ansible-hardening/tox.ini
Major Hayden 14fa6e5060 Enable chrony [+Docs]
This patch enables chrony and performs basic configuration to meet the
STIG requirements.

These tasks can't be enabled in OpenStack CI due to conflicts with existing
NTP daemons in the CI image.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: If6736c0f4a16de1ba41a4cfa00f5f72f8baf0054
2016-12-09 10:32:24 +00:00


# Global tox settings: tox 2.0 or newer is required, no sdist is built, and a
# bare `tox` run executes the docs, linters and functional environments.
[tox]
minversion = 2.0
skipsdist = True
envlist = docs,linters,functional
# Base environment. Other environments reuse its deps and setenv through
# {[testenv]deps} and {[testenv]setenv}.
[testenv]
usedevelop = True
# Every install is constrained by the OpenStack upper-constraints file, fetched
# over HTTPS unless UPPER_CONSTRAINTS_FILE points somewhere else.
# NOTE(review): the default URL names no branch or tag, so it presumably
# follows the repository's default branch - confirm before relying on it for
# reproducible installs.
install_command =
    pip install -c{env:UPPER_CONSTRAINTS_FILE:https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt} {opts} {packages}
deps =
    -r{toxinidir}/test-requirements.txt
# Delete stale bytecode files from the working tree.
commands =
    /usr/bin/find . -type f -name "*.pyc" -delete
# HOME and the proxy settings are passed through from the caller's environment.
# NOTE(review): proxy URLs can embed credentials; keep them out of job logs
# that dump the environment.
passenv =
    HOME
    http_proxy
    HTTP_PROXY
    https_proxy
    HTTPS_PROXY
    no_proxy
    NO_PROXY
whitelist_externals =
    bash
# Variables exported to every command run in the environment.
setenv =
    PYTHONUNBUFFERED=1
    ROLE_NAME=openstack-ansible-security
    TEST_CHECK_MODE=true
    TEST_IDEMPOTENCE=true
    VIRTUAL_ENV={envdir}
    WORKING_DIR={toxinidir}
# Documentation build: clear the previous output, check the RST sources with
# doc8, then build with Sphinx.
[testenv:docs]
commands =
    bash -c "rm -rf doc/build"
    doc8 doc
    python setup.py build_sphinx
# Settings read by doc8: check only .rst files and allow long titles.
[doc8]
extensions = .rst
allow-long-titles = 1
# Release notes build. -a and -E force a full rebuild from a fresh environment;
# -W turns Sphinx warnings into errors so a broken note fails the job.
[testenv:releasenotes]
commands =
    sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
# Environment used by the -infra templated docs job. It runs whatever command
# is passed after `--` on the tox command line inside the virtualenv.
[testenv:venv]
commands =
    {posargs}
# Fetch the shared openstack-ansible-tests repository into tests/common, unless
# that directory already exists. The pep8, bashate, ansible-syntax,
# ansible-lint and functional environments then execute scripts from it.
# NOTE(review): the clone names no branch, tag or commit, so the scripts that
# get executed are whatever the remote serves at clone time; an existing
# tests/common directory is reused without being updated or verified.
# NOTE(review): the inner double quotes close and reopen the outer ones, so the
# path reaches bash unquoted; this only works while {toxinidir} has no spaces.
[testenv:tests_clone]
commands =
    bash -c "if [ ! -d "{toxinidir}/tests/common" ]; then \
        git clone https://git.openstack.org/openstack/openstack-ansible-tests {toxinidir}/tests/common; \
    fi"
# Python style checks, run by the shared test-pep8.sh script after the tests
# repository has been cloned.
[testenv:pep8]
commands =
    {[testenv:tests_clone]commands}
    bash -c "{toxinidir}/tests/common/test-pep8.sh"
# flake8 settings. F403 is ignored because of how Ansible modules work:
#   F403 'from ansible.module_utils.basic import *' used;
#        unable to detect undefined names
[flake8]
ignore = F403
# Shell style checks, run by the shared test-bashate.sh script after the tests
# repository has been cloned.
[testenv:bashate]
commands =
    {[testenv:tests_clone]commands}
    bash -c "{toxinidir}/tests/common/test-bashate.sh"
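# Ansible test dependencies: the base deps plus the shared requirements list
# published by openstack-ansible-tests. The ansible-syntax, ansible-lint,
# functional, func_rhel7 and linters environments all inherit these deps.
# The list is fetched over HTTPS, like the constraints file in [testenv]; over
# plain HTTP the set of packages pip installs could be altered in transit.
[testenv:ansible]
deps =
    {[testenv]deps}
    -rhttps://git.openstack.org/cgit/openstack/openstack-ansible-tests/plain/test-ansible-deps.txt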
# Ansible syntax check, run by the shared test-ansible-syntax.sh script with
# the Ansible test dependencies installed.
[testenv:ansible-syntax]
deps =
    {[testenv:ansible]deps}
commands =
    {[testenv:tests_clone]commands}
    bash -c "{toxinidir}/tests/common/test-ansible-syntax.sh"
# ansible-lint run, driven by the shared test-ansible-lint.sh script with the
# Ansible test dependencies installed.
[testenv:ansible-lint]
deps =
    {[testenv:ansible]deps}
commands =
    {[testenv:tests_clone]commands}
    bash -c "{toxinidir}/tests/common/test-ansible-lint.sh"
# Functional test of the role, with the controls that the gate images cannot
# satisfy switched off through ANSIBLE_PARAMETERS.
[testenv:functional]
deps =
    {[testenv:ansible]deps}
setenv =
    {[testenv]setenv}
    # NOTE(odyssey4me): V-38462 has to be skipped because openstack-infra now
    #                   builds images with the apt setting
    #                   Apt::Get::AllowUnauthenticated set to true.
    # NOTE(mhayden): V-38660 is skipped because the openstack-infra images
    #                ship SNMP v1/2. It can be added back once
    #                https://review.openstack.org/354819 merges.
    # NOTE(mhayden): V-38620 is skipped since chrony cannot start with ntpd
    #                running in the gate images.
    # NOTE(review): V-38620 is not in the --skip-tags list below; the chrony
    #               tasks appear to be disabled by security_enable_chrony=no
    #               instead. None of these three controls is exercised by
    #               this job, so a regression in them is not caught here.
    ANSIBLE_PARAMETERS=--skip-tags V-38462,V-38660 -e security_enable_chrony=no
commands =
    {[testenv:tests_clone]commands}
    bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
# Functional test of the RHEL 7 STIG content (stig_version=rhel7), using the
# same shared functional test script as [testenv:functional].
[testenv:func_rhel7]
deps =
    {[testenv:ansible]deps}
setenv =
    {[testenv]setenv}
    # NOTE(mhayden): chrony is disabled because it causes conflicts in CI.
    # NOTE(review): the chrony tasks are therefore not exercised by this job.
    ANSIBLE_PARAMETERS=-e stig_version=rhel7 -e security_rhel7_enable_chrony=no
commands =
    {[testenv:tests_clone]commands}
    bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
# Aggregate job: runs the pep8, bashate, ansible-lint, ansible-syntax and docs
# commands in one environment that has the Ansible test dependencies.
[testenv:linters]
deps =
    {[testenv:ansible]deps}
commands =
    {[testenv:pep8]commands}
    {[testenv:bashate]commands}
    {[testenv:ansible-lint]commands}
    {[testenv:ansible-syntax]commands}
    {[testenv:docs]commands}