Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: 4.18.0
Affects Version/s: 4.18.0
Component/s: Installer / OpenShift on Bare Metal IPI
Labels:
- triaged

Severity:
Moderate
Regression:
None
Story Points:
2
Sprint:
Metal Platform 262, Metal Platform 263, Metal Platform 264
sprint_count:
3
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
In the bootstrap phase of the installation process, the Transport Layer Security (TLS) between the metal3 httpd server and the node’s Baseboard Management Controller (BMC) is enabled by default in OpenShift Container Platform 4.18 and later. The httpd server is on port 6183 instead of port 6180 when TLS is enabled. Disable the TLS setting by adding 'disableVirtualMediaTLS: true' to the provisioning custom resource (CR) file that is created on the disk. (~~OCPBUGS-39404~~)
====
In the bootstrap phase of the install process, TLS between Metal3's httpd server and the nodes' BMCs is now enabled by default from OCP 4.18 onwards. The httpd server listens on port 6183 instead of 6180 when TLS is enabled. This makes it consistent with how CBO deploys metal3 (with TLS enabled). The user can disable this TLS setting by adding 'disableVirtualMediaTLS: true' to the Provisioning CR file created on disk by the installer. This file is created as a result of the 'openshift-install ... create manifests' command.

Show
In the bootstrap phase of the installation process, the Transport Layer Security (TLS) between the metal3 httpd server and the node’s Baseboard Management Controller (BMC) is enabled by default in OpenShift Container Platform 4.18 and later. The httpd server is on port 6183 instead of port 6180 when TLS is enabled. Disable the TLS setting by adding 'disableVirtualMediaTLS: true' to the provisioning custom resource (CR) file that is created on the disk. ( OCPBUGS-39404 ) ==== In the bootstrap phase of the install process, TLS between Metal3's httpd server and the nodes' BMCs is now enabled by default from OCP 4.18 onwards. The httpd server listens on port 6183 instead of 6180 when TLS is enabled. This makes it consistent with how CBO deploys metal3 (with TLS enabled). The user can disable this TLS setting by adding 'disableVirtualMediaTLS: true' to the Provisioning CR file created on disk by the installer. This file is created as a result of the 'openshift-install ... create manifests' command.
Release Note Type:
Enhancement
Release Note Status:
Done
Target Version:

4.18

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

OCPBUGS-36283 introduced the ability to switch on TLS between the BMC and the Metal3's httpd server. It is currently off by default to make the change backportable without a high risk of regressions. We need to turn it on for 4.18+ for consistency with CBO-deployed Metal3.

relates to

OCPBUGS-45175 Baremetal IPI install fails to retrieve boot iso with SSLError - ssl service is not running on the 6180 port used for IPv6

Verified

links to

openshift/installer#9170: OCPBUGS-39404: Enable TLS by default between Metal3's httpd server and the BMC (for serving virtual media images)

RHBA-2025:4019 OpenShift Container Platform 4.18.z bug fix update

Assignee:: Mahnoor Asghar

Reporter:: Dmitry Tantsur

QA Contact:: Jad Haj Yahya

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2024/09/03 1:33 PM

Updated:: 2025/05/02 3:50 AM

Resolved:: 2025/04/22 11:52 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates