From 15b2e429685fc753759ef8f3773ac559424e028f Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Tue, 24 Jan 2023 14:44:13 +0100 Subject: [PATCH] Modify devstack-base to allow for fips devstack-base is changed to descend from openstack-multinode-fips which is defined in project-config. This allows jobs to execute the enable_fips playbook to enable FIPS mode on the node, but only if they opt-in by setting enable_fips to True. Otherwise, this is a no-op. Change-Id: I5631281662dbd18056ffba291290ed0978ab937e --- .zuul.yaml | 2 +- functions-common | 5 +++++ lib/databases/mysql | 11 ++++++++++- 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/.zuul.yaml b/.zuul.yaml index fa7f180797..37625f3d11 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -370,7 +370,7 @@ - job: name: devstack-base - parent: multinode + parent: openstack-multinode-fips abstract: true description: | Base abstract Devstack job. diff --git a/functions-common b/functions-common index 4eed5d8407..844fffac37 100644 --- a/functions-common +++ b/functions-common @@ -2545,6 +2545,11 @@ function clean_pyc_files { fi } +function is_fips_enabled { + fips=`cat /proc/sys/crypto/fips_enabled` + [ "$fips" == "1" ] +} + # Restore xtrace $_XTRACE_FUNCTIONS_COMMON diff --git a/lib/databases/mysql b/lib/databases/mysql index e805b3e73f..bc6ce3d5c2 100644 --- a/lib/databases/mysql +++ b/lib/databases/mysql @@ -69,7 +69,7 @@ function recreate_database_mysql { } function configure_database_mysql { - local my_conf mysql slow_log + local my_conf mysql slow_log my_client_conf echo_summary "Configuring and starting MySQL" if is_ubuntu; then @@ -86,6 +86,15 @@ function configure_database_mysql { exit_distro_not_supported "mysql configuration" fi + # Set fips mode on + if is_ubuntu; then + if is_fips_enabled; then + my_client_conf=/etc/mysql/mysql.conf.d/mysql.cnf + iniset -sudo $my_client_conf mysql ssl-fips-mode "on" + iniset -sudo $my_conf mysqld ssl-fips-mode "on" + fi + fi + # Change bind-address from localhost (127.0.0.1) to any (::) iniset -sudo $my_conf mysqld bind-address "$(ipv6_unquote $SERVICE_LISTEN_ADDRESS)"