moby · nishanttotla · Apr 10, 2018 · Apr 3, 2018 · Mar 7, 2018 · nishanttotla
diff --git a/agent/agent.go b/agent/agent.go
@@ -579,6 +579,7 @@ func (a *Agent) nodeDescriptionWithHostname(ctx context.Context, tlsInfo *api.No
 			desc.Hostname = a.config.Hostname
 		}
 		desc.TLSInfo = tlsInfo
+		desc.FIPS = a.config.FIPS
 	}
 	return desc, err
 }

diff --git a/agent/agent_test.go b/agent/agent_test.go
@@ -232,17 +232,20 @@ func TestHandleSessionMessageNodeChanges(t *testing.T) {
 	require.Empty(t, closedSessions)
 }
 
-// when the node description changes, the session is restarted and propagated up to the dispatcher
+// when the node description changes, the session is restarted and propagated up to the dispatcher.
+// the node description includes the FIPSness of the agent.
 func TestSessionRestartedOnNodeDescriptionChange(t *testing.T) {
 	tlsCh := make(chan events.Event, 1)
 	defer close(tlsCh)
 	tester := agentTestEnv(t, nil, tlsCh)
+	tester.agent.config.FIPS = true // start out with the agent in FIPS-enabled mode
 	defer tester.cleanup()
 	defer tester.StartAgent(t)()
 
 	currSession, closedSessions := tester.dispatcher.GetSessions()
 	require.NotNil(t, currSession)
 	require.NotNil(t, currSession.Description)
+	require.True(t, currSession.Description.FIPS)
 	require.Empty(t, closedSessions)
 
 	tester.executor.UpdateNodeDescription(&api.NodeDescription{
@@ -262,6 +265,7 @@ func TestSessionRestartedOnNodeDescriptionChange(t *testing.T) {
 	require.NotEqual(t, currSession, gotSession)
 	require.NotNil(t, gotSession.Description)
 	require.Equal(t, "testAgent", gotSession.Description.Hostname)
+	require.True(t, gotSession.Description.FIPS)
 	currSession = gotSession
 
 	// If nothing changes, the session is not re-established
@@ -291,6 +295,7 @@ func TestSessionRestartedOnNodeDescriptionChange(t *testing.T) {
 	require.NotNil(t, gotSession.Description)
 	require.Equal(t, "testAgent", gotSession.Description.Hostname)
 	require.Equal(t, newTLSInfo, gotSession.Description.TLSInfo)
+	require.True(t, gotSession.Description.FIPS)
 }
 
 // If the dispatcher returns an error, if it times out, or if it's unreachable, no matter

diff --git a/agent/config.go b/agent/config.go
@@ -47,6 +47,9 @@ type Config struct {
 	// SessionTracker, if provided, will have its SessionClosed and SessionError methods called
 	// when sessions close and error.
 	SessionTracker SessionTracker
+
+	// FIPS returns whether the node is FIPS-enabled
+	FIPS bool
 }
 
 func (c *Config) validate() error {

diff --git a/api/api.pb.txt b/api/api.pb.txt
@@ -2171,6 +2171,16 @@ file {
       }
       json_name: "tlsInfo"
     }
+    field {
+      name: "fips"
+      number: 6
+      label: LABEL_OPTIONAL
+      type: TYPE_BOOL
+      options {
+        65004: "FIPS"
+      }
+      json_name: "fips"
+    }
   }
   message_type {
     name: "NodeTLSInfo"

diff --git a/api/types.pb.go b/api/types.pb.go
diff --git a/api/types.proto b/api/types.proto
@@ -125,6 +125,9 @@ message NodeDescription {
 
 	// Information on the node's TLS setup
 	NodeTLSInfo tls_info = 5 [(gogoproto.customname) = "TLSInfo"];
+
+	// FIPS indicates whether the node has FIPS-enabled
+	bool fips = 6 [(gogoproto.customname) = "FIPS"];
 }
 
 message NodeTLSInfo {

diff --git a/node/node.go b/node/node.go
@@ -123,6 +123,9 @@ type Config struct {
 
 	// PluginGetter provides access to docker's plugin inventory.
 	PluginGetter plugingetter.PluginGetter
+
+	// FIPS is a boolean stating whether the node is FIPS enabled
+	FIPS bool
 }
 
 // Node implements the primary node functionality for a member of a swarm
@@ -609,6 +612,7 @@ waitPeer:
 			CertIssuerPublicKey: issuer.PublicKey,
 			CertIssuerSubject:   issuer.Subject,
 		},
+		FIPS: n.config.FIPS,
 	}
 	// if a join address has been specified, then if the agent fails to connect
 	// due to a TLS error, fail fast - don't keep re-trying to join