MAAS

Merge ~ltrager/maas:lp1916860 into maas:master

  1. Git
  2. lp:~ltrager/maas
  3. lp1916860
  4. Merge into master
Proposed by Lee Trager
Status: Merged
Approved by: Adam Collard
Approved revision: 60d33a59c1ee5aac6f2e4cc2b64963341495605f
Merge reported by: MAAS Lander
Merged at revision: not available
Proposed branch: ~ltrager/maas:lp1916860
Merge into: maas:master
Diff against target: 114 lines (+61/-26)
2 files modified
src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py (+25/-25)
src/metadataserver/builtin_scripts/commissioning_scripts/tests/test_bmc_config.py (+36/-1)
Reviewer Review Type Date Requested Status
Björn Tillenius Approve
MAAS Lander Approve
Review via email: mp+399134@code.launchpad.net

Commit message

LP: #1916860 - Check for gaps in supported ciphers when using ipmitool

When ipmitool was being used to configure IPMI ciphers MAAS wasn't
accounting for BMCs which omit support for certain ciphers. In this
case the setting string MAAS uses to enable ciphers was offset which
resulted in the wrong ciphers being enabled and disabled.

To post a comment you must log in.
Revision history for this message
MAAS Lander (maas-lander) wrote :

UNIT TESTS
-b lp1916860 lp:~ltrager/maas/+git/maas into -b master lp:~maas-committers/maas

STATUS: FAILED
LOG: http://maas-ci.internal:8080/job/maas/job/branch-tester/9402/console
COMMIT: 403734fb90155f1fac808b4aa98f18819045143d

review: Needs Fixing
Revision history for this message
MAAS Lander (maas-lander) wrote :

UNIT TESTS
-b lp1916860 lp:~ltrager/maas/+git/maas into -b master lp:~maas-committers/maas

STATUS: SUCCESS
COMMIT: c81a66a887094ee336bd26c5e06f3a07efca99dd

review: Approve
Revision history for this message
MAAS Lander (maas-lander) wrote :

UNIT TESTS
-b lp1916860 lp:~ltrager/maas/+git/maas into -b master lp:~maas-committers/maas

STATUS: SUCCESS
COMMIT: 60d33a59c1ee5aac6f2e4cc2b64963341495605f

review: Approve
Revision history for this message
Björn Tillenius (bjornt) wrote :

+1

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
index 69cc4c6..2c2777c 100755
--- a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
+++ b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
@@ -622,32 +622,32 @@ class IPMI(BMCConfig):
622 supported_cipher_suite_ids,622 supported_cipher_suite_ids,
623 cipher_suite_privs,623 cipher_suite_privs,
624 ):624 ):
625 new_cipher_suite_privs = ""625 cipher_suite_privs_list = list(cipher_suite_privs)
626 for i, v in enumerate(cipher_suite_privs):626 for i, cipher_suite_id in enumerate(supported_cipher_suite_ids):
627 if i < len(supported_cipher_suite_ids):627 if cipher_suite_id > 17:
628 cipher_suite_id = supported_cipher_suite_ids[i]628 # The IPMI spec reserves ciphers > 17 for vendor use.
629 if cipher_suite_id in [17, 3, 8, 12]:629 # Don't touch them
630 if cipher_suite_id == max_cipher_suite_id and v != "a":630 continue
631 print(631 elif cipher_suite_id == max_cipher_suite_id:
632 'INFO: Enabling IPMI cipher suite id "%s" '632 if cipher_suite_privs_list[i] != "a":
633 "for MAAS use..." % cipher_suite_id633 # Make sure the maximum supported cipher suite is enabled,
634 )634 # this is the cipher suite MAAS will use.
635 new_cipher_suite_privs += "a"635 cipher_suite_privs_list[i] = "a"
636 else:636 print(
637 new_cipher_suite_privs += v637 'INFO: Enabling IPMI cipher suite id "%s" '
638 else:638 "for MAAS use..." % cipher_suite_id
639 if v != "X":639 )
640 print(640 elif cipher_suite_id not in [17, 3, 8, 12]:
641 "INFO: Disabling insecure IPMI cipher suite id "641 # Disable any cipher suite which isn't a known secure
642 '"%s"' % cipher_suite_id642 # cipher suite.
643 )643 if cipher_suite_privs_list[i] != "X":
644 new_cipher_suite_privs = "X"644 cipher_suite_privs_list[i] = "X"
645 else:645 print(
646 # 15 characters are usually given even if there646 "INFO: Disabling insecure IPMI cipher suite id "
647 # aren't 15 ciphers supported. Copy the current value647 '"%s"' % cipher_suite_id
648 # incase there is some OEM use for them.648 )
649 new_cipher_suite_privs += v
650649
650 new_cipher_suite_privs = "".join(cipher_suite_privs_list)
651 if cipher_suite_privs == new_cipher_suite_privs:651 if cipher_suite_privs == new_cipher_suite_privs:
652 # Cipher suites are already properly configured, nothing652 # Cipher suites are already properly configured, nothing
653 # to do.653 # to do.
diff --git a/src/metadataserver/builtin_scripts/commissioning_scripts/tests/test_bmc_config.py b/src/metadataserver/builtin_scripts/commissioning_scripts/tests/test_bmc_config.py
index 6065608..af571d1 100644
--- a/src/metadataserver/builtin_scripts/commissioning_scripts/tests/test_bmc_config.py
+++ b/src/metadataserver/builtin_scripts/commissioning_scripts/tests/test_bmc_config.py
@@ -1,4 +1,4 @@
1# Copyright 2020 Canonical Ltd. This software is licensed under the1# Copyright 2020-2021 Canonical Ltd. This software is licensed under the
2# GNU Affero General Public License version 3 (see the file LICENSE).2# GNU Affero General Public License version 3 (see the file LICENSE).
33
4"""Test bmc_config functions."""4"""Test bmc_config functions."""
@@ -796,6 +796,41 @@ EndSection
796 )796 )
797 self.assertEqual("17", self.ipmi._cipher_suite_id)797 self.assertEqual("17", self.ipmi._cipher_suite_id)
798798
799 def test_config_ipmitool_cipher_suite_ids_with_gaps(self):
800 mock_get_ipmitool_lan_print = self.patch(
801 self.ipmi, "_get_ipmitool_lan_print"
802 )
803 mock_get_ipmitool_lan_print.return_value = (
804 "2",
805 factory.make_name("output"),
806 )
807
808 # This tests a BMC which has IPMI ciphers 0, 4, 5, 9, 10, 13, and
809 # 14. The BMC has options for all supported ciphers plus 4 vendor
810 # ciphers which are not listed. ciphers 1, 2, 3 and two vendor
811 # ciphers are currently enabled while the others are disabled.
812 self.ipmi._config_ipmitool_cipher_suite_ids(
813 17, [1, 2, 3, 6, 7, 8, 11, 12, 15, 16, 17], "aaaXXXXXXXXXXaa"
814 )
815
816 # This verifies MAAS would keep cipher 3 and the two vendor ciphers
817 # as is while enabling cipher 17 for MAAS to use.
818 self.assertThat(
819 self.mock_check_call,
820 MockCalledOnceWith(
821 [
822 "ipmitool",
823 "lan",
824 "set",
825 "2",
826 "cipher_privs",
827 "XXaXXXXXXXaXXaa",
828 ],
829 timeout=60,
830 ),
831 )
832 self.assertEqual("17", self.ipmi._cipher_suite_id)
833
799 def test_config_ipmitool_cipher_suite_ids_does_nothing(self):834 def test_config_ipmitool_cipher_suite_ids_does_nothing(self):
800 mock_get_ipmitool_lan_print = self.patch(835 mock_get_ipmitool_lan_print = self.patch(
801 self.ipmi, "_get_ipmitool_lan_print"836 self.ipmi, "_get_ipmitool_lan_print"

Subscribers

People subscribed via source and target branches