Bug 1595666 - [RFE] etcd with custom cipher-suite
[RFE] etcd with custom cipher-suite
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.11.0
Assigned To: Vadim Rutkovsky
QA Contact: Gaoyun Pei
Keywords: NeedsTestCase
Depends On:
Blocks:
Reported: 2018-06-27 06:13 EDT by Borja
Modified: 2018-10-11 03:21 EDT (History)
See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-11 03:20:54 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:2652 None None None 2018-10-11 03:21 EDT
Description Borja 2018-06-27 06:13:26 EDT
Description of problem:
With etcd 3.2.22 or higher, the administrator can set a custom cipher-suite list with '--cipher-suites "comma-separated-cipher-list"'.

It would be great to bring this to the OCP installer.

Steps to Reproduce:
1. Environment with etcd 3.2.22 or higher

2. Create a new env variable in /etc/etcd/etcd.conf, with a comma-separated cipher list:

~~~
ETCD_CIPHER_SUITES="TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
~~~

* changes should be in https://github.com/openshift/openshift-ansible/blob/master/roles/etcd/templates/etcd.conf.j2

3. Edit the ExecStart in the systemd unit to use this cipher list:

~~~
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/bin/etcd --name=\"${ETCD_NAME}\" --data-dir=\"${ETCD_DATA_DIR}\" --cipher-suites \"${ETCD_CIPHER_SUITES}\" --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\""
~~~

* I think the playbook should create a new systemd unit in /etc/systemd/... to avoid the default unit file being overridden by the rpm (which by default overwrites /usr/lib/systemd/...).

Expected results:
As an administrator I want to set my etcd cipher-suite list in my ansible host file.
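As an added example (not code from the bug report, etcd or openshift-ansible), the following shows how a comma-separated `ETCD_CIPHER_SUITES` value resolves to Go TLS suite IDs and what server policy results. `goCipherSuites` is a hand-built subset standing in for etcd's own name table, and the CBC-suite report is this example's addition.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Names etcd accepts on --cipher-suites (Go's crypto/tls constant names)
// mapped to TLS suite IDs. Constructed subset; etcd's own table is complete.
var goCipherSuites = map[string]uint16{
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
}

// ParseCipherSuites turns a comma-separated ETCD_CIPHER_SUITES value into TLS
// suite IDs in the given order. An unknown name is an error (etcd rejects such
// a list); CBC-mode suite names are also returned so an operator can review them.
func ParseCipherSuites(list string) (ids []uint16, cbc []string, err error) {
	for _, raw := range strings.Split(list, ",") {
		name := strings.TrimSpace(raw)
		id, ok := goCipherSuites[name]
		if !ok {
			return nil, nil, fmt.Errorf("unexpected TLS cipher suite %q", name)
		}
		if strings.Contains(name, "_CBC_") {
			cbc = append(cbc, name)
		}
		ids = append(ids, id)
	}
	return ids, cbc, nil
}

// ServerTLSConfig is the TLS 1.2 policy the server enforces: only the listed suites.
func ServerTLSConfig(list string) (*tls.Config, error) {
	ids, _, err := ParseCipherSuites(list)
	if err != nil {
		return nil, err
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: ids}, nil
}

func main() {
	_, cbc, err := ParseCipherSuites("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
	fmt.Println("cbc suites:", cbc, "err:", err)
}
```

Run with the list from the report above: the parse succeeds and the one CBC suite is flagged, while a misspelled name fails the whole list, which is why the inventory value deserves a pre-flight check.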
Comment 3 Vadim Rutkovsky 2018-09-05 07:54:27 EDT
PR to implement custom list of ciphers in openshift-ansible master: https://github.com/openshift/openshift-ansible/pull/9883
Comment 5 Gaoyun Pei 2018-09-05 23:39:39 EDT
Verify this bug with openshift-ansible-3.11.0-0.28.0.git.0.730d4be.el7.noarch.rpm

Set etcd_cipher_suites in ansible inventory

~~~
etcd_cipher_suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
~~~

After installation, check etcd conf file.
~~~
[root@ip-172-18-2-210 ~]# grep ETCD_CIPHER_SUITES /etc/etcd/etcd.conf
ETCD_CIPHER_SUITES="TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
~~~
Comment 7 errata-xmlrpc 2018-10-11 03:20:54 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652