diff --git a/doc/source/general-roles.rst b/doc/source/general-roles.rst
index afc009d22..c81eb4efd 100644
--- a/doc/source/general-roles.rst
+++ b/doc/source/general-roles.rst
@@ -13,6 +13,7 @@ General Purpose Roles
 .. zuul:autorole:: download-artifact
 .. zuul:autorole:: dstat-graph
 .. zuul:autorole:: emit-job-header
+.. zuul:autorole:: enable-fips
 .. zuul:autorole:: enable-netconsole
 .. zuul:autorole:: ensure-bazelisk
 .. zuul:autorole:: ensure-dhall
diff --git a/roles/enable-fips/README.rst b/roles/enable-fips/README.rst
new file mode 100644
index 000000000..c84db5ab6
--- /dev/null
+++ b/roles/enable-fips/README.rst
@@ -0,0 +1,4 @@
+Enable FIPS on a node.
+
+Set a node into FIPS mode, to test functionality when crypto
+policies are set to FIPS in RHEL 8/Centos 8.
diff --git a/roles/enable-fips/tasks/main.yaml b/roles/enable-fips/tasks/main.yaml
new file mode 100644
index 000000000..aebdb9497
--- /dev/null
+++ b/roles/enable-fips/tasks/main.yaml
@@ -0,0 +1,63 @@
+---
+- name: Make sure this role is run on RHEL/CentOS 8 systems
+  fail:
+    msg: This role supports RHEL/CentOS 8 systems only
+  when:
+    - (ansible_distribution != 'CentOS' and ansible_distribution != 'Red Hat Enterprise Linux') or
+      ansible_distribution_major_version != '8'
+
+- name: Install fips-mode-setup
+  become: true
+  package:
+    name: crypto-policies-scripts
+    state: present
+
+- name: Enable FIPS mode
+  become: true
+  command: fips-mode-setup --enable
+
+- name: check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub
+  become: true
+  shell: |
+    set -o pipefail
+    grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub
+  register: test_grep
+  failed_when: false
+
+- name: add GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
+  become: true
+  lineinfile:
+    path: /etc/default/grub
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"'
+  when: test_grep.rc != 0
+
+- name: Replace GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
+  become: true
+  lineinfile:
+    path: /etc/default/grub
+    regexp: 'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 fips=1"'
+    backrefs: true
+  when: test_grep.rc == 0
+
+- name: Rebuild grub.cfg file
+  become: true
+  command: grub2-mkconfig -o /boot/grub2/grub.cfg
+
+- name: Reboot server for FIPS mode
+  become: true
+  reboot:
+    reboot_timeout: 1800
+
+- name: Run start-zuul-console role
+  include_role:
+    name: start-zuul-console
+
+- name: Ensure FIPS mode is enabled
+  become: true
+  command: fips-mode-setup --check
+  register: _result
+
+- name: Assert FIPS is enabled
+  assert:
+    that: _result.stdout == "FIPS mode is enabled."
diff --git a/zuul-tests.d/general-roles-jobs.yaml b/zuul-tests.d/general-roles-jobs.yaml
index 4ff06ac15..766a14f42 100644
--- a/zuul-tests.d/general-roles-jobs.yaml
+++ b/zuul-tests.d/general-roles-jobs.yaml
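Review bot: The guard task at the top of tasks/main.yaml rejects genuine RHEL 8 hosts, because Ansible's `ansible_distribution` fact reports RHEL as `RedHat` rather than `Red Hat Enterprise Linux`, so the `fail` condition is true on every RHEL node even though the README lists RHEL 8 as supported; use `- ansible_distribution not in ['CentOS', 'RedHat'] or ansible_distribution_major_version != '8'`. The "Replace GRUB_CMDLINE_LINUX_DEFAULT" task is also not idempotent: its regexp matches a line that already carries `fips=1`, so every re-run of the role appends another `fips=1`; guard it with `when: test_grep.rc == 0 and 'fips=1' not in test_grep.stdout`. To my knowledge `fips-mode-setup --enable` on RHEL 8 already places `fips=1` (and `boot=UUID=...` when /boot is a separate filesystem) on the kernel command line itself, so the manual /etc/default/grub edit plus `grub2-mkconfig` may be redundant, and a hand-added `fips=1` without a matching `boot=` argument is the classic way to get a node that will not come back from the reboot; please confirm the grub tasks are actually needed before keeping them, and if they are, note why in a comment above the "check if GRUB_CMDLINE_LINUX_DEFAULT exists" task. Finally, `set -o pipefail` in that grep task is harmless but misleading since there is no pipe; a plain `command: grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub` with the same `failed_when: false` reads more honestly.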
@@ -368,6 +368,19 @@
     vars:
       role_name: clear-firewall
 
+- job:
+    name: zuul-jobs-test-enable-fips
+    description: Test the enable-fips role
+    files:
+      - roles/enable-fips/.*
+    run: test-playbooks/simple-role-test.yaml
+    vars:
+      role_name: enable-fips
+    nodeset:
+      nodes:
+        - name: centos-8-stream
+          label: centos-8-stream
+
 - job:
     name: zuul-jobs-test-ensure-bazelisk
     description: Test the ensure-bazelisk role
@@ -749,6 +762,7 @@
         - zuul-jobs-test-bindep-ubuntu-xenial
         - zuul-jobs-test-bindep-ubuntu-focal
         - zuul-jobs-test-clear-firewall
+        - zuul-jobs-test-enable-fips
         - zuul-jobs-test-ensure-bazelisk
         - zuul-jobs-test-netconsole
         - zuul-jobs-test-dstat-graph
@@ -798,6 +812,7 @@
         - zuul-jobs-test-bindep-ubuntu-xenial
         - zuul-jobs-test-bindep-ubuntu-focal
         - zuul-jobs-test-clear-firewall
+        - zuul-jobs-test-enable-fips
         - zuul-jobs-test-ensure-bazelisk
         - zuul-jobs-test-netconsole
         - zuul-jobs-test-dstat-graph