Hey Steve, All of the credential generation is optional right? I mean, as far as kolla is concerned - it doesn't *need* to generate the passwords... If /etc/kolla/passwords.yml is created outside of kolla-genpwd, then kolla isn't creating any credentials itself and the algorithm, entropy and policy is transparent to kolla.
On 8 November 2016 at 21:50, Steven Dake (stdake) <std...@cisco.com> wrote: > Ok, > > Pavo has told me he has exceptions in place for everything related to > Kolla. He says as long as we don’t use MD5, he is good to go for a 232 > node deploy with more to follow (assuming Kolla works out of the box at > that scale - we have only tested 123 node scale). > > We do some basic PRNG to generate passwords, and some PKCS#11 (iirc) algos > to generate passwords, and we also generate some ssh public/private keys. > > Hope the security context helps. > > Thanks everyone on his thread for providing guidance. RobC++ on article. > > Regards > -steve > > > > > On 11/8/16, 1:46 PM, "Clint Byrum" <cl...@fewbar.com> wrote: > > >Excerpts from Ian Cordasco's message of 2016-11-08 16:11:26 -0500: > >> Can I ask why FIPS compliance is a requirement for Kolla? This seems > >> like an odd request for a deployment project. > >> > > > >Guessing it's for the modules that need to communicate securely with > >OpenStack itself. > > > >___________________________________________________________ > _______________ > >OpenStack Development Mailing List (not for usage questions) > >Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject: > unsubscribe > >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
