authorAde Lee <alee@redhat.com>2022-01-12 13:56:55 -0800
committerEric Harney <eharney@redhat.com>2023-04-18 19:45:55 +0000
commit933a7b7e6c1ce2e93f7bd22d6abb07180e43625a (patch)
treec5b4f734dc62f05f31e1de011cbd6fee7618ab33
parent42d5d1d6487c7b838e7c01bd96757d6c59116fc6 (diff)
downloadcinder-933a7b7e6c1ce2e93f7bd22d6abb07180e43625a.tar.gz
Add fips check jobs
This patch adds two new FIPS enabled jobs to determine if there are any issues when FIPS is enabled. Because the FIPS jobs currently run on centos, code is added to the test setup script to set up the databases correctly. Also had to increase the swap space on the nodes; see [0] for an explanation. [0] https://review.opendev.org/c/openstack/devstack/+/803706 Depends-On: https://review.opendev.org/c/openstack/devstack-plugin-nfs/+/847087 Depends-On: https://review.opendev.org/c/openstack/cinder-tempest-plugin/+/847086 Change-Id: Ib85b6ecc6f1b12eb8afa866e56afbfb13aad0cba
-rw-r--r--.zuul.yaml17
-rw-r--r--bindep.txt1
-rw-r--r--playbooks/enable-fips.yaml3
-rwxr-xr-xtools/test-setup.sh41
4 files changed, 62 insertions, 0 deletions
diff --git a/.zuul.yaml b/.zuul.yaml
index 52bdf40a7..822974645 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -58,6 +58,9 @@
irrelevant-files: *gate-irrelevant-files
- cinder-tempest-plugin-lvm-lio-barbican:
irrelevant-files: *gate-irrelevant-files
+ - cinder-tempest-plugin-lvm-lio-barbican-fips:
+ voting: false
+ irrelevant-files: *gate-irrelevant-files
- cinder-grenade-mn-sub-volbak:
irrelevant-files: *gate-irrelevant-files
- cinder-tempest-lvm-multibackend:
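Review bot: The new `cinder-tempest-plugin-lvm-lio-barbican-fips` entry is `voting: false` with no comment saying when it is expected to become voting, and the same applies to `devstack-plugin-nfs-tempest-full-fips` in the next hunk. While both stay non-voting, a change that breaks under FIPS mode can still merge, so the jobs only help if someone watches their results. I would add a line above each entry such as `# TODO: make voting once the job is stable on CentOS Stream 9`. The job list these entries sit in starts and ends outside the hunk.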
@@ -68,6 +71,9 @@
irrelevant-files: *gate-irrelevant-files
- devstack-plugin-nfs-tempest-full:
irrelevant-files: *gate-irrelevant-files
+ - devstack-plugin-nfs-tempest-full-fips:
+ voting: false
+ irrelevant-files: *gate-irrelevant-files
- tempest-slow-py3:
irrelevant-files: *gate-irrelevant-files
- tempest-integrated-storage:
@@ -176,6 +182,17 @@
volume_revert: True
- job:
+ # this depends on some ceph admin setup which is not yet complete
+ # TODO(alee) enable this test when ceph admin work is complete.
+ name: cinder-plugin-ceph-tempest-fips
+ parent: cinder-plugin-ceph-tempest
+ nodeset: devstack-single-node-centos-9-stream
+ pre-run: playbooks/enable-fips.yaml
+ vars:
+ configure_swap_size: 4096
+ nslookup_target: 'opendev.org'
+
+- job:
name: cinder-plugin-ceph-tempest-mn-aa
parent: devstack-plugin-ceph-multinode-tempest-py3
roles:
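Review bot: The comment on `cinder-plugin-ceph-tempest-fips` says the job depends on ceph admin setup that is not finished, but it sits between `- job:` and `name:` and does not say whether the job is deliberately left out of every pipeline; none of the hunks visible here reference it. I would move it above `- job:` and make that explicit, e.g. `# Defined but not run in any pipeline until the ceph admin work lands.` The two vars also deserve a comment: `configure_swap_size: 4096` could carry `# FIPS nodes need more swap, see https://review.opendev.org/c/openstack/devstack/+/803706`, and `nslookup_target` is presumably read by the enable-fips role, which is worth stating next to it.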
diff --git a/bindep.txt b/bindep.txt
index d32d02680..6311a1885 100644
--- a/bindep.txt
+++ b/bindep.txt
@@ -29,6 +29,7 @@ postgresql
postgresql-client [platform:dpkg]
postgresql-devel [platform:rpm]
postgresql-server [platform:rpm]
+python3-devel [platform:rpm test]
libpq-dev [platform:dpkg]
thin-provisioning-tools [platform:debian]
libxml2-dev [platform:dpkg test]
diff --git a/playbooks/enable-fips.yaml b/playbooks/enable-fips.yaml
new file mode 100644
index 000000000..bc1dc04ea
--- /dev/null
+++ b/playbooks/enable-fips.yaml
@@ -0,0 +1,3 @@
+- hosts: all
+ roles:
+ - enable-fips
diff --git a/tools/test-setup.sh b/tools/test-setup.sh
index 5b986ced3..fced9be5e 100755
--- a/tools/test-setup.sh
+++ b/tools/test-setup.sh
@@ -15,6 +15,47 @@ DB_ROOT_PW=${MYSQL_ROOT_PW:-insecure_slave}
DB_USER=openstack_citest
DB_PW=openstack_citest
+function is_rhel7 {
+ [ -f /usr/bin/yum ] && \
+ cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \
+ cat /etc/*release | grep -q 'release 7'
+}
+
+function is_rhel8 {
+ [ -f /usr/bin/dnf ] && \
+ cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \
+ cat /etc/*release | grep -q 'release 8'
+}
+
+function is_rhel9 {
+ [ -f /usr/bin/dnf ] && \
+ cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \
+ cat /etc/*release | grep -q 'release 9'
+}
+
+function set_conf_line { # file regex value
+ sudo sh -c "grep -q -e '$2' $1 && \
+ sed -i 's|$2|$3|g' $1 || \
+ echo '$3' >> $1"
+}
+
+if is_rhel7 || is_rhel8 || is_rhel9; then
+ # mysql needs to be started on centos/rhel
+ sudo systemctl restart mariadb.service
+
+ # postgres setup for centos
+ sudo postgresql-setup --initdb
+ PG_CONF=/var/lib/pgsql/data/postgresql.conf
+ set_conf_line $PG_CONF '^password_encryption =.*' 'password_encryption = scram-sha-256'
+
+ PG_HBA=/var/lib/pgsql/data/pg_hba.conf
+ set_conf_line $PG_HBA '^local[ \t]*all[ \t]*all.*' 'local all all peer'
+ set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*127.0.0.1\/32.*' 'host all all 127.0.0.1/32 scram-sha-256'
+ set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*::1\/128.*' 'host all all ::1/128 scram-sha-256'
+
+ sudo systemctl restart postgresql.service
+fi
+
sudo -H mysqladmin -u root password $DB_ROOT_PW
# It's best practice to remove anonymous users from the database. If
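Review bot: `set_conf_line` can leave the old authentication rule in force without any error, because its `grep && sed || echo` chain appends the new line whenever grep does not match or sed fails, and pg_hba.conf is evaluated first-match-wins, so a `scram-sha-256` rule appended after an existing rule for the same connection never applies. A grep miss is plausible: inside a bracket expression grep reads `\t` as a backslash and the letter t rather than a tab, so `[ \t]*` only works while the distribution's file is space-separated, whereas `[[:space:]]*` behaves the same in grep and sed. The function also pastes its arguments into a single-quoted `sh -c` string, which breaks as soon as a value contains `'`. The version below keeps the signature, quotes the arguments and returns sed's exit status instead of falling through to the append. The rest of the script lies outside this hunk.

```shell
function set_conf_line { # file regex value
    local file=$1 regex=$2 value=$3
    if sudo grep -q -e "$regex" "$file"; then
        sudo sed -i "s|$regex|$value|g" "$file"
    else
        echo "$value" | sudo tee -a "$file" > /dev/null
    fi
}
# … unchanged: is_rhel7/8/9, mariadb restart, postgresql-setup, password_encryption line …
    set_conf_line "$PG_HBA" '^local[[:space:]]*all[[:space:]]*all.*' 'local all all peer'
# … unchanged: the two host lines (same [[:space:]] substitution) and the postgresql restart …
```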