Bug 1897415 - [Bare Metal - Ironic] provide the ability to set the cipher suite for ipmitool when doing a Bare Metal IPI install
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Bare Metal Hardware Provisioning
Version: 4.6
Hardware: x86_64
OS: Linux
Target Milestone: ---
Target Release: 4.8.0
Assignee: Iury Gregory Melo Ferreira
QA Contact: Raviv Bar-Tal
Depends On:
Reported: 2020-11-13 02:52 UTC by August Simonelli
Modified: 2021-07-27 22:34 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Newer ipmitool packages default to cipher suite 17.
Consequence: Old hardware that doesn't support cipher suite 17 will fail during deployment.
Fix: Ironic is now able to fall back to cipher suite 3 in case cipher suite 17 is not supported by the hardware.
Result: Deployments on old hardware using ipmitool should succeed.
Clone Of:
Last Closed: 2021-07-27 22:34:10 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Github openshift ironic-image pull 177 0 None open BZ1897415 - Add cipher_suite_versions config 2021-06-07 09:17:10 UTC
OpenStack gerrit 770526 0 None MERGED Automaticaly set cipher suite 2021-06-07 09:18:37 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:34:30 UTC

Description August Simonelli 2020-11-13 02:52:54 UTC
Description of problem:

ipmitool used to default to a cipher suite of 3.

This worked well with older hardware as it expected it.

After ipmitool-1.8.18-11 this is no longer the default.

This can be set via a flag (i.e. -C 3) when using the CLI.

But when the ironic-conductor uses it in an OCP BM IPI install there is no way to set that flag (i.e. no way to set cipher suite) because the base image for the container is RHEL 8.2 with ipmitool-1.8.18-18.

This breaks the ability to use BM IPI with hardware that expects cipher suite 3 (as I think the default is now 17).

Version-Release number of selected component (if applicable):
OCP 4.6, OCP 4.5 which use ipmitool-1.8.18-18 from RHEL 8.2 in the ironic-conductor container 

How reproducible:
Deploy BM IPI with hardware that expects cipher suite 3

Steps to Reproduce:
1. Standard BM IPI

Actual results:
Deployment fails with ironic errors.

Expected results:
Ability to deploy to older hardware successfully by being able to provide the desired ipmi cipher suite to the openshift installer.

Additional info:
Looks like it's known wrt OSP: https://bugzilla.redhat.com/show_bug.cgi?id=1873614

Comment 1 Iury Gregory Melo Ferreira 2020-11-16 12:06:27 UTC
Our plan is to update Ironic with a new configuration option that will allow the downgrade of the cipher suite automatically.

@August Simonelli can you please provide me some logs that show the exception that occurs?
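
The fallback described in the Doc Text and in comment 1, sketched as an added example (this is not Ironic's code, and it is not part of the original bug thread). It tries cipher suite 17 first and retries with suite 3 only when the BMC rejects the suite itself, so an authentication failure or timeout never triggers a downgrade from the HMAC-SHA256 suite to the HMAC-SHA1 one. The function names and the two stderr fragments in `CIPHER_ERRORS` are assumptions; `-I lanplus`, `-H`, `-U`, `-f` and `-C` are standard ipmitool options.

```python
import subprocess

# Assumption: stderr fragments ipmitool prints when the BMC rejects the offered suite.
CIPHER_ERRORS = (
    "Unsupported cipher suite ID",
    "no matching cipher suite",
)


def run_ipmitool(host, user, password_file, suite, args):
    """Run one ipmitool command over lanplus with an explicit cipher suite (-C)."""
    cmd = ["ipmitool", "-I", "lanplus", "-H", host, "-U", user,
           "-f", password_file, "-C", str(suite), *args]
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    return proc.returncode, proc.stdout, proc.stderr


def is_cipher_error(stderr):
    """True only when the failure is a cipher suite negotiation failure."""
    return any(fragment in stderr for fragment in CIPHER_ERRORS)


def ipmi_with_fallback(host, user, password_file, args,
                       suites=(17, 3), runner=run_ipmitool):
    """Try each suite in order, strongest first.

    Returns (suite_used, stdout). Raises RuntimeError if no suite is accepted
    or if the command fails for a reason unrelated to the cipher suite.
    """
    last_err = ""
    for suite in suites:
        rc, out, err = runner(host, user, password_file, suite, args)
        if rc == 0:
            return suite, out
        last_err = err.strip()
        if not is_cipher_error(err):
            # Bad credentials, timeout, etc.: a weaker suite will not help,
            # so stop here instead of silently downgrading.
            raise RuntimeError(f"ipmitool failed with suite {suite}: {last_err}")
    raise RuntimeError(f"no cipher suite in {tuple(suites)} accepted: {last_err}")
```

Record the returned suite per node so that hosts still negotiating suite 3 are visible in an inventory or audit.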

Comment 4 Raviv Bar-Tal 2021-06-15 12:50:59 UTC
Code was reviewed by QA and bug moved to verified so it will not block the code for the release.
If the issue still exists, please open a new BZ and contact us.

Comment 7 errata-xmlrpc 2021-07-27 22:34:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

