diff --git a/doc/source/deploy/install-guide.rst b/doc/source/deploy/install-guide.rst index a2f62e530f..e611b0d91f 100644 --- a/doc/source/deploy/install-guide.rst +++ b/doc/source/deploy/install-guide.rst @@ -1855,6 +1855,25 @@ can not be found. .. _`link`: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Storage_Administration_Guide/persistent_naming.html +.. _EnableHTTPSinSwift: + +Enabling HTTPS in Swift +======================= + +The drivers using virtual media use swift for storing boot images +and node configuration information (contains sensitive information for Ironic +conductor to provision bare metal hardware). By default, HTTPS is not enabled +in swift. HTTPS is required to encrypt all communication between swift and Ironic +conductor and swift and bare metal (via virtual media). It can be enabled in one +of the following ways: + +* Using an SSL termination proxy. For more information, `see here + `_ + +* Using native SSL support in swift (recommended only for testing + purpose by swift). For more information, + `see here `_ + Using Bare Metal service as a standalone service ================================================ diff --git a/doc/source/drivers/ilo.rst b/doc/source/drivers/ilo.rst index 7d888b9e11..0b9ae5b1f4 100644 --- a/doc/source/drivers/ilo.rst +++ b/doc/source/drivers/ilo.rst @@ -50,7 +50,6 @@ Prerequisites ``ironic-conductor`` is running. On most distros, this is provided as part of the ``ipmitool`` package. - Drivers ======= 
@@ -68,11 +67,17 @@ Target Users ~~~~~~~~~~~~ * Users who do not want to use PXE/TFTP protocol on their data centres. -* Current PXE driver passes management info in clear-text to the - bare metal node. ``iscsi_ilo`` driver enhances the security - by passing management info over encrypted management network. This - driver may be used by users who have concerns on PXE drivers security - issues and want to have a security enhanced PXE-less deployment mechanism. + +* Users who have concerns with PXE protocol's security issues and want to have a + security enhanced PXE-less deployment mechanism. + + The PXE driver passes management information in clear-text to the + bare metal node. However, if swift proxy server has an HTTPS + endpoint (See :ref:`EnableHTTPSinSwift` for more information), the + ``iscsi_ilo`` driver provides enhanced security by passing + management information to and from swift endpoint over HTTPS. The + management information, deploy ramdisk and boot images for the instance will + be retrieved over encrypted management network via iLO virtual media. Tested Platforms ~~~~~~~~~~~~~~~~ @@ -100,8 +105,9 @@ Features * UEFI Boot Support * UEFI Secure Boot Support * Passing management information via secure, encrypted management network - (virtual media) if swift proxy server has an HTTPs endpoint. Provisioning - is done using iSCSI over data network, so this driver has the benefit + (virtual media) if swift proxy server has an HTTPS endpoint. See + :ref:`EnableHTTPSinSwift` for more info. User image provisioning is done + using iSCSI over data network, so this driver has the benefit of security enhancement with the same performance. It segregates management info from data channel. * Support for out-of-band cleaning operations. 
@@ -274,6 +280,16 @@ https://wiki.openstack.org/wiki/Ironic-python-agent. Target Users ~~~~~~~~~~~~ * Users who do not want to use PXE/TFTP protocol on their data centres. +* Users who have concerns on PXE based agent driver's security and + want to have a security enhanced PXE-less deployment mechanism. + + The PXE based agent drivers pass management information in clear-text to + the bare metal node. However, if swift proxy server has an HTTPS + endpoint (See :ref:`EnableHTTPSinSwift` for more information), + the ``agent_ilo`` driver provides enhanced security by passing authtoken + and management information to and from swift endpoint over HTTPS. The + management information and deploy ramdisk will be retrieved over encrypted + management network via iLO. Tested Platforms ~~~~~~~~~~~~~~~~
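Review bot: In the install-guide hunk (new "Enabling HTTPS in Swift" section), both bullet links are broken as written: ``see here `_`` has no link target, so the SSL-termination-proxy and native-SSL references will not render. Supply the URLs and use descriptive link text instead of "see here", e.g. "see the Swift SSL termination proxy documentation". The same section also needs a certificate-verification caveat: an ``https://`` endpoint only defends against interception if the Ironic conductor verifies Swift's certificate (and the iLO, which fetches virtual media images from that endpoint, trusts the issuing CA); a self-signed or unverified certificate gives no protection against a man-in-the-middle on the management network. Two wording fixes: "node configuration information (contains sensitive information for Ironic conductor ...)" should read "node configuration information, which contains sensitive data the Ironic conductor uses to provision bare metal hardware", and "recommended only for testing purpose by swift" should read "Swift's own documentation recommends this only for testing".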
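Review bot: The first ilo.rst hunk (``@@ -50,7 +50,6 @@``) only removes a blank line before the "Drivers" heading; that is unrelated whitespace churn and should be dropped from this change or moved to a separate cleanup commit so the documentation diff stays focused on the HTTPS content.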
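Review bot: In the iscsi_ilo "Target Users" hunk (``@@ -68,11 +67,17 @@``), the sentence "The management information, deploy ramdisk and boot images for the instance will be retrieved over encrypted management network via iLO virtual media" overstates what the HTTPS-in-Swift prerequisite delivers: the conductor-to-Swift leg is covered, but the path is only encrypted end to end if the iLO itself retrieves the virtual media image from Swift over HTTPS and the conductor talks to the iLO over HTTPS as well. State both prerequisites explicitly rather than implying that enabling HTTPS in Swift alone yields an encrypted management network. Minor wording: "Users who have concerns with PXE protocol's security issues" reads better as "Users who have concerns about the security of the PXE protocol".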
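Review bot: In the iscsi_ilo "Features" hunk (``@@ -100,8 +105,9 @@``), "so this driver has the benefit of security enhancement with the same performance" is an unqualified performance claim with nothing in the document to back it; either qualify it ("without the overhead of encrypting the data channel, since user image provisioning still uses iSCSI over the data network") or drop the performance assertion. The ``HTTPs`` to ``HTTPS`` fix and the added cross-reference to ``EnableHTTPSinSwift`` are fine.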
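Review bot: In the agent_ilo "Target Users" hunk (``@@ -274,6 +280,16 @@``), "passing authtoken and management information to and from swift endpoint over HTTPS" introduces "authtoken" without defining it, and the parallel iscsi_ilo text in the same change mentions only "management information"; either say which token is meant (the credential the deploy ramdisk presents to Swift) or align the wording with the iscsi_ilo paragraph so the two drivers describe the same protection consistently. The closing sentence "will be retrieved over encrypted management network via iLO" has the same gap as the iscsi_ilo text: it holds only when the iLO fetches the deploy ramdisk from Swift over HTTPS and is itself reached over HTTPS, which should be stated as a prerequisite.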