Add SP6 LTSS, remove SP3 LTSS

Author: dirkmueller

.github/workflows/ci.yaml

@@ -130,21 +130,12 @@ jobs:
           - "16.0"
           - "tumbleweed"
         include:
-          - toxenv: fips
-            testing_target: ibs-released
-            os_version: 15.3
           - toxenv: fips
             testing_target: ibs-released
             os_version: 15.4
           - toxenv: repository
             testing_target: ibs-released
             os_version: 15.5
-          - toxenv: all
-            testing_target: ibs-released
-            os_version: 15.3
-          - toxenv: base
-            testing_target: ibs-released
-            os_version: 15.3
           - toxenv: all
             testing_target: ibs-released
             os_version: 15.4
@@ -163,6 +154,15 @@ jobs:
           - toxenv: metadata
             testing_target: ibs-released
             os_version: 15.5
+          - toxenv: all
+            testing_target: ibs-released
+            os_version: 15.6
+          - toxenv: base
+            testing_target: ibs-released
+            os_version: 15.6
+          - toxenv: metadata
+            testing_target: ibs-released
+            os_version: 15.6
           - toxenv: spr
             testing_target: ibs-released
             os_version: 15.7-spr
@@ -173,35 +173,25 @@ jobs:
             testing_target: ibs-released
             os_version: 15.7-spr
           - toxenv: all
-            os_version: 15.6
+            os_version: 15.4
           - toxenv: base
-            os_version: 15.6
+            os_version: 15.4
           - toxenv: metadata
-            os_version: 15.6
-          - toxenv: node
-            os_version: 15.6
-          - toxenv: python
-            os_version: 15.6
-          - toxenv: kernel_module
-            os_version: 15.6
-          - toxenv: repository
-            os_version: 15.6
-          - toxenv: fips
-            os_version: 15.6
-          - toxenv: mariadb
-            os_version: 15.6
+            os_version: 15.4
           - toxenv: all
-            os_version: 15.3
+            os_version: 15.5
           - toxenv: base
-            os_version: 15.3
+            os_version: 15.5
           - toxenv: metadata
-            os_version: 15.3
+            os_version: 15.5
           - toxenv: all
-            os_version: 15.4
+            os_version: 15.6
           - toxenv: base
-            os_version: 15.4
+            os_version: 15.6
           - toxenv: metadata
-            os_version: 15.4
+            os_version: 15.6
+          - toxenv: fips
+            os_version: 15.6
           - toxenv: all
             os_version: "16.0"
           - toxenv: base

bci_tester/data.py

@@ -37,7 +37,6 @@
 
 # Allowed os versions for base (non lang/non-app) containers
 ALLOWED_BASE_OS_VERSIONS = (
-    "15.3",
     "15.4",
     "15.5",
     "15.6",
@@ -78,7 +77,6 @@
 
 # List the released versions of SLE, used for supportabilty and EULA tests
 RELEASED_SLE_VERSIONS = (
-    "15.3",
     "15.4",
     "15.5",
     "15.6",
@@ -89,7 +87,7 @@
 )
 
 # List the LTSS versions of SLE
-RELEASED_LTSS_VERSIONS = ("15.3", "15.4", "15.5")
+RELEASED_LTSS_VERSIONS = ("15.4", "15.5", "15.6")
 
 
 #: directory of the SCC credentials stored by zypper
@@ -225,8 +223,8 @@ def create_container_version_mark(
     Args:
 
     available_versions: iterable of versions for which this container is
-        available. Each version must be in the form ``15.4`` for SLE 15 SP4,
-        ``15.3`` for SLE 15 SP3 and so on
+        available. Each version must be in the form ``15.4`` for SLE 15 SP4
+        and so on
     """
     for ver in available_versions:
         if ver.startswith("15") and ver[:2] == str(OS_MAJOR_VERSION):
@@ -502,15 +500,15 @@ def create_BCI(
                 extra_marks=[pytest.mark.__getattr__(f"bci-base_{sp}-ltss")],
                 bci_type=ImageType.OS_LTSS,
             )
-            for sp in ("15.3", "15.4", "15.5", "15.6")
+            for sp in ("15.4", "15.5", "15.6")
         )
         LTSS_BASE_FIPS_CONTAINERS.extend(
             create_BCI(
                 build_tag=f"{APP_CONTAINER_PREFIX}/ltss/sle{sp}/bci-base-fips:{OS_CONTAINER_TAG}",
                 available_versions=[sp],
                 bci_type=ImageType.OS_LTSS,
             )
-            for sp in ("15.3", "15.4")
+            for sp in ("15.4", "15.6")
         )
 
 MINIMAL_CONTAINER = create_BCI(

bci_tester/fips.py

@@ -16,7 +16,7 @@
 )
 
 # OpenSSL 3.x in Tumbleweed dropped those as they're beyond deprecated
-if OS_VERSION in ("15.3", "15.4", "15.5"):
+if OS_VERSION in ("15.4", "15.5"):
     NONFIPS_DIGESTS += ("md4", "mdc2")
 
 #: FIPS compliant openssl digests
@@ -98,6 +98,7 @@
     "stribog256",
     "stribog512",
     "md5",
+    "sm3",
 )
 
 #: FIPS compliant gcrypt digests
@@ -110,16 +111,10 @@
     "sha3-256",
     "sha3-384",
     "sha3-512",
+    "sha512_224",
+    "sha512_256",
 )
 
-if OS_VERSION != "15.3":
-    FIPS_GCRYPT_DIGESTS += (
-        "sha512_224",
-        "sha512_256",
-    )
-    NONFIPS_GCRYPT_DIGESTS += ("sm3",)
-
-
 # sha1 is non-FIPS in 15.6
 if OS_VERSION == "15.6":
     NONFIPS_GCRYPT_DIGESTS += ("sha1",)

pre-commit-full.sh

@@ -2,7 +2,7 @@
 
 tox -e format -- --check
 
-for OS_VERSION in "15.3" "15.4" "15.5" "15.6" "15.6-spr" "15.7" "15.7-spr" "16.0" "tumbleweed"; do
+for OS_VERSION in "15.4" "15.5" "15.6" "15.6-spr" "15.7" "15.7-spr" "16.0" "tumbleweed"; do
     export OS_VERSION
     tox -e check_marks
 done

tests/test_all.py

@@ -121,7 +121,7 @@ def test_os_release(auto_container):
 
 
 @pytest.mark.skipif(
-    OS_VERSION in ("15.3", "15.4", "15.5"),
+    OS_VERSION in ("15.4", "15.5"),
     reason="branding packages are known to not be installed",
 )
 @pytest.mark.parametrize(
@@ -165,7 +165,7 @@ def test_product(auto_container):
 
 
 @pytest.mark.skipif(
-    OS_VERSION in ("15.3", "15.4", "15.5", "15.6", "tumbleweed"),
+    OS_VERSION in ("15.4", "15.5", "15.6", "tumbleweed"),
     reason="suse trademark only available in certain SLE versions",
 )
 def test_suse_trademark(auto_container):
@@ -487,7 +487,7 @@ def test_systemd_not_installed_in_all_containers_except_init(container):
 
 
 @pytest.mark.skipif(
-    OS_VERSION in ("15.3", "15.4", "15.5", "15.6-spr", "15.7-spr"),
+    OS_VERSION in ("15.4", "15.5", "15.6-spr", "15.7-spr"),
     reason="doesn't have the fixes for blkid/udev",
 )
 @pytest.mark.parametrize(

tests/test_base.py

@@ -88,7 +88,7 @@ def test_iconv_working(auto_container):
 
 
 @pytest.mark.skipif(
-    OS_VERSION in ("15.3", "15.4", "15.5"),
+    OS_VERSION in ("15.4", "15.5"),
     reason="unfixed in LTSS codestreams",
 )
 def test_group_nobody_working(auto_container):
@@ -129,7 +129,7 @@ def test_base_size(container: ContainerData, container_runtime):
         # SP4+ is a lot larger as it pulls in python3 and
         # the FIPS crypto policy scripts
         base_container_max_size: Dict[str, int] = {
-            "x86_64": 130 if OS_VERSION in ("15.3",) else 169,
+            "x86_64": 169,
         }
         if TARGET in ("dso",):
             # the dso container is larger than the bci-base-fips container
@@ -205,7 +205,7 @@ def test_gost_digest_disable(auto_container):
     """Checks that the gost message digest is not known to openssl."""
     openssl_error_message = (
         "Invalid command 'gost'"
-        if OS_VERSION not in ("15.3", "15.4", "15.5")
+        if OS_VERSION not in ("15.4", "15.5")
         else "gost is not a known digest"
     )
     assert (
@@ -266,13 +266,13 @@ def test_all_openssl_hashes_known(auto_container):
     expected_digest_list = ALL_DIGESTS
 
     # openssl-3 reduces the listed digests in FIPS mode, openssl 1.x does not
-    if OS_VERSION not in ("15.3", "15.4", "15.5"):
+    if OS_VERSION not in ("15.4", "15.5"):
         if host_fips_enabled() or target_fips_enforced() or fips_mode:
             expected_digest_list = FIPS_DIGESTS
 
     # gost is not supported to generate digests, but it appears in:
     # openssl list --digest-commands
-    if OS_VERSION in ("15.3", "15.4", "15.5"):
+    if OS_VERSION in ("15.4", "15.5"):
         expected_digest_list += ("gost",)
 
     assert set(hashes) == set(expected_digest_list), (

tests/test_fips.py

@@ -99,7 +99,7 @@ def digest_xoflen(digest: str) -> str:
     for variable-length hash functions."""
     param: str = ""
 
-    if OS_VERSION in ("15.3", "15.4", "15.5"):
+    if OS_VERSION in ("15.4", "15.5"):
         return param
 
     if digest in ("shake128",):
@@ -213,9 +213,6 @@ def run_digest_tests(command_prefix: str):
         run_digest_tests("openssl-1_1")
 
 
-@pytest.mark.skipif(
-    OS_VERSION in ("15.3",), reason="FIPS 140-3 not supported on 15.3"
-)
 def fips_mode_setup_check(container_per_test: ContainerData) -> None:
     """If the host is running in FIPS mode, then `fips-mode-setup --check` should
     exit with `0`.
@@ -311,12 +308,7 @@ def test_gcrypt_binary(container_per_test: ContainerData) -> None:
         r"fips-mode:y::Libgcrypt version [\d\.\-]+:",
         c.check_output("gpgconf --show-versions"),
     )
-    if not fips_ver_match:
-        if OS_VERSION == "15.3":
-            pytest.xfail(
-                reason="https://bugzilla.suse.com/show_bug.cgi?id=1234366"
-            )
-        assert fips_ver_match, "FIPS mode not detected by gpgconf"
+    assert fips_ver_match, "FIPS mode not detected by gpgconf"
 
     expected_fips_gcrypt_digests = {
         "sha1": "c87d25a09584c040f3bfc53b570199591deb10ba648a6a6ffffdaa0badb23b8baf90b6168dd16b3a",
@@ -352,7 +344,7 @@ def test_gcrypt_binary(container_per_test: ContainerData) -> None:
         if non_fips_call.rc == 0 or any(
             msg in non_fips_call.stderr for msg in expected_msg
         ):
-            if OS_VERSION in ("15.3", "15.4", "15.5"):
+            if OS_VERSION in ("15.4", "15.5"):
                 pytest.xfail(
                     reason="bsc#1229856 - libgcrypt computes hashes of non-FIPS digests",
                 )
@@ -375,9 +367,6 @@ def test_gpgconf_binary(container_per_test: ContainerData) -> None:
 @pytest.mark.skipif(
     LOCALHOST.system_info.arch != "s390x", reason="libica is s390x specific"
 )
-@pytest.mark.skipif(
-    OS_VERSION in ("15.3",), reason="FIPS 140-3 not supported on 15.3"
-)
 @pytest.mark.parametrize(
     "container_per_test", FIPS_TESTER_IMAGES, indirect=True
 )

tests/test_multistage.py

@@ -112,13 +112,13 @@
 
 OPENJDK_DEVEL_CONTAINER = (
     OPENJDK_DEVEL_11_CONTAINER
-    if OS_VERSION in ("15.3", "15.4", "15.5")
+    if OS_VERSION in ("15.4", "15.5")
     else OPENJDK_DEVEL_21_CONTAINER
 )
 
 OPENJDK_CONTAINER = (
     OPENJDK_11_CONTAINER
-    if OS_VERSION in ("15.3", "15.4", "15.5")
+    if OS_VERSION in ("15.4", "15.5")
     else OPENJDK_21_CONTAINER
 )
 

tests/test_openjdk_devel.py

@@ -84,7 +84,7 @@ def test_maven_present(auto_container):
 
 
 @pytest.mark.skipif(
-    OS_VERSION not in ("15.3", "15.4", "15.5", "15.6"),
+    OS_VERSION not in ("15.4", "15.5", "15.6"),
     reason="jshell is no longer the CMD as of SP7",
 )
 @pytest.mark.parametrize(

tests/test_php.py

@@ -271,7 +271,7 @@ def get_env_var(env_var: str) -> str:
             f"{apache_confdir}/httpd.conf"
         ).is_file
 
-        if OS_VERSION in ("15.3", "15.4", "15.5"):
+        if OS_VERSION in ("15.4", "15.5"):
             apache_envvars = get_env_var("APACHE_ENVVARS")
             assert container_per_test.connection.file(apache_envvars).is_file
             assert container_per_test.connection.run_expect(