diff options
author | Zuul <zuul@review.opendev.org> | 2023-04-19 00:10:48 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2023-04-19 00:10:48 +0000 |
commit | 2e8aff660b18d1e8f961d6de979d541a8d06f1c1 (patch) | |
tree | 0375bb98b836d369df56a7328ebb5886f86f812b | |
parent | ecd2ac5bd434b2f3c979775342ebc59059ca9ad7 (diff) | |
parent | 933a7b7e6c1ce2e93f7bd22d6abb07180e43625a (diff) | |
download | cinder-2e8aff660b18d1e8f961d6de979d541a8d06f1c1.tar.gz |
Merge "Add fips check jobs"
-rw-r--r-- | .zuul.yaml | 17 | ||||
-rw-r--r-- | bindep.txt | 1 | ||||
-rw-r--r-- | playbooks/enable-fips.yaml | 3 | ||||
-rwxr-xr-x | tools/test-setup.sh | 41 |
4 files changed, 62 insertions, 0 deletions
diff --git a/.zuul.yaml b/.zuul.yaml index 694962907..e15853006 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -58,6 +58,9 @@ irrelevant-files: *gate-irrelevant-files - cinder-tempest-plugin-lvm-lio-barbican: irrelevant-files: *gate-irrelevant-files + - cinder-tempest-plugin-lvm-lio-barbican-fips: + voting: false + irrelevant-files: *gate-irrelevant-files - cinder-grenade-mn-sub-volbak: irrelevant-files: *gate-irrelevant-files - cinder-tempest-lvm-multibackend: @@ -68,6 +71,9 @@ irrelevant-files: *gate-irrelevant-files - devstack-plugin-nfs-tempest-full: irrelevant-files: *gate-irrelevant-files + - devstack-plugin-nfs-tempest-full-fips: + voting: false + irrelevant-files: *gate-irrelevant-files - tempest-slow-py3: irrelevant-files: *gate-irrelevant-files - tempest-integrated-storage: @@ -179,6 +185,17 @@ volume_revert: True - job: + # this depends on some ceph admin setup which is not yet complete + # TODO(alee) enable this test when ceph admin work is complete. + name: cinder-plugin-ceph-tempest-fips + parent: cinder-plugin-ceph-tempest + nodeset: devstack-single-node-centos-9-stream + pre-run: playbooks/enable-fips.yaml + vars: + configure_swap_size: 4096 + nslookup_target: 'opendev.org' + +- job: name: cinder-plugin-ceph-tempest-mn-aa parent: devstack-plugin-ceph-multinode-tempest-py3 roles: diff --git a/bindep.txt b/bindep.txt index d32d02680..6311a1885 100644 --- a/bindep.txt +++ b/bindep.txt @@ -29,6 +29,7 @@ postgresql postgresql-client [platform:dpkg] postgresql-devel [platform:rpm] postgresql-server [platform:rpm] +python3-devel [platform:rpm test] libpq-dev [platform:dpkg] thin-provisioning-tools [platform:debian] libxml2-dev [platform:dpkg test] diff --git a/playbooks/enable-fips.yaml b/playbooks/enable-fips.yaml new file mode 100644 index 000000000..bc1dc04ea --- /dev/null +++ b/playbooks/enable-fips.yaml @@ -0,0 +1,3 @@ +- hosts: all + roles: + - enable-fips diff --git a/tools/test-setup.sh b/tools/test-setup.sh index 5b986ced3..fced9be5e 100755 --- a/tools/test-setup.sh +++ b/tools/test-setup.sh @@ -15,6 +15,47 @@ DB_ROOT_PW=${MYSQL_ROOT_PW:-insecure_slave} DB_USER=openstack_citest DB_PW=openstack_citest +function is_rhel7 { + [ -f /usr/bin/yum ] && \ + cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \ + cat /etc/*release | grep -q 'release 7' +} + +function is_rhel8 { + [ -f /usr/bin/dnf ] && \ + cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \ + cat /etc/*release | grep -q 'release 8' +} + +function is_rhel9 { + [ -f /usr/bin/dnf ] && \ + cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \ + cat /etc/*release | grep -q 'release 9' +} + +function set_conf_line { # file regex value + sudo sh -c "grep -q -e '$2' $1 && \ + sed -i 's|$2|$3|g' $1 || \ + echo '$3' >> $1" +} + +if is_rhel7 || is_rhel8 || is_rhel9; then + # mysql needs to be started on centos/rhel + sudo systemctl restart mariadb.service + + # postgres setup for centos + sudo postgresql-setup --initdb + PG_CONF=/var/lib/pgsql/data/postgresql.conf + set_conf_line $PG_CONF '^password_encryption =.*' 'password_encryption = scram-sha-256' + + PG_HBA=/var/lib/pgsql/data/pg_hba.conf + set_conf_line $PG_HBA '^local[ \t]*all[ \t]*all.*' 'local all all peer' + set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*127.0.0.1\/32.*' 'host all all 127.0.0.1/32 scram-sha-256' + set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*::1\/128.*' 'host all all ::1/128 scram-sha-256' + + sudo systemctl restart postgresql.service +fi + sudo -H mysqladmin -u root password $DB_ROOT_PW # It's best practice to remove anonymous users from the database. If |