Merge "Update swift HTTPs information in ilo documentation"
commit
872e0d2f35
@ -1855,6 +1855,25 @@ can not be found.
|
||||
.. _`link`: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Storage_Administration_Guide/persistent_naming.html
|
||||
|
||||
|
||||
.. _EnableHTTPSinSwift:
|
||||
|
||||
Enabling HTTPS in Swift
|
||||
=======================
|
||||
|
||||
The drivers using virtual media use swift for storing boot images
|
||||
and node configuration information (contains sensitive information for Ironic
|
||||
conductor to provision bare metal hardware). By default, HTTPS is not enabled
|
||||
in swift. HTTPS is required to encrypt all communication between swift and Ironic
|
||||
conductor and swift and bare metal (via virtual media). It can be enabled in one
|
||||
of the following ways:
|
||||
|
||||
* Using an SSL termination proxy. For more information, `see here
|
||||
<http://docs.openstack.org/security-guide/content/tls-proxies-and-http-services.html>`_
|
||||
|
||||
* Using native SSL support in swift (recommended only for testing
|
||||
purpose by swift). For more information,
|
||||
`see here <http://docs.openstack.org/developer/swift/deployment_guide.html>`_
|
||||
|
||||
Using Bare Metal service as a standalone service
|
||||
================================================
|
||||
|
||||
|
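Review bot: In the new "Enabling HTTPS in Swift" paragraph, the sentence "HTTPS is required to encrypt all communication between swift and Ironic conductor and swift and bare metal" chains its "and"s so that the two channels are hard to tell apart; suggest "between swift and the Ironic conductor, and between swift and the bare metal node (via virtual media)". In the second bullet, "recommended only for testing purpose by swift" is better as "which the swift documentation recommends only for testing". Both bullets use "see here" as link text and end without a period. The section also stops at the swift side: it does not say whether anything has to change on the Ironic side once the endpoint is HTTPS, or how the endpoint's certificate is expected to be trusted, which is the next thing an operator following it will need.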
@ -50,7 +50,6 @@ Prerequisites
|
||||
``ironic-conductor`` is running. On most distros, this is provided as part
|
||||
of the ``ipmitool`` package.
|
||||
|
||||
|
||||
Drivers
|
||||
=======
|
||||
|
||||
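Review bot: The one-line removal near the "Drivers" heading (the header goes from 7 lines to 6 and no text differs) is unrelated to the swift HTTPS text named in the commit title. Consider dropping it from this change, or mention the whitespace cleanup in the commit message so the diff stays focused.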
@ -68,11 +67,17 @@ Target Users
|
||||
~~~~~~~~~~~~
|
||||
|
||||
* Users who do not want to use PXE/TFTP protocol on their data centres.
|
||||
* Current PXE driver passes management info in clear-text to the
|
||||
bare metal node. ``iscsi_ilo`` driver enhances the security
|
||||
by passing management info over encrypted management network. This
|
||||
driver may be used by users who have concerns on PXE drivers security
|
||||
issues and want to have a security enhanced PXE-less deployment mechanism.
|
||||
|
||||
* Users who have concerns with PXE protocol's security issues and want to have a
|
||||
security enhanced PXE-less deployment mechanism.
|
||||
|
||||
The PXE driver passes management information in clear-text to the
|
||||
bare metal node. However, if swift proxy server has an HTTPS
|
||||
endpoint (See :ref:`EnableHTTPSinSwift` for more information), the
|
||||
``iscsi_ilo`` driver provides enhanced security by passing
|
||||
management information to and from swift endpoint over HTTPS. The
|
||||
management information, deploy ramdisk and boot images for the instance will
|
||||
be retrieved over encrypted management network via iLO virtual media.
|
||||
|
||||
Tested Platforms
|
||||
~~~~~~~~~~~~~~~~
|
||||
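Review bot: The last sentence of the added paragraph, "The management information, deploy ramdisk and boot images for the instance will be retrieved over encrypted management network via iLO virtual media", is unconditional, while the sentence before it makes the security benefit depend on the swift proxy server having an HTTPS endpoint. A reader can take the last sentence to mean the transfer is encrypted even when swift is served over plain HTTP; tie it to the same condition, or say what is exposed when swift is not on HTTPS. Minor: "(See :ref:`EnableHTTPSinSwift` ...)" sits mid-sentence, so "see" should be lower case.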
@ -100,8 +105,9 @@ Features
|
||||
* UEFI Boot Support
|
||||
* UEFI Secure Boot Support
|
||||
* Passing management information via secure, encrypted management network
|
||||
(virtual media) if swift proxy server has an HTTPs endpoint. Provisioning
|
||||
is done using iSCSI over data network, so this driver has the benefit
|
||||
(virtual media) if swift proxy server has an HTTPS endpoint. See
|
||||
:ref:`EnableHTTPSinSwift` for more info. User image provisioning is done
|
||||
using iSCSI over data network, so this driver has the benefit
|
||||
of security enhancement with the same performance. It segregates management
|
||||
info from data channel.
|
||||
* Support for out-of-band cleaning operations.
|
||||
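Review bot: The reworded bullet still ends with "this driver has the benefit of security enhancement with the same performance" directly after saying that user image provisioning is done using iSCSI over the data network. Say explicitly that the HTTPS condition covers only the management information passed via virtual media and that the image transfer over iSCSI is outside it, so the claim is not read as covering the whole deployment. Small consistency nit: "for more info" here versus "for more information" in the other added paragraphs.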
@ -274,6 +280,16 @@ https://wiki.openstack.org/wiki/Ironic-python-agent.
|
||||
Target Users
|
||||
~~~~~~~~~~~~
|
||||
* Users who do not want to use PXE/TFTP protocol on their data centres.
|
||||
* Users who have concerns on PXE based agent driver's security and
|
||||
want to have a security enhanced PXE-less deployment mechanism.
|
||||
|
||||
The PXE based agent drivers pass management information in clear-text to
|
||||
the bare metal node. However, if swift proxy server has an HTTPS
|
||||
endpoint (See :ref:`EnableHTTPSinSwift` for more information),
|
||||
the ``agent_ilo`` driver provides enhanced security by passing authtoken
|
||||
and management information to and from swift endpoint over HTTPS. The
|
||||
management information and deploy ramdisk will be retrieved over encrypted
|
||||
management network via iLO.
|
||||
|
||||
Tested Platforms
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
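Review bot: In the added ``agent_ilo`` paragraph, "passing authtoken and management information" uses "authtoken" without saying which token it is or who issues it. Spell it out (for example "authentication token") and name its source, since this is the one item that distinguishes this paragraph from the ``iscsi_ilo`` one. The closing sentence, "The management information and deploy ramdisk will be retrieved over encrypted management network via iLO", has the same unconditional wording as its ``iscsi_ilo`` counterpart and should carry the HTTPS condition too. "PXE based" should be hyphenated, and because the two Target Users paragraphs are near copies, a single shared note referenced from both sections would keep them from drifting apart.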