Add option to set chap algorithms for iscsid for FIPS
The default CHAP algorithm for iscsid is md5, which is disallowed
under FIPS. We will set the chap algorithm to "SHA3-256,SHA256",
which should work under all configurations.
Change-Id: Ide186fb53b3f9826ff602cb7fb797f245a15033a
diff --git a/lib/nova b/lib/nova
index 5fcccff..1420183 100644
--- a/lib/nova
+++ b/lib/nova
@@ -315,6 +315,10 @@
sudo systemctl daemon-reload
fi
+ # set chap algorithms. The default chap_algorithm is md5 which will
+ # not work under FIPS
+ iniset -sudo /etc/iscsi/iscsid.conf DEFAULT "node.session.auth.chap_algs" "SHA3-256,SHA256"
+
# ensure that iscsid is started, even when disabled by default
restart_service iscsid
fi
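Review bot: The algorithm list on the added iniset line is hardcoded to "SHA3-256,SHA256" and written on every run, although the commit title describes this as an option. Consider reading the value from a variable with this list as its default (a name such as ISCSID_CHAP_ALGS would be a new, hypothetical setting) so a deployment whose target only accepts a different algorithm can override it without patching lib/nova. The call also passes DEFAULT as the section argument; please confirm that iscsid reads node.session.auth.chap_algs correctly from the file iniset produces, and say so in the comment above the line, since the commit message only states that the value "should work under all configurations".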