Set chap algorithms for FIPS if not openeuler
The default CHAP algorithm for iscsid is md5, which is disallowed under fips. We will set the chap algorithm to "SHA3-256,SHA256", which should work under all configurations. For some reason, setting the CHAPAlgorithms as inc3b705138
breaks OpenEuler. Making this conditional so that tests continue to pass. Change-Id: Iaa740ecfbb9173dd97e90485bad88225caedb523 (cherry picked from commitac958698d0
)
This commit is contained in:
parent
381cf373ab
commit
58163a9c82
8
lib/nova
8
lib/nova
|
@ -314,6 +314,14 @@ EOF
|
|||
sudo systemctl daemon-reload
|
||||
fi
|
||||
|
||||
# set chap algorithms. The default chap_algorithm is md5 which will
|
||||
# not work under FIPS.
|
||||
# FIXME(alee) For some reason, this breaks openeuler. Openeuler devs should weigh in
|
||||
# and determine the correct solution for openeuler here
|
||||
if ! is_openeuler; then
|
||||
iniset -sudo /etc/iscsi/iscsid.conf DEFAULT "node.session.auth.chap_algs" "SHA3-256,SHA256"
|
||||
fi
|
||||
|
||||
# ensure that iscsid is started, even when disabled by default
|
||||
restart_service iscsid
|
||||
fi
|
||||
|
|
Loading…
Reference in New Issue