Description of problem:

We need an official recommendation to enable the hardening below in the OpenStack environment, since we didn't find any recommendation in our official guide:
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/security_and_hardening_guide/

Hardening Details:

1. We wish to disable "path MTU discovery", since it could be used by a malicious attacker to receive a reply from the server despite the firewall configuration by forcefully sending a large packet. The customer's suspicion is that, since some interfaces do have a 9000-byte MTU, this discovery mechanism might be used if the MTU in some part of the path is in fact lower.

    - name: Disable PMTUD on sysctl.conf
      sysctl:
        name: net.ipv4.ip_no_pmtu_disc
        value: 1          # 1 = disable PMTUD; 0 is the kernel default and leaves it enabled
        sysctl_set: yes   # apply to the running kernel as well as writing sysctl.conf
        state: present
        reload: yes

2. Regarding the filesystems, the customer has already disabled freevxfs, jffs2, hfs and hfsplus, since none of them will ever be used on the OSP infra. But they have doubts about the UDF filesystem, which is used in ISO files, and suspect QEMU does some conversion for which it needs to load the module. Please confirm whether it is safe to remove all these filesystem modules from the overcloud nodes.

    modprobe -r cramfs
    modprobe -r freevxfs
    modprobe -r jffs2
    modprobe -r hfs
    modprobe -r hfsplus
    modprobe -r udf     # module names are case-sensitive and lowercase; "modprobe -r UDF" would not match

Version-Release number of selected component (if applicable):
Red Hat OpenStack 13 Director
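An audit helper for the two items above, added here as an example and not part of the bug report or of Red Hat's guidance: it checks each listed module against a /proc/modules-style listing and a modprobe.d directory (an `install <module> /bin/true` rule is what keeps a module from being loaded again, since `modprobe -r` only unloads it once), and reads ip_no_pmtu_disc, which only disables PMTUD when set to 1. File paths are parameters so it runs against constructed sample files; the live paths at the bottom are assumed standard Linux locations.

```shell
#!/bin/sh
# Added audit example (not from the bug report). Checks that each filesystem
# module from the report is unloaded AND prevented from loading again, and that
# PMTUD is really disabled. Paths are parameters so it works on sample files.

FS_MODULES="cramfs freevxfs jffs2 hfs hfsplus udf"   # lowercase, as the kernel names them

# module_state MODULE PROC_MODULES MODPROBE_DIR -> prints loaded | autoload | ok
module_state() {
    mod=$1; proc_modules=$2; modprobe_dir=$3
    # /proc/modules lists loaded modules, name first on each line
    if grep -q "^$mod " "$proc_modules" 2>/dev/null; then
        echo loaded; return 0
    fi
    # "install <mod> /bin/true" makes modprobe run that command instead of loading the
    # module; a bare "blacklist" line only stops alias-based autoload, so it is not "ok".
    if cat "$modprobe_dir"/*.conf 2>/dev/null |
       grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(true|false)"; then
        echo ok; return 0
    fi
    echo autoload
}

# pmtud_state FILE -> "disabled" when ip_no_pmtu_disc is non-zero, else "enabled".
# The kernel default is 0; the playbook task must set 1 to disable discovery.
pmtud_state() {
    v=$(tr -d '[:space:]' < "$1" 2>/dev/null || true)
    case "$v" in
        ""|0) echo enabled ;;
        *)    echo disabled ;;
    esac
}

# audit PROC_MODULES MODPROBE_DIR PMTUD_FILE -> prints findings, returns their count
audit() {
    problems=0
    for m in $FS_MODULES; do
        s=$(module_state "$m" "$1" "$2")
        [ "$s" = ok ] || { echo "$m: $s"; problems=$((problems + 1)); }
    done
    p=$(pmtud_state "$3")
    [ "$p" = disabled ] || { echo "pmtud: $p"; problems=$((problems + 1)); }
    return "$problems"
}

# Run against the live host with: sh audit.sh --live
if [ "${1:-}" = --live ]; then
    audit /proc/modules /etc/modprobe.d /proc/sys/net/ipv4/ip_no_pmtu_disc
fi
```

A non-zero exit status from `audit` is the number of findings, so it can gate a CI or compliance job directly.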
I feel like UDF should not be needed for Glance/Ceph, but I'm putting a needinfo on Yogev, who knows Ceph better than I do.
OSP 13 was retired on June 27, 2023. If this was to be targeted for a different release, please reopen and retarget.