MAAS

Merge ~ddstreet/maas:lp1916860-v2 into maas:master

  1. Git
  2. lp:~ddstreet/maas
  3. lp1916860-v2
  4. Merge into master
Proposed by Dan Streetman
Status: Rejected
Rejected by: Adam Collard
Proposed branch: ~ddstreet/maas:lp1916860-v2
Merge into: maas:master
Diff against target: 48 lines (+14/-22)
1 file modified
src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py (+14/-22)
Reviewer Review Type Date Requested Status
MAAS Lander Needs Fixing
Lee Trager (community) Needs Fixing
Review via email: mp+399118@code.launchpad.net
To post a comment you must log in.
Revision history for this message
MAAS Lander (maas-lander) wrote :

UNIT TESTS
-b lp1916860-v2 lp:~ddstreet/maas/+git/maas into -b master lp:~maas-committers/maas

STATUS: FAILED
LOG: http://maas-ci.internal:8080/job/maas/job/branch-tester/9400/console
COMMIT: 83b230ee1d49b89a703e9d1086f7f1acd603e3b5

review: Needs Fixing
Revision history for this message
Lee Trager (ltrager) wrote :

Thanks for the patch and noticing I used an '=' instead of a '+=' :). I think the root cause of the bug is MAAS isn't accounting for gaps in ciphers. See my comment in the bug for a full explanation. I'll create a patch for testing.

review: Needs Fixing
Revision history for this message
Dan Streetman (ddstreet) wrote :

> Thanks for the patch and noticing I used an '=' instead of a '+=' :). I think
> the root cause of the bug is MAAS isn't accounting for gaps in ciphers. See my
> comment in the bug for a full explanation. I'll create a patch for testing.

no, i think you need to look at my patch again, please - the problem wasn't (just) = instead of +=

Revision history for this message
MAAS Lander (maas-lander) wrote :

UNIT TESTS
-b lp1916860-v2 lp:~ddstreet/maas/+git/maas into -b master lp:~maas-committers/maas

STATUS: FAILED
LOG: http://maas-ci.internal:8080/job/maas/job/branch-tester/9401/console
COMMIT: 94245fe639b23ff1fe191db1ec8d3e3f5c1380da

review: Needs Fixing
Revision history for this message
Lee Trager (ltrager) wrote :

I agree there were other things wrong with the original code. While this fixes one of them it doesn't check for gaps in supported ciphers. Look at the unit test I added in my branch[1]. Lets say ipmitool returns the following for supported ciphers and their settings

RMCP+ Cipher Suites : 1,2,3,6,7,8,11,12,15,16,17
Cipher Suite Priv Max : aaaXXXXXXXXXXaa

This means the BMC doesn't IPMI ciphers 0, 4, 5, 9, 10, 13, and 14. It has options for all supported ciphers plus 4 vendor ciphers which are not listed. ciphers 1, 2, 3 and two vendor ciphers are currently enabled while the others are disabled.

This branch will result push the settings string "XXXXXXXXXXXXXXX" which disables all ciphers making remote access impossible. The correct cipher string is "XXaXXXXXXXaXXaa" which means disable the insecure ciphers 1 and 2, keep 3 and the two vendor ciphers as is, and enable cipher 17 for MAAS to use.

[1] https://code.launchpad.net/~ltrager/maas/+git/maas/+merge/399134

Revision history for this message
Dan Streetman (ddstreet) wrote :

> While this fixes one of them it doesn't check for gaps in supported ciphers.

again, you're misunderstanding the api of ipmitool. the commit you landed to fix this is wrong.

> This branch will result push the settings string "XXXXXXXXXXXXXXX" which disables all ciphers making remote access impossible.

no, that isn't what this commit will use...

Unmerged commits

94245fe... by Dan Streetman

BMC config: fix usage of ipmi cipher_privs

LP: #1916860

Signed-off-by: Dan Streetman <email address hidden>

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
index 69cc4c6..b6b31f7 100755
--- a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
+++ b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
@@ -624,29 +624,21 @@ class IPMI(BMCConfig):
624 ):624 ):
625 new_cipher_suite_privs = ""625 new_cipher_suite_privs = ""
626 for i, v in enumerate(cipher_suite_privs):626 for i, v in enumerate(cipher_suite_privs):
627 if i < len(supported_cipher_suite_ids):627 if i in [17, 3, 8, 12]:
628 cipher_suite_id = supported_cipher_suite_ids[i]628 if i == max_cipher_suite_id and v != "a":
629 if cipher_suite_id in [17, 3, 8, 12]:629 print(
630 if cipher_suite_id == max_cipher_suite_id and v != "a":630 'INFO: Enabling IPMI cipher suite id "%s" '
631 print(631 "for MAAS use..." % i
632 'INFO: Enabling IPMI cipher suite id "%s" '632 )
633 "for MAAS use..." % cipher_suite_id633 v = "a"
634 )
635 new_cipher_suite_privs += "a"
636 else:
637 new_cipher_suite_privs += v
638 else:
639 if v != "X":
640 print(
641 "INFO: Disabling insecure IPMI cipher suite id "
642 '"%s"' % cipher_suite_id
643 )
644 new_cipher_suite_privs = "X"
645 else:634 else:
646 # 15 characters are usually given even if there635 if v != "X":
647 # aren't 15 ciphers supported. Copy the current value636 print(
648 # incase there is some OEM use for them.637 "INFO: Disabling insecure IPMI cipher suite id "
649 new_cipher_suite_privs += v638 '"%s"' % i
639 )
640 v = "X"
641 new_cipher_suite_privs += v
650642
651 if cipher_suite_privs == new_cipher_suite_privs:643 if cipher_suite_privs == new_cipher_suite_privs:
652 # Cipher suites are already properly configured, nothing644 # Cipher suites are already properly configured, nothing

Subscribers

People subscribed via source and target branches