Merge "Add role to enable FIPS on a node"

2021-06-18 18:50:35 +00:00 · 2021-06-18 18:50:35 +00:00 · 4918fbcc89
parent 859415c24b be0415e556
commit 4918fbcc89
4 changed files with 83 additions and 0 deletions
--- a/doc/source/general-roles.rst
+++ b/doc/source/general-roles.rst
@ -13,6 +13,7 @@ General Purpose Roles
 .. zuul:autorole:: download-artifact
 .. zuul:autorole:: dstat-graph
 .. zuul:autorole:: emit-job-header
+.. zuul:autorole:: enable-fips
 .. zuul:autorole:: enable-netconsole
 .. zuul:autorole:: ensure-bazelisk
 .. zuul:autorole:: ensure-dhall
--- a/roles/enable-fips/README.rst
+++ b/roles/enable-fips/README.rst
@ -0,0 +1,4 @@
+Enable FIPS on a node.
+
+Set a node into FIPS mode, to test functionality when crypto
+policies are set to FIPS in RHEL 8/Centos 8.
--- a/roles/enable-fips/tasks/main.yaml
+++ b/roles/enable-fips/tasks/main.yaml
@ -0,0 +1,63 @@
+---
+- name: Make sure this role is run on RHEL/CentOS 8 systems
+  fail:
+    msg: This role supports RHEL/CentOS 8 systems only
+  when:
+    - (ansible_distribution != 'CentOS' and ansible_distribution != 'Red Hat Enterprise Linux') or
+      ansible_distribution_major_version != '8'
+
+- name: Install fips-mode-setup
+  become: true
+  package:
+    name: crypto-policies-scripts
+    state: present
+
+- name: Enable FIPS mode
+  become: true
+  command: fips-mode-setup --enable
+
+- name: check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub
+  become: true
+  shell: |
+    set -o pipefail
+    grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub
+  register: test_grep
+  failed_when: false
+
+- name: add GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
+  become: true
+  lineinfile:
+    path: /etc/default/grub
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"'
+  when: test_grep.rc != 0
+
+- name: Replace GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
+  become: true
+  lineinfile:
+    path: /etc/default/grub
+    regexp: 'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 fips=1"'
+    backrefs: true
+  when: test_grep.rc == 0
+
+- name: Rebuild grub.cfg file
+  become: true
+  command: grub2-mkconfig -o /boot/grub2/grub.cfg
+
+- name: Reboot server for FIPS mode
+  become: true
+  reboot:
+    reboot_timeout: 1800
+
+- name: Run start-zuul-console role
+  include_role:
+    name: start-zuul-console
+
+- name: Ensure FIPS mode is enabled
+  become: true
+  command: fips-mode-setup --check
+  register: _result
+
+- name: Assert FIPS is enabled
+  assert:
+    that: _result.stdout == "FIPS mode is enabled."
--- a/zuul-tests.d/general-roles-jobs.yaml
+++ b/zuul-tests.d/general-roles-jobs.yaml
@ -368,6 +368,19 @@
    vars:
      role_name: clear-firewall

+- job:
+    name: zuul-jobs-test-enable-fips
+    description: Test the enable-fips role
+    files:
+      - roles/enable-fips/.*
+    run: test-playbooks/simple-role-test.yaml
+    vars:
+      role_name: enable-fips
+    nodeset:
+      nodes:
+        - name: centos-8-stream
+          label: centos-8-stream
+
 - job:
    name: zuul-jobs-test-ensure-bazelisk
    description: Test the ensure-bazelisk role
@ -749,6 +762,7 @@
        - zuul-jobs-test-bindep-ubuntu-xenial
        - zuul-jobs-test-bindep-ubuntu-focal
        - zuul-jobs-test-clear-firewall
+        - zuul-jobs-test-enable-fips
        - zuul-jobs-test-ensure-bazelisk
        - zuul-jobs-test-netconsole
        - zuul-jobs-test-dstat-graph
@ -798,6 +812,7 @@
        - zuul-jobs-test-bindep-ubuntu-xenial
        - zuul-jobs-test-bindep-ubuntu-focal
        - zuul-jobs-test-clear-firewall
+        - zuul-jobs-test-enable-fips
        - zuul-jobs-test-ensure-bazelisk
        - zuul-jobs-test-netconsole
        - zuul-jobs-test-dstat-graph