Change-Id: Ib924de131cca35052b50555c280484ef0161ebaamaster^2
--- | |||||
driver: | |||||
name: openstack | |||||
openstack_username: <%= ENV['OS_USERNAME'] %> | |||||
openstack_api_key: <%= ENV['OS_PASSWORD'] %> | |||||
openstack_auth_url: <%= ENV['OS_AUTH_URL'] %> | |||||
openstack_domain_name: <%= ENV['OS_DOMAIN_NAME'] %> | |||||
openstack_project_name: <%= ENV['OS_PROJECT_NAME'] %> | |||||
openstack_identity_api_version: <%= ENV['OS_IDENTITY_VERSION'] || 3 %> | |||||
availability_zone: <%= ENV['OS_AZ'] || 'nova' %> | |||||
openstack_network_name: <%= ENV['OS_FLOATING_NETWORK_NAME'] || 'public' %> | |||||
security_groups: | |||||
- kitchen | |||||
network_id: <%= ENV['OS_INTERNAL_NETWORK_ID'] || '21790488-0dc2-4864-9016-ae4f09d8a67f' %> | |||||
user_data: user_data.sh | |||||
require_chef_omnibus: false | |||||
floating_ip_pool: <%= ENV['OS_FLOATING_NETWORK_NAME'] || 'public' %> | |||||
image_id: <%= ENV['OS_IMAGE_ID'] || '60878bd4-cb4a-4d71-ae02-2a8ee4476d10' %> | |||||
flavor_id: <%= ENV['OS_FLAVOR_ID'] || 'ac2a36af-f9a0-4af7-8220-e85cff4d2bce' %> | |||||
read_timeout: 180 | |||||
write_timeout: 180 | |||||
connect_timeout: 180 | |||||
transport: | |||||
username: kitchen | |||||
password: kitchen | |||||
connection_timeout: 10 | |||||
connection_retries: 5 | |||||
provisioner: | |||||
name: salt_solo | |||||
salt_install: bootstrap | |||||
salt_bootstrap_url: https://bootstrap.saltstack.com | |||||
salt_version: <%= ENV['SALT_VERSION'] || '2018.3.0' %> | |||||
require_chef: false | |||||
log_level: error | |||||
formula: iptables | |||||
state_top: | |||||
base: | |||||
"*": | |||||
- iptables | |||||
pillars: | |||||
top.sls: | |||||
base: | |||||
"*": | |||||
- iptables | |||||
verifier: | |||||
name: inspec | |||||
sudo: true | |||||
platforms: | |||||
- name: saltstack-ubuntu-<%= ENV['UBUNTU_DISTRO'] || 'xenial' %>-salt-<%= ENV['SALT_VERSION'] || '2018.3.0' %> | |||||
suites: | |||||
- name: iptables | |||||
provisioner: | |||||
pillars-from-files: | |||||
iptables.sls: tests/pillar/iptables.sls |
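Review bot: The transport block hard-codes `username: kitchen` / `password: kitchen` while the driver attaches a floating IP from the `public` pool, so each test instance is reachable over SSH with a password that is published in the repository for as long as it lives. user_data.sh in this change creates that account and gives it passwordless sudo, so the login is effectively root. How exposed that is depends on the rules of the `kitchen` security group, which are not visible on this page. I would move to key-based login: `key_name: <%= ENV['OS_KEY_NAME'] %>` under `driver` and `ssh_key: <%= ENV['OS_SSH_KEY_PATH'] %>` under `transport` (both variable names are placeholders), and drop the `password` line.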
--- | |||||
driver: | |||||
name: docker | |||||
hostname: iptables.ci.local | |||||
use_sudo: false | |||||
provisioner: | |||||
name: salt_solo | |||||
salt_install: bootstrap | |||||
salt_bootstrap_url: https://bootstrap.saltstack.com | |||||
salt_version: latest | |||||
require_chef: false | |||||
log_level: error | |||||
formula: iptables | |||||
grains: | |||||
noservices: True | |||||
state_top: | |||||
base: | |||||
"*": | |||||
- iptables | |||||
pillars: | |||||
top.sls: | |||||
base: | |||||
"*": | |||||
- iptables | |||||
verifier: | |||||
name: inspec | |||||
sudo: true | |||||
platforms: | |||||
- name: <%=ENV['PLATFORM'] || 'saltstack-ubuntu-xenial-salt-stable' %> | |||||
driver_config: | |||||
image: <%=ENV['PLATFORM'] || 'epcim/salt:saltstack-ubuntu-xenial-salt-stable'%> | |||||
platform: ubuntu | |||||
suites: | |||||
- name: iptables | |||||
provisioner: | |||||
pillars-from-files: | |||||
iptables.sls: tests/pillar/iptables.sls |
python: | python: | ||||
- "2.7.13" | - "2.7.13" | ||||
sudo: required | sudo: required | ||||
services: | |||||
- docker | |||||
install: | install: | ||||
- pip install PyYAML | |||||
- pip install virtualenv | |||||
- | | - | | ||||
test -e Gemfile || cat <<EOF > Gemfile | |||||
source 'https://rubygems.org' | |||||
gem 'rake' | |||||
gem 'test-kitchen' | |||||
gem 'kitchen-docker' | |||||
gem 'kitchen-inspec' | |||||
gem 'inspec', '<3.0.0' | |||||
#Version was frozen, because of issues in the version of inspec >3.0.0 -- see https://mirantis.jira.com/browse/PROD-24324 for more info | |||||
gem 'kitchen-salt', :git => 'https://github.com/salt-formulas/kitchen-salt.git' | |||||
- bundle install | |||||
git clone https://gerrit.mcp.mirantis.com/salt-formulas/salt-formulas-scripts | |||||
./salt-formulas-scripts/bootstrap-openstack-kitchen.sh | |||||
env: | env: | ||||
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2016.3 SUITE=iptables | |||||
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2017.7 SUITE=iptables | |||||
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2018.3 SUITE=iptables | |||||
# - PLATFORM=epcim/salt:saltstack-ubuntu-bionic-salt-2017.7 SUITE=iptables | |||||
# - PLATFORM=epcim/salt:saltstack-ubuntu-bionic-salt-2018.3 SUITE=iptables | |||||
- UBUNTU_DISTRO=xenial SALT_VERSION=2018.3 SUITE=iptables | |||||
- UBUNTU_DISTRO=xenial SALT_VERSION=2017.7 SUITE=iptables | |||||
- UBUNTU_DISTRO=bionic SALT_VERSION=2018.3 SUITE=iptables | |||||
- UBUNTU_DISTRO=bionic SALT_VERSION=2017.7 SUITE=iptables | |||||
before_script: | before_script: | ||||
- set -o pipefail | - set -o pipefail | ||||
- make test | tail | - make test | tail | ||||
script: | script: | ||||
- test ! -e .kitchen.yml || bundle exec kitchen converge ${SUITE} || true | |||||
- test ! -e .kitchen.yml || bundle exec kitchen verify ${SUITE} -t tests/integration | |||||
- test ! -e .kitchen.openstack.yml || bundle exec kitchen converge ${SUITE} || true | |||||
- test ! -e .kitchen.openstack.yml || bundle exec kitchen verify ${SUITE} -t tests/integration | |||||
notifications: | notifications: | ||||
on: | on: |
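Review bot: The install block clones salt-formulas-scripts at whatever its default branch currently holds and immediately runs `./salt-formulas-scripts/bootstrap-openstack-kitchen.sh`, with no pinned revision. The openstack kitchen config in this change reads `OS_USERNAME` and `OS_PASSWORD` from the environment, so presumably this job runs with cloud credentials set, and any later change to that repository would execute with them. Pin the checkout to a reviewed commit, e.g. `git -C salt-formulas-scripts checkout <REVIEWED_COMMIT_SHA>` between the clone and the script call. The page does not mark which column is the new side; this note assumes the clone lines are the added ones.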
service: | service: | ||||
v4: | v4: | ||||
enabled: true | enabled: true | ||||
persistent_config: /etc/iptables.v4 | |||||
persistent_config: /etc/iptables/rules.v4 | |||||
modules: | modules: | ||||
- nf_conntrack_ftp | - nf_conntrack_ftp | ||||
- nf_conntrack_pptp | - nf_conntrack_pptp | ||||
v6: | v6: | ||||
enabled: false | enabled: false | ||||
persistent_config: /etc/iptables.v6 | |||||
persistent_config: /etc/iptables/rules.v6 | |||||
modules: | modules: | ||||
- nf_conntrack_ipv6 | - nf_conntrack_ipv6 | ||||
defaults: | defaults: | ||||
comment: "Log my packets" | comment: "Log my packets" | ||||
nat: | nat: | ||||
chains: | chains: | ||||
OUTPUT: | |||||
PREROUTING: | |||||
OUTPUT: {} | |||||
PREROUTING: {} | |||||
POSTROUTING: | POSTROUTING: | ||||
policy: ACCEPT | policy: ACCEPT | ||||
ruleset: | ruleset: |
action: LOG | action: LOG | ||||
nat: | nat: | ||||
chains: | chains: | ||||
OUTPUT: | |||||
PREROUTING: | |||||
OUTPUT: {} | |||||
PREROUTING: {} | |||||
POSTROUTING: | POSTROUTING: | ||||
policy: ACCEPT | policy: ACCEPT | ||||
ruleset: | ruleset: |
#!/bin/bash -xe | |||||
# Speedup reverse hostname lookup | |||||
sed -i "s/127.0.0.1.*/127.0.0.1 localhost $(hostname)/" /etc/hosts | |||||
# Enabling password auth for kitchen user | |||||
sed -i 's/PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config | |||||
# Disable sshd NS lookups | |||||
echo "UseDNS no" >> /etc/ssh/sshd_config | |||||
service ssh restart | |||||
# Create user 'kitchen' with password 'kitchen' | |||||
useradd -m -G adm,sudo -p '$6$DqOdqb/l$hOpDWFPeC8/45Oo8NbqZyqLZxYd.Vtlujf9A4OdwUKgBjRcETuc9Gd2C7OyI99MY2N/pACrbV8WymqV.H1XZ1.' -s /bin/bash kitchen | |||||
# Passwordless sudo for user 'kitchen' | |||||
echo "kitchen ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/99-kitchen | |||||
# Secure kitchen home | |||||
chown kitchen:root /home/kitchen -R | |||||
chmod 0700 /home/kitchen |
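Review bot: The sed on sshd_config switches `PasswordAuthentication yes` on globally, so every account on the image that has a password becomes reachable by password, not only `kitchen`. If password login has to stay for the kitchen transport, leave the global line alone and append a scoped block after the `UseDNS` line: `Match User kitchen` followed by `PasswordAuthentication yes`. The sudoers drop-in is also written with the default umask and never validated; add `chmod 0440 /etc/sudoers.d/99-kitchen` and `visudo -cf /etc/sudoers.d/99-kitchen` after the echo.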