author | Shukun Song <song.shukun@jp.fujitsu.com> | 2022-06-10 20:09:50 +0900 |
---|---|---|
committer | Shukun Song <song.shukun@jp.fujitsu.com> | 2022-09-26 16:12:07 +0900 |
commit | 4ab1f1e599f7b18007b0dac4b3ad684c47179247 (patch) | |
tree | 97ea644584125301a34303cf7eb009a22e5dd11c /doc/source/admin/drivers/irmc.rst | |
parent | 683462a3138db2b67aac2241735964ecf3e2b806 (diff) | |
download | ironic-4ab1f1e599f7b18007b0dac4b3ad684c47179247.tar.gz |
[iRMC] Add SNMPv3 authentication functionality

Currently when using SNMPv3, iRMC driver does not use SNMPv3
authentication parameters so the SNMPv3 authentication will
always fail. And iRMC cannot recognize FIPS mode, so when FIPS mode
is enabled, iRMC driver could still use non-FIPS-compliant algorithms.

This commit changes iRMC driver to require and use SNMPv3
authentication parameters when 'irmc_snmp_version' is set to v3 and
also makes iRMC driver force 'irmc_snmp_version' to v3,
'irmc_snmp_auth_proto' to SHA and 'irmc_snmp_priv_proto' to AES
when FIPS mode is enabled, because currently among the algorithms
supported by iRMC, only SHA and AES are FIPS compliant.

Conflicts:
doc/source/admin/drivers/irmc.rst
driver-requirements.txt
ironic/drivers/modules/irmc/common.py
ironic/tests/unit/drivers/modules/irmc/test_common.py

Change-Id: Id6f8996e4d103f849325f54fe0619b4acb43453a
Story: 2010085
Task: 45590
(cherry picked from commit 79f82c0262c84f1e317991052d065259b3a4683d)
Diffstat (limited to 'doc/source/admin/drivers/irmc.rst')
-rw-r--r-- | doc/source/admin/drivers/irmc.rst | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/doc/source/admin/drivers/irmc.rst b/doc/source/admin/drivers/irmc.rst index 4e9bf4434..3bd650479 100644 --- a/doc/source/admin/drivers/irmc.rst +++ b/doc/source/admin/drivers/irmc.rst @@ -181,6 +181,25 @@ Configuration via ``driver_info`` ``irmc_deploy_iso`` and ``irmc_boot_iso`` accordingly before the Xena release. +* The following properties are also required if ``irmc`` inspect interface is + enabled and SNMPv3 inspection is desired. + + - ``driver_info/irmc_snmp_user`` property to be the SNMPv3 username. SNMPv3 + functionality should be enabled for this user on iRMC server side. + - ``driver_info/irmc_snmp_auth_password`` property to be the auth protocol + pass phrase. The length of pass phrase should be at least 8 characters. + - ``driver_info/irmc_snmp_priv_password`` property to be the privacy protocol + pass phrase. The length of pass phrase should be at least 8 characters. + + .. note:: + When using SNMPv3, python-scciclient in old version (before 0.12.2) can + only interact with iRMC with no authentication protocol setted. This means + the passwords and protocol settings of the snmp user in iRMC side should + all be blank, otherwise python-scciclient will encounter an communication + error. If you are using such old version python-scciclient, the + ``irmc_snmp_auth_password`` and ``irmc_snmp_priv_password`` properties + will be ignored. If you want to set passwords, please update + python-scciclient to some newer version (>= 0.12.2). Configuration via ``ironic.conf`` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -220,6 +239,17 @@ Configuration via ``ironic.conf`` and ``v2c``. The default value is ``public``. Optional. - ``snmp_security``: SNMP security name required for version ``v3``. Optional. + - ``snmp_auth_proto``: The SNMPv3 auth protocol. The valid value and the + default value are both ``sha``. We will add more supported valid values + in the future. Optional. + - ``snmp_priv_proto``: The SNMPv3 privacy protocol. The valid value and + the default value are both ``aes``. We will add more supported valid values + in the future. Optional. + + .. note:: + ``snmp_security`` will be ignored if ``driver_info/irmc_snmp_user`` is + set. ``snmp_auth_proto`` and ``snmp_priv_proto`` will be ignored if the + version of python-scciclient is before 0.12.2. Override ``ironic.conf`` configuration via ``driver_info`` @@ -237,6 +267,10 @@ Override ``ironic.conf`` configuration via ``driver_info`` - ``driver_info/irmc_snmp_port`` property overrides ``snmp_port``. - ``driver_info/irmc_snmp_community`` property overrides ``snmp_community``. - ``driver_info/irmc_snmp_security`` property overrides ``snmp_security``. + - ``driver_info/irmc_snmp_auth_proto`` property overrides + ``snmp_auth_proto``. + - ``driver_info/irmc_snmp_priv_proto`` property overrides + ``snmp_priv_proto``. Optional functionalities for the ``irmc`` hardware type |
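Review bot: In the first hunk (@@ -181,6 +181,25 @@), the note says that with python-scciclient before 0.12.2 the ``irmc_snmp_auth_password`` and ``irmc_snmp_priv_password`` properties "will be ignored" and that the SNMP user on the iRMC side must have blank passwords and protocol settings, which means SNMPv3 inspection then runs with neither authentication nor privacy while the operator has configured both pass phrases. The text should say that outright and state whether the driver logs a warning or rejects the node in that case, since the bullet list above the note calls the same properties "required". The minimum pass phrase length is also given as "should be at least 8 characters" without saying whether the driver validates it; if it does, "must" is the right word. Two wording fixes in the note: "setted" should be "set" and "an communication error" should be "a communication error".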
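Review bot: In the second hunk (@@ -220,6 +239,17 @@), the new ``snmp_auth_proto`` and ``snmp_priv_proto`` entries do not mention the FIPS behaviour that the commit message describes: with FIPS mode enabled the driver forces ``irmc_snmp_version`` to v3, ``irmc_snmp_auth_proto`` to SHA and ``irmc_snmp_priv_proto`` to AES. None of the 34 lines added to this file documents that, so an operator who has set ``v1`` or ``v2c`` on a FIPS host has no way to learn from the admin guide that the setting is overridden. A short note under these two options would cover it. The values ``sha`` and ``aes`` are also given without saying which hash variant or key size they select; naming the exact algorithm would let operators match it against the SNMP user configuration on the iRMC side.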
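Review bot: In the third hunk (@@ -237,6 +267,10 @@), the override list gains ``irmc_snmp_auth_proto`` and ``irmc_snmp_priv_proto`` but leaves the precedence of the user name settings unstated. The note added in the previous hunk says ``snmp_security`` is ignored when ``driver_info/irmc_snmp_user`` is set, yet this list still reads "``driver_info/irmc_snmp_security`` property overrides ``snmp_security``" with no word on which one wins when both ``irmc_snmp_user`` and ``irmc_snmp_security`` are present in ``driver_info``. Adding one line here that states the order would remove the ambiguity, and it would help to say that ``irmc_snmp_user``, ``irmc_snmp_auth_password`` and ``irmc_snmp_priv_password`` have no ``ironic.conf`` counterpart, if that is the intent.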