openstack
/
ansible-hardening
Code Issues Proposed changes

Sync test files with the openstack-ansible-tests repository 

This syncs most of the common files with the openstack-tests repository.
This effectively removes the Ubuntu 14.04 support from the Vagrantfile
as well as the RHEL6 STIG V-38496 workaround for it. This also removes
the now unused tests/vagrant.yml file and uses the tests/test.yml like
the upstream OpenStack CI does.

However, it doesn't sync the bindep.txt file since it doesn't quite
match what we have in the openstack-ansible-tests repository so the
shared one needs to be fixed first.

Finally, it adds a new doc/.gitignore file to exclude the generated
documentation file. This is necessary in order for the shared .gitignore
one to be used in the root of the repository.

Change-Id: Ia34979af9029ffb03fb525679356e6d9f3a039a6
This commit is contained in:
Markos Chandras 2017-06-21 09:49:39 +01:00
parent 90b1317a26
commit 1a02653708
5 changed files with 80 additions and 118 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
.gitignore vendored
View File

@ -61,15 +61,11 @@ ChangeLog
releasenotes/build
# Test temp files
tests/plugins
tests/playbooks
tests/test.retry
tests/common
tests/*.retry
# Vagrant artifacts
.vagrant
# Auto-generated documentation
doc/source/auto_*
doc/source/rhel7/auto_*
doc/source/rhel7/domains/auto_*
# Git clones
openstack-ansible-ops

66
Vagrantfile vendored
View File

@ -1,51 +1,35 @@
# Runs the role against Ubuntu 14.04, 16.04 and CentOS 7
# for local testing purposes
# Verify whether required plugins are installed.
required_plugins = [ "vagrant-disksize" ]
required_plugins.each do |plugin|
if not Vagrant.has_plugin?(plugin)
raise "The vagrant plugin #{plugin} is required. Please run `vagrant plugin install #{plugin}`"
end
end
Vagrant.configure("2") do |config|
config.vm.define "ubuntu1404" do |trusty|
trusty.vm.box = "ubuntu/trusty64"
trusty.vm.hostname = "sec-ansible-test-ubuntu1404"
trusty.vm.provision "ansible" do |ansible|
# ansible.verbose = "vvv"
ansible.playbook = "tests/vagrant.yml"
# we'll skip V-38496 because Vagrant itself creates the user that causes
# this to fail
ansible.skip_tags = ['V-38496']
# we need to run as sudo for a lot of the checks ansible-security runs
ansible.raw_arguments = ['-s']
end
Vagrant.configure(2) do |config|
config.vm.provider "virtualbox" do |v|
v.memory = 2048
v.cpus = 2
end
config.vm.define "ubuntu1604" do |trusty|
trusty.vm.box = "ubuntu/xenial64"
trusty.vm.hostname = "sec-ansible-test-ubuntu1604"
config.vm.provision "shell",
privileged: false,
inline: <<-SHELL
cd /vagrant
./run_tests.sh
SHELL
trusty.vm.provision "ansible" do |ansible|
# ansible.verbose = "vvv"
ansible.playbook = "tests/vagrant.yml"
# we'll skip V-38496 because Vagrant itself creates the user that causes
# this to fail
ansible.skip_tags = ['V-38496']
# we need to run as sudo for a lot of the checks ansible-security runs
ansible.raw_arguments = ['-s']
end
config.vm.define "ubuntu1604" do |xenial|
xenial.disksize.size = "40GB"
xenial.vm.box = "ubuntu/xenial64"
end
config.vm.define "opensuse422" do |leap422|
leap422.vm.box = "opensuse/openSUSE-42.2-x86_64"
end
config.vm.define "centos7" do |centos7|
centos7.vm.box = "centos/7"
centos7.vm.hostname = "sec-ansible-test-centos-7"
centos7.vm.provision "ansible" do |ansible|
# ansible.verbose = "vvv"
ansible.playbook = "tests/vagrant.yml"
# we'll skip V-38496 because Vagrant itself creates the user that causes
# this to fail
ansible.skip_tags = ['V-38496']
# we need to run as sudo for a lot of the checks ansible-security runs
ansible.raw_arguments = ['-s']
end
end
end
end

5
doc/.gitignore vendored Normal file
View File

@ -0,0 +1,5 @@
# Auto-generated documentation
source/auto_*
source/rhel7/auto_*
source/rhel7/domains/auto_*

96
run_tests.sh
View File

@ -12,62 +12,58 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Note:
# This file is maintained in the openstack-ansible-tests repository.
# https://git.openstack.org/cgit/openstack/openstack-ansible-tests/tree/run_tests.sh
# If you need to modify this file, update the one in the openstack-ansible-tests
# repository and then update this file as well. The purpose of this file is to
# prepare the host and then execute all the tox tests.
#
set -xeuo pipefail
## Shell Opts ----------------------------------------------------------------
set -xeu
FUNCTIONAL_TEST=${FUNCTIONAL_TEST:-true}
## Vars ----------------------------------------------------------------------
# Install pip.
if ! which pip; then
curl --silent --show-error --retry 5 \
https://bootstrap.pypa.io/get-pip.py | sudo python2.7
fi
export WORKING_DIR=${WORKING_DIR:-$(pwd)}
# Install bindep and tox with pip.
sudo pip install bindep tox
## Main ----------------------------------------------------------------------
## Bindep pre-requisites
# Fedora requires the redhat-lsb-core package.
# CentOS 7 requires two additional packages:
# redhat-lsb-core - for bindep profile support
# epel-release - required to install python-ndg_httpsclient/python2-pyasn1
if [ -e /etc/fedora-release ]; then
sudo dnf -y install redhat-lsb-core
elif [ -e /etc/centos-release ]; then
sudo yum -y install redhat-lsb-core epel-release
fi
source /etc/os-release || source /usr/lib/os-release
# Get a list of packages to install with bindep. If packages need to be
# installed, bindep exits with an exit code of 1.
BINDEP_PKGS=$(bindep -b -f bindep.txt test || true)
echo "Packages to install: ${BINDEP_PKGS}"
install_pkg_deps() {
pkg_deps="git"
# Install a list of OS packages provided by bindep.
if which apt-get; then
sudo apt-get update
DEBIAN_FRONTEND=noninteractive \
sudo apt-get -q --option "Dpkg::Options::=--force-confold" \
--assume-yes install $BINDEP_PKGS
elif [ -e /etc/fedora-release ]; then
if [[ ${#BINDEP_PKGS} > 0 ]]; then
sudo dnf install -y $BINDEP_PKGS
case ${ID,,} in
*suse*) pkg_mgr_cmd="zypper -n in" ;;
centos|rhel) pkg_mgr_cmd="yum install -y" ;;
fedora) pkg_mgr_cmd="dnf -y install" ;;
ubuntu|debian) pkg_mgr_cmd="apt-get install -y" ;;
*) echo "unsupported distribution: ${ID,,}"; exit 1 ;;
esac
eval sudo $pkg_mgr_cmd $pkg_deps
}
git_clone_repo() {
if [[ ! -d tests/common ]]; then
# The tests repo doesn't need a clone, we can just
# symlink it.
if [[ "$(basename ${WORKING_DIR})" == "openstack-ansible-tests" ]]; then
ln -s ${WORKING_DIR} ${WORKING_DIR}/tests/common
else
git clone \
https://git.openstack.org/openstack/openstack-ansible-tests \
tests/common
fi
fi
elif [ -e /etc/centos-release]; then
# Don't run yum with an empty list of packages.
# It will fail and cause the script to exit with an error.
if [[ ${#BINDEP_PKGS} > 0 ]]; then
sudo yum install -y $BINDEP_PKGS
fi
fi
}
install_pkg_deps
git_clone_repo
# start executing the main test script
source tests/common/run_tests_common.sh
# Loop through each tox environment and run tests.
for tox_env in $(awk -F= '/envlist/ { gsub(",", " "); print $2 }' tox.ini); do
echo "Executing tox environment: ${tox_env}"
if [[ ${tox_env} == ansible-functional ]]; then
if ${FUNCTIONAL_TEST}; then
tox -e ${tox_env}
fi
else
tox -e ${tox_env}
fi
done

19
tests/vagrant.yml
View File

@ -1,19 +0,0 @@
---
# Copyright 2016, HPE, VMWare
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Playbook for role testing
hosts: all
roles:
- role: "../../../ansible-hardening"