Add functional and fullstack jobs with FIPS enabled

This patch adds definition of the functional and fullstack jobs with enabled support for FIPS [1]. Jobs are based on the Centos 8 stream as this disto allows to enable FIPS support. Jobs are added to the experimental queue for now. This patch also makes some changes in the bindep and configure_functional_tests role to make functional/fullstack tests working on the Centos. [1] https://csrc.nist.gov/publications/detail/fips/140/3/final Co-Authored-By: Ade Lee <alee@redhat.com> Change-Id: I582495826155740ad2660ee2a8717696b0393d26
2021-10-14 15:14:49 +02:00 · 2021-10-14 15:14:49 +02:00 · 836592a8bc
parent 63f8a39d75
commit 836592a8bc
7 changed files with 62 additions and 11 deletions
--- a/bindep.txt
+++ b/bindep.txt
@ -15,10 +15,11 @@ libffi-devel [platform:rpm]
 # periodic-neutron-py35-with-neutron-lib-master.
 haproxy
 libmysqlclient-dev [platform:dpkg test]
-mysql [platform:rpm test]
+mariadb [platform:rpm test]
+mariadb-devel [platform:rpm test]
+mariadb-server [platform:rpm test]
 mysql-client [platform:dpkg test]
-mysql-devel [platform:rpm test]
-mysql-server [test]
+mysql-server [platform:dpkg test]
 postgresql [test]
 postgresql-client [platform:dpkg test]
 postgresql-devel [platform:rpm test]
--- a/playbooks/enable-fips.yaml
+++ b/playbooks/enable-fips.yaml
@ -0,0 +1,5 @@
+- hosts: all
+  roles:
+    - persistent-firewall
+    - enable-fips
+    - disable_selinux
--- a/roles/configure_functional_tests/tasks/main.yaml
+++ b/roles/configure_functional_tests/tasks/main.yaml
@ -15,10 +15,24 @@
        STACK_USER=stack
        OVS_BRANCH={{ OVS_BRANCH }}
        OVN_BRANCH={{ OVN_BRANCH }}
+        # This is DB USER used in e.g. pgsql db
+        DATABASE_USER=openstack_citest

        source $DEVSTACK_PATH/functions
        source $DEVSTACK_PATH/lib/neutron_plugins/ovn_agent
        source $NEUTRON_DIR/tools/configure_for_func_testing.sh

+        if is_fedora; then
+            # NOTE(slqweq) Running functional job e.g. on Centos requires to
+            # have repo with rabbitmq-server and some other packages available
+            install_package centos-release-openstack-victoria
+            install_package iproute-tc haproxy keepalived
+
+            # NOTE(slaweq) On Fedora/CentOS systems make sure that SELinux is
+            # not in enforcing mode
+            sudo setenforce 0
+        fi
+
        configure_host_for_func_testing
+
    executable: /bin/bash
--- a/roles/disable_selinux/tasks/main.yaml
+++ b/roles/disable_selinux/tasks/main.yaml
@ -0,0 +1,3 @@
+- name: Ensure SELinux is in permissive mode
+  become: yes
+  command: "setenforce 0"
--- a/tools/configure_for_func_testing.sh
+++ b/tools/configure_for_func_testing.sh
@ -20,6 +20,8 @@ set -e
 # directly or allow the gate_hook to import.
 IS_GATE=${IS_GATE:-False}
 USE_CONSTRAINT_ENV=${USE_CONSTRAINT_ENV:-True}
+MYSQL_USER=${MYSQL_USER:-root}
+DATABASE_USER=${DATABASE_USER:-${MYSQL_USER}}


 if [[ "$IS_GATE" != "True" ]] && [[ "$#" -lt 1 ]]; then
@ -153,8 +155,8 @@ function _install_databases {
        return 0
    fi

-    MYSQL_PASSWORD=${MYSQL_PASSWORD:-stackdb}
-    DATABASE_PASSWORD=${DATABASE_PASSWORD:-stackdb}
+    MYSQL_PASSWORD=${MYSQL_PASSWORD:-openstack_citest}
+    DATABASE_PASSWORD=${DATABASE_PASSWORD:-openstack_citest}

    source $DEVSTACK_PATH/lib/database

@ -176,18 +178,16 @@ function _install_databases {

    cat << EOF > $tmp_dir/mysql.sql
 CREATE DATABASE openstack_citest;
-CREATE USER 'openstack_citest'@'localhost' IDENTIFIED BY 'openstack_citest';
-CREATE USER 'openstack_citest' IDENTIFIED BY 'openstack_citest';
-GRANT ALL PRIVILEGES ON *.* TO 'openstack_citest'@'localhost';
-GRANT ALL PRIVILEGES ON *.* TO 'openstack_citest';
+CREATE USER '${DATABASE_USER}'@'localhost' IDENTIFIED BY '${MYSQL_PASSWORD}';
+GRANT ALL PRIVILEGES ON *.* TO '${DATABASE_USER}'@'localhost';
 FLUSH PRIVILEGES;
 EOF
    /usr/bin/mysql -u root -p"$MYSQL_PASSWORD" < $tmp_dir/mysql.sql

    if [[ "$install_pg" == "True" ]]; then
        cat << EOF > $tmp_dir/postgresql.sql
-CREATE USER openstack_citest WITH CREATEDB LOGIN PASSWORD 'openstack_citest';
-CREATE DATABASE openstack_citest WITH OWNER openstack_citest;
+CREATE USER ${DATABASE_USER} WITH CREATEDB LOGIN PASSWORD ${DATABASE_PASSWORD};
+CREATE DATABASE ${DATABASE_USER} WITH OWNER ${DATABASE_USER};
 EOF

        # User/group postgres needs to be given access to tmp_dir
--- a/zuul.d/base.yaml
+++ b/zuul.d/base.yaml
@ -104,6 +104,32 @@
    required-projects:
      - openstack/neutron-lib

+- job:
+    name: neutron-functional-with-uwsgi-fips
+    parent: neutron-functional-with-uwsgi
+    nodeset: devstack-single-node-centos-8-stream
+    description: |
+      Functional testing for a FIPS enabled Centos 8 system
+    pre-run: playbooks/enable-fips.yaml
+    vars:
+      configure_swap_size: 4096
+      devstack_localrc:
+        ISCSI_CHAP_ALGORITHMS: SHA3-256,SHA256
+        Q_BUILD_OVS_FROM_GIT: true
+
+- job:
+    name: neutron-fullstack-with-uwsgi-fips
+    parent: neutron-fullstack-with-uwsgi
+    nodeset: devstack-single-node-centos-8-stream
+    description: |
+      Functional testing for a FIPS enabled Centos 8 system
+    pre-run: playbooks/enable-fips.yaml
+    vars:
+      configure_swap_size: 4096
+      devstack_localrc:
+        ISCSI_CHAP_ALGORITHMS: SHA3-256,SHA256
+        Q_BUILD_OVS_FROM_GIT: true
+
 - job:
    name: neutron-linuxbridge-tempest-plugin-scenario-nftables
    parent: neutron-tempest-plugin-scenario-linuxbridge
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@ -85,6 +85,8 @@

    experimental:
      jobs:
+        - neutron-functional-with-uwsgi-fips
+        - neutron-fullstack-with-uwsgi-fips
        - neutron-ovn-grenade-multinode
        - neutron-ovn-tempest-with-uwsgi-loki
        - neutron-ovn-tempest-full-multinode-ovs-master