Merge branch 'molecule-tests'

Naturally it's not complete yet, but it's a start. Relates to #17
pyllyukko · Dec 21, 2024 · c7c8616 · c7c8616
2 parents a01df7f + da6f441
commit c7c8616
Show file tree

Hide file tree

Showing 14 changed files with 274 additions and 11 deletions.
diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
@@ -0,0 +1,17 @@
+name: molecule
+on: [push, pull_request]
+
+env:
+  ANSIBLE_FORCE_COLOR: '1'
+
+jobs:
+  molecule-slackware:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Install dependencies
+        run: |
+          pip install --user molecule[docker] molecule-plugins[docker]
+      - name: Run Molecule
+        run: molecule test
diff --git a/converge.yml b/converge.yml
@@ -0,0 +1,55 @@
+- name: Fail if molecule group is missing
+  hosts: localhost
+  tasks:
+    - name: Print some info
+      ansible.builtin.debug:
+        msg: "{{ groups }}"
+
+    - name: Assert group existence
+      ansible.builtin.assert:
+        that: "'molecule' in groups"
+        fail_msg: |
+          molecule group was not found inside inventory groups: {{ groups }}
+
+- name: Converge
+  hosts: molecule
+  vars_files:
+    - vars.yml
+  gather_facts: true
+  tasks:
+    - name: Check uname
+      ansible.builtin.raw: uname -a
+      register: result
+      changed_when: false
+
+    - name: Print some info
+      ansible.builtin.assert:
+        that: result.stdout | regex_search("^Linux")
+
+    # TODO: We are not testing everything here, but it's a start
+    - name: Banners
+      ansible.builtin.import_tasks: tasks/banners.yml
+    - name: PAM
+      ansible.builtin.import_tasks: tasks/pam.yml
+    - name: Services
+      ansible.builtin.import_tasks: tasks/services.yml
+    - name: login_defs
+      ansible.builtin.import_tasks: tasks/login_defs.yml
+    - name: Permissions
+      ansible.builtin.import_tasks: tasks/filesystem.yml
+    - name: CA certificates
+      ansible.builtin.import_tasks: tasks/ca-certs.yml
+    - name: Misc
+      ansible.builtin.import_tasks: tasks/misc.yml
+    - name: Cgroup
+      ansible.builtin.import_tasks: tasks/cgroup.yml
+    - name: Display manager
+      ansible.builtin.import_tasks: tasks/display_managers.yml
+    - name: Kernel
+      ansible.builtin.import_tasks: tasks/kernel.yml
+    - name: Logging
+      ansible.builtin.import_tasks: tasks/logging.yml
+
+  handlers:
+    - name: Handlers
+      ansible.builtin.import_tasks: tasks/handlers.yml
diff --git a/molecule/default/create.yml b/molecule/default/create.yml
@@ -0,0 +1,79 @@
+- name: Create
+  hosts: localhost
+  gather_facts: false
+  vars:
+    molecule_inventory:
+      all:
+        hosts: {}
+        molecule: {}
+  tasks:
+    - name: Create a container
+      community.docker.docker_container:
+        name: "{{ item.name }}"
+        image: "{{ item.image }}"
+        state: started
+        command: sleep 1d
+        log_driver: json-file
+      register: result
+      loop: "{{ molecule_yml.platforms }}"
+
+    - name: Print some info
+      ansible.builtin.debug:
+        msg: "{{ result.results }}"
+
+    - name: Fail if container is not running
+      when: >
+        item.container.State.ExitCode != 0 or
+        not item.container.State.Running
+      ansible.builtin.include_tasks:
+        file: tasks/create-fail.yml
+      loop: "{{ result.results }}"
+      loop_control:
+        label: "{{ item.container.Name }}"
+
+    - name: Add container to molecule_inventory
+      vars:
+        inventory_partial_yaml: |
+          all:
+            children:
+              molecule:
+                hosts:
+                  "{{ item.name }}":
+                    ansible_connection: community.docker.docker
+      ansible.builtin.set_fact:
+        molecule_inventory: >
+          {{ molecule_inventory | combine(inventory_partial_yaml | from_yaml, recursive=true) }}
+      loop: "{{ molecule_yml.platforms }}"
+      loop_control:
+        label: "{{ item.name }}"
+
+    - name: Dump molecule_inventory
+      ansible.builtin.copy:
+        content: |
+          {{ molecule_inventory | to_yaml }}
+        dest: "{{ molecule_ephemeral_directory }}/inventory/molecule_inventory.yml"
+        mode: "0600"
+
+    - name: Force inventory refresh
+      ansible.builtin.meta: refresh_inventory
+
+    - name: Fail if molecule group is missing
+      ansible.builtin.assert:
+        that: "'molecule' in groups"
+        fail_msg: |
+          molecule group was not found inside inventory groups: {{ groups }}
+      run_once: true # noqa: run-once[task]
+
+# we want to avoid errors like "Failed to create temporary directory"
+- name: Validate that inventory was refreshed
+  hosts: molecule
+  gather_facts: false
+  tasks:
+    - name: Check uname
+      ansible.builtin.raw: uname -a
+      register: result
+      changed_when: false
+
+    - name: Display uname info
+      ansible.builtin.debug:
+        msg: "{{ result.stdout }}"
diff --git a/molecule/default/destroy.yml b/molecule/default/destroy.yml
@@ -0,0 +1,19 @@
+- name: Destroy molecule containers
+  hosts: molecule
+  gather_facts: false
+  tasks:
+    - name: Stop and remove container
+      delegate_to: localhost
+      community.docker.docker_container:
+        name: "{{ inventory_hostname }}"
+        state: absent
+        auto_remove: true
+
+- name: Remove dynamic molecule inventory
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Remove dynamic inventory file
+      ansible.builtin.file:
+        path: "{{ molecule_ephemeral_directory }}/inventory/molecule_inventory.yml"
+        state: absent
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -0,0 +1,12 @@
+dependency:
+  name: galaxy
+  options:
+    requirements-file: requirements.yml
+platforms:
+  - name: molecule-slackware
+    image: pyllyukko/slackware
+provisioner:
+  name: ansible
+  # This playbook needs to reside in the project root directory so that the all the files and templates are found properly
+  playbooks:
+    converge: ../../converge.yml
diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml
@@ -0,0 +1,5 @@
+collections:
+  - name: community.docker
+    version: ">=3.10.4"
+  - name: community.general
+  - name: ansible.posix
diff --git a/tasks/display_managers.yml b/tasks/display_managers.yml
@@ -86,6 +86,10 @@
         content: |
           user-db:user
           system-db:local
+      register: result
+      failed_when:
+        - result.failed
+        - result.msg != "Destination directory /etc/dconf/profile does not exist"
     # CIS Debian Linux 11 Benchmark v1.0.0 - 09-22-2022
     #   1.8.6 Ensure GDM automatic mounting of removable media is disabled
     # https://access.redhat.com/solutions/20107

diff --git a/tasks/filesystem.yml b/tasks/filesystem.yml
@@ -28,6 +28,10 @@
           sed -i 's:^\(\s\+mount -n devtmpfs /dev -t devtmpfs -o size=[0-9]\+M\)$:\1,noexec,nosuid:' "${SOURCE_TREE}/init"
           sed -i '/^mount -n tmpfs \/run -t tmpfs -o mode=0755,size=[0-9]\+M,nodev,nosuid,noexec$/amount --make-shared /run' "${SOURCE_TREE}/init"
       tags: configuration
+      register: result
+      failed_when:
+        - result.failed
+        - result.msg != "Path /sbin/mkinitrd does not exist !"
 #- name: Remount /proc with hidepid=2
 #  become: true
 #  mount:
@@ -38,9 +42,18 @@
 #    fstype: proc
 
 # fstab
+- name: Stat /etc/fstab.new
+  tags:
+    - fstab
+    - check
+  ansible.builtin.stat:
+    path: /etc/fstab.new
+  register: stat_result
 - name: Create /etc/fstab.new
   tags: fstab
   become: true
+  # For idempotence
+  when: not stat_result.stat.exists
   block:
     - name: Create temp file for fstab.awk
       ansible.builtin.tempfile:
@@ -123,10 +136,16 @@
       block:
         - name: Ping
           block:
+            - name: Install libcap package (Slackware)
+              community.general.slackpkg:
+                name: libcap
+                state: present
+              tags: packages
             - name: Set CAP_NET_RAW capability to /bin/ping
               community.general.capabilities:
                 path: /bin/ping
-                capability: cap_net_raw+ep
+                # See https://github.com/ansible-collections/community.general/issues/4067
+                capability: cap_net_raw=ep
                 state: present
             - name: Remove SUID bit from /bin/ping
               tags: suid
@@ -358,6 +377,11 @@
         owner: root
         group: root
       tags: permissions
+      register: result
+      # Might not exist in Docker containers etc.
+      failed_when:
+        - result.failed
+        - result.msg != "file (/etc/modprobe.d) is absent, cannot continue"
     # Slackware Linux Benchmark v1.1 - 4.1 Network Parameter Modifications, 4.2 Additional Network Parameter Modifications & SN.8 Additional Kernel Tunings
     - name: chmod sysctl configurations
       ansible.builtin.file:

diff --git a/tasks/handlers.yml b/tasks/handlers.yml
@@ -6,7 +6,8 @@
   tags:
     - configuration
     - pki
-  changed_when: true
+  register: result
+  changed_when: '"0 added, 0 removed; done." not in result.stdout'
 # This will usually return 255 with "sysctl: cannot stat /proc/.+: No such file or directory"
 - name: Load sysctl settings
   become: true
@@ -17,6 +18,8 @@
     - result.failed
     - result.rc != 255
     - "'sysctl: cannot stat' not in result.stderr"
+    # Might be a container that doesn't have procps-ng
+    - "'No such file or directory' not in result.msg"
   changed_when: true
 - name: Create rkhunter.dat
   ansible.builtin.command: /usr/bin/rkhunter --propupd
@@ -96,6 +99,13 @@
   register: result
   failed_when:
     - result.failed
-    - '"dconf: not found" not in result.stderr'
+    - '"dconf: command not found" not in result.stderr'
   # dconf seems to always update the db files
   changed_when: true
+# For installation of logrotate package
+# If/when "permissions" is applied before "logging"
+- name: chmod /etc/cron.daily
+  become: true
+  ansible.builtin.file:
+    path: /etc/cron.daily
+    mode: g-rwx,o-rwx
diff --git a/tasks/kernel.yml b/tasks/kernel.yml
@@ -1,4 +1,11 @@
 ---
+- name: mkdir /etc/sysctl.d
+  ansible.builtin.file:
+    path: /etc/sysctl.d
+    state: directory
+    owner: root
+    group: root
+    mode: '0750'
 - name: Create harden.conf sysctl settings file
   become: true
   ansible.builtin.copy:

diff --git a/tasks/logging.yml b/tasks/logging.yml
@@ -1,4 +1,15 @@
 ---
+# For tests that might not have this installed
+- name: Install logrotate package (Slackware)
+  when: ansible_distribution == "Slackware"
+  become: true
+  community.general.slackpkg:
+    name: logrotate
+    state: present
+  tags:
+    - packages
+    - slackware
+  notify: chmod /etc/cron.daily
 - name: Configure generic log retention period to {{ log_retention_time_in_months }} months
   become: true
   ansible.builtin.replace:

diff --git a/tasks/login_defs-slackware.yml b/tasks/login_defs-slackware.yml
@@ -92,13 +92,15 @@
   when: ansible_distribution == "Slackware"
   become: true
   block:
+    # http://ftp.slackware.com/pub/slackware/slackware64-15.0/source/a/etc/group.new
+    # Didn't want to use replace here, as this is herecy.
+    # But this was the only way I could make this idempotent.
     - name: Remove all members from certain groups (Slackware)
-      ansible.builtin.command: gpasswd -M "" {{ item }}
-      register: result
-      changed_when: true
-      failed_when:
-        - result.failed == true
-        - '"is not a member of" not in result.stderr'
+      ansible.builtin.replace:
+        path: /etc/group
+        regexp: '^({{ item }}:x:[0-9]+:).*$'
+        replace: '\g<1>'
+        validate: '/bin/grep "^{{ item }}:x:[0-9]\+:$" %s'
       tags: accounts
       with_items:
         - root
@@ -128,10 +130,24 @@
         - wheel
         - audio
 
-- name: Fix gshadow (Slackware)
+- name: Check if gshadow needs fixing (Slackware)
   when: ansible_distribution == "Slackware"
   become: true
+  ansible.builtin.command: grpck -r
+  tags: check
+  changed_when: false
+  failed_when: false
+  register: grpck
+- name: Fix gshadow (Slackware)
+  when:
+    - ansible_distribution == "Slackware"
+    - '"no matching group file entry in /etc/gshadow" in grpck.stdout'
+  become: true
+  # yes might return 141
   ansible.builtin.shell: set -o pipefail; yes | grpck
   register: result
   changed_when:
     - result.rc != 0
+  failed_when:
+    - result.failed == true
+    - '"grpck: the files have been updated" not in result.stdout'
diff --git a/tasks/login_defs.yml b/tasks/login_defs.yml
@@ -51,6 +51,7 @@
   tags:
     - configuration
     - passwords
+# Required at least for getent
 - name: Install glibc package (Slackware)
   when: ansible_distribution == "Slackware"
   become: true
@@ -152,8 +153,9 @@
 # CIS Debian Linux 10 Benchmark v1.0.0 - 6.2.17 Ensure no duplicate GIDs exist
 - name: Verify integrity of group files
   become: true
-  ansible.builtin.command: grpck -r # noqa no-changed-when
+  ansible.builtin.command: grpck -r
   tags: check
+  changed_when: false
 
 - name: Remove pi from adm group (Raspberry Pi OS)
   when: ansible_distribution == "Debian"