Commit 0594cad6 authored by Stéphane Diemer's avatar Stéphane Diemer

Merge branch 't33830-security-repository-migration' into 'master'

Security repository migration | refs #33830

See merge request mediaserver/envsetup!70
parents b6f942cc 8edadaa7
Showing
with 0 additions and 771 deletions
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_manager_is_installed(host):
p = host.package("ubicast-skyreach")
assert p.is_installed
def test_manager_user(host):
u = host.user("skyreach")
assert u.name == "skyreach"
def test_manager_nginx(host):
f = host.file("/etc/nginx/sites-available/skyreach.conf")
assert f.exists
def test_manager_service(host):
s = host.service("skyreach")
assert s.is_running
assert s.is_enabled
def test_manager_socket(host):
s = host.socket("tcp://0.0.0.0:443")
assert s.is_listening
def test_fail2ban_conf(host):
f = host.file("/etc/fail2ban/jail.d/skyreach.conf")
assert f.exists
def test_fail2ban_service(host):
s = host.service("fail2ban")
assert s.is_running
def test_postfix_service(host):
s = host.service("postfix")
assert s.is_running
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_munin_is_installed(host):
p = host.package("munin-node")
assert p.is_installed
def test_monitor_is_installed(host):
p = host.package("ubicast-monitor")
assert p.is_installed
def test_monitor_runtime_is_installed(host):
p = host.package("ubicast-monitor-runtime")
assert p.is_installed
def test_monitor_user(host):
u = host.user("msmonitor")
assert u.name == "msmonitor"
def test_monitor_nginx(host):
f = host.file("/etc/nginx/sites-available/msmonitor.conf")
assert f.exists
def test_monitor_service(host):
s = host.service("msmonitor")
assert s.is_running
assert s.is_enabled
def test_monitor_socket(host):
s = host.socket("tcp://0.0.0.0:443")
assert s.is_listening
def test_fail2ban_conf(host):
f = host.file("/etc/fail2ban/jail.d/monitor.conf")
assert f.exists
def test_fail2ban_service(host):
s = host.service("fail2ban")
assert s.is_running
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_netcapture_is_installed(host):
p = host.package("python3-miris-netcapture")
assert p.is_installed
def test_docker_is_installed(host):
p = host.package("docker-ce")
assert p.is_installed
def test_netcapture_conf(host):
f = host.file("/etc/miris/netcapture.json")
assert f.exists
def test_miris_api_conf(host):
f = host.file("/etc/miris/conf/api.json")
assert f.exists
def test_docker_service(host):
s = host.service("docker")
assert s.is_running
assert s.is_enabled
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_apache2_is_installed(host):
p = host.package("apache2")
assert not p.is_installed
def test_nginx_is_installed(host):
p = host.package("nginx")
assert p.is_installed
def test_nginx_removed_default(host):
f = host.file("/etc/nginx/sites-enabled/default.conf")
assert not f.exists
def test_nginx_removed_old_ssl(host):
f = host.file("/etc/nginx/conf.d/ssl.conf")
assert not f.exists
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_ntp_is_installed(host):
p = host.package("ntp")
assert p.is_installed
def test_systemd_timesyncd_override(host):
f = host.file(
"/lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf"
)
assert f.exists
assert f.contains("[Unit]")
assert f.contains("ConditionFileIsExecutable=!")
def test_systemd_timesyncd_disabled(host):
s = host.service("systemd-timesyncd")
assert not s.is_running
assert not s.is_enabled
def test_ntp_service(host):
s = host.service("ntp")
assert s.is_running
assert s.is_enabled
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_postfix_is_installed(host):
p = host.package("postfix")
assert p.is_installed
def test_postfix_main(host):
f = host.file("/etc/postfix/main.cf")
assert f.exists
def test_mailname(host):
f = host.file("/etc/mailname")
assert f.exists
def test_aliases(host):
f = host.file("/etc/aliases")
assert f.exists
assert f.contains("devnull:")
assert f.contains("root:")
def test_postfix_virtual(host):
f = host.file("/etc/postfix/virtual")
assert f.exists
assert f.contains("postmaster@")
assert f.contains("bounces@")
assert f.contains("noreply@")
def test_postfix_generic(host):
f = host.file("/etc/postfix/generic")
assert f.exists
assert f.contains("root@")
def test_postfix_service(host):
s = host.service("postfix")
assert s.is_running
assert s.is_enabled
def test_postfix_listen(host):
s = host.socket("tcp://127.0.0.1:25")
assert s.is_listening
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_psycopg2_is_installed(host):
p = host.package("python3-psycopg2")
assert p.is_installed
def test_postgres_is_installed(host):
p = host.package("postgresql")
assert p.is_installed
def test_postgres_user(host):
u = host.user("postgres")
assert u.name == "postgres"
def test_postgres_service(host):
s = host.service("postgresql@11-main")
assert s.is_running
def test_postgres_socket(host):
s = host.socket("tcp://127.0.0.1:5432")
assert s.is_listening
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_python3_is_installed(host):
p = host.package("python3")
assert p.is_installed
assert p.version.startswith("3.")
../default/converge.yml
\ No newline at end of file
---
driver:
name: docker
platforms:
- name: ms0-${CI_PIPELINE_ID:-default}
environment:
HOSTALIASES: /etc/hosts.aliases
image: registry.ubicast.net/docker/debian-systemd:buster
command: /lib/systemd/systemd
privileged: true
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- data-${CI_PIPELINE_ID:-ha}:/data:rw
tmpfs:
- /tmp
- /run
groups:
- mediaserver
- live
- celerity
- name: ms1-${CI_PIPELINE_ID:-default}
environment:
HOSTALIASES: /etc/hosts.aliases
image: registry.ubicast.net/docker/debian-systemd:buster
command: /lib/systemd/systemd
privileged: true
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- data-${CI_PIPELINE_ID:-ha}:/data:rw
tmpfs:
- /tmp
- /run
groups:
- mediaserver
- live
- name: ms2-${CI_PIPELINE_ID:-default}
image: registry.ubicast.net/docker/debian-systemd:buster
environment:
HOSTALIASES: /etc/hosts.aliases
command: /lib/systemd/systemd
privileged: true
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- data-${CI_PIPELINE_ID:-ha}:/data:rw
tmpfs:
- /tmp
- /run
groups:
- mediaserver
- live
- name: db0-${CI_PIPELINE_ID:-default}
image: registry.ubicast.net/docker/debian-systemd:buster
command: /lib/systemd/systemd
privileged: true
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
tmpfs:
- /tmp
- /run
groups:
- postgres
- name: db1-${CI_PIPELINE_ID:-default}
image: registry.ubicast.net/docker/debian-systemd:buster
command: /lib/systemd/systemd
privileged: true
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
tmpfs:
- /tmp
- /run
groups:
- postgres
- name: db2-${CI_PIPELINE_ID:-default}
image: registry.ubicast.net/docker/debian-systemd:buster
command: /lib/systemd/systemd
privileged: true
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
tmpfs:
- /tmp
- /run
groups:
- postgres
provisioner:
name: ansible
options:
D: true
env:
ANSIBLE_ROLES_PATH: ../../roles
ANSIBLE_LIBRARY: ../../library
ANSIBLE_ACTION_PLUGINS: ../../plugins/action
ANSIBLE_PYTHON_INTERPRETER: /usr/bin/python3
SKYREACH_SYSTEM_KEY: ${SKYREACH_SYSTEM_KEY_HA}
inventory:
group_vars:
postgres:
repmgr_password: "testrepmgr"
verifier:
name: testinfra
options:
verbose: true
...
import socket
def get_status(host):
ip = host.interface('eth0').addresses[0]
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, 8543))
data = s.recv(1024)
return data.rstrip().decode('utf-8')
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("mediaserver")
def test_psycopg2_is_installed(host):
p = host.package("haproxy")
assert p.is_installed
def test_postgres_service(host):
s = host.service("haproxy")
assert s.is_running
def test_haproxy_socket(host):
s = host.socket("tcp://0.0.0.0:54321")
assert s.is_listening
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("mediaserver")
def test_server_is_installed(host):
p = host.package("ubicast-mediaserver")
assert p.is_installed
def test_server_user(host):
u = host.user("msuser")
assert u.name == "msuser"
def test_server_nginx(host):
f = host.file("/etc/nginx/sites-available/mediaserver-msuser.conf")
assert f.exists
def test_server_service(host):
s = host.service("mediaserver")
assert s.is_running
assert s.is_enabled
def test_server_socket(host):
s = host.socket("tcp://0.0.0.0:443")
assert s.is_listening
def test_fail2ban_conf(host):
f = host.file("/etc/fail2ban/jail.d/mediaserver.conf")
assert f.exists
def test_fail2ban_service(host):
s = host.service("fail2ban")
assert s.is_running
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("postgres")
def test_psycopg2_is_installed(host):
p = host.package("python3-psycopg2")
assert p.is_installed
def test_postgres_is_installed(host):
p = host.package("postgresql")
assert p.is_installed
def test_postgres_user(host):
u = host.user("postgres")
assert u.name == "postgres"
def test_postgres_service(host):
s = host.service("postgresql@11-main")
assert s.is_running
def test_postgres_socket(host):
s = host.socket("tcp://127.0.0.1:5432")
assert s.is_listening
../default/converge.yml
\ No newline at end of file
---
driver:
name: docker
platforms:
- name: ms-${CI_PIPELINE_ID:-default}
environment:
HOSTALIASES: /etc/hosts.aliases
image: registry.ubicast.net/docker/debian-systemd:buster
command: /lib/systemd/systemd
privileged: true
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
tmpfs:
- /tmp
- /run
groups:
- mediaserver
- postgres
- celerity
- live
- mirismanager
- mediaimport
- msmonitor
- name: mw-${CI_PIPELINE_ID:-default}
environment:
HOSTALIASES: /etc/hosts.aliases
image: registry.ubicast.net/docker/debian-systemd:buster
command: /lib/systemd/systemd
privileged: true
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
tmpfs:
- /tmp
- /run
groups:
- mediaworker
provisioner:
name: ansible
options:
D: true
env:
ANSIBLE_ROLES_PATH: ../../roles
ANSIBLE_LIBRARY: ../../library
ANSIBLE_ACTION_PLUGINS: ../../plugins/action
ANSIBLE_PYTHON_INTERPRETER: /usr/bin/python3
SKYREACH_SYSTEM_KEY: ${SKYREACH_SYSTEM_KEY_STD}
verifier:
name: testinfra
options:
verbose: true
...
import socket
def get_status(host):
ip = host.interface('eth0').addresses[0]
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, 8543))
data = s.recv(1024)
return data.rstrip().decode('utf-8')
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("mediaserver")
def test_server_is_installed(host):
p = host.package("ubicast-mediaserver")
assert p.is_installed
def test_server_user(host):
u = host.user("msuser")
assert u.name == "msuser"
def test_server_nginx(host):
f = host.file("/etc/nginx/sites-available/mediaserver-msuser.conf")
assert f.exists
def test_server_service(host):
s = host.service("mediaserver")
assert s.is_running
assert s.is_enabled
def test_server_socket(host):
s = host.socket("tcp://0.0.0.0:443")
assert s.is_listening
def test_fail2ban_conf(host):
f = host.file("/etc/fail2ban/jail.d/mediaserver.conf")
assert f.exists
def test_fail2ban_service(host):
s = host.service("fail2ban")
assert s.is_running
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("postgres")
def test_psycopg2_is_installed(host):
p = host.package("python3-psycopg2")
assert p.is_installed
def test_postgres_is_installed(host):
p = host.package("postgresql")
assert p.is_installed
def test_postgres_user(host):
u = host.user("postgres")
assert u.name == "postgres"
def test_postgres_service(host):
s = host.service("postgresql@11-main")
assert s.is_running
def test_postgres_socket(host):
s = host.socket("tcp://127.0.0.1:5432")
assert s.is_listening
#!/usr/bin/env ansible-playbook
---
- name: PYTHON
hosts: all
gather_facts: false
tasks:
- name: ensure python3 is installed
register: python_install
changed_when: "'es_pyinstall' in python_install.stdout_lines"
raw: command -v python3 || echo es_pyinstall && apt update && apt install -y python3-minimal python3-apt
- name: Converge
hosts: postgres
pre_tasks:
- name: check running in a docker container
register: check_if_docker
stat:
path: /.dockerenv
- name: set docker flag variable
set_fact:
in_docker: "{{ check_if_docker.stat.exists | d(false) }}"
roles:
- base
- postgres-ha
post_tasks:
- name: deploy letsencrypt certificate
when: letsencrypt_enabled | d(false)
include_role:
name: letsencrypt
- name: configure network
when: network_apply | d(false)
include_role:
name: network
- name: configure proxy
when: proxy_apply | d(false)
include_role:
name: proxy
...