feat: add test for Rocky Linux 8 (#1)
All checks were successful
continuous-integration/drone/push Build is passing

Co-authored-by: Robert Kaussow <xoxys@rknet.org>
Co-committed-by: Robert Kaussow <xoxys@rknet.org>
This commit is contained in:
Robert Kaussow 2022-01-26 21:02:28 +01:00
parent 023da2b287
commit 363ee36566
14 changed files with 401 additions and 57 deletions

View File

@ -71,7 +71,7 @@ local PipelineDeployment(scenario='centos7') = {
'linting', 'linting',
], ],
trigger: { trigger: {
ref: ['refs/heads/master', 'refs/tags/**'], ref: ['refs/heads/master', 'refs/tags/**', 'refs/pull/**'],
}, },
}; };
@ -116,6 +116,7 @@ local PipelineDocumentation = {
}, },
depends_on: [ depends_on: [
'testing-centos7', 'testing-centos7',
'testing-rocky8',
], ],
}; };
@ -154,6 +155,7 @@ local PipelineNotification = {
[ [
PipelineLinting, PipelineLinting,
PipelineDeployment(scenario='centos7'), PipelineDeployment(scenario='centos7'),
PipelineDeployment(scenario='rocky8'),
PipelineDocumentation, PipelineDocumentation,
PipelineNotification, PipelineNotification,
] ]

View File

@ -62,6 +62,40 @@ trigger:
ref: ref:
- refs/heads/master - refs/heads/master
- refs/tags/** - refs/tags/**
- refs/pull/**
depends_on:
- linting
---
kind: pipeline
name: testing-rocky8
platform:
os: linux
arch: amd64
concurrency:
limit: 1
workspace:
base: /drone/src
path: ${DRONE_REPO_NAME}
steps:
- name: ansible-molecule
image: thegeeklab/molecule:3
commands:
- molecule test -s rocky8
environment:
HCLOUD_TOKEN:
from_secret: hcloud_token
trigger:
ref:
- refs/heads/master
- refs/tags/**
- refs/pull/**
depends_on: depends_on:
- linting - linting
@ -108,6 +142,7 @@ trigger:
depends_on: depends_on:
- testing-centos7 - testing-centos7
- testing-rocky8
--- ---
kind: pipeline kind: pipeline
@ -147,6 +182,6 @@ depends_on:
--- ---
kind: signature kind: signature
hmac: 6fb4bbe578d0a67f6def789d5b7a11d422bca42f07695c24fac97950f02cf51a hmac: 4e3ffd7002957963c30b32275a59b62e7c19a1ccf7bd40369411bca13d94614e
... ...

View File

@ -1,15 +1,16 @@
--- ---
sshd_protocol: 2 sshd_protocol: 2
sshd_permit_root_login: 'yes' sshd_permit_root_login: "yes"
sshd_permit_empty_passwords: 'no' sshd_permit_empty_passwords: "no"
sshd_password_authentication: 'no' sshd_password_authentication: "no"
sshd_gssapi_authentication: 'yes' sshd_gssapi_authentication: "no"
sshd_strict_modes: 'yes' sshd_strict_modes: "yes"
sshd_allow_groups: [] sshd_allow_groups: []
sshd_ignore_rhosts: 'yes' sshd_ignore_rhosts: "yes"
sshd_hostbased_authentication: 'no' sshd_hostbased_authentication: "no"
sshd_client_alive_interval: 900 sshd_client_alive_interval: 900
sshd_client_alive_count_max: 0 sshd_client_alive_count_max: 0
sshd_ciphers: sshd_ciphers:
- chacha20-poly1305@openssh.com - chacha20-poly1305@openssh.com
- aes256-gcm@openssh.com - aes256-gcm@openssh.com
@ -17,33 +18,37 @@ sshd_ciphers:
- aes256-ctr - aes256-ctr
- aes192-ctr - aes192-ctr
- aes128-ctr - aes128-ctr
sshd_kex: sshd_kex:
- curve25519-sha256@libssh.org - curve25519-sha256@libssh.org
- diffie-hellman-group-exchange-sha256 - diffie-hellman-group-exchange-sha256
sshd_moduli_minimum: 2048 sshd_moduli_minimum: 2048
sshd_macs: sshd_macs:
- hmac-sha2-512-etm@openssh.com - hmac-sha2-512-etm@openssh.com
- hmac-sha2-256-etm@openssh.com - hmac-sha2-256-etm@openssh.com
- hmac-ripemd160-etm@openssh.com
- umac-128-etm@openssh.com - umac-128-etm@openssh.com
- hmac-sha2-512 - hmac-sha2-512
- hmac-sha2-256 - hmac-sha2-256
- hmac-ripemd160 - umac-128@openssh.com
sshd_allow_agent_forwarding: 'no'
sshd_x11_forwarding: 'yes' sshd_allow_agent_forwarding: "no"
sshd_allow_tcp_forwarding: 'yes' sshd_x11_forwarding: "yes"
sshd_allow_tcp_forwarding: "yes"
sshd_compression: delayed sshd_compression: delayed
sshd_log_level: INFO sshd_log_level: INFO
sshd_max_auth_tries: 6 sshd_max_auth_tries: 6
sshd_max_sessions: 10 sshd_max_sessions: 10
sshd_tcp_keep_alive: 'yes' sshd_tcp_keep_alive: "yes"
sshd_use_dns: 'yes' sshd_use_dns: "no"
sshd_disable_crypto_policy: False
# @var sshd_challenge_response_authentication:description: > # @var sshd_challenge_response_authentication:description: >
# If you disable password auth you should disable # If you disable password auth you should disable ChallengeResponseAuth also.
# ChallengeResponseAuth also.
# @end # @end
sshd_challenge_response_authentication: 'no' sshd_challenge_response_authentication: "no"
# @var sshd_google_auth_enabled:description: > # @var sshd_google_auth_enabled:description: >
# Google Authenticator required ChallengeResponseAuth! # Google Authenticator required ChallengeResponseAuth!

View File

@ -1 +1 @@
centos7 rocky8

View File

@ -0,0 +1,5 @@
---
- name: Converge
hosts: all
roles:
- role: xoxys.sshd

120
molecule/rocky8/create.yml Normal file
View File

@ -0,0 +1,120 @@
---
- name: Create
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
vars:
ssh_port: 22
ssh_user: root
ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
tasks:
- name: Create SSH key
user:
name: "{{ lookup('env', 'USER') }}"
generate_ssh_key: true
ssh_key_file: "{{ ssh_path }}"
force: true
register: generated_ssh_key
- name: Register the SSH key name
set_fact:
ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"
- name: Register SSH key for test instance(s)
hcloud_ssh_key:
name: "{{ ssh_key_name }}"
public_key: "{{ generated_ssh_key.ssh_public_key }}"
state: present
- name: Create molecule instance(s)
hcloud_server:
name: "{{ item.name }}"
server_type: "{{ item.server_type }}"
ssh_keys:
- "{{ ssh_key_name }}"
image: "{{ item.image }}"
location: "{{ item.location | default(omit) }}"
datacenter: "{{ item.datacenter | default(omit) }}"
user_data: "{{ item.user_data | default(omit) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: present
register: server
loop: "{{ molecule_yml.platforms }}"
async: 7200
poll: 0
- name: Wait for instance(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- name: Create volume(s)
hcloud_volume:
name: "{{ item.name }}"
server: "{{ item.name }}"
location: "{{ item.location | default(omit) }}"
size: "{{ item.volume_size | default(10) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "present"
loop: "{{ molecule_yml.platforms }}"
when: item.volume | default(False) | bool
register: volumes
async: 7200
poll: 0
- name: Wait for volume(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
# Mandatory configuration for Molecule to function.
- name: Populate instance config dict
set_fact:
instance_conf_dict:
{
"instance": "{{ item.hcloud_server.name }}",
"ssh_key_name": "{{ ssh_key_name }}",
"address": "{{ item.hcloud_server.ipv4_address }}",
"user": "{{ ssh_user }}",
"port": "{{ ssh_port }}",
"identity_file": "{{ ssh_path }}",
"volume": "{{ item.item.item.volume | default(False) | bool }}",
}
loop: "{{ hetzner_jobs.results }}"
register: instance_config_dict
when: server.changed | bool
- name: Convert instance config dict to a list
set_fact:
instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
when: server.changed | bool
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool
- name: Wait for SSH
wait_for:
port: "{{ ssh_port }}"
host: "{{ item.address }}"
search_regex: SSH
delay: 10
loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}"
- name: Wait for VM to settle down
pause:
seconds: 30

View File

@ -0,0 +1,78 @@
---
- name: Destroy
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
tasks:
- name: Check existing instance config file
stat:
path: "{{ molecule_instance_config }}"
register: cfg
- name: Populate the instance config
set_fact:
instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}"
- name: Destroy molecule instance(s)
hcloud_server:
name: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: absent
register: server
loop: "{{ instance_conf }}"
async: 7200
poll: 0
- name: Wait for instance(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- pause:
seconds: 5
- name: Destroy volume(s)
hcloud_volume:
name: "{{ item.instance }}"
server: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "absent"
register: volumes
loop: "{{ instance_conf }}"
when: item.volume | default(False) | bool
async: 7200
poll: 0
- name: Wait for volume(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
- name: Remove registered SSH key
hcloud_ssh_key:
name: "{{ instance_conf[0].ssh_key_name }}"
state: absent
when: (instance_conf | default([])) | length > 0
# Mandatory configuration for Molecule to function.
- name: Populate instance config
set_fact:
instance_conf: {}
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool

View File

@ -0,0 +1,24 @@
---
dependency:
name: galaxy
options:
role-file: molecule/requirements.yml
requirements-file: molecule/requirements.yml
env:
ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
driver:
name: delegated
platforms:
- name: rocky8-sshd
image: rocky-8
server_type: cx11
lint: |
/usr/local/bin/flake8
provisioner:
name: ansible
env:
ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
log: False
verifier:
name: testinfra

View File

@ -0,0 +1,15 @@
---
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Bootstrap python for Ansible
raw: |
command -v python3 python || (
(test -e /usr/bin/dnf && sudo dnf install -y python3) ||
(test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
(test -e /usr/bin/yum && sudo yum -y -qq install python3) ||
echo "Warning: Python not boostrapped due to unknown platform."
)
become: true
changed_when: false

View File

@ -0,0 +1,16 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_sshd_config_file(host):
sshd = host.file("/etc/ssh/sshd_config")
assert sshd.exists
assert sshd.user == "root"
assert sshd.group == "root"
assert sshd.mode == 0o600

View File

@ -1,4 +1,9 @@
--- ---
- name: Gather package facts
package_facts:
check_mode: False
when: sshd_disable_crypto_policy | bool
- block: - block:
- name: Hardening sshd config - name: Hardening sshd config
template: template:
@ -16,7 +21,8 @@
check_mode: no check_mode: no
- name: Remove all small primes - name: Remove all small primes
shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ; shell:
awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
[ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
notify: __sshd_restart notify: __sshd_restart
when: __sshd_register_moduli.stdout when: __sshd_register_moduli.stdout
@ -26,5 +32,16 @@
name: "{{ item }}" name: "{{ item }}"
state: present state: present
loop: "{{ sshd_allow_groups }}" loop: "{{ sshd_allow_groups }}"
- name: Disable SSH server CRYPTO_POLICY
copy:
src: etc/sysconfig/sshd
dest: /etc/sysconfig/sshd
owner: "root"
group: "root"
mode: "0640"
when:
- sshd_disable_crypto_policy | bool
- ('crypto-policies' in ansible_facts.packages)
become: True become: True
become_user: root become_user: root

View File

@ -5,18 +5,30 @@
path: "{{ item.path }}" path: "{{ item.path }}"
value: "{{ item.value }}" value: "{{ item.value }}"
loop: loop:
- { path: sshd/permitroot, value: "{{ sshd_permit_root_login | default('') }}" } - path: sshd/permitroot
- { path: sshd/PermitEmptyPasswords, value: "{{ sshd_permit_empty_passwords | default('') }}" } value: "{{ sshd_permit_root_login | default('') }}"
- { path: sshd/permitroot, value: "{{ sshd_permit_root_login | default('') }}" } - path: sshd/PermitEmptyPasswords
- { path: sshd/passwordauthentication, value: "{{ sshd_password_authentication | default('') }}" } value: "{{ sshd_permit_empty_passwords | default('') }}"
- { path: sshd/challengeresponse, value: "{{ sshd_password_authentication | default('') }}" } - path: sshd/permitroot
- { path: sshd/IgnoreRhosts, value: "{{ sshd_ignore_rhosts | default('') }}" } value: "{{ sshd_permit_root_login | default('') }}"
- { path: sshd/HostbasedAuthentication, value: "{{ sshd_hostbased_authentication | default('') }}" } - path: sshd/passwordauthentication
- { path: sshd/ClientAliveInterval, value: "{{ sshd_client_alive_interval | default('') }}" } value: "{{ sshd_password_authentication | default('') }}"
- { path: sshd/ClientAliveCountMax, value: "{{ sshd_client_alive_count_max | default('') }}" } - path: sshd/challengeresponse
- { path: sshd/Ciphers, value: "{{ sshd_ciphers | default('[]') | join(',') }}" } value: "{{ sshd_password_authentication | default('') }}"
- { path: sshd/KexAlgorithms, value: "{{ sshd_kex | default('[]') | join(',') }}" } - path: sshd/IgnoreRhosts
- { path: sshd/MACs, value: "{{ sshd_macs | default('[]') | join(',') }}" } value: "{{ sshd_ignore_rhosts | default('') }}"
- path: sshd/HostbasedAuthentication
value: "{{ sshd_hostbased_authentication | default('') }}"
- path: sshd/ClientAliveInterval
value: "{{ sshd_client_alive_interval | default('') }}"
- path: sshd/ClientAliveCountMax
value: "{{ sshd_client_alive_count_max | default('') }}"
- path: sshd/Ciphers
value: "{{ sshd_ciphers | default('[]') | join(',') }}"
- path: sshd/KexAlgorithms
value: "{{ sshd_kex | default('[]') | join(',') }}"
- path: sshd/MACs
value: "{{ sshd_macs | default('[]') | join(',') }}"
loop_control: loop_control:
label: "variable: {{ item.path }}={{ item.value }}" label: "variable: {{ item.path }}={{ item.value }}"
notify: __sshd_restart notify: __sshd_restart
@ -30,7 +42,7 @@
- name: Create SSH Usergroup - name: Create SSH Usergroup
group: group:
name: "{{ item }}" name: "{{ item }}"
system: 'yes' system: "yes"
state: present state: present
loop: "{{ sshd_allow_groups }}" loop: "{{ sshd_allow_groups }}"
become: True become: True

View File

@ -1,9 +1,8 @@
#jinja2: lstrip_blocks: True #jinja2: lstrip_blocks: True
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See # This is the sshd server system-wide configuration file.
# sshd_config(5) for more information. # See sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin # This sshd was compiled with PATH=/usr/local/bin:/usr/bin
@ -20,30 +19,31 @@
#AddressFamily any #AddressFamily any
#ListenAddress 0.0.0.0 #ListenAddress 0.0.0.0
#ListenAddress :: #ListenAddress ::
{% if ansible_distribution_major_version is version('8', '<') %}
# The default requires explicit activation of protocol 1
Protocol {{ sshd_protocol }} Protocol {{ sshd_protocol }}
{% endif %}
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying # Ciphers and keying
#RekeyLimit default none #RekeyLimit default none
{% if not sshd_disable_crypto_policy | bool %}
# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect here.
# They will be overridden by command-line options passed to the server
# on command line.
# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).
{% else %}
Ciphers {{ sshd_ciphers | join(',') }} Ciphers {{ sshd_ciphers | join(',') }}
KexAlgorithms {{ sshd_kex | join(',') }} KexAlgorithms {{ sshd_kex | join(',') }}
MACs {{ sshd_macs | join(',') }} MACs {{ sshd_macs | join(',') }}
{% endif %}
# Logging # Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH #SyslogFacility AUTH
SyslogFacility AUTHPRIV SyslogFacility AUTHPRIV
LogLevel {{ sshd_log_level }} LogLevel {{ sshd_log_level }}
@ -59,7 +59,6 @@ AllowGroups {{ sshd_allow_groups|join(',') }}
MaxAuthTries {{ sshd_max_auth_tries }} MaxAuthTries {{ sshd_max_auth_tries }}
MaxSessions {{ sshd_max_sessions }} MaxSessions {{ sshd_max_sessions }}
#RSAAuthentication yes
#PubkeyAuthentication yes #PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
@ -71,12 +70,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none #AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody #AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication {{ sshd_hostbased_authentication }} HostbasedAuthentication {{ sshd_hostbased_authentication }}
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no #IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files # Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts {{ sshd_ignore_rhosts }} IgnoreRhosts {{ sshd_ignore_rhosts }}
@ -116,8 +110,8 @@ GSSAPICleanupCredentials no
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several # WARNING: 'UsePAM no' is not supported on RH based systems and may
# problems. # cause several problems.
UsePAM yes UsePAM yes
AllowAgentForwarding {{ sshd_allow_agent_forwarding }} AllowAgentForwarding {{ sshd_allow_agent_forwarding }}
@ -131,12 +125,13 @@ X11Forwarding {{ sshd_x11_forwarding }}
#PrintLastLog no #PrintLastLog no
TCPKeepAlive {{ sshd_tcp_keep_alive }} TCPKeepAlive {{ sshd_tcp_keep_alive }}
#UseLogin no #UseLogin no
{% if ansible_distribution_major_version is version('8', '<') %}
UsePrivilegeSeparation sandbox UsePrivilegeSeparation sandbox
{% endif %}
#PermitUserEnvironment no #PermitUserEnvironment no
Compression {{ sshd_compression }} Compression {{ sshd_compression }}
ClientAliveInterval {{ sshd_client_alive_interval }} ClientAliveInterval {{ sshd_client_alive_interval }}
ClientAliveCountMax {{ sshd_client_alive_count_max }} ClientAliveCountMax {{ sshd_client_alive_count_max }}
#ShowPatchLevel no
UseDNS {{ sshd_use_dns }} UseDNS {{ sshd_use_dns }}
#PidFile /var/run/sshd.pid #PidFile /var/run/sshd.pid
#MaxStartups 10:30:100 #MaxStartups 10:30:100

View File

@ -0,0 +1,20 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
# Configuration file for the sshd service.
# The server keys are automatically generated if they are missing.
# To change the automatic creation, adjust sshd.service options for
# example using systemctl enable sshd-keygen@dsa.service to allow creation
# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
# creation.
# Do not change this option unless you have hardware random
# generator and you REALLY know what you are doing
SSH_USE_STRONG_RNG=0
# SSH_USE_STRONG_RNG=1
# System-wide crypto policy:
# To opt-out, uncomment the following line
CRYPTO_POLICY=