openstack/cinder
Code Issues Proposed changes

Add fips check jobs

Browse Source 
This patch adds two new FIPS enabled jobs to determine if there are any
issues when FIPS is enabled.

Because the FIPS jobs currently run on centos, code is added to the
test setup script to set up the databases correctly.  Also had
to increase the swap space on the nodes; see [0] for an explanation.

[0] https://review.opendev.org/c/openstack/devstack/+/803706

Depends-On: https://review.opendev.org/c/openstack/devstack-plugin-nfs/+/847087
Depends-On: https://review.opendev.org/c/openstack/cinder-tempest-plugin/+/847086

Change-Id: Ib85b6ecc6f1b12eb8afa866e56afbfb13aad0cba
This commit is contained in:
Ade Lee 2022-01-12 13:56:55 -08:00 committed by Eric Harney
parent 42d5d1d648
commit 933a7b7e6c
4 changed files with 62 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
.zuul.yaml
View File

@ -58,6 +58,9 @@
irrelevant-files: *gate-irrelevant-files
- cinder-tempest-plugin-lvm-lio-barbican:
irrelevant-files: *gate-irrelevant-files
- cinder-tempest-plugin-lvm-lio-barbican-fips:
voting: false
irrelevant-files: *gate-irrelevant-files
- cinder-grenade-mn-sub-volbak:
irrelevant-files: *gate-irrelevant-files
- cinder-tempest-lvm-multibackend:
@ -68,6 +71,9 @@
irrelevant-files: *gate-irrelevant-files
- devstack-plugin-nfs-tempest-full:
irrelevant-files: *gate-irrelevant-files
- devstack-plugin-nfs-tempest-full-fips:
voting: false
irrelevant-files: *gate-irrelevant-files
- tempest-slow-py3:
irrelevant-files: *gate-irrelevant-files
- tempest-integrated-storage:
@ -175,6 +181,17 @@
volume-feature-enabled:
volume_revert: True
- job:
# this depends on some ceph admin setup which is not yet complete
# TODO(alee) enable this test when ceph admin work is complete.
name: cinder-plugin-ceph-tempest-fips
parent: cinder-plugin-ceph-tempest
nodeset: devstack-single-node-centos-9-stream
pre-run: playbooks/enable-fips.yaml
vars:
configure_swap_size: 4096
nslookup_target: 'opendev.org'
- job:
name: cinder-plugin-ceph-tempest-mn-aa
parent: devstack-plugin-ceph-multinode-tempest-py3

1
bindep.txt
View File

@ -29,6 +29,7 @@ postgresql
postgresql-client [platform:dpkg]
postgresql-devel [platform:rpm]
postgresql-server [platform:rpm]
python3-devel [platform:rpm test]
libpq-dev [platform:dpkg]
thin-provisioning-tools [platform:debian]
libxml2-dev [platform:dpkg test]

3
playbooks/enable-fips.yaml Normal file
View File

@ -0,0 +1,3 @@
- hosts: all
roles:
- enable-fips

41
tools/test-setup.sh
View File

@ -15,6 +15,47 @@ DB_ROOT_PW=${MYSQL_ROOT_PW:-insecure_slave}
DB_USER=openstack_citest
DB_PW=openstack_citest
function is_rhel7 {
[ -f /usr/bin/yum ] && \
cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \
cat /etc/*release | grep -q 'release 7'
}
function is_rhel8 {
[ -f /usr/bin/dnf ] && \
cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \
cat /etc/*release | grep -q 'release 8'
}
function is_rhel9 {
[ -f /usr/bin/dnf ] && \
cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \
cat /etc/*release | grep -q 'release 9'
}
function set_conf_line { # file regex value
sudo sh -c "grep -q -e '$2' $1 && \
sed -i 's|$2|$3|g' $1 || \
echo '$3' >> $1"
}
if is_rhel7 || is_rhel8 || is_rhel9; then
# mysql needs to be started on centos/rhel
sudo systemctl restart mariadb.service
# postgres setup for centos
sudo postgresql-setup --initdb
PG_CONF=/var/lib/pgsql/data/postgresql.conf
set_conf_line $PG_CONF '^password_encryption =.*' 'password_encryption = scram-sha-256'
PG_HBA=/var/lib/pgsql/data/pg_hba.conf
set_conf_line $PG_HBA '^local[ \t]*all[ \t]*all.*' 'local all all peer'
set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*127.0.0.1\/32.*' 'host all all 127.0.0.1/32 scram-sha-256'
set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*::1\/128.*' 'host all all ::1/128 scram-sha-256'
sudo systemctl restart postgresql.service
fi
sudo -H mysqladmin -u root password $DB_ROOT_PW
# It's best practice to remove anonymous users from the database. If