Use centos amphora image in the FIPS jobs
The FIPS jobs use centos-8-stream controllers but the amphora image is still
based on ubuntu; this commit updates the amphora images to
centos-8-stream and enables FIPS inside the amphora.
Change-Id: I8916796ed6727a103907a33d3c14e99e1d3734e6
(cherry picked from commit 74a7cbe122
)
This commit is contained in:
parent
1986c89e3f
commit
903b9a76e5
@ -108,6 +108,9 @@ function build_octavia_worker_image {
|
||||
if [[ "$(trueorfalse False OCTAVIA_AMP_DISABLE_TMP_FS)" == "True" ]]; then
|
||||
export PARAM_OCTAVIA_AMP_DISABLE_TMP_FS='-f'
|
||||
fi
|
||||
if [[ "$(trueorfalse False OCTAVIA_AMP_ENABLE_FIPS)" == "True" ]]; then
|
||||
export PARAM_OCTAVIA_AMP_ENABLE_FIPS='-y'
|
||||
fi
|
||||
|
||||
# Use the infra pypi mirror if it is available
|
||||
if [[ -e /etc/ci/mirror_info.sh ]]; then
|
||||
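Review bot: The new `OCTAVIA_AMP_ENABLE_FIPS` branch only exports the `-y` flag and never checks that `OCTAVIA_AMP_BASE_OS` is a Red Hat family OS, so a job that enables FIPS on the default base image only fails deep inside the diskimage-builder run, when the amphora-fips element prints its "not supported" error. Failing fast here is cheap: `if [[ "$(trueorfalse False OCTAVIA_AMP_ENABLE_FIPS)" == "True" && ! "${OCTAVIA_AMP_BASE_OS:-}" =~ ^(centos|rhel|fedora)$ ]]; then die $LINENO "OCTAVIA_AMP_ENABLE_FIPS requires a Red Hat family OCTAVIA_AMP_BASE_OS"; fi` (treating an unset base OS as unsupported, which is presumably the ubuntu default). The enclosing build_octavia_worker_image starts before this hunk and continues past it; the second hunk at -131 is where the exported flag is passed through to diskimage-create.sh.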
@ -131,7 +134,7 @@ function build_octavia_worker_image {
|
||||
fi
|
||||
sudo mkdir -m755 ${dib_logs}
|
||||
sudo chown $STACK_USER ${dib_logs}
|
||||
$OCTAVIA_DIR/diskimage-create/diskimage-create.sh -l ${dib_logs}/$(basename $OCTAVIA_AMP_IMAGE_FILE).log $octavia_dib_tracing_arg -o $OCTAVIA_AMP_IMAGE_FILE ${PARAM_OCTAVIA_AMP_BASE_OS:-} ${PARAM_OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID:-} ${PARAM_OCTAVIA_AMP_IMAGE_SIZE:-} ${PARAM_OCTAVIA_AMP_IMAGE_ARCH:-} ${PARAM_OCTAVIA_AMP_DISABLE_TMP_FS:-}
|
||||
$OCTAVIA_DIR/diskimage-create/diskimage-create.sh -l ${dib_logs}/$(basename $OCTAVIA_AMP_IMAGE_FILE).log $octavia_dib_tracing_arg -o $OCTAVIA_AMP_IMAGE_FILE ${PARAM_OCTAVIA_AMP_BASE_OS:-} ${PARAM_OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID:-} ${PARAM_OCTAVIA_AMP_IMAGE_SIZE:-} ${PARAM_OCTAVIA_AMP_IMAGE_ARCH:-} ${PARAM_OCTAVIA_AMP_DISABLE_TMP_FS:-} ${PARAM_OCTAVIA_AMP_ENABLE_FIPS:-}
|
||||
fi
|
||||
|
||||
if ! [ -f $OCTAVIA_AMP_IMAGE_FILE ]; then
|
||||
|
@ -118,6 +118,7 @@ Command syntax:
|
||||
[-v]
|
||||
[-w <working directory> ]
|
||||
[-x]
|
||||
[-y]
|
||||
|
||||
'-a' is the architecture type for the image (default: amd64)
|
||||
'-b' is the backend type (default: haproxy)
|
||||
@ -139,6 +140,7 @@ Command syntax:
|
||||
'-v' display the script version
|
||||
'-w' working directory for image building (default: .)
|
||||
'-x' enable tracing for diskimage-builder
|
||||
'-y' enable FIPS 140-2 mode in the amphora image
|
||||
|
||||
|
||||
Building Images for Alternate Branches
|
||||
|
@ -61,6 +61,7 @@ usage() {
|
||||
echo " '-v' display the script version"
|
||||
echo " '-w' working directory for image building (default: .)"
|
||||
echo " '-x' enable tracing for diskimage-builder"
|
||||
echo " '-y' enable FIPS 140-2 mode in the amphora image"
|
||||
echo
|
||||
exit 1
|
||||
}
|
||||
@ -91,7 +92,7 @@ dib_enable_tracing=
|
||||
|
||||
AMP_LOGFILE=""
|
||||
|
||||
while getopts "a:b:c:d:efg:hi:k:l:no:pt:r:s:vw:x" opt; do
|
||||
while getopts "a:b:c:d:efg:hi:k:l:no:pt:r:s:vw:xy" opt; do
|
||||
case $opt in
|
||||
a)
|
||||
AMP_ARCH=$OPTARG
|
||||
@ -207,6 +208,8 @@ while getopts "a:b:c:d:efg:hi:k:l:no:pt:r:s:vw:x" opt; do
|
||||
;;
|
||||
x) dib_enable_tracing=1
|
||||
;;
|
||||
y) AMP_ENABLE_FIPS=1
|
||||
;;
|
||||
*)
|
||||
usage
|
||||
;;
|
||||
@ -256,6 +259,8 @@ AMP_ENABLE_FULL_MAC_SECURITY=${AMP_ENABLE_FULL_MAC_SECURITY:-0}
|
||||
|
||||
AMP_DISABLE_TMP_FS=${AMP_DISABLE_TMP_FS:-""}
|
||||
|
||||
AMP_ENABLE_FIPS=${AMP_ENABLE_FIPS:-0}
|
||||
|
||||
if [[ "$AMP_BASEOS" =~ ^(rhel|fedora)$ ]] && [[ "$AMP_IMAGESIZE" -lt 3 ]]; then
|
||||
echo "RHEL/Fedora based amphora requires an image size of at least 3GB"
|
||||
exit 1
|
||||
@ -471,6 +476,11 @@ if [ "$AMP_DISABLE_SSHD" -eq 1 ]; then
|
||||
AMP_element_sequence="$AMP_element_sequence remove-sshd"
|
||||
fi
|
||||
|
||||
# Enable FIPS if requested
|
||||
if [ "$AMP_ENABLE_FIPS" -eq 1 ]; then
|
||||
AMP_element_sequence="$AMP_element_sequence amphora-fips"
|
||||
fi
|
||||
|
||||
# Allow full elements override
|
||||
if [ "$DIB_ELEMENTS" ]; then
|
||||
AMP_element_sequence="$DIB_ELEMENTS"
|
||||
|
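Review bot: In the hunk at -471 the `-y` option is honoured for every `AMP_BASEOS`, yet the amphora-fips element it appends aborts for ubuntu/debian, so the incompatibility is only reported once dib has already started building. The script already validates base-OS specific constraints up front (the RHEL/Fedora image-size check in the -256 hunk), so a matching early check is consistent with the existing style: `if [ "$AMP_ENABLE_FIPS" -eq 1 ] && ! [[ "$AMP_BASEOS" =~ ^(rhel|centos|fedora)$ ]]; then` / `echo "FIPS mode (-y) is only supported on Red Hat family base images"; exit 1` / `fi`. The new `AMP_ENABLE_FIPS=${AMP_ENABLE_FIPS:-0}` default in the -256 hunk makes the `-eq 1` test safe when `-y` was not given.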
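--- a/elements/amphora-fips/README.rst
+++ b/elements/amphora-fips/README.rst
@@ -0,0 +1,7 @@
+Element to enable FIPS mode inside the Amphora.
+
+This element configures the Amphora OS to enable FIPS 140-2 mode in the
+operating system for the Amphora.
+
+Note: Current this element only supports the Red Hat family of operating
+systems.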
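--- a/elements/amphora-fips/element-deps
+++ b/elements/amphora-fips/element-deps
@@ -0,0 +1,4 @@
+bootloader
+dracut-regenerate
+package-installs
+pkg-map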
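--- a/elements/amphora-fips/environment.d/95-enable-fips
+++ b/elements/amphora-fips/environment.d/95-enable-fips
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+set -x
+fi
+
+set -eu
+set -o pipefail
+
+case $DISTRO_NAME in
+ubuntu | debian )
+echo "ERROR: $DISTRO_NAME is not supported for FIPS mode."
+exit 1
+;;
+fedora | centos* | rhel* )
+DIB_DRACUT_ENABLED_MODULES+="
+- name: fips
+"
+export DIB_DRACUT_ENABLED_MODULES
+
+DIB_BOOTLOADER_DEFAULT_CMDLINE+=" fips=1"
+export DIB_BOOTLOADER_DEFAULT_CMDLINE
+;;
+*)
+echo "ERROR: Unsupported distribution $DISTRO_NAME"
+exit 1
+;;
+esac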
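Review bot: `DIB_BOOTLOADER_DEFAULT_CMDLINE+=" fips=1"` and the `DIB_DRACUT_ENABLED_MODULES+=` append only extend the bootloader and dracut-regenerate elements' defaults if those elements' environment.d files have already been sourced; the `95-` prefix presumably orders this file after them, but nothing in the script records that dependency, and if the ordering ever changes the `+=` silently becomes a plain assignment that drops the default kernel command line. A comment above the appends would make it explicit: `# Must sort after the bootloader/dracut-regenerate environment.d files (see element-deps) so += extends their values instead of replacing them`. The `fips=1` kernel parameter is only meaningful when the dracut fips module lands in the regenerated initramfs, so the dracut-regenerate entry in element-deps is load-bearing and deserves a mention in the README as well.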
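--- a/elements/amphora-fips/package-installs.yaml
+++ b/elements/amphora-fips/package-installs.yaml
@@ -0,0 +1,2 @@
+# Required for fips-mode-setup to enable fips mode
+crypto-policies-scripts: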
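Review bot: The comment `# Required for fips-mode-setup to enable fips mode` names a tool the element never runs; post-install.d/10-enable-fips calls `update-crypto-policies --no-reload --set FIPS`, which is the command that actually needs this package. A reader following the comment will look for a fips-mode-setup call that does not exist, so reword it to `# Provides update-crypto-policies, used by post-install.d/10-enable-fips to set the FIPS crypto policy`.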
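--- a/elements/amphora-fips/pkg-map
+++ b/elements/amphora-fips/pkg-map
@@ -0,0 +1,10 @@
+{
+"family": {
+"redhat": {
+"crypto-policies-scripts": "crypto-policies-scripts"
+}
+},
+"default": {
+"crypto-policies-scripts": ""
+}
+}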
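--- a/elements/amphora-fips/post-install.d/10-enable-fips
+++ b/elements/amphora-fips/post-install.d/10-enable-fips
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+set -x
+fi
+
+set -eu
+set -o pipefail
+
+case $DISTRO_NAME in
+ubuntu | debian )
+echo "ERROR: $DISTRO_NAME is not supported for FIPS mode."
+exit 1
+;;
+fedora | centos* | rhel* )
+update-crypto-policies --no-reload --set FIPS
+;;
+*)
+echo "ERROR: Unsupported distribution $DISTRO_NAME"
+exit 1
+;;
+esac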
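Review bot: `update-crypto-policies --no-reload --set FIPS` relies solely on `set -e` for error handling and never confirms that the FIPS policy is the one in effect once the script finishes, so a later element that resets the policy would leave an image that boots with `fips=1` but a non-FIPS userspace policy, which is a silent compliance gap. Verifying the result in the same script costs one line: `[ "$(update-crypto-policies --show)" = "FIPS" ] || { echo "ERROR: FIPS crypto policy not active"; exit 1; }`. A header comment noting that the kernel-side `fips=1` and dracut fips module are configured in environment.d/95-enable-fips while this script covers only the userspace crypto policy would help readers see that the two halves belong together.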
@ -202,9 +202,15 @@
|
||||
parent: octavia-v2-dsvm-scenario
|
||||
nodeset: octavia-single-node-centos-8-stream
|
||||
description: |
|
||||
Functional testing for a FIPS enabled Centos 8 system
|
||||
Functional testing for a FIPS enabled Centos 8 system.
|
||||
pre-run: playbooks/enable-fips.yaml
|
||||
timeout: 10800
|
||||
vars:
|
||||
devstack_localrc:
|
||||
OCTAVIA_AMP_BASE_OS: centos
|
||||
OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID: 8-stream
|
||||
OCTAVIA_AMP_IMAGE_SIZE: 3
|
||||
OCTAVIA_AMP_ENABLE_FIPS: True
|
||||
devstack_local_conf:
|
||||
test-config:
|
||||
"$TEMPEST_CONFIG":
|
||||
@ -219,6 +225,11 @@
|
||||
Functional testing for a FIPS enabled Centos 8 system
|
||||
pre-run: playbooks/enable-fips.yaml
|
||||
vars:
|
||||
devstack_localrc:
|
||||
OCTAVIA_AMP_BASE_OS: centos
|
||||
OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID: 8-stream
|
||||
OCTAVIA_AMP_IMAGE_SIZE: 3
|
||||
OCTAVIA_AMP_ENABLE_FIPS: True
|
||||
devstack_local_conf:
|
||||
test-config:
|
||||
"$TEMPEST_CONFIG":
|
||||
|
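Review bot: The description in the hunk at -219, `Functional testing for a FIPS enabled Centos 8 system`, is left without the trailing period that the hunk at -202 adds to the otherwise identical sentence, so the two job descriptions now differ only in punctuation. Both hunks also add the same four `devstack_localrc` keys (`OCTAVIA_AMP_BASE_OS`, `OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID`, `OCTAVIA_AMP_IMAGE_SIZE`, `OCTAVIA_AMP_ENABLE_FIPS`) verbatim; if the two jobs share a parent, hoisting them into a common FIPS parent job, or at least a YAML anchor, would keep the base image settings from drifting apart. Each job definition starts before its hunk, so the second job's parent is not visible here.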
@ -50,9 +50,6 @@
|
||||
- ^tools/.*$
|
||||
- ^(test-|)requirements.txt$
|
||||
- ^tox.ini$
|
||||
- octavia-v2-dsvm-scenario-fips:
|
||||
irrelevant-files: *irrelevant-files
|
||||
voting: false
|
||||
- octavia-v2-dsvm-tls-barbican-fips:
|
||||
irrelevant-files: *irrelevant-files
|
||||
voting: false
|
||||
@ -109,6 +106,9 @@
|
||||
branches: ^(?!stable/.*).*$
|
||||
- octavia-amphora-image-build
|
||||
- octavia-grenade-ffu
|
||||
# Putting octavia-v2-dsvm-scenario-fips in periodic as centos 8 is too slow
|
||||
- octavia-v2-dsvm-scenario-fips:
|
||||
voting: false
|
||||
experimental:
|
||||
jobs:
|
||||
- octavia-v2-dsvm-scenario-nftables
|
||||
|
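Review bot: `octavia-v2-dsvm-tls-barbican-fips` is removed from the check pipeline in the hunk at -50 but, unlike `octavia-v2-dsvm-scenario-fips`, is not re-added to periodic in the hunk at -109, so unless it is re-added in a part of the file outside this diff the TLS/Barbican FIPS variant loses all scheduled coverage. Either add it next to the scenario job, `- octavia-v2-dsvm-tls-barbican-fips:` / `voting: false`, or extend the new comment so the omission is clearly deliberate, e.g. `# tls-barbican-fips intentionally dropped: <reason>`.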