[openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

Dave Walker email at daviey.com
Tue Nov 8 22:01:47 UTC 2016


Hey Steve,

All of the credential generation is optional, right?  I mean, as far as
kolla is concerned - it doesn't *need* to generate the passwords... If
/etc/kolla/passwords.yml is created outside of kolla-genpwd, then kolla
isn't creating any credentials itself and the algorithm, entropy and policy
are transparent to kolla.

On 8 November 2016 at 21:50, Steven Dake (stdake) <stdake at cisco.com> wrote:

> Ok,
>
> Pavo has told me he has exceptions in place for everything related to
> Kolla.  He says as long as we don’t use MD5, he is good to go for a 232
> node deploy with more to follow (assuming Kolla works out of the box at
> that scale - we have only tested 123 node scale).
>
> We do some basic PRNG to generate passwords, and some PKCS#11 (iirc) algos
> to generate passwords, and we also generate some ssh public/private keys.
>
> Hope the security context helps.
>
> Thanks everyone on this thread for providing guidance.  RobC++ on article.
>
> Regards
> -steve
>
> On 11/8/16, 1:46 PM, "Clint Byrum" <clint at fewbar.com> wrote:
>
> >Excerpts from Ian Cordasco's message of 2016-11-08 16:11:26 -0500:
> >> Can I ask why FIPS compliance is a requirement for Kolla? This seems
> >> like an odd request for a deployment project.
> >>
> >
> >Guessing it's for the modules that need to communicate securely with
> >OpenStack itself.
> >
> >__________________________________________________________________________
> >OpenStack Development Mailing List (not for usage questions)
> >Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev