Add functional and fullstack jobs with FIPS enabled

This patch adds definitions of the functional and fullstack jobs
with FIPS support enabled [1].
The jobs are based on CentOS 8 Stream, as this distro allows
FIPS support to be enabled.
The jobs are added to the experimental queue for now.

This patch also makes some changes in bindep and the
configure_functional_tests role to make the functional/fullstack tests
work on CentOS.

[1] https://csrc.nist.gov/publications/detail/fips/140/3/final

Co-Authored-By: Ade Lee <alee@redhat.com>
Change-Id: I582495826155740ad2660ee2a8717696b0393d26
Slawek Kaplonski 2021-10-14 15:14:49 +02:00
parent 63f8a39d75
commit 836592a8bc
7 changed files with 62 additions and 11 deletions


@ -15,10 +15,11 @@ libffi-devel [platform:rpm]
# periodic-neutron-py35-with-neutron-lib-master.
haproxy
libmysqlclient-dev [platform:dpkg test]
mysql [platform:rpm test]
mariadb [platform:rpm test]
mariadb-devel [platform:rpm test]
mariadb-server [platform:rpm test]
mysql-client [platform:dpkg test]
mysql-devel [platform:rpm test]
mysql-server [test]
mysql-server [platform:dpkg test]
postgresql [test]
postgresql-client [platform:dpkg test]
postgresql-devel [platform:rpm test]


@ -0,0 +1,5 @@
- hosts: all
roles:
- persistent-firewall
- enable-fips
- disable_selinux


@ -15,10 +15,24 @@
STACK_USER=stack
OVS_BRANCH={{ OVS_BRANCH }}
OVN_BRANCH={{ OVN_BRANCH }}
# This is DB USER used in e.g. pgsql db
DATABASE_USER=openstack_citest
source $DEVSTACK_PATH/functions
source $DEVSTACK_PATH/lib/neutron_plugins/ovn_agent
source $NEUTRON_DIR/tools/configure_for_func_testing.sh
if is_fedora; then
# NOTE(slqweq) Running functional job e.g. on Centos requires to
# have repo with rabbitmq-server and some other packages available
install_package centos-release-openstack-victoria
install_package iproute-tc haproxy keepalived
# NOTE(slaweq) On Fedora/CentOS systems make sure that SELinux is
# not in enforcing mode
sudo setenforce 0
fi
configure_host_for_func_testing
executable: /bin/bash
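Review bot: The `is_fedora` branch runs `sudo setenforce 0` on every Fedora/CentOS run of this role, not only the FIPS jobs, and the FIPS jobs apparently get the same change again from the `disable_selinux` role in their pre-run playbook, so the step is duplicated and its reason is not recorded. I would drop one of the two, or extend the comment to `# NOTE(slaweq) SELinux is set to permissive because <reason>`. The repository package `centos-release-openstack-victoria` is pinned to one release name and will go stale, so a comment saying when to bump it would help. The first note is attributed to `slqweq`, presumably a typo for `slaweq`.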


@ -0,0 +1,3 @@
- name: Ensure SELinux is in permissive mode
become: yes
command: "setenforce 0"
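Review bot: `command: "setenforce 0"` exits non-zero when SELinux is already disabled on the node and is reported as changed on every run, so this task can fail the pre-run on an image that boots without SELinux active. Adding `when: ansible_facts.selinux.status == 'enabled'` and `changed_when: false` would cover both cases. The role is named `disable_selinux` but only switches the running system to permissive mode, and that setting does not survive a reboot, so the role has to stay after anything that reboots the node (presumably `enable-fips`); a one-line comment saying so would help. `become: yes` is better written as `become: true`.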


@ -20,6 +20,8 @@ set -e
# directly or allow the gate_hook to import.
IS_GATE=${IS_GATE:-False}
USE_CONSTRAINT_ENV=${USE_CONSTRAINT_ENV:-True}
MYSQL_USER=${MYSQL_USER:-root}
DATABASE_USER=${DATABASE_USER:-${MYSQL_USER}}
if [[ "$IS_GATE" != "True" ]] && [[ "$#" -lt 1 ]]; then
@ -153,8 +155,8 @@ function _install_databases {
return 0
fi
MYSQL_PASSWORD=${MYSQL_PASSWORD:-stackdb}
DATABASE_PASSWORD=${DATABASE_PASSWORD:-stackdb}
MYSQL_PASSWORD=${MYSQL_PASSWORD:-openstack_citest}
DATABASE_PASSWORD=${DATABASE_PASSWORD:-openstack_citest}
source $DEVSTACK_PATH/lib/database
@ -176,18 +178,16 @@ function _install_databases {
cat << EOF > $tmp_dir/mysql.sql
CREATE DATABASE openstack_citest;
CREATE USER 'openstack_citest'@'localhost' IDENTIFIED BY 'openstack_citest';
CREATE USER 'openstack_citest' IDENTIFIED BY 'openstack_citest';
GRANT ALL PRIVILEGES ON *.* TO 'openstack_citest'@'localhost';
GRANT ALL PRIVILEGES ON *.* TO 'openstack_citest';
CREATE USER '${DATABASE_USER}'@'localhost' IDENTIFIED BY '${MYSQL_PASSWORD}';
GRANT ALL PRIVILEGES ON *.* TO '${DATABASE_USER}'@'localhost';
FLUSH PRIVILEGES;
EOF
/usr/bin/mysql -u root -p"$MYSQL_PASSWORD" < $tmp_dir/mysql.sql
if [[ "$install_pg" == "True" ]]; then
cat << EOF > $tmp_dir/postgresql.sql
CREATE USER openstack_citest WITH CREATEDB LOGIN PASSWORD 'openstack_citest';
CREATE DATABASE openstack_citest WITH OWNER openstack_citest;
CREATE USER ${DATABASE_USER} WITH CREATEDB LOGIN PASSWORD ${DATABASE_PASSWORD};
CREATE DATABASE ${DATABASE_USER} WITH OWNER ${DATABASE_USER};
EOF
# User/group postgres needs to be given access to tmp_dir
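Review bot: In the PostgreSQL heredoc the password is interpolated without quotes, `PASSWORD ${DATABASE_PASSWORD}`, while the hard-coded statement next to it uses a quoted literal; PostgreSQL expects a string literal there, so as rendered this statement looks like it would be rejected. I would write `CREATE USER ${DATABASE_USER} WITH CREATEDB LOGIN PASSWORD '${DATABASE_PASSWORD}';`. The MySQL user is created with `${MYSQL_PASSWORD}` rather than `${DATABASE_PASSWORD}`, so the two backends diverge if a caller sets only one of them. With the new defaults `DATABASE_USER` falls back to `root`, in which case `CREATE USER 'root'@'localhost'` targets an account that normally already exists. `_install_databases` starts and ends outside the hunks shown.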


@ -104,6 +104,32 @@
required-projects:
- openstack/neutron-lib
- job:
name: neutron-functional-with-uwsgi-fips
parent: neutron-functional-with-uwsgi
nodeset: devstack-single-node-centos-8-stream
description: |
Functional testing for a FIPS enabled Centos 8 system
pre-run: playbooks/enable-fips.yaml
vars:
configure_swap_size: 4096
devstack_localrc:
ISCSI_CHAP_ALGORITHMS: SHA3-256,SHA256
Q_BUILD_OVS_FROM_GIT: true
- job:
name: neutron-fullstack-with-uwsgi-fips
parent: neutron-fullstack-with-uwsgi
nodeset: devstack-single-node-centos-8-stream
description: |
Functional testing for a FIPS enabled Centos 8 system
pre-run: playbooks/enable-fips.yaml
vars:
configure_swap_size: 4096
devstack_localrc:
ISCSI_CHAP_ALGORITHMS: SHA3-256,SHA256
Q_BUILD_OVS_FROM_GIT: true
- job:
name: neutron-linuxbridge-tempest-plugin-scenario-nftables
parent: neutron-tempest-plugin-scenario-linuxbridge
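Review bot: The description of `neutron-fullstack-with-uwsgi-fips` still says "Functional testing", which looks copied from the job above it; it should read `Fullstack testing for a FIPS enabled CentOS 8 system`. Both jobs set `ISCSI_CHAP_ALGORITHMS: SHA3-256,SHA256` without a comment, and it is not obvious from this file why a Neutron functional or fullstack run needs it. If it is required for FIPS mode, a short comment above the variable would help; if it was carried over from another project's FIPS job, it could be dropped.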


@ -85,6 +85,8 @@
experimental:
jobs:
- neutron-functional-with-uwsgi-fips
- neutron-fullstack-with-uwsgi-fips
- neutron-ovn-grenade-multinode
- neutron-ovn-tempest-with-uwsgi-loki
- neutron-ovn-tempest-full-multinode-ovs-master