Add role to enable FIPS on a node
Adds role to be used to enable FIPS on test nodes, so that projects can create jobs that would test when FIPS is enabled. This is pretty much copied from the same role in ansible zuul jobs, where it works well. Thanks to Paul Belanger for pointing it out. https://github.com/ansible/ansible-zuul-jobs/blob/master/roles/enable-fips-mode/tasks/main.yaml An example showing how this can be used is in: https://review.opendev.org/c/openstack/barbican/+/760665 Change-Id: If07b8ddb77368d591659f3a111e3f5306daf6f06
parent
01cae8ee22
commit
be0415e556
@ -13,6 +13,7 @@ General Purpose Roles
|
|||||||
.. zuul:autorole:: download-artifact
|
.. zuul:autorole:: download-artifact
|
||||||
.. zuul:autorole:: dstat-graph
|
.. zuul:autorole:: dstat-graph
|
||||||
.. zuul:autorole:: emit-job-header
|
.. zuul:autorole:: emit-job-header
|
||||||
|
.. zuul:autorole:: enable-fips
|
||||||
.. zuul:autorole:: enable-netconsole
|
.. zuul:autorole:: enable-netconsole
|
||||||
.. zuul:autorole:: ensure-bazelisk
|
.. zuul:autorole:: ensure-bazelisk
|
||||||
.. zuul:autorole:: ensure-dhall
|
.. zuul:autorole:: ensure-dhall
|
||||||
|
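--- /dev/null
+++ b/roles/enable-fips/README.rst
@@ -0,0 +1,4 @@
+Enable FIPS on a node.
+
+Set a node into FIPS mode, to test functionality when crypto
+policies are set to FIPS in RHEL 8/Centos 8.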
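--- /dev/null
+++ b/roles/enable-fips/tasks/main.yaml
@@ -0,0 +1,63 @@
+---
+- name: Make sure this role is run on RHEL/CentOS 8 systems
+  fail:
+    msg: This role supports RHEL/CentOS 8 systems only
+  when:
+    - (ansible_distribution != 'CentOS' and ansible_distribution != 'Red Hat Enterprise Linux') or
+      ansible_distribution_major_version != '8'
+
+- name: Install fips-mode-setup
+  become: true
+  package:
+    name: crypto-policies-scripts
+    state: present
+
+- name: Enable FIPS mode
+  become: true
+  command: fips-mode-setup --enable
+
+- name: check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub
+  become: true
+  shell: |
+    set -o pipefail
+    grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub
+  register: test_grep
+  failed_when: false
+
+- name: add GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
+  become: true
+  lineinfile:
+    path: /etc/default/grub
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"'
+  when: test_grep.rc != 0
+
+- name: Replace GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
+  become: true
+  lineinfile:
+    path: /etc/default/grub
+    regexp: 'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 fips=1"'
+    backrefs: true
+  when: test_grep.rc == 0
+
+- name: Rebuild grub.cfg file
+  become: true
+  command: grub2-mkconfig -o /boot/grub2/grub.cfg
+
+- name: Reboot server for FIPS mode
+  become: true
+  reboot:
+    reboot_timeout: 1800
+
+- name: Run start-zuul-console role
+  include_role:
+    name: start-zuul-console
+
+- name: Ensure FIPS mode is enabled
+  become: true
+  command: fips-mode-setup --check
+  register: _result
+
+- name: Assert FIPS is enabled
+  assert:
+    that: _result.stdout == "FIPS mode is enabled."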
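Review bot: The `grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub` check in the fourth task and the unanchored `regexp: 'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'` in the sixth both match a commented-out `#GRUB_CMDLINE_LINUX_DEFAULT=...` line, so on such a host the replace branch rewrites the comment in place and `fips=1` never reaches grub.cfg through this path. Anchoring both, `command: grep '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub` (the `set -o pipefail` line guards no pipe, so the `shell` block is not needed) and `regexp: '^GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$'`, limits the edit to the active assignment. Separately, the backrefs replacement appends another `fips=1` each time the role runs, which is harmless for a fresh test node but worth a comment above the task. Whether the final `fips-mode-setup --check` assert would still pass with the commented-out line depends on what `fips-mode-setup --enable` itself writes to the boot configuration, which this hunk does not show; that assert is what turns a silent failure to enter FIPS mode into a job failure instead of a test run in non-FIPS mode, so it belongs where it is, as the last task.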
@ -368,6 +368,19 @@
|
|||||||
vars:
|
vars:
|
||||||
role_name: clear-firewall
|
role_name: clear-firewall
|
||||||
|
|
||||||
|
- job:
|
||||||
|
name: zuul-jobs-test-enable-fips
|
||||||
|
description: Test the enable-fips role
|
||||||
|
files:
|
||||||
|
- roles/enable-fips/.*
|
||||||
|
run: test-playbooks/simple-role-test.yaml
|
||||||
|
vars:
|
||||||
|
role_name: enable-fips
|
||||||
|
nodeset:
|
||||||
|
nodes:
|
||||||
|
- name: centos-8-stream
|
||||||
|
label: centos-8-stream
|
||||||
|
|
||||||
- job:
|
- job:
|
||||||
name: zuul-jobs-test-ensure-bazelisk
|
name: zuul-jobs-test-ensure-bazelisk
|
||||||
description: Test the ensure-bazelisk role
|
description: Test the ensure-bazelisk role
|
||||||
@ -749,6 +762,7 @@
|
|||||||
- zuul-jobs-test-bindep-ubuntu-xenial
|
- zuul-jobs-test-bindep-ubuntu-xenial
|
||||||
- zuul-jobs-test-bindep-ubuntu-focal
|
- zuul-jobs-test-bindep-ubuntu-focal
|
||||||
- zuul-jobs-test-clear-firewall
|
- zuul-jobs-test-clear-firewall
|
||||||
|
- zuul-jobs-test-enable-fips
|
||||||
- zuul-jobs-test-ensure-bazelisk
|
- zuul-jobs-test-ensure-bazelisk
|
||||||
- zuul-jobs-test-netconsole
|
- zuul-jobs-test-netconsole
|
||||||
- zuul-jobs-test-dstat-graph
|
- zuul-jobs-test-dstat-graph
|
||||||
@ -798,6 +812,7 @@
|
|||||||
- zuul-jobs-test-bindep-ubuntu-xenial
|
- zuul-jobs-test-bindep-ubuntu-xenial
|
||||||
- zuul-jobs-test-bindep-ubuntu-focal
|
- zuul-jobs-test-bindep-ubuntu-focal
|
||||||
- zuul-jobs-test-clear-firewall
|
- zuul-jobs-test-clear-firewall
|
||||||
|
- zuul-jobs-test-enable-fips
|
||||||
- zuul-jobs-test-ensure-bazelisk
|
- zuul-jobs-test-ensure-bazelisk
|
||||||
- zuul-jobs-test-netconsole
|
- zuul-jobs-test-netconsole
|
||||||
- zuul-jobs-test-dstat-graph
|
- zuul-jobs-test-dstat-graph
|
||||||
|