[openstack-dev] [requirements][kolla][security] pycrypto vs cryptography
Steven Dake (stdake)
stdake at cisco.com
Wed Nov 9 09:14:59 UTC 2016
Daviey,
I pointed this out to Pavo as well a few weeks ago. I’m not sure if it mattered or not.
Regards
-steve
From: Dave Walker <email at daviey.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Date: Tuesday, November 8, 2016 at 2:01 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography
Hey Steve,
All of the credential generation is optional, right? I mean, as far as kolla is concerned - it doesn't *need* to generate the passwords... If /etc/kolla/passwords.yml is created outside of kolla-genpwd, then kolla isn't creating any credentials itself and the algorithm, entropy and policy are transparent to kolla.
On 8 November 2016 at 21:50, Steven Dake (stdake) <stdake at cisco.com> wrote:
Ok,
Pavo has told me he has exceptions in place for everything related to Kolla. He says as long as we don’t use MD5, he is good to go for a 232 node deploy with more to follow (assuming Kolla works out of the box at that scale - we have only tested 123 node scale).
We do some basic PRNG to generate passwords, and some PKCS#11 (iirc) algos to generate passwords, and we also generate some ssh public/private keys.
Hope the security context helps.
Thanks everyone on this thread for providing guidance. RobC++ on article.
Regards
-steve
On 11/8/16, 1:46 PM, "Clint Byrum" <clint at fewbar.com> wrote:
>Excerpts from Ian Cordasco's message of 2016-11-08 16:11:26 -0500:
>> Can I ask why FIPS compliance is a requirement for Kolla? This seems
>> like an odd request for a deployment project.
>>
>
>Guessing it's for the modules that need to communicate securely with
>OpenStack itself.
>
>__________________________________________________________________________
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe<http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev