Set chap algorithms for FIPS if not openeuler

The default CHAP algorithm for iscsid is md5, which is disallowed under fips. We will set the chap algorithm to "SHA3-256,SHA256", which should work under all configurations. For some reason, setting the CHAPAlgorithms as in c3b705138 breaks OpenEuler. Making this conditional so that tests continue to pass. Change-Id: Iaa740ecfbb9173dd97e90485bad88225caedb523 (cherry picked from commit ac958698d0)
2022-01-05 16:23:46 -05:00 · 2022-01-05 16:23:46 -05:00 · 58163a9c82
parent 381cf373ab
commit 58163a9c82
1 changed files with 8 additions and 0 deletions
--- a/lib/nova
+++ b/lib/nova
@ -314,6 +314,14 @@ EOF
            sudo systemctl daemon-reload
        fi

+        # set chap algorithms.  The default chap_algorithm is md5 which will
+        # not work under FIPS.
+        # FIXME(alee) For some reason, this breaks openeuler.  Openeuler devs should weigh in
+        # and determine the correct solution for openeuler here
+        if ! is_openeuler; then
+            iniset -sudo /etc/iscsi/iscsid.conf DEFAULT "node.session.auth.chap_algs" "SHA3-256,SHA256"
+        fi
+
        # ensure that iscsid is started, even when disabled by default
        restart_service iscsid
    fi