Add functional and fullstack jobs with FIPS enabled
This patch adds definitions of the functional and fullstack jobs with support for FIPS enabled [1]. Jobs are based on the Centos 8 stream as this distro allows FIPS support to be enabled. Jobs are added to the experimental queue for now. This patch also makes some changes in the bindep and configure_functional_tests role to make functional/fullstack tests work on Centos. [1] https://csrc.nist.gov/publications/detail/fips/140/3/final Co-Authored-By: Ade Lee <alee@redhat.com> Change-Id: I582495826155740ad2660ee2a8717696b0393d26
parent
63f8a39d75
commit
836592a8bc
|
@ -15,10 +15,11 @@ libffi-devel [platform:rpm]
|
||||||
# periodic-neutron-py35-with-neutron-lib-master.
|
# periodic-neutron-py35-with-neutron-lib-master.
|
||||||
haproxy
|
haproxy
|
||||||
libmysqlclient-dev [platform:dpkg test]
|
libmysqlclient-dev [platform:dpkg test]
|
||||||
mysql [platform:rpm test]
|
mariadb [platform:rpm test]
|
||||||
|
mariadb-devel [platform:rpm test]
|
||||||
|
mariadb-server [platform:rpm test]
|
||||||
mysql-client [platform:dpkg test]
|
mysql-client [platform:dpkg test]
|
||||||
mysql-devel [platform:rpm test]
|
mysql-server [platform:dpkg test]
|
||||||
mysql-server [test]
|
|
||||||
postgresql [test]
|
postgresql [test]
|
||||||
postgresql-client [platform:dpkg test]
|
postgresql-client [platform:dpkg test]
|
||||||
postgresql-devel [platform:rpm test]
|
postgresql-devel [platform:rpm test]
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
- hosts: all
|
||||||
|
roles:
|
||||||
|
- persistent-firewall
|
||||||
|
- enable-fips
|
||||||
|
- disable_selinux
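Review bot: Nothing in this pre-run playbook confirms that the node actually ended up in FIPS mode, so a job could pass on a host where the `enable-fips` role had no effect. A follow-up task asserting that `/proc/sys/crypto/fips_enabled` reads `1` would make a green result meaningful; the role's implementation is not visible here, so it may already do this. The playbook also relaxes SELinux immediately after enabling FIPS without saying why, so a comment such as `# SELinux set to permissive because <reason>; drop once tests pass in enforcing mode` would help. The `disable_selinux` role name uses an underscore where the other two roles use hyphens.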
|
|
@ -15,10 +15,24 @@
|
||||||
STACK_USER=stack
|
STACK_USER=stack
|
||||||
OVS_BRANCH={{ OVS_BRANCH }}
|
OVS_BRANCH={{ OVS_BRANCH }}
|
||||||
OVN_BRANCH={{ OVN_BRANCH }}
|
OVN_BRANCH={{ OVN_BRANCH }}
|
||||||
|
# This is DB USER used in e.g. pgsql db
|
||||||
|
DATABASE_USER=openstack_citest
|
||||||
|
|
||||||
source $DEVSTACK_PATH/functions
|
source $DEVSTACK_PATH/functions
|
||||||
source $DEVSTACK_PATH/lib/neutron_plugins/ovn_agent
|
source $DEVSTACK_PATH/lib/neutron_plugins/ovn_agent
|
||||||
source $NEUTRON_DIR/tools/configure_for_func_testing.sh
|
source $NEUTRON_DIR/tools/configure_for_func_testing.sh
|
||||||
|
|
||||||
|
if is_fedora; then
|
||||||
|
# NOTE(slqweq) Running functional job e.g. on Centos requires to
|
||||||
|
# have repo with rabbitmq-server and some other packages available
|
||||||
|
install_package centos-release-openstack-victoria
|
||||||
|
install_package iproute-tc haproxy keepalived
|
||||||
|
|
||||||
|
# NOTE(slaweq) On Fedora/CentOS systems make sure that SELinux is
|
||||||
|
# not in enforcing mode
|
||||||
|
sudo setenforce 0
|
||||||
|
fi
|
||||||
|
|
||||||
configure_host_for_func_testing
|
configure_host_for_func_testing
|
||||||
|
|
||||||
executable: /bin/bash
|
executable: /bin/bash
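Review bot: `sudo setenforce 0` inside the `is_fedora` branch takes SELinux out of enforcing mode on every rpm-based host that runs this role, not only on the FIPS jobs, and it repeats what the new `disable_selinux` role task (`command: "setenforce 0"`) already does in the FIPS pre-run. Both calls are unguarded: `setenforce` exits non-zero when SELinux is disabled on the host, which would fail the Ansible task and, if errexit is active in this shell (the sourced configure_for_func_testing.sh appears to use `set -e`), abort this script as well. Consider keeping the switch in one place and guarding it, e.g. `if selinuxenabled; then sudo setenforce 0; fi`, with the NOTE naming the specific denial that requires permissive mode. The NOTE tag `slqweq` a few lines above looks like a typo for `slaweq`.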
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
- name: Ensure SELinux is in permissive mode
|
||||||
|
become: yes
|
||||||
|
command: "setenforce 0"
|
|
@ -20,6 +20,8 @@ set -e
|
||||||
# directly or allow the gate_hook to import.
|
# directly or allow the gate_hook to import.
|
||||||
IS_GATE=${IS_GATE:-False}
|
IS_GATE=${IS_GATE:-False}
|
||||||
USE_CONSTRAINT_ENV=${USE_CONSTRAINT_ENV:-True}
|
USE_CONSTRAINT_ENV=${USE_CONSTRAINT_ENV:-True}
|
||||||
|
MYSQL_USER=${MYSQL_USER:-root}
|
||||||
|
DATABASE_USER=${DATABASE_USER:-${MYSQL_USER}}
|
||||||
|
|
||||||
|
|
||||||
if [[ "$IS_GATE" != "True" ]] && [[ "$#" -lt 1 ]]; then
|
if [[ "$IS_GATE" != "True" ]] && [[ "$#" -lt 1 ]]; then
|
||||||
|
@ -153,8 +155,8 @@ function _install_databases {
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
MYSQL_PASSWORD=${MYSQL_PASSWORD:-stackdb}
|
MYSQL_PASSWORD=${MYSQL_PASSWORD:-openstack_citest}
|
||||||
DATABASE_PASSWORD=${DATABASE_PASSWORD:-stackdb}
|
DATABASE_PASSWORD=${DATABASE_PASSWORD:-openstack_citest}
|
||||||
|
|
||||||
source $DEVSTACK_PATH/lib/database
|
source $DEVSTACK_PATH/lib/database
|
||||||
|
|
||||||
|
@ -176,18 +178,16 @@ function _install_databases {
|
||||||
|
|
||||||
cat << EOF > $tmp_dir/mysql.sql
|
cat << EOF > $tmp_dir/mysql.sql
|
||||||
CREATE DATABASE openstack_citest;
|
CREATE DATABASE openstack_citest;
|
||||||
CREATE USER 'openstack_citest'@'localhost' IDENTIFIED BY 'openstack_citest';
|
CREATE USER '${DATABASE_USER}'@'localhost' IDENTIFIED BY '${MYSQL_PASSWORD}';
|
||||||
CREATE USER 'openstack_citest' IDENTIFIED BY 'openstack_citest';
|
GRANT ALL PRIVILEGES ON *.* TO '${DATABASE_USER}'@'localhost';
|
||||||
GRANT ALL PRIVILEGES ON *.* TO 'openstack_citest'@'localhost';
|
|
||||||
GRANT ALL PRIVILEGES ON *.* TO 'openstack_citest';
|
|
||||||
FLUSH PRIVILEGES;
|
FLUSH PRIVILEGES;
|
||||||
EOF
|
EOF
|
||||||
/usr/bin/mysql -u root -p"$MYSQL_PASSWORD" < $tmp_dir/mysql.sql
|
/usr/bin/mysql -u root -p"$MYSQL_PASSWORD" < $tmp_dir/mysql.sql
|
||||||
|
|
||||||
if [[ "$install_pg" == "True" ]]; then
|
if [[ "$install_pg" == "True" ]]; then
|
||||||
cat << EOF > $tmp_dir/postgresql.sql
|
cat << EOF > $tmp_dir/postgresql.sql
|
||||||
CREATE USER openstack_citest WITH CREATEDB LOGIN PASSWORD 'openstack_citest';
|
CREATE USER ${DATABASE_USER} WITH CREATEDB LOGIN PASSWORD ${DATABASE_PASSWORD};
|
||||||
CREATE DATABASE openstack_citest WITH OWNER openstack_citest;
|
CREATE DATABASE ${DATABASE_USER} WITH OWNER ${DATABASE_USER};
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# User/group postgres needs to be given access to tmp_dir
|
# User/group postgres needs to be given access to tmp_dir
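Review bot: The rewritten PostgreSQL statement drops the quotes around the password: `PASSWORD ${DATABASE_PASSWORD}` expands to a bare word, and PostgreSQL expects a string literal there, so the line should read `CREATE USER ${DATABASE_USER} WITH CREATEDB LOGIN PASSWORD '${DATABASE_PASSWORD}';`. In the MySQL heredoc the test user is now created with `${MYSQL_PASSWORD}`, the same variable passed to `mysql -u root -p...`, so the test account and root share one secret; `IDENTIFIED BY '${DATABASE_PASSWORD}'` would keep them separate. Because `DATABASE_USER` falls back to `${MYSQL_USER}` (default `root`), a caller that does not set it would attempt `CREATE USER 'root'@'localhost'`, so defaulting to `openstack_citest` looks safer. `_install_databases` starts and ends outside the visible hunks.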
|
||||||
|
|
|
@ -104,6 +104,32 @@
|
||||||
required-projects:
|
required-projects:
|
||||||
- openstack/neutron-lib
|
- openstack/neutron-lib
|
||||||
|
|
||||||
|
- job:
|
||||||
|
name: neutron-functional-with-uwsgi-fips
|
||||||
|
parent: neutron-functional-with-uwsgi
|
||||||
|
nodeset: devstack-single-node-centos-8-stream
|
||||||
|
description: |
|
||||||
|
Functional testing for a FIPS enabled Centos 8 system
|
||||||
|
pre-run: playbooks/enable-fips.yaml
|
||||||
|
vars:
|
||||||
|
configure_swap_size: 4096
|
||||||
|
devstack_localrc:
|
||||||
|
ISCSI_CHAP_ALGORITHMS: SHA3-256,SHA256
|
||||||
|
Q_BUILD_OVS_FROM_GIT: true
|
||||||
|
|
||||||
|
- job:
|
||||||
|
name: neutron-fullstack-with-uwsgi-fips
|
||||||
|
parent: neutron-fullstack-with-uwsgi
|
||||||
|
nodeset: devstack-single-node-centos-8-stream
|
||||||
|
description: |
|
||||||
|
Functional testing for a FIPS enabled Centos 8 system
|
||||||
|
pre-run: playbooks/enable-fips.yaml
|
||||||
|
vars:
|
||||||
|
configure_swap_size: 4096
|
||||||
|
devstack_localrc:
|
||||||
|
ISCSI_CHAP_ALGORITHMS: SHA3-256,SHA256
|
||||||
|
Q_BUILD_OVS_FROM_GIT: true
|
||||||
|
|
||||||
- job:
|
- job:
|
||||||
name: neutron-linuxbridge-tempest-plugin-scenario-nftables
|
name: neutron-linuxbridge-tempest-plugin-scenario-nftables
|
||||||
parent: neutron-tempest-plugin-scenario-linuxbridge
|
parent: neutron-tempest-plugin-scenario-linuxbridge
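Review bot: The description of `neutron-fullstack-with-uwsgi-fips` was copied from the functional job and still says "Functional testing"; it should read `Fullstack testing for a FIPS enabled Centos 8 system`. Both new jobs also set `ISCSI_CHAP_ALGORITHMS: SHA3-256,SHA256` with no explanation; this looks like a block-storage setting, so a one-line comment saying why these neutron jobs need it under FIPS (or removing it if unused) would make the job definition easier to maintain.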
|
||||||
|
|
|
@ -85,6 +85,8 @@
|
||||||
|
|
||||||
experimental:
|
experimental:
|
||||||
jobs:
|
jobs:
|
||||||
|
- neutron-functional-with-uwsgi-fips
|
||||||
|
- neutron-fullstack-with-uwsgi-fips
|
||||||
- neutron-ovn-grenade-multinode
|
- neutron-ovn-grenade-multinode
|
||||||
- neutron-ovn-tempest-with-uwsgi-loki
|
- neutron-ovn-tempest-with-uwsgi-loki
|
||||||
- neutron-ovn-tempest-full-multinode-ovs-master
|
- neutron-ovn-tempest-full-multinode-ovs-master
|
||||||
|
|