......@@ -20,11 +20,13 @@ platforms:
# wheezy chef package is 10.12
driver:
require_chef_omnibus: 12.0.3
provision_command:
- /bin/true
- name: debian-buster
- name: debian-bullseye
- name: ubuntu-18.04
- name: centos-7
driver:
require_chef_omnibus: 12
require_chef_omnibus: 13
provision_command:
- yum install -y rubygems
......@@ -154,6 +154,21 @@ suites:
chef:
server_url:
http://localhost:4000
- name: sys_ferm
run_list:
- recipe[sys::ferm]
attributes:
sys:
ferm:
rules:
ip:
filter:
INPUT:
- 'policy ACCEPT;'
OUTPUT:
- 'policy ACCEPT;'
FORWARD:
- 'policy DROP;'
- name: sys_mail
run_list:
- recipe[sys::mail]
......@@ -166,6 +181,27 @@ suites:
array:
- '| /bin/true'
- /tmp/mail.test
- name: sys_ssh
run_list:
- recipe[sys::ssh]
attributes:
sys:
ssh:
authorize:
root:
keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ7mI0iEdW2GmHZv+0OknkPDkQaBowEDzfaal2A+eRR
config:
root:
'*':
AddKeysToAgent: ask
ssh_config:
- '*.example.org':
SendEnv: TGIF
sshd:
config:
ClientAliveInterval: 4711
X11Forwarding: 'no'
- name: sys_sudo
run_list:
- recipe[sys::sudo]
......
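Review bot: The `ssh-ed25519 AAAAC3…` public key placed under `authorize: root: keys:` in the new sys_ssh suite carries no marker that it is a test fixture, so someone auditing what lands in root's authorized_keys cannot tell it apart from a real operator key. A comment above it such as `# test-fixture public key asserted by the sys::ssh integration spec; not an operator key` would make that explicit and tie it to the spec that checks for it. The sys_ferm fixture similarly sets `INPUT`/`OUTPUT` to `policy ACCEPT;` with only `FORWARD` dropped, which is fine for a kitchen run but deserves a `# permissive test policy` note so it is not copied into a role.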
......@@ -2,7 +2,7 @@
language: ruby
cache: bundler
dist: xenial
dist: bionic
services: docker
......@@ -53,11 +53,11 @@ jobs:
- stage: chefspec
script: bundle exec rake chefspec
env: CHEF_VERSION=13.8
rvm: 2.5
- stage: chefspec
script: bundle exec rake chefspec
env: CHEF_VERSION=14
- stage: chefspec
script: bundle exec rake chefspec
rvm: 2.5
- stage: kitchen
env: KITCHEN_PLATFORM=debian-stretch
script: bundle exec kitchen test $KITCHEN_PLATFORM
......@@ -67,7 +67,9 @@ jobs:
script: bundle exec kitchen test $KITCHEN_PLATFORM
- env: KITCHEN_PLATFORM=debian-wheezy
script: bundle exec kitchen test $KITCHEN_PLATFORM
- env: KITCHEN_PLATFORM=ubuntu-18.04
- env: KITCHEN_PLATFORM=debian-bullseye
script: bundle exec kitchen test $KITCHEN_PLATFORM
- env: KITCHEN_PLATFORM=ubuntu-1804
script: bundle exec kitchen test $KITCHEN_PLATFORM
- env: KITCHEN_PLATFORM=centos-7
script: bundle exec kitchen test $KITCHEN_PLATFORM
......
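Review bot: `KITCHEN_PLATFORM=ubuntu-1804` does not match the platform name `ubuntu-18.04` added to .kitchen.yml in this same change, while every other matrix entry uses the platform name verbatim. Test Kitchen drops dots when it forms instance names, so `kitchen test ubuntu-1804` presumably still selects the right instances, but the asymmetry reads like a typo to anyone maintaining the matrix. Either use `ubuntu-18.04` for consistency (the `.` in the regex matches anyway) or add `# kitchen strips the dot from instance names` beside it.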
......@@ -14,7 +14,8 @@ begin
require 'foodcritic'
FoodCritic::Rake::LintTask.new do |task|
task.options = {
:exclude_paths => ['example_config/**/*']
exclude_paths: ['example_config/**/*'],
fail_tags: %w[!FC091 !FC092]
}
end
rescue LoadError
......
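Review bot: `fail_tags: %w[!FC091 !FC092]` silences two foodcritic rules without saying why. As far as I recall both rules concern the move from definitions to custom resources, and this cookbook still ships definitions (sys_ssh_authorize and sys_ssh_config are touched in this very commit), so a comment such as `# FC091/FC092: definitions are still in use; revisit once they become custom resources` keeps the suppression from being carried forward unexamined. The `begin … rescue LoadError` wrapper starts and ends outside the hunk.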
# Cookbook Name:: sys
# File:: definitions/sys_ssh_authorize.rb
#
# Copyright 2012, Victor Penso
# Copyright 2012-2020 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
#
# Authors:
# Christopher Huhn <c.huhn@gsi.de>
# Dennis Klein <d.klein@gsi.de>
# Matthias Pausch <m.pausch@gsi.de>
# Victor Penso <v.penso@gsi.de>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
......@@ -30,8 +38,8 @@ define :sys_ssh_authorize, :keys => Array.new, :managed => false do
else
if node['etc']['passwd'].has_key?(account)
# path to the user SSH configuration
dot_ssh = "#{node['etc']['passwd'][account].dir}/.ssh"
gid = node['etc']['passwd'][account].gid
dot_ssh = "#{node['etc']['passwd'][account]['dir']}/.ssh"
gid = node['etc']['passwd'][account]['gid']
elsif node['sys']['accounts'].key?(account) &&
node['sys']['accounts'][account].key?('home')
dot_ssh = "#{node['sys']['accounts'][account]['home']}/.ssh"
......
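Review bot: `node['etc']['passwd'].has_key?(account)` and `node['sys']['accounts'].key?(account)` sit three lines apart and spell the same predicate two ways; since the branch is being reworked, `key?` on both would match the style guide and the sibling line. The new `['dir']`/`['gid']` lookups agree with how spec/recipes/ssh_spec.rb in this commit seeds `node.default['etc']['passwd']['jdoe']`, which is good. The `define :sys_ssh_authorize` block begins and ends outside the hunk.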
#
# Copyright 2013, Victor Penso
# Cookbook Name:: sys
# File:: definitions/sys_ssh_config.rb
#
# Copyright 2013-2020 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
#
# Authors:
# Christopher Huhn <c.huhn@gsi.de>
# Dennis Klein <d.klein@gsi.de>
# Matthias Pausch <m.pausch@gsi.de>
# Victor Penso <v.penso@gsi.de>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
......@@ -22,10 +31,10 @@ define :sys_ssh_config, :config => Hash.new do
log("Can't deploy SSH config: configuration for account [#{account}] missing") { level :warn }
else
# path to the user SSH configuration
dot_ssh = "#{node['etc']['passwd'][account].dir}/.ssh"
dot_ssh = "#{node['etc']['passwd'][account]['dir']}/.ssh"
directory dot_ssh do
owner account
group node['etc']['passwd'][account].gid
group node['etc']['passwd'][account]['gid']
mode "0700"
end
# path to the user keys file
......@@ -33,7 +42,7 @@ define :sys_ssh_config, :config => Hash.new do
template ssh_config do
source 'user_ssh_config_generic.erb'
owner account
group node['etc']['passwd'][account].gid
group node['etc']['passwd'][account]['gid']
cookbook 'sys'
mode "0600"
variables(
......
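Review bot: `node['etc']['passwd'][account]['gid']` is now looked up three times inside the same define (the `directory` group in the first hunk and the `template` group in the second), whereas sys_ssh_authorize.rb in this commit caches it once as `gid = node['etc']['passwd'][account]['gid']` next to `dot_ssh`. Hoisting it the same way keeps the two definitions symmetric and leaves a single place to change if the passwd lookup moves again. The `define :sys_ssh_config` block starts and ends outside both hunks.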
name 'sys'
maintainer 'GSI HPC department'
maintainer_email 'hpc@gsi.de'
license 'Apache 2.0'
license 'Apache-2.0'
description 'System Software configuration and maintenance'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
if respond_to?(:source_url)
......
......@@ -48,9 +48,8 @@ unless node['sys']['ferm']['rules'].empty?
end
end
package 'ferm' do
action :upgrade
end
package 'libnet-dns-perl' # required for @resolve in ferm.conf
package 'ferm'
fermserviceaction = :enable
fermaction = :start
......
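Review bot: `package 'libnet-dns-perl' # required for @resolve in ferm.conf` states the dependency but not its consequence: as I understand ferm, `@resolve()` performs DNS lookups when the ruleset is loaded, so the resulting firewall depends on the resolver being reachable and trustworthy at boot and on every reload. Extending the comment to `# required for @resolve in ferm.conf; rules using it are resolved at load time and need working DNS` records that operational caveat next to the package. The enclosing recipe logic starts outside the hunk.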
<%= template_header %>
node_name '<%= node['fqdn'] %>'
chef_server_url '<%= @server_url %>'
client_key "<%= @client_key %>"
<% if @trusted_certs_dir -%>
trusted_certs_dir "<%= @trusted_certs_dir %>"
<% end -%>
<%- if @verify_ssl == 'all' -%>
# Verify all HTTPS connections
ssl_verify_mode :verify_peer
<%- elsif @verify_ssl == 'chef-server' -%>
# Verify only connections to chef-server
verify_api_cert true
<%- end -%>
validation_client_name "<%= @validation_client_name %>"
validation_key "<%= @validation_key %>"
log_level <%= @log_level %>
log_location <%= @use_syslog?'SyslogLogger.new("chef-client")':'STDOUT' %>
file_backup_path "/var/backups/chef"
file_cache_path "/var/cache/chef"
pid_file "/var/run/chef/client.pid"
# configuration for Ohai:
<%- unless @odisable.empty? -%>
<%# Make sure to write symbols into the configuration file %>
<%- plugins = @odisable.map { |p| p.capitalize.to_sym } -%>
Ohai::Config[:disabled_plugins] = <%= plugins %>
<%- end %>
Ohai::Config[:plugin_path] << "<%= @opath %>"
<%= @custom_config %>
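Review bot: `<%= @custom_config %>` is appended verbatim to a file that chef-client evaluates as Ruby, so whatever reaches that variable runs with the client's privileges on every run, and nothing in the template says so or validates it. The same content appears three times on this page, so I take this to be a moved file rather than new logic, but a line such as `<%# @custom_config is raw Ruby appended to client.rb; only trusted attribute sources may feed it %>` above it would document the trust boundary. The same applies to the `ssl_verify_mode`/`verify_api_cert` branch, which leaves verification at chef's default for any `@verify_ssl` value other than `'all'` or `'chef-server'`.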
<%= template_header %>
node_name '<%= node['fqdn'] %>'
chef_server_url '<%= @server_url %>'
client_key "<%= @client_key %>"
<% if @trusted_certs_dir -%>
trusted_certs_dir "<%= @trusted_certs_dir %>"
<% end -%>
<%- if @verify_ssl == 'all' -%>
# Verify all HTTPS connections
ssl_verify_mode :verify_peer
<%- elsif @verify_ssl == 'chef-server' -%>
# Verify only connections to chef-server
verify_api_cert true
<%- end -%>
validation_client_name "<%= @validation_client_name %>"
validation_key "<%= @validation_key %>"
log_level <%= @log_level %>
log_location <%= @use_syslog?'SyslogLogger.new("chef-client")':'STDOUT' %>
file_backup_path "/var/backups/chef"
file_cache_path "/var/cache/chef"
pid_file "/var/run/chef/client.pid"
# configuration for Ohai:
<%- unless @odisable.empty? -%>
<%# Make sure to write symbols into the configuration file %>
<%- plugins = @odisable.map { |p| p.capitalize.to_sym } -%>
Ohai::Config[:disabled_plugins] = <%= plugins %>
<%- end %>
Ohai::Config[:plugin_path] << "<%= @opath %>"
<%= @custom_config %>
<%= template_header %>
node_name '<%= node['fqdn'] %>'
chef_server_url '<%= @server_url %>'
client_key "<%= @client_key %>"
<% if @trusted_certs_dir -%>
trusted_certs_dir "<%= @trusted_certs_dir %>"
<% end -%>
<%- if @verify_ssl == 'all' -%>
# Verify all HTTPS connections
ssl_verify_mode :verify_peer
<%- elsif @verify_ssl == 'chef-server' -%>
# Verify only connections to chef-server
verify_api_cert true
<%- end -%>
validation_client_name "<%= @validation_client_name %>"
validation_key "<%= @validation_key %>"
log_level <%= @log_level %>
log_location <%= @use_syslog?'SyslogLogger.new("chef-client")':'STDOUT' %>
file_backup_path "/var/backups/chef"
file_cache_path "/var/cache/chef"
pid_file "/var/run/chef/client.pid"
# configuration for Ohai:
<%- unless @odisable.empty? -%>
<%# Make sure to write symbols into the configuration file %>
<%- plugins = @odisable.map { |p| p.capitalize.to_sym } -%>
Ohai::Config[:disabled_plugins] = <%= plugins %>
<%- end %>
Ohai::Config[:plugin_path] << "<%= @opath %>"
<%= @custom_config %>
......@@ -2,10 +2,6 @@
<%= template_header %>
#
# Configuration file for ferm(1), created by Chef cookbook sys::ferm
#
<% node['sys']['ferm']['rules'].each do |domain, tables| -%>
domain <%= domain %> {
<% tables.each do |table, chains| -%>
......
source 'http://rubygems.org'
group :jessie do
# net-ssh >= 5 requires ruby 2.2 and
# net-telnet >= 0.2 requires ruby 2.3
if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.2.0')
gem 'net-ssh', '< 5'
gem 'net-telnet', '< 0.2'
end
end
group :wheezy do
# net-ssh >= 5 requires ruby 2.2
if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
gem 'rake', '< 12.3'
end
end
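Review bot: `source 'http://rubygems.org'` fetches the integration-test gems over plain HTTP, so the bundle can be altered in transit; the second Gemfile on this page (starting at L341) has the same line. Both should read `source 'https://rubygems.org'`, which is also the source bundler itself recommends. The `Gem::Version.new(RUBY_VERSION.dup)` guards are fine as written.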
# Cookbook Name:: sys
# Integration tests for recipe sys::ferm
#
# Copyright 2020 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
#
# Authors:
# Christopher Huhn <c.huhn@gsi.de>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require 'spec_helper'
describe package('ferm') do
it { should be_installed }
end
describe service('ferm') do
xit { should be_enabled } # test fails on Stretch
it { should be_running }
end
describe file('/etc/ferm/ferm.conf') do
it { should exist }
end
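Review bot: `xit { should be_enabled } # test fails on Stretch` disables the enabled check on every platform rather than only on Stretch, so the kitchen run would not catch a regression in `fermserviceaction = :enable` (set in recipes/ferm.rb in this commit) on buster or bullseye. Gating on the release keeps the assertion live elsewhere, e.g. `it('is enabled', unless: os[:release].to_s.start_with?('9')) { should be_enabled }` using serverspec's `os` hash. Since the kitchen suite sets `FORWARD: policy DROP;`, the `/etc/ferm/ferm.conf` example could also assert `its(:content) { should match(/policy DROP;/) }` to prove the attributes reached the template rather than only that the file exists.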
require 'serverspec'
set :backend, :exec
source 'http://rubygems.org'
group :jessie do
# net-ssh >= 5 requires ruby 2.2 and
# net-telnet >= 0.2 requires ruby 2.3
if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.2.0')
gem 'net-ssh', '< 5'
gem 'net-telnet', '< 0.2'
end
end
group :wheezy do
# net-ssh >= 5 requires ruby 2.2
if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
gem 'rake', '< 12.3'
end
end
# Cookbook Name:: sys
# Integration tests for recipe sys::ssh
#
# Copyright 2020 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
#
# Authors:
# Christopher Huhn <c.huhn@gsi.de>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
# SSH is dificult to test as it is already configured and running inside vagrant VMs
#
require 'spec_helper'
### node['sys']['sshd']['config']:
describe package('openssh-server') do
it { should be_installed }
end
describe service('ssh') do
it { should be_enabled }
it { should be_running }
end
describe file('/etc/ssh/sshd_config') do
it { should exist }
# picked up default:
its(:content) { should match(/^UsePAM yes$/) }
# overwritten default:
its(:content) { should match(/^X11Forwarding no$/) }
its(:content) { should_not match(/^X11Forwarding yes$/) }
# custom setting:
its(:content) { should match(/^ClientAliveInterval 4711/) }
end
### node['sys']['ssh']['ssh_config']:
describe file('/etc/ssh/ssh_config') do
it { should exist }
its(:content) { should match(/Host \*\.example\.org\n\s+SendEnv TGIF/m) }
end
### node['sys']['ssh']['authorize']
describe user('root') do
it { should exist }
end
describe file('/root/.ssh') do
it { should exist }
it { should be_directory }
it { should be_mode('700') }
end
describe file('/root/.ssh/authorized_keys') do
it { should exist }
its(:content) do
should include 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ7mI0iEdW2GmHZv+0OknkPDkQaBowEDzfaal2A+eRR'
end
end
### node['sys']['ssh']['config']:
describe file('/root/.ssh/config') do
it { should exist }
it { should be_mode('600') }
its(:content) do
should match(/^Host \*\n\s*AddKeysToAgent ask$/m)
end
end
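Review bot: `should match(/^ClientAliveInterval 4711/)` has no end anchor, unlike the sibling `X11Forwarding` matchers, so a rendered `ClientAliveInterval 47110` would still pass; `its(:content) { should match(/^ClientAliveInterval 4711$/) }` pins the value. The header comment misspells "difficult" as "dificult". A short comment on the authorized_keys example, e.g. `# same fixture key as the sys_ssh suite in .kitchen.yml`, would remind whoever rotates it that both places must change together.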
require 'serverspec'
set :backend, :exec
#
# Cookbook Name:: sys
# Tests for custom resource sys_systemd_unit
#
# Copyright 2015 - 2019 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
# Copyright 2015-2020 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
#
# Authors:
# Dennis Klein
# Christopher Huhn
# Christopher Huhn <c.huhn@gsi.de>
# Dennis Klein <d.klein@gsi.de>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
......@@ -22,7 +23,8 @@
require 'spec_helper'
describe 'lwrp: sys_systemd_unit' do
# skip this test on travis as it is very slow and times out with Chef >= 13
describe 'lwrp: sys_systemd_unit', unless: ENV['TRAVIS'] do
before { skip('Testing the sys_systemd_unit LWRP makes Travis jobs timeout on Chef 13') }
......
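Review bot: If `before { skip('Testing the sys_systemd_unit LWRP makes Travis jobs timeout on Chef 13') }` remains alongside the new `describe 'lwrp: sys_systemd_unit', unless: ENV['TRAVIS'] do`, the group is skipped everywhere and the `unless:` metadata is dead; the rendered page does not show which of the two lines is removed, so please confirm only the `describe` form survives. The comment above says the test is slow rather than broken, so keeping it runnable off Travis is presumably the intent.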
......@@ -101,9 +101,9 @@ describe 'sys::mail' do
it "manages #{etc_postfix_virtual}" do
expect(chef_run).to create_template(etc_postfix_virtual).with_mode('0600')
expect(chef_run.template(etc_postfix_virtual))
.to notify("execute[#{update_virtual}]").to(:run).immediately
expect(chef_run.execute(update_virtual)).to do_nothing
expect(chef_run.execute(update_virtual))
.to notify("execute[update-virtual]").to(:run).immediately
expect(chef_run.execute('update-virtual')).to do_nothing
expect(chef_run.execute('update-virtual'))
.to notify("service[#{postfix}]").to(:reload).delayed
end
......
......@@ -8,9 +8,11 @@ describe 'sys::multipath' do
end
context 'with some test attributes' do
before do
chef_run.node.default['sys']['multipath']['defaults']['user_friendly_names'] = 'yes'
chef_run.converge(described_recipe)
cached(:chef_run) do
ChefSpec::SoloRunner.new do |node|
node.default['sys']['multipath']['defaults']['user_friendly_names'] =
'yes'
end.converge(described_recipe)
end
it 'installs multipath-tools' do
......
#
# Cookbook Name:: sys
# Unit tests for recipe sys::ssh
#
# Copyright 2015-2020 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
#
# Authors:
# Christopher Huhn <c.huhn@gsi.de>
# Dennis Klein <d.klein@gsi.de>
# Matthias Pausch <m.pausch@gsi.de>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require 'spec_helper'
describe 'sys::ssh' do
......@@ -15,22 +39,25 @@ describe 'sys::ssh' do
.and_return(0)
allow(File).to receive(:directory?).and_call_original
allow(File).to receive(:directory?).with('/home/jdoe').and_return(true)
end
chef_run.node.default['sys']['sshd']['config'] = {
'variable' => "value",
'X11Forwarding' => "overwritten" }
chef_run.node.default['sys']['ssh']['config'] = { "ssh" => "omg" }
chef_run.node.default['sys']['ssh']['authorize'] = {
'jdoe' => {
keys: [ "BBB" ],
managed: true
cached(:chef_run) do
ChefSpec::SoloRunner.new do |node|
node.default['sys']['sshd']['config'] = {
'variable' => "value",
'X11Forwarding' => "overwritten" }
node.default['sys']['ssh']['config'] = { "ssh" => "omg" }
node.default['sys']['ssh']['authorize'] = {
'jdoe' => {
keys: [ "BBB" ],
managed: true
}
}
}
chef_run.node.default['etc']['passwd']['jdoe']['keys'] = [ "AAA" ]
chef_run.node.default['etc']['passwd']['jdoe']['uid'] = 1000
chef_run.node.default['etc']['passwd']['jdoe']['gid'] = 1000
chef_run.node.default['etc']['passwd']['jdoe']['dir'] = '/home/jdoe'
chef_run.converge(described_recipe)
node.default['etc']['passwd']['jdoe']['keys'] = [ "AAA" ]
node.default['etc']['passwd']['jdoe']['uid'] = 1000
node.default['etc']['passwd']['jdoe']['gid'] = 1000
node.default['etc']['passwd']['jdoe']['dir'] = '/home/jdoe'
end.converge(described_recipe)
end
it 'installs openssh-server' do
......
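Review bot: The attribute hashes inside the new `cached(:chef_run)` block mix quote styles and bracket spacing — `'variable' => "value"`, `{ "ssh" => "omg" }`, `keys: [ "BBB" ]` — and close a multi-line hash on the same line as its last pair (`'X11Forwarding' => "overwritten" }`); RuboCop would flag each, and settling on single quotes and `['BBB']` costs nothing in a rewrite. Separately, with `cached` the converge happens on first reference rather than in `before`, so the `allow(File).to receive(:directory?).with('/home/jdoe')` stub only matters for whichever example triggers it; presumably intended, but a one-line comment on the `before` block would say so. The `describe 'sys::ssh'` group starts before and ends after the hunk.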