openstack-zuul-jobs/playbooks/fips/README.rst
Ade Lee 176daf9c82 FIPS changes to allow FIPS to run on multinode Ubuntu jobs
There are two problems we need to solve when enabling FIPS for
multinode Ubuntu jobs.

1. Ubuntu nodes require a subscription to be activated with a
   subscription key that is stored as a secret in project-config.

2. Because enabling FIPS requires a reboot, we need to execute the
   enable-fips playbook before the multinode playbook.  If not,
   resources set up by the multinode playbook may not survive the
   reboot.

To solve these problems, we have created a new base job for
OpenStack multinode jobs.  (openstack-multinode-fips).  We expect
to use this job as the base job for OpenStack multinode jobs
instead of the multinode job in zuul-jobs.

The openstack-multinode-fips inherits from openstack-fips, which
is a job defined in project-config that accesses the UA subscription
key and activates the UA subscription.  This solves problem #1.

It then executes the enable-fips and multinode playbooks
(FIPS first!), which, in turn, invoke the enable-fips and multinode
roles in zuul-jobs.  This solves problem #2.

This has the unfortunate result of having to duplicate the logic
of the multinode/pre.yaml playbook in zuul-jobs here in
openstack-zuul-jobs instead, but I can't see a way around that.

Note that unless the variable enable_fips is defined to be true
in the job, all the FIPS logic is essentially a no-op.

If enable_fips is set to True, then jobs will also need to specify
nslookup_target for the post-reboot-tasks role invoked by the
enable_fips role.

Depends-On: I8a88d6a9bcf5725986b00b063e03686d3225b48e
Change-Id: I080df90af850088893976c8649aa528638c6f373
2023-01-30 22:35:16 +01:00


The enable-fips playbook can be invoked to enable FIPS mode on jobs.

This playbook will call the enable-fips role in zuul-jobs, which will turn FIPS mode on and then reboot the node. To get consistent results, this role should be run very early in the node setup process, so that resources set up later are not affected by the reboot.

In practice, this means that the playbook is invoked as part of a base job such as openstack-multinode-fips. To avoid duplicating complex inheritance trees, we expect to use this base job for most jobs.

As most jobs will not require FIPS, a playbook variable enable_fips, which defaults to False, is provided. To enable FIPS mode, a job simply needs to set enable_fips to True as a job variable.
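The following is an added illustration of how the pieces described above fit together; it is not the project's own playbook or job definitions. It shows a pre-run playbook that only invokes the zuul-jobs enable-fips role when enable_fips is set, a base job that orders the FIPS playbook before the multinode pre playbook so the reboot happens before multinode networking is configured, and a consumer job that opts in and therefore also supplies nslookup_target. The playbook filenames, the consumer job name and the nslookup_target host are assumptions, as marked in the comments.

```yaml
# Added example, not the project's own files. Each section below would
# live in its own file; assumed names and paths are marked.

# --- playbooks/fips/enable-fips.yaml (assumed filename) ---
# Run the zuul-jobs enable-fips role only when the job opted in. The
# default() filter keeps the play a no-op when enable_fips is unset,
# and the value is deliberately not declared under play-level "vars",
# because play vars would override the job variable Zuul passes in via
# the inventory.
- hosts: all
  tasks:
    - name: Enable FIPS mode and reboot the node
      include_role:
        name: enable-fips
      when: enable_fips | default(false) | bool

# --- zuul.d/jobs.yaml (assumed filename) ---
# Base job: the FIPS playbook is listed before the multinode pre playbook
# so that the reboot completes before multinode resources are created.
- job:
    name: openstack-multinode-fips
    parent: openstack-fips
    pre-run:
      - playbooks/fips/enable-fips.yaml   # assumed path
      - playbooks/multinode/pre.yaml      # assumed path
    vars:
      enable_fips: false

# Consumer job opting in to FIPS. Because enable_fips is True, it must
# also provide nslookup_target for the post-reboot-tasks role that the
# enable-fips role invokes after the reboot.
- job:
    name: example-fips-multinode-job      # assumed name
    parent: openstack-multinode-fips
    vars:
      enable_fips: true
      nslookup_target: opendev.org        # assumed host for the post-reboot DNS check
```

A job that inherits from openstack-multinode-fips without setting enable_fips gets the default False, so no role runs and no reboot occurs; only jobs that set it to True need the extra nslookup_target variable.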

Job Variables