Add ubuntu to enable-fips role

The enable-fips role has been refactored to support both centos/rhel and
Ubuntu.

In addition, for the Ubuntu tasks, a small role is added to enable a
Ubuntu Advantage subscription.  This is required because Ubuntu requires
a subscription to enable FIPS.  This role takes a subscription key as a
parameter (ubuntu_ua_token.token).

In Openstack, this is provided by the openstack-fips job in
openstack/project-config, which will be the base job for OpenStack jobs.
This job will provide the ubuntu_ua_token.token.

Change-Id: I47a31f680172b47584510adb672b68498a85bd32

doc/source/general-roles.rst

@@ -16,6 +16,7 @@ General Purpose Roles
 .. zuul:autorole:: emit-job-header
 .. zuul:autorole:: enable-fips
 .. zuul:autorole:: enable-netconsole
+.. zuul:autorole:: enable-ua-subscription
 .. zuul:autorole:: encrypt-file
 .. zuul:autorole:: ensure-bazelisk
 .. zuul:autorole:: ensure-dhall

playbooks/enable-fips/README.rst

@@ -0,0 +1,18 @@
+The enable-fips playbook can be invoked to enable FIPS mode on jobs.
+
+This playbook will call the enable-fips role, which will turn FIPS mode on
+and then reboot the node.  To get consistent results, this role should
+be run very early in the node setup process, so that resources set up
+later are not affected by the reboot.
+
+A playbook variable enable_fips - which defaults to True - is provided.
+This variable can be used to skip this playbook.
+
+**Job Variables**
+
+.. zuul:jobvar:: enable_fips
+   :default: True
+
+   Whether to run the playbook and enable fips.  Defaults to True.
+
+

roles/enable-fips/README.rst

@@ -1,7 +1,12 @@
 Enable FIPS on a node.
 
 Set a node into FIPS mode, to test functionality when crypto
-policies are set to FIPS in RHEL 8/Centos 8.
+policies are set to FIPS in RHEL/Centos >=8 or Ubuntu.
+
+For Ubuntu nodes, the node is assumed to already have an Ubuntu
+Advantage subscription activated, as this is required to enable
+FIPS mode.  The enable-ua-subscription role in this repo can be
+used to activate the subscription.
 
 The role will set the node into FIPS mode, reboot the node, and
 then call the post-reboot-tasks role.  This role requires a role

roles/enable-fips/tasks/main.yaml

@@ -1,64 +1,21 @@
 ---
-- name: Make sure this role is run on RHEL/CentOS 8 systems
+- name: Make sure this role is run on RHEL/CentOS/Ubuntu systems
   fail:
-    msg: This role supports RHEL/CentOS 8 systems and Fedora only
+    msg: This role supports RHEL/CentOS/Fedora/Ubuntu systems only
   when:
     - not (ansible_distribution == 'CentOS' and ansible_distribution_major_version|int >= 8)
     - not (ansible_distribution == 'Red Hat Enterprise Linux' and ansible_distribution_major_version|int >= 8)
     - not ansible_distribution == 'Fedora'
+    - not ansible_distribution == 'Ubuntu'
 
-- name: Install fips-mode-setup
+- name: Do tasks for RHEL/Centos systems
-  become: true
+  include_tasks: rhel.yaml
-  package:
+  when: >
-    name: crypto-policies-scripts
+    (ansible_distribution == 'CentOS' and ansible_distribution_major_version|int >= 8) or
-    state: present
+    (ansible_distribution == 'Red Hat Enterprise Linux' and ansible_distribution_major_version|int >= 8) or
+    ansible_distribution == 'Fedora'
 
-- name: Enable FIPS mode
+- name: Do tasks for Ubuntu
-  become: true
+  include_tasks: ubuntu.yaml
-  command: fips-mode-setup --enable
+  when: >
-
+    (ansible_distribution == "Ubuntu")
-- name: Check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub
-  become: true
-  shell: |
-    set -o pipefail
-    grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub
-  register: test_grep
-  failed_when: false
-
-- name: Add GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
-  become: true
-  lineinfile:
-    path: /etc/default/grub
-    line: 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"'
-  when: test_grep.rc != 0
-
-- name: Replace GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
-  become: true
-  lineinfile:
-    path: /etc/default/grub
-    regexp: 'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'
-    line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 fips=1"'
-    backrefs: true
-  when: test_grep.rc == 0
-
-- name: Rebuild grub.cfg file
-  become: true
-  command: grub2-mkconfig -o /boot/grub2/grub.cfg
-
-- name: Reboot server for FIPS mode
-  become: true
-  reboot:
-    reboot_timeout: 1800
-
-- name: Run post-boot tasks
-  include_role:
-    name: post-reboot-tasks
-
-- name: Ensure FIPS mode is enabled
-  become: true
-  command: fips-mode-setup --check
-  register: _result
-
-- name: Assert FIPS is enabled
-  assert:
-    that: _result.stdout == "FIPS mode is enabled."

roles/enable-fips/tasks/rhel.yaml

@@ -0,0 +1,56 @@
+---
+- name: Install fips-mode-setup
+  become: true
+  package:
+    name: crypto-policies-scripts
+    state: present
+
+- name: Enable FIPS mode
+  become: true
+  command: fips-mode-setup --enable
+
+- name: Check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub
+  become: true
+  shell: |
+    set -o pipefail
+    grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub
+  register: test_grep
+  failed_when: false
+
+- name: Add GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
+  become: true
+  lineinfile:
+    path: /etc/default/grub
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"'
+  when: test_grep.rc != 0
+
+- name: Replace GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
+  become: true
+  lineinfile:
+    path: /etc/default/grub
+    regexp: 'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 fips=1"'
+    backrefs: true
+  when: test_grep.rc == 0
+
+- name: Rebuild grub.cfg file
+  become: true
+  command: grub2-mkconfig -o /boot/grub2/grub.cfg
+
+- name: Reboot server for FIPS mode
+  become: true
+  reboot:
+    reboot_timeout: 1800
+
+- name: Run post-boot tasks
+  include_role:
+    name: post-reboot-tasks
+
+- name: Ensure FIPS mode is enabled
+  become: true
+  command: fips-mode-setup --check
+  register: _result
+
+- name: Assert FIPS is enabled
+  assert:
+    that: _result.stdout == "FIPS mode is enabled."

roles/enable-fips/tasks/ubuntu.yaml

@@ -0,0 +1,31 @@
+- name: Install ua-tools
+  become: true
+  package:
+    name: ubuntu-advantage-tools
+    state: present
+
+- name: Enable fips
+  become: true
+  command: ua enable fips
+
+- name: Verify fips is enabled
+  become: true
+  command: ua status
+
+- name: Reboot server for FIPS mode
+  become: true
+  reboot:
+    reboot_timeout: 1800
+
+- name: Run post-boot tasks
+  include_role:
+    name: post-reboot-tasks
+
+- name: Ensure FIPS mode is enabled
+  become: true
+  command: cat /proc/sys/crypto/fips_enabled
+  register: _result
+
+- name: Assert FIPS is enabled
+  assert:
+    that: _result.stdout == "1"

roles/enable-ua-subscription/README.rst

@@ -0,0 +1,13 @@
+Enable UA Subscription on a node.
+
+For Ubuntu nodes, this role activates an Ubuntu advantage
+subscription using a passed in token (ubuntu_ua_token.token).
+
+**Role Variables**
+
+.. zuul:rolevar:: ubuntu_ua_token
+   :type: dict
+   :default: None
+
+   Dict used to specify Ubuntu advantage subscription information.
+   ubuntu_ua_token.token is a subscription key.

roles/enable-ua-subscription/tasks/main.yaml

@@ -0,0 +1,12 @@
+- name: Install ua-tools
+  become: true
+  package:
+    name: ubuntu-advantage-tools
+    state: present
+
+- name: Attach subscription
+  command: pro attach --no-auto-enable "{{ ubuntu_ua_token.token }}"
+  become: true
+  no_log: true
+  when: >
+    (ansible_distribution == "Ubuntu")

roles/post-reboot-tasks/README.rst

@@ -9,6 +9,14 @@ connectivity (ssh), restarting the zuul-console and making sure
 DNS is up.
 
 A role parameter nslookup_target is required to specify the DNS name
-to ensure DNS is working. If working in a mirrored environment, it
+to ensure DNS is working.
-is a good idea to use $zuul_site_mirror_fqdn, because this is what
+
-will be needed for package installs in any case.
+**Role Variables**
+
+.. zuul:rolevar:: nslookup_target
+   :type: str
+   :default: None
+
+   DNS name to query to confirm that DNS is working.  If working in a
+   mirrored environment, it is a good idea to use $zuul_site_mirror_fqdn,
+   because this is what will be needed for package installs in any case.