Add fips check jobs

This patch adds two new FIPS enabled jobs to determine if there are any
issues when FIPS is enabled.

Because the FIPS jobs currently run on centos, code is added to the
test setup script to set up the databases correctly.  Also had
to increase the swap space on the nodes; see [0] for an explanation.

[0] https://review.opendev.org/c/openstack/devstack/+/803706

Depends-On: https://review.opendev.org/c/openstack/devstack-plugin-nfs/+/847087
Depends-On: https://review.opendev.org/c/openstack/cinder-tempest-plugin/+/847086

Change-Id: Ib85b6ecc6f1b12eb8afa866e56afbfb13aad0cba
This commit is contained in:
Ade Lee 2022-01-12 13:56:55 -08:00 committed by Eric Harney
parent 42d5d1d648
commit 933a7b7e6c
4 changed files with 62 additions and 0 deletions

View File

@ -58,6 +58,9 @@
irrelevant-files: *gate-irrelevant-files irrelevant-files: *gate-irrelevant-files
- cinder-tempest-plugin-lvm-lio-barbican: - cinder-tempest-plugin-lvm-lio-barbican:
irrelevant-files: *gate-irrelevant-files irrelevant-files: *gate-irrelevant-files
- cinder-tempest-plugin-lvm-lio-barbican-fips:
voting: false
irrelevant-files: *gate-irrelevant-files
- cinder-grenade-mn-sub-volbak: - cinder-grenade-mn-sub-volbak:
irrelevant-files: *gate-irrelevant-files irrelevant-files: *gate-irrelevant-files
- cinder-tempest-lvm-multibackend: - cinder-tempest-lvm-multibackend:
@ -68,6 +71,9 @@
irrelevant-files: *gate-irrelevant-files irrelevant-files: *gate-irrelevant-files
- devstack-plugin-nfs-tempest-full: - devstack-plugin-nfs-tempest-full:
irrelevant-files: *gate-irrelevant-files irrelevant-files: *gate-irrelevant-files
- devstack-plugin-nfs-tempest-full-fips:
voting: false
irrelevant-files: *gate-irrelevant-files
- tempest-slow-py3: - tempest-slow-py3:
irrelevant-files: *gate-irrelevant-files irrelevant-files: *gate-irrelevant-files
- tempest-integrated-storage: - tempest-integrated-storage:
@ -175,6 +181,17 @@
volume-feature-enabled: volume-feature-enabled:
volume_revert: True volume_revert: True
- job:
# this depends on some ceph admin setup which is not yet complete
# TODO(alee) enable this test when ceph admin work is complete.
name: cinder-plugin-ceph-tempest-fips
parent: cinder-plugin-ceph-tempest
nodeset: devstack-single-node-centos-9-stream
pre-run: playbooks/enable-fips.yaml
vars:
configure_swap_size: 4096
nslookup_target: 'opendev.org'
- job: - job:
name: cinder-plugin-ceph-tempest-mn-aa name: cinder-plugin-ceph-tempest-mn-aa
parent: devstack-plugin-ceph-multinode-tempest-py3 parent: devstack-plugin-ceph-multinode-tempest-py3

View File

@ -29,6 +29,7 @@ postgresql
postgresql-client [platform:dpkg] postgresql-client [platform:dpkg]
postgresql-devel [platform:rpm] postgresql-devel [platform:rpm]
postgresql-server [platform:rpm] postgresql-server [platform:rpm]
python3-devel [platform:rpm test]
libpq-dev [platform:dpkg] libpq-dev [platform:dpkg]
thin-provisioning-tools [platform:debian] thin-provisioning-tools [platform:debian]
libxml2-dev [platform:dpkg test] libxml2-dev [platform:dpkg test]

View File

@ -0,0 +1,3 @@
- hosts: all
roles:
- enable-fips

View File

@ -15,6 +15,47 @@ DB_ROOT_PW=${MYSQL_ROOT_PW:-insecure_slave}
DB_USER=openstack_citest DB_USER=openstack_citest
DB_PW=openstack_citest DB_PW=openstack_citest
function is_rhel7 {
[ -f /usr/bin/yum ] && \
cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \
cat /etc/*release | grep -q 'release 7'
}
function is_rhel8 {
[ -f /usr/bin/dnf ] && \
cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \
cat /etc/*release | grep -q 'release 8'
}
function is_rhel9 {
[ -f /usr/bin/dnf ] && \
cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \
cat /etc/*release | grep -q 'release 9'
}
function set_conf_line { # file regex value
sudo sh -c "grep -q -e '$2' $1 && \
sed -i 's|$2|$3|g' $1 || \
echo '$3' >> $1"
}
if is_rhel7 || is_rhel8 || is_rhel9; then
# mysql needs to be started on centos/rhel
sudo systemctl restart mariadb.service
# postgres setup for centos
sudo postgresql-setup --initdb
PG_CONF=/var/lib/pgsql/data/postgresql.conf
set_conf_line $PG_CONF '^password_encryption =.*' 'password_encryption = scram-sha-256'
PG_HBA=/var/lib/pgsql/data/pg_hba.conf
set_conf_line $PG_HBA '^local[ \t]*all[ \t]*all.*' 'local all all peer'
set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*127.0.0.1\/32.*' 'host all all 127.0.0.1/32 scram-sha-256'
set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*::1\/128.*' 'host all all ::1/128 scram-sha-256'
sudo systemctl restart postgresql.service
fi
sudo -H mysqladmin -u root password $DB_ROOT_PW sudo -H mysqladmin -u root password $DB_ROOT_PW
# It's best practice to remove anonymous users from the database. If # It's best practice to remove anonymous users from the database. If