Merge "Add role to enable FIPS on a node"
commit
4918fbcc89
|
@ -13,6 +13,7 @@ General Purpose Roles
|
|||
.. zuul:autorole:: download-artifact
|
||||
.. zuul:autorole:: dstat-graph
|
||||
.. zuul:autorole:: emit-job-header
|
||||
.. zuul:autorole:: enable-fips
|
||||
.. zuul:autorole:: enable-netconsole
|
||||
.. zuul:autorole:: ensure-bazelisk
|
||||
.. zuul:autorole:: ensure-dhall
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
Enable FIPS on a node.
|
||||
|
||||
Set a node into FIPS mode, to test functionality when crypto
|
||||
policies are set to FIPS in RHEL 8/Centos 8.
|
|
@ -0,0 +1,63 @@
|
|||
---
|
||||
- name: Make sure this role is run on RHEL/CentOS 8 systems
|
||||
fail:
|
||||
msg: This role supports RHEL/CentOS 8 systems only
|
||||
when:
|
||||
- (ansible_distribution != 'CentOS' and ansible_distribution != 'Red Hat Enterprise Linux') or
|
||||
ansible_distribution_major_version != '8'
|
||||
|
||||
- name: Install fips-mode-setup
|
||||
become: true
|
||||
package:
|
||||
name: crypto-policies-scripts
|
||||
state: present
|
||||
|
||||
- name: Enable FIPS mode
|
||||
become: true
|
||||
command: fips-mode-setup --enable
|
||||
|
||||
- name: check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub
|
||||
become: true
|
||||
shell: |
|
||||
set -o pipefail
|
||||
grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub
|
||||
register: test_grep
|
||||
failed_when: false
|
||||
|
||||
- name: add GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
|
||||
become: true
|
||||
lineinfile:
|
||||
path: /etc/default/grub
|
||||
line: 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"'
|
||||
when: test_grep.rc != 0
|
||||
|
||||
- name: Replace GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
|
||||
become: true
|
||||
lineinfile:
|
||||
path: /etc/default/grub
|
||||
regexp: 'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'
|
||||
line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 fips=1"'
|
||||
backrefs: true
|
||||
when: test_grep.rc == 0
|
||||
|
||||
- name: Rebuild grub.cfg file
|
||||
become: true
|
||||
command: grub2-mkconfig -o /boot/grub2/grub.cfg
|
||||
|
||||
- name: Reboot server for FIPS mode
|
||||
become: true
|
||||
reboot:
|
||||
reboot_timeout: 1800
|
||||
|
||||
- name: Run start-zuul-console role
|
||||
include_role:
|
||||
name: start-zuul-console
|
||||
|
||||
- name: Ensure FIPS mode is enabled
|
||||
become: true
|
||||
command: fips-mode-setup --check
|
||||
register: _result
|
||||
|
||||
- name: Assert FIPS is enabled
|
||||
assert:
|
||||
that: _result.stdout == "FIPS mode is enabled."
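Review bot: The "Replace GRUB_CMDLINE_LINUX_DEFAULT" task is not idempotent: its regexp also matches a line that already carries `fips=1`, so every further run of the role appends another ` fips=1`, and because neither the grep nor the regexp is anchored, a commented-out `#GRUB_CMDLINE_LINUX_DEFAULT=` line counts as a match too. I would anchor the pattern and skip lines that already have the flag, `regexp: '^GRUB_CMDLINE_LINUX_DEFAULT="((?:(?!fips=1).)*)"$'`, and anchor the grep the same way with `grep "^GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub`. The guard in the first task compares `ansible_distribution` with 'Red Hat Enterprise Linux', but Ansible normally reports RHEL as `RedHat`, so the role probably fails on the RHEL 8 hosts it says it supports; `ansible_distribution not in ['CentOS', 'RedHat']` would cover both. The final assert depends on one exact stdout string from `fips-mode-setup --check`; also reading `/proc/sys/crypto/fips_enabled` and asserting it is `1` would check the kernel's own state after the reboot and would not break if the tool's message wording changes.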
|
|
@ -368,6 +368,19 @@
|
|||
vars:
|
||||
role_name: clear-firewall
|
||||
|
||||
- job:
|
||||
name: zuul-jobs-test-enable-fips
|
||||
description: Test the enable-fips role
|
||||
files:
|
||||
- roles/enable-fips/.*
|
||||
run: test-playbooks/simple-role-test.yaml
|
||||
vars:
|
||||
role_name: enable-fips
|
||||
nodeset:
|
||||
nodes:
|
||||
- name: centos-8-stream
|
||||
label: centos-8-stream
|
||||
|
||||
- job:
|
||||
name: zuul-jobs-test-ensure-bazelisk
|
||||
description: Test the ensure-bazelisk role
|
||||
|
@ -749,6 +762,7 @@
|
|||
- zuul-jobs-test-bindep-ubuntu-xenial
|
||||
- zuul-jobs-test-bindep-ubuntu-focal
|
||||
- zuul-jobs-test-clear-firewall
|
||||
- zuul-jobs-test-enable-fips
|
||||
- zuul-jobs-test-ensure-bazelisk
|
||||
- zuul-jobs-test-netconsole
|
||||
- zuul-jobs-test-dstat-graph
|
||||
|
@ -798,6 +812,7 @@
|
|||
- zuul-jobs-test-bindep-ubuntu-xenial
|
||||
- zuul-jobs-test-bindep-ubuntu-focal
|
||||
- zuul-jobs-test-clear-firewall
|
||||
- zuul-jobs-test-enable-fips
|
||||
- zuul-jobs-test-ensure-bazelisk
|
||||
- zuul-jobs-test-netconsole
|
||||
- zuul-jobs-test-dstat-graph
|
||||
|
|