
use new docker images

This commit is contained in:
Sebastian Gumprich 2017-01-21 21:21:06 +01:00
parent 6e0fc63602
commit e3073ba0e9
7 changed files with 155 additions and 85 deletions

.gitignore vendored

@ -1,13 +1,3 @@
README.pdf
README.html
shared_test_repo/
test/integration
.kitchen .kitchen
coverage
Vagrantfile.erb
Gemfile.lock
Berksfile.lock
ansible.cfg
hosts hosts
Gemfile.lock

@ -1,18 +1,28 @@
--- ---
driver: driver:
name: vagrant name: vagrant
driver_config:
http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %>
vagrantfiles:
- kitchen_vagrant_block.rb
provisioner: provisioner:
name: ansible_playbook name: ansible_playbook
test_repo_uri: https://github.com/hardening-io/tests-ssh-hardening.git
hosts: all hosts: all
require_ansible_repo: false require_ansible_repo: false
require_ansible_omnibus: true require_ansible_omnibus: true
require_chef_for_busser: false require_chef_for_busser: false
require_ruby_for_busser: false require_ruby_for_busser: false
ansible_verbose: true ansible_verbose: true
roles_path: ../ansible-ssh-hardening/ roles_path: ../ansible-nginx-hardening/
requirements_path: requirements.yml
playbook: default.yml playbook: default.yml
http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %>
transport:
max_ssh_sessions: 5
platforms: platforms:
- name: ubuntu-12.04 - name: ubuntu-12.04
@ -23,6 +33,10 @@ platforms:
driver_config: driver_config:
box: opscode-ubuntu-14.04 box: opscode-ubuntu-14.04
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box
- name: ubuntu-16.04
driver_config:
box: opscode-ubuntu-16.04
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-16.04_chef-provisionerless.box
- name: centos-6.4 - name: centos-6.4
driver_config: driver_config:
box: opscode-centos-6.4 box: opscode-centos-6.4
@ -31,6 +45,12 @@ platforms:
driver_config: driver_config:
box: opscode-centos-6.5 box: opscode-centos-6.5
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box
- name: centos-6.8
driver_config:
box: bento/centos-6.8
- name: centos-7
driver_config:
box: bento/centos-7.2
- name: oracle-6.4 - name: oracle-6.4
driver_config: driver_config:
box: oracle-6.4 box: oracle-6.4
@ -39,10 +59,9 @@ platforms:
driver_config: driver_config:
box: oracle-6.5 box: oracle-6.5
box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
- name: debian-6 - name: oracle-7
driver_config: driver_config:
box: debian-6 box: boxcutter/ol72
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-6.0.10_chef-provisionerless.box
- name: debian-7 - name: debian-7
driver_config: driver_config:
box: debian-7 box: debian-7
@ -56,10 +75,7 @@ verifier:
name: inspec name: inspec
sudo: true sudo: true
inspec_tests: inspec_tests:
- https://github.com/dev-sec/tests-ssh-hardening - https://github.com/dev-sec/nginx-baseline/
suites: suites:
- name: nginx-ansible_1.9 - name: nginx
provisioner:
ansible_version: 1.9.4
- name: nginx-ansible_latest
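Review bot: The Vagrant Cloud boxes introduced under `platforms` (`bento/centos-6.8`, `bento/centos-7.2`, `boxcutter/ol72`) are referenced without a version, so every fresh `kitchen create` pulls whatever the publisher most recently pushed, and a replaced or compromised upstream box lands straight in the test VMs. If the kitchen-vagrant in use supports it, pin each one with `box_version: <release>` beside its `box:` key; the direct `box_url` downloads from S3 are at least fetched over HTTPS, but they carry no checksum either. The same applies to the verifier: `- https://github.com/dev-sec/nginx-baseline/` under `inspec_tests` tracks the profile's default branch, so the controls this role is tested against can change without any change to this repository — a tagged release or commit of the profile would make runs reproducible. The page shows no file header for this hunk; it appears to be `.kitchen.vagrant.yml`, the file `kitchen_vagrant_block.rb` refers to.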

@ -2,6 +2,9 @@
driver: driver:
name: docker name: docker
use_sudo: false use_sudo: false
privileged: true
http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %>
transport: transport:
max_ssh_sessions: 5 max_ssh_sessions: 5
@ -10,51 +13,64 @@ provisioner:
name: ansible_playbook name: ansible_playbook
hosts: all hosts: all
require_ansible_repo: false require_ansible_repo: false
require_ansible_omnibus: true
require_chef_for_busser: false require_chef_for_busser: false
require_ruby_for_busser: false require_ruby_for_busser: false
ansible_verbose: true ansible_verbose: true
ansible_diff: true ansible_diff: true
requirements_path: requirements.yml hosts: all
roles_path: ../ansible-nginx-hardening/ roles_path: ../ansible-nginx-hardening/
http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %>
playbook: default.yml playbook: default.yml
requirements_path: requirements.yml
platforms: platforms:
- name: ubuntu-12.04 - name: centos6-ansible-latest
driver: driver:
image: ubuntu:12.04 image: rndmh3ro/docker-centos6-ansible:latest
- name: ubuntu-14.04 platform: centos
- name: centos7-ansible-latest
driver: driver:
image: ubuntu:14.04 image: rndmh3ro/docker-centos7-ansible:latest
- name: ubuntu-16.04 platform: centos
- name: oracle6-ansible-latest
driver: driver:
image: ubuntu:16.04 image: rndmh3ro/docker-oracle6-ansible:latest
- name: centos-6.7 platform: centos
- name: oracle7-ansible-latest
driver: driver:
image: centos:6.7 image: rndmh3ro/docker-oracle7-ansible:latest
- name: centos-6.8 platform: centos
- name: ubuntu1204-ansible-latest
driver: driver:
image: centos:6.8 image: rndmh3ro/docker-ubuntu1204-ansible:latest
- name: centos-7 platform: ubuntu
- name: ubuntu1404-ansible-latest
driver: driver:
image: centos:7 image: rndmh3ro/docker-ubuntu1404-ansible:latest
privileged: true platform: ubuntu
run_command: /usr/sbin/init - name: ubuntu1604-ansible-latest
- name: debian-7
driver: driver:
image: debian:7 image: rndmh3ro/docker-ubuntu1604-ansible:latest
- name: debian-8 platform: ubuntu
- name: debian7-ansible-latest
driver: driver:
image: debian:8 image: rndmh3ro/docker-debian7-ansible:latest
platform: debian
- name: debian8-ansible-latest
driver:
image: rndmh3ro/docker-debian8-ansible:latest
platform: debian
- name: debian9-ansible-latest
driver:
image: rndmh3ro/docker-debian9-ansible:latest
platform: debian
verifier: verifier:
name: inspec name: inspec
sudo: true sudo: true
inspec_tests: inspec_tests:
- https://github.com/dev-sec/tests-nginx-hardening - https://github.com/dev-sec/nginx-baseline
suites: suites:
- name: nginx-ansible_1.9 - name: nginx
provisioner:
ansible_version: 1.9.4
- name: nginx-ansible_latest
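Review bot: `privileged: true` is now set once at the driver level, so every Docker platform in the matrix runs with full host capabilities and device access, whereas before only `centos-7` (the platform started via `run_command: /usr/sbin/init`) was privileged. Privileged mode is only needed by the systemd-based images; keep the driver default unprivileged and place `privileged: true` under the `driver:` key of just those platforms (`centos7`, `oracle7`, `ubuntu1604`, `debian8`, `debian9`, matching the `--privileged` entries in `.travis.yml`), e.g. `driver:` / `  image: rndmh3ro/docker-centos7-ansible:latest` / `  privileged: true`. Separately, every `image:` points at the mutable `:latest` tag in a personal Docker Hub namespace, so a new push there silently changes what the suite executes inside privileged containers; an immutable tag or an `@sha256:` digest would make the matrix reproducible. Which platforms actually need systemd under kitchen-docker depends on the images' entrypoints, which are not visible here.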

@ -1,23 +1,65 @@
--- ---
notifications: services: docker
webhooks: https://galaxy.ansible.com/api/v1/notifications/
language: python
python: "2.7"
env: env:
- ANSIBLE_VERSION=latest - distro: centos6
- ANSIBLE_VERSION=1.9.4 version: latest
init: /sbin/init
- distro: centos7
init: /usr/lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
version: latest
- distro: oracle6
version: latest
init: /sbin/init
- distro: oracle7
init: /usr/lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
version: latest
- distro: ubuntu1604
version: latest
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: ubuntu1404
version: latest
init: /sbin/init
# - distro: debian7
# version: latest
# init: /sbin/init
- distro: debian8
version: latest
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
init: /sbin/init
- distro: debian9
version: latest
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
before_install: before_install:
- sudo apt-get update -qq # Pull container
- sudo apt-get install -qq python-apt python-pycurl - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
install:
- if [ "$ANSIBLE_VERSION" = "latest" ]; then pip install ansible; else pip install ansible==$ANSIBLE_VERSION; fi
- echo -e 'localhost ansible_connection=local' > spec/inventory
- echo -e '[defaults]\nroles_path = ../\nhostfile = ./spec/inventory' > ansible.cfg
script: script:
- ansible-galaxy install -r requirements.yml - container_id=$(mktemp)
- ansible-playbook --syntax-check spec/travis.yml # Run container in detached state.
- ansible-playbook --sudo -v --diff spec/travis.yml - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-nginx-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
- ansible-playbook --sudo -v --diff spec/travis.yml --extra-vars "nginx_remove_default_site=false"
# Install ansible galaxy requirements
- 'docker exec "$(cat ${container_id})" ansible-galaxy install -r /etc/ansible/roles/ansible-nginx-hardening/requirements.yml -p /etc/ansible/roles/'
# Test role.
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-nginx-hardening/default.yml -vv'
# Verify role
- 'inspec exec https://github.com/dev-sec/nginx-baseline/ -t docker://$(cat ${container_id})'
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/
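Review bot: Every matrix entry in `env` uses `version: latest`, and the `docker run` line in `script` starts that image with `--privileged` on the CI worker, so whoever can push to the `rndmh3ro/docker-*-ansible` Docker Hub repositories controls the code this build executes, and no two builds are guaranteed to test the same base image. Pin `version:` to an immutable tag (or reference the images by `@sha256:` digest in the `docker pull`/`docker run` lines) and bump it deliberately. The verifier line `inspec exec https://github.com/dev-sec/nginx-baseline/` has the same property — it fetches the profile's current default branch on every run; a tag or commit reference would pin it. Note also that the previous configuration's `--syntax-check` pass and the second run with `nginx_remove_default_site=false` have no equivalent in the new `script`, and nothing in this file installs `inspec` — presumably it comes from the Gemfile via Travis's default `bundle install`, which cannot be confirmed from the Gemfile hunks shown.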

Gemfile

@ -2,25 +2,6 @@
source 'https://rubygems.org' source 'https://rubygems.org'
if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.2.2')
gem 'rack', '< 2.0'
gem 'ruby_dep', '< 1.4.0'
gem 'listen', '< 3.0.0'
end
group :test do
gem 'rake'
gem 'foodcritic', '~> 4.0'
gem 'thor-foodcritic'
gem 'coveralls', require: false
end
group :development do
gem 'guard'
gem 'guard-rspec'
gem 'guard-kitchen'
end
group :integration do group :integration do
gem 'test-kitchen', '~> 1.0' gem 'test-kitchen', '~> 1.0'
gem 'kitchen-ansible' gem 'kitchen-ansible'
@ -32,10 +13,6 @@ group :integration do
gem 'kitchen-docker' gem 'kitchen-docker'
end end
group :openstack do
gem 'kitchen-openstack'
end
group :tools do group :tools do
gem 'github_changelog_generator', '~> 1' gem 'github_changelog_generator', '~> 1'
end end

ansible.cfg Normal file

@ -0,0 +1,14 @@
# config file for ansible -- http://ansible.com/
# ==============================================
# nearly all parameters can be overridden in ansible-playbook
# or with command line flags. ansible will read ANSIBLE_CONFIG,
# ansible.cfg in the current working directory, .ansible.cfg in
# the home directory or /etc/ansible/ansible.cfg, whichever it
# finds first
[defaults]
ansible_managed = Ansible managed: {file} modified on %Y-%m-%d by {uid} on {host}
role_path = /vagrant
scp_if_ssh = True
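Review bot: `role_path = /vagrant` under `[defaults]` is not a setting Ansible recognises; the option is `roles_path` (the spelling both `.kitchen*.yml` files use), so this line is silently ignored and role lookup falls back to the defaults — change it to `roles_path = /vagrant` if the intent is to resolve roles from the Vagrant share. The `ansible_managed` value embeds `%Y-%m-%d`, so the banner rendered into every managed template changes once a day; the first run on a new day then reports those templates as changed and fires whatever handlers they notify, which defeats idempotence checks. A static string such as `ansible_managed = Ansible managed: {file} by {uid} on {host}` avoids that.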

kitchen_vagrant_block.rb Normal file

@ -0,0 +1,15 @@
# This is a Vagrant block to allow proxy settings to be carried into Kitchen
# You need this for all of yum/apt etc. to work!
unless ENV['http_proxy'].empty? || Vagrant.has_plugin?("vagrant-proxyconf")
raise "Missing required plugin 'vagrant-proxyconf' to support HTTP(S) proxies, run `vagrant plugin install vagrant-proxyconf`"
end
Vagrant.configure(2) do |config|
config.proxy.http = "#{ENV['http_proxy']}"
config.proxy.https = "#{ENV['https_proxy']}"
config.proxy.no_proxy = "localhost,127.0.0.1"
# You may have vagrant-vbguest plugin installed to keep your images up to date
# - but will probably have VBoxAddition build issues with the foreign boxes listed in .kitchen.vagrant.yml
config.vbguest.auto_update = false
end
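Review bot: `ENV['http_proxy'].empty?` on the first line raises `NoMethodError` when no proxy is configured, because `ENV['http_proxy']` is `nil` rather than `""` in that case — exactly the no-proxy setup the guard is meant to let through. The `Vagrant.configure` block has the mirror problem: `config.proxy.*` is called even when `vagrant-proxyconf` is absent (which the guard permits whenever no proxy is set), and `config.vbguest.auto_update = false` assumes `vagrant-vbguest` is installed although the comment says it only "may" be. Use `ENV.fetch('http_proxy', '')` and gate each plugin's configuration on `Vagrant.has_plugin?`, as below.
```ruby
http_proxy = ENV.fetch('http_proxy', '')

unless http_proxy.empty? || Vagrant.has_plugin?("vagrant-proxyconf")
  raise "Missing required plugin 'vagrant-proxyconf' to support HTTP(S) proxies, run `vagrant plugin install vagrant-proxyconf`"
end

Vagrant.configure(2) do |config|
  # Only touch proxyconf when the plugin is loaded; otherwise config.proxy is undefined.
  if Vagrant.has_plugin?("vagrant-proxyconf")
    config.proxy.http = http_proxy
    config.proxy.https = ENV.fetch('https_proxy', '')
    config.proxy.no_proxy = "localhost,127.0.0.1"
  end

  # vbguest is optional; guard so the Vagrantfile still loads without it.
  config.vbguest.auto_update = false if Vagrant.has_plugin?("vagrant-vbguest")
end
```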