Merge "Use centos amphora image in the FIPS jobs"

Zuul 2022-02-23 01:42:56 +00:00 committed by Gerrit Code Review
commit c5561a3ecb
11 changed files with 105 additions and 6 deletions


@ -108,6 +108,9 @@ function build_octavia_worker_image {
if [[ "$(trueorfalse False OCTAVIA_AMP_DISABLE_TMP_FS)" == "True" ]]; then if [[ "$(trueorfalse False OCTAVIA_AMP_DISABLE_TMP_FS)" == "True" ]]; then
export PARAM_OCTAVIA_AMP_DISABLE_TMP_FS='-f' export PARAM_OCTAVIA_AMP_DISABLE_TMP_FS='-f'
fi fi
if [[ "$(trueorfalse False OCTAVIA_AMP_ENABLE_FIPS)" == "True" ]]; then
export PARAM_OCTAVIA_AMP_ENABLE_FIPS='-y'
fi
# Use the infra pypi mirror if it is available # Use the infra pypi mirror if it is available
if [[ -e /etc/ci/mirror_info.sh ]]; then if [[ -e /etc/ci/mirror_info.sh ]]; then
@ -131,7 +134,7 @@ function build_octavia_worker_image {
fi fi
sudo mkdir -m755 ${dib_logs} sudo mkdir -m755 ${dib_logs}
sudo chown $STACK_USER ${dib_logs} sudo chown $STACK_USER ${dib_logs}
$OCTAVIA_DIR/diskimage-create/diskimage-create.sh -l ${dib_logs}/$(basename $OCTAVIA_AMP_IMAGE_FILE).log $octavia_dib_tracing_arg -o $OCTAVIA_AMP_IMAGE_FILE ${PARAM_OCTAVIA_AMP_BASE_OS:-} ${PARAM_OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID:-} ${PARAM_OCTAVIA_AMP_IMAGE_SIZE:-} ${PARAM_OCTAVIA_AMP_IMAGE_ARCH:-} ${PARAM_OCTAVIA_AMP_DISABLE_TMP_FS:-} $OCTAVIA_DIR/diskimage-create/diskimage-create.sh -l ${dib_logs}/$(basename $OCTAVIA_AMP_IMAGE_FILE).log $octavia_dib_tracing_arg -o $OCTAVIA_AMP_IMAGE_FILE ${PARAM_OCTAVIA_AMP_BASE_OS:-} ${PARAM_OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID:-} ${PARAM_OCTAVIA_AMP_IMAGE_SIZE:-} ${PARAM_OCTAVIA_AMP_IMAGE_ARCH:-} ${PARAM_OCTAVIA_AMP_DISABLE_TMP_FS:-} ${PARAM_OCTAVIA_AMP_ENABLE_FIPS:-}
fi fi
if ! [ -f $OCTAVIA_AMP_IMAGE_FILE ]; then if ! [ -f $OCTAVIA_AMP_IMAGE_FILE ]; then
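Review bot: The new `-y` pass-through on line 15 is not paired with any check that the chosen base OS can honour it; the amphora-fips element added in this change supports only the Red Hat family, so an Ubuntu build with OCTAVIA_AMP_ENABLE_FIPS=True fails only deep inside diskimage-create. Failing fast in the plugin is cheap, e.g. `if [[ "$(trueorfalse False OCTAVIA_AMP_ENABLE_FIPS)" == "True" && ! "${OCTAVIA_AMP_BASE_OS:-}" =~ ^(centos|rhel|fedora)$ ]]; then die $LINENO "OCTAVIA_AMP_ENABLE_FIPS requires a Red Hat family OCTAVIA_AMP_BASE_OS"; fi` (the centos spelling is the one the zuul vars in this change use; adjust the list to the values the plugin actually accepts). Whether `die` is in scope here depends on devstack functions being sourced, which the hunk does not show; build_octavia_worker_image starts and ends outside the hunk.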


@ -118,6 +118,7 @@ Command syntax:
[-v] [-v]
[-w <working directory> ] [-w <working directory> ]
[-x] [-x]
[-y]
'-a' is the architecture type for the image (default: amd64) '-a' is the architecture type for the image (default: amd64)
'-b' is the backend type (default: haproxy) '-b' is the backend type (default: haproxy)
@ -139,6 +140,7 @@ Command syntax:
'-v' display the script version '-v' display the script version
'-w' working directory for image building (default: .) '-w' working directory for image building (default: .)
'-x' enable tracing for diskimage-builder '-x' enable tracing for diskimage-builder
'-y' enable FIPS 140-2 mode in the amphora image
Building Images for Alternate Branches Building Images for Alternate Branches


@ -61,6 +61,7 @@ usage() {
echo " '-v' display the script version" echo " '-v' display the script version"
echo " '-w' working directory for image building (default: .)" echo " '-w' working directory for image building (default: .)"
echo " '-x' enable tracing for diskimage-builder" echo " '-x' enable tracing for diskimage-builder"
echo " '-y' enable FIPS 140-2 mode in the amphora image"
echo echo
exit 1 exit 1
} }
@ -91,7 +92,7 @@ dib_enable_tracing=
AMP_LOGFILE="" AMP_LOGFILE=""
while getopts "a:b:c:d:efg:hi:k:l:no:pt:r:s:vw:x" opt; do while getopts "a:b:c:d:efg:hi:k:l:no:pt:r:s:vw:xy" opt; do
case $opt in case $opt in
a) a)
AMP_ARCH=$OPTARG AMP_ARCH=$OPTARG
@ -207,6 +208,8 @@ while getopts "a:b:c:d:efg:hi:k:l:no:pt:r:s:vw:x" opt; do
;; ;;
x) dib_enable_tracing=1 x) dib_enable_tracing=1
;; ;;
y) AMP_ENABLE_FIPS=1
;;
*) *)
usage usage
;; ;;
@ -256,6 +259,8 @@ AMP_ENABLE_FULL_MAC_SECURITY=${AMP_ENABLE_FULL_MAC_SECURITY:-0}
AMP_DISABLE_TMP_FS=${AMP_DISABLE_TMP_FS:-""} AMP_DISABLE_TMP_FS=${AMP_DISABLE_TMP_FS:-""}
AMP_ENABLE_FIPS=${AMP_ENABLE_FIPS:-0}
if [[ "$AMP_BASEOS" =~ ^(rhel|fedora)$ ]] && [[ "$AMP_IMAGESIZE" -lt 3 ]]; then if [[ "$AMP_BASEOS" =~ ^(rhel|fedora)$ ]] && [[ "$AMP_IMAGESIZE" -lt 3 ]]; then
echo "RHEL/Fedora based amphora requires an image size of at least 3GB" echo "RHEL/Fedora based amphora requires an image size of at least 3GB"
exit 1 exit 1
@ -471,6 +476,11 @@ if [ "$AMP_DISABLE_SSHD" -eq 1 ]; then
AMP_element_sequence="$AMP_element_sequence remove-sshd" AMP_element_sequence="$AMP_element_sequence remove-sshd"
fi fi
# Enable FIPS if requested
if [ "$AMP_ENABLE_FIPS" -eq 1 ]; then
AMP_element_sequence="$AMP_element_sequence amphora-fips"
fi
# Allow full elements override # Allow full elements override
if [ "$DIB_ELEMENTS" ]; then if [ "$DIB_ELEMENTS" ]; then
AMP_element_sequence="$DIB_ELEMENTS" AMP_element_sequence="$DIB_ELEMENTS"
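Review bot: `AMP_ENABLE_FIPS` is accepted for any `AMP_BASEOS`, but the amphora-fips element in this change exits with an error on ubuntu/debian and on unknown distributions, so a `-y` build on a Debian-family base OS fails only once the element runs. A fail-fast check beside the existing rhel/fedora size check in the hunk at 68 would surface it earlier, e.g. `if [ "$AMP_ENABLE_FIPS" -eq 1 ] && ! [[ "$AMP_BASEOS" =~ ^(centos|rhel|fedora)$ ]]; then echo "FIPS mode (-y) requires a Red Hat family AMP_BASEOS" >&2; exit 1; fi` — the centos spelling comes from the zuul vars in this change; match it to the values AMP_BASEOS really takes. Note also that when `DIB_ELEMENTS` is set, the full override that follows line 80 replaces the sequence and silently drops `amphora-fips`, as it already does for the other conditional elements; a comment above line 77 such as `# Ignored when DIB_ELEMENTS overrides the element list below` would save a maintainer the surprise.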


@ -0,0 +1,7 @@
Element to enable FIPS mode inside the Amphora.
This element configures the Amphora OS to enable FIPS 140-2 mode in the
operating system for the Amphora.
Note: Current this element only supports the Red Hat family of operating
systems.


@ -0,0 +1,4 @@
bootloader
dracut-regenerate
package-installs
pkg-map


@ -0,0 +1,28 @@
#!/bin/bash
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
case $DISTRO_NAME in
ubuntu | debian )
echo "ERROR: $DISTRO_NAME is not supported for FIPS mode."
exit 1
;;
fedora | centos* | rhel* )
DIB_DRACUT_ENABLED_MODULES+="
- name: fips
"
export DIB_DRACUT_ENABLED_MODULES
DIB_BOOTLOADER_DEFAULT_CMDLINE+=" fips=1"
export DIB_BOOTLOADER_DEFAULT_CMDLINE
;;
*)
echo "ERROR: Unsupported distribution $DISTRO_NAME"
exit 1
;;
esac
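Review bot: The kernel half of FIPS mode is enabled with `fips=1` alone on line 121; dracut's fips module additionally needs a `boot=<device>` argument when /boot is a separate filesystem, because it has to locate the kernel's .hmac file before the root filesystem is mounted (fips-mode-setup adds that argument itself on a live system). If the amphora image is single-partition this is fine, but the assumption deserves a comment on line 121, e.g. `# Single-partition image: the dracut fips module finds the kernel .hmac under /boot on the root fs, so no boot= argument is needed`. As a point of style, the `ubuntu | debian` arm and the `*)` arm on lines 112-127 differ only in wording and could be one arm, and the diagnostics on lines 113 and 125 should go to stderr (`>&2`) rather than stdout; the install.d script later in this change has the same case structure and the same points apply there.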


@ -0,0 +1,2 @@
# Required for fips-mode-setup to enable fips mode
crypto-policies-scripts:
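Review bot: The comment on line 133 credits `fips-mode-setup`, but the element's install script in this change runs `update-crypto-policies --no-reload --set FIPS`, and that is the binary this package is needed for (both tools ship in crypto-policies-scripts, so the dependency itself is correct). Suggest `# Provides update-crypto-policies, used by install.d to select the FIPS crypto policy` so the comment matches what the element actually does.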


@ -0,0 +1,10 @@
{
"family": {
"redhat": {
"crypto-policies-scripts": "crypto-policies-scripts"
}
},
"default": {
"crypto-policies-scripts": ""
}
}


@ -0,0 +1,22 @@
#!/bin/bash
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
case $DISTRO_NAME in
ubuntu | debian )
echo "ERROR: $DISTRO_NAME is not supported for FIPS mode."
exit 1
;;
fedora | centos* | rhel* )
update-crypto-policies --no-reload --set FIPS
;;
*)
echo "ERROR: Unsupported distribution $DISTRO_NAME"
exit 1
;;
esac
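Review bot: `update-crypto-policies --set FIPS` on line 165 selects the userspace crypto policy only, and nothing in this script records why the usual `fips-mode-setup --enable` is not used or that the kernel half (`fips=1`, dracut fips module) is configured by the element's environment.d hook instead. A comment above line 165 along the lines of `# fips-mode-setup --enable works on the running system (regenerates the initramfs, edits the bootloader) and cannot run in the chroot, so only the crypto policy is set here; kernel FIPS mode is wired up in environment.d via the dracut-regenerate and bootloader elements` would keep the two halves discoverable. Stating that `--no-reload` is used because there are no running daemons in the chroot to signal would complete the picture.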


@ -202,9 +202,15 @@
parent: octavia-v2-dsvm-scenario parent: octavia-v2-dsvm-scenario
nodeset: octavia-single-node-centos-8-stream nodeset: octavia-single-node-centos-8-stream
description: | description: |
Functional testing for a FIPS enabled Centos 8 system Functional testing for a FIPS enabled Centos 8 system.
pre-run: playbooks/enable-fips.yaml pre-run: playbooks/enable-fips.yaml
timeout: 10800
vars: vars:
devstack_localrc:
OCTAVIA_AMP_BASE_OS: centos
OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID: 8-stream
OCTAVIA_AMP_IMAGE_SIZE: 3
OCTAVIA_AMP_ENABLE_FIPS: True
devstack_local_conf: devstack_local_conf:
test-config: test-config:
"$TEMPEST_CONFIG": "$TEMPEST_CONFIG":
@ -219,6 +225,11 @@
Functional testing for a FIPS enabled Centos 8 system Functional testing for a FIPS enabled Centos 8 system
pre-run: playbooks/enable-fips.yaml pre-run: playbooks/enable-fips.yaml
vars: vars:
devstack_localrc:
OCTAVIA_AMP_BASE_OS: centos
OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID: 8-stream
OCTAVIA_AMP_IMAGE_SIZE: 3
OCTAVIA_AMP_ENABLE_FIPS: True
devstack_local_conf: devstack_local_conf:
test-config: test-config:
"$TEMPEST_CONFIG": "$TEMPEST_CONFIG":
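Review bot: `timeout: 10800` on line 181 is added only to the first FIPS job; the second job in the hunk at 191 receives the same centos 8-stream image build through identical devstack_localrc settings and so presumably needs the same headroom, yet keeps its default timeout. If it was left out on purpose a short comment would help; otherwise add `timeout: 10800` under that job as well. The two devstack_localrc blocks (lines 183-187 and 195-199) are identical and the zuul project config in this change already uses YAML anchors, so an `&fips-localrc` / `*fips-localrc` pair would keep them from drifting apart.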


@ -50,9 +50,6 @@
- ^tools/.*$ - ^tools/.*$
- ^(test-|)requirements.txt$ - ^(test-|)requirements.txt$
- ^tox.ini$ - ^tox.ini$
- octavia-v2-dsvm-scenario-fips:
irrelevant-files: *irrelevant-files
voting: false
- octavia-v2-dsvm-tls-barbican-fips: - octavia-v2-dsvm-tls-barbican-fips:
irrelevant-files: *irrelevant-files irrelevant-files: *irrelevant-files
voting: false voting: false
@ -109,6 +106,9 @@
branches: ^(?!stable/.*).*$ branches: ^(?!stable/.*).*$
- octavia-amphora-image-build - octavia-amphora-image-build
- octavia-grenade-ffu - octavia-grenade-ffu
# Putting octavia-v2-dsvm-scenario-fips in periodic as centos 8 is too slow
- octavia-v2-dsvm-scenario-fips:
voting: false
experimental: experimental:
jobs: jobs:
- octavia-v2-dsvm-scenario-nftables - octavia-v2-dsvm-scenario-nftables