Add functional and fullstack jobs with FIPS enabled
This patch adds definitions of the functional and fullstack jobs with FIPS support enabled [1]. The jobs are based on CentOS 8 Stream, as this distro allows FIPS support to be enabled. The jobs are added to the experimental queue for now. This patch also makes some changes in bindep and the configure_functional_tests role to make the functional/fullstack tests work on CentOS. [1] https://csrc.nist.gov/publications/detail/fips/140/3/final Co-Authored-By: Ade Lee <alee@redhat.com> Change-Id: I582495826155740ad2660ee2a8717696b0393d26
parent
63f8a39d75
commit
836592a8bc
@ -15,10 +15,11 @@ libffi-devel [platform:rpm]
|
||||
# periodic-neutron-py35-with-neutron-lib-master.
|
||||
haproxy
|
||||
libmysqlclient-dev [platform:dpkg test]
|
||||
mysql [platform:rpm test]
|
||||
mariadb [platform:rpm test]
|
||||
mariadb-devel [platform:rpm test]
|
||||
mariadb-server [platform:rpm test]
|
||||
mysql-client [platform:dpkg test]
|
||||
mysql-devel [platform:rpm test]
|
||||
mysql-server [test]
|
||||
mysql-server [platform:dpkg test]
|
||||
postgresql [test]
|
||||
postgresql-client [platform:dpkg test]
|
||||
postgresql-devel [platform:rpm test]
|
||||
|
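--- a/playbooks/enable-fips.yaml
+++ b/playbooks/enable-fips.yaml
@@ -0,0 +1,5 @@
+- hosts: all
+roles:
+- persistent-firewall
+- enable-fips
+- disable_selinux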
@ -15,10 +15,24 @@
|
||||
STACK_USER=stack
|
||||
OVS_BRANCH={{ OVS_BRANCH }}
|
||||
OVN_BRANCH={{ OVN_BRANCH }}
|
||||
# This is DB USER used in e.g. pgsql db
|
||||
DATABASE_USER=openstack_citest
|
||||
|
||||
source $DEVSTACK_PATH/functions
|
||||
source $DEVSTACK_PATH/lib/neutron_plugins/ovn_agent
|
||||
source $NEUTRON_DIR/tools/configure_for_func_testing.sh
|
||||
|
||||
if is_fedora; then
|
||||
# NOTE(slqweq) Running functional job e.g. on Centos requires to
|
||||
# have repo with rabbitmq-server and some other packages available
|
||||
install_package centos-release-openstack-victoria
|
||||
install_package iproute-tc haproxy keepalived
|
||||
|
||||
# NOTE(slaweq) On Fedora/CentOS systems make sure that SELinux is
|
||||
# not in enforcing mode
|
||||
sudo setenforce 0
|
||||
fi
|
||||
|
||||
configure_host_for_func_testing
|
||||
|
||||
executable: /bin/bash
|
||||
|
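Review bot: The `sudo setenforce 0` in the `if is_fedora` block puts SELinux into permissive mode for every functional or fullstack run on a Fedora-family node, not only the FIPS jobs, and the new `disable_selinux` role listed in `playbooks/enable-fips.yaml` does the same thing a second time. Keeping it in one place would make the scope explicit, and that place should record what is denied under enforcing mode, for example `# SELinux is permissive because <component> is denied in enforcing mode; revisit once a policy exists`. As written, the FIPS jobs exercise the crypto policy with SELinux enforcement off, so a green run says nothing about denials on a host that keeps enforcing mode. The `install_package centos-release-openstack-victoria` line in the same block pins one release name and will need updating by hand, and the first NOTE misspells the handle as `slqweq`.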
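--- a/roles/disable_selinux/tasks/main.yaml
+++ b/roles/disable_selinux/tasks/main.yaml
@@ -0,0 +1,3 @@
+- name: Ensure SELinux is in permissive mode
+become: yes
+command: "setenforce 0"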
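Review bot: The task runs `setenforce 0` through `command`, so it reports "changed" on every run and fails on a node where SELinux is already disabled, because `setenforce` exits non-zero there. Adding `changed_when: false` and writing `become: true` instead of `become: yes` would keep the task quiet and lint-clean. The role is named `disable_selinux` while the task sets permissive mode; the two should agree, since permissive mode still logs denials and a disabled SELinux does not.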
@ -20,6 +20,8 @@ set -e
|
||||
# directly or allow the gate_hook to import.
|
||||
IS_GATE=${IS_GATE:-False}
|
||||
USE_CONSTRAINT_ENV=${USE_CONSTRAINT_ENV:-True}
|
||||
MYSQL_USER=${MYSQL_USER:-root}
|
||||
DATABASE_USER=${DATABASE_USER:-${MYSQL_USER}}
|
||||
|
||||
|
||||
if [[ "$IS_GATE" != "True" ]] && [[ "$#" -lt 1 ]]; then
|
||||
@ -153,8 +155,8 @@ function _install_databases {
|
||||
return 0
|
||||
fi
|
||||
|
||||
MYSQL_PASSWORD=${MYSQL_PASSWORD:-stackdb}
|
||||
DATABASE_PASSWORD=${DATABASE_PASSWORD:-stackdb}
|
||||
MYSQL_PASSWORD=${MYSQL_PASSWORD:-openstack_citest}
|
||||
DATABASE_PASSWORD=${DATABASE_PASSWORD:-openstack_citest}
|
||||
|
||||
source $DEVSTACK_PATH/lib/database
|
||||
|
||||
@ -176,18 +178,16 @@ function _install_databases {
|
||||
|
||||
cat << EOF > $tmp_dir/mysql.sql
|
||||
CREATE DATABASE openstack_citest;
|
||||
CREATE USER 'openstack_citest'@'localhost' IDENTIFIED BY 'openstack_citest';
|
||||
CREATE USER 'openstack_citest' IDENTIFIED BY 'openstack_citest';
|
||||
GRANT ALL PRIVILEGES ON *.* TO 'openstack_citest'@'localhost';
|
||||
GRANT ALL PRIVILEGES ON *.* TO 'openstack_citest';
|
||||
CREATE USER '${DATABASE_USER}'@'localhost' IDENTIFIED BY '${MYSQL_PASSWORD}';
|
||||
GRANT ALL PRIVILEGES ON *.* TO '${DATABASE_USER}'@'localhost';
|
||||
FLUSH PRIVILEGES;
|
||||
EOF
|
||||
/usr/bin/mysql -u root -p"$MYSQL_PASSWORD" < $tmp_dir/mysql.sql
|
||||
|
||||
if [[ "$install_pg" == "True" ]]; then
|
||||
cat << EOF > $tmp_dir/postgresql.sql
|
||||
CREATE USER openstack_citest WITH CREATEDB LOGIN PASSWORD 'openstack_citest';
|
||||
CREATE DATABASE openstack_citest WITH OWNER openstack_citest;
|
||||
CREATE USER ${DATABASE_USER} WITH CREATEDB LOGIN PASSWORD ${DATABASE_PASSWORD};
|
||||
CREATE DATABASE ${DATABASE_USER} WITH OWNER ${DATABASE_USER};
|
||||
EOF
|
||||
|
||||
# User/group postgres needs to be given access to tmp_dir
|
||||
|
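Review bot: In the last hunk the PostgreSQL statement `CREATE USER ${DATABASE_USER} WITH CREATEDB LOGIN PASSWORD ${DATABASE_PASSWORD};` has no quotes around the password, while the hard-coded line next to it has them. PostgreSQL expects a string literal after `PASSWORD`, so as displayed the statement would be rejected; it should read `PASSWORD '${DATABASE_PASSWORD}'`. The MySQL `CREATE USER` line takes the new user's password from `${MYSQL_PASSWORD}`, which is also the root password passed to `/usr/bin/mysql -u root -p`, whereas the PostgreSQL side uses `${DATABASE_PASSWORD}`; using `DATABASE_PASSWORD` in both keeps the test account separate from root. Both heredocs interpolate the variables unescaped, so an overridden value containing a quote would change the SQL; a comment saying the values must be plain identifiers would help. `_install_databases` starts and ends outside these hunks.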
@ -104,6 +104,32 @@
|
||||
required-projects:
|
||||
- openstack/neutron-lib
|
||||
|
||||
- job:
|
||||
name: neutron-functional-with-uwsgi-fips
|
||||
parent: neutron-functional-with-uwsgi
|
||||
nodeset: devstack-single-node-centos-8-stream
|
||||
description: |
|
||||
Functional testing for a FIPS enabled Centos 8 system
|
||||
pre-run: playbooks/enable-fips.yaml
|
||||
vars:
|
||||
configure_swap_size: 4096
|
||||
devstack_localrc:
|
||||
ISCSI_CHAP_ALGORITHMS: SHA3-256,SHA256
|
||||
Q_BUILD_OVS_FROM_GIT: true
|
||||
|
||||
- job:
|
||||
name: neutron-fullstack-with-uwsgi-fips
|
||||
parent: neutron-fullstack-with-uwsgi
|
||||
nodeset: devstack-single-node-centos-8-stream
|
||||
description: |
|
||||
Functional testing for a FIPS enabled Centos 8 system
|
||||
pre-run: playbooks/enable-fips.yaml
|
||||
vars:
|
||||
configure_swap_size: 4096
|
||||
devstack_localrc:
|
||||
ISCSI_CHAP_ALGORITHMS: SHA3-256,SHA256
|
||||
Q_BUILD_OVS_FROM_GIT: true
|
||||
|
||||
- job:
|
||||
name: neutron-linuxbridge-tempest-plugin-scenario-nftables
|
||||
parent: neutron-tempest-plugin-scenario-linuxbridge
|
||||
|
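Review bot: The description of `neutron-fullstack-with-uwsgi-fips` is copied from the functional job and still reads "Functional testing for a FIPS enabled Centos 8 system"; it should read `Fullstack testing for a FIPS enabled CentOS 8 system`. Neither job explains the `ISCSI_CHAP_ALGORITHMS: SHA3-256,SHA256` override. A comment such as `# restrict CHAP to SHA digests; presumably MD5 is rejected in FIPS mode` would tell the next reader why it is there, once the reason is confirmed. The two jobs differ only in `name` and `parent`, so any later change to the shared `vars` has to be made in both places.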
@ -85,6 +85,8 @@
|
||||
|
||||
experimental:
|
||||
jobs:
|
||||
- neutron-functional-with-uwsgi-fips
|
||||
- neutron-fullstack-with-uwsgi-fips
|
||||
- neutron-ovn-grenade-multinode
|
||||
- neutron-ovn-tempest-with-uwsgi-loki
|
||||
- neutron-ovn-tempest-full-multinode-ovs-master
|
||||
|