<div dir="ltr">Hey Steve,<div><br></div><div>All of the credential generation is optional right? I mean, as far as kolla is concerned - it doesn't *need* to generate the passwords... If /etc/kolla/passwords.yml is created outside of kolla-genpwd, then kolla isn't creating any credentials itself and the algorithm, entropy and policy is transparent to kolla. </div></div><div class="gmail_extra"><br><div class="gmail_quote">On 8 November 2016 at 21:50, Steven Dake (stdake) <span dir="ltr"><<a href="mailto:stdake@cisco.com" target="_blank">stdake@cisco.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Ok,<br>
<br>
Pavo has told me he has exceptions in place for everything related to Kolla. He says as long as we don’t use MD5, he is good to go for a 232 node deploy with more to follow (assuming Kolla works out of the box at that scale - we have only tested 123 node scale).<br>
<br>
We do some basic PRNG to generate passwords, and some PKCS#11 (iirc) algos to generate passwords, and we also generate some ssh public/private keys.<br>
<br>
Hope the security context helps.<br>
<br>
Thanks everyone on his thread for providing guidance. RobC++ on article.<br>
<br>
Regards<br>
-steve<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
<br>
<br>
On 11/8/16, 1:46 PM, "Clint Byrum" <<a href="mailto:clint@fewbar.com">clint@fewbar.com</a>> wrote:<br>
<br>
>Excerpts from Ian Cordasco's message of 2016-11-08 16:11:26 -0500:<br>
>> Can I ask why FIPS compliance is a requirement for Kolla? This seems<br>
>> like an odd request for a deployment project.<br>
>><br>
><br>
>Guessing it's for the modules that need to communicate securely with<br>
>OpenStack itself.<br>
><br>
>_____________________________<wbr>______________________________<wbr>_______________<br>
>OpenStack Development Mailing List (not for usage questions)<br>
>Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
</div></div></blockquote></div><br></div>