
Add support for FIPS mode #452

Merged
merged 1 commit into from Apr 1, 2022

Conversation

miskopo
Copy link
Member

@miskopo miskopo commented Feb 22, 2022

Introduce fips bool variable and its handling, implement FIPS setup to
provisioning playbooks. Include check to ensure that FIPS mode is
initialized correctly prior to launching the test phase.

Add support for reloading all machines from vagrant's side (this halts
all the machines, starts them up and reestablishes shared folder).
Reload can be triggered by creating a REBOOT_READY file in the vagrant
shared folder before the test phase (either in provisioning or upping
phase).

Signed-off-by: Michal Polovka <mpolovka@redhat.com>

@miskopo

This comment was marked as outdated.

Review thread on the provisioning playbook (outdated revision):

          shell: fips-mode-setup --enable

        - name: reboot the machine
          reboot:
Member

There's a problem here. Vagrant is not able to detect a reboot, so it loses its synced folder functionality, which means we can't collect the artifacts once the test is done.

Is the reboot really necessary?

Member Author

@netoarmando first of all, thank you for your review!

The reboot is necessary, as FIPS setup includes changing the boot parameters. Without the reboot, fips-mode-setup --is-enabled returns return code 2, which means disabled.

Regarding a possible solution, I think we can either:

  • execute some sort of re-sync command after reboot (reboot has a hook for that)
  • move the reboot to provisioning phase before the synchronization is established

@miskopo miskopo force-pushed the fips_support branch 2 times, most recently from c4cdc08 to 6d05288 on March 25, 2022 12:33
@miskopo miskopo added the WIP Work In Progress label Mar 25, 2022

miskopo commented Mar 25, 2022

I'll leave it here, as the check has to be moved somewhere else.

    - name: check if the FIPS mode was enabled
      shell: fips-mode-setup --is-enabled
      register: fips_mode
      # a non-zero rc (2 = disabled) must not fail this task itself, otherwise
      # the assert below never runs and its fail_msg is never shown
      failed_when: false

    - name: assert the success of FIPS installation
      assert:
        that: "fips_mode.rc == 0"
        fail_msg: "FIPS installation was not successful, aborting"
        success_msg: "FIPS installation complete"
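The two mechanisms this thread describes, the REBOOT_READY marker that triggers a reload of all machines from Vagrant's side and the post-reboot check that FIPS mode really is enabled before the test phase starts, put together as one gate. This is an added example, not freeipa-pr-ci code; it assumes the reload is done with `vagrant reload`, that the guest is reached with `vagrant ssh <name> -c`, and it adds the kernel's own `/proc/sys/crypto/fips_enabled` flag as an independent second check. The function names (`reload_if_requested`, `verify_fips`, `demo`) and the `FakeVagrant` stand-in are mine so the whole flow runs offline.

```python
"""Post-provisioning FIPS gate: consume the REBOOT_READY marker and reload the
machines, then verify FIPS mode inside the guest before the test phase starts.
Added example, not freeipa-pr-ci code; the command runner is injectable."""
import logging
import os
import subprocess
from typing import Callable, List

log = logging.getLogger(__name__)

REBOOT_MARKER = "REBOOT_READY"   # marker file name from the PR description
FIPS_ENABLED_RC = 0              # fips-mode-setup --is-enabled: enabled
FIPS_DISABLED_RC = 2             # fips-mode-setup --is-enabled: disabled (rc seen before reboot)

Runner = Callable[[List[str]], subprocess.CompletedProcess]


class FipsNotEnabled(RuntimeError):
    """Raised when the guest is not in FIPS mode; the test phase must not start."""


def real_runner(argv: List[str]) -> subprocess.CompletedProcess:
    return subprocess.run(argv, capture_output=True, text=True)


def reload_if_requested(shared_dir: str, run: Runner = real_runner) -> bool:
    """If provisioning left a REBOOT_READY marker in the shared folder, halt and
    start all machines again (assumed: `vagrant reload`), which re-establishes
    the synced folder. Returns True when a reload happened."""
    marker = os.path.join(shared_dir, REBOOT_MARKER)
    if not os.path.exists(marker):
        return False
    os.remove(marker)  # consume the marker first so a retry never reloads twice
    log.info("REBOOT_READY found, reloading all machines")
    res = run(["vagrant", "reload"])
    if res.returncode != 0:
        raise RuntimeError(f"vagrant reload failed (rc={res.returncode}): {res.stderr}")
    return True


def fips_status(rc: int) -> str:
    """Map the exit status of `fips-mode-setup --is-enabled` to a label."""
    if rc == FIPS_ENABLED_RC:
        return "enabled"
    if rc == FIPS_DISABLED_RC:
        return "disabled"
    return f"unknown (rc={rc})"


def verify_fips(machine: str, run: Runner = real_runner) -> bool:
    """Gate for the test phase: the userspace tool and the kernel flag must both
    say FIPS mode is active, otherwise raise FipsNotEnabled."""
    res = run(["vagrant", "ssh", machine, "-c", "fips-mode-setup --is-enabled"])
    status = fips_status(res.returncode)
    # The kernel flag is set only once fips=1 took effect at boot, which is what
    # the reboot is for; "0" here means the boot parameters were not applied yet.
    kern = run(["vagrant", "ssh", machine, "-c", "cat /proc/sys/crypto/fips_enabled"])
    kernel_flag = kern.stdout.strip() if kern.returncode == 0 else "?"
    if status != "enabled" or kernel_flag != "1":
        raise FipsNotEnabled(
            f"{machine}: fips-mode-setup reports {status}, kernel fips_enabled={kernel_flag}")
    log.info("%s: FIPS successfully installed", machine)
    return True


class FakeVagrant:
    """Constructed stand-in for the vagrant CLI so the example runs offline."""

    def __init__(self, fips_rc: int, kernel_flag: str):
        self.fips_rc, self.kernel_flag, self.calls = fips_rc, kernel_flag, []

    def __call__(self, argv: List[str]) -> subprocess.CompletedProcess:
        self.calls.append(list(argv))
        cmd = argv[-1]
        if cmd == "fips-mode-setup --is-enabled":
            return subprocess.CompletedProcess(argv, self.fips_rc, "", "")
        if cmd == "cat /proc/sys/crypto/fips_enabled":
            return subprocess.CompletedProcess(argv, 0, self.kernel_flag + "\n", "")
        return subprocess.CompletedProcess(argv, 0, "", "")  # vagrant reload


def demo(shared_dir: str, fips_rc: int = 0, kernel_flag: str = "1",
         request_reboot: bool = True) -> dict:
    """Run the whole gate against the fake CLI and report what happened."""
    vagrant = FakeVagrant(fips_rc, kernel_flag)
    if request_reboot:
        open(os.path.join(shared_dir, REBOOT_MARKER), "w").close()
    reloaded = reload_if_requested(shared_dir, run=vagrant)
    try:
        fips_ok = verify_fips("controller", run=vagrant)
    except FipsNotEnabled as exc:
        log.error("%s", exc)
        fips_ok = False
    return {"reloaded": reloaded, "fips_ok": fips_ok, "calls": len(vagrant.calls)}


if __name__ == "__main__":
    import tempfile
    logging.basicConfig(level=logging.INFO)
    print(demo(tempfile.mkdtemp()))                                   # reboot + enabled
    print(demo(tempfile.mkdtemp(), fips_rc=2, request_reboot=False))  # never rebooted
```

The marker is removed before `vagrant reload` is run so that a retried provisioning step cannot bounce the machines twice, and the kernel flag is checked in addition to the tool's exit status because the two can disagree exactly in the case discussed above: `fips-mode-setup --enable` has rewritten the boot parameters but the guest has not been rebooted yet.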

@miskopo miskopo force-pushed the fips_support branch 3 times, most recently from fa3002b to 5c0337e on March 25, 2022 15:44

miskopo commented Mar 25, 2022

miskopo/freeipa#11 shows that the current implementation correctly reloads the machines and fetches the test results. Great success!


miskopo commented Mar 25, 2022

Current state:

  • running in FIPS mode is now functional

To do:

  • logging
  • FIPS mode validation

@miskopo miskopo force-pushed the fips_support branch 2 times, most recently from 1dd2cf8 to 28e8b13 on March 26, 2022 11:34

miskopo commented Mar 26, 2022

I've added some logging, exception handling and a check for the status of the FIPS installation.


miskopo commented Mar 26, 2022

I call this a great success

    Mar 26 11:54:17 permanent-mpolovka-f35-big-runner bash[166181]: INFO: root: Executing: Process "vagrant ssh -c fips-mode-setup --is-enabled"
    Mar 26 11:54:19 permanent-mpolovka-f35-big-runner bash[166181]: DEBUG: root: ==> controller: Libvirt Provider: volume_cache is deprecated. Use disk_driver :cache => 'unsafe' instead.
    Mar 26 11:54:21 permanent-mpolovka-f35-big-runner bash[166181]: INFO: root: FIPS successfully installed.


miskopo commented Mar 26, 2022

See the full run here. Provisioning in FIPS, logging, checking of installation, all work as expected. I am thinking about adding some tests though. This PR, however, is ready in my humble opinion.

@miskopo miskopo added type:feature and removed WIP Work In Progress labels Mar 26, 2022
@netoarmando netoarmando left a comment


Thanks for this @miskopo. Check my comments, I'll look into the logs later today.

tasks/tasks.py (outdated, resolved)

            self.build_url, 'rpms/freeipa-prci.repo'),
        update_packages=self.update_packages,
        selinux_enforcing=self.selinux_enforcing))
Member

On the other hand, I think we can replace this dict() with a beautiful literal. :D

Member Author

@netoarmando I hope this is what you meant :)

Member

It is, maybe a little more formatted, like this:

    constants.ANSIBLE_VARS_TEMPLATE.format(
        action_name=self.action_name),
    os.path.join(self.data_dir, 'vars.yml'),
    {
        "repofile_url": urllib.parse.urljoin(
            self.build_url, 'rpms/freeipa-prci.repo'
        ),
        "update_packages": self.update_packages,
        "selinux_enforcing": self.selinux_enforcing,
        "fips": self.fips,
    }
    )

tasks/vagrant.py (outdated, resolved)
@netoarmando netoarmando left a comment


LGTM, formatting that dict is a plus. Approving this.

@miskopo miskopo merged commit 0c2be7a into freeipa:master Apr 1, 2022
@netoarmando
Member

This has been deployed last Friday (Apr 1) in the nightly runners. It will be deployed in the gating runners today.
