-20765
Change-Id: I5ff5e5bc76e1d87432caec70f2b35eec288e9213
linux/system/user.sls ignores 'shell' option if a
user is system. This is quite strange behavior, and it
breaks CIS:
* 5.4.2 Ensure system accounts are non-login
Change-Id: I32dd44ac4fcc1425ea47eb4cf60acf41f6ce0887
Related-Prod: PROD-20764
* Add TODO-proper fix for state - native salt fun.
But due bug[1] in saltstack - we can't enable
proper solution now
[1] 74599bbdfc
Related-PROD: PROD-20730
Change-Id: I11b6d81ae0f9a7864518f638e8fc423e4e087285
- Add possibility to remove prereq. packages installation BEFORE
* Crucial logic violation - if we don't have any repo\
have them configured in wrong way - stage will always fail.
* install prereq. packages after all - sounds stupid, but correct.
* By default - it will still try to install prereq. We don't want to
broke OLD logic.See readme, how-to overide such behaviour.
- don't update cache per-repo - it's simply useless and may fail due p1.
Run update only once - after all repos configured\reconfigured
- Add new option at system:refresh_repos_meta - for case, when update
should not be run in any case. By default - true.
- remove 99proxies-salt-{{ name }} along with disabled repo
- fix duplicate 'clean_file' option
Closes-Bug: PROD-15992 (PROD:15992)
Change-Id: I4b312f82f65be80e7726f62482978f68c25746a3
Wait for dpdk bond interfaces to come up.
linux.network.dpdk state fails to update a port within for loop
when this port does not exist yet.
Dependency will require interfaces to be added before
Prod-Related: PROD-19696
Closes-Bug: PROD-19696
Change-Id: Ia83218a76dd6e86664e7f9498a76341717eb5b80
Since we added to nstat's telegraf plugin the possibility
to collect data from `/proc/net/softnet_stat` regarding
dropped packets and rx_net_action a.k.a time squeeze, we need to enable
it globally on all hosts.
Also grafana dashboard update to include new graphs + added four
new Prometheus alers.
Related-Bug: PROD-21090
Change-Id: I9dfe87bdc8b677a51e3f305dd3c75c7d4cc4e0d4
nscd is recommended package for libpam-ldapd and libnss-ldapd, but
since we disabled Install-Recommends for apt in
https://gerrit.mcp.mirantis.net/14431 we need to specify this package in
linux formula.
nscd is a daemon which handles passwd, group and host lookups for
running programs and caches the results for the next query.
Change-Id: Ia17441da2b3072d943d0e9225721dc9921de2514
We create custom hugepages mount point for KVM/DPDK with custom
parameters (ownership flags/hugepages size). Need to disable default
mount point, because it can be unexpectedly used by DPDK.
Change-Id: Ibee95422213260e544406391c7a0922f1a41c5c2
Closes-Bug: PROD-14325
- fixed pkgrepo.manage to use/prefer key_url for salt >= 2017.7
- updated syntax for key verificatoin
- fix, avoid curl for salt:// schema (as in #156)
Change-Id: I1b50c287a4030a9cefa1b819017d59cc5fb1c197
The patch adds ability to configure variety logging options
for OVS. In order to configure OVS log options the below pillar
sctructure should be used:
linux:
network:
openvswitch:
enabled: true
logging:
enabled: true
ovsdb:
console: emer
syslog: err
file: info
facility: local0
vswitchd:
console: emer
syslog: err
file: info
facility: local1
Change-Id: I59ef0636447a974215d872259a26beb858495cfb
Related-PROD: PROD-19980
When we use the upstart, setup-loopback should be running as a
service to pass the salt linux.storage.loopback state
(service.running).
Change-Id: I9b19a94126b497d89bd6d05f43dca1df0304c0c6
Closes-bug: PROD-19847