author | Ade Lee <alee@redhat.com> | 2022-01-12 13:56:55 -0800 |
---|---|---|
committer | Eric Harney <eharney@redhat.com> | 2023-04-18 19:45:55 +0000 |
commit | 933a7b7e6c1ce2e93f7bd22d6abb07180e43625a (patch) | |
tree | c5b4f734dc62f05f31e1de011cbd6fee7618ab33 | |
parent | 42d5d1d6487c7b838e7c01bd96757d6c59116fc6 (diff) | |
download | cinder-933a7b7e6c1ce2e93f7bd22d6abb07180e43625a.tar.gz |
Add fips check jobs
This patch adds two new FIPS enabled jobs to determine if there are any
issues when FIPS is enabled.
Because the FIPS jobs currently run on centos, code is added to the
test setup script to set up the databases correctly. Also had
to increase the swap space on the nodes; see [0] for an explanation.
[0] https://review.opendev.org/c/openstack/devstack/+/803706
Depends-On: https://review.opendev.org/c/openstack/devstack-plugin-nfs/+/847087
Depends-On: https://review.opendev.org/c/openstack/cinder-tempest-plugin/+/847086
Change-Id: Ib85b6ecc6f1b12eb8afa866e56afbfb13aad0cba
-rw-r--r-- | .zuul.yaml | 17 | ||||
-rw-r--r-- | bindep.txt | 1 | ||||
-rw-r--r-- | playbooks/enable-fips.yaml | 3 | ||||
-rwxr-xr-x | tools/test-setup.sh | 41 |
4 files changed, 62 insertions, 0 deletions
diff --git a/.zuul.yaml b/.zuul.yaml index 52bdf40a7..822974645 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -58,6 +58,9 @@ irrelevant-files: *gate-irrelevant-files - cinder-tempest-plugin-lvm-lio-barbican: irrelevant-files: *gate-irrelevant-files + - cinder-tempest-plugin-lvm-lio-barbican-fips: + voting: false + irrelevant-files: *gate-irrelevant-files - cinder-grenade-mn-sub-volbak: irrelevant-files: *gate-irrelevant-files - cinder-tempest-lvm-multibackend: @@ -68,6 +71,9 @@ irrelevant-files: *gate-irrelevant-files - devstack-plugin-nfs-tempest-full: irrelevant-files: *gate-irrelevant-files + - devstack-plugin-nfs-tempest-full-fips: + voting: false + irrelevant-files: *gate-irrelevant-files - tempest-slow-py3: irrelevant-files: *gate-irrelevant-files - tempest-integrated-storage: @@ -176,6 +182,17 @@ volume_revert: True - job: + # this depends on some ceph admin setup which is not yet complete + # TODO(alee) enable this test when ceph admin work is complete. + name: cinder-plugin-ceph-tempest-fips + parent: cinder-plugin-ceph-tempest + nodeset: devstack-single-node-centos-9-stream + pre-run: playbooks/enable-fips.yaml + vars: + configure_swap_size: 4096 + nslookup_target: 'opendev.org' + +- job: name: cinder-plugin-ceph-tempest-mn-aa parent: devstack-plugin-ceph-multinode-tempest-py3 roles: diff --git a/bindep.txt b/bindep.txt index d32d02680..6311a1885 100644 --- a/bindep.txt +++ b/bindep.txt @@ -29,6 +29,7 @@ postgresql postgresql-client [platform:dpkg] postgresql-devel [platform:rpm] postgresql-server [platform:rpm] +python3-devel [platform:rpm test] libpq-dev [platform:dpkg] thin-provisioning-tools [platform:debian] libxml2-dev [platform:dpkg test] diff --git a/playbooks/enable-fips.yaml b/playbooks/enable-fips.yaml new file mode 100644 index 000000000..bc1dc04ea --- /dev/null +++ b/playbooks/enable-fips.yaml @@ -0,0 +1,3 @@ +- hosts: all + roles: + - enable-fips diff --git a/tools/test-setup.sh b/tools/test-setup.sh index 5b986ced3..fced9be5e 100755 
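Review bot: Both FIPS entries added to this job list (`cinder-tempest-plugin-lvm-lio-barbican-fips` here and `devstack-plugin-nfs-tempest-full-fips` in the next hunk) are `voting: false`, and nothing in the file says when that should change. Until it does, a change that breaks under FIPS, for example by reintroducing a non-approved hash, can still merge with only a non-voting failure to show for it. A comment above each entry such as `# non-voting until the FIPS jobs are stable; make voting afterwards` would record the intent. The list these entries belong to starts outside the hunk.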
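Review bot: The `vars` of the new `cinder-plugin-ceph-tempest-fips` job set `configure_swap_size: 4096` and `nslookup_target: 'opendev.org'` without saying why; the reason for the swap size appears only in the commit message. I would add `# FIPS nodes need more swap, see https://review.opendev.org/c/openstack/devstack/+/803706` above `configure_swap_size`, plus a short comment naming what consumes `nslookup_target` (presumably the enable-fips role, which is not visible here). No pipeline in the visible hunks references the job, which matches the TODO but could be stated there explicitly, e.g. `# defined only, not yet added to check/gate`.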
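Review bot: Nothing in `playbooks/enable-fips.yaml` confirms that the node is in FIPS mode once the `enable-fips` role has run, so a role that silently did nothing would leave the "-fips" jobs testing an ordinary node and reporting green. Unless the role (not shown on this page) already asserts this, I would add a post task that reads `/proc/sys/crypto/fips_enabled` and fails the pre-run when it is not `1`. A one-line comment at the top of the playbook saying where the role comes from would also help readers of this repository.

```yaml
- hosts: all
  # … unchanged: roles: enable-fips …
  post_tasks:
    - name: Confirm the kernel reports FIPS mode
      command: cat /proc/sys/crypto/fips_enabled
      register: fips_state
      changed_when: false
      failed_when: (fips_state.stdout | trim) != '1'
```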
--- a/tools/test-setup.sh +++ b/tools/test-setup.sh @@ -15,6 +15,47 @@ DB_ROOT_PW=${MYSQL_ROOT_PW:-insecure_slave} DB_USER=openstack_citest DB_PW=openstack_citest +function is_rhel7 { + [ -f /usr/bin/yum ] && \ + cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \ + cat /etc/*release | grep -q 'release 7' +} + +function is_rhel8 { + [ -f /usr/bin/dnf ] && \ + cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \ + cat /etc/*release | grep -q 'release 8' +} + +function is_rhel9 { + [ -f /usr/bin/dnf ] && \ + cat /etc/*release | grep -q -e "Red Hat" -e "CentOS" -e "CloudLinux" && \ + cat /etc/*release | grep -q 'release 9' +} + +function set_conf_line { # file regex value + sudo sh -c "grep -q -e '$2' $1 && \ + sed -i 's|$2|$3|g' $1 || \ + echo '$3' >> $1" +} + +if is_rhel7 || is_rhel8 || is_rhel9; then + # mysql needs to be started on centos/rhel + sudo systemctl restart mariadb.service + + # postgres setup for centos + sudo postgresql-setup --initdb + PG_CONF=/var/lib/pgsql/data/postgresql.conf + set_conf_line $PG_CONF '^password_encryption =.*' 'password_encryption = scram-sha-256' + + PG_HBA=/var/lib/pgsql/data/pg_hba.conf + set_conf_line $PG_HBA '^local[ \t]*all[ \t]*all.*' 'local all all peer' + set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*127.0.0.1\/32.*' 'host all all 127.0.0.1/32 scram-sha-256' + set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*::1\/128.*' 'host all all ::1/128 scram-sha-256' + + sudo systemctl restart postgresql.service +fi + sudo -H mysqladmin -u root password $DB_ROOT_PW # It's best practice to remove anonymous users from the database. If |
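Review bot: `set_conf_line` pastes `$1`, `$2` and `$3` into a single string that is run by `sudo sh -c`, so a single quote or shell metacharacter in any argument would be interpreted by a root shell, and the `grep && sed || echo` chain also appends the line when grep matched but sed failed. The callers in this hunk only pass literals, so this is a hardening point rather than a live bug. I would still run each command directly under sudo with quoted arguments and an explicit if/else, as below. The value still reaches sed's replacement text, so it must not contain `|` or `&`; the function header comment should say that. Separately, `sudo postgresql-setup --initdb` may return non-zero on a node whose data directory already exists; whether that aborts the script depends on shell options set outside this hunk.

```shell
function set_conf_line { # file regex value
    # value is used as sed replacement text: it must not contain '|' or '&'
    local file=$1 regex=$2 value=$3
    if sudo grep -q -e "$regex" "$file"; then
        sudo sed -i "s|$regex|$value|g" "$file"
    else
        echo "$value" | sudo tee -a "$file" > /dev/null
    fi
}
# … unchanged: is_rhel* helpers and the mariadb/postgres setup block …
```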