Modify devstack-base to allow for fips

vakwetu · vakwetu · commit 15b2e429685f · 2023-04-17T08:43:22.000Z
devstack-base is changed to descend from
openstack-multinode-fips which is defined in
project-config.

This allows jobs to execute the enable_fips playbook
to enable FIPS mode on the node, but only if they
opt-in by setting enable_fips to True.  Otherwise,
this is a no-op.

Change-Id: I5631281662dbd18056ffba291290ed0978ab937e
diff --git a/.zuul.yaml b/.zuul.yaml
@@ -370,7 +370,7 @@
 
 - job:
     name: devstack-base
-    parent: multinode
+    parent: openstack-multinode-fips
     abstract: true
     description: |
       Base abstract Devstack job.
diff --git a/functions-common b/functions-common
@@ -2545,6 +2545,11 @@ function clean_pyc_files {
     fi
 }
 
+function is_fips_enabled {
+    fips=`cat /proc/sys/crypto/fips_enabled`
+    [ "$fips" == "1" ]
+}
+
 # Restore xtrace
 $_XTRACE_FUNCTIONS_COMMON
 
diff --git a/lib/databases/mysql b/lib/databases/mysql
@@ -69,7 +69,7 @@ function recreate_database_mysql {
 }
 
 function configure_database_mysql {
-    local my_conf mysql slow_log
+    local my_conf mysql slow_log my_client_conf
     echo_summary "Configuring and starting MySQL"
 
     if is_ubuntu; then
@@ -86,6 +86,15 @@ function configure_database_mysql {
         exit_distro_not_supported "mysql configuration"
     fi
 
+    # Set fips mode on
+    if is_ubuntu; then
+        if is_fips_enabled; then
+            my_client_conf=/etc/mysql/mysql.conf.d/mysql.cnf
+            iniset -sudo $my_client_conf mysql ssl-fips-mode "on"
+            iniset -sudo $my_conf mysqld ssl-fips-mode "on"
+        fi
+    fi
+
     # Change bind-address from localhost (127.0.0.1) to any (::)
     iniset -sudo $my_conf mysqld bind-address "$(ipv6_unquote $SERVICE_LISTEN_ADDRESS)"
 
