Update swift HTTPs information in ilo documentation

This commit updates iLO driver documentation to reflect that HTTPS has to enabled in swift explicitly to encrypt the communication with swift for ironic conductor and iLO. It also provides pointers on how to enable HTTPS for swift endpoint. Co-Authored-By: Ramakrishnan G <rameshg87@gmail.com> Closes-bug: 1511227 Change-Id: Ie0763259d6e1a84c19f89efeb5a19f7c8ca9fc8a
2015-10-28 23:28:26 -07:00 · 2015-10-28 23:28:26 -07:00 · 7924997b53
commit 7924997b53
parent bfcf0b723e
2 changed files with 43 additions and 8 deletions
--- a/doc/source/deploy/install-guide.rst
+++ b/doc/source/deploy/install-guide.rst
@ -1852,6 +1852,25 @@ can not be found.
 .. _`link`: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Storage_Administration_Guide/persistent_naming.html


+.. _EnableHTTPSinSwift:
+
+Enabling HTTPS in Swift
+=======================
+
+The drivers using virtual media use swift for storing boot images
+and node configuration information (contains sensitive information for Ironic
+conductor to provision bare metal hardware).  By default, HTTPS is not enabled
+in swift. HTTPS is required to encrypt all communication between swift and Ironic
+conductor and swift and bare metal (via virtual media).  It can be enabled in one
+of the following ways:
+
+* Using an SSL termination proxy. For more information, `see here
+  <http://docs.openstack.org/security-guide/content/tls-proxies-and-http-services.html>`_
+
+* Using native SSL support in swift (recommended only for testing
+  purpose by swift). For more information,
+  `see here <http://docs.openstack.org/developer/swift/deployment_guide.html>`_
+
 Using Bare Metal service as a standalone service
 ================================================

--- a/doc/source/drivers/ilo.rst
+++ b/doc/source/drivers/ilo.rst
@ -50,7 +50,6 @@ Prerequisites
  ``ironic-conductor`` is running. On most distros, this is provided as part
  of the ``ipmitool`` package.

-
 Drivers
 =======

@ -68,11 +67,17 @@ Target Users
 ~~~~~~~~~~~~

 * Users who do not want to use PXE/TFTP protocol on their data centres.
-* Current PXE driver passes management info in clear-text to the
-  bare metal node. ``iscsi_ilo`` driver enhances the security
-  by passing management info over encrypted management network. This
-  driver may be used by users who have concerns on PXE drivers security
-  issues and want to have a security enhanced PXE-less deployment mechanism.
+
+* Users who have concerns with PXE protocol's security issues and want to have a
+  security enhanced PXE-less deployment mechanism.
+
+  The PXE driver passes management information in clear-text to the
+  bare metal node.  However, if swift proxy server has an HTTPS
+  endpoint (See :ref:`EnableHTTPSinSwift` for more information), the
+  ``iscsi_ilo`` driver provides enhanced security by passing
+  management information to and from swift endpoint over HTTPS.  The
+  management information, deploy ramdisk and boot images for the instance will
+  be retrieved over encrypted management network via iLO virtual media.

 Tested Platforms
 ~~~~~~~~~~~~~~~~
@ -100,8 +105,9 @@ Features
 * UEFI Boot Support
 * UEFI Secure Boot Support
 * Passing management information via secure, encrypted management network
-  (virtual media) if swift proxy server has an HTTPs endpoint. Provisioning
-  is done using iSCSI over data network, so this driver has the  benefit
+  (virtual media) if swift proxy server has an HTTPS endpoint. See
+  :ref:`EnableHTTPSinSwift` for more info.  User image provisioning is done
+  using iSCSI over data network, so this driver has the benefit
  of security enhancement with the same performance. It segregates management
  info from data channel.
 * Support for out-of-band cleaning operations.
@ -274,6 +280,16 @@ https://wiki.openstack.org/wiki/Ironic-python-agent.
 Target Users
 ~~~~~~~~~~~~
 * Users who do not want to use PXE/TFTP protocol on their data centres.
+* Users who have concerns on PXE based agent driver's security and
+  want to have a security enhanced PXE-less deployment mechanism.
+
+  The PXE based agent drivers pass management information in clear-text to
+  the bare metal node.  However, if swift proxy server has an HTTPS
+  endpoint (See :ref:`EnableHTTPSinSwift` for more information),
+  the ``agent_ilo`` driver provides enhanced security by passing authtoken
+  and management information to and from swift endpoint over HTTPS.  The
+  management information and deploy ramdisk will be retrieved over encrypted
+  management network via iLO.

 Tested Platforms
 ~~~~~~~~~~~~~~~~