Use centos amphora image in the FIPS jobs

The FIPS jobs use centos-8-stream controllers but the image is still based on ubuntu, this commit updates the amphora images to centos-8-stream and enable FIPS inside the amphora. Change-Id: I8916796ed6727a103907a33d3c14e99e1d3734e6
2022-02-04 12:15:41 +01:00 · 2022-02-04 12:15:41 +01:00 · 74a7cbe122
parent 76e731ad73
commit 74a7cbe122
11 changed files with 105 additions and 6 deletions
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -108,6 +108,9 @@ function build_octavia_worker_image {
    if [[ "$(trueorfalse False OCTAVIA_AMP_DISABLE_TMP_FS)" == "True" ]]; then
        export PARAM_OCTAVIA_AMP_DISABLE_TMP_FS='-f'
    fi
+    if [[ "$(trueorfalse False OCTAVIA_AMP_ENABLE_FIPS)" == "True" ]]; then
+        export PARAM_OCTAVIA_AMP_ENABLE_FIPS='-y'
+    fi

    # Use the infra pypi mirror if it is available
    if [[ -e /etc/ci/mirror_info.sh ]]; then
@ -131,7 +134,7 @@ function build_octavia_worker_image {
        fi
        sudo mkdir -m755 ${dib_logs}
        sudo chown $STACK_USER ${dib_logs}
-        $OCTAVIA_DIR/diskimage-create/diskimage-create.sh -l ${dib_logs}/$(basename $OCTAVIA_AMP_IMAGE_FILE).log $octavia_dib_tracing_arg -o $OCTAVIA_AMP_IMAGE_FILE ${PARAM_OCTAVIA_AMP_BASE_OS:-} ${PARAM_OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID:-} ${PARAM_OCTAVIA_AMP_IMAGE_SIZE:-} ${PARAM_OCTAVIA_AMP_IMAGE_ARCH:-} ${PARAM_OCTAVIA_AMP_DISABLE_TMP_FS:-}
+        $OCTAVIA_DIR/diskimage-create/diskimage-create.sh -l ${dib_logs}/$(basename $OCTAVIA_AMP_IMAGE_FILE).log $octavia_dib_tracing_arg -o $OCTAVIA_AMP_IMAGE_FILE ${PARAM_OCTAVIA_AMP_BASE_OS:-} ${PARAM_OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID:-} ${PARAM_OCTAVIA_AMP_IMAGE_SIZE:-} ${PARAM_OCTAVIA_AMP_IMAGE_ARCH:-} ${PARAM_OCTAVIA_AMP_DISABLE_TMP_FS:-} ${PARAM_OCTAVIA_AMP_ENABLE_FIPS:-}
    fi

    if ! [ -f $OCTAVIA_AMP_IMAGE_FILE ]; then
--- a/diskimage-create/README.rst
+++ b/diskimage-create/README.rst
@ -118,6 +118,7 @@ Command syntax:
            [-v]
            [-w <working directory> ]
            [-x]
+            [-y]

        '-a' is the architecture type for the image (default: amd64)
        '-b' is the backend type (default: haproxy)
@ -139,6 +140,7 @@ Command syntax:
        '-v' display the script version
        '-w' working directory for image building (default: .)
        '-x' enable tracing for diskimage-builder
+        '-y' enable FIPS 140-2 mode in the amphora image


 Building Images for Alternate Branches
--- a/diskimage-create/diskimage-create.sh
+++ b/diskimage-create/diskimage-create.sh
@ -61,6 +61,7 @@ usage() {
    echo "        '-v' display the script version"
    echo "        '-w' working directory for image building (default: .)"
    echo "        '-x' enable tracing for diskimage-builder"
+    echo "        '-y' enable FIPS 140-2 mode in the amphora image"
    echo
    exit 1
 }
@ -91,7 +92,7 @@ dib_enable_tracing=

 AMP_LOGFILE=""

-while getopts "a:b:c:d:efg:hi:k:l:no:pt:r:s:vw:x" opt; do
+while getopts "a:b:c:d:efg:hi:k:l:no:pt:r:s:vw:xy" opt; do
    case $opt in
        a)
            AMP_ARCH=$OPTARG
@ -207,6 +208,8 @@ while getopts "a:b:c:d:efg:hi:k:l:no:pt:r:s:vw:x" opt; do
        ;;
        x)  dib_enable_tracing=1
        ;;
+        y)  AMP_ENABLE_FIPS=1
+        ;;
        *)
            usage
        ;;
@ -256,6 +259,8 @@ AMP_ENABLE_FULL_MAC_SECURITY=${AMP_ENABLE_FULL_MAC_SECURITY:-0}

 AMP_DISABLE_TMP_FS=${AMP_DISABLE_TMP_FS:-""}

+AMP_ENABLE_FIPS=${AMP_ENABLE_FIPS:-0}
+
 if [[ "$AMP_BASEOS" =~ ^(rhel|fedora)$ ]] && [[ "$AMP_IMAGESIZE" -lt 3 ]]; then
    echo "RHEL/Fedora based amphora requires an image size of at least 3GB"
    exit 1
@ -471,6 +476,11 @@ if [ "$AMP_DISABLE_SSHD" -eq 1 ]; then
    AMP_element_sequence="$AMP_element_sequence remove-sshd"
 fi

+# Enable FIPS if requested
+if [ "$AMP_ENABLE_FIPS" -eq 1 ]; then
+    AMP_element_sequence="$AMP_element_sequence amphora-fips"
+fi
+
 # Allow full elements override
 if [ "$DIB_ELEMENTS" ]; then
    AMP_element_sequence="$DIB_ELEMENTS"
--- a/elements/amphora-fips/README.rst
+++ b/elements/amphora-fips/README.rst
@ -0,0 +1,7 @@
+Element to enable FIPS mode inside the Amphora.
+
+This element configures the Amphora OS to enable FIPS 140-2 mode in the
+operating system for the Amphora.
+
+Note: Current this element only supports the Red Hat family of operating
+systems.
--- a/elements/amphora-fips/element-deps
+++ b/elements/amphora-fips/element-deps
@ -0,0 +1,4 @@
+bootloader
+dracut-regenerate
+package-installs
+pkg-map
--- a/elements/amphora-fips/environment.d/95-enable-fips
+++ b/elements/amphora-fips/environment.d/95-enable-fips
@ -0,0 +1,28 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+    set -x
+fi
+
+set -eu
+set -o pipefail
+
+case $DISTRO_NAME in
+    ubuntu | debian )
+        echo "ERROR: $DISTRO_NAME is not supported for FIPS mode."
+        exit 1
+    ;;
+    fedora | centos* | rhel* )
+        DIB_DRACUT_ENABLED_MODULES+="
+- name: fips
+        "
+        export DIB_DRACUT_ENABLED_MODULES
+
+        DIB_BOOTLOADER_DEFAULT_CMDLINE+=" fips=1"
+        export DIB_BOOTLOADER_DEFAULT_CMDLINE
+    ;;
+    *)
+        echo "ERROR: Unsupported distribution $DISTRO_NAME"
+        exit 1
+    ;;
+esac
--- a/elements/amphora-fips/package-installs.yaml
+++ b/elements/amphora-fips/package-installs.yaml
@ -0,0 +1,2 @@
+# Required for fips-mode-setup to enable fips mode
+crypto-policies-scripts:
--- a/elements/amphora-fips/pkg-map
+++ b/elements/amphora-fips/pkg-map
@ -0,0 +1,10 @@
+{
+  "family": {
+    "redhat": {
+      "crypto-policies-scripts": "crypto-policies-scripts"
+    }
+  },
+  "default": {
+      "crypto-policies-scripts": ""
+  }
+}
--- a/elements/amphora-fips/post-install.d/10-enable-fips
+++ b/elements/amphora-fips/post-install.d/10-enable-fips
@ -0,0 +1,22 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+    set -x
+fi
+
+set -eu
+set -o pipefail
+
+case $DISTRO_NAME in
+    ubuntu | debian )
+        echo "ERROR: $DISTRO_NAME is not supported for FIPS mode."
+        exit 1
+    ;;
+    fedora | centos* | rhel* )
+        update-crypto-policies --no-reload --set FIPS
+    ;;
+    *)
+        echo "ERROR: Unsupported distribution $DISTRO_NAME"
+        exit 1
+    ;;
+esac
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@ -202,9 +202,15 @@
    parent: octavia-v2-dsvm-scenario
    nodeset: octavia-single-node-centos-8-stream
    description: |
-      Functional testing for a FIPS enabled Centos 8 system
+      Functional testing for a FIPS enabled Centos 8 system.
    pre-run: playbooks/enable-fips.yaml
+    timeout: 10800
    vars:
+      devstack_localrc:
+        OCTAVIA_AMP_BASE_OS: centos
+        OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID: 8-stream
+        OCTAVIA_AMP_IMAGE_SIZE: 3
+        OCTAVIA_AMP_ENABLE_FIPS: True
      devstack_local_conf:
        test-config:
          "$TEMPEST_CONFIG":
@ -219,6 +225,11 @@
      Functional testing for a FIPS enabled Centos 8 system
    pre-run: playbooks/enable-fips.yaml
    vars:
+      devstack_localrc:
+        OCTAVIA_AMP_BASE_OS: centos
+        OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID: 8-stream
+        OCTAVIA_AMP_IMAGE_SIZE: 3
+        OCTAVIA_AMP_ENABLE_FIPS: True
      devstack_local_conf:
        test-config:
          "$TEMPEST_CONFIG":
--- a/zuul.d/projects.yaml
+++ b/zuul.d/projects.yaml
@ -50,9 +50,6 @@
              - ^tools/.*$
              - ^(test-|)requirements.txt$
              - ^tox.ini$
-        - octavia-v2-dsvm-scenario-fips:
-            irrelevant-files: *irrelevant-files
-            voting: false
        - octavia-v2-dsvm-tls-barbican-fips:
            irrelevant-files: *irrelevant-files
            voting: false
@ -109,6 +106,9 @@
            branches: ^(?!stable/.*).*$
        - octavia-amphora-image-build
        - octavia-grenade-ffu
+# Putting octavia-v2-dsvm-scenario-fips in periodic as centos 8 is too slow
+        - octavia-v2-dsvm-scenario-fips:
+            voting: false
    experimental:
      jobs:
        - octavia-v2-dsvm-scenario-nftables