author Vanou Ishii <ishii.vanou@fujitsu.com> 2022-06-01 15:25:25 +0900
committer Vanou Ishii <ishii.vanou@fujitsu.com> 2022-09-28 08:18:29 +0900
commit 83051205578f190a11d8a4e2a1f2598a59bf7ca9
tree c0853e5bdb26447ed5e8c11c8183ad3bffd98d1b /doc
parent d85d7f8ac52f289b7b01096c65757b68791f4bd4
Fix iRMC driver to use certification file in HTTPS
This patch modifies iRMC driver to use certification file when it
connects to iRMC via HTTPS

Conflicts:
    doc/source/admin/drivers/irmc.rst
    driver-requirements.txt
    ironic/drivers/modules/irmc/common.py
    ironic/drivers/modules/irmc/raid.py
    ironic/tests/unit/drivers/modules/irmc/test_common.py
    ironic/tests/unit/drivers/modules/irmc/test_power.py
    ironic/tests/unit/drivers/modules/irmc/test_raid.py
    releasenotes/notes/irmc-add-certification-file-option-34e7a0062c768e58.yaml

Change-Id: If69ce1cf2789d9d60fb8e544596cf7d29eab514d
Co-authored-by: Kobayashi Daisuke <kobayashi.da-06@fujitsu.com>
Co-authored-by: Song Shukun <song.shukun@jp.fujitsu.com>
Story: 2009801
Task: 44345
(cherry picked from commit 64d7a7f3077bc000a18c4a0c56f122941b262483)
(cherry picked from commit 6c0152afa141d05ee28cba81178622021574ae17)
Diffstat (limited to 'doc')
-rw-r--r-- doc/source/admin/drivers/irmc.rst 50
1 files changed, 50 insertions, 0 deletions
diff --git a/doc/source/admin/drivers/irmc.rst b/doc/source/admin/drivers/irmc.rst
index af7d10506..c92c73679 100644
--- a/doc/source/admin/drivers/irmc.rst
+++ b/doc/source/admin/drivers/irmc.rst
@@ -111,6 +111,9 @@ Here is a command example to enroll a node with ``irmc`` hardware type.
Node configuration
^^^^^^^^^^^^^^^^^^
+Configuration via ``driver_info``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
* Each node is configured for ``irmc`` hardware type by setting the following
ironic node object's properties:
@@ -126,6 +129,44 @@ Node configuration
UEFI Secure Boot is required. Please refer to `UEFI Secure Boot Support`_
for more information.
+* If ``port`` in ``[irmc]`` section of ``/etc/ironic/ironic.conf`` or
+ ``driver_info/irmc_port`` is set to 443, ``driver_info/irmc_verify_ca``
+ will take effect:
+
+ ``driver_info/irmc_verify_ca`` property takes one of 4 value (default value
+ is ``True``):
+
+ - ``True``: When set to ``True``, which certification file iRMC driver uses
+ is determined by ``requests`` Python module.
+
+ Value of ``driver_info/irmc_verify_ca`` is passed to ``verify`` argument
+ of functions defined in ``requests`` Python module. So which certification
+ will be used is depend on behavior of ``requests`` module.
+ (maybe certification provided by ``certifi`` Python module)
+
+ - ``False``: When set to ``False``, iRMC driver won't verify server
+ certification with certification file during HTTPS connection with iRMC.
+ Just stop to verify server certification, but does HTTPS.
+
+ .. warning::
+ When set to ``False``, user must notice that it can result in
+ vulnerable situation. Stopping verification of server certification
+ during HTTPS connection means it cannot prevent Man-in-the-middle
+ attack. When set to ``False``, Ironic user must take enough care
+ around infrastructure environment in terms of security.
+ (e.g. make sure network between Ironic conductor and iRMC is secure)
+
+ - string representing filesystem path to directory which contains
+ certification file: In this case, iRMC driver uses certification file
+ stored at specified directory. Ironic conductor must be able to access
+ that directory. For iRMC to recongnize certification file, Ironic user
+ must run ``openssl rehash <path_to_dir>``.
+
+ - string representing filesystem path to certification file: In this case,
+ iRMC driver uses certification file specified. Ironic conductor must have
+ access to that file.
+
+
* The following properties are also required if ``irmc-virtual-media`` boot
interface is used:
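Review bot: in the directory-path bullet, "For iRMC to recongnize certification file" misspells "recognize" and names the wrong party. The sentence before it says the iRMC driver reads the directory from the conductor, so the ``openssl rehash <path_to_dir>`` step serves the driver, not the iRMC; suggest "For the iRMC driver to recognize the certificate files in that directory, run ``openssl rehash <path_to_dir>``". In the ``True`` bullet, "(maybe certification provided by ``certifi`` Python module)" is a guess in admin documentation: either state the behaviour or drop the parenthetical and refer to the ``requests`` documentation for ``verify``. The lead-in says ``irmc_verify_ca`` takes effect when the port is 443 but not what happens for any other port value; one sentence on that case would tell operators whether the setting is silently ignored. Minor wording: "one of 4 value" should be "one of 4 values", "is depend on" should be "depends on", and "certification" is used throughout where "certificate" is meant.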
@@ -140,6 +181,10 @@ Node configuration
``irmc_deploy_iso`` and ``irmc_boot_iso`` accordingly before the Xena
release.
+
+Configuration via ``ironic.conf``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
* All of the nodes are configured by setting the following configuration
options in the ``[irmc]`` section of ``/etc/ironic/ironic.conf``:
@@ -176,6 +221,10 @@ Node configuration
- ``snmp_security``: SNMP security name required for version ``v3``.
Optional.
+
+Override ``ironic.conf`` configuration via ``driver_info``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
* Each node can be further configured by setting the following ironic
node object's properties which override the parameter values in
``[irmc]`` section of ``/etc/ironic/ironic.conf``:
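Review bot: the title "Override ``ironic.conf`` configuration via ``driver_info``" added here sits next to "Configuration via ``driver_info``" added in the first hunk, so two of the three new subsections are titled as driver_info configuration and the titles alone do not say which one holds the per-node properties and which one holds the overrides of ``[irmc]`` options. Consider titles that name the role, for example "Per-node ``driver_info`` properties" and "Per-node overrides of ``[irmc]`` options". The new ``irmc_verify_ca`` text also depends on ``port``/``driver_info/irmc_port``, which is an override pair, so a cross-reference from that bullet to this subsection would help.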
@@ -189,6 +238,7 @@ Node configuration
- ``driver_info/irmc_snmp_community`` property overrides ``snmp_community``.
- ``driver_info/irmc_snmp_security`` property overrides ``snmp_security``.
+
Optional functionalities for the ``irmc`` hardware type
=======================================================
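Review bot: the only change in this hunk is a blank line added before the "Optional functionalities for the ``irmc`` hardware type" heading, which is unrelated to the certificate option. In a cherry-picked backport that already lists a conflict in this file, dropping the whitespace-only change keeps the diff against the original commit smaller and later backports easier to apply.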