diff --git a/doc/source/archive/configuration/k8s_auth_winactivedir.rst b/doc/source/archive/configuration/k8s_auth_winactivedir.rst index aa77d6953..2af0cd49c 100644 --- a/doc/source/archive/configuration/k8s_auth_winactivedir.rst +++ b/doc/source/archive/configuration/k8s_auth_winactivedir.rst @@ -115,7 +115,7 @@ are in ``/home/sysadmin/ssl/``. insecureNoSSL: false insecureSkipVerify: false bindDN: cn=Administrator,cn=Users,dc=cumulus,dc=wrs,dc=com - bindPW: Li69nux* + bindPW: St8rlingXCloud* usernamePrompt: Username userSearch: baseDN: ou=Users,ou=Titanium,dc=cumulus,dc=wrs,dc=com diff --git a/doc/source/backup/kubernetes/node-replacement-for-aiominussx-using-optimized-backup-and-restore-6603c650c80d.rst b/doc/source/backup/kubernetes/node-replacement-for-aiominussx-using-optimized-backup-and-restore-6603c650c80d.rst index 69537356a..049b4828f 100644 --- a/doc/source/backup/kubernetes/node-replacement-for-aiominussx-using-optimized-backup-and-restore-6603c650c80d.rst +++ b/doc/source/backup/kubernetes/node-replacement-for-aiominussx-using-optimized-backup-and-restore-6603c650c80d.rst @@ -34,4 +34,4 @@ For example: .. code-block:: none - ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin" -e "ansible_become_pass=St8rlingX*" -e "admin_password=St8rlingX*" -e "backup_filename=localhost_platform_backup.tgz" -e "restore_mode=optimized" -e "restore_registry_filesystem=true" -e "replacement_mgmt_mac=a1:a2:a3:a4:a5:a6" + ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin" -e "ansible_become_pass=St8rlingXCloud*" -e "admin_password=St8rlingXCloud*" -e "backup_filename=localhost_platform_backup.tgz" -e "restore_mode=optimized" -e "restore_registry_filesystem=true" -e "replacement_mgmt_mac=a1:a2:a3:a4:a5:a6" 
diff --git a/doc/source/backup/kubernetes/restoring-starlingx-system-data-and-storage.rst b/doc/source/backup/kubernetes/restoring-starlingx-system-data-and-storage.rst index 7b3d7a4ab..edd395e2e 100644 --- a/doc/source/backup/kubernetes/restoring-starlingx-system-data-and-storage.rst +++ b/doc/source/backup/kubernetes/restoring-starlingx-system-data-and-storage.rst @@ -137,7 +137,7 @@ conditions are in place: #. Ensure that the system is at the same patch level as it was when the backup was taken. On the |AIO-SX| systems, you must manually reinstall any previous patches. This may include doing a reboot if required. - + For steps on how to install patches using the :command:`sw-patch install-local` command, see :ref:`aio_simplex_install_kubernetes_r7`; ``Install Software on Controller-0``. @@ -176,7 +176,7 @@ conditions are in place: .. code-block:: none - ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_user_images.yml -e "initial_backup_dir=/home/sysadmin backup_filename=localhost_user_images_backup_2023_07_15_21_24_22.tgz ansible_become_pass=St8rlingX*" + ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_user_images.yml -e "initial_backup_dir=/home/sysadmin backup_filename=localhost_user_images_backup_2023_07_15_21_24_22.tgz ansible_become_pass=St8rlingXCloud*" .. note:: diff --git a/doc/source/backup/kubernetes/running-ansible-backup-playbook-remotely.rst b/doc/source/backup/kubernetes/running-ansible-backup-playbook-remotely.rst index 9f78b9547..5723fd03a 100644 --- a/doc/source/backup/kubernetes/running-ansible-backup-playbook-remotely.rst +++ b/doc/source/backup/kubernetes/running-ansible-backup-playbook-remotely.rst 
@@ -84,11 +84,11 @@ and target it at controller-0. yes/no: 'yes' sysadmin*: 'sysadmin' (current) UNIX password: 'sysadmin' - New password: 'St8rlingX*' - Retype new password: 'St8rlingX*' - admin_password: St8rlingX* - ansible_become_pass: St8rlingX* - ansible_ssh_pass: St8rlingX* + New password: 'St8rlingXCloud*' + Retype new password: 'St8rlingXCloud*' + admin_password: St8rlingXCloud* + ansible_become_pass: St8rlingXCloud* + ansible_ssh_pass: St8rlingXCloud* Save your changes and quit the editor. If you need to make additional changes, you can use the command :command:`ansible-vault edit diff --git a/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst b/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst index b4cffccad..0f3ae5378 100644 --- a/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst +++ b/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst @@ -85,7 +85,7 @@ Below you can find other ``-e`` command line options: .. code-block:: none - ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin ansible_become_pass=St8rlingX* admin_password=St8rlingX* backup_filename=localhost_platform_backup_2020_07_27_07_48_48.tgz wipe_ceph_osds=true" + ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_platform_backup_2020_07_27_07_48_48.tgz wipe_ceph_osds=true" .. note:: diff --git a/doc/source/deploy_install_guides/release/bare_metal/ironic_install.rst b/doc/source/deploy_install_guides/release/bare_metal/ironic_install.rst index e4ec887c9..0dd673b26 100644 --- a/doc/source/deploy_install_guides/release/bare_metal/ironic_install.rst 
+++ b/doc/source/deploy_install_guides/release/bare_metal/ironic_install.rst @@ -186,7 +186,7 @@ From a new shell as a root user, without sourcing ``/etc/platform/openrc``: endpoint_type: internalURL auth: username: 'admin' - password: 'Li69nux*' + password: 'St8rlingXCloud*' project_name: 'admin' project_domain_name: 'default' user_domain_name: 'default' diff --git a/doc/source/deploy_install_guides/release/openstack/access.rst b/doc/source/deploy_install_guides/release/openstack/access.rst index adaee6de7..69e95e479 100644 --- a/doc/source/deploy_install_guides/release/openstack/access.rst +++ b/doc/source/deploy_install_guides/release/openstack/access.rst @@ -269,7 +269,7 @@ The following command will request the Keystone token: "user": { "name": "admin", "domain": { "id": "default" }, - "password": "St8rlingX*" + "password": "St8rlingXCloud*" } } }, diff --git a/doc/source/developer_resources/backup_restore.rst b/doc/source/developer_resources/backup_restore.rst index 6aaa51a14..dea983f57 100644 --- a/doc/source/developer_resources/backup_restore.rst +++ b/doc/source/developer_resources/backup_restore.rst @@ -127,7 +127,7 @@ Example: :: - ansible-playbook /localdisk/designer/repo/cgcs-root/stx/stx-ansible-playbooks/playbookconfig/src/playbooks/backup-restore/backup.yml --limit my_vbox -i $HOME/br_test/hosts -e "host_backup_dir=$HOME/br_test ansible_become_pass=Li69nux* admin_password=Li69nux* ansible_ssh_pass=Li69nux* ansible_ssh_pass=Li69nux*" + ansible-playbook /localdisk/designer/repo/cgcs-root/stx/stx-ansible-playbooks/playbookconfig/src/playbooks/backup-restore/backup.yml --limit my_vbox -i $HOME/br_test/hosts -e "host_backup_dir=$HOME/br_test ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud*" #. If you deploy the system with rook instead of ceph backend, you must add the ``rook_enabled=true`` variable. 
@@ -344,7 +344,7 @@ Steps: :: - ansible-playbook /localdisk/designer/jenkins/tis-stx-dev/cgcs-root/stx/ansible-playbooks/playbookconfig/src/playbooks/restore_platform.yml --limit my_vbox -i $HOME/br_test/hosts -e "ansible_become_pass=Li69nux* admin_password=Li69nux* ansible_ssh_pass=Li69nux* initial_backup_dir=$HOME/br_test backup_filename=my_vbox_system_backup_2019_08_08_15_25_36.tgz ansible_remote_tmp=/home/sysadmin/ansible-restore" + ansible-playbook /localdisk/designer/jenkins/tis-stx-dev/cgcs-root/stx/ansible-playbooks/playbookconfig/src/playbooks/restore_platform.yml --limit my_vbox -i $HOME/br_test/hosts -e "ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud* initial_backup_dir=$HOME/br_test backup_filename=my_vbox_system_backup_2019_08_08_15_25_36.tgz ansible_remote_tmp=/home/sysadmin/ansible-restore" #. If you deploy the system with rook instead of ceph backend, you must add the ``rook_enabled=true`` variable in above command. @@ -470,7 +470,7 @@ Steps: :: - ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'initial_backup_dir=/opt/backups ansible_become_pass=Li69nux* admin_password=Li69nux* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz' + ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'initial_backup_dir=/opt/backups ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz' If you want to restore Glance images and Cinder volumes from external storage (the Optional step above was executed) or you want to reconcile 
@@ -489,7 +489,7 @@ Steps: :: - ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_cinder_glance_data=true ansible_become_pass=Li69nux* admin_password=Li69nux* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups' + ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_cinder_glance_data=true ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups' * Restore Glance images and Cinder volumes using image-backup.sh and tidy_storage_post_restore helper scripts. @@ -556,4 +556,4 @@ Steps: :: - ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_openstack_continue=true ansible_become_pass=Li69nux* admin_password=Li69nux* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups' + ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_openstack_continue=true ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups' diff --git a/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst b/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst index 9e239a9de..bb6f8e611 100644 --- a/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst +++ b/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst @@ -93,7 +93,7 @@ using the ansible playbook. .. code-block:: none { - "ansible_ssh_pass": "St8rlingX*", + "ansible_ssh_pass": "St8rlingXCloud*", "external_oam_node_0_address": "10.10.10.13", "external_oam_node_1_address": "10.10.10.14", } 
diff --git a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst index df7dd822e..f45572e62 100644 --- a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst +++ b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst @@ -21,6 +21,7 @@ System Accounts remote-windows-active-directory-accounts starlingx-system-accounts-system-account-password-rules manage-local-ldap-39fe3a85a528 + linux-accounts-password-3dcad436dce4 ***************** Access the System diff --git a/doc/source/security/kubernetes/keystone-security-compliance-configuration-b149adca6a7f.rst b/doc/source/security/kubernetes/keystone-security-compliance-configuration-b149adca6a7f.rst index c1305826b..5d461cdf0 100644 --- a/doc/source/security/kubernetes/keystone-security-compliance-configuration-b149adca6a7f.rst +++ b/doc/source/security/kubernetes/keystone-security-compliance-configuration-b149adca6a7f.rst 
@@ -18,6 +18,26 @@ You can configure custom password rules for keystone security compliance. system service-parameter-add identity security_compliance unique_last_password_count system service-parameter-add identity security_compliance password_regex system service-parameter-add identity security_compliance password_regex_description + system service-parameter-add identity security_compliance password_expires_days + + .. note:: + + ``password_expire_days`` must be a positive integer. + + .. code-block:: none + + [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-add identity security_compliance password_expires_days=90 + +-------------+--------------------------------------+ + | Property | Value | + +-------------+--------------------------------------+ + | uuid | 27d24c80-e9de-37ce-9d26-f21236782be8 | + | service | identity | + | section | security_compliance | + | name | password_expires_days | + | value | 90 | + | personality | None | + | resource | None | + +-------------+--------------------------------------+ #. In order for the changes to take effect, apply the new configuration with the command: diff --git a/doc/source/security/kubernetes/linux-accounts-password-3dcad436dce4.rst b/doc/source/security/kubernetes/linux-accounts-password-3dcad436dce4.rst new file mode 100644 index 000000000..e77d8baa2 --- /dev/null +++ b/doc/source/security/kubernetes/linux-accounts-password-3dcad436dce4.rst 
@@ -0,0 +1,58 @@ +.. _linux-accounts-password-3dcad436dce4: + +============================= +Linux Accounts Password Rules +============================= + +.. rubric:: Check Current Password Expiry Settings + +Before making any changes, you may want to check the current password expiry +settings for the user. You can do this by running the :command:`chage -l +` command, replacing ```` with the name of the user whose +password expiry settings you want to view. + +.. code-block:: none + + sudo chage -l + +.. rubric:: Change Password Expiry Settings + +To change the password expiry period of Linux accounts, run the :command:`chage` +command, as bellow: + +.. code-block:: none + + [sysadmin@controller-0 ~(keystone_admin)]$ sudo chage -M + +For example, to set the maximum number of days before the password must be +changed to 60 days for a user named ``sysadmin``, you can use the following +command: + +.. code-block:: none + + [sysadmin@controller-0 ~(keystone_admin)]$ sudo chage -M 60 sysadmin + + +Verify Changes +-------------- + +After making the changes, verify that the new password expiry settings have +been applied by running the :command:`chage -l ` command again. + +.. code-block:: none + + chage -l + +For the example above of user ``sysadmin`` and expiry period of 60 days, the +output of ``chage -l `` should be as follows: + +.. code-block:: none + + [sysadmin@controller-0 ~(keystone_admin)]$ chage -l sysadmin + Last password change : abr 30, 2024 + Password expires : jun 29, 2024 + Password inactive : never + Account expires : never + Minimum number of days between password change : 0 + Maximum number of days between password change : 60 + Number of days of warning before password expires : 7 \ No newline at end of file diff --git a/doc/source/security/kubernetes/starlingx-system-accounts-system-account-password-rules.rst b/doc/source/security/kubernetes/starlingx-system-accounts-system-account-password-rules.rst index 2234ba1eb..a2c629dad 100644 
--- a/doc/source/security/kubernetes/starlingx-system-accounts-system-account-password-rules.rst +++ b/doc/source/security/kubernetes/starlingx-system-accounts-system-account-password-rules.rst @@ -14,9 +14,9 @@ other Linux Accounts, and Keystone accounts): .. _starlingx-system-accounts-system-account-password-rules-ul-evs-dsn-ynb: -- The password must be at least seven characters long. +- The password must be at least 12 characters long. -- You cannot reuse the last 2 passwords in history. +- You cannot reuse the last 5 passwords in history. - The password must contain: @@ -59,3 +59,6 @@ LDAP, sysadmin, and other Linux accounts): .. note:: This rule does not apply to the root user. + +For more details on Linux Accounts password rules see: +:ref:`linux-accounts-password-3dcad436dce4`. diff --git a/doc/source/security/openstack/security-system-account-password-rules.rst b/doc/source/security/openstack/security-system-account-password-rules.rst index d66d5934a..e69b6833b 100644 --- a/doc/source/security/openstack/security-system-account-password-rules.rst +++ b/doc/source/security/openstack/security-system-account-password-rules.rst @@ -13,9 +13,9 @@ By default, the following rules apply: .. _security-system-account-password-rules-ul-jwb-g15-zw: -- The password must be at least seven characters long. +- The password must be at least 12 characters long. -- You cannot reuse the last 2 passwords in history. +- You cannot reuse the last 5 passwords in history. - The password must contain:
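Review bot: In k8s_auth_winactivedir.rst, ``bindPW`` is the password of the directory bind account (``bindDN: cn=Administrator,cn=Users,dc=cumulus,dc=wrs,dc=com``), not of a platform account, so replacing it with the same example string this patch uses for ``admin_password`` and ``ansible_become_pass`` suggests the two are related. A neutral placeholder for the bind password would read more clearly in this example.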
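Review bot: In running-restore-playbook-locally-on-the-controller.rst, and likewise in the other restore examples touched by this patch, the new line still puts a literal password in the ``-e`` arguments (``ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud*``). Values passed this way land in shell history and are visible in the process list, and a literal printed in the docs tends to be reused as the real password. Consider a placeholder instead of a literal, or a pointer to the vault-encrypted file that running-ansible-backup-playbook-remotely.rst already describes with :command:`ansible-vault edit`.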
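Review bot: In developer_resources/backup_restore.rst, hunk at line 127, the new command still passes ``ansible_ssh_pass`` twice in the same ``-e`` string (``ansible_ssh_pass=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud*``). The duplicate was carried over from the old line and can be dropped while this line is being edited.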
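Review bot: In migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst, the JSON example edited here ends with a trailing comma after ``"external_oam_node_1_address": "10.10.10.14",`` and before the closing brace, which is not valid JSON. Since the block is being touched anyway, remove that comma so the example can be pasted as is.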
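Review bot: In keystone-security-compliance-configuration-b149adca6a7f.rst, the added note names the parameter ``password_expire_days``, while the command line added just above it and the example below it both use ``password_expires_days``. Make the note match the parameter name so readers do not copy the misspelled form.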
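Review bot: In the new file linux-accounts-password-3dcad436dce4.rst, "as bellow" should read "as below", and the user placeholder appears empty wherever it is referenced: the sentence "replacing ... with the name of the user" has nothing between its literal markers, and the commands read ``sudo chage -l`` and ``sudo chage -M`` with no arguments shown. Spell the placeholders out (a user name for ``-l``, a day count and a user name for ``-M``). The sample output also shows localized dates (``abr 30, 2024``, ``jun 29, 2024``); capturing it in an English locale would match the rest of the page. The first check uses ``sudo chage -l`` while the verification step uses plain ``chage -l``, so pick one form, and the file ends without a trailing newline.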
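Review bot: In starlingx-system-accounts-system-account-password-rules.rst, the sentence added at the end of the file sends readers to :ref:`linux-accounts-password-3dcad436dce4` for "more details on Linux Accounts password rules", but the page added by this patch only covers password expiry settings with :command:`chage`. Either word the reference as password expiry settings or retitle the new page to match what it documents. The same rule changes (12 characters, last 5 passwords) are made in security/openstack/security-system-account-password-rules.rst without the cross-reference; add it there too if it applies.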