fix(fips): switch fips check to be based on sct configuration

since we have cases we'll want to run ubuntu pro (EOL versions as example), that won't have fips enable, the assumption that ubuntu pro mean only the fips images, isn't valid anymore. in this change we introduce a new configuration option, that would help us list the distro features we expect, so the test would be able to verify those on installation.
scylladb · Sep 11, 2024 · 9950447 · 9950447
1 parent d419945
commit 9950447
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 6 deletions.
diff --git a/configurations/longevity-fips-and-encryptions.yaml b/configurations/longevity-fips-and-encryptions.yaml
@@ -1,4 +1,5 @@
 ami_id_db_scylla: 'resolve:ssm:/aws/service/marketplace/prod-k6fgbnayirmrc/latest' # Ubuntu Pro FIPS 20.04 LTS amd64
+assert_linux_distro_features: ['fips']
 scylla_linux_distro: 'ubuntu-focal'
 use_preinstalled_scylla: false
 ami_db_scylla_user: 'ubuntu'

diff --git a/defaults/test_default.yaml b/defaults/test_default.yaml
@@ -266,3 +266,5 @@ run_scylla_doctor: false
 nemesis_double_load_during_grow_shrink_duration: 0
 
 enterprise_disable_kms: false
+
+assert_linux_distro_features: []
diff --git a/docs/configuration_options.md b/docs/configuration_options.md
@@ -30,6 +30,7 @@
 | **<a href="#user-content-oracle_scylla_version" name="oracle_scylla_version">oracle_scylla_version</a>**  | Version of scylla to use as oracle cluster with gemini tests, ex. '3.0.11'<br>Automatically lookup AMIs for formal versions.<br>WARNING: can't be used together with 'ami_id_db_oracle' | 2022.1.14 | SCT_ORACLE_SCYLLA_VERSION
 | **<a href="#user-content-scylla_linux_distro" name="scylla_linux_distro">scylla_linux_distro</a>**  | The distro name and family name to use. Example: 'ubuntu-jammy' or 'debian-bookworm'. | ubuntu-focal | SCT_SCYLLA_LINUX_DISTRO
 | **<a href="#user-content-scylla_linux_distro_loader" name="scylla_linux_distro_loader">scylla_linux_distro_loader</a>**  | The distro name and family name to use. Example: 'ubuntu-jammy' or 'debian-bookworm'. | ubuntu-jammy | SCT_SCYLLA_LINUX_DISTRO_LOADER
+| **<a href="#user-content-assert_linux_distro_features" name="assert_linux_distro_features">assert_linux_distro_features</a>**  | List of distro features relevant to SCT test. Example: 'fips'. | N/A | SCT_ASSERT_LINUX_DISTRO_FEATURES
 | **<a href="#user-content-scylla_repo_m" name="scylla_repo_m">scylla_repo_m</a>**  | Url to the repo of scylla version to install scylla from for managment tests | N/A | SCT_SCYLLA_REPO_M
 | **<a href="#user-content-scylla_repo_loader" name="scylla_repo_loader">scylla_repo_loader</a>**  | Url to the repo of scylla version to install c-s for loader | https://s3.amazonaws.com/downloads.scylladb.com/deb/ubuntu/scylla-5.2.list | SCT_SCYLLA_REPO_LOADER
 | **<a href="#user-content-scylla_mgmt_address" name="scylla_mgmt_address">scylla_mgmt_address</a>**  | Url to the repo of scylla manager version to install for management tests | N/A | SCT_SCYLLA_MGMT_ADDRESS

diff --git a/sdcm/cluster.py b/sdcm/cluster.py
@@ -4616,13 +4616,15 @@ def node_setup(self, node: BaseNode, verbose: bool = False, timeout: int = 3600)
         if self.params.get('logs_transport') == 'ssh':
             node.install_package('python3')
 
-        if node.distro.is_ubuntu:
-            result = node.remoter.sudo("pro status", ignore_status=True)
+        # check fips enabled only if we specify it in sct config (so we can use ubuntu pro in other cases)
+        if node.distro.is_ubuntu and 'fips' in (self.params.get('assert_linux_distro_features') or []):
             # https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/explanations/status_columns.html
-            if "ENTITLED" in result.stdout:  # Pro is enabled
-                result = node.remoter.run("cat /proc/sys/crypto/fips_enabled", ignore_status=True)
-                assert int(result.stdout) == 1, "Even though Ubuntu pro is enabled, FIPS is not enabled"
-                # https://ubuntu.com/tutorials/using-the-ua-client-to-enable-fips#4-enabling-fips-crypto-modules
+            # https://ubuntu.com/tutorials/using-the-ua-client-to-enable-fips#4-enabling-fips-crypto-modules
+            pro_status = node.remoter.sudo("pro status", ignore_status=True)
+            fibs_enabled = node.remoter.run("cat /proc/sys/crypto/fips_enabled", ignore_status=True)
+            assert "ENTITLED" in pro_status.stdout and int(
+                fibs_enabled.stdout) == 1, "Even though Ubuntu pro is enabled, FIPS is not enabled"
+
         node.update_repo_cache()
         node.install_package('lsof net-tools')
         install_scylla = True

diff --git a/sdcm/sct_config.py b/sdcm/sct_config.py
@@ -318,6 +318,9 @@ class SCTConfiguration(dict):
         dict(name="scylla_linux_distro_loader", env="SCT_SCYLLA_LINUX_DISTRO_LOADER", type=str,
              help="""The distro name and family name to use. Example: 'ubuntu-jammy' or 'debian-bookworm'."""),
 
+        dict(name="assert_linux_distro_features", env="SCT_ASSERT_LINUX_DISTRO_FEATURES", type=str_or_list_or_eval,
+             help="""List of distro features relevant to SCT test. Example: 'fips'."""),
+
         dict(name="scylla_repo_m", env="SCT_SCYLLA_REPO_M", type=str,
              help="Url to the repo of scylla version to install scylla from for managment tests"),
 

diff --git a/test-cases/artifacts/ubuntu2004-fips.yaml b/test-cases/artifacts/ubuntu2004-fips.yaml
@@ -1,4 +1,5 @@
 ami_id_db_scylla: 'resolve:ssm:/aws/service/marketplace/prod-k6fgbnayirmrc/latest' # Ubuntu Pro FIPS 20.04 LTS amd64
+assert_linux_distro_features: ['fips']
 root_disk_size_db: 50
 backtrace_decoding: false
 cluster_backend: 'aws'
Original file line number	Diff line number	Diff line change
Expand Up		@@ -266,3 +266,5 @@ run_scylla_doctor: false
		nemesis_double_load_during_grow_shrink_duration: 0

		enterprise_disable_kms: false

		assert_linux_distro_features: []