diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index dde2902ba9..7fa2f9df9f 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -108,6 +108,9 @@ function build_octavia_worker_image {
 if [[ "$(trueorfalse False OCTAVIA_AMP_DISABLE_TMP_FS)" == "True" ]]; then
 export PARAM_OCTAVIA_AMP_DISABLE_TMP_FS='-f'
 fi
+ if [[ "$(trueorfalse False OCTAVIA_AMP_ENABLE_FIPS)" == "True" ]]; then
+ export PARAM_OCTAVIA_AMP_ENABLE_FIPS='-y'
+ fi
 
 # Use the infra pypi mirror if it is available
 if [[ -e /etc/ci/mirror_info.sh ]]; then
@@ -131,7 +134,7 @@ function build_octavia_worker_image {
 fi
 sudo mkdir -m755 ${dib_logs}
 sudo chown $STACK_USER ${dib_logs}
- $OCTAVIA_DIR/diskimage-create/diskimage-create.sh -l ${dib_logs}/$(basename $OCTAVIA_AMP_IMAGE_FILE).log $octavia_dib_tracing_arg -o $OCTAVIA_AMP_IMAGE_FILE ${PARAM_OCTAVIA_AMP_BASE_OS:-} ${PARAM_OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID:-} ${PARAM_OCTAVIA_AMP_IMAGE_SIZE:-} ${PARAM_OCTAVIA_AMP_IMAGE_ARCH:-} ${PARAM_OCTAVIA_AMP_DISABLE_TMP_FS:-}
+ $OCTAVIA_DIR/diskimage-create/diskimage-create.sh -l ${dib_logs}/$(basename $OCTAVIA_AMP_IMAGE_FILE).log $octavia_dib_tracing_arg -o $OCTAVIA_AMP_IMAGE_FILE ${PARAM_OCTAVIA_AMP_BASE_OS:-} ${PARAM_OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID:-} ${PARAM_OCTAVIA_AMP_IMAGE_SIZE:-} ${PARAM_OCTAVIA_AMP_IMAGE_ARCH:-} ${PARAM_OCTAVIA_AMP_DISABLE_TMP_FS:-} ${PARAM_OCTAVIA_AMP_ENABLE_FIPS:-}
 fi
 
 if ! [ -f $OCTAVIA_AMP_IMAGE_FILE ]; then
diff --git a/diskimage-create/README.rst b/diskimage-create/README.rst
index b6f0d16680..b3f336776d 100644
--- a/diskimage-create/README.rst
+++ b/diskimage-create/README.rst
@@ -118,6 +118,7 @@ Command syntax:
 [-v]
 [-w ]
 [-x]
+ [-y]
 
 '-a' is the architecture type for the image (default: amd64)
 '-b' is the backend type (default: haproxy)
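Review bot: The new `-y` is forwarded without checking that the base image is one the `amphora-fips` element accepts, so with a non-Red Hat `OCTAVIA_AMP_BASE_OS` the build only fails deep inside diskimage-builder with the element's "not supported for FIPS mode" error. A devstack-side guard in the first hunk would surface that sooner, e.g. `if [[ "$(trueorfalse False OCTAVIA_AMP_ENABLE_FIPS)" == "True" && ! "${OCTAVIA_AMP_BASE_OS:-}" =~ ^(centos|rhel|fedora)$ ]]; then die $LINENO "OCTAVIA_AMP_ENABLE_FIPS requires a Red Hat family OCTAVIA_AMP_BASE_OS"; fi` — assuming the plugin's default base OS is not already one of those, which the diff does not show. The function build_octavia_worker_image starts and ends outside both hunks.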
@@ -139,6 +140,7 @@ Command syntax:
 '-v' display the script version
 '-w' working directory for image building (default: .)
 '-x' enable tracing for diskimage-builder
+ '-y' enable FIPS 140-2 mode in the amphora image
 
 Building Images for Alternate Branches
diff --git a/diskimage-create/diskimage-create.sh b/diskimage-create/diskimage-create.sh
index 073bb4d8f3..6d553305b4 100755
--- a/diskimage-create/diskimage-create.sh
+++ b/diskimage-create/diskimage-create.sh
@@ -61,6 +61,7 @@ usage() {
 echo " '-v' display the script version"
 echo " '-w' working directory for image building (default: .)"
 echo " '-x' enable tracing for diskimage-builder"
+ echo " '-y' enable FIPS 140-2 mode in the amphora image"
 echo
 exit 1
 }
@@ -91,7 +92,7 @@ dib_enable_tracing=
 AMP_LOGFILE=""
 
-while getopts "a:b:c:d:efg:hi:k:l:no:pt:r:s:vw:x" opt; do
+while getopts "a:b:c:d:efg:hi:k:l:no:pt:r:s:vw:xy" opt; do
 case $opt in
 a) AMP_ARCH=$OPTARG
@@ -207,6 +208,8 @@ while getopts "a:b:c:d:efg:hi:k:l:no:pt:r:s:vw:x" opt; do
 ;;
 x) dib_enable_tracing=1
 ;;
+ y) AMP_ENABLE_FIPS=1
+ ;;
 *)
 usage
 ;;
@@ -256,6 +259,8 @@ AMP_ENABLE_FULL_MAC_SECURITY=${AMP_ENABLE_FULL_MAC_SECURITY:-0}
 AMP_DISABLE_TMP_FS=${AMP_DISABLE_TMP_FS:-""}
+AMP_ENABLE_FIPS=${AMP_ENABLE_FIPS:-0}
+
 if [[ "$AMP_BASEOS" =~ ^(rhel|fedora)$ ]] && [[ "$AMP_IMAGESIZE" -lt 3 ]]; then
 echo "RHEL/Fedora based amphora requires an image size of at least 3GB"
 exit 1
@@ -471,6 +476,11 @@ if [ "$AMP_DISABLE_SSHD" -eq 1 ]; then
 AMP_element_sequence="$AMP_element_sequence remove-sshd"
 fi
 
+# Enable FIPS if requested
+if [ "$AMP_ENABLE_FIPS" -eq 1 ]; then
+ AMP_element_sequence="$AMP_element_sequence amphora-fips"
+fi
+
 # Allow full elements override
 if [ "$DIB_ELEMENTS" ]; then
 AMP_element_sequence="$DIB_ELEMENTS"
diff --git a/elements/amphora-fips/README.rst b/elements/amphora-fips/README.rst
new file mode 100644
index 0000000000..5c2656a3b1
--- /dev/null
+++ b/elements/amphora-fips/README.rst
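Review bot: `AMP_ENABLE_FIPS` is defaulted right above the existing RHEL/Fedora image-size check (@@ -256 hunk), but nothing rejects `-y` for a base OS the amphora-fips element will refuse, so the failure only surfaces inside the element's environment.d script part-way through the build. A check beside the image-size one keeps that validation in a single place; the pattern below includes centos because the element's case arm matches `centos*` while the existing size check does not, so I cannot tell from the diff whether that omission is deliberate. The same hunk is also the place for a one-line comment on `AMP_ENABLE_FIPS` saying it selects the `amphora-fips` element appended in the @@ -471 hunk and that the `-eq 1` test there expects 0/1, not true/false.
```bash
AMP_ENABLE_FIPS=${AMP_ENABLE_FIPS:-0}

# -y selects the amphora-fips element, which only supports Red Hat family images
if [ "$AMP_ENABLE_FIPS" -eq 1 ] && ! [[ "$AMP_BASEOS" =~ ^(rhel|fedora|centos)$ ]]; then
    echo "FIPS mode (-y) is only supported for Red Hat family base images"
    exit 1
fi

# … unchanged: RHEL/Fedora image size check …
```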
@@ -0,0 +1,7 @@
+Element to enable FIPS mode inside the Amphora.
+
+This element configures the Amphora OS to enable FIPS 140-2 mode in the
+operating system for the Amphora.
+
+Note: Current this element only supports the Red Hat family of operating
+systems.
diff --git a/elements/amphora-fips/element-deps b/elements/amphora-fips/element-deps
new file mode 100644
index 0000000000..b0c47881bc
--- /dev/null
+++ b/elements/amphora-fips/element-deps
@@ -0,0 +1,4 @@
+bootloader
+dracut-regenerate
+package-installs
+pkg-map
diff --git a/elements/amphora-fips/environment.d/95-enable-fips b/elements/amphora-fips/environment.d/95-enable-fips
new file mode 100755
index 0000000000..88b48c8f74
--- /dev/null
+++ b/elements/amphora-fips/environment.d/95-enable-fips
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+ set -x
+fi
+
+set -eu
+set -o pipefail
+
+case $DISTRO_NAME in
+ ubuntu | debian )
+ echo "ERROR: $DISTRO_NAME is not supported for FIPS mode."
+ exit 1
+ ;;
+ fedora | centos* | rhel* )
+ DIB_DRACUT_ENABLED_MODULES+="
+- name: fips
+ "
+ export DIB_DRACUT_ENABLED_MODULES
+
+ DIB_BOOTLOADER_DEFAULT_CMDLINE+=" fips=1"
+ export DIB_BOOTLOADER_DEFAULT_CMDLINE
+ ;;
+ *)
+ echo "ERROR: Unsupported distribution $DISTRO_NAME"
+ exit 1
+ ;;
+esac
diff --git a/elements/amphora-fips/package-installs.yaml b/elements/amphora-fips/package-installs.yaml
new file mode 100644
index 0000000000..7a9998cc4e
--- /dev/null
+++ b/elements/amphora-fips/package-installs.yaml
@@ -0,0 +1,2 @@
+# Required for fips-mode-setup to enable fips mode
+crypto-policies-scripts:
diff --git a/elements/amphora-fips/pkg-map b/elements/amphora-fips/pkg-map
new file mode 100644
index 0000000000..32c7761863
--- /dev/null
+++ b/elements/amphora-fips/pkg-map
@@ -0,0 +1,10 @@
+{
+ "family": {
+ "redhat": {
+ "crypto-policies-scripts": "crypto-policies-scripts"
+ }
+ },
+ "default": {
+ "crypto-policies-scripts": ""
+ }
+}
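Review bot: The fedora/centos/rhel arm of 95-enable-fips turns on the dracut `fips` module and appends `fips=1`, but carries no comment on what the kernel will then require at boot: the integrity self-check passes only if the kernel package's HMAC files are still in the image, and if the image layout ever gives /boot its own partition a `boot=` argument must be on the cmdline as well. A header comment would spare the next maintainer the trip to the docs, e.g. `# Boot-time half of FIPS enablement: dracut 'fips' module + fips=1 kernel arg. The crypto-policies half lives in post-install.d/10-enable-fips. Keep the kernel's .hmac files in the image or the kernel will refuse to boot in FIPS mode.` The `centos*` and `rhel*` globs also match releases older than 8, where the crypto-policies-scripts package listed in package-installs.yaml does not exist, so either narrow the pattern or state in the README that the element targets 8+; I cannot tell from the diff which releases are built.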
diff --git a/elements/amphora-fips/post-install.d/10-enable-fips b/elements/amphora-fips/post-install.d/10-enable-fips
new file mode 100755
index 0000000000..1579a1210d
--- /dev/null
+++ b/elements/amphora-fips/post-install.d/10-enable-fips
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+ set -x
+fi
+
+set -eu
+set -o pipefail
+
+case $DISTRO_NAME in
+ ubuntu | debian )
+ echo "ERROR: $DISTRO_NAME is not supported for FIPS mode."
+ exit 1
+ ;;
+ fedora | centos* | rhel* )
+ update-crypto-policies --no-reload --set FIPS
+ ;;
+ *)
+ echo "ERROR: Unsupported distribution $DISTRO_NAME"
+ exit 1
+ ;;
+esac
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 7eac5f35e7..3d253dae43 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -202,9 +202,15 @@
 parent: octavia-v2-dsvm-scenario
 nodeset: octavia-single-node-centos-8-stream
 description: |
- Functional testing for a FIPS enabled Centos 8 system
+ Functional testing for a FIPS enabled Centos 8 system.
 pre-run: playbooks/enable-fips.yaml
+ timeout: 10800
 vars:
+ devstack_localrc:
+ OCTAVIA_AMP_BASE_OS: centos
+ OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID: 8-stream
+ OCTAVIA_AMP_IMAGE_SIZE: 3
+ OCTAVIA_AMP_ENABLE_FIPS: True
 devstack_local_conf:
 test-config:
 "$TEMPEST_CONFIG":
@@ -219,6 +225,11 @@
 Functional testing for a FIPS enabled Centos 8 system
 pre-run: playbooks/enable-fips.yaml
 vars:
+ devstack_localrc:
+ OCTAVIA_AMP_BASE_OS: centos
+ OCTAVIA_AMP_DISTRIBUTION_RELEASE_ID: 8-stream
+ OCTAVIA_AMP_IMAGE_SIZE: 3
+ OCTAVIA_AMP_ENABLE_FIPS: True
 devstack_local_conf:
 test-config:
 "$TEMPEST_CONFIG":
diff --git a/zuul.d/projects.yaml b/zuul.d/projects.yaml
index a30be85f1c..93dace51df 100644
--- a/zuul.d/projects.yaml
+++ b/zuul.d/projects.yaml
@@ -50,9 +50,6 @@
 - ^tools/.*$
 - ^(test-|)requirements.txt$
 - ^tox.ini$
- - octavia-v2-dsvm-scenario-fips:
- irrelevant-files: *irrelevant-files
- voting: false
 - octavia-v2-dsvm-tls-barbican-fips:
 irrelevant-files: *irrelevant-files
 voting: false
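Review bot: 10-enable-fips calls `update-crypto-policies --no-reload --set FIPS` directly, while the comment in package-installs.yaml says the package is installed for `fips-mode-setup`; one of the two should change so the files agree. The direct call looks deliberate, since `fips-mode-setup --enable` would also try to edit the bootloader and rebuild the initramfs, which this element handles in environment.d/95-enable-fips instead, and that reasoning belongs in the script: `# Set the FIPS crypto policy only; kernel cmdline and initramfs are handled in environment.d/95-enable-fips. --no-reload because nothing is running in the chroot.` As far as I know recent crypto-policies releases also print a warning that `--set FIPS` alone is not sufficient for FIPS compliance, so without that comment the build log will look wrong even when the image is correct; checking /proc/sys/crypto/fips_enabled on a booted amphora is the way to confirm the end result.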
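Review bot: `timeout: 10800` is added only to the first job (@@ -202 hunk of zuul.d/jobs.yaml), while the second job (@@ -219 hunk) receives the identical centos 8-stream `devstack_localrc` block and therefore the same amphora image build that motivated the longer timeout; unless it inherits one from a parent the diff does not show, it should get the same line. The duplicated five-line `devstack_localrc` block could also be factored into a YAML anchor, as projects.yaml already does with `*irrelevant-files`, so the two FIPS jobs cannot drift apart.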
@@ -109,6 +106,9 @@
 branches: ^(?!stable/.*).*$
 - octavia-amphora-image-build
 - octavia-grenade-ffu
+# Putting octavia-v2-dsvm-scenario-fips in periodic as centos 8 is too slow
+ - octavia-v2-dsvm-scenario-fips:
+ voting: false
 experimental:
 jobs:
 - octavia-v2-dsvm-scenario-nftables
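Review bot: The added comment `# Putting octavia-v2-dsvm-scenario-fips in periodic as centos 8 is too slow` starts at column 0 inside an indented job list, which reads as a stray top-level line; indent it to the `- octavia-v2-dsvm-scenario-fips:` entry it explains. It would also help a reader of the periodic section to know the job was moved rather than newly added, e.g. `# Moved here from check: centos 8 image builds are too slow for that pipeline`.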