OCPBUGS-15235

OCP installer's OpenStack Ironic iRMC driver doesn't work with FIPS mode enabled.


      Description of problem:

      OCP installer's OpenStack Ironic iRMC driver doesn't work with FIPS mode enabled, as it requires the SNMP version to be set to v3. However, there is no way to set the SNMP version parameter in the RHOCP installer yaml file, so it falls back to the default v2, and it fails 100% of the time.
      
      

      Version-Release number of selected component (if applicable):

      Release Number: 14.3.3
      
      Drivers or hardware or architecture dependency:
      Deploy a baremetal node with a BMC using the iRMC protocol (when the RHOCP installer uses the OpenStack Ironic iRMC driver)
      
      Hardware configuration:
      Model/Hypervisor: PRIMERGY RX2540 M6
      CPU Info: Intel(R) Xeon(R) Gold 5317 CPU @ 3.00GHz
      Memory Info: 125G
      Hardware Component Information: None
      Configuration Info: None
      Guest Configuration Info: None
      

      How reproducible:

      Always
      

      Steps to Reproduce:

        1. Enable FIPS mode of RHOCP nodes through setting "fips" to "true" at install-config.yaml.
        2. In install-config.yaml, set platform.baremetal.hosts.bmc.address to start with 'irmc://'
        3. Run OpenShift Container Platform installer.
      

      Actual Results:

        The OpenStack Ironic iRMC driver used in the OpenShift Container Platform installer doesn't work and installation fails. The log message suggests setting the SNMP version parameter of the Ironic iRMC driver to v3 (a non-default value) when FIPS mode is enabled.
      
      <LOG_MESSAGE>
        2023-06-12 07:07:06.738 1 ERROR ironic.conductor.utils [None req-b03893d2-d1c6-47b3-be11-3c8361b0d807 - - - - - -] Node 150927e9-397b-4780-85f6-157788786e8e failed verify step verify_http_https_connection_and_fw_version with unexpected error: iRMC configuration validation failed. Reason: 'v3' has to be set for 'irmc_snmp_version' when FIPS mode is enabled.: ironic.common.exception.IRMCOperationError: iRMC configuration validation failed. Reason: 'v3' has to be set for 'irmc_snmp_version' when FIPS mode is enabled.
      

      Expected Results:

        When FIPS mode is enabled on RHOCP, the OpenStack Ironic iRMC driver used in the RHOCP installer checks whether the iRMC driver is configured to use SNMP (the current OCP installer configures the iRMC driver not to use SNMP). If the iRMC driver is configured not to use SNMP, the driver doesn't require the SNMP version parameter to be set to v3 and installation proceeds. If the iRMC driver is configured to use SNMP, the driver requires the SNMP version parameter to be set to v3.

      Additional info:

      When FIPS mode is enabled, installation of RHOCP onto a Fujitsu server fails
      because the OpenStack Ironic iRMC driver, which is used in the RHOCP installer,
      requires the iRMC driver's SNMP version parameter to be set to v3 even though
      the iRMC driver isn't configured to use SNMP and there is no way to set it to v3.
      

      Additional info:

      Installing RHOCP with IPI on a baremetal node uses install-config.yaml.
      The user sets RHOCP-related configuration in install-config.yaml.
      This installation uses OpenStack Ironic internally, and values in
      install-config.yaml affect the behavior of Ironic.
      During installation, Ironic connects to the BMC (Baseboard Management Controller)
      and performs operations related to RHOCP installation (e.g. power management).
      
      Ironic uses the iRMC driver to operate on a Fujitsu server's BMC, and the iRMC driver
      checks the iRMC-driver-specific Ironic parameters stored in the Ironic component.
      When FIPS is enabled (i.e. "fips" is set to "true" in install-config.yaml), the iRMC
      driver checks whether the SNMP version specified in the Ironic parameter is set to v3,
      even though the iRMC driver isn't configured to use SNMP internally.
      Currently, the default value of Ironic's SNMP version parameter, which is an
      iRMC-driver-specific parameter, is v2c and not v3. The iRMC driver fails with an
      error if the SNMP version is set to anything other than v3 when FIPS is enabled.
      
      However, there is no way to set the SNMP version parameter in RHOCP, and that
      parameter is set to v2c by default. So when FIPS is enabled, deployment of
      OpenShift to a Fujitsu server always fails.
      
      The cause of the problem is that, when FIPS is enabled, the iRMC driver always
      requires the SNMP version parameter to be set to v3 even though the iRMC driver is not
      configured to use SNMP (the current RHOCP installer configures the iRMC driver not to use SNMP).
      To solve this problem, the iRMC driver should be modified to check whether it
      is configured to use SNMP internally and, if it is configured to use SNMP
      and FIPS is enabled, to require the SNMP version parameter to be set to v3.
      Such a patch has already been submitted to the OpenStack Ironic community [1].
      
      Summary of actions taken to resolve issue:
      Use an OpenStack Ironic iRMC driver that incorporates the bug fix patch [1] submitted to the OpenStack Ironic community.
      
       [1] https://review.opendev.org/c/openstack/ironic/+/881358
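
The validation behaviour reported above, next to the behaviour the report asks for, modeled as an added example (this is not Ironic's or the installer's code). `irmc_snmp_version`, the v2c default and the error text come from the report; `uses_snmp`, `IRMCConfigError` and the function names are hypothetical, and the FIPS probe assumes the Linux kernel indicator file.

```python
"""Constructed model of the FIPS/SNMP check discussed in this report."""
from pathlib import Path

FIPS_FLAG = Path("/proc/sys/crypto/fips_enabled")  # Linux kernel FIPS indicator
DEFAULT_SNMP_VERSION = "v2c"  # default named in the report


class IRMCConfigError(ValueError):
    """Stand-in for the driver's validation failure (hypothetical name)."""


def fips_enabled(flag_file=FIPS_FLAG):
    """True when the kernel reports FIPS mode; a missing file means disabled."""
    try:
        return Path(flag_file).read_text().strip() == "1"
    except OSError:
        return False


def validate_strict(driver_info, fips):
    """Reported behaviour: v3 is demanded under FIPS even if SNMP is unused."""
    version = driver_info.get("irmc_snmp_version", DEFAULT_SNMP_VERSION)
    if fips and version != "v3":
        raise IRMCConfigError(
            "'v3' has to be set for 'irmc_snmp_version' when FIPS mode is enabled.")
    return version


def validate_conditional(driver_info, fips, uses_snmp):
    """Requested behaviour: enforce v3 only when the driver will speak SNMP.

    `uses_snmp` is a hypothetical flag standing in for however the driver
    decides that an SNMP-backed feature is active.
    """
    if not uses_snmp:
        return None  # no SNMP traffic, so no SNMP version is validated
    return validate_strict(driver_info, fips)  # v2c is still refused under FIPS


def outcome(check, *args):
    """Run a check and report 'ok' or 'rejected' for side-by-side comparison."""
    try:
        check(*args)
        return "ok"
    except IRMCConfigError:
        return "rejected"


if __name__ == "__main__":
    installer_info = {}  # constructed: the installer sets no irmc_snmp_version
    for fips in (False, True):
        print(f"fips={fips}",
              "strict=" + outcome(validate_strict, installer_info, fips),
              "conditional=" + outcome(validate_conditional, installer_info, fips, False))
```

The conditional form keeps the FIPS guarantee where it matters: with `uses_snmp=True` and the v2c default, the configuration is still rejected.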
      

              hroy@redhat.com Himanshu Roy
              rhn-support-mvalsecc Michele Valsecchi (Inactive)
              Jad Haj Yahya Jad Haj Yahya