- Bug
- Resolution: Done-Errata
- Major
- 4.14
Description of problem:
The OCP installer's OpenStack Ironic iRMC driver doesn't work with FIPS mode enabled, because it requires the SNMP version to be set to v3. However, there is no way to set the SNMP version parameter in the RHOCP installer yaml file, so it falls back to the default v2, and it fails 100% of the time.
Version-Release number of selected component (if applicable):
Release Number: 14.0-ec.0
Drivers or hardware or architecture dependency: Deploy baremetal node with BMC using iRMC protocol (when RHOCP installer uses OpenStack Ironic iRMC driver)
Hardware configuration:
Model/Hypervisor: PRIMERGY RX2540 M6
CPU Info: Intel(R) Xeon(R) Gold 5317 CPU @ 3.00GHz
Memory Info: 125G
Hardware Component Information: None
Configuration Info: None
Guest Configuration Info: None
How reproducible:
Always
Steps to Reproduce:
1. Enable FIPS mode of RHOCP nodes by setting "fips" to "true" in install-config.yaml.
2. In install-config.yaml, set platform.baremetal.hosts.bmc.address to start with 'irmc://'.
3. Run the OpenShift Container Platform installer.
Actual results:
The OpenStack Ironic iRMC driver used in the OpenShift Container Platform installer doesn't work and installation fails. The log message suggests setting the SNMP version parameter of the Ironic iRMC driver to v3 (a non-default value) when FIPS mode is enabled.
Expected results:
When FIPS mode is enabled on RHOCP, the OpenStack Ironic iRMC driver used in the RHOCP installer checks whether the iRMC driver is configured to use SNMP (the current OCP installer configures the iRMC driver not to use SNMP). If the iRMC driver is configured not to use SNMP, the driver doesn't require the SNMP version parameter to be set to v3 and installation proceeds. If the iRMC driver is configured to use SNMP, the driver requires the SNMP version parameter to be set to v3.
Additional info:
When FIPS mode is enabled, installation of RHOCP onto a Fujitsu server fails because the OpenStack Ironic iRMC driver, which is used by the RHOCP installer, requires the iRMC driver's SNMP version parameter to be set to v3 even though the iRMC driver isn't configured to use SNMP, and there is no way to set it to v3.

Installing RHOCP with IPI to a baremetal node uses install-config.yaml. The user sets RHOCP-related configuration in install-config.yaml. This installation uses OpenStack Ironic internally, and values in install-config.yaml affect the behavior of Ironic. During installation, Ironic connects to the BMC (baseboard management controller) and performs operations related to RHOCP installation (e.g. power management). Ironic uses the iRMC driver to operate on a Fujitsu server's BMC, and the iRMC driver checks the iRMC-driver-specific Ironic parameters stored in the Ironic component.

When FIPS is enabled (i.e. "fips" is set to "true" in install-config.yaml), the iRMC driver checks that the SNMP version specified in the Ironic parameter is set to v3, even though the iRMC driver isn't configured to use SNMP internally. Currently, the default value of Ironic's SNMP version parameter, which is an iRMC-driver-specific parameter, is v2c and not v3, and the iRMC driver fails with an error if the SNMP version is set to anything other than v3 when FIPS is enabled. However, there is no way to set the SNMP version parameter in RHOCP, and that parameter is set to v2c by default. So when FIPS is enabled, deployment of OpenShift to a Fujitsu server always fails.

The cause of the problem is that, when FIPS is enabled, the iRMC driver always requires the SNMP version parameter to be set to v3 even though the iRMC driver is not configured to use SNMP (the current RHOCP installer configures the iRMC driver not to use SNMP). To solve this problem, the iRMC driver should be modified to check whether it is configured to use SNMP internally and, if it is configured to use SNMP and FIPS is enabled, require the SNMP version parameter to be set to v3.

Such a patch has already been submitted to the OpenStack Ironic community [1].

Summary of actions taken to resolve issue: Use an OpenStack Ironic iRMC driver which incorporates the bug fix patch [1] submitted to the OpenStack Ironic community.

[1] https://review.opendev.org/c/openstack/ironic/+/881358
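The difference between the actual and expected checks, as an added example that is not Ironic source code: it models both validation rules and lists every combination of settings where they disagree. All names (`IrmcSettings`, `validate_before_fix`, `validate_after_fix`, `snmp_in_use`) are hypothetical, and how the real driver decides whether SNMP is in use is reduced to a boolean as an assumption.

```python
# Added illustration; not Ironic source code. All names are hypothetical.
from dataclasses import dataclass
from itertools import product


class InvalidParameter(Exception):
    """Stand-in for the driver's configuration error."""


@dataclass(frozen=True)
class IrmcSettings:
    fips_enabled: bool   # "fips: true" in install-config.yaml
    snmp_in_use: bool    # assumption: whether the driver is configured to use SNMP
    snmp_version: str    # "v2c" is the default per the report


def validate_before_fix(s: IrmcSettings) -> None:
    # Behaviour under "Actual results": FIPS alone triggers the v3
    # requirement, even when SNMP is never used.
    if s.fips_enabled and s.snmp_version != "v3":
        raise InvalidParameter("FIPS mode requires SNMP v3")


def validate_after_fix(s: IrmcSettings) -> None:
    # Behaviour under "Expected results": the v3 requirement applies only
    # when the driver is configured to use SNMP.
    if s.fips_enabled and s.snmp_in_use and s.snmp_version != "v3":
        raise InvalidParameter("FIPS mode requires SNMP v3")


def accepts(validator, s: IrmcSettings) -> bool:
    try:
        validator(s)
        return True
    except InvalidParameter:
        return False


def behaviour_changes():
    """Return every settings combination where the two rules disagree."""
    cases = (IrmcSettings(f, u, v) for f, u, v in
             product((False, True), (False, True), ("v2c", "v3")))
    return [c for c in cases
            if accepts(validate_before_fix, c) != accepts(validate_after_fix, c)]


if __name__ == "__main__":
    for case in behaviour_changes():
        print("rejected before the fix, accepted after:", case)
```

The only combination that changes is FIPS enabled, SNMP not in use, version v2c, which is the installer's configuration described in this report; FIPS with SNMP in use and v2c is still rejected.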
- blocks: OCPBUGS-15235 OCP installer's OpenStack Ironic iRMC driver doesn't work with FIPS mode enabled. (Closed)
- is cloned by: OCPBUGS-15235 OCP installer's OpenStack Ironic iRMC driver doesn't work with FIPS mode enabled. (Closed)
- links to: RHSA-2023:5006 OpenShift Container Platform 4.14.z security update