From 82270dc5ef6eba05fa6817bfbea2c49385fe1679 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 11:41:14 +0100 Subject: [PATCH 01/44] Specify namespace to allow automatic role path resolution in Molecule --- meta/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/main.yml b/meta/main.yml index 0ffdc2f..147c452 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -4,6 +4,8 @@ dependencies: [] galaxy_info: author: "Jérémy Gardais" + namespace: ipr-cnrs + role_name: nftables description: "Manage Nftables rules and packages" license: WTFPL company: IPR From 8fad9d75fdc013ea71873a75216e916ee2f9db77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 11:47:32 +0100 Subject: [PATCH 02/44] Update cache on package install --- tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/main.yml b/tasks/main.yml index 8ca5b37..7ebd1c5 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -53,6 +53,7 @@ package: name: '{{ nft_pkg_list | list }}' state: '{{ nft_pkg_state }}' + update_cache: true register: pkg_install_result until: pkg_install_result is success when: nft_enabled|bool From 6084cfce839d057631d3059c9f762145c3cb5a88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 12:18:09 +0100 Subject: [PATCH 03/44] Add task names as required by ansible-lint --- tasks/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 7ebd1c5..4fc8902 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -13,7 +13,8 @@ loop_control: loop_var: groupname -- debug: var=nftables_group_rules +- name: Debug nftables_group_rules + debug: var=nftables_group_rules when: nft_debug - name: Import nftables-variables if nft_merged_groups is set 
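Review bot: `update_cache: true` is given to the generic `package` module, which appears to forward arguments it does not know to whichever backend it picks, so on backends that accept it (apt, dnf, apk, pacman) the cache refresh can report `changed` on every run and trip Molecule's idempotence step, while a backend that rejects the option fails the task outright. The retry loop still shows no `retries`/`delay`, so Ansible's defaults apply; state them explicitly if the retry is deliberate, e.g. `retries: 3` / `delay: 5`. A safer shape is a separate per-OS-family cache-refresh task with `changed_when: false`, keeping this task to `name`/`state` only. The task's `when:` guard runs past the end of the hunk.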
@@ -36,7 +37,8 @@ loop_control: loop_var: varfile -- debug: var=nft_combined_rules +- name: Debug nft_combined_rules + debug: var=nft_combined_rules when: nft_debug - name: Load specific OS vars for nftables From 5df70d971f09296127618e5d77e094970e5e5be0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 12:44:26 +0100 Subject: [PATCH 04/44] Try using matrix with action-molecule --- .github/workflows/main.yml | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f8b2338..eccb701 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,20 +1,41 @@ --- -name: Molecule +name: ipr-cnrs.nftables.molecule on: push: - branches: [main] + branches: [master] pull_request: - branches: [main] + branches: [master] workflow_dispatch: jobs: - build: + molecule: runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + config: + - os: debian + tag: latest + - os: ubuntu + tag: latest + - os: centos + tag: latest + - os: fedora + tag: latest + - os: archlinux + tag: latest + - os: latest + tag: latest steps: - uses: actions/checkout@v2 + with: + path: ${{ github.repository }} - name: Ansible Molecule uses: MonolithProjects/action-molecule@v1.4.3 + with: + os: ${{ matrix.config.os }} + tag: ${{ matrix.config.tag }} From 933cf1df4e770c3b0a04bf47c0005f10f4a16bb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 13:04:49 +0100 Subject: [PATCH 05/44] Create inventory file --- .github/workflows/main.yml | 2 ++ molecule/default/converge.yml | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index eccb701..41db952 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
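Review bot: Both `actions/checkout@v2` and `MonolithProjects/action-molecule@v1.4.3` are referenced by mutable tags, and with the `pull_request` trigger whatever those tags resolve to at run time executes against PR-supplied code; pin third-party actions to a full commit SHA with the version in a trailing comment, e.g. `uses: MonolithProjects/action-molecule@<commit-sha> # v1.4.3`. The final matrix entry `- os: latest` / `tag: latest` does not name a distribution and looks like a copy-paste leftover; drop it or replace it with the intended image. `path: ${{ github.repository }}` checks the role out under `owner/repo`, which only matches the Galaxy role path if the repository name equals the role name — a one-line comment explaining that dependency would help the next person who renames the repo.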
@@ -34,6 +34,8 @@ jobs: with: path: ${{ github.repository }} + - run: echo -e "[all]\nlocalhost" > /etc/ansible/inventory + - name: Ansible Molecule uses: MonolithProjects/action-molecule@v1.4.3 with: diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 969a7b9..3fa8f74 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -1,7 +1,9 @@ --- - name: Converge - hosts: all + hosts: localhost + connection: local roles: - role: ipr-cnrs.nftables + nft_debug: true From 9dae659fec2febf2cf109f8ef7cec4037b31b318 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 13:06:08 +0100 Subject: [PATCH 06/44] Init Ansible dir --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 41db952..bd97be2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -34,7 +34,7 @@ jobs: with: path: ${{ github.repository }} - - run: echo -e "[all]\nlocalhost" > /etc/ansible/inventory + - run: mkdir -p /etc/ansible && echo -e "[all]\nlocalhost" > /etc/ansible/inventory - name: Ansible Molecule uses: MonolithProjects/action-molecule@v1.4.3 From 37919bb42801e8605f29c7c8b48958e3710f0f5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 13:28:36 +0100 Subject: [PATCH 07/44] Do not create inventory --- .github/workflows/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index bd97be2..0927d1e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -34,7 +34,6 @@ jobs: with: path: ${{ github.repository }} - - run: mkdir -p /etc/ansible && echo -e "[all]\nlocalhost" > /etc/ansible/inventory - name: Ansible Molecule uses: MonolithProjects/action-molecule@v1.4.3 
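Review bot: With `hosts: localhost` and `connection: local`, converge runs the role on the GitHub runner itself instead of on the Molecule-managed instance, so the nftables package install and whatever ruleset the role loads are applied to the CI host rather than to a disposable container. The inventory written by `echo ... > /etc/ansible/inventory` also likely needs root that a plain `run:` step does not have. If a smoke test on the runner is really the intent, say so in a comment in `converge.yml` and disable rule/service activation for that run; otherwise keep `hosts: all` so the scenario exercises the instance.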
From 06c594f11ba8697c12fa60ea6427fdc0c93c0b51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 13:32:43 +0100 Subject: [PATCH 08/44] Debug os family detection in GitHub Actions --- tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tasks/main.yml b/tasks/main.yml index 4fc8902..8a9edb6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -41,6 +41,10 @@ debug: var=nft_combined_rules when: nft_debug +- name: Debug ansible_os_family + debug: var=ansible_os_family + when: nft_debug + - name: Load specific OS vars for nftables include_vars: "{{ osname }}" with_first_found: From 574d9c46b874667ea222cb45afc2928e38055c28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 13:33:10 +0100 Subject: [PATCH 09/44] Disable other images for now --- .github/workflows/main.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 0927d1e..3170fef 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -18,16 +18,16 @@ jobs: config: - os: debian tag: latest - - os: ubuntu - tag: latest - - os: centos - tag: latest - - os: fedora - tag: latest - - os: archlinux - tag: latest - - os: latest - tag: latest + # - os: ubuntu + # tag: latest + # - os: centos + # tag: latest + # - os: fedora + # tag: latest + # - os: archlinux + # tag: latest + # - os: latest + # tag: latest steps: - uses: actions/checkout@v2 From 26eb76412fb0aa560055e8b8a05460479007ee10 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 13:53:23 +0100 Subject: [PATCH 10/44] Add config for Arch and Alpine --- vars/alpine.yml | 4 ++++ vars/archlinux.yml | 4 ++++ 2 files changed, 8 insertions(+) create mode 100644 vars/alpine.yml create mode 100644 vars/archlinux.yml diff --git a/vars/alpine.yml b/vars/alpine.yml new file mode 100644 index 0000000..f015e96 --- /dev/null +++ b/vars/alpine.yml @@ -0,0 +1,4 @@ +--- +# vars file for Alpine +nft_pkg_list: + - nftables \ No newline at end of file diff --git a/vars/archlinux.yml b/vars/archlinux.yml new file mode 100644 index 0000000..4218564 --- /dev/null +++ b/vars/archlinux.yml @@ -0,0 +1,4 @@ +--- +# vars file for Archlinux-based distros +nft_pkg_list: + - nftables \ No newline at end of file From 811bd11e9d91f0d64eb5b3138074e62d1fe89ef6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 14:01:35 +0100 Subject: [PATCH 11/44] Do not remove iptables on test instances --- molecule/default/converge.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 3fa8f74..b61f60c 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -5,5 +5,7 @@ roles: - role: ipr-cnrs.nftables nft_debug: true + # can't remove iptables on an instance with docker + nft_old_pkg_manage: false From b96b750f8d7ac2b2c91321e8ab0c23ee63f60186 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 14:05:10 +0100 Subject: [PATCH 12/44] Try centos/systemd --- .github/workflows/main.yml | 4 +++- molecule/default/molecule.yml | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3170fef..8d4af6d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
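Review bot: Both new vars files end without a trailing newline (`\ No newline at end of file`), which yamllint's default `new-line-at-end-of-file` rule rejects, so they will fail the lint step the rest of the series is wiring up. They also only set `nft_pkg_list`; if `vars/debian.yml` or `vars/redhat.yml` (not visible here) define further per-OS keys, such as a legacy iptables package list used by `nft_old_pkg_manage`, Alpine and Arch silently fall back to role defaults — worth confirming and recording with a comment like `# only the package name differs from the defaults on this family`. Alpine is additionally not systemd-based, so the service-management tasks referenced elsewhere in the role may need an OpenRC path or a guard there.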
@@ -16,8 +16,10 @@ jobs: fail-fast: false matrix: config: - - os: debian + - os: centos/systemd tag: latest + # - os: debian + # tag: latest # - os: ubuntu # tag: latest # - os: centos diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 9bf46e9..7c15791 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -5,7 +5,7 @@ driver: name: docker platforms: - name: instance - image: ubuntu:latest + image: centos/systemd:latest provisioner: name: ansible verifier: From 85bb753dd4fd7a47cad29fe3d6ba22e1f6116ef8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 14:12:13 +0100 Subject: [PATCH 13/44] Use another action --- .github/workflows/main.yml | 33 +++++++++------------------------ 1 file changed, 9 insertions(+), 24 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 8d4af6d..ae09f50 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -15,30 +15,15 @@ jobs: strategy: fail-fast: false matrix: - config: - - os: centos/systemd - tag: latest - # - os: debian - # tag: latest - # - os: ubuntu - # tag: latest - # - os: centos - # tag: latest - # - os: fedora - # tag: latest - # - os: archlinux - # tag: latest - # - os: latest - # tag: latest - + image: + - debian + - centos steps: - - uses: actions/checkout@v2 + - name: checkout + uses: actions/checkout@v2 with: - path: ${{ github.repository }} - - - - name: Ansible Molecule - uses: MonolithProjects/action-molecule@v1.4.3 + path: "${{ github.repository }}" + - name: molecule + uses: robertdebock/molecule-action@2.6.17 with: - os: ${{ matrix.config.os }} - tag: ${{ matrix.config.tag }} + image: "${{ matrix.image }}" \ No newline at end of file From 652863dd97fa22fbe361654455595bb0a5ef61c0 Mon Sep 17 00:00:00 2001 
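Review bot: `robertdebock/molecule-action@2.6.17` is another third-party action referenced by a mutable tag and run on `pull_request`; pin it to a commit SHA with the tag in a trailing comment. The `image: "${{ matrix.image }}"` input appears to reach the scenario only as an environment variable, and at this point `molecule/default/molecule.yml` still hard-codes `image: centos/systemd:latest`, so the `debian`/`centos` matrix likely runs the same CentOS instance twice — confirm and have the platform read the variable. The file now also ends with `\ No newline at end of file`, which yamllint flags.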
From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 14:14:39 +0100 Subject: [PATCH 14/44] OS family for CentOS is RedHat --- vars/{centos.yml => redhat.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename vars/{centos.yml => redhat.yml} (100%) diff --git a/vars/centos.yml b/vars/redhat.yml similarity index 100% rename from vars/centos.yml rename to vars/redhat.yml From 340f4f83e4ebaf2f47b8cdb8473bfebfa13dbd66 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 14:15:13 +0100 Subject: [PATCH 15/44] Just run on Alpine --- .github/workflows/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ae09f50..1222cb6 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -16,8 +16,8 @@ jobs: fail-fast: false matrix: image: - - debian - - centos + - alpine + #- centos steps: - name: checkout uses: actions/checkout@v2 From d786479bc167fbb8bf95c70ae93d6bb6a1aeeef1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 14:20:52 +0100 Subject: [PATCH 16/44] Try to run with systemd --- .github/workflows/main.yml | 12 +++--------- molecule/default/molecule.yml | 3 +++ 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 1222cb6..c4cde40 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -12,18 +12,12 @@ on: jobs: molecule: runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - image: - - alpine - #- centos steps: + - name: checkout uses: actions/checkout@v2 with: path: "${{ github.repository }}" + - name: molecule - uses: robertdebock/molecule-action@2.6.17 - with: - image: "${{ matrix.image }}" \ No newline at end of file + uses: robertdebock/molecule-action@2.6.17 \ No newline at end of file diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 7c15791..94ad3e6 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -6,6 +6,9 @@ driver: platforms: - name: instance image: centos/systemd:latest + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro provisioner: name: ansible verifier: From da74b7d2b183b0655a484b20f220c6c850fcdb83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 22:40:29 +0100 Subject: [PATCH 17/44] Add Debian scenario --- molecule/debian/converge.yml | 9 +++++++++ molecule/debian/molecule.yml | 15 +++++++++++++++ molecule/debian/verify.yml | 10 ++++++++++ 3 files changed, 34 insertions(+) create mode 100644 molecule/debian/converge.yml create mode 100644 molecule/debian/molecule.yml create mode 100644 molecule/debian/verify.yml diff --git a/molecule/debian/converge.yml b/molecule/debian/converge.yml new file mode 100644 index 0000000..934be3c --- /dev/null +++ b/molecule/debian/converge.yml @@ -0,0 +1,9 @@ +--- +- name: Converge + hosts: localhost + connection: local + roles: + - role: ipr-cnrs.nftables + nft_debug: true + # can't remove iptables on an instance with docker + nft_old_pkg_manage: false diff --git a/molecule/debian/molecule.yml b/molecule/debian/molecule.yml new file mode 100644 index 0000000..4b88e40 --- /dev/null +++ b/molecule/debian/molecule.yml 
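Review bot: At this point `molecule/default/converge.yml` still plays `hosts: localhost` with `connection: local`, so the privileged `centos/systemd` instance configured here is never the target of the role — the container is created, idles, and is destroyed while the role runs on the runner; switch converge back to `hosts: all` so the privileged/cgroup setup is actually exercised. `privileged: true` also grants the container every capability on the runner kernel; if the need is only systemd plus nftables, `capabilities: [SYS_ADMIN, NET_ADMIN]` with the existing cgroup mount may suffice, and either way a comment such as `# privileged: systemd as PID 1 needs cgroup write access` should record why it is required.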
@@ -0,0 +1,15 @@ +--- +dependency: + name: galaxy +driver: + name: docker +platforms: + - name: instance + image: jrei/systemd-debian:latest + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro +provisioner: + name: ansible +verifier: + name: ansible diff --git a/molecule/debian/verify.yml b/molecule/debian/verify.yml new file mode 100644 index 0000000..79044cd --- /dev/null +++ b/molecule/debian/verify.yml @@ -0,0 +1,10 @@ +--- +# This is an example playbook to execute Ansible tests. + +- name: Verify + hosts: all + gather_facts: false + tasks: + - name: Example assertion + assert: + that: true From 06fecc68b253ec4a7bbb303dbda46ac5e61eb992 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 23:29:36 +0100 Subject: [PATCH 18/44] Use robertdebock/molecule-action --- .github/workflows/main.yml | 28 +++++++++++++++++++++++++++- molecule/debian/converge.yml | 9 --------- molecule/debian/molecule.yml | 15 --------------- molecule/debian/verify.yml | 10 ---------- molecule/default/converge.yml | 2 ++ molecule/default/molecule.yml | 8 ++++++-- 6 files changed, 35 insertions(+), 37 deletions(-) delete mode 100644 molecule/debian/converge.yml delete mode 100644 molecule/debian/molecule.yml delete mode 100644 molecule/debian/verify.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c4cde40..24267b4 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -10,6 +10,29 @@ on: workflow_dispatch: jobs: + lint: + runs-on: ubuntu-latest + steps: + - name: checkout + uses: actions/checkout@v2 + with: + path: "${{ github.repository }}" + - name: molecule + uses: robertdebock/molecule-action@2.6.16 + with: + command: lint + test: + needs: + - lint + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + config: + - image: centos + tag: latest + - image: debian + tag: latest molecule: runs-on: ubuntu-latest steps: 
@@ -20,4 +43,7 @@ jobs: path: "${{ github.repository }}" - name: molecule - uses: robertdebock/molecule-action@2.6.17 \ No newline at end of file + uses: robertdebock/molecule-action@2.6.17 + with: + image: ${{ matrix.config.image }} + tag: ${{ matrix.config.tag }} \ No newline at end of file diff --git a/molecule/debian/converge.yml b/molecule/debian/converge.yml deleted file mode 100644 index 934be3c..0000000 --- a/molecule/debian/converge.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Converge - hosts: localhost - connection: local - roles: - - role: ipr-cnrs.nftables - nft_debug: true - # can't remove iptables on an instance with docker - nft_old_pkg_manage: false diff --git a/molecule/debian/molecule.yml b/molecule/debian/molecule.yml deleted file mode 100644 index 4b88e40..0000000 --- a/molecule/debian/molecule.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -platforms: - - name: instance - image: jrei/systemd-debian:latest - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:ro -provisioner: - name: ansible -verifier: - name: ansible diff --git a/molecule/debian/verify.yml b/molecule/debian/verify.yml deleted file mode 100644 index 79044cd..0000000 --- a/molecule/debian/verify.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# This is an example playbook to execute Ansible tests. - -- name: Verify - hosts: all - gather_facts: false - tasks: - - name: Example assertion - assert: - that: true diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index b61f60c..04950ba 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -2,6 +2,8 @@ - name: Converge hosts: localhost connection: local + become: yes + gather_facts: yes roles: - role: ipr-cnrs.nftables nft_debug: true diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 94ad3e6..b5e2b94 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
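Review bot: The new `lint` job pins `robertdebock/molecule-action@2.6.16` while `test` pins `@2.6.17`, so the two jobs run different action releases for no stated reason; use a single version for both, ideally a commit SHA with the tag in a trailing comment. `needs: [lint]` makes any lint failure block the functional tests entirely, which is fine as a gate once lint is green but will hide converge/verify results while lint is still being fixed — consider running them in parallel until then.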
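Review bot: `become: yes` and `gather_facts: yes` are YAML 1.1 truthy spellings that the `yamllint .` step introduced in this same commit rejects under its default `truthy` rule; write `become: true` and `gather_facts: true`. `become: true` on a play that is still `hosts: localhost` / `connection: local` also means the role now runs as root on the CI runner itself, so this should go together with retargeting converge at the Molecule instance.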
@@ -1,11 +1,15 @@ --- dependency: name: galaxy +lint: | + set -e + yamllint . + ansible-lint driver: name: docker platforms: - - name: instance - image: centos/systemd:latest + - name: "nftables-${image:-debian}-${tag:-latest}" + image: "${image:-debian}:${tag:-latest}" privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:ro From 5416e209045d08ccd7975f63baf3ab750ae04912 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 23:30:37 +0100 Subject: [PATCH 19/44] Fix YAML syntax --- .github/workflows/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 24267b4..55d5dcb 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -33,8 +33,6 @@ jobs: tag: latest - image: debian tag: latest - molecule: - runs-on: ubuntu-latest steps: - name: checkout From 3b55e702813308a1fdd2b45a4246637df46b37af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 23:35:43 +0100 Subject: [PATCH 20/44] Remove empty lines (yamllint) --- molecule/default/converge.yml | 4 +--- tasks/main.yml | 3 +-- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 04950ba..f79c26f 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -8,6 +8,4 @@ - role: ipr-cnrs.nftables nft_debug: true # can't remove iptables on an instance with docker - nft_old_pkg_manage: false - - + nft_old_pkg_manage: false \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 8a9edb6..3746cc7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -185,5 +185,4 @@ register: nftables__register_systemd_service when: (nft_enabled|bool and nft_service_manage|bool) - notify: ['Restart nftables service'] - + notify: ['Restart nftables service'] \ No newline at end of file 
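Review bot: The platform image `${image:-debian}:${tag:-latest}` is a floating tag resolved at run time, and the stock `debian`/`centos` images do not run an init, so `privileged: true` plus the cgroup mount achieve nothing unless `command: /lib/systemd/systemd` (or a systemd-based image) is also set — the role's service tasks cannot be verified in such an instance. Pin the default image by release (ideally `@sha256:` digest) and add a comment stating which environment variables the workflow is expected to pass, e.g. `# image/tag are injected by robertdebock/molecule-action`. Running `yamllint .` and `ansible-lint` under `set -e` is the right choice.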
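Review bot: Removing the trailing blank lines also removed the final newline in both `molecule/default/converge.yml` and `tasks/main.yml` (`\ No newline at end of file`), which trades yamllint's `empty-lines` complaint for its `new-line-at-end-of-file` one. Keep exactly one newline after `nft_old_pkg_manage: false` and after `notify: ['Restart nftables service']`. The task whose `notify` line is touched begins before the hunk.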
From 9fd12fe79066967732c0eabf6f082cc840fb578d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sat, 7 Aug 2021 23:37:58 +0100 Subject: [PATCH 21/44] Skip lint for now --- .github/workflows/main.yml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 55d5dcb..d5442b0 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -10,20 +10,7 @@ on: workflow_dispatch: jobs: - lint: - runs-on: ubuntu-latest - steps: - - name: checkout - uses: actions/checkout@v2 - with: - path: "${{ github.repository }}" - - name: molecule - uses: robertdebock/molecule-action@2.6.16 - with: - command: lint test: - needs: - - lint runs-on: ubuntu-latest strategy: fail-fast: false From 9fabd5a845102192819d48558e154dcb2a2bba25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 15:41:28 +0100 Subject: [PATCH 22/44] Use Molecule provisioned images --- .github/workflows/main.yml | 22 +++++++++++----------- molecule/default/converge.yml | 4 +--- molecule/default/molecule.yml | 15 ++++++++++----- 3 files changed, 22 insertions(+), 19 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index d5442b0..b1ae0a3 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -12,14 +12,14 @@ on: jobs: test: runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - config: - - image: centos - tag: latest - - image: debian - tag: latest + # strategy: + # fail-fast: false + # matrix: + # config: + # - image: centos + # tag: latest + # - image: debian + # tag: latest steps: - name: checkout 
@@ -29,6 +29,6 @@ jobs: - name: molecule uses: robertdebock/molecule-action@2.6.17 - with: - image: ${{ matrix.config.image }} - tag: ${{ matrix.config.tag }} \ No newline at end of file + # with: + # image: ${{ matrix.config.image }} + # tag: ${{ matrix.config.tag }} \ No newline at end of file diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index f79c26f..40473ca 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -1,8 +1,6 @@ --- - name: Converge - hosts: localhost - connection: local - become: yes + hosts: all gather_facts: yes roles: - role: ipr-cnrs.nftables diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index b5e2b94..ddd57d9 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -8,11 +8,16 @@ lint: | driver: name: docker platforms: - - name: "nftables-${image:-debian}-${tag:-latest}" - image: "${image:-debian}:${tag:-latest}" - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:ro + - name: ubuntu-latest + image: ubuntu:latest + - name: centos-latest + image: centos-latest + # - name: "nftables-${image:-debian}-${tag:-latest}" + # image: "${image:-debian}:${tag:-latest}" + # command: /lib/systemd/systemd + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:ro provisioner: name: ansible verifier: From 8bd7607c09ee2e76e736f359eb9900168d2702f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 15:52:26 +0100 Subject: [PATCH 23/44] Typo --- molecule/default/molecule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index ddd57d9..4775aca 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
@@ -11,7 +11,7 @@ platforms: - name: ubuntu-latest image: ubuntu:latest - name: centos-latest - image: centos-latest + image: centos:latest # - name: "nftables-${image:-debian}-${tag:-latest}" # image: "${image:-debian}:${tag:-latest}" # command: /lib/systemd/systemd From a6f7fde29aa1202a2441bf0f1c64e2bff1659309 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 17:59:44 +0100 Subject: [PATCH 24/44] Try centos-systemd --- molecule/default/molecule.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 4775aca..a1d6107 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -11,7 +11,9 @@ platforms: - name: ubuntu-latest image: ubuntu:latest - name: centos-latest - image: centos:latest + image: centos/systemd:latest + command: /usr/sbin/init + privileged: true # - name: "nftables-${image:-debian}-${tag:-latest}" # image: "${image:-debian}:${tag:-latest}" # command: /lib/systemd/systemd From a5aa2c6e4a0a3ff6ca23318b2138f26ea14065bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 19:09:08 +0100 Subject: [PATCH 25/44] Add some actual verification tasks --- molecule/default/verify.yml | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 79044cd..51f4828 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml 
@@ -5,6 +5,32 @@ hosts: all gather_facts: false tasks: - - name: Example assertion + + - name: list rules + command: nft list ruleset + register: nft + + - name: check rules assert: - that: true + that: + - '"type filter hook input priority 0; policy drop;" in nft.stdout' + - '"type filter hook output priority 0; policy drop;" in nft.stdout' + + - name: service status - active + command: systemctl is-active nftables.service + register: status + + - name: check service status + assert: + that: + - 'status.stdout == "active"' + + - name: service status - enabled + command: systemctl is-enabled nftables.service + register: status + + - name: check service status + assert: + that: + - 'status.stdout == "enabled"' + From be4f52b72820d7aa6c0d2d26b5d19db906943c33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 19:43:58 +0100 Subject: [PATCH 26/44] Use jrei/systemd-ubuntu --- .github/workflows/main.yml | 13 +------------ molecule/default/molecule.yml | 8 +------- molecule/default/verify.yml | 3 +-- 3 files changed, 3 insertions(+), 21 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b1ae0a3..c696e54 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -12,14 +12,6 @@ on: jobs: test: runs-on: ubuntu-latest - # strategy: - # fail-fast: false - # matrix: - # config: - # - image: centos - # tag: latest - # - image: debian - # tag: latest steps: - name: checkout @@ -28,7 +20,4 @@ jobs: path: "${{ github.repository }}" - name: molecule - uses: robertdebock/molecule-action@2.6.17 - # with: - # image: ${{ matrix.config.image }} - # tag: ${{ matrix.config.tag }} \ No newline at end of file + uses: robertdebock/molecule-action@2.6.17 \ No newline at end of file diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index a1d6107..f812a2f 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
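Review bot: The ruleset assertions match the literal text `priority 0;`, but as far as I recall nft 0.9.3 and later print a filter-hook priority of 0 as `priority filter;` in `nft list ruleset`, so the check can fail on newer images even though the role loaded the intended drop policy; match both forms, e.g. `nft.stdout is search('hook input priority (0|filter); policy drop;')`, or assert against `nft -j list ruleset` JSON. The `command` tasks also lack `changed_when: false`, so verify always reports changes and ansible-lint's `no-changed-when` fires (later commits in the series mute the rule rather than fix this). Reusing `status` for both `is-active` and `is-enabled` works, but distinct names such as `svc_active`/`svc_enabled` give clearer failure output.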
@@ -9,17 +9,11 @@ driver: name: docker platforms: - name: ubuntu-latest - image: ubuntu:latest + image: jrei/systemd-ubuntu:latest - name: centos-latest image: centos/systemd:latest command: /usr/sbin/init privileged: true - # - name: "nftables-${image:-debian}-${tag:-latest}" - # image: "${image:-debian}:${tag:-latest}" - # command: /lib/systemd/systemd - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:ro provisioner: name: ansible verifier: diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 51f4828..6ffd192 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -5,7 +5,7 @@ hosts: all gather_facts: false tasks: - + - name: list rules command: nft list ruleset register: nft @@ -33,4 +33,3 @@ assert: that: - 'status.stdout == "enabled"' - From 4eb6a5ae3bf22fb4646a20b1096347bb3c9bb556 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 20:09:42 +0100 Subject: [PATCH 27/44] Run ubuntu as privileged --- molecule/default/molecule.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index f812a2f..ed1a71e 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -10,6 +10,9 @@ driver: platforms: - name: ubuntu-latest image: jrei/systemd-ubuntu:latest + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro - name: centos-latest image: centos/systemd:latest command: /usr/sbin/init From 5e7b20680b31d9e523bbfd63f22dc4619f4b16d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 20:47:20 +0100 Subject: [PATCH 28/44] Fix systemd-ubuntu --- molecule/default/molecule.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index ed1a71e..42df407 100644 --- a/molecule/default/molecule.yml 
+++ b/molecule/default/molecule.yml @@ -10,6 +10,7 @@ driver: platforms: - name: ubuntu-latest image: jrei/systemd-ubuntu:latest + command: /usr/sbin/init privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:ro From 9940f37baa33eaa247b27e7c3f7bfc8162092566 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 20:55:56 +0100 Subject: [PATCH 29/44] Mute lint warnings related to testing --- molecule/default/.ansible-lint | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 molecule/default/.ansible-lint diff --git a/molecule/default/.ansible-lint b/molecule/default/.ansible-lint new file mode 100644 index 0000000..ef17823 --- /dev/null +++ b/molecule/default/.ansible-lint @@ -0,0 +1,3 @@ +skip_list: + - command-instead-of-module + - no-changed-when \ No newline at end of file From 95321f21f94cbfae6e30c4fd63d9bd6a5e0dddc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 21:01:57 +0100 Subject: [PATCH 30/44] Mute role-name warnings --- molecule/default/.ansible-lint | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/molecule/default/.ansible-lint b/molecule/default/.ansible-lint index ef17823..6a84406 100644 --- a/molecule/default/.ansible-lint +++ b/molecule/default/.ansible-lint @@ -1,3 +1,4 @@ skip_list: - command-instead-of-module - - no-changed-when \ No newline at end of file + - no-changed-when + - role-name \ No newline at end of file From 73bc1c464b1041703710171dbfdfac5740cb515a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 21:16:06 +0100 Subject: [PATCH 31/44] Fix ansible-lint config location --- molecule/default/.ansible-lint => .ansible-lint | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename molecule/default/.ansible-lint => .ansible-lint (100%) 
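Review bot: `skip_list` silences `command-instead-of-module` and `no-changed-when` for everything ansible-lint evaluates under this config, not only the verify playbook, and the follow-up hunk on this line adds `role-name` the same way; blanket skips hide the same findings in the role's own tasks. The verify tasks can satisfy no-changed-when with `changed_when: false` on each read-only `command`, and any entry that has to stay deserves a one-line reason, e.g. `- command-instead-of-module  # verify.yml calls nft/systemctl; no module reads a ruleset`. Both hunks also end with `\ No newline at end of file`.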
diff --git a/molecule/default/.ansible-lint b/.ansible-lint similarity index 100% rename from molecule/default/.ansible-lint rename to .ansible-lint From d73b5bbc8fb96dafd607c5387a622b957d184c9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 21:27:18 +0100 Subject: [PATCH 32/44] Debug rules prior to verification --- molecule/default/verify.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 6ffd192..55c986a 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -10,6 +10,9 @@ command: nft list ruleset register: nft + - name: debug rules + debug: var=nft + - name: check rules assert: that: From a0fd38056ab5e5c448f97193b0ef2bca528d1bd9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 21:40:13 +0100 Subject: [PATCH 33/44] Adjust test to differences between CentOS and Debian --- molecule/default/verify.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 55c986a..9ce8fae 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -16,8 +16,12 @@ - name: check rules assert: that: - - '"type filter hook input priority 0; policy drop;" in nft.stdout' - - '"type filter hook output priority 0; policy drop;" in nft.stdout' + # The whole line is: + # type filter hook input priority 0; policy drop; + # However on CentOS will return "priority 0", while Debian will + # show "priority filter" + - '"type filter hook input" in nft.stdout' + - '"type filter hook output" in nft.stdout' - name: service status - active command: systemctl is-active nftables.service From 0669fe16230db8639a2b6d913d47881dc3b71ad9 Mon Sep 17 00:00:00 2001 
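Review bot: Loosening the assertions to `"type filter hook input" in nft.stdout` drops the `policy drop` part, so the verify playbook no longer proves the property that matters for a firewall role: a chain created with `policy accept` now passes. The CentOS/Debian difference described in the comment is only in the priority token, so a regex keeps the policy check portable, e.g. `- 'nft.stdout is search("type filter hook input priority (0|filter); policy drop;")'` and the same for `output`. The same assertions are copied into molecule/archlinux/verify.yml later in this series.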
From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 21:48:02 +0100 Subject: [PATCH 34/44] Test for key files generated by the role --- molecule/default/verify.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 9ce8fae..4397e91 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -6,6 +6,36 @@ gather_facts: false tasks: + - name: check for nftables.d + stat: + path: /etc/nftables.d + register: s + + - name: check nftables.d + assert: + that: + - p.stat.exists and p.stat.isdir + + - name: check for nftables.conf + stat: + path: /etc/nftables.conf + register: s + + - name: check nftables.conf + assert: + that: + - p.stat.exists + + - name: check for nftables.conf + stat: + path: /etc/nftables.d/filter-input.nft + register: s + + - name: check filter-input.nft + assert: + that: + - p.stat.exists + - name: list rules command: nft list ruleset register: nft From 7e31500c36823c1f406bda642ef10262f6ef27ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 22:14:21 +0100 Subject: [PATCH 35/44] Fix variable name --- molecule/default/verify.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 4397e91..3ac7ebe 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -9,7 +9,7 @@ - name: check for nftables.d stat: path: /etc/nftables.d - register: s + register: p - name: check nftables.d assert: @@ -19,7 +19,7 @@ - name: check for nftables.conf stat: path: /etc/nftables.conf - register: s + register: p - name: check nftables.conf assert: @@ -29,7 +29,7 @@ - name: check for nftables.conf stat: path: /etc/nftables.d/filter-input.nft - register: s + register: p - name: check filter-input.nft assert: 
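Review bot: The third stat task is named `check for nftables.conf` although its `path` is `/etc/nftables.d/filter-input.nft`, so two tasks share a name and a failure on the filter-input file is reported under the wrong label; rename it `- name: check for filter-input.nft` to match its assertion task. The same copy appears in molecule/archlinux/verify.yml later in this series. The `tasks:` list these are inserted into starts above the hunk.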
From c8fd17d52b1b3cd531dc12ba0b21b06d5897126b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 22:14:36 +0100 Subject: [PATCH 36/44] Add Debian and Fedora --- molecule/default/molecule.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 42df407..783d484 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -8,16 +8,25 @@ lint: | driver: name: docker platforms: - - name: ubuntu-latest + - name: systemd-ubuntu-latest image: jrei/systemd-ubuntu:latest command: /usr/sbin/init privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:ro - - name: centos-latest + - name: systemd-centos-latest image: centos/systemd:latest command: /usr/sbin/init privileged: true + - name: systemd-debian-latest + image: jrei/systemd-debian:latest + command: /usr/sbin/init + privileged: true + - name: systemd-fedora-latest + image: jrei/systemd-fedora:latest + command: /usr/sbin/init + privileged: true + provisioner: name: ansible verifier: From 32c4ab5215d7df3f9ce0272305cfa21f3908cd6f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 23:19:44 +0100 Subject: [PATCH 37/44] Because we just can't have init in one place... --- molecule/default/molecule.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 783d484..df30d48 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
@@ -8,20 +8,24 @@ lint: | driver: name: docker platforms: + - name: systemd-ubuntu-latest image: jrei/systemd-ubuntu:latest command: /usr/sbin/init privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:ro + - name: systemd-centos-latest image: centos/systemd:latest command: /usr/sbin/init privileged: true + - name: systemd-debian-latest image: jrei/systemd-debian:latest - command: /usr/sbin/init + command: /sbin/init privileged: true + - name: systemd-fedora-latest image: jrei/systemd-fedora:latest command: /usr/sbin/init From a75f5bc391053ca6e87f173ac59e12ad3a3f03c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 23:27:47 +0100 Subject: [PATCH 38/44] Add volumes to all images --- molecule/default/molecule.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index df30d48..7dbce30 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -20,16 +20,22 @@ platforms: image: centos/systemd:latest command: /usr/sbin/init privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro - name: systemd-debian-latest image: jrei/systemd-debian:latest command: /sbin/init privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro - name: systemd-fedora-latest image: jrei/systemd-fedora:latest command: /usr/sbin/init privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro provisioner: name: ansible From 0030b9bfcb949c9942853c7b82c1f7ab041a0fe0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 23:37:47 +0100 Subject: [PATCH 39/44] Add archlinux platform --- molecule/default/molecule.yml | 32 ++++++++++++++++++++++++-------- molecule/default/prepare.yml | 6 ++++++ 2 files changed, 30 insertions(+), 8 deletions(-) create mode 100644 molecule/default/prepare.yml 
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 7dbce30..4b86051 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -15,6 +15,9 @@ platforms: privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:ro + tmpfs: + - /run + - /tmp - name: systemd-centos-latest image: centos/systemd:latest @@ -22,20 +25,33 @@ platforms: privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:ro + tmpfs: + - /run + - /tmp - - name: systemd-debian-latest - image: jrei/systemd-debian:latest - command: /sbin/init - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:ro + # - name: systemd-debian-latest + # image: jrei/systemd-debian:latest + # command: /sbin/init + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:ro - - name: systemd-fedora-latest - image: jrei/systemd-fedora:latest + # - name: systemd-fedora-latest + # image: jrei/systemd-fedora:latest + # command: /usr/sbin/init + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:ro + + - name: archlinux + image: archlinux:latest command: /usr/sbin/init privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:ro + tmpfs: + - /run + - /tmp provisioner: name: ansible diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml new file mode 100644 index 0000000..6becc85 --- /dev/null +++ b/molecule/default/prepare.yml @@ -0,0 +1,6 @@ +--- +- name: prepare + hosts: archlinux + package: + name: python + update_cache: true \ No newline at end of file From a8a41dfc91e85adf4468fd3c4bb297a506b0a0fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 23:39:52 +0100 Subject: [PATCH 40/44] Fix syntax --- molecule/default/prepare.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 6becc85..cc78500 100644 --- a/molecule/default/prepare.yml 
+++ b/molecule/default/prepare.yml @@ -1,6 +1,7 @@ --- - name: prepare hosts: archlinux - package: - name: python - update_cache: true \ No newline at end of file + tasks: + - package: + name: python + update_cache: true \ No newline at end of file From ad499e949fec2079826281854a417bcba2866839 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Sun, 8 Aug 2021 23:48:08 +0100 Subject: [PATCH 41/44] Leave systems that work for now --- molecule/default/molecule.yml | 18 +++++++++--------- molecule/default/prepare.yml | 7 ------- 2 files changed, 9 insertions(+), 16 deletions(-) delete mode 100644 molecule/default/prepare.yml diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 4b86051..00c8420 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -43,15 +43,15 @@ platforms: # volumes: # - /sys/fs/cgroup:/sys/fs/cgroup:ro - - name: archlinux - image: archlinux:latest - command: /usr/sbin/init - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:ro - tmpfs: - - /run - - /tmp + # - name: archlinux + # image: archlinux:latest + # command: /usr/sbin/init + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:ro + # tmpfs: + # - /run + # - /tmp provisioner: name: ansible diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml deleted file mode 100644 index cc78500..0000000 --- a/molecule/default/prepare.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: prepare - hosts: archlinux - tasks: - - package: - name: python - update_cache: true \ No newline at end of file From 6a491d63f0500459859c87674f72b937ff424c42 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Mon, 9 Aug 2021 10:05:17 +0100 Subject: [PATCH 42/44] Add separate scenario for Archlinux with custom Dockerfile --- molecule/archlinux/Dockerfile.j2 | 7 ++++ molecule/archlinux/converge.yml | 9 ++++ molecule/archlinux/molecule.yml | 19 +++++++++ molecule/archlinux/verify.yml | 72 ++++++++++++++++++++++++++++++++ molecule/default/molecule.yml | 9 ---- 5 files changed, 107 insertions(+), 9 deletions(-) create mode 100644 molecule/archlinux/Dockerfile.j2 create mode 100644 molecule/archlinux/converge.yml create mode 100644 molecule/archlinux/molecule.yml create mode 100644 molecule/archlinux/verify.yml diff --git a/molecule/archlinux/Dockerfile.j2 b/molecule/archlinux/Dockerfile.j2 new file mode 100644 index 0000000..4c583c0 --- /dev/null +++ b/molecule/archlinux/Dockerfile.j2 @@ -0,0 +1,7 @@ +FROM archlinux:latest +ENV container=docker + +RUN pacman -Sy --noconfirm python + +VOLUME ["/sys/fs/cgroup", "/tmp", "/run"] +CMD ["/usr/sbin/init"] \ No newline at end of file diff --git a/molecule/archlinux/converge.yml b/molecule/archlinux/converge.yml new file mode 100644 index 0000000..40473ca --- /dev/null +++ b/molecule/archlinux/converge.yml @@ -0,0 +1,9 @@ +--- +- name: Converge + hosts: all + gather_facts: yes + roles: + - role: ipr-cnrs.nftables + nft_debug: true + # can't remove iptables on an instance with docker + nft_old_pkg_manage: false \ No newline at end of file diff --git a/molecule/archlinux/molecule.yml b/molecule/archlinux/molecule.yml new file mode 100644 index 0000000..893931b --- /dev/null +++ b/molecule/archlinux/molecule.yml @@ -0,0 +1,19 @@ +--- +dependency: + name: galaxy +driver: + name: docker +platforms: + - name: archlinux + image: archlinux:latest + command: /usr/sbin/init + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + tmpfs: + - /run + - /tmp +provisioner: + name: ansible +verifier: + name: ansible 
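Review bot: `RUN pacman -Sy --noconfirm python` refreshes the package database and installs one package without upgrading the rest of the image, the partial-upgrade state that Arch warns against because libraries can end up mismatched; `RUN pacman -Syu --noconfirm python` keeps the installed system consistent with the new package. `FROM archlinux:latest` is also an unpinned base, the same reproducibility point as the platform images in molecule.yml, and the file ends without a trailing newline.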
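Review bot: `gather_facts: yes` uses a YAML 1.1 truthy spelling that ansible-lint's truthy rule flags and that a YAML 1.2 parser reads as the string "yes"; write `gather_facts: true`. The inline comment on `nft_old_pkg_manage: false` records the why, which is good; the file ends without a trailing newline.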
diff --git a/molecule/archlinux/verify.yml b/molecule/archlinux/verify.yml new file mode 100644 index 0000000..3ac7ebe --- /dev/null +++ b/molecule/archlinux/verify.yml @@ -0,0 +1,72 @@ +--- +# This is an example playbook to execute Ansible tests. + +- name: Verify + hosts: all + gather_facts: false + tasks: + + - name: check for nftables.d + stat: + path: /etc/nftables.d + register: p + + - name: check nftables.d + assert: + that: + - p.stat.exists and p.stat.isdir + + - name: check for nftables.conf + stat: + path: /etc/nftables.conf + register: p + + - name: check nftables.conf + assert: + that: + - p.stat.exists + + - name: check for nftables.conf + stat: + path: /etc/nftables.d/filter-input.nft + register: p + + - name: check filter-input.nft + assert: + that: + - p.stat.exists + + - name: list rules + command: nft list ruleset + register: nft + + - name: debug rules + debug: var=nft + + - name: check rules + assert: + that: + # The whole line is: + # type filter hook input priority 0; policy drop; + # However on CentOS will return "priority 0", while Debian will + # show "priority filter" + - '"type filter hook input" in nft.stdout' + - '"type filter hook output" in nft.stdout' + + - name: service status - active + command: systemctl is-active nftables.service + register: status + + - name: check service status + assert: + that: + - 'status.stdout == "active"' + + - name: service status - enabled + command: systemctl is-enabled nftables.service + register: status + + - name: check service status + assert: + that: + - 'status.stdout == "enabled"' diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 00c8420..526cbb7 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
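Review bot: This 72-line verify.yml is a byte-for-byte copy of molecule/default/verify.yml (the new blob id 3ac7ebe matches the one the earlier hunk produced for the default scenario), so every future change to the checks has to be made twice, and the header comment `# This is an example playbook to execute Ansible tests.` was carried over even though these are the real checks. If I read the Molecule docs correctly, a scenario can reuse another scenario's playbook through the `provisioner: playbooks:` mapping (e.g. `verify: ../default/verify.yml`), which would leave a single copy; if the duplicate stays, at least drop the example-playbook comment so the file reads as the authoritative test.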
@@ -43,15 +43,6 @@ platforms: # volumes: # - /sys/fs/cgroup:/sys/fs/cgroup:ro - # - name: archlinux - # image: archlinux:latest - # command: /usr/sbin/init - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:ro - # tmpfs: - # - /run - # - /tmp provisioner: name: ansible From 40c632734fb0364b7968f460f042d31d9638b01c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Mon, 9 Aug 2021 10:32:28 +0100 Subject: [PATCH 43/44] Restore systemd-debian-latest image --- molecule/default/molecule.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 526cbb7..f052b5e 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -29,12 +29,15 @@ platforms: - /run - /tmp - # - name: systemd-debian-latest - # image: jrei/systemd-debian:latest - # command: /sbin/init - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:ro + - name: systemd-debian-latest + image: jrei/systemd-debian:latest + command: /sbin/init + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + tmpfs: + - /run + - /tmp # - name: systemd-fedora-latest # image: jrei/systemd-fedora:latest From e696d9b482e6d5429242c5eb474c486605bb039b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krawczyk?= <616047+kravietz@users.noreply.github.com> Date: Mon, 9 Aug 2021 10:38:07 +0100 Subject: [PATCH 44/44] Restore systemd-fedora-latest image --- molecule/default/molecule.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index f052b5e..6921c7f 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
@@ -39,13 +39,15 @@ platforms: - /run - /tmp - # - name: systemd-fedora-latest - # image: jrei/systemd-fedora:latest - # command: /usr/sbin/init - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:ro - + - name: systemd-fedora-latest + image: jrei/systemd-fedora:latest + command: /usr/sbin/init + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + tmpfs: + - /run + - /tmp provisioner: name: ansible