Add fips check jobs
This patch adds two new FIPS-enabled jobs to determine whether any issues appear when FIPS is enabled. Because the FIPS jobs currently run on CentOS, code is added to the test setup script to set up the databases correctly. The swap space on the nodes also had to be increased; see [0] for an explanation. [0] https://review.opendev.org/c/openstack/devstack/+/803706 Depends-On: https://review.opendev.org/c/openstack/devstack-plugin-nfs/+/847087 Depends-On: https://review.opendev.org/c/openstack/cinder-tempest-plugin/+/847086 Change-Id: Ib85b6ecc6f1b12eb8afa866e56afbfb13aad0cba
parent
42d5d1d648
commit
933a7b7e6c
17
.zuul.yaml
17
.zuul.yaml
@ -58,6 +58,9 @@
|
|||||||
irrelevant-files: *gate-irrelevant-files
|
irrelevant-files: *gate-irrelevant-files
|
||||||
- cinder-tempest-plugin-lvm-lio-barbican:
|
- cinder-tempest-plugin-lvm-lio-barbican:
|
||||||
irrelevant-files: *gate-irrelevant-files
|
irrelevant-files: *gate-irrelevant-files
|
||||||
|
- cinder-tempest-plugin-lvm-lio-barbican-fips:
|
||||||
|
voting: false
|
||||||
|
irrelevant-files: *gate-irrelevant-files
|
||||||
- cinder-grenade-mn-sub-volbak:
|
- cinder-grenade-mn-sub-volbak:
|
||||||
irrelevant-files: *gate-irrelevant-files
|
irrelevant-files: *gate-irrelevant-files
|
||||||
- cinder-tempest-lvm-multibackend:
|
- cinder-tempest-lvm-multibackend:
|
||||||
@ -68,6 +71,9 @@
|
|||||||
irrelevant-files: *gate-irrelevant-files
|
irrelevant-files: *gate-irrelevant-files
|
||||||
- devstack-plugin-nfs-tempest-full:
|
- devstack-plugin-nfs-tempest-full:
|
||||||
irrelevant-files: *gate-irrelevant-files
|
irrelevant-files: *gate-irrelevant-files
|
||||||
|
- devstack-plugin-nfs-tempest-full-fips:
|
||||||
|
voting: false
|
||||||
|
irrelevant-files: *gate-irrelevant-files
|
||||||
- tempest-slow-py3:
|
- tempest-slow-py3:
|
||||||
irrelevant-files: *gate-irrelevant-files
|
irrelevant-files: *gate-irrelevant-files
|
||||||
- tempest-integrated-storage:
|
- tempest-integrated-storage:
|
||||||
@ -175,6 +181,17 @@
|
|||||||
volume-feature-enabled:
|
volume-feature-enabled:
|
||||||
volume_revert: True
|
volume_revert: True
|
||||||
|
|
||||||
|
- job:
|
||||||
|
# this depends on some ceph admin setup which is not yet complete
|
||||||
|
# TODO(alee) enable this test when ceph admin work is complete.
|
||||||
|
name: cinder-plugin-ceph-tempest-fips
|
||||||
|
parent: cinder-plugin-ceph-tempest
|
||||||
|
nodeset: devstack-single-node-centos-9-stream
|
||||||
|
pre-run: playbooks/enable-fips.yaml
|
||||||
|
vars:
|
||||||
|
configure_swap_size: 4096
|
||||||
|
nslookup_target: 'opendev.org'
|
||||||
|
|
||||||
- job:
|
- job:
|
||||||
name: cinder-plugin-ceph-tempest-mn-aa
|
name: cinder-plugin-ceph-tempest-mn-aa
|
||||||
parent: devstack-plugin-ceph-multinode-tempest-py3
|
parent: devstack-plugin-ceph-multinode-tempest-py3
|
||||||
|
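Review bot: The two job entries added in the first two hunks, `cinder-tempest-plugin-lvm-lio-barbican-fips` and `devstack-plugin-nfs-tempest-full-fips`, are `voting: false` with nothing recording when that is meant to change, so a change that fails only under FIPS mode can still merge while the job is red. A comment above each entry, such as `# TODO: make this job voting once it is stable`, would keep that intent with the config. In the third hunk, `configure_swap_size: 4096` has no explanation next to it; the commit message points to the devstack review for the swap increase, and a comment like `# FIPS nodes need more swap, see https://review.opendev.org/c/openstack/devstack/+/803706` would keep the reason with the variable. The `cinder-plugin-ceph-tempest-fips` job is defined here but, as far as the visible hunks show, is not listed in any pipeline, which matches its TODO.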
@ -29,6 +29,7 @@ postgresql
|
|||||||
postgresql-client [platform:dpkg]
|
postgresql-client [platform:dpkg]
|
||||||
postgresql-devel [platform:rpm]
|
postgresql-devel [platform:rpm]
|
||||||
postgresql-server [platform:rpm]
|
postgresql-server [platform:rpm]
|
||||||
|
python3-devel [platform:rpm test]
|
||||||
libpq-dev [platform:dpkg]
|
libpq-dev [platform:dpkg]
|
||||||
thin-provisioning-tools [platform:debian]
|
thin-provisioning-tools [platform:debian]
|
||||||
libxml2-dev [platform:dpkg test]
|
libxml2-dev [platform:dpkg test]
|
||||||
|
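--- a/playbooks/enable-fips.yaml
+++ b/playbooks/enable-fips.yaml
@@ -0,0 +1,3 @@
+- hosts: all
+roles:
+- enable-fips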
@ -15,6 +15,47 @@ DB_ROOT_PW=${MYSQL_ROOT_PW:-insecure_slave}
|
|||||||
DB_USER=openstack_citest
|
DB_USER=openstack_citest
|
||||||
DB_PW=openstack_citest
|
DB_PW=openstack_citest
|
||||||
|
|
||||||
|
function is_rhel7 {
|
||||||
|
[ -f /usr/bin/yum ] && \
|
||||||
|
cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \
|
||||||
|
cat /etc/*release | grep -q 'release 7'
|
||||||
|
}
|
||||||
|
|
||||||
|
function is_rhel8 {
|
||||||
|
[ -f /usr/bin/dnf ] && \
|
||||||
|
cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \
|
||||||
|
cat /etc/*release | grep -q 'release 8'
|
||||||
|
}
|
||||||
|
|
||||||
|
function is_rhel9 {
|
||||||
|
[ -f /usr/bin/dnf ] && \
|
||||||
|
cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \
|
||||||
|
cat /etc/*release | grep -q 'release 9'
|
||||||
|
}
|
||||||
|
|
||||||
|
function set_conf_line { # file regex value
|
||||||
|
sudo sh -c "grep -q -e '$2' $1 && \
|
||||||
|
sed -i 's|$2|$3|g' $1 || \
|
||||||
|
echo '$3' >> $1"
|
||||||
|
}
|
||||||
|
|
||||||
|
if is_rhel7 || is_rhel8 || is_rhel9; then
|
||||||
|
# mysql needs to be started on centos/rhel
|
||||||
|
sudo systemctl restart mariadb.service
|
||||||
|
|
||||||
|
# postgres setup for centos
|
||||||
|
sudo postgresql-setup --initdb
|
||||||
|
PG_CONF=/var/lib/pgsql/data/postgresql.conf
|
||||||
|
set_conf_line $PG_CONF '^password_encryption =.*' 'password_encryption = scram-sha-256'
|
||||||
|
|
||||||
|
PG_HBA=/var/lib/pgsql/data/pg_hba.conf
|
||||||
|
set_conf_line $PG_HBA '^local[ \t]*all[ \t]*all.*' 'local all all peer'
|
||||||
|
set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*127.0.0.1\/32.*' 'host all all 127.0.0.1/32 scram-sha-256'
|
||||||
|
set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*::1\/128.*' 'host all all ::1/128 scram-sha-256'
|
||||||
|
|
||||||
|
sudo systemctl restart postgresql.service
|
||||||
|
fi
|
||||||
|
|
||||||
sudo -H mysqladmin -u root password $DB_ROOT_PW
|
sudo -H mysqladmin -u root password $DB_ROOT_PW
|
||||||
|
|
||||||
# It's best practice to remove anonymous users from the database. If
|
# It's best practice to remove anonymous users from the database. If
|
||||||
|
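Review bot: `set_conf_line` splices its three arguments into the string handed to `sudo sh -c`, so a path, regex or value containing `'` is re-parsed by a root shell instead of being treated as data. The callers in this hunk pass only constants, so nothing breaks today, but the helper is safer if it hands the arguments to the inner shell positionally. The `grep && sed || echo` chain also appends the line when `sed` itself fails, which an `if`/`else` avoids. The rewrite below keeps the same call signature; the regex and value still must not contain the `|` used as the sed delimiter.

```shell
function set_conf_line { # file regex value
    # Arguments are passed positionally so the root shell never re-parses them.
    sudo sh -c '
        if grep -q -e "$2" "$1"; then
            sed -i "s|$2|$3|g" "$1"
        else
            printf "%s\n" "$3" >> "$1"
        fi' sh "$1" "$2" "$3"
}
```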