Changeset - 3a02e5b774b2
0 3 0
Branko Majic (branko) - 6 years ago 2020-01-07 22:34:33
branko@majic.rs
MAR-148: Clean up TODO entries in the common role that were left over from bugs in earlier software versions:

- Switch to using the systemd task for reloads.
- Add back validation of pipreqcheck activation script file
permissions.
- Add back validation of missing ntp/ntpdate packages.
3 files changed with 5 insertions and 18 deletions:
roles/common/handlers/main.yml
 
---
 

	
 
- name: Update PAM configuration
 
  command: "/usr/sbin/pam-auth-update --package"
 
  tags:
 
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
 
    #   This task is invoked only if user is very specific about requiring to
 
    #   run the handlers manually as a way to bring the system to consistency
 
    #   after interrupted runs.
 
    - skip_ansible_lint
 

	
 
- name: Restart SSH
 
  service:
 
    name: ssh
 
    state: restarted
 

	
 
- name: Update CA certificate cache
 
  command: "/usr/sbin/update-ca-certificates --fresh"
 
  tags:
 
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
 
    #   This task is invoked only if user is very specific about requiring to
 
    #   run the handlers manually as a way to bring the system to consistency
 
    #   after interrupted runs.
 
    - skip_ansible_lint
 

	
 
- name: Restart ferm
 
  service:
 
    name: ferm
 
    state: restarted
 

	
 
# @TODO: Replace this with use of systemd module once Ansible is upgraded to
 
# version 2.2+.
 
- name: Reload systemd
 
  command: "systemctl daemon-reload"
 
  tags:
 
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
 
    #   This task is invoked only if user is very specific about requiring to
 
    #   run the handlers manually as a way to bring the system to consistency
 
    #   after interrupted runs.
 
    - skip_ansible_lint
 
  systemd:
 
    daemon_reload: true
 

	
 
- name: Restart NTP server
 
  service:
 
    name: ntp
 
    state: restarted
 
  when: ntp_servers | length > 0
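Review bot: The new `systemd:` / `daemon_reload: true` form of the `Reload systemd` handler raises the role's minimum Ansible version: the TODO it replaces said the `systemd` module needs Ansible 2.2+, and an older controller will now abort the play with an unknown-module error instead of running `systemctl daemon-reload`. If the role declares `min_ansible_version` in its meta (not visible here) it should be bumped to match, and the requirement is worth a line in the role README. While in this file, the `Restart SSH` handler is the point where an unparsable sshd_config locks you out of the host; the task that templates that config (outside this file) should carry `validate: '/usr/sbin/sshd -t -f %s'` so the handler is never notified for a broken config.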
roles/common/molecule/default/tests/test_default.py
 
@@ -205,99 +205,97 @@ def test_check_certificate_script(host):
 
    check_certificate = host.file('/usr/local/bin/check_certificate.sh')
 

	
 
    assert check_certificate.is_file
 
    assert check_certificate.user == 'root'
 
    assert check_certificate.group == 'root'
 
    assert check_certificate.mode == 0o755
 

	
 

	
 
def test_check_certificate_directory(host):
 

	
 
    check_certificate_dir = host.file('/etc/check_certificate')
 

	
 
    assert check_certificate_dir.is_directory
 
    assert check_certificate_dir.user == 'root'
 
    assert check_certificate_dir.group == 'root'
 
    assert check_certificate_dir.mode == 0o755
 

	
 

	
 
def test_check_certificate_crontab(host):
 
    """
 
    Tests deployment of cron job for checking certificates.
 
    """
 

	
 
    check_certificate_crontab = host.file('/etc/cron.d/check_certificate')
 

	
 
    assert check_certificate_crontab.is_file
 
    assert check_certificate_crontab.user == 'root'
 
    assert check_certificate_crontab.group == 'root'
 
    assert check_certificate_crontab.mode == 0o644
 
    assert "0 0 * * * nobody /usr/local/bin/check_certificate.sh -q expiration" in check_certificate_crontab.content
 

	
 

	
 
@pytest.mark.parametrize('virtualenv_activate_path', [
 
    '/var/lib/pipreqcheck/virtualenv/bin/activate',
 
    '/var/lib/pipreqcheck/virtualenv-py3/bin/activate',
 
])
 
def test_pipreqcheck_virtualenv(host, virtualenv_activate_path):
 
    """
 
    Tests creation of Python virtual environment used for performing pip
 
    requirements upgrade checks.
 
    """
 

	
 
    with host.sudo():
 
        virtualenv_activate = host.file(virtualenv_activate_path)
 

	
 
        assert virtualenv_activate.is_file
 
        assert virtualenv_activate.user == 'pipreqcheck'
 
        assert virtualenv_activate.group == 'pipreqcheck'
 
        # @TODO: Possibly due to some timing issues, this file might
 
        # sometimes end-up being 0640, sometimes 0644.
 
        # assert virtualenv_activate.mode == 0o644
 
        assert virtualenv_activate.mode == 0o644
 

	
 

	
 
@pytest.mark.parametrize('config_dir', [
 
    '/etc/pip_check_requirements_upgrades',
 
    '/etc/pip_check_requirements_upgrades-py3',
 
])
 
def test_pipreqcheck_directories(host, config_dir):
 
    """
 
    Tests creation of directories used for storing configuration used by script
 
    that performs pip requirements upgrade checks.
 
    """
 

	
 
    with host.sudo():
 
        pipreqcheck_config_directory = host.file(config_dir)
 
        assert pipreqcheck_config_directory.is_directory
 
        assert pipreqcheck_config_directory.user == 'root'
 
        assert pipreqcheck_config_directory.group == 'pipreqcheck'
 
        assert pipreqcheck_config_directory.mode == 0o750
 

	
 
        pipreqcheck_config_directory_pipreqcheck = host.file(os.path.join(config_dir, 'pipreqcheck'))
 
        assert pipreqcheck_config_directory_pipreqcheck.is_directory
 
        assert pipreqcheck_config_directory_pipreqcheck.user == 'root'
 
        assert pipreqcheck_config_directory_pipreqcheck.group == 'pipreqcheck'
 
        assert pipreqcheck_config_directory_pipreqcheck.mode == 0o750
 

	
 

	
 
@pytest.mark.parametrize('requirements_in_path, requirements_txt_path', [
 
    ('/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.in',
 
     '/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt'),
 
    ('/etc/pip_check_requirements_upgrades-py3/pipreqcheck/requirements.in',
 
     '/etc/pip_check_requirements_upgrades-py3/pipreqcheck/requirements.txt'),
 
])
 
def test_pipreqcheck_requirements(host, requirements_in_path, requirements_txt_path):
 
    """
 
    Tests deployment of requirements input and text file used for virtual
 
    environment utilised by script that perform pip requirements upgrade checks.
 
    """
 

	
 
    with host.sudo():
 
        requirements_in = host.file(requirements_in_path)
 
        assert requirements_in.is_file
 
        assert requirements_in.user == 'root'
 
        assert requirements_in.group == 'pipreqcheck'
 
        assert requirements_in.mode == 0o640
 

	
 
        requirements_txt = host.file(requirements_txt_path)
 
        requirements_txt.is_file
 
        assert requirements_txt.user == 'root'
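Review bot: `requirements_txt.is_file` near the end of `test_pipreqcheck_requirements` is a bare expression, so the existence of requirements.txt is never actually checked; it should read `assert requirements_txt.is_file`, matching the `requirements_in` block just above it (the function's remaining assertions continue outside the hunk). On the changed line in `test_pipreqcheck_virtualenv`, the removed TODO recorded that the activate script's mode was seen as either 0640 or 0644, and the commit restores the strict `== 0o644` assertion without saying what fixed that; a short comment such as `# Restored in MAR-148; earlier builds saw 0640/0644 nondeterministically` would help whoever next sees a flake. If the root cause is not actually known, the property this test needs for security is that the script is owned by pipreqcheck and not group/world-writable, which `assert not virtualenv_activate.mode & 0o022` pins without depending on the umask race.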
roles/common/molecule/default/tests/test_parameters_mandatory.py
 
@@ -88,62 +88,58 @@ def test_ferm_base_rules(host):
 

	
 
        assert iptables.rc == 0
 
        assert "-A flood -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 " \
 
            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in iptables.stdout
 
        assert "-A flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 " \
 
            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in iptables.stdout
 

	
 
        ip6tables = host.command('ip6tables-save')
 
        assert ip6tables.rc == 0
 
        assert "-A flood -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 " \
 
            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in iptables.stdout
 
        assert "-A flood -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 " \
 
            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in ip6tables.stdout
 

	
 

	
 
def test_pipreqcheck_virtualenv_user(host):
 
    """
 
    Tests if user/group for running the pip requirements upgrade checks have
 
    been created correctly.
 
    """
 

	
 
    group = host.group('pipreqcheck')
 
    assert group.exists
 
    assert group.gid == 1001
 

	
 
    user = host.user('pipreqcheck')
 
    assert user.exists
 
    assert user.home == '/var/lib/pipreqcheck'
 
    assert user.uid == 1001
 
    assert user.group == 'pipreqcheck'
 
    assert user.groups == ['pipreqcheck']
 

	
 

	
 
def test_backup_configuration_absent(host):
 
    """
 
    Tests if backup configuration is absent. This should be the case when only
 
    mandatory parameters are provided.
 
    """
 

	
 
    with host.sudo():
 
        assert not host.file('/etc/duply/main/patterns/common').exists
 

	
 

	
 
def test_ntp_software_not_installed(host):
 
    """
 
    Tests if NTP packages are absent.
 
    """
 

	
 
    # @TODO: This throws an exception. It seems version of Testinfra
 
    # used cannot properly check for absence of package.
 
    # assert not host.package('ntp').is_installed
 
    # assert not host.package('ntpdate').is_installed
 

	
 
    pass
 
    assert not host.package('ntp').is_installed
 
    assert not host.package('ntpdate').is_installed
 

	
 

	
 
def test_ntp_listening_interfaces(host):
 
    """
 
    Tests if NTP server is not listening.
 
    """
 

	
 
    assert not host.socket('udp://:::123').is_listening
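Review bot: In `test_ferm_base_rules` (its body begins outside the hunk) the first assertion after `ip6tables = host.command('ip6tables-save')` checks `iptables.stdout` rather than `ip6tables.stdout`, and the rule it looks for is the IPv4 `-p icmp -m icmp --icmp-type 8` one, so it merely repeats the IPv4 check made two lines earlier and verifies nothing about the IPv6 ruleset; either drop it or point it at the IPv6 output if such a rule is meant to exist there. Both the ICMP and the TCP SYN rate-limit rules are asserted with `--hashlimit-name icmp`; if the ferm template really names the SYN bucket `icmp`, echo requests and SYNs from one source share a single 3/sec counter, which is worth confirming is intended rather than a copy-paste in the template. The restored package assertions in `test_ntp_software_not_installed` look fine, but the companion `test_ntp_listening_interfaces` only probes `udp://:::123`, so an IPv4-only listener on 0.0.0.0:123 would likely pass; adding `assert not host.socket('udp://0.0.0.0:123').is_listening` closes that gap.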