With tox release of 4.0, some parameters were deprecated and are ignored now
which causes tox failures. One of the most spread issues we have is using
`whitelist_externals` instead of `allowlist_externals`
Change-Id: I7807b7d29f4504404253f5c42b624639c8b19c97
The docs job is failing in https://review.opendev.org/671840 and thus
nothing is synced in from openstack-ansible-tests. The failure is due to
the removal of entries from doc/requirements.txt. Add those
to test-requirements.txt instead.
Change-Id: I21bcbde8acc8d4fd83b28026bcec33f388e69912
This repo is now testing only with Python 3, so let's make
a few cleanups:
- Remove python 2.7 stanza from setup.py
- Remove obsolete sections from setup.cfg
- Update requirements, no need for python_version anymore
- Use newer openstackdocstheme and Sphinx versions
- Cleanup */source/conf.py to remove now obsolete content.
- Remove install_command from tox.ini, the default is fine
Change-Id: Ic96b71596d4523e55fa4b451c99a8521dd581e4d
This patch adds a `pdf-docs` tox target that will build
PDF versions of our docs. As per the Train community goal:
https://governance.openstack.org/tc/goals/selected/train/pdf-doc-generation.html
Add sphinxcontrib-svg2pdfconverter to doc/requirements.txt
to convert our SVGs.
Change-Id: I04319a1195873d63bfc45ffb0f5c7c89fb797652
Story: 2006105
We want to default to running all tox environments under python 3, so
set the basepython value in each environment.
We do not want to specify a minor version number, because we do not
want to have to update the file every time we upgrade python.
We do not want to set the override once in testenv, because that
breaks the more specific versions used in default environments like
py35 and py36.
Change-Id: If229d848b92ed10ea4b788598c575c5b9f693c90
Closes-Bug: #1801657
We want to default to running all tox environments under python 3, so
set the basepython value in each environment.
We do not want to specify a minor version number, because we do not
want to have to update the file every time we upgrade python.
We do not want to set the override once in testenv, because that
breaks the more specific versions used in default environments like
py35 and py36.
Change-Id: I75820c3160ffa9cbe048650ba30aa44281a7c9a1
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
Using tox for requirements management requires in-repo
requirements files for all our repositories. Rather than
do that, we make use of the tests repo to capture our
common requirements and use this to install them.
This reduces our review requirement rate and simplifies
maintenance for us for the tox config. It also makes it
usable with 'Depends-On', which is marvellous!
The tox requirements definitions for docs/releasenotes
builds are left in-place as those are standard entries
across the community. If that changes at some point, we
can re-assess those entries too.
Depends-On: https://review.openstack.org/579208
Change-Id: Ibaf4aeeb60b0ceca8352cef87bf7c38529ca0fd2
Now that run_tests.sh handles the tests repo clone, we can
remove the use of the older tests-repo-clone.sh script.
Change-Id: I839a959565585af033188ef13087d52dc320bc1f
In order to allow the use of the environment variable which informs
Ansible which user executed the playbook, we pass the USER env var
into the environment that tox builds.
Change-Id: Ia4e760454d216b8d2f54fc6fc11d7455f148427c
Implements: blueprint python-build-install-simplification
Signed-off-by: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
This patch begins the teardown of the RHEL 6 STIG content from the
ansible-hardening repository. It will still be maintained in
Pike and earlier branches.
This patch also updates the ansible-hardening documentation for the
Queens release and notes that Pike is the latest stable version.
Closes-Bug: 1715745
Change-Id: Iaae52c97a35d82dd807ef78a1a6593ce3aa33540
Currently the role tests use whatever versions of pip,
setuptools and wheel are already installed on the host.
When a version of these tools changes it often causes
problems for our testing.
This will ensure that we use a known good set of pins
which is maintained in the general SHA bumping process.
Change-Id: Ib19dcb75e8f924ae294299242a7f51efe6df6126
This patch gets rid of the old "special notes" section that was a
dead-end in the documentation and replaces it with a brief header
followed by a dynamically-generated list of tag-specific
documentation. All of this sits underneath the "Hardening Domains"
section.
It also splits the "Deviations" documentation into its own section
because it's quite important for a deployer to review.
The patch also includes a link to video/slides from the Boston
Summit, which provided the latest updates for the project and some
background on how everything fits together.
Change-Id: I1a5e78733c301335fe1bcfcee36cc146d690b841
When executing the tests repo clone in OpenStack-CI,
use zuul-cloner instead of git to enable cross-repo
testing. This ensures that if a dependent patch from
the tests repo is noted using 'Depends-On: <change-id>'
in the commit message, that patch will be included.
Depends-On: Idce7abebf32f24c356a27e099fbca954d917402b
Depends-On: I5da7802d61d2ab6b03908138e3a3ed2db22e3d29
Change-Id: I4da173e3c41e70ff48b3c88c430a6a65eded295a
This commit removes the verbose options from the gate job and disables
clamav installation in the CI jobs. The clamav package is only available
in the EPEL repository, but the EPEL repo has been removed from
the CentOS images in the OpenStack gate. This will need to be handled
carefully in a later patch.
It also removes an apostrophe from `tasks/main.yml` that breaks syntax
highlighting in vim.
Change-Id: Ifbfc56ed5fe92887cf5beb6b2703fdc3e1c8bb05
This patch removes the `func_rhel7` environment and brings over the
verbose options from the tests role.
Change-Id: I44c2e089ff6175b3004ef7f6713622ac615bf6db
When the role was switched to use RHEL 7 STIG content as the default,
the RHEL 6 STIG content was no longer being gated. This patch adds a
new test environment, `func_rhel6` and replaces the `func_rhel7`
environment with testing of the RHEL 6 STIG content. This is only
temporary and the `func_rhel7` environment should be removed as soon
as upstream gating is updated to use the new `func_rhel6` environment.
Change-Id: I9f91dac8ecadd3b791954f18e0607403ff147876
This patch enables the RHEL 7 STIG content tasks as the default.
Documentation has also been updated to reflect the change and provide
more concise information about what is available with each release.
The OpenStack-Ansible repo is still set to use the RHEL 6 STIG until
some issues with individual roles are resolved.
Implements: blueprint security-rhel7-stig
Change-Id: Ic72d97b87c0fb16646e5a31030404e1a9ad6a469
This patch enables chrony and performs basic configuration to meet the
STIG requirements.
These tasks can't be enabled in OpenStack CI due to conflicts with existing
NTP daemons in the CI image.
Documentation is included.
Implements: blueprint security-rhel7-stig
Change-Id: If6736c0f4a16de1ba41a4cfa00f5f72f8baf0054
Instead of breaking up package installations and removals into separate
tasks, this patch moves them all under one task that does two execution
steps.
In addition, the security_enable_chrony variable was added to control the
installation and configuration of chrony. The tox tests for the role were
configured to skip chrony in the gate using a skipped tag, but this caused
the package install/removal task to get skipped.
Docs/release notes are included for the chrony change.
Change-Id: I1def033953b50be3911cd932fd17b10dd2c658b7
With the implementation of https://review.openstack.org/388087 all
tox targets may now use upper constraints.
Change-Id: I08cb68bf8eb8ec734894dc85314ed5fbda6a78e3
The func_rhel7 gate is not running the RHEL7 STIG tests due
to an issue in the tests repository (see Depends-On below) and due
to some errant quotes in the tox.ini.
Depends-On: I0ec6eb0692e67ebdfdf81b3cbfa89e8c51d88d10
Change-Id: Ife5591ea98fae9e502a9f230ab13a73c11fe78a3
This patch consumes the centralised Ansible test scripts
implemented in https://review.openstack.org/381853
Depends-On: I5c1f2f0949d6b7ad7bfc4151257b081728ba956f
Depends-On: Ie379de765c6ebba958ce8e7f9dc27b7a3af74ff8
Change-Id: Ib7fe11b666322b11b1e30dea775304fd5d236f2f
With https://review.openstack.org/381479 merged, setting this
variable in tox.ini via an extra var is unnecessary.
Change-Id: I48fbeb9cdaa2c70269be2f07008ee4ffd2f04396
This patch adds the initial scaffolding for the RHEL 7 STIG content
and provides a pathway for adding gate jobs that test the tasks for
the new content.
Implements: blueprint security-rhel7-stig
Change-Id: I4cc9468977fc6c14f4ca792a8964fa7a60a4e831
The OpenStack CI runs ntpd in the gate images and this causes chrony
to fail on startup. This patch skips V-38620 so that chrony won't
cause gate failures.
Closes-Bug: 1629936
Change-Id: I0c67241c0725621715877e728a6c6c17d771a596
This patch consumes the test scripts implemented by
https://review.openstack.org/375061 to ensure that
the tests and test preparation are consistent and
more maintainable.
Change-Id: I2c26eb12711128082a7136ab962f8239b59124b4
With the upcoming changes to rebase onto the RHEL 7 STIG controls,
there needs to be a new solution for documentation that is easier
to manage and filter. This patch automates the generation of the STIG
control documentation in the following way:
* A Sphinx extension runs early in the doc build process that writes
all of the individual STIG control docs as well as ToC pages.
* ToC pages are now sorted by severity, tag, and implementation status.
* A giant listing of controls is easier to navigate now.
* Docs are generated from metadata in the /doc/metadata directory. New
documentation only needs to be added there. (Will explain this in
the developer notes in a subsequent patch.)
Implements: blueprint security-rhel7-stig
Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
To avoid executing an alias and therefore get the default behavior
from gzip, executing gzip with command is better than using which.
Change-Id: I376af163a0b7c7aec3ba5d323d3f9c4128b55735
OpenStack-CI facilitates the ability to view compressed
files on the log server if they have the suffix .txt.gz.
This patch ensures that all collected log files are renamed
to have a .txt suffix before compressing them.
The following changes are also made:
- The bindep file is also cleaned up a little to reduce
unnecessary duplication.
- PYTHONUNBUFFERED is set to ensure that the console log
from the CI jobs is in the exact order of execution.
Change-Id: I89f5734275dc2789f44b5bd9c0b45dc34c4a7a50
This change enables log collection within the gate so that further
analysis on gate tasks can be performed post build. This is very
useful when debugging problems and also for investigating the
consequences of patches once they've been tested.
Related-Bug: #1620849
Change-Id: I2bb923ebcd73114c1199b14f9b769435596091eb
This change enables log collection within the gate so that further analysis
on gate tasks can be performed post build. This is very useful when
debugging problems.
Change-Id: I41e70d0f6a0e5fed78e0a5462ee4d1730c94ec21
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This patch bumps the openstack-ansible-security role to use Ansible
2.1 and adds the python-apt package which is now required for
Ansible's check mode on Ubuntu.
Change-Id: I4899e426a7bb5623837704b49920847c1308af53
As per [1] all linting tests can now use upper-constraints. This patch
removes all instances of the install_command override relating to lint
testing which were needed to negate the use of upper-constraints.
[1] http://lists.openstack.org/pipermail/openstack-dev/2016-August/101474.html
Change-Id: I016b1c1f77a7cc9b2020d8455208a977cb80ffc6
The CI gate job images have SNMPv1/2 configurations applied and
they are in the process of being removed. This patch should get
the openstack-ansible-security gate jobs unblocked by skipping
V-38660 temporarily.
When https://review.openstack.org/#/c/354819/ merges and new
images are deployed, this task won't need to be skipped.
Change-Id: I2bad2ce8bb5ba73356d224ce1093bc4f19fe75b9
This patch displays the idempotency check output so that issues
can be found more easily when the check fails.
Change-Id: I302d6ba581da6fc454d0fa27002e2b7d74881c82
The plugin repo needs to be cloned for ansible-lint to
understand ansible plugins. The commands currently
reside in tox.ini under the ansible section and are not
currently included. This commit fixes that error.
Change-Id: I499f5807afcf3c8e94d571eb7975d7f198b72538
The 'docs' tox target executes the doc8 lint test which may result in
failures when testing documentation builds, but OpenStack-CI does not
execute that tox target.
In order to ensure that we catch all standard documentation syntax
errors and prevent them from merging, this patch includes the docs
target in the 'linters' chain of tests.
Fixes for any failures which result from executing this test are also
included in the patch.
Change-Id: I80c2ce387e59a30c34bf2252a54037c00b420380
This patch adds idempotency checking for the security role. It
ensures that no changes are made when the security role runs
multiple times against the same system.
Change-Id: Ia5df45ddc64b1af5149df64f3483f472b06d73f7
The check/audit mode test in tox.ini was removed in
If42e739002e36669044a9396e233dbd382add4c8 with the tox.ini cleanup.
This patch adds it back into tox.ini so that it runs prior to the
functional tests.
Change-Id: I1842c8170ec532baf713ab789ffe389369c5e48e
With the implementation of https://review.openstack.org/321331 the
human_log callback plugin is now part of the plugins repo.
This patch removes the retrofitted version in tox in favor of using
the version from the plugins repo instead.
Change-Id: Ic8c204a8bb61a041bd361dff5ec3a24bc376685a