From 99711abf23b9a7bf76d50ec45309c25911899c5e Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Wed, 7 Dec 2022 18:08:58 +0100
Subject: [PATCH] Add ubuntu to enable-fips role
The enable-fips role has been refactored to support both centos/rhel and
Ubuntu.
In addition, for the Ubuntu tasks, a small role is added to enable a
Ubuntu Advantage subscription. This is required because Ubuntu requires
a subscription to enable FIPS. This role takes a subscription key as a
parameter (ubuntu_ua_token.token).
In Openstack, this is provided by the openstack-fips job in
openstack/project-config, which will be the base job for OpenStack jobs.
This job will provide the ubuntu_ua_token.token.
Change-Id: I47a31f680172b47584510adb672b68498a85bd32
---
doc/source/general-roles.rst | 1 +
playbooks/enable-fips/README.rst | 18 +++++
roles/enable-fips/README.rst | 7 +-
roles/enable-fips/tasks/main.yaml | 69 ++++----------------
roles/enable-fips/tasks/rhel.yaml | 56 ++++++++++++++++
roles/enable-fips/tasks/ubuntu.yaml | 31 +++++++++
roles/enable-ua-subscription/README.rst | 13 ++++
roles/enable-ua-subscription/tasks/main.yaml | 12 ++++
roles/post-reboot-tasks/README.rst | 14 +++-
9 files changed, 161 insertions(+), 60 deletions(-)
create mode 100644 playbooks/enable-fips/README.rst
create mode 100644 roles/enable-fips/tasks/rhel.yaml
create mode 100644 roles/enable-fips/tasks/ubuntu.yaml
create mode 100644 roles/enable-ua-subscription/README.rst
create mode 100644 roles/enable-ua-subscription/tasks/main.yaml
diff --git a/doc/source/general-roles.rst b/doc/source/general-roles.rst
index 0e1b8f729..cbc9d9255 100644
--- a/doc/source/general-roles.rst
+++ b/doc/source/general-roles.rst
@@ -16,6 +16,7 @@ General Purpose Roles
.. zuul:autorole:: emit-job-header
.. zuul:autorole:: enable-fips
.. zuul:autorole:: enable-netconsole
+.. zuul:autorole:: enable-ua-subscription
.. zuul:autorole:: encrypt-file
.. zuul:autorole:: ensure-bazelisk
.. zuul:autorole:: ensure-dhall
diff --git a/playbooks/enable-fips/README.rst b/playbooks/enable-fips/README.rst
new file mode 100644
index 000000000..f6f28d151
--- /dev/null
+++ b/playbooks/enable-fips/README.rst
@@ -0,0 +1,18 @@
+The enable-fips playbook can be invoked to enable FIPS mode on jobs.
+
+This playbook will call the enable-fips role, which will turn FIPS mode on
+and then reboot the node. To get consistent results, this role should
+be run very early in the node setup process, so that resources set up
+later are not affected by the reboot.
+
+A playbook variable enable_fips - which defaults to True - is provided.
+This variable can be used to skip this playbook.
+
+**Job Variables**
+
+.. zuul:jobvar:: enable_fips
+ :default: True
+
+ Whether to run the playbook and enable fips. Defaults to True.
+
+
diff --git a/roles/enable-fips/README.rst b/roles/enable-fips/README.rst
index 055248612..be1ea532a 100644
--- a/roles/enable-fips/README.rst
+++ b/roles/enable-fips/README.rst
@@ -1,7 +1,12 @@
Enable FIPS on a node.
Set a node into FIPS mode, to test functionality when crypto
-policies are set to FIPS in RHEL 8/Centos 8.
+policies are set to FIPS in RHEL/Centos >=8 or Ubuntu.
+
+For Ubuntu nodes, the node is assumed to already have an Ubuntu
+Advantage subscription activated, as this is required to enable
+FIPS mode. The enable-ua-subscription role in this repo can be
+used to activate the subscription.
The role will set the node into FIPS mode, reboot the node, and
then call the post-reboot-tasks role. This role requires a role
diff --git a/roles/enable-fips/tasks/main.yaml b/roles/enable-fips/tasks/main.yaml
index 05525283b..e339ca4be 100644
--- a/roles/enable-fips/tasks/main.yaml
+++ b/roles/enable-fips/tasks/main.yaml
@@ -1,64 +1,21 @@
---
-- name: Make sure this role is run on RHEL/CentOS 8 systems
+- name: Make sure this role is run on RHEL/CentOS/Ubuntu systems
fail:
- msg: This role supports RHEL/CentOS 8 systems and Fedora only
+ msg: This role supports RHEL/CentOS/Fedora/Ubuntu systems only
when:
- not (ansible_distribution == 'CentOS' and ansible_distribution_major_version|int >= 8)
- not (ansible_distribution == 'Red Hat Enterprise Linux' and ansible_distribution_major_version|int >= 8)
- not ansible_distribution == 'Fedora'
+ - not ansible_distribution == 'Ubuntu'
-- name: Install fips-mode-setup
- become: true
- package:
- name: crypto-policies-scripts
- state: present
+- name: Do tasks for RHEL/Centos systems
+ include_tasks: rhel.yaml
+ when: >
+ (ansible_distribution == 'CentOS' and ansible_distribution_major_version|int >= 8) or
+ (ansible_distribution == 'Red Hat Enterprise Linux' and ansible_distribution_major_version|int >= 8) or
+ ansible_distribution == 'Fedora'
-- name: Enable FIPS mode
- become: true
- command: fips-mode-setup --enable
-
-- name: Check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub
- become: true
- shell: |
- set -o pipefail
- grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub
- register: test_grep
- failed_when: false
-
-- name: Add GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
- become: true
- lineinfile:
- path: /etc/default/grub
- line: 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"'
- when: test_grep.rc != 0
-
-- name: Replace GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
- become: true
- lineinfile:
- path: /etc/default/grub
- regexp: 'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'
- line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 fips=1"'
- backrefs: true
- when: test_grep.rc == 0
-
-- name: Rebuild grub.cfg file
- become: true
- command: grub2-mkconfig -o /boot/grub2/grub.cfg
-
-- name: Reboot server for FIPS mode
- become: true
- reboot:
- reboot_timeout: 1800
-
-- name: Run post-boot tasks
- include_role:
- name: post-reboot-tasks
-
-- name: Ensure FIPS mode is enabled
- become: true
- command: fips-mode-setup --check
- register: _result
-
-- name: Assert FIPS is enabled
- assert:
- that: _result.stdout == "FIPS mode is enabled."
+- name: Do tasks for Ubuntu
+ include_tasks: ubuntu.yaml
+ when: >
+ (ansible_distribution == "Ubuntu")
diff --git a/roles/enable-fips/tasks/rhel.yaml b/roles/enable-fips/tasks/rhel.yaml
new file mode 100644
index 000000000..ac454ed8e
--- /dev/null
+++ b/roles/enable-fips/tasks/rhel.yaml
@@ -0,0 +1,56 @@
+---
+- name: Install fips-mode-setup
+ become: true
+ package:
+ name: crypto-policies-scripts
+ state: present
+
+- name: Enable FIPS mode
+ become: true
+ command: fips-mode-setup --enable
+
+- name: Check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub
+ become: true
+ shell: |
+ set -o pipefail
+ grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub
+ register: test_grep
+ failed_when: false
+
+- name: Add GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
+ become: true
+ lineinfile:
+ path: /etc/default/grub
+ line: 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"'
+ when: test_grep.rc != 0
+
+- name: Replace GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
+ become: true
+ lineinfile:
+ path: /etc/default/grub
+ regexp: 'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'
+ line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 fips=1"'
+ backrefs: true
+ when: test_grep.rc == 0
+
+- name: Rebuild grub.cfg file
+ become: true
+ command: grub2-mkconfig -o /boot/grub2/grub.cfg
+
+- name: Reboot server for FIPS mode
+ become: true
+ reboot:
+ reboot_timeout: 1800
+
+- name: Run post-boot tasks
+ include_role:
+ name: post-reboot-tasks
+
+- name: Ensure FIPS mode is enabled
+ become: true
+ command: fips-mode-setup --check
+ register: _result
+
+- name: Assert FIPS is enabled
+ assert:
+ that: _result.stdout == "FIPS mode is enabled."
diff --git a/roles/enable-fips/tasks/ubuntu.yaml b/roles/enable-fips/tasks/ubuntu.yaml
new file mode 100644
index 000000000..d2137852f
--- /dev/null
+++ b/roles/enable-fips/tasks/ubuntu.yaml
@@ -0,0 +1,31 @@
+- name: Install ua-tools
+ become: true
+ package:
+ name: ubuntu-advantage-tools
+ state: present
+
+- name: Enable fips
+ become: true
+ command: ua enable fips
+
+- name: Verify fips is enabled
+ become: true
+ command: ua status
+
+- name: Reboot server for FIPS mode
+ become: true
+ reboot:
+ reboot_timeout: 1800
+
+- name: Run post-boot tasks
+ include_role:
+ name: post-reboot-tasks
+
+- name: Ensure FIPS mode is enabled
+ become: true
+ command: cat /proc/sys/crypto/fips_enabled
+ register: _result
+
+- name: Assert FIPS is enabled
+ assert:
+ that: _result.stdout == "1"
diff --git a/roles/enable-ua-subscription/README.rst b/roles/enable-ua-subscription/README.rst
new file mode 100644
index 000000000..ee5a24538
--- /dev/null
+++ b/roles/enable-ua-subscription/README.rst
@@ -0,0 +1,13 @@
+Enable UA Subscription on a node.
+
+For Ubuntu nodes, this role activates an Ubuntu advantage
+subscription using a passed in token (ubuntu_ua_token.token).
+
+**Role Variables**
+
+.. zuul:rolevar:: ubuntu_ua_token
+ :type: dict
+ :default: None
+
+ Dict used to specify Ubuntu advantage subscription information.
+ ubuntu_ua_token.token is a subscription key.
diff --git a/roles/enable-ua-subscription/tasks/main.yaml b/roles/enable-ua-subscription/tasks/main.yaml
new file mode 100644
index 000000000..8730258ac
--- /dev/null
+++ b/roles/enable-ua-subscription/tasks/main.yaml
@@ -0,0 +1,12 @@
+- name: Install ua-tools
+ become: true
+ package:
+ name: ubuntu-advantage-tools
+ state: present
+
+- name: Attach subscription
+ command: pro attach --no-auto-enable "{{ ubuntu_ua_token.token }}"
+ become: true
+ no_log: true
+ when: >
+ (ansible_distribution == "Ubuntu")
diff --git a/roles/post-reboot-tasks/README.rst b/roles/post-reboot-tasks/README.rst
index 82e4b694f..53de62df9 100644
--- a/roles/post-reboot-tasks/README.rst
+++ b/roles/post-reboot-tasks/README.rst
@@ -9,6 +9,14 @@ connectivity (ssh), restarting the zuul-console and making sure
DNS is up.
A role parameter nslookup_target is required to specify the DNS name
-to ensure DNS is working. If working in a mirrored environment, it
-is a good idea to use $zuul_site_mirror_fqdn, because this is what
-will be needed for package installs in any case.
+to ensure DNS is working.
+
+**Role Variables**
+
+.. zuul:rolevar:: nslookup_target
+ :type: str
+ :default: None
+
+ DNS name to query to confirm that DNS is working. If working in a
+ mirrored environment, it is a good idea to use $zuul_site_mirror_fqdn,
+ because this is what will be needed for package installs in any case.