author | Zuul <zuul@review.opendev.org> | 2020-07-23 17:31:00 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2020-07-23 17:31:00 +0000 |
commit | 39a38ecf4e07d54e1ed5d2576d41176318e9bc7e (patch) | |
tree | a1a4f01b8b26f4ba40f96f7077165d8b605d3485 | |
parent | 49301bf46e86903159bd96412d1ca99a3d6a1e9a (diff) | |
parent | 9189b4bb26f2f9bb2b39dffd5881eb2dd04af401 (diff) | |
download | ironic-39a38ecf4e07d54e1ed5d2576d41176318e9bc7e.tar.gz |
Merge "Add an option to choose the hash ring algorithm"
-rw-r--r-- | ironic/common/hash_ring.py | 3 | ||||
-rw-r--r-- | ironic/conf/default.py | 10 | ||||
-rw-r--r-- | lower-constraints.txt | 2 | ||||
-rw-r--r-- | releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml | 7 | ||||
-rw-r--r-- | requirements.txt | 2 |
5 files changed, 21 insertions, 3 deletions
diff --git a/ironic/common/hash_ring.py b/ironic/common/hash_ring.py
index d682fcc0d..0c2c534a9 100644
--- a/ironic/common/hash_ring.py
+++ b/ironic/common/hash_ring.py
@@ -69,7 +69,8 @@ class HashRingManager(object):
 for driver_name, hosts in d2c.items():
 rings[driver_name] = hashring.HashRing(
- hosts, partitions=2 ** CONF.hash_partition_exponent)
+ hosts, partitions=2 ** CONF.hash_partition_exponent,
+ hash_function=CONF.hash_ring_algorithm)
 return rings
diff --git a/ironic/conf/default.py b/ironic/conf/default.py
index 2936d232a..b799208f0 100644
--- a/ironic/conf/default.py
+++ b/ironic/conf/default.py
@@ -17,6 +17,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import hashlib
 import os
 import socket
 import tempfile
@@ -183,6 +184,15 @@ hash_opts = [
 help=_('Time (in seconds) after which the hash ring is '
 'considered outdated and is refreshed on the next '
 'access.')),
+ cfg.StrOpt('hash_ring_algorithm',
+ default='md5',
+ advanced=True,
+ choices=hashlib.algorithms_guaranteed,
+ help=_('Hash function to use when building the hash ring. '
+ 'If running on a FIPS system, do not use md5. '
+ 'WARNING: all ironic services in a cluster MUST use '
+ 'the same algorithm at all times. Changing the '
+ 'algorithm requires an offline update.')),
 ]
 image_opts = [
diff --git a/lower-constraints.txt b/lower-constraints.txt
index c29d25e8d..3f483d1fe 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -135,7 +135,7 @@ testrepository==0.0.20
 testresources==2.0.0
 testscenarios==0.4
 testtools==2.2.0
-tooz==1.58.0
+tooz==2.7.0
 traceback2==1.4.0
 unittest2==1.1.0
 vine==1.3.0
diff --git a/releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml b/releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml
new file mode 100644
index 000000000..181a5ed9d
--- /dev/null
+++ b/releasenotes/notes/hash-ring-algo-4337c18117b33070.yaml
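Review bot: The new `hash_function=CONF.hash_ring_algorithm` argument in the `hashring.HashRing(...)` call has no accompanying test; the diffstat lists no test file. A unit test that sets `hash_ring_algorithm` to a non-default value and asserts that the ring is constructed with it would catch a regression where the argument is dropped and services quietly build rings with the library default again. A short comment above the call, such as `# Must match on every ironic service; a mismatch yields inconsistent rings.`, would also carry the help-text warning to the place where it matters. The enclosing method starts and ends outside the hunk.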
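Review bot: `choices=hashlib.algorithms_guaranteed` in the new `hash_ring_algorithm` option also accepts `shake_128` and `shake_256`, whose digest methods require an explicit length, so a ring built with either would presumably fail inside tooz at ring-build time instead of being rejected at config validation (the tooz code is not visible here). The value is an unordered set as well, so generated sample configuration and documentation may list the choices in a different order on each run. Consider `choices=sorted(hashlib.algorithms_guaranteed - {'shake_128', 'shake_256'}),`. The default remains `md5`, so a FIPS-mode deployment still has to override the option explicitly, as the help text says. The `hash_opts` list begins outside the hunk.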
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Provides a new option ``[DEFAULT]hash_ring_algorithm`` that specifies
+ which cryptographic algorithm to use when building the hash ring. Set
+ to something other than ``md5`` when using ironic on a system in FIPS
+ mode.
diff --git a/requirements.txt b/requirements.txt
index bb37845eb..b1b1011d5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -42,5 +42,5 @@ oslo.versionedobjects>=1.31.2 # Apache-2.0
 jsonschema>=3.2.0 # MIT
 psutil>=3.2.2 # BSD
 futurist>=1.2.0 # Apache-2.0
-tooz>=1.58.0 # Apache-2.0
+tooz>=2.7.0 # Apache-2.0
 openstacksdk>=0.37.0 # Apache-2.0 |