Merge "Add fips check jobs"

2022-02-07 09:18:00 +00:00 · 2022-02-07 09:18:00 +00:00 · 43df45f9a6
commit 43df45f9a6
parent d615de6b73 0f13754f84
3 changed files with 44 additions and 4 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -256,16 +256,25 @@
              output_format: raw

 - job:
-    name: glance-multistore-cinder-import
+    name: glance-multistore-cinder-import-fips
    parent: tempest-integrated-storage-import
    description: |
-      The regular import workflow job to test with multiple cinder stores
+      The regular import workflow job to test with multiple cinder stores with
+      fips enabled
+    nodeset: devstack-single-node-centos-8-stream
+    pre-run: playbooks/enable-fips.yaml
    vars:
+      configure_swap_size: 4096
      devstack_localrc:
        USE_CINDER_FOR_GLANCE: True
        GLANCE_ENABLE_MULTIPLE_STORES: True
        CINDER_ENABLED_BACKENDS: lvm:lvmdriver-1,lvm:lvmdriver-2
        GLANCE_CINDER_DEFAULT_BACKEND: lvmdriver-1
+      devstack_local_conf:
+        test-config:
+          "$TEMPEST_CONFIG":
+            validation:
+              ssh_key_type: 'ecdsa'

 - job:
    name: tempest-integrated-storage-import-standalone
@ -303,7 +312,7 @@
      - release-notes-jobs-python3
    check:
      jobs:
-        - openstack-tox-functional-py36
+        - openstack-tox-functional-py36-fips
        - openstack-tox-functional-py39
        - glance-tox-functional-py39-rbac-defaults
        - glance-code-constants-check
@ -327,7 +336,7 @@
            irrelevant-files: *tempest-irrelevant-files
        - tempest-integrated-storage-import-standalone:
            irrelevant-files: *tempest-irrelevant-files
-        - glance-multistore-cinder-import:
+        - glance-multistore-cinder-import-fips:
            irrelevant-files: *tempest-irrelevant-files
        - grenade:
            irrelevant-files: *tempest-irrelevant-files
--- a/playbooks/enable-fips.yaml
+++ b/playbooks/enable-fips.yaml
@ -0,0 +1,3 @@
+- hosts: all
+  roles:
+    - enable-fips
--- a/tools/test-setup.sh
+++ b/tools/test-setup.sh
@ -15,6 +15,34 @@ DB_ROOT_PW=${MYSQL_ROOT_PW:-insecure_slave}
 DB_USER=openstack_citest
 DB_PW=openstack_citest

+function set_conf_line {
+    # parameters: file regex value
+    # check if the regex occurs in the file
+    # If so, replace with the value.
+    # If not, append the value to the end of the file.
+    sudo sh -c "grep -q -e '$2' $1 && \
+            sed -i 's|$2|$3|g' $1 || \
+            echo '$3' >> $1"
+}
+
+if $(egrep -q "^.*(centos:centos:|cloudlinux:cloudlinux:|redhat:enterprise_linux:)[78].*$" /etc/*release); then
+    # mysql needs to be started on centos/rhel
+    sudo systemctl restart mariadb.service
+
+    # postgres setup for centos
+    # make sure to use scram-sha-256 instead of md5 for fips!
+    sudo postgresql-setup --initdb
+    PG_CONF=/var/lib/pgsql/data/postgresql.conf
+    set_conf_line $PG_CONF '^password_encryption =.*' 'password_encryption = scram-sha-256'
+
+    PG_HBA=/var/lib/pgsql/data/pg_hba.conf
+    set_conf_line $PG_HBA '^local[ \t]*all[ \t]*all.*' 'local all all peer'
+    set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*127.0.0.1\/32.*' 'host all all 127.0.0.1/32 scram-sha-256'
+    set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*::1\/128.*' 'host all all ::1/128 scram-sha-256'
+
+    sudo systemctl restart postgresql.service
+fi
+
 sudo -H mysqladmin -u root password $DB_ROOT_PW

 # It's best practice to remove anonymous users from the database.  If