From 6a491d63f0500459859c87674f72b937ff424c42 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com>
Date: Mon, 9 Aug 2021 10:05:17 +0100
Subject: [PATCH] Add separate scenario for Archlinux with custom Dockerfile
---
 molecule/archlinux/Dockerfile.j2 | 7 ++++
 molecule/archlinux/converge.yml | 9 ++++
 molecule/archlinux/molecule.yml | 19 +++++++++
 molecule/archlinux/verify.yml | 72 ++++++++++++++++++++++++++++++++
 molecule/default/molecule.yml | 9 ----
 5 files changed, 107 insertions(+), 9 deletions(-)
 create mode 100644 molecule/archlinux/Dockerfile.j2
 create mode 100644 molecule/archlinux/converge.yml
 create mode 100644 molecule/archlinux/molecule.yml
 create mode 100644 molecule/archlinux/verify.yml
diff --git a/molecule/archlinux/Dockerfile.j2 b/molecule/archlinux/Dockerfile.j2
new file mode 100644
index 0000000..4c583c0
--- /dev/null
+++ b/molecule/archlinux/Dockerfile.j2
@@ -0,0 +1,7 @@
+FROM archlinux:latest
+ENV container=docker
+
+RUN pacman -Sy --noconfirm python
+
+VOLUME ["/sys/fs/cgroup", "/tmp", "/run"]
+CMD ["/usr/sbin/init"]
\ No newline at end of file
diff --git a/molecule/archlinux/converge.yml b/molecule/archlinux/converge.yml
new file mode 100644
index 0000000..40473ca
--- /dev/null
+++ b/molecule/archlinux/converge.yml
@@ -0,0 +1,9 @@
+---
+- name: Converge
+ hosts: all
+ gather_facts: yes
+ roles:
+ - role: ipr-cnrs.nftables
+ nft_debug: true
+ # can't remove iptables on an instance with docker
+ nft_old_pkg_manage: false
\ No newline at end of file
diff --git a/molecule/archlinux/molecule.yml b/molecule/archlinux/molecule.yml
new file mode 100644
index 0000000..893931b
--- /dev/null
+++ b/molecule/archlinux/molecule.yml
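Review bot: `RUN pacman -Sy --noconfirm python` refreshes the package database and then installs against the image's older package set, which is the partial-upgrade situation Arch documents as unsupported; a freshly synced python can end up linked against a newer glibc or openssl than the base layer ships, and the scenario then fails for reasons unrelated to the role. Use `RUN pacman -Syu --noconfirm python && rm -rf /var/cache/pacman/pkg/*` so the install is a full sync and the downloaded packages do not stay in the layer. `FROM archlinux:latest` also hardcodes the base rather than taking it from the platform's `image:` key the way molecule's stock template does, as far as I recall, with `FROM {{ item.image }}`, so the two files can silently disagree; templating it keeps molecule.yml the single place where the base is chosen and, ideally, pinned.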
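Review bot: `gather_facts: yes` uses the YAML 1.1 truthy spelling while the sibling verify.yml added in this patch writes `gather_facts: false`; ansible-lint's yaml[truthy] rule flags the former, so `gather_facts: true` keeps the two playbooks consistent. The comment above `nft_old_pkg_manage: false` says iptables cannot be removed but not what the variable controls; if it does gate removal of the old package, as the name suggests, `# nft_old_pkg_manage would uninstall iptables, which cannot be done on a docker instance` makes the intent self-contained.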
@@ -0,0 +1,19 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+platforms:
+ - name: archlinux
+ image: archlinux:latest
+ command: /usr/sbin/init
+ privileged: true
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+ tmpfs:
+ - /run
+ - /tmp
+provisioner:
+ name: ansible
+verifier:
+ name: ansible
diff --git a/molecule/archlinux/verify.yml b/molecule/archlinux/verify.yml
new file mode 100644
index 0000000..3ac7ebe
--- /dev/null
+++ b/molecule/archlinux/verify.yml
@@ -0,0 +1,72 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+ hosts: all
+ gather_facts: false
+ tasks:
+
+ - name: check for nftables.d
+ stat:
+ path: /etc/nftables.d
+ register: p
+
+ - name: check nftables.d
+ assert:
+ that:
+ - p.stat.exists and p.stat.isdir
+
+ - name: check for nftables.conf
+ stat:
+ path: /etc/nftables.conf
+ register: p
+
+ - name: check nftables.conf
+ assert:
+ that:
+ - p.stat.exists
+
+ - name: check for nftables.conf
+ stat:
+ path: /etc/nftables.d/filter-input.nft
+ register: p
+
+ - name: check filter-input.nft
+ assert:
+ that:
+ - p.stat.exists
+
+ - name: list rules
+ command: nft list ruleset
+ register: nft
+
+ - name: debug rules
+ debug: var=nft
+
+ - name: check rules
+ assert:
+ that:
+ # The whole line is:
+ # type filter hook input priority 0; policy drop;
+ # However on CentOS will return "priority 0", while Debian will
+ # show "priority filter"
+ - '"type filter hook input" in nft.stdout'
+ - '"type filter hook output" in nft.stdout'
+
+ - name: service status - active
+ command: systemctl is-active nftables.service
+ register: status
+
+ - name: check service status
+ assert:
+ that:
+ - 'status.stdout == "active"'
+
+ - name: service status - enabled
+ command: systemctl is-enabled nftables.service
+ register: status
+
+ - name: check service status
+ assert:
+ that:
+ - 'status.stdout == "enabled"'
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 00c8420..526cbb7 100644
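Review bot: `privileged: true` on the archlinux platform hands the test container every capability and host device, and nothing in the file records why; the instance boots systemd via `command: /usr/sbin/init`, which is presumably the reason, so a comment above it such as `# systemd as PID 1 needs the cgroup tree; privileged is required for that, not for the role` stops the next reader from treating it as a default. `image: archlinux:latest` floats, so a failing run cannot be reproduced against the same base later; the archlinux image publishes dated tags of the form `base-<YYYYMMDD>.0.<build>` (pattern, pick a current one) that would pin it. Note that whether this `image:` key is used at all depends on the scenario's Dockerfile.j2, which in this patch hardcodes its own `FROM` rather than templating `item.image`.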
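Review bot: The third stat task is named `check for nftables.conf` but stats `/etc/nftables.d/filter-input.nft`, a copy of the previous task's name, so a failure in that step is reported against the wrong file; rename it `- name: check for filter-input.nft`. The `command` tasks (`nft list ruleset`, `systemctl is-active nftables.service`, `systemctl is-enabled nftables.service`) are read-only probes but will be reported as changed on every verify run and trip ansible-lint's no-changed-when rule; add `changed_when: false` to each. The header comment `# This is an example playbook to execute Ansible tests.` is the molecule template text and could be replaced with a line stating what is actually verified, e.g. `# Verify the nftables role: config files present, input/output hooks loaded, service active and enabled.`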
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -43,15 +43,6 @@ platforms:
 # volumes: # - /sys/fs/cgroup:/sys/fs/cgroup:ro - # - name: archlinux - # image: archlinux:latest - # command: /usr/sbin/init - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:ro - # tmpfs: - # - /run - # - /tmp provisioner: name: ansible