Add role to enable FIPS on a node

Adds role to be used to enable FIPS on test nodes, so that projects
can create jobs that would test when FIPS is enabled.

This is pretty much copied from the same role in ansible zuul jobs, where
it works well. Thanks to Paul Belanger for pointing it out.
https://github.com/ansible/ansible-zuul-jobs/blob/master/roles/enable-fips-mode/tasks/main.yaml

An example showing how this can be used is in:
https://review.opendev.org/c/openstack/barbican/+/760665

Change-Id: If07b8ddb77368d591659f3a111e3f5306daf6f06
Ade Lee 2021-04-29 10:48:37 -04:00
parent 01cae8ee22
commit be0415e556
4 changed files with 83 additions and 0 deletions


@ -13,6 +13,7 @@ General Purpose Roles
.. zuul:autorole:: download-artifact .. zuul:autorole:: download-artifact
.. zuul:autorole:: dstat-graph .. zuul:autorole:: dstat-graph
.. zuul:autorole:: emit-job-header .. zuul:autorole:: emit-job-header
.. zuul:autorole:: enable-fips
.. zuul:autorole:: enable-netconsole .. zuul:autorole:: enable-netconsole
.. zuul:autorole:: ensure-bazelisk .. zuul:autorole:: ensure-bazelisk
.. zuul:autorole:: ensure-dhall .. zuul:autorole:: ensure-dhall


@ -0,0 +1,4 @@
Enable FIPS on a node.
Set a node into FIPS mode, to test functionality when crypto
policies are set to FIPS in RHEL 8/Centos 8.


@ -0,0 +1,63 @@
---
- name: Make sure this role is run on RHEL/CentOS 8 systems
fail:
msg: This role supports RHEL/CentOS 8 systems only
when:
- (ansible_distribution != 'CentOS' and ansible_distribution != 'Red Hat Enterprise Linux') or
ansible_distribution_major_version != '8'
- name: Install fips-mode-setup
become: true
package:
name: crypto-policies-scripts
state: present
- name: Enable FIPS mode
become: true
command: fips-mode-setup --enable
- name: check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub
become: true
shell: |
set -o pipefail
grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub
register: test_grep
failed_when: false
- name: add GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
become: true
lineinfile:
path: /etc/default/grub
line: 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"'
when: test_grep.rc != 0
- name: Replace GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
become: true
lineinfile:
path: /etc/default/grub
regexp: 'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'
line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 fips=1"'
backrefs: true
when: test_grep.rc == 0
- name: Rebuild grub.cfg file
become: true
command: grub2-mkconfig -o /boot/grub2/grub.cfg
- name: Reboot server for FIPS mode
become: true
reboot:
reboot_timeout: 1800
- name: Run start-zuul-console role
include_role:
name: start-zuul-console
- name: Ensure FIPS mode is enabled
become: true
command: fips-mode-setup --check
register: _result
- name: Assert FIPS is enabled
assert:
that: _result.stdout == "FIPS mode is enabled."
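Review bot: The `Replace GRUB_CMDLINE_LINUX_DEFAULT` task appends ` fips=1` on every run, because its `regexp` matches any existing value, so a node that already carries the flag ends up with `fips=1 fips=1`; the unanchored pattern also matches a commented-out line. Anchoring the pattern and skipping lines that already contain the flag keeps the role idempotent: `regexp: '^GRUB_CMDLINE_LINUX_DEFAULT="((?!.*fips=1).*)"'`. The preceding grep task sets `failed_when: false`, which treats a missing or unreadable /etc/default/grub (grep rc 2) the same as "variable absent"; `failed_when: test_grep.rc > 1` would surface that case. The final assert compares the tool's message text exactly, so additionally checking that `/proc/sys/crypto/fips_enabled` reads `1` would tie the verification to kernel state rather than to wording; this is a robustness suggestion, not something the hunk shows failing.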


@ -368,6 +368,19 @@
vars: vars:
role_name: clear-firewall role_name: clear-firewall
- job:
name: zuul-jobs-test-enable-fips
description: Test the enable-fips role
files:
- roles/enable-fips/.*
run: test-playbooks/simple-role-test.yaml
vars:
role_name: enable-fips
nodeset:
nodes:
- name: centos-8-stream
label: centos-8-stream
- job: - job:
name: zuul-jobs-test-ensure-bazelisk name: zuul-jobs-test-ensure-bazelisk
description: Test the ensure-bazelisk role description: Test the ensure-bazelisk role
@ -749,6 +762,7 @@
- zuul-jobs-test-bindep-ubuntu-xenial - zuul-jobs-test-bindep-ubuntu-xenial
- zuul-jobs-test-bindep-ubuntu-focal - zuul-jobs-test-bindep-ubuntu-focal
- zuul-jobs-test-clear-firewall - zuul-jobs-test-clear-firewall
- zuul-jobs-test-enable-fips
- zuul-jobs-test-ensure-bazelisk - zuul-jobs-test-ensure-bazelisk
- zuul-jobs-test-netconsole - zuul-jobs-test-netconsole
- zuul-jobs-test-dstat-graph - zuul-jobs-test-dstat-graph
@ -798,6 +812,7 @@
- zuul-jobs-test-bindep-ubuntu-xenial - zuul-jobs-test-bindep-ubuntu-xenial
- zuul-jobs-test-bindep-ubuntu-focal - zuul-jobs-test-bindep-ubuntu-focal
- zuul-jobs-test-clear-firewall - zuul-jobs-test-clear-firewall
- zuul-jobs-test-enable-fips
- zuul-jobs-test-ensure-bazelisk - zuul-jobs-test-ensure-bazelisk
- zuul-jobs-test-netconsole - zuul-jobs-test-netconsole
- zuul-jobs-test-dstat-graph - zuul-jobs-test-dstat-graph