Add ubuntu to enable-fips role
The enable-fips role has been refactored to support both centos/rhel and Ubuntu. In addition, for the Ubuntu tasks, a small role is added to enable an Ubuntu Advantage subscription. This is required because Ubuntu requires a subscription to enable FIPS. This role takes a subscription key as a parameter (ubuntu_ua_token.token). In OpenStack, this is provided by the openstack-fips job in openstack/project-config, which will be the base job for OpenStack jobs. This job will provide the ubuntu_ua_token.token.

Change-Id: I47a31f680172b47584510adb672b68498a85bd32
parent 780fc2f768
commit 99711abf23
@ -16,6 +16,7 @@ General Purpose Roles
|
||||
.. zuul:autorole:: emit-job-header
|
||||
.. zuul:autorole:: enable-fips
|
||||
.. zuul:autorole:: enable-netconsole
|
||||
.. zuul:autorole:: enable-ua-subscription
|
||||
.. zuul:autorole:: encrypt-file
|
||||
.. zuul:autorole:: ensure-bazelisk
|
||||
.. zuul:autorole:: ensure-dhall
|
||||
|
18
playbooks/enable-fips/README.rst
Normal file
@ -0,0 +1,18 @@
|
||||
The enable-fips playbook can be invoked to enable FIPS mode on jobs.
|
||||
|
||||
This playbook will call the enable-fips role, which will turn FIPS mode on
|
||||
and then reboot the node. To get consistent results, this role should
|
||||
be run very early in the node setup process, so that resources set up
|
||||
later are not affected by the reboot.
|
||||
|
||||
A playbook variable enable_fips - which defaults to True - is provided.
|
||||
This variable can be used to skip this playbook.
|
||||
|
||||
**Job Variables**
|
||||
|
||||
.. zuul:jobvar:: enable_fips
|
||||
:default: True
|
||||
|
||||
Whether to run the playbook and enable fips. Defaults to True.
|
||||
|
||||
|
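Review bot: the playbook README does not mention that on Ubuntu nodes FIPS can only be enabled once the node is attached to an Ubuntu Advantage subscription, so a job author reading only this file will not know that enable-ua-subscription (added in this same change) has to run before this playbook. Suggest a sentence after "and then reboot the node." pointing at that role and the ubuntu_ua_token.token variable it needs. Minor: "enable fips" in the jobvar description should read "enable FIPS", matching the rest of the text.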
@ -1,7 +1,12 @@
|
||||
Enable FIPS on a node.
|
||||
|
||||
Set a node into FIPS mode, to test functionality when crypto
|
||||
policies are set to FIPS in RHEL 8/Centos 8.
|
||||
policies are set to FIPS in RHEL/Centos >=8 or Ubuntu.
|
||||
|
||||
For Ubuntu nodes, the node is assumed to already have an Ubuntu
|
||||
Advantage subscription activated, as this is required to enable
|
||||
FIPS mode. The enable-ua-subscription role in this repo can be
|
||||
used to activate the subscription.
|
||||
|
||||
The role will set the node into FIPS mode, reboot the node, and
|
||||
then call the post-reboot-tasks role. This role requires a role
|
||||
|
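Review bot: the README now says the role works on "RHEL/Centos >=8 or Ubuntu", but the Ubuntu side is only offered by Ubuntu Advantage on LTS releases, and the text gives no release list, so a reader cannot tell whether a given Ubuntu node is supported before the role fails at `ua enable fips`. Suggest naming the supported Ubuntu LTS releases here (and fixing the capitalisation to "RHEL/CentOS >= 8"). The trailing context line "This role requires a role" is cut off in this view but is unchanged from the previous version.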
@ -1,64 +1,21 @@
|
||||
---
|
||||
- name: Make sure this role is run on RHEL/CentOS 8 systems
|
||||
- name: Make sure this role is run on RHEL/CentOS/Ubuntu systems
|
||||
fail:
|
||||
msg: This role supports RHEL/CentOS 8 systems and Fedora only
|
||||
msg: This role supports RHEL/CentOS/Fedora/Ubuntu systems only
|
||||
when:
|
||||
- not (ansible_distribution == 'CentOS' and ansible_distribution_major_version|int >= 8)
|
||||
- not (ansible_distribution == 'Red Hat Enterprise Linux' and ansible_distribution_major_version|int >= 8)
|
||||
- not ansible_distribution == 'Fedora'
|
||||
- not ansible_distribution == 'Ubuntu'
|
||||
|
||||
- name: Install fips-mode-setup
|
||||
become: true
|
||||
package:
|
||||
name: crypto-policies-scripts
|
||||
state: present
|
||||
- name: Do tasks for RHEL/Centos systems
|
||||
include_tasks: rhel.yaml
|
||||
when: >
|
||||
(ansible_distribution == 'CentOS' and ansible_distribution_major_version|int >= 8) or
|
||||
(ansible_distribution == 'Red Hat Enterprise Linux' and ansible_distribution_major_version|int >= 8) or
|
||||
ansible_distribution == 'Fedora'
|
||||
|
||||
- name: Enable FIPS mode
|
||||
become: true
|
||||
command: fips-mode-setup --enable
|
||||
|
||||
- name: Check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub
|
||||
become: true
|
||||
shell: |
|
||||
set -o pipefail
|
||||
grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub
|
||||
register: test_grep
|
||||
failed_when: false
|
||||
|
||||
- name: Add GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
|
||||
become: true
|
||||
lineinfile:
|
||||
path: /etc/default/grub
|
||||
line: 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"'
|
||||
when: test_grep.rc != 0
|
||||
|
||||
- name: Replace GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
|
||||
become: true
|
||||
lineinfile:
|
||||
path: /etc/default/grub
|
||||
regexp: 'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'
|
||||
line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 fips=1"'
|
||||
backrefs: true
|
||||
when: test_grep.rc == 0
|
||||
|
||||
- name: Rebuild grub.cfg file
|
||||
become: true
|
||||
command: grub2-mkconfig -o /boot/grub2/grub.cfg
|
||||
|
||||
- name: Reboot server for FIPS mode
|
||||
become: true
|
||||
reboot:
|
||||
reboot_timeout: 1800
|
||||
|
||||
- name: Run post-boot tasks
|
||||
include_role:
|
||||
name: post-reboot-tasks
|
||||
|
||||
- name: Ensure FIPS mode is enabled
|
||||
become: true
|
||||
command: fips-mode-setup --check
|
||||
register: _result
|
||||
|
||||
- name: Assert FIPS is enabled
|
||||
assert:
|
||||
that: _result.stdout == "FIPS mode is enabled."
|
||||
- name: Do tasks for Ubuntu
|
||||
include_tasks: ubuntu.yaml
|
||||
when: >
|
||||
(ansible_distribution == "Ubuntu")
|
||||
|
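Review bot: the rewritten fail guard restricts RHEL/CentOS to `ansible_distribution_major_version|int >= 8` but lets any Ubuntu release through (`- not ansible_distribution == 'Ubuntu'`), so a non-LTS Ubuntu node passes the guard and only fails later inside ubuntu.yaml with a less useful error from `ua enable fips`. Suggest adding a release condition for Ubuntu alongside the RHEL/CentOS one, for example checking `ansible_distribution_version` against the LTS releases the role supports, and reusing it in the "Do tasks for Ubuntu" include. Style: that include's `when: >` folded block wraps a single parenthesised comparison; a plain `when: ansible_distribution == "Ubuntu"` reads better and matches the fail task above it.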
56
roles/enable-fips/tasks/rhel.yaml
Normal file
@ -0,0 +1,56 @@
|
||||
---
|
||||
- name: Install fips-mode-setup
|
||||
become: true
|
||||
package:
|
||||
name: crypto-policies-scripts
|
||||
state: present
|
||||
|
||||
- name: Enable FIPS mode
|
||||
become: true
|
||||
command: fips-mode-setup --enable
|
||||
|
||||
- name: Check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub
|
||||
become: true
|
||||
shell: |
|
||||
set -o pipefail
|
||||
grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub
|
||||
register: test_grep
|
||||
failed_when: false
|
||||
|
||||
- name: Add GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
|
||||
become: true
|
||||
lineinfile:
|
||||
path: /etc/default/grub
|
||||
line: 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"'
|
||||
when: test_grep.rc != 0
|
||||
|
||||
- name: Replace GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
|
||||
become: true
|
||||
lineinfile:
|
||||
path: /etc/default/grub
|
||||
regexp: 'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'
|
||||
line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 fips=1"'
|
||||
backrefs: true
|
||||
when: test_grep.rc == 0
|
||||
|
||||
- name: Rebuild grub.cfg file
|
||||
become: true
|
||||
command: grub2-mkconfig -o /boot/grub2/grub.cfg
|
||||
|
||||
- name: Reboot server for FIPS mode
|
||||
become: true
|
||||
reboot:
|
||||
reboot_timeout: 1800
|
||||
|
||||
- name: Run post-boot tasks
|
||||
include_role:
|
||||
name: post-reboot-tasks
|
||||
|
||||
- name: Ensure FIPS mode is enabled
|
||||
become: true
|
||||
command: fips-mode-setup --check
|
||||
register: _result
|
||||
|
||||
- name: Assert FIPS is enabled
|
||||
assert:
|
||||
that: _result.stdout == "FIPS mode is enabled."
|
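Review bot: this file is the previous body of main.yaml moved verbatim, so the existing idempotency problem moves with it: the "Replace GRUB_CMDLINE_LINUX_DEFAULT" task's regexp `'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'` matches even when `fips=1` is already on the line, so a second run appends a duplicate `fips=1`. Suggest `when: test_grep.rc == 0 and 'fips=1' not in test_grep.stdout`. Two smaller points: the `shell:` task sets `set -o pipefail` but contains no pipeline, so a plain `command: grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub` with the same `failed_when: false` is enough; and `grub2-mkconfig -o /boot/grub2/grub.cfg` writes only the BIOS config, so if UEFI RHEL/CentOS 8 nodes are in scope the EFI grub.cfg under /boot/efi would need regenerating as well.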
31
roles/enable-fips/tasks/ubuntu.yaml
Normal file
@ -0,0 +1,31 @@
|
||||
- name: Install ua-tools
|
||||
become: true
|
||||
package:
|
||||
name: ubuntu-advantage-tools
|
||||
state: present
|
||||
|
||||
- name: Enable fips
|
||||
become: true
|
||||
command: ua enable fips
|
||||
|
||||
- name: Verify fips is enabled
|
||||
become: true
|
||||
command: ua status
|
||||
|
||||
- name: Reboot server for FIPS mode
|
||||
become: true
|
||||
reboot:
|
||||
reboot_timeout: 1800
|
||||
|
||||
- name: Run post-boot tasks
|
||||
include_role:
|
||||
name: post-reboot-tasks
|
||||
|
||||
- name: Ensure FIPS mode is enabled
|
||||
become: true
|
||||
command: cat /proc/sys/crypto/fips_enabled
|
||||
register: _result
|
||||
|
||||
- name: Assert FIPS is enabled
|
||||
assert:
|
||||
that: _result.stdout == "1"
|
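Review bot: the "Verify fips is enabled" task runs `ua status` without `register:` or any check on its output, so it can never fail and verifies nothing; either drop it or register the result and assert that the fips service shows as enabled (the real verification is the later assert on `/proc/sys/crypto/fips_enabled`, which is good). Two caveats on "Enable fips": `ua enable fips` asks for confirmation before installing the FIPS kernel and there is no tty under `command:`, so the versions that prompt need `--assume-yes`; and re-running the role on a node where FIPS is already enabled will not be clean, so guarding the enable task on the current value of `/proc/sys/crypto/fips_enabled` would make the role re-runnable.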
13
roles/enable-ua-subscription/README.rst
Normal file
@ -0,0 +1,13 @@
|
||||
Enable UA Subscription on a node.
|
||||
|
||||
For Ubuntu nodes, this role activates an Ubuntu advantage
|
||||
subscription using a passed in token (ubuntu_ua_token.token).
|
||||
|
||||
**Role Variables**
|
||||
|
||||
.. zuul:rolevar:: ubuntu_ua_token
|
||||
:type: dict
|
||||
:default: None
|
||||
|
||||
Dict used to specify Ubuntu advantage subscription information.
|
||||
ubuntu_ua_token.token is a subscription key.
|
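Review bot: `ubuntu_ua_token` is documented with `:default: None`, but the attach task in this change interpolates `ubuntu_ua_token.token` unconditionally on Ubuntu, so a job that omits it fails with an undefined-variable error rather than a documented skip; suggest describing the variable as required on Ubuntu and stating that the token is a secret (the task sets `no_log: true`, which the README should mention so job authors do not log it elsewhere). Minor: "Ubuntu advantage" should be "Ubuntu Advantage" in both places.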
12
roles/enable-ua-subscription/tasks/main.yaml
Normal file
@ -0,0 +1,12 @@
|
||||
- name: Install ua-tools
|
||||
become: true
|
||||
package:
|
||||
name: ubuntu-advantage-tools
|
||||
state: present
|
||||
|
||||
- name: Attach subscription
|
||||
command: pro attach --no-auto-enable "{{ ubuntu_ua_token.token }}"
|
||||
become: true
|
||||
no_log: true
|
||||
when: >
|
||||
(ansible_distribution == "Ubuntu")
|
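Review bot: the "Install ua-tools" task has no `ansible_distribution == "Ubuntu"` guard while "Attach subscription" does, so on a non-Ubuntu node in the same base job the `package` call for `ubuntu-advantage-tools` fails before the guarded task is ever reached; suggest putting the `when` on both tasks (or wrapping them in a `block:` with the condition). `pro attach` on a node that is already attached also errors, so checking the attach state first would make the role safe to re-run. Style: this role uses the `pro` command while enable-fips uses `ua` for the same tool; pick one for consistency. Keeping `no_log: true` on the attach task is right, since the token is passed on the command line.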
@ -9,6 +9,14 @@ connectivity (ssh), restarting the zuul-console and making sure
|
||||
DNS is up.
|
||||
|
||||
A role parameter nslookup_target is required to specify the DNS name
|
||||
to ensure DNS is working. If working in a mirrored environment, it
|
||||
is a good idea to use $zuul_site_mirror_fqdn, because this is what
|
||||
will be needed for package installs in any case.
|
||||
to ensure DNS is working.
|
||||
|
||||
**Role Variables**
|
||||
|
||||
.. zuul:rolevar:: nslookup_target
|
||||
:type: str
|
||||
:default: None
|
||||
|
||||
DNS name to query to confirm that DNS is working. If working in a
|
||||
mirrored environment, it is a good idea to use $zuul_site_mirror_fqdn,
|
||||
because this is what will be needed for package installs in any case.
|
||||
|