diff --git a/tmt/steps/__init__.py b/tmt/steps/__init__.py
index 3394829755..b7c08a0c42 100644
--- a/tmt/steps/__init__.py
+++ b/tmt/steps/__init__.py
@@ -112,6 +112,11 @@ PHASE_ORDER_PREPARE_INSTALL_RECOMMENDS = 75
 #: Verification of package source repositories after installation.
 PHASE_ORDER_PREPARE_VERIFY_INSTALLATION = 79
 
+#: Enabling FIPS mode.
+#:
+#: To prevent issues with installation of packages signed by non-FIPS-compliant algorithms
+#: FIPS should be enabled after package installation in 'try'
+TRY_PHASE_ORDER_PREPARE_FEATURE_FIPS = PHASE_ORDER_PREPARE_INSTALL_RECOMMENDS + 10
 
 # Supported steps and actions
 StepName = Literal['discover', 'provision', 'prepare', 'execute', 'report', 'finish', 'cleanup']
diff --git a/tmt/steps/prepare/feature/fips.py b/tmt/steps/prepare/feature/fips.py
index fcfff26375..c55a5a4771 100644
--- a/tmt/steps/prepare/feature/fips.py
+++ b/tmt/steps/prepare/feature/fips.py
@@ -25,6 +25,29 @@ class FipsStepData(PrepareFeatureData):
 
 @provides_feature('fips')
 class Fips(ToggleableFeature):
+ """
+ Enable FIPS mode on the guest.
+
+ Enable FIPS mode on RHEL 7, 8, 9 and 10 and CentOS Stream
+ 8, 9 and 10 systems.
+
+ .. code-block:: yaml
+
+ prepare:
+ how: feature
+ fips: enabled
+
+ .. code-block:: shell
+
+ prepare --how feature --fips enabled
+
+ .. note::
+
+ In order to prevent issues with installation of packages signed by
+ non-FIPS-compliant algorithms we recommend enabling FIPS mode after
+ package installation prepare steps. Use ``order:`` to enforce that.
+ """
+
 _data_class = FipsStepData
 
 PLAYBOOKS = {'fips-enable.yaml'}
diff --git a/tmt/trying.py b/tmt/trying.py
index e7e979821a..7eeef6c4ab 100644
--- a/tmt/trying.py
+++ b/tmt/trying.py
@@ -786,6 +786,7 @@ def handle_fips(self, plan: Plan) -> None:
 data = prepare_data_class(
 name="tmt-try-fips",
 how='feature',
+ order=tmt.steps.TRY_PHASE_ORDER_PREPARE_FEATURE_FIPS,
 fips="enabled", # type: ignore[reportCallIssue,call-arg,unused-ignore]
 )
 
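Review bot: In tmt/steps/__init__.py the new `TRY_PHASE_ORDER_PREPARE_FEATURE_FIPS` is derived from `PHASE_ORDER_PREPARE_INSTALL_RECOMMENDS`, although the last installation-related phase visible in this hunk is `PHASE_ORDER_PREPARE_VERIFY_INSTALLATION = 79`. The guarantee that FIPS is enabled only after installation and its verification therefore holds only by arithmetic (85 > 79). Deriving it from the later constant, `TRY_PHASE_ORDER_PREPARE_FEATURE_FIPS = PHASE_ORDER_PREPARE_VERIFY_INSTALLATION + 6`, keeps the value at 85 and preserves the ordering if the verification phase is ever moved. The comment could state the relation as well: `#: Must stay above PHASE_ORDER_PREPARE_VERIFY_INSTALLATION so installation and its verification finish before FIPS mode is enabled.`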
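Review bot: The YAML and shell examples in the new `Fips` docstring (tmt/steps/prepare/feature/fips.py) omit `order:`, while the note directly below recommends it. A plan copied from the example would presumably run the phase at its default position, which may be before later package installation. Consider showing the key in the YAML example and adding a sentence that separates the two cases, e.g. ``Under ``tmt try`` the phase is ordered after package installation automatically; in regular plans set ``order:`` yourself.`` The class body continues outside the hunk.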
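Review bot: In `handle_fips` (tmt/trying.py) the fixed `order=` only sequences the FIPS phase against phases with a lower order. A prepare phase from the user's plan that installs packages with an `order` above this value would presumably still run with FIPS already enabled. A short comment at the call would record both the intent and that limit, e.g. `# Ordered after tmt's own install phases; plan phases with a higher order still run under FIPS.` The rest of `handle_fips` lies outside the hunk, so whether `tmt.steps` is already imported in this module cannot be confirmed from here.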