authorDmitry Tantsur <dtantsur@protonmail.com>2020-07-07 16:35:44 +0200
committerDmitry Tantsur <dtantsur@protonmail.com>2020-07-22 18:27:19 +0200
commit9189b4bb26f2f9bb2b39dffd5881eb2dd04af401 (patch)
tree2695357ada8f891a85fb6e091a4545074b98ae8f
parent3c47122f363756911f066f8cf8ecb0b1cac1335b (diff)
Add an option to choose the hash ring algorithm
MD5 is not available in FIPS mode, so we need a way to use something else.

Change-Id: Ie6e09ac66028cbe18717a7ea7a4c23730e3cb642
-rw-r--r--ironic/common/hash_ring.py3
-rw-r--r--ironic/conf/default.py10
-rw-r--r--lower-constraints.txt2
-rw-r--r--releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml7
-rw-r--r--requirements.txt2
5 files changed, 21 insertions, 3 deletions
diff --git a/ironic/common/hash_ring.py b/ironic/common/hash_ring.py
index d682fcc0d..0c2c534a9 100644
--- a/ironic/common/hash_ring.py
+++ b/ironic/common/hash_ring.py
@@ -69,7 +69,8 @@ class HashRingManager(object):
for driver_name, hosts in d2c.items():
rings[driver_name] = hashring.HashRing(
- hosts, partitions=2 ** CONF.hash_partition_exponent)
+ hosts, partitions=2 ** CONF.hash_partition_exponent,
+ hash_function=CONF.hash_ring_algorithm)
return rings
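Review bot: The new `hash_function=CONF.hash_ring_algorithm` argument carries a cluster-wide consistency requirement that is not stated at the call site; per the option's help text, every ironic service must use the same algorithm at all times. I would add a comment above the `hashring.HashRing(` call: `# NOTE: all services sharing this ring must be configured with the same hash_ring_algorithm (see the option help).` Nothing visible in this hunk records which algorithm a service built its rings with, so a mismatch between services would presumably surface only as inconsistent node-to-conductor mapping; logging the configured value once when the rings are built would make that diagnosable. The enclosing method starts outside the hunk.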
diff --git a/ironic/conf/default.py b/ironic/conf/default.py
index 2936d232a..b799208f0 100644
--- a/ironic/conf/default.py
+++ b/ironic/conf/default.py
@@ -17,6 +17,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+import hashlib
import os
import socket
import tempfile
@@ -183,6 +184,15 @@ hash_opts = [
help=_('Time (in seconds) after which the hash ring is '
'considered outdated and is refreshed on the next '
'access.')),
+ cfg.StrOpt('hash_ring_algorithm',
+ default='md5',
+ advanced=True,
+ choices=hashlib.algorithms_guaranteed,
+ help=_('Hash function to use when building the hash ring. '
+ 'If running on a FIPS system, do not use md5. '
+ 'WARNING: all ironic services in a cluster MUST use '
+ 'the same algorithm at all times. Changing the '
+ 'algorithm requires an offline update.')),
]
image_opts = [
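Review bot: `choices=hashlib.algorithms_guaranteed` likely accepts values the ring cannot use: the set includes `shake_128` and `shake_256`, whose `digest()`/`hexdigest()` require a length argument, so if the hash ring library calls them without one (not visible in this diff) those values pass config validation and fail only when a ring is built. It is also an unordered set, so the order of the choices in generated sample configuration and docs may vary between runs. I would use `choices=sorted(hashlib.algorithms_guaranteed - {'shake_128', 'shake_256'}),`. Separately, the help text could state that the hash appears to be used only to distribute keys across the ring, so operators choose by availability (for example under FIPS) rather than expecting a security property from it. The `hash_opts` list starts outside the hunk.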
diff --git a/lower-constraints.txt b/lower-constraints.txt
index 82533a1b1..930205c6b 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -135,7 +135,7 @@ testrepository==0.0.20
testresources==2.0.0
testscenarios==0.4
testtools==2.2.0
-tooz==1.58.0
+tooz==2.7.0
traceback2==1.4.0
unittest2==1.1.0
vine==1.3.0
diff --git a/releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml b/releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml
new file mode 100644
index 000000000..181a5ed9d
--- /dev/null
+++ b/releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Provides a new option ``[DEFAULT]hash_ring_algorithm`` that specifies
+ which cryptographic algorithm to use when building the hash ring. Set
+ to something other than ``md5`` when using ironic on a system in FIPS
+ mode.
diff --git a/requirements.txt b/requirements.txt
index 9a59e6777..50053460e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -43,5 +43,5 @@ oslo.versionedobjects>=1.31.2 # Apache-2.0
jsonschema>=3.2.0 # MIT
psutil>=3.2.2 # BSD
futurist>=1.2.0 # Apache-2.0
-tooz>=1.58.0 # Apache-2.0
+tooz>=2.7.0 # Apache-2.0
openstacksdk>=0.37.0 # Apache-2.0