Bug 1897415

Summary: [Bare Metal - Ironic] provide the ability to set the cipher suite for ipmitool when doing a Bare Metal IPI install
Product: OpenShift Container Platform
Component: Bare Metal Hardware Provisioning
Sub component: ironic
Reporter: August Simonelli <asimonel>
Assignee: Iury Gregory Melo Ferreira <imelofer>
QA Contact: Raviv Bar-Tal <rbartal>
Status: CLOSED ERRATA
Severity: high
Priority: high
CC: beth.white, imelofer, rbartal, tsedovic
Version: 4.6
Keywords: Triaged
Target Release: 4.8.0
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Doc Text:
Cause: Newer ipmitool packages default to cipher suite 17.
Consequence: Old hardware that doesn't support cipher suite 17 will fail during deployment.
Fix: Ironic is now able to fall back to cipher suite 3 in case cipher suite 17 is not supported by the hardware.
Result: Deployments on old hardware using ipmitool should succeed.
Last Closed: 2021-07-27 22:34:10 UTC
Type: Bug

Description August Simonelli 2020-11-13 02:52:54 UTC
Description of problem:

ipmitool used to default to a cipher suite of 3.

This worked well with older hardware as it expected it.

After ipmitool-1.8.18-11 this is no longer the default.

This can be set via a flag (i.e. -C 3) when using the CLI.

But when the ironic-conductor uses it in an OCP BM IPI install there is no way to set that flag (i.e. no way to set the cipher suite) because the base image for the container is RHEL 8.2 with ipmitool-1.8.18-18.

This breaks the ability to use BM IPI with hardware that expects cipher suite 3 (as I think the default is now 17).

Version-Release number of selected component (if applicable):
OCP 4.6, OCP 4.5 which use ipmitool-1.8.18-18 from RHEL 8.2 in the ironic-conductor container 

How reproducible:
Deploy BM IPI with hardware that expects cipher suite 3

Steps to Reproduce:
1. Standard BM IPI

Actual results:
Deployment fails with ironic errors.

Expected results:
Ability to deploy to older hardware successfully by being able to provide the desired ipmi cipher suite to the openshift installer.

Additional info:
Looks like it's known wrt OSP: https://bugzilla.redhat.com/show_bug.cgi?id=1873614

Comment 1 Iury Gregory Melo Ferreira 2020-11-16 12:06:27 UTC
Our plan is to update Ironic with a new configuration option that will allow the downgrade of the cipher suite automatically.

@August Simonelli can you please provide me some logs that show the exception that occurs?
Thanks!
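
An added example, not Ironic's code and not part of the comments in this bug: the cipher suite fallback from the Doc Text (17 first, then 3), passed to ipmitool with the `-C` flag from the description. The function names, the injectable `runner`, the constructed `fake_old_bmc` stand-in and the stderr fragments in `CIPHER_ERRORS` are assumptions made for illustration.

```python
import logging
import subprocess

LOG = logging.getLogger("ipmi_cipher_fallback")

# Assumption: stderr fragments treated as "cipher suite rejected". Confirm them
# against the ipmitool build and BMC firmware actually in use.
CIPHER_ERRORS = ("no matching cipher suite", "Unsupported cipher suite ID")


def run_ipmitool(argv):
    """Default runner: execute ipmitool and return (returncode, stderr)."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return proc.returncode, proc.stderr


def power_status(host, user, suites=(17, 3), runner=run_ipmitool):
    """Try each allowed cipher suite in order and return the one that worked.

    Only a cipher suite negotiation error triggers the next attempt, so a bad
    password or an unreachable BMC never causes a silent downgrade.
    """
    for index, suite in enumerate(suites):
        # -E makes ipmitool read the password from the IPMI_PASSWORD variable.
        argv = ["ipmitool", "-I", "lanplus", "-H", host, "-U", user, "-E",
                "-C", str(suite), "power", "status"]
        code, stderr = runner(argv)
        if code == 0:
            if index > 0:
                # Record every downgrade so weaker sessions can be audited.
                LOG.warning("BMC %s fell back to cipher suite %d", host, suite)
            return suite
        if not any(marker in stderr for marker in CIPHER_ERRORS):
            raise RuntimeError(f"ipmitool failed on {host}: {stderr.strip()}")
    raise RuntimeError(f"{host} accepted none of the cipher suites {suites}")


def fake_old_bmc(argv):
    """Constructed stand-in for hardware that only accepts cipher suite 3."""
    if argv[argv.index("-C") + 1] == "3":
        return 0, ""
    return 1, "Error in open session response message : no matching cipher suite\n"
```

Keeping `suites` an explicit, ordered list means the weaker suite is only ever reached for hosts that reject the stronger one, and the warning log shows which hosts those are.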

Comment 4 Raviv Bar-Tal 2021-06-15 12:50:59 UTC
Code was reviewed by QA and the bug moved to verify so it will not block the code for the release.
If the issue still exists, please open a new BZ and contact us.
Thanks

Comment 7 errata-xmlrpc 2021-07-27 22:34:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438