Commit
- Upgrade to release 8 (reinstall openstack)
- Install Scaphandre and Prometheus
- Add preinstall/postinstall validation scripts
- Specify minimal kernel version
- Unsuccessful k3s experiments
- Create a systemd unit to establish NFT rules (add logger commands for better analytics)
- Minimal SSHD hardening
- Install HWE kernel
- A minimal helper script for running all OSISM validations

---------

Signed-off-by: Marc Schöchlin <[email protected]>
Showing 23 changed files with 1,693 additions and 1,541 deletions.
13 changes: 13 additions & 0 deletions
environments/custom/roles/scs-landscape-nodes/files/scripts/scs_check_openstack.sh
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
#!/bin/bash | ||
|
||
FAILED="" | ||
|
||
if [ $(openstack compute service list --os-cloud admin -f json|jq '.[] | select(.Status != "enabled" or .State != "up")'|wc -l) -gt 0 ];then | ||
FAILED="NODES-DOWN" | ||
openstack compute service list --os-cloud admin | ||
fi | ||
|
||
if [ -z "FAILED" ];then | ||
echo "FAILED: $FAILED" | ||
exit 1 | ||
fi |
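Review bot: the final test `if [ -z "FAILED" ]` checks the literal string FAILED, which is never empty, so the `exit 1` branch is unreachable and the script exits 0 even after setting `FAILED="NODES-DOWN"`. It should read `if [ -n "$FAILED" ]; then`. The first check also fails open: if `openstack` or `jq` returns an error (expired credentials, API unreachable), the pipeline prints nothing, `wc -l` reports 0 and the validation passes. Capture the JSON into a variable first, fail when the command returns non-zero, and quote the `$(...)` substitution.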
6 changes: 5 additions & 1 deletion
environments/custom/roles/scs-landscape-nodes/handlers/main.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,6 @@ | ||
--- | ||
# handlers file for scs-landscape | ||
- name: Reload ssh service | ||
become: true | ||
ansible.builtin.service: | ||
name: ssh | ||
state: reloaded |
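Review bot: `name: ssh` hardcodes the Debian/Ubuntu unit name, so on a distribution where the unit is called `sshd` this handler fails after the hardening file has already been written. If the role is meant only for Ubuntu nodes, state that in the comment at the top of the file; otherwise take the service name from a variable.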
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,7 @@ | ||
- name: Setup Node | ||
include_tasks: "{{ item }}" | ||
loop: | ||
- sshd.yml | ||
- lvm.yml | ||
- scripts.yml | ||
- vim.yml | ||
|
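Review bot: `include_tasks` on the second line is the only short module name in this change; the new handler and `sshd.yml` use fully qualified names (`ansible.builtin.service`, `ansible.builtin.copy`), so write `ansible.builtin.include_tasks` here for consistency. Because `sshd.yml` is first in the loop and its reload is deferred to a handler, the new SSH settings are not live until the remaining task files have run; add a `meta: flush_handlers` step after it if the hardening should apply immediately.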
21 changes: 21 additions & 0 deletions
environments/custom/roles/scs-landscape-nodes/tasks/sshd.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
--- | ||
- name: Hardening Settings for SSHD | ||
ansible.builtin.copy: | ||
dest: /etc/ssh/sshd_config.d/99-scs-hardening.conf | ||
content: | | ||
PermitRootLogin no | ||
PasswordAuthentication no | ||
PermitEmptyPasswords no | ||
ChallengeResponseAuthentication no | ||
KerberosAuthentication no | ||
GSSAPIAuthentication no | ||
AllowGroups {{ operator_group }} | ||
notify: Reload ssh service | ||
- name: Ensure that SSH passwordless login from cloud-init is removed | ||
ansible.builtin.file: | ||
path: /etc/ssh/sshd_config.d/50-cloud-init.conf | ||
state: absent | ||
notify: Reload ssh service |
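Review bot: the `99-` prefix in `dest: /etc/ssh/sshd_config.d/99-scs-hardening.conf` makes this the last drop-in read, and sshd keeps the first value it obtains for each keyword, so any lower-numbered file in that directory that sets `PasswordAuthentication` or `PermitRootLogin` overrides the hardening. The second task removes `50-cloud-init.conf`, but only that one file; a low prefix such as `00-` would make these settings win regardless of what else is present. The copy task also sets no `owner`, `group` or `mode` and has no `validate:` step (for example `sshd -t -f %s`), and `AllowGroups {{ operator_group }}` denies every login if that group is missing or has no members on the node, so check the group before the reload is triggered.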
17 changes: 17 additions & 0 deletions
environments/kolla/files/overlays/prometheus/prometheus.yml.d/50-scaphandre.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
--- | ||
scrape_configs: | ||
- job_name: scaphandre | ||
static_configs: | ||
- targets: | ||
{% for host in groups['scaphandre'] %} | ||
- "{{ host }}:9155" | ||
{% endfor %} | ||
relabel_configs: | ||
# remove port from instance name | ||
- source_labels: | ||
- __address__ | ||
regex: '(.*):.*' | ||
replacement: $1 | ||
target_label: instance | ||
scrape_interval: 1m | ||
|
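Review bot: the loop over `groups['scaphandre']` has no guard, so an inventory without that group fails the template and an empty group renders a `targets:` key with no entries. Wrap the job in `{% if groups.get('scaphandre') %}` or document that the group is required. The job also sets no `scheme`, `tls_config` or authentication, so the targets are scraped over plain HTTP on port 9155; access to that port should be limited to the Prometheus host.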