Add ubuntu to enable-fips role

The enable-fips role has been refactored to support both centos/rhel and
Ubuntu.

In addition, for the Ubuntu tasks, a small role is added to enable a
Ubuntu Advantage subscription.  This is required because Ubuntu requires
a subscription to enable FIPS.  This role takes a subscription key as a
parameter (ubuntu_ua_token.token).

In Openstack, this is provided by the openstack-fips job in
openstack/project-config, which will be the base job for OpenStack jobs.
This job will provide the ubuntu_ua_token.token.

Change-Id: I47a31f680172b47584510adb672b68498a85bd32
This commit is contained in:
Ade Lee 2022-12-07 18:08:58 +01:00 committed by Jeremy Stanley
parent 780fc2f768
commit 99711abf23
9 changed files with 161 additions and 60 deletions

View File

@ -16,6 +16,7 @@ General Purpose Roles
.. zuul:autorole:: emit-job-header
.. zuul:autorole:: enable-fips
.. zuul:autorole:: enable-netconsole
.. zuul:autorole:: enable-ua-subscription
.. zuul:autorole:: encrypt-file
.. zuul:autorole:: ensure-bazelisk
.. zuul:autorole:: ensure-dhall

View File

@ -0,0 +1,18 @@
The enable-fips playbook can be invoked to enable FIPS mode on jobs.
This playbook will call the enable-fips role, which will turn FIPS mode on
and then reboot the node. To get consistent results, this role should
be run very early in the node setup process, so that resources set up
later are not affected by the reboot.
A playbook variable enable_fips - which defaults to True - is provided.
This variable can be used to skip this playbook.
**Job Variables**
.. zuul:jobvar:: enable_fips
:default: True
Whether to run the playbook and enable fips. Defaults to True.

View File

@ -1,7 +1,12 @@
Enable FIPS on a node.
Set a node into FIPS mode, to test functionality when crypto
policies are set to FIPS in RHEL 8/Centos 8.
policies are set to FIPS in RHEL/Centos >=8 or Ubuntu.
For Ubuntu nodes, the node is assumed to already have an Ubuntu
Advantage subscription activated, as this is required to enable
FIPS mode. The enable-ua-subscription role in this repo can be
used to activate the subscription.
The role will set the node into FIPS mode, reboot the node, and
then call the post-reboot-tasks role. This role requires a role

View File

@ -1,64 +1,21 @@
---
- name: Make sure this role is run on RHEL/CentOS 8 systems
- name: Make sure this role is run on RHEL/CentOS/Ubuntu systems
fail:
msg: This role supports RHEL/CentOS 8 systems and Fedora only
msg: This role supports RHEL/CentOS/Fedora/Ubuntu systems only
when:
- not (ansible_distribution == 'CentOS' and ansible_distribution_major_version|int >= 8)
- not (ansible_distribution == 'Red Hat Enterprise Linux' and ansible_distribution_major_version|int >= 8)
- not ansible_distribution == 'Fedora'
- not ansible_distribution == 'Ubuntu'
- name: Install fips-mode-setup
become: true
package:
name: crypto-policies-scripts
state: present
- name: Do tasks for RHEL/Centos systems
include_tasks: rhel.yaml
when: >
(ansible_distribution == 'CentOS' and ansible_distribution_major_version|int >= 8) or
(ansible_distribution == 'Red Hat Enterprise Linux' and ansible_distribution_major_version|int >= 8) or
ansible_distribution == 'Fedora'
- name: Enable FIPS mode
become: true
command: fips-mode-setup --enable
- name: Check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub
become: true
shell: |
set -o pipefail
grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub
register: test_grep
failed_when: false
- name: Add GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
become: true
lineinfile:
path: /etc/default/grub
line: 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"'
when: test_grep.rc != 0
- name: Replace GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
become: true
lineinfile:
path: /etc/default/grub
regexp: 'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'
line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 fips=1"'
backrefs: true
when: test_grep.rc == 0
- name: Rebuild grub.cfg file
become: true
command: grub2-mkconfig -o /boot/grub2/grub.cfg
- name: Reboot server for FIPS mode
become: true
reboot:
reboot_timeout: 1800
- name: Run post-boot tasks
include_role:
name: post-reboot-tasks
- name: Ensure FIPS mode is enabled
become: true
command: fips-mode-setup --check
register: _result
- name: Assert FIPS is enabled
assert:
that: _result.stdout == "FIPS mode is enabled."
- name: Do tasks for Ubuntu
include_tasks: ubuntu.yaml
when: >
(ansible_distribution == "Ubuntu")

View File

@ -0,0 +1,56 @@
---
- name: Install fips-mode-setup
become: true
package:
name: crypto-policies-scripts
state: present
- name: Enable FIPS mode
become: true
command: fips-mode-setup --enable
- name: Check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub
become: true
shell: |
set -o pipefail
grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub
register: test_grep
failed_when: false
- name: Add GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
become: true
lineinfile:
path: /etc/default/grub
line: 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"'
when: test_grep.rc != 0
- name: Replace GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
become: true
lineinfile:
path: /etc/default/grub
regexp: 'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'
line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 fips=1"'
backrefs: true
when: test_grep.rc == 0
- name: Rebuild grub.cfg file
become: true
command: grub2-mkconfig -o /boot/grub2/grub.cfg
- name: Reboot server for FIPS mode
become: true
reboot:
reboot_timeout: 1800
- name: Run post-boot tasks
include_role:
name: post-reboot-tasks
- name: Ensure FIPS mode is enabled
become: true
command: fips-mode-setup --check
register: _result
- name: Assert FIPS is enabled
assert:
that: _result.stdout == "FIPS mode is enabled."

View File

@ -0,0 +1,31 @@
- name: Install ua-tools
become: true
package:
name: ubuntu-advantage-tools
state: present
- name: Enable fips
become: true
command: ua enable fips
- name: Verify fips is enabled
become: true
command: ua status
- name: Reboot server for FIPS mode
become: true
reboot:
reboot_timeout: 1800
- name: Run post-boot tasks
include_role:
name: post-reboot-tasks
- name: Ensure FIPS mode is enabled
become: true
command: cat /proc/sys/crypto/fips_enabled
register: _result
- name: Assert FIPS is enabled
assert:
that: _result.stdout == "1"

View File

@ -0,0 +1,13 @@
Enable UA Subscription on a node.
For Ubuntu nodes, this role activates an Ubuntu advantage
subscription using a passed in token (ubuntu_ua_token.token).
**Role Variables**
.. zuul:rolevar:: ubuntu_ua_token
:type: dict
:default: None
Dict used to specify Ubuntu advantage subscription information.
ubuntu_ua_token.token is a subscription key.

View File

@ -0,0 +1,12 @@
- name: Install ua-tools
become: true
package:
name: ubuntu-advantage-tools
state: present
- name: Attach subscription
command: pro attach --no-auto-enable "{{ ubuntu_ua_token.token }}"
become: true
no_log: true
when: >
(ansible_distribution == "Ubuntu")

View File

@ -9,6 +9,14 @@ connectivity (ssh), restarting the zuul-console and making sure
DNS is up.
A role parameter nslookup_target is required to specify the DNS name
to ensure DNS is working. If working in a mirrored environment, it
is a good idea to use $zuul_site_mirror_fqdn, because this is what
will be needed for package installs in any case.
to ensure DNS is working.
**Role Variables**
.. zuul:rolevar:: nslookup_target
:type: str
:default: None
DNS name to query to confirm that DNS is working. If working in a
mirrored environment, it is a good idea to use $zuul_site_mirror_fqdn,
because this is what will be needed for package installs in any case.