Use centos amphora image in the FIPS jobs

The FIPS jobs use centos-8-stream controllers but the image is still
based on ubuntu, this commit updates the amphora images to
centos-8-stream and enable FIPS inside the amphora.

Change-Id: I8916796ed6727a103907a33d3c14e99e1d3734e6
(cherry picked from commit 74a7cbe122)

devstack/plugin.sh

@@ -108,6 +108,9 @@ function build_octavia_worker_image {
     if [[ "$(trueorfalse False OCTAVIA_AMP_DISABLE_TMP_FS)" == "True" ]]; then
         export PARAM_OCTAVIA_AMP_DISABLE_TMP_FS='-f'
     fi
+    if [[ "$(trueorfalse False OCTAVIA_AMP_ENABLE_FIPS)" == "True" ]]; then
+        export PARAM_OCTAVIA_AMP_ENABLE_FIPS='-y'
+    fi
 
     # Use the infra pypi mirror if it is available
     if [[ -e /etc/ci/mirror_info.sh ]]; then
@@ -131,7 +134,7 @@ function build_octavia_worker_image {
         fi
         sudo mkdir -m755 ${dib_logs}
         sudo chown $STACK_USER ${dib_logs}
-        $OCTAVIA_DIR/diskimage-create/diskimage-create.sh -l ${dib_logs}/$(basename $OCTAVIA_AMP_IMAGE_FILE).log $octavia_dib_tracing_arg -o $OCTAVIA_AMP_IMAGE_FILE ${PARAM_OCTAVIA_AMP_BASE_OS:-} ${PARAM_OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID:-} ${PARAM_OCTAVIA_AMP_IMAGE_SIZE:-} ${PARAM_OCTAVIA_AMP_IMAGE_ARCH:-} ${PARAM_OCTAVIA_AMP_DISABLE_TMP_FS:-}
+        $OCTAVIA_DIR/diskimage-create/diskimage-create.sh -l ${dib_logs}/$(basename $OCTAVIA_AMP_IMAGE_FILE).log $octavia_dib_tracing_arg -o $OCTAVIA_AMP_IMAGE_FILE ${PARAM_OCTAVIA_AMP_BASE_OS:-} ${PARAM_OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID:-} ${PARAM_OCTAVIA_AMP_IMAGE_SIZE:-} ${PARAM_OCTAVIA_AMP_IMAGE_ARCH:-} ${PARAM_OCTAVIA_AMP_DISABLE_TMP_FS:-} ${PARAM_OCTAVIA_AMP_ENABLE_FIPS:-}
     fi
 
     if ! [ -f $OCTAVIA_AMP_IMAGE_FILE ]; then

diskimage-create/README.rst

@@ -118,6 +118,7 @@ Command syntax:
             [-v]
             [-w <working directory> ]
             [-x]
+            [-y]
 
         '-a' is the architecture type for the image (default: amd64)
         '-b' is the backend type (default: haproxy)
@@ -139,6 +140,7 @@ Command syntax:
         '-v' display the script version
         '-w' working directory for image building (default: .)
         '-x' enable tracing for diskimage-builder
+        '-y' enable FIPS 140-2 mode in the amphora image
 
 
 Building Images for Alternate Branches

diskimage-create/diskimage-create.sh

@@ -61,6 +61,7 @@ usage() {
     echo "        '-v' display the script version"
     echo "        '-w' working directory for image building (default: .)"
     echo "        '-x' enable tracing for diskimage-builder"
+    echo "        '-y' enable FIPS 140-2 mode in the amphora image"
     echo
     exit 1
 }
@@ -91,7 +92,7 @@ dib_enable_tracing=
 
 AMP_LOGFILE=""
 
-while getopts "a:b:c:d:efg:hi:k:l:no:pt:r:s:vw:x" opt; do
+while getopts "a:b:c:d:efg:hi:k:l:no:pt:r:s:vw:xy" opt; do
     case $opt in
         a)
             AMP_ARCH=$OPTARG
@@ -207,6 +208,8 @@ while getopts "a:b:c:d:efg:hi:k:l:no:pt:r:s:vw:x" opt; do
         ;;
         x)  dib_enable_tracing=1
         ;;
+        y)  AMP_ENABLE_FIPS=1
+        ;;
         *)
             usage
         ;;
@@ -256,6 +259,8 @@ AMP_ENABLE_FULL_MAC_SECURITY=${AMP_ENABLE_FULL_MAC_SECURITY:-0}
 
 AMP_DISABLE_TMP_FS=${AMP_DISABLE_TMP_FS:-""}
 
+AMP_ENABLE_FIPS=${AMP_ENABLE_FIPS:-0}
+
 if [[ "$AMP_BASEOS" =~ ^(rhel|fedora)$ ]] && [[ "$AMP_IMAGESIZE" -lt 3 ]]; then
     echo "RHEL/Fedora based amphora requires an image size of at least 3GB"
     exit 1
@@ -471,6 +476,11 @@ if [ "$AMP_DISABLE_SSHD" -eq 1 ]; then
     AMP_element_sequence="$AMP_element_sequence remove-sshd"
 fi
 
+# Enable FIPS if requested
+if [ "$AMP_ENABLE_FIPS" -eq 1 ]; then
+    AMP_element_sequence="$AMP_element_sequence amphora-fips"
+fi
+
 # Allow full elements override
 if [ "$DIB_ELEMENTS" ]; then
     AMP_element_sequence="$DIB_ELEMENTS"

elements/amphora-fips/README.rst

@@ -0,0 +1,7 @@
+Element to enable FIPS mode inside the Amphora.
+
+This element configures the Amphora OS to enable FIPS 140-2 mode in the
+operating system for the Amphora.
+
+Note: Current this element only supports the Red Hat family of operating
+systems.

elements/amphora-fips/element-deps

@@ -0,0 +1,4 @@
+bootloader
+dracut-regenerate
+package-installs
+pkg-map

elements/amphora-fips/environment.d/95-enable-fips

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+    set -x
+fi
+
+set -eu
+set -o pipefail
+
+case $DISTRO_NAME in
+    ubuntu | debian )
+        echo "ERROR: $DISTRO_NAME is not supported for FIPS mode."
+        exit 1
+    ;;
+    fedora | centos* | rhel* )
+        DIB_DRACUT_ENABLED_MODULES+="
+- name: fips
+        "
+        export DIB_DRACUT_ENABLED_MODULES
+
+        DIB_BOOTLOADER_DEFAULT_CMDLINE+=" fips=1"
+        export DIB_BOOTLOADER_DEFAULT_CMDLINE
+    ;;
+    *)
+        echo "ERROR: Unsupported distribution $DISTRO_NAME"
+        exit 1
+    ;;
+esac

elements/amphora-fips/package-installs.yaml

@@ -0,0 +1,2 @@
+# Required for fips-mode-setup to enable fips mode
+crypto-policies-scripts:

elements/amphora-fips/pkg-map

@@ -0,0 +1,10 @@
+{
+  "family": {
+    "redhat": {
+      "crypto-policies-scripts": "crypto-policies-scripts"
+    }
+  },
+  "default": {
+      "crypto-policies-scripts": ""
+  }
+}

elements/amphora-fips/post-install.d/10-enable-fips

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+    set -x
+fi
+
+set -eu
+set -o pipefail
+
+case $DISTRO_NAME in
+    ubuntu | debian )
+        echo "ERROR: $DISTRO_NAME is not supported for FIPS mode."
+        exit 1
+    ;;
+    fedora | centos* | rhel* )
+        update-crypto-policies --no-reload --set FIPS
+    ;;
+    *)
+        echo "ERROR: Unsupported distribution $DISTRO_NAME"
+        exit 1
+    ;;
+esac

zuul.d/jobs.yaml

@@ -202,9 +202,15 @@
     parent: octavia-v2-dsvm-scenario
     nodeset: octavia-single-node-centos-8-stream
     description: |
-      Functional testing for a FIPS enabled Centos 8 system
+      Functional testing for a FIPS enabled Centos 8 system.
     pre-run: playbooks/enable-fips.yaml
+    timeout: 10800
     vars:
+      devstack_localrc:
+        OCTAVIA_AMP_BASE_OS: centos
+        OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID: 8-stream
+        OCTAVIA_AMP_IMAGE_SIZE: 3
+        OCTAVIA_AMP_ENABLE_FIPS: True
       devstack_local_conf:
         test-config:
           "$TEMPEST_CONFIG":
@@ -219,6 +225,11 @@
       Functional testing for a FIPS enabled Centos 8 system
     pre-run: playbooks/enable-fips.yaml
     vars:
+      devstack_localrc:
+        OCTAVIA_AMP_BASE_OS: centos
+        OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID: 8-stream
+        OCTAVIA_AMP_IMAGE_SIZE: 3
+        OCTAVIA_AMP_ENABLE_FIPS: True
       devstack_local_conf:
         test-config:
           "$TEMPEST_CONFIG":

zuul.d/projects.yaml

@@ -50,9 +50,6 @@
               - ^tools/.*$
               - ^(test-|)requirements.txt$
               - ^tox.ini$
-        - octavia-v2-dsvm-scenario-fips:
-            irrelevant-files: *irrelevant-files
-            voting: false
         - octavia-v2-dsvm-tls-barbican-fips:
             irrelevant-files: *irrelevant-files
             voting: false
@@ -109,6 +106,9 @@
             branches: ^(?!stable/.*).*$
         - octavia-amphora-image-build
         - octavia-grenade-ffu
+# Putting octavia-v2-dsvm-scenario-fips in periodic as centos 8 is too slow
+        - octavia-v2-dsvm-scenario-fips:
+            voting: false
     experimental:
       jobs:
         - octavia-v2-dsvm-scenario-nftables