Add an option to choose the hash ring algorithm

MD5 is not available in FIPS mode, we need a way to use something else. Change-Id: Ie6e09ac66028cbe18717a7ea7a4c23730e3cb642
2020-07-07 16:35:44 +02:00 · 2020-07-07 16:35:44 +02:00 · 9189b4bb26
commit 9189b4bb26
parent 3c47122f36
5 changed files with 21 additions and 3 deletions
--- a/ironic/common/hash_ring.py
+++ b/ironic/common/hash_ring.py
@ -69,7 +69,8 @@ class HashRingManager(object):

        for driver_name, hosts in d2c.items():
            rings[driver_name] = hashring.HashRing(
-                hosts, partitions=2 ** CONF.hash_partition_exponent)
+                hosts, partitions=2 ** CONF.hash_partition_exponent,
+                hash_function=CONF.hash_ring_algorithm)

        return rings

--- a/ironic/conf/default.py
+++ b/ironic/conf/default.py
@ -17,6 +17,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+import hashlib
 import os
 import socket
 import tempfile
@ -183,6 +184,15 @@ hash_opts = [
               help=_('Time (in seconds) after which the hash ring is '
                      'considered outdated and is refreshed on the next '
                      'access.')),
+    cfg.StrOpt('hash_ring_algorithm',
+               default='md5',
+               advanced=True,
+               choices=hashlib.algorithms_guaranteed,
+               help=_('Hash function to use when building the hash ring. '
+                      'If running on a FIPS system, do not use md5. '
+                      'WARNING: all ironic services in a cluster MUST use '
+                      'the same algorithm at all times. Changing the '
+                      'algorithm requires an offline update.')),
 ]

 image_opts = [
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@ -135,7 +135,7 @@ testrepository==0.0.20
 testresources==2.0.0
 testscenarios==0.4
 testtools==2.2.0
-tooz==1.58.0
+tooz==2.7.0
 traceback2==1.4.0
 unittest2==1.1.0
 vine==1.3.0
--- a/releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml
+++ b/releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Provides a new option ``[DEFAULT]hash_ring_algorithm`` that specifies
+    which cryptographic algorithm to use when building the hash ring. Set
+    to something other than ``md5`` when using ironic on a system in FIPS
+    mode.
--- a/requirements.txt
+++ b/requirements.txt
@ -43,5 +43,5 @@ oslo.versionedobjects>=1.31.2 # Apache-2.0
 jsonschema>=3.2.0 # MIT
 psutil>=3.2.2 # BSD
 futurist>=1.2.0 # Apache-2.0
-tooz>=1.58.0 # Apache-2.0
+tooz>=2.7.0 # Apache-2.0
 openstacksdk>=0.37.0 # Apache-2.0