MAAS

Merge ~ddstreet/maas:lp1916860-v2 into maas:master

  1. Git
  2. lp:~ddstreet/maas
  3. lp1916860-v2
  4. Merge into master
Proposed by Dan Streetman
Status: Rejected
Rejected by: Adam Collard
Proposed branch: ~ddstreet/maas:lp1916860-v2
Merge into: maas:master
Diff against target: 48 lines (+14/-22)
1 file modified
src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py (+14/-22)
Reviewer Review Type Date Requested Status
MAAS Lander Needs Fixing
Lee Trager (community) Needs Fixing
Review via email: mp+399118@code.launchpad.net
To post a comment you must log in.
Revision history for this message
MAAS Lander (maas-lander) wrote :

UNIT TESTS
-b lp1916860-v2 lp:~ddstreet/maas/+git/maas into -b master lp:~maas-committers/maas

STATUS: FAILED
LOG: http://maas-ci.internal:8080/job/maas/job/branch-tester/9400/console
COMMIT: 83b230ee1d49b89a703e9d1086f7f1acd603e3b5

review: Needs Fixing
Revision history for this message
Lee Trager (ltrager) wrote :

Thanks for the patch and noticing I used an '=' instead of a '+=' :). I think the root cause of the bug is MAAS isn't accounting for gaps in ciphers. See my comment in the bug for a full explanation. I'll create a patch for testing.

review: Needs Fixing
Revision history for this message
Dan Streetman (ddstreet) wrote :

> Thanks for the patch and noticing I used an '=' instead of a '+=' :). I think
> the root cause of the bug is MAAS isn't accounting for gaps in ciphers. See my
> comment in the bug for a full explanation. I'll create a patch for testing.

no, i think you need to look at my patch again, please - the problem wasn't (just) = instead of +=

Revision history for this message
MAAS Lander (maas-lander) wrote :

UNIT TESTS
-b lp1916860-v2 lp:~ddstreet/maas/+git/maas into -b master lp:~maas-committers/maas

STATUS: FAILED
LOG: http://maas-ci.internal:8080/job/maas/job/branch-tester/9401/console
COMMIT: 94245fe639b23ff1fe191db1ec8d3e3f5c1380da

review: Needs Fixing
Revision history for this message
Lee Trager (ltrager) wrote :

I agree there were other things wrong with the original code. While this fixes one of them it doesn't check for gaps in supported ciphers. Look at the unit test I added in my branch[1]. Lets say ipmitool returns the following for supported ciphers and their settings

RMCP+ Cipher Suites : 1,2,3,6,7,8,11,12,15,16,17
Cipher Suite Priv Max : aaaXXXXXXXXXXaa

This means the BMC doesn't IPMI ciphers 0, 4, 5, 9, 10, 13, and 14. It has options for all supported ciphers plus 4 vendor ciphers which are not listed. ciphers 1, 2, 3 and two vendor ciphers are currently enabled while the others are disabled.

This branch will result push the settings string "XXXXXXXXXXXXXXX" which disables all ciphers making remote access impossible. The correct cipher string is "XXaXXXXXXXaXXaa" which means disable the insecure ciphers 1 and 2, keep 3 and the two vendor ciphers as is, and enable cipher 17 for MAAS to use.

[1] https://code.launchpad.net/~ltrager/maas/+git/maas/+merge/399134

Revision history for this message
Dan Streetman (ddstreet) wrote :

> While this fixes one of them it doesn't check for gaps in supported ciphers.

again, you're misunderstanding the api of ipmitool. the commit you landed to fix this is wrong.

> This branch will result push the settings string "XXXXXXXXXXXXXXX" which disables all ciphers making remote access impossible.

no, that isn't what this commit will use...

Unmerged commits

94245fe... by Dan Streetman

BMC config: fix usage of ipmi cipher_privs

LP: #1916860

Signed-off-by: Dan Streetman <email address hidden>

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
2index 69cc4c6..b6b31f7 100755
3--- a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
4+++ b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
5@@ -624,29 +624,21 @@ class IPMI(BMCConfig):
6 ):
7 new_cipher_suite_privs = ""
8 for i, v in enumerate(cipher_suite_privs):
9- if i < len(supported_cipher_suite_ids):
10- cipher_suite_id = supported_cipher_suite_ids[i]
11- if cipher_suite_id in [17, 3, 8, 12]:
12- if cipher_suite_id == max_cipher_suite_id and v != "a":
13- print(
14- 'INFO: Enabling IPMI cipher suite id "%s" '
15- "for MAAS use..." % cipher_suite_id
16- )
17- new_cipher_suite_privs += "a"
18- else:
19- new_cipher_suite_privs += v
20- else:
21- if v != "X":
22- print(
23- "INFO: Disabling insecure IPMI cipher suite id "
24- '"%s"' % cipher_suite_id
25- )
26- new_cipher_suite_privs = "X"
27+ if i in [17, 3, 8, 12]:
28+ if i == max_cipher_suite_id and v != "a":
29+ print(
30+ 'INFO: Enabling IPMI cipher suite id "%s" '
31+ "for MAAS use..." % i
32+ )
33+ v = "a"
34 else:
35- # 15 characters are usually given even if there
36- # aren't 15 ciphers supported. Copy the current value
37- # incase there is some OEM use for them.
38- new_cipher_suite_privs += v
39+ if v != "X":
40+ print(
41+ "INFO: Disabling insecure IPMI cipher suite id "
42+ '"%s"' % i
43+ )
44+ v = "X"
45+ new_cipher_suite_privs += v
46
47 if cipher_suite_privs == new_cipher_suite_privs:
48 # Cipher suites are already properly configured, nothing

Subscribers

People subscribed via source and target branches