Add fips check jobs

Some jobs have been modified to run to confirm that functionality is
still working when FIPS is enabled on the nodes.

As the FIPS tests currently run on centos nodes, code is added
to the test-setup script to set up the databases correctly.  Also had
to increase the swap space on the nodes; see [0] for an explanation.

The current FIPS jobs run using python 3.6 on centos-8-stream.  We will
modify these to run on centos-9-stream and python 3.9 in a
subsequent patch.

[0] https://review.opendev.org/c/openstack/devstack/+/803706

Change-Id: I060d8247c7b09f63990ea411e6c6a056bb50410d
Ade Lee 2021-05-10 20:50:29 -04:00
parent 472c1635ca
commit 0f13754f84
3 changed files with 44 additions and 4 deletions


@ -256,16 +256,25 @@
output_format: raw
- job:
name: glance-multistore-cinder-import
name: glance-multistore-cinder-import-fips
parent: tempest-integrated-storage-import
description: |
The regular import workflow job to test with multiple cinder stores
The regular import workflow job to test with multiple cinder stores with
fips enabled
nodeset: devstack-single-node-centos-8-stream
pre-run: playbooks/enable-fips.yaml
vars:
configure_swap_size: 4096
devstack_localrc:
USE_CINDER_FOR_GLANCE: True
GLANCE_ENABLE_MULTIPLE_STORES: True
CINDER_ENABLED_BACKENDS: lvm:lvmdriver-1,lvm:lvmdriver-2
GLANCE_CINDER_DEFAULT_BACKEND: lvmdriver-1
devstack_local_conf:
test-config:
"$TEMPEST_CONFIG":
validation:
ssh_key_type: 'ecdsa'
- job:
name: tempest-integrated-storage-import-standalone
@ -303,7 +312,7 @@
- release-notes-jobs-python3
check:
jobs:
- openstack-tox-functional-py36
- openstack-tox-functional-py36-fips
- openstack-tox-functional-py39
- glance-tox-functional-py39-rbac-defaults
- glance-code-constants-check
@ -327,7 +336,7 @@
irrelevant-files: *tempest-irrelevant-files
- tempest-integrated-storage-import-standalone:
irrelevant-files: *tempest-irrelevant-files
- glance-multistore-cinder-import:
- glance-multistore-cinder-import-fips:
irrelevant-files: *tempest-irrelevant-files
- grenade:
irrelevant-files: *tempest-irrelevant-files
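Review bot: `configure_swap_size: 4096` and `ssh_key_type: 'ecdsa'` in the new glance-multistore-cinder-import-fips job carry no comment saying why a FIPS run needs them, and the rationale given in the commit message (the devstack change linked as [0]) will not be visible to someone reading the job definition later. A YAML comment above the swap line such as `# FIPS enablement on the centos-8-stream node needs extra swap; see https://review.opendev.org/c/openstack/devstack/+/803706` and one above the key type noting that it is chosen for the FIPS-enabled node would make the job self-describing. The second and third hunks replace the non-FIPS `openstack-tox-functional-py36` and `glance-multistore-cinder-import` check jobs with their `-fips` variants rather than adding them alongside, so non-FIPS coverage of those two configurations is dropped from check; the commit message presents this as intended, but a sentence saying so explicitly would help the next reader.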


@ -0,0 +1,3 @@
- hosts: all
roles:
- enable-fips


@ -15,6 +15,34 @@ DB_ROOT_PW=${MYSQL_ROOT_PW:-insecure_slave}
DB_USER=openstack_citest
DB_PW=openstack_citest
function set_conf_line {
# parameters: file regex value
# check if the regex occurs in the file
# If so, replace with the value.
# If not, append the value to the end of the file.
sudo sh -c "grep -q -e '$2' $1 && \
sed -i 's|$2|$3|g' $1 || \
echo '$3' >> $1"
}
if $(egrep -q "^.*(centos:centos:|cloudlinux:cloudlinux:|redhat:enterprise_linux:)[78].*$" /etc/*release); then
# mysql needs to be started on centos/rhel
sudo systemctl restart mariadb.service
# postgres setup for centos
# make sure to use scram-sha-256 instead of md5 for fips!
sudo postgresql-setup --initdb
PG_CONF=/var/lib/pgsql/data/postgresql.conf
set_conf_line $PG_CONF '^password_encryption =.*' 'password_encryption = scram-sha-256'
PG_HBA=/var/lib/pgsql/data/pg_hba.conf
set_conf_line $PG_HBA '^local[ \t]*all[ \t]*all.*' 'local all all peer'
set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*127.0.0.1\/32.*' 'host all all 127.0.0.1/32 scram-sha-256'
set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*::1\/128.*' 'host all all ::1/128 scram-sha-256'
sudo systemctl restart postgresql.service
fi
sudo -H mysqladmin -u root password $DB_ROOT_PW
# It's best practice to remove anonymous users from the database. If
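Review bot: `set_conf_line` splices its three arguments unquoted into the string handed to `sudo sh -c`, so a regex or value containing `'`, `|` or other shell metacharacters either breaks the command or is interpreted by the root shell; the three callers in this hunk pass fixed literals, but the helper is written as a general routine and should hand its arguments to the inner shell as positional parameters instead of interpolating them (rewrite below). The same line relies on `grep && sed || echo`, so a failing `sed` falls through and appends a second copy of the value; an explicit if/else avoids that. Separately, `if $(egrep -q ...)` works only because an empty simple command returns the status of its command substitution; `if grep -E -q '...' /etc/*release; then` states the intent directly and drops the deprecated `egrep`. Note also that GNU grep treats `\t` inside a bracket expression as a literal backslash and `t` while GNU sed expands it to a tab, so the `[ \t]*` patterns can match different lines in the two tools on tab-indented pg_hba entries; the stock file uses spaces, so this is latent rather than failing here.
```shell
function set_conf_line {
    # … unchanged: parameter and replace-or-append description comments …
    # Arguments reach the inner shell as $1..$3 rather than being pasted
    # into the command text, so quotes or metacharacters in them cannot
    # change the command the root shell runs.
    sudo sh -c 'if grep -q -e "$2" -- "$1"; then
                    sed -i "s|$2|$3|g" -- "$1"
                else
                    printf "%s\n" "$3" >> "$1"
                fi' sh "$1" "$2" "$3"
}
```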