openstack/glance
Code Issues Proposed changes

Merge "Add fips check jobs"

Browse Source
This commit is contained in:
Zuul 2022-02-07 09:18:00 +00:00 committed by Gerrit Code Review
commit 43df45f9a6
3 changed files with 44 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
.zuul.yaml
View File

@ -256,16 +256,25 @@
output_format: raw output_format: raw
- job: - job:
name: glance-multistore-cinder-import name: glance-multistore-cinder-import-fips
parent: tempest-integrated-storage-import parent: tempest-integrated-storage-import
description: | description: |
The regular import workflow job to test with multiple cinder stores The regular import workflow job to test with multiple cinder stores with
fips enabled
nodeset: devstack-single-node-centos-8-stream
pre-run: playbooks/enable-fips.yaml
vars: vars:
configure_swap_size: 4096
devstack_localrc: devstack_localrc:
USE_CINDER_FOR_GLANCE: True USE_CINDER_FOR_GLANCE: True
GLANCE_ENABLE_MULTIPLE_STORES: True GLANCE_ENABLE_MULTIPLE_STORES: True
CINDER_ENABLED_BACKENDS: lvm:lvmdriver-1,lvm:lvmdriver-2 CINDER_ENABLED_BACKENDS: lvm:lvmdriver-1,lvm:lvmdriver-2
GLANCE_CINDER_DEFAULT_BACKEND: lvmdriver-1 GLANCE_CINDER_DEFAULT_BACKEND: lvmdriver-1
devstack_local_conf:
test-config:
"$TEMPEST_CONFIG":
validation:
ssh_key_type: 'ecdsa'
- job: - job:
name: tempest-integrated-storage-import-standalone name: tempest-integrated-storage-import-standalone
@ -303,7 +312,7 @@
- release-notes-jobs-python3 - release-notes-jobs-python3
check: check:
jobs: jobs:
- openstack-tox-functional-py36 - openstack-tox-functional-py36-fips
- openstack-tox-functional-py39 - openstack-tox-functional-py39
- glance-tox-functional-py39-rbac-defaults - glance-tox-functional-py39-rbac-defaults
- glance-code-constants-check - glance-code-constants-check
@ -327,7 +336,7 @@
irrelevant-files: *tempest-irrelevant-files irrelevant-files: *tempest-irrelevant-files
- tempest-integrated-storage-import-standalone: - tempest-integrated-storage-import-standalone:
irrelevant-files: *tempest-irrelevant-files irrelevant-files: *tempest-irrelevant-files
- glance-multistore-cinder-import: - glance-multistore-cinder-import-fips:
irrelevant-files: *tempest-irrelevant-files irrelevant-files: *tempest-irrelevant-files
- grenade: - grenade:
irrelevant-files: *tempest-irrelevant-files irrelevant-files: *tempest-irrelevant-files

3
playbooks/enable-fips.yaml Normal file
View File

@ -0,0 +1,3 @@
- hosts: all
roles:
- enable-fips

28
tools/test-setup.sh
View File

@ -15,6 +15,34 @@ DB_ROOT_PW=${MYSQL_ROOT_PW:-insecure_slave}
DB_USER=openstack_citest DB_USER=openstack_citest
DB_PW=openstack_citest DB_PW=openstack_citest
function set_conf_line {
# parameters: file regex value
# check if the regex occurs in the file
# If so, replace with the value.
# If not, append the value to the end of the file.
sudo sh -c "grep -q -e '$2' $1 && \
sed -i 's|$2|$3|g' $1 || \
echo '$3' >> $1"
}
if $(egrep -q "^.*(centos:centos:|cloudlinux:cloudlinux:|redhat:enterprise_linux:)[78].*$" /etc/*release); then
# mysql needs to be started on centos/rhel
sudo systemctl restart mariadb.service
# postgres setup for centos
# make sure to use scram-sha-256 instead of md5 for fips!
sudo postgresql-setup --initdb
PG_CONF=/var/lib/pgsql/data/postgresql.conf
set_conf_line $PG_CONF '^password_encryption =.*' 'password_encryption = scram-sha-256'
PG_HBA=/var/lib/pgsql/data/pg_hba.conf
set_conf_line $PG_HBA '^local[ \t]*all[ \t]*all.*' 'local all all peer'
set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*127.0.0.1\/32.*' 'host all all 127.0.0.1/32 scram-sha-256'
set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*::1\/128.*' 'host all all ::1/128 scram-sha-256'
sudo systemctl restart postgresql.service
fi
sudo -H mysqladmin -u root password $DB_ROOT_PW sudo -H mysqladmin -u root password $DB_ROOT_PW
# It's best practice to remove anonymous users from the database. If # It's best practice to remove anonymous users from the database. If