From 9189b4bb26f2f9bb2b39dffd5881eb2dd04af401 Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Tue, 7 Jul 2020 16:35:44 +0200
Subject: [PATCH] Add an option to choose the hash ring algorithm

MD5 is not available in FIPS mode, we need a way to use something else.

Change-Id: Ie6e09ac66028cbe18717a7ea7a4c23730e3cb642
---
 ironic/common/hash_ring.py | 3 ++-
 ironic/conf/default.py | 10 ++++++++++
 lower-constraints.txt | 2 +-
 .../notes/hash-ring-algo-4337c18117b33070.yaml | 7 +++++++
 requirements.txt | 2 +-
 5 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml
diff --git a/ironic/common/hash_ring.py b/ironic/common/hash_ring.py
index d682fcc0d2..0c2c534a95 100644
--- a/ironic/common/hash_ring.py
+++ b/ironic/common/hash_ring.py
@@ -69,7 +69,8 @@ class HashRingManager(object):
 for driver_name, hosts in d2c.items():
 rings[driver_name] = hashring.HashRing(
- hosts, partitions=2 ** CONF.hash_partition_exponent)
+ hosts, partitions=2 ** CONF.hash_partition_exponent,
+ hash_function=CONF.hash_ring_algorithm)
 return rings
diff --git a/ironic/conf/default.py b/ironic/conf/default.py
index 2936d232a5..b799208f03 100644
--- a/ironic/conf/default.py
+++ b/ironic/conf/default.py
@@ -17,6 +17,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import hashlib
 import os
 import socket
 import tempfile
@@ -183,6 +184,15 @@ hash_opts = [
 help=_('Time (in seconds) after which the hash ring is '
 'considered outdated and is refreshed on the next '
 'access.')),
+ cfg.StrOpt('hash_ring_algorithm',
+ default='md5',
+ advanced=True,
+ choices=hashlib.algorithms_guaranteed,
+ help=_('Hash function to use when building the hash ring. '
+ 'If running on a FIPS system, do not use md5. '
+ 'WARNING: all ironic services in a cluster MUST use '
+ 'the same algorithm at all times. Changing the '
+ 'algorithm requires an offline update.')),
 ]
 image_opts = [
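Review bot: In ironic/common/hash_ring.py, `hash_function=CONF.hash_ring_algorithm` is handed to `hashring.HashRing` with no check that the algorithm is usable on this host and no record of which one was used. On a FIPS host left at the default `md5` the failure would presumably surface only when the ring is built, and two services configured with different algorithms would map the same node to different conductors without any error. Assuming the module has a logger (not visible in the hunk), I would log the choice once where the rings are built, e.g. `LOG.debug('Building hash rings with algorithm %s', CONF.hash_ring_algorithm)`, so a mismatch shows up when comparing service logs. The enclosing method starts above the hunk.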
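Review bot: In ironic/conf/default.py, `choices=hashlib.algorithms_guaranteed` admits `shake_128` and `shake_256`, whose `digest()`/`hexdigest()` require a length argument; unless tooz passes one (not visible here), those values pass config validation and fail only when the ring is built. The set also lists `md5` regardless of FIPS mode and the default stays `md5`, so validation does not protect the deployments this option is meant for, and the help text is the only guard. Because it is an unordered set, the order of choices in generated sample configs and docs may change between runs. Consider `choices=sorted(hashlib.algorithms_guaranteed - {'shake_128', 'shake_256'}),`. The `hash_opts` list starts above the hunk.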
diff --git a/lower-constraints.txt b/lower-constraints.txt
index 82533a1b1f..930205c6b7 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -135,7 +135,7 @@ testrepository==0.0.20
 testresources==2.0.0
 testscenarios==0.4
 testtools==2.2.0
-tooz==1.58.0
+tooz==2.7.0
 traceback2==1.4.0
 unittest2==1.1.0
 vine==1.3.0
diff --git a/releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml b/releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml
new file mode 100644
index 0000000000..181a5ed9dd
--- /dev/null
+++ b/releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Provides a new option ``[DEFAULT]hash_ring_algorithm`` that specifies
+ which cryptographic algorithm to use when building the hash ring. Set
+ to something other than ``md5`` when using ironic on a system in FIPS
+ mode.
diff --git a/requirements.txt b/requirements.txt
index 9a59e67777..50053460e6 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -43,5 +43,5 @@ oslo.versionedobjects>=1.31.2 # Apache-2.0
 jsonschema>=3.2.0 # MIT
 psutil>=3.2.2 # BSD
 futurist>=1.2.0 # Apache-2.0
-tooz>=1.58.0 # Apache-2.0
+tooz>=2.7.0 # Apache-2.0
 openstacksdk>=0.37.0 # Apache-2.0