zuul-jobs/roles/enable-fips/tasks/main.yaml
Gonéri Le Bouder 3cba437a15
enable-fips: Fedora also support FIPS
Fedora supports FIPS. There is no version check because the feature is
available on all the supported Fedora releases.

Change-Id: I924fb565a4d70e7c93a215e9e0a5b2b80bced52a
2021-10-28 15:20:59 -04:00


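---
# Enable FIPS mode on the target host, reboot it, and verify that FIPS is
# active afterwards. Supported platforms: RHEL/CentOS 8+ and Fedora (no Fedora
# version check is performed; the feature is expected on every supported release).

- name: Make sure this role is run on a RHEL/CentOS 8+ or Fedora system
  fail:
    msg: This role supports RHEL/CentOS 8 systems and Fedora only
  when:
    # Every entry must be true for the task to run, i.e. fail only when none
    # of the supported distribution/version combinations matched.
    - not (ansible_distribution == 'CentOS' and ansible_distribution_major_version|int >= 8)
    - not (ansible_distribution == 'Red Hat Enterprise Linux' and ansible_distribution_major_version|int >= 8)
    - ansible_distribution != 'Fedora'

- name: Install fips-mode-setup
  become: true
  package:
    # fips-mode-setup is shipped by crypto-policies-scripts.
    name: crypto-policies-scripts
    state: present

- name: Enable FIPS mode
  become: true
  command: fips-mode-setup --enable

# Read-only probe of /etc/default/grub. The pattern is anchored so that a
# commented-out "#GRUB_CMDLINE_LINUX_DEFAULT=..." line does not count as present.
# grep rc 0 = active line found, rc 1 = not found; any other rc (e.g. the file
# is missing) is a genuine error and is not masked.
- name: Check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub
  become: true
  command: grep "^GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub
  register: test_grep
  changed_when: false
  failed_when: test_grep.rc > 1

- name: Add GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
  become: true
  lineinfile:
    path: /etc/default/grub
    line: 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"'
  when: test_grep.rc != 0

# Only the active (uncommented) line is rewritten, and the append is skipped
# when fips=1 is already present so that re-running the role does not add the
# kernel argument a second time.
- name: Replace GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
  become: true
  lineinfile:
    path: /etc/default/grub
    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'
    line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 fips=1"'
    backrefs: true
  when:
    - test_grep.rc == 0
    - "'fips=1' not in test_grep.stdout"

# NOTE(review): assumes the BIOS/grub2 layout; on UEFI hosts grub.cfg may live
# under /boot/efi instead — confirm for the images this role targets.
- name: Rebuild grub.cfg file
  become: true
  command: grub2-mkconfig -o /boot/grub2/grub.cfg

# FIPS mode only takes effect once the kernel boots with fips=1.
- name: Reboot server for FIPS mode
  become: true
  reboot:
    reboot_timeout: 1800

# The console streamer does not survive the reboot, so restart it.
- name: Run start-zuul-console role
  include_role:
    name: start-zuul-console

- name: Ensure FIPS mode is enabled
  become: true
  command: fips-mode-setup --check
  register: _result
  changed_when: false

# fips-mode-setup --check can print further status lines after
# "FIPS mode is enabled.", so look for that line instead of comparing the
# whole of stdout.
- name: Assert FIPS is enabled
  assert:
    that: '"FIPS mode is enabled." in _result.stdout_lines'
    fail_msg: "fips-mode-setup --check reported: {{ _result.stdout }}"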