openstack/ansible-hardening
Code Issues Proposed changes
7d2964acbd
ansible-hardening/tox.ini
Major Hayden 31424a42af Enable LSM instead of checking status 
This patch enables the appropriate Linux Security Module (LSM) for the system
rather than simply checking it. This brings the role more in line with the
STIG requirements and allows it to be used as a more generic role in other
non-OpenStack-Ansible deployments.

It shouldn't affect OpenStack-Ansible deployments since AppArmor is expected
to be running in those deployments.

Documentation and release notes are included.

Change-Id: Ia017f12be0d60ea74b54396bc8278e4db92295ba
2016-05-26 09:16:42 -05:00

132 lines
4.5 KiB
INI
Raw Blame History

[tox]
minversion = 1.6
skipsdist = True
envlist = docs,linters,functional
[testenv]
usedevelop = True
install_command = pip install -U {opts} {packages}
deps = -r{toxinidir}/test-requirements.txt
commands = /usr/bin/find . -type f -name "*.pyc" -delete
passenv =
HOME
whitelist_externals =
bash
cat
git
rm
setenv =
VIRTUAL_ENV={envdir}
ANSIBLE_HOST_KEY_CHECKING = False
ANSIBLE_SSH_CONTROL_PATH = /tmp/%%h-%%r
# TODO (odyssey4me) These are only here as they are non-standard folder
# names for Ansible 1.9.x. We are using the standard folder names for
# Ansible v2.x. We can remove this when we move to Ansible 2.x.
ANSIBLE_ACTION_PLUGINS = {homedir}/.ansible/plugins/action
ANSIBLE_CALLBACK_PLUGINS = {homedir}/.ansible/plugins/callback
ANSIBLE_FILTER_PLUGINS = {homedir}/.ansible/plugins/filter
ANSIBLE_LOOKUP_PLUGINS = {homedir}/.ansible/plugins/lookup
# This is required as the default is the current path or a path specified
# in ansible.cfg
ANSIBLE_LIBRARY = {homedir}/.ansible/plugins/library
# This is required as the default is '/etc/ansible/roles' or a path
# specified in ansible.cfg
ANSIBLE_ROLES_PATH = {homedir}/.ansible/roles:{toxinidir}/..
[testenv:docs]
commands=
python setup.py build_sphinx
# environment used by the -infra templated docs job
[testenv:venv]
deps = -r{toxinidir}/test-requirements.txt
commands = {posargs}
[testenv:pep8]
commands =
# Run hacking/flake8 check for all python files
bash -c "grep --recursive --binary-files=without-match \
--files-with-match '^.!.*python$' \
--exclude-dir .eggs \
--exclude-dir .git \
--exclude-dir .tox \
--exclude-dir *.egg-info \
--exclude-dir doc \
{toxinidir} | xargs flake8 --verbose"
[flake8]
# Ignores the following rules due to how ansible modules work in general
# F403 'from ansible.module_utils.basic import *' used;
# unable to detect undefined names
# H303 No wildcard (*) import.
ignore=F403,H303
[testenv:bashate]
commands =
# Run bashate check for all bash scripts
# Ignores the following rules:
# E003: Indent not multiple of 4 (we prefer to use multiples of 2)
# E006: Line longer than 79 columns (as many scripts use jinja
# templating, this is very difficult)
# E040: Syntax error determined using `bash -n` (as many scripts
# use jinja templating, this will often fail and the syntax
# error will be discovered in execution anyway)
bash -c "grep --recursive --binary-files=without-match \
--files-with-match '^.!.*\(ba\)\?sh$' \
--exclude-dir .tox \
--exclude-dir .git \
{toxinidir} | xargs bashate --error . --verbose --ignore=E003,E006,E040"
[testenv:ansible-syntax]
commands =
rm -rf {homedir}/.ansible
git clone https://git.openstack.org/openstack/openstack-ansible-plugins \
{homedir}/.ansible/plugins
ansible-playbook -i {toxinidir}/tests/inventory \
--syntax-check \
--list-tasks \
-e "rolename={toxinidir}" \
-t ssh \
{toxinidir}/tests/test.yml
[testenv:ansible-lint]
commands =
ansible-lint {toxinidir}/tests/test.yml
[testenv:functional]
# NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building
# images with apt config Apt::Get::AllowUnauthenticated set
# to true.
# NOTE(mhayden): V-38674: OpenStack infra images have graphical target
# enabled, so it must be skipped.
# V-38574: OpenStack infra images have non-standard pam
# configurations that don't match a standard CentOS 7 server
# or cloud image. It must be skipped.
commands =
rm -rf {homedir}/.ansible
git clone https://git.openstack.org/openstack/openstack-ansible-plugins \
{homedir}/.ansible/plugins
ansible-playbook -i {toxinidir}/tests/inventory \
-e "rolename={toxinidir}" \
--skip-tag V-38462,V-38574,V-38674 \
{toxinidir}/tests/test.yml
[testenv:linters]
commands =
{[testenv:pep8]commands}
{[testenv:bashate]commands}
{[testenv:ansible-lint]commands}
{[testenv:ansible-syntax]commands}
[testenv:releasenotes]
commands = sphinx-build -a -E -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
View Git Blame Copy Permalink