Merge pull request #690 from brendandixon/master

Enabled FIPS support and address #668.
Support mixed case hostnames on RedHat #686.

azurelinuxagent/common/conf.py

@@ -113,6 +113,8 @@ def get_agent_pid_file_path(conf=__conf__):
 def get_ext_log_dir(conf=__conf__):
     return conf.get("Extension.LogDir", "/var/log/azure")
 
+def get_fips_enabled(conf=__conf__):
+    return conf.get_switch("OS.FIPSEnabled", False)
 
 def get_openssl_cmd(conf=__conf__):
     return conf.get("OS.OpensslPath", "/usr/bin/openssl")

azurelinuxagent/common/osutil/redhat.py

@@ -103,7 +103,7 @@ def set_hostname(self, hostname):
         Due to a bug in systemd in Centos-7.0, if this call fails, fallback
         to hostname.
         """
-        hostnamectl_cmd = "hostnamectl set-hostname {0}".format(hostname)
+        hostnamectl_cmd = "hostnamectl set-hostname {0} --static".format(hostname)
         if shellutil.run(hostnamectl_cmd, chk_err=False) != 0:
             logger.warn("[{0}] failed, attempting fallback".format(hostnamectl_cmd))
             DefaultOSUtil.set_hostname(self, hostname)

azurelinuxagent/daemon/main.py

@@ -39,6 +39,8 @@
 from azurelinuxagent.pa.provision import get_provision_handler
 from azurelinuxagent.pa.rdma import get_rdma_handler
 
+OPENSSL_FIPS_ENVIRONMENT = "OPENSSL_FIPS"
+
 
 def get_daemon_handler():
     return DaemonHandler()
@@ -61,6 +63,12 @@ def run(self):
 
         self.check_pid()
 
+        # If FIPS is enabled, set the OpenSSL environment variable
+        # Note:
+        # -- Subprocesses inherit the current environment
+        if conf.get_fips_enabled():
+            os.environ[OPENSSL_FIPS_ENVIRONMENT] = '1'
+
         while self.running:
             try:
                 self.daemon()

config/alpine/waagent.conf

@@ -56,6 +56,9 @@ Logs.Verbose=n
 # Preferred network interface to communicate with Azure platform
 Network.Interface=eth0
 
+# Is FIPS enabled
+OS.FIPSEnabled=n
+
 # Root device timeout in seconds.
 OS.RootDeviceScsiTimeout=300
 

config/arch/waagent.conf

@@ -57,6 +57,9 @@ LBProbeResponder=y
 # Enable verbose logging (y|n)
 Logs.Verbose=n
 
+# Is FIPS enabled
+OS.FIPSEnabled=n
+
 # Root device timeout in seconds.
 OS.RootDeviceScsiTimeout=300
 

config/bigip/waagent.conf

@@ -51,6 +51,9 @@ LBProbeResponder=y
 # Enable verbose logging (y|n)
 Logs.Verbose=n
 
+# Is FIPS enabled
+OS.FIPSEnabled=n
+
 # Root device timeout in seconds.
 OS.RootDeviceScsiTimeout=300
 

config/clearlinux/waagent.conf

@@ -56,6 +56,9 @@ ResourceDisk.SwapSizeMB=0
 # Enable verbose logging (y|n)
 Logs.Verbose=n
 
+# Is FIPS enabled
+OS.FIPSEnabled=n
+
 # Root device timeout in seconds.
 OS.RootDeviceScsiTimeout=300
 

config/coreos/waagent.conf

@@ -57,6 +57,9 @@ LBProbeResponder=y
 # Enable verbose logging (y|n)
 Logs.Verbose=n
 
+# Is FIPS enabled
+OS.FIPSEnabled=n
+
 # Root device timeout in seconds.
 OS.RootDeviceScsiTimeout=300
 

config/freebsd/waagent.conf

@@ -51,6 +51,9 @@ ResourceDisk.MountOptions=None
 # Enable verbose logging (y|n)
 Logs.Verbose=n
 
+# Is FIPS enabled
+OS.FIPSEnabled=n
+
 # Root device timeout in seconds.
 OS.RootDeviceScsiTimeout=300
 

config/suse/waagent.conf

@@ -57,6 +57,9 @@ LBProbeResponder=y
 # Enable verbose logging (y|n)
 Logs.Verbose=n
 
+# Is FIPS enabled
+OS.FIPSEnabled=n
+
 # Root device timeout in seconds.
 OS.RootDeviceScsiTimeout=300
 

config/ubuntu/waagent.conf

@@ -57,6 +57,9 @@ LBProbeResponder=y
 # Enable verbose logging (y|n)
 Logs.Verbose=n
 
+# Is FIPS enabled
+OS.FIPSEnabled=n
+
 # Root device timeout in seconds.
 OS.RootDeviceScsiTimeout=300
 

config/waagent.conf

@@ -54,6 +54,9 @@ ResourceDisk.MountOptions=None
 # Enable verbose logging (y|n)
 Logs.Verbose=n
 
+# Is FIPS enabled
+OS.FIPSEnabled=n
+
 # Root device timeout in seconds.
 OS.RootDeviceScsiTimeout=300
 

tests/daemon/test_daemon.py

@@ -14,7 +14,9 @@
 #
 # Requires Python 2.4+ and Openssl 1.0+
 #
-from azurelinuxagent.daemon import get_daemon_handler
+
+from azurelinuxagent.daemon import *
+from azurelinuxagent.daemon.main import OPENSSL_FIPS_ENVIRONMENT
 from tests.tools import *
 
 
@@ -30,8 +32,9 @@ def __call__(self, *args, **kw):
             self.daemon_handler.running = False
         raise Exception("Mock unhandled exception")
 
-@patch("time.sleep")
 class TestDaemon(AgentTestCase):
+
+    @patch("time.sleep")
     def test_daemon_restart(self, mock_sleep):
         #Mock daemon function
         daemon_handler = get_daemon_handler()
@@ -45,6 +48,7 @@ def test_daemon_restart(self, mock_sleep):
         mock_sleep.assert_any_call(15)
         self.assertEquals(2, daemon_handler.daemon.call_count)
 
+    @patch("time.sleep")
     @patch("azurelinuxagent.daemon.main.conf")
     @patch("azurelinuxagent.daemon.main.sys.exit")
     def test_check_pid(self, mock_exit, mock_conf, mock_sleep):
@@ -58,6 +62,25 @@ def test_check_pid(self, mock_exit, mock_conf, mock_sleep):
 
         daemon_handler.check_pid()
         mock_exit.assert_any_call(0)
+
+    @patch("azurelinuxagent.daemon.main.DaemonHandler.check_pid")
+    @patch("azurelinuxagent.common.conf.get_fips_enabled", return_value=True)
+    def test_set_openssl_fips(self, mock_conf, mock_daemon):
+        daemon_handler = get_daemon_handler()
+        daemon_handler.running = False
+        with patch.dict("os.environ"):
+            daemon_handler.run()
+            self.assertTrue(OPENSSL_FIPS_ENVIRONMENT in os.environ)
+            self.assertEqual('1', os.environ[OPENSSL_FIPS_ENVIRONMENT])
+
+    @patch("azurelinuxagent.daemon.main.DaemonHandler.check_pid")
+    @patch("azurelinuxagent.common.conf.get_fips_enabled", return_value=False)
+    def test_does_not_set_openssl_fips(self, mock_conf, mock_daemon):
+        daemon_handler = get_daemon_handler()
+        daemon_handler.running = False
+        with patch.dict("os.environ"):
+            daemon_handler.run()
+            self.assertFalse(OPENSSL_FIPS_ENVIRONMENT in os.environ)
 
 if __name__ == '__main__':
     unittest.main()