authorZuul <zuul@review.opendev.org>2020-07-23 17:31:00 +0000
committerGerrit Code Review <review@openstack.org>2020-07-23 17:31:00 +0000
commit39a38ecf4e07d54e1ed5d2576d41176318e9bc7e (patch)
treea1a4f01b8b26f4ba40f96f7077165d8b605d3485
parent49301bf46e86903159bd96412d1ca99a3d6a1e9a (diff)
parent9189b4bb26f2f9bb2b39dffd5881eb2dd04af401 (diff)
Merge "Add an option to choose the hash ring algorithm"
-rw-r--r--ironic/common/hash_ring.py3
-rw-r--r--ironic/conf/default.py10
-rw-r--r--lower-constraints.txt2
-rw-r--r--releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml7
-rw-r--r--requirements.txt2
5 files changed, 21 insertions, 3 deletions
diff --git a/ironic/common/hash_ring.py b/ironic/common/hash_ring.py
index d682fcc0d..0c2c534a9 100644
--- a/ironic/common/hash_ring.py
+++ b/ironic/common/hash_ring.py
@@ -69,7 +69,8 @@ class HashRingManager(object):
for driver_name, hosts in d2c.items():
rings[driver_name] = hashring.HashRing(
- hosts, partitions=2 ** CONF.hash_partition_exponent)
+ hosts, partitions=2 ** CONF.hash_partition_exponent,
+ hash_function=CONF.hash_ring_algorithm)
return rings
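Review bot: The new `hash_function=CONF.hash_ring_algorithm` argument carries a cluster-wide constraint that is stated only in the option's help text, and nothing in this hunk documents it or checks that peers agree. Presumably two services configured with different algorithms would build rings that map the same node to different conductors, which would be hard to diagnose from logs. I would add a comment above the call such as `# NOTE: every ironic service must use the same hash_ring_algorithm; a mismatch yields divergent rings.` and consider logging the selected algorithm when the rings are built. The enclosing method starts above this hunk, so any existing logging there is not visible.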
diff --git a/ironic/conf/default.py b/ironic/conf/default.py
index 2936d232a..b799208f0 100644
--- a/ironic/conf/default.py
+++ b/ironic/conf/default.py
@@ -17,6 +17,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+import hashlib
import os
import socket
import tempfile
@@ -183,6 +184,15 @@ hash_opts = [
help=_('Time (in seconds) after which the hash ring is '
'considered outdated and is refreshed on the next '
'access.')),
+ cfg.StrOpt('hash_ring_algorithm',
+ default='md5',
+ advanced=True,
+ choices=hashlib.algorithms_guaranteed,
+ help=_('Hash function to use when building the hash ring. '
+ 'If running on a FIPS system, do not use md5. '
+ 'WARNING: all ironic services in a cluster MUST use '
+ 'the same algorithm at all times. Changing the '
+ 'algorithm requires an offline update.')),
]
image_opts = [
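Review bot: `choices=hashlib.algorithms_guaranteed` accepts every guaranteed algorithm, including `shake_128` and `shake_256`, whose `digest()` and `hexdigest()` require a length argument. If the hash ring library calls them without one (not visible here), selecting either would fail when the ring is built rather than at config validation. The value is also a set, so the order of choices in generated sample config and docs is not stable. I would narrow and sort it: `choices=sorted(hashlib.algorithms_guaranteed - {'shake_128', 'shake_256'}),`. Separately, the default stays `md5`, so a FIPS-mode host still needs an explicit override, as the help text notes.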
diff --git a/lower-constraints.txt b/lower-constraints.txt
index c29d25e8d..3f483d1fe 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -135,7 +135,7 @@ testrepository==0.0.20
testresources==2.0.0
testscenarios==0.4
testtools==2.2.0
-tooz==1.58.0
+tooz==2.7.0
traceback2==1.4.0
unittest2==1.1.0
vine==1.3.0
diff --git a/releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml b/releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml
new file mode 100644
index 000000000..181a5ed9d
--- /dev/null
+++ b/releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Provides a new option ``[DEFAULT]hash_ring_algorithm`` that specifies
+ which cryptographic algorithm to use when building the hash ring. Set
+ to something other than ``md5`` when using ironic on a system in FIPS
+ mode.
diff --git a/requirements.txt b/requirements.txt
index bb37845eb..b1b1011d5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -42,5 +42,5 @@ oslo.versionedobjects>=1.31.2 # Apache-2.0
jsonschema>=3.2.0 # MIT
psutil>=3.2.2 # BSD
futurist>=1.2.0 # Apache-2.0
-tooz>=1.58.0 # Apache-2.0
+tooz>=2.7.0 # Apache-2.0
openstacksdk>=0.37.0 # Apache-2.0