From 22c06a90399da3d5ff3d74ecd564e8338fb271d1 Mon Sep 17 00:00:00 2001 From: robin2008 Date: Fri, 22 Jun 2018 17:34:46 +0800 Subject: [PATCH] secureroot doc --- docs/source/advanced/security/security.rst | 9 +++++++++ .../guides/admin-guides/references/man5/site.5.rst | 3 +++ 2 files changed, 12 insertions(+) diff --git a/docs/source/advanced/security/security.rst b/docs/source/advanced/security/security.rst index 32d9b9c4e..e47ca74e9 100644 --- a/docs/source/advanced/security/security.rst +++ b/docs/source/advanced/security/security.rst @@ -136,6 +136,15 @@ Here is an example about how to store a MD5 encrypted password for root in ``pas tabch key=system passwd.username=root passwd.password=`openSSL passwd -1 ` +During the provisioning, the root password will be set on the compute nodes. By default, xCAT stores the encrypted hash of password into installation files directly for better performance. + +For example, ``/etc/shadow`` in stateless image for stateless nodes or installation files ( ``/install/autoinst/`` ) for stateful nodes. + +You can enable **secureroot** feature for more secure consideration. :: + + chdef -t site secureroot=1 + +Then, after the new ``packimage`` or ``nodeset`` command, the root password hash can only be acquired on-the-fly with strict security control. Nodes Inter-Access in The Cluster diff --git a/docs/source/guides/admin-guides/references/man5/site.5.rst b/docs/source/guides/admin-guides/references/man5/site.5.rst index b43e6a12f..b77143fd2 100644 --- a/docs/source/guides/admin-guides/references/man5/site.5.rst +++ b/docs/source/guides/admin-guides/references/man5/site.5.rst 
@@ -295,6 +295,9 @@ site Attributes: for each node, and put them in a directory of tftpdir(such as: /tftpboot) If no, it will not generate the mypostscript file in the tftpdir. + secureroot: If set to 1, xCAT will use secure mode to transfer root password hash + during the installation. Default is 0. + setinstallnic: Set the network configuration for installnic to be static. sharedtftp: Set to 0 or no, xCAT should not assume the directory
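Review bot: In the security.rst hunk, the new paragraphs call the stored value an "encrypted hash of password" and describe secureroot only as "more secure consideration" with "strict security control", which does not tell an administrator what the feature actually changes. The value written by `openssl passwd -1` is a password hash, not an encrypted one, so "encrypted hash" should become "password hash". The paragraph should then state the risk the default carries, namely that the hash sits in `/etc/shadow` inside the stateless image and in the generated files under `/install/autoinst/`, where anyone able to read the image or that tree can take it and attack it offline, and describe in one sentence what "acquired on-the-fly" means in secure mode (from which source, over which channel, and under what access control) so the reader can judge whether it fits their environment. Finally, because the text itself says the change takes effect only "after the new `packimage` or `nodeset` command", add an explicit caveat that images and installation files generated before `secureroot=1` was set still contain the hash and must be regenerated (and the old files removed) for the setting to have any effect. Suggested wording for the first line: "By default, xCAT writes the root password hash directly into the installation files for better performance."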
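Review bot: In the site.5.rst hunk, the new `secureroot` entry says only that xCAT "will use secure mode to transfer root password hash during the installation", and "secure mode" is not defined anywhere on the man page. State what is different from the default (the hash is no longer written into the stateless image or the `/install/autoinst/` files and is fetched at install time instead), and note that it applies only to images built with `packimage` and installation files generated by `nodeset` after the attribute is set, matching what the security.rst hunk says. If this reference page is generated from the site table schema rather than maintained by hand, the description also needs to be added at the source so the next regeneration does not drop it.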