Merge "Modify devstack-base to allow for fips"

Zuul · openstack-gerrit · commit 2e607b0cbd91 · 2023-04-20T23:55:40.000Z
diff --git a/.zuul.yaml b/.zuul.yaml
@@ -370,7 +370,7 @@
 
 - job:
     name: devstack-base
-    parent: multinode
+    parent: openstack-multinode-fips
     abstract: true
     description: |
       Base abstract Devstack job.
diff --git a/functions-common b/functions-common
@@ -2498,6 +2498,11 @@ function clean_pyc_files {
     fi
 }
 
+function is_fips_enabled {
+    fips=`cat /proc/sys/crypto/fips_enabled`
+    [ "$fips" == "1" ]
+}
+
 # Restore xtrace
 $_XTRACE_FUNCTIONS_COMMON
 
diff --git a/lib/databases/mysql b/lib/databases/mysql
@@ -63,7 +63,7 @@ function recreate_database_mysql {
 }
 
 function configure_database_mysql {
-    local my_conf mysql slow_log
+    local my_conf mysql slow_log my_client_conf
     echo_summary "Configuring and starting MySQL"
 
     if is_ubuntu; then
@@ -80,6 +80,15 @@ function configure_database_mysql {
         exit_distro_not_supported "mysql configuration"
     fi
 
+    # Set fips mode on
+    if is_ubuntu; then
+        if is_fips_enabled; then
+            my_client_conf=/etc/mysql/mysql.conf.d/mysql.cnf
+            iniset -sudo $my_client_conf mysql ssl-fips-mode "on"
+            iniset -sudo $my_conf mysqld ssl-fips-mode "on"
+        fi
+    fi
+
     # Change bind-address from localhost (127.0.0.1) to any (::)
     iniset -sudo $my_conf mysqld bind-address "$(ipv6_unquote $SERVICE_LISTEN_ADDRESS)"
 
