use docker for testing

Author: Sebastian Gumprich

.kitchen.vagrant.yml

@@ -0,0 +1,75 @@
+---
+driver:
+  name: vagrant
+
+provisioner:
+  name: ansible_playbook
+  hosts: all
+  require_ansible_repo: false
+  require_ansible_omnibus: true
+  require_chef_for_busser: false
+  require_ruby_for_busser: false
+  ansible_verbose: true
+  roles_path: ../ansible-mysql-hardening/
+  playbook: default.yml
+  requirements_path: requirements.yml
+  sudo_command: 'sudo -E -H'
+
+transport:
+  max_ssh_sessions: 5
+
+platforms:
+- name: ubuntu-12.04
+  driver_config:
+    box: opscode-ubuntu-12.04
+    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box
+- name: ubuntu-14.04
+  driver_config:
+    box: opscode-ubuntu-14.04
+    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box
+- name: ubuntu-16.04
+  driver_config:
+    box: opscode-ubuntu-16.04
+    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-16.04_chef-provisionerless.box
+- name: centos-6.4
+  driver_config:
+    box: opscode-centos-6.4
+    box_url: https://opscode-vm.s3.amazonaws.com/vagrant/opscode_centos-6.4_provisionerless.box
+- name: centos-6.5
+  driver_config:
+    box: opscode-centos-6.5
+    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box
+- name: centos-6.8
+  driver_config:
+    box: bento/centos-6.8
+- name: centos-7
+  driver_config:
+    box: bento/centos-7.2
+- name: oracle-6.4
+  driver_config:
+    box: oracle-6.4
+    box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box
+- name: oracle-6.5
+  driver_config:
+    box: oracle-6.5
+    box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
+- name: oracle-7
+  driver_config:
+    box: boxcutter/ol72
+- name: debian-7
+  driver_config:
+    box: debian-7
+    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box
+- name: debian-8
+  driver_config:
+    box: debian-8
+    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box
+
+verifier:
+  name: inspec
+  sudo: true
+  inspec_tests:
+    - https://github.com/dev-sec/mysql-baseline/
+
+suites:
+- name: mysql

.kitchen.yml

@@ -1,62 +1,82 @@
 ---
 driver:
-  name: vagrant
+  name: docker
+  privileged: true
+  use_sudo: false
+
+transport:
+  max_ssh_sessions: 5
+
 provisioner:
   name: ansible_playbook
-  test_repo_uri: https://github.com/hardening-io/tests-mysql-hardening.git
   hosts: all
-  playbook: default.yml
   require_ansible_repo: false
   require_ansible_omnibus: true
-  requirements_path: requirements.yml
+  require_chef_for_busser: false
+  require_ruby_for_busser: false
   ansible_verbose: true
   ansible_diff: true
+  hosts: all
   roles_path: ../ansible-mysql-hardening/
+  playbook: default.yml
+  requirements_path: requirements.yml
   sudo_command: 'sudo -E -H'
 
 platforms:
-- name: ubuntu-12.04
-  driver_config:
-    box: opscode-ubuntu-12.04
-    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box
-- name: ubuntu-14.04
-  driver_config:
-    box: opscode-ubuntu-14.04
-    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box
-- name: centos-6.4
-  driver_config:
-    box: opscode-centos-6.4
-    box_url: https://opscode-vm.s3.amazonaws.com/vagrant/opscode_centos-6.4_provisionerless.box
-- name: centos-6.5
-  driver_config:
-    box: opscode-centos-6.5
-    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box
-- name: centos-7.2
-  driver_config:
-    box: opscode-centos-7.2
-    box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-7.2_chef-provisionerless.box
-- name: oracle-6.4
-  driver_config:
-    box: oracle-6.4
-    box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box
-- name: oracle-6.5
-  driver_config:
-    box: oracle-6.5
-    box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
-- name: debian-6
-  driver_config:
-    box: debian-6
-    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-6.0.10_chef-provisionerless.box
-- name: debian-7
-  driver_config:
-    box: debian-7
-    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box
-- name: debian-8
-  driver_config:
-    box: debian-8
-    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box
+- name: centos6-ansible-latest
+  driver:
+    image: rndmh3ro/docker-centos6-ansible:latest
+    platform: centos
+- name: centos7-ansible-latest
+  driver:
+    image: rndmh3ro/docker-centos7-ansible:latest
+    platform: centos
+- name: oracle6-ansible-latest
+  driver:
+    image: rndmh3ro/docker-oracle6-ansible:latest
+    platform: centos
+- name: oracle7-ansible-latest
+  driver:
+    image: rndmh3ro/docker-oracle7-ansible:latest
+    platform: centos
+- name: ubuntu1204-ansible-latest
+  driver:
+    image: rndmh3ro/docker-ubuntu1204-ansible:latest
+    platform: ubuntu
+    run_command: /sbin/init
+- name: ubuntu1404-ansible-latest
+  driver:
+    image: rndmh3ro/docker-ubuntu1404-ansible:latest
+    platform: ubuntu
+- name: ubuntu1604-ansible-latest
+  driver:
+    image: rndmh3ro/docker-ubuntu1604-ansible:latest
+    platform: ubuntu
+- name: debian7-ansible-latest
+  driver:
+    image: rndmh3ro/docker-debian7-ansible:latest
+    platform: debian
+    intermediate_instructions:
+    - RUN /usr/bin/apt-get update
+    - RUN /usr/bin/apt-get install -y procps
+- name: debian8-ansible-latest
+  driver:
+    image: rndmh3ro/docker-debian8-ansible:latest
+    platform: debian
+    intermediate_instructions:
+    - RUN /usr/bin/apt-get update
+    - RUN /usr/bin/apt-get install -y procps
+    pid_one_command: /bin/systemd
+- name: debian9-ansible-latest
+  driver:
+    image: rndmh3ro/docker-debian9-ansible:latest
+    platform: debian
+
+verifier:
+  name: inspec
+  sudo: true
+  inspec_tests:
+    - https://github.com/dev-sec/mysql-baseline
+
 suites:
-- name: ansible_1.9
-  provisioner:
-    ansible_version: 1.9.4
-- name: ansible_latest
+- name: mysql

.travis.yml

@@ -1,21 +1,75 @@
 ---
-notifications:
-  webhooks: https://galaxy.ansible.com/api/v1/notifications/
-language: python
-python: "2.7"
+services: docker
 
 env:
-  - ANSIBLE_VERSION=latest
-  - ANSIBLE_VERSION=1.9.4
+  - distro: centos6
+    version: latest
+    run_opts: "--privileged"
+    init: /sbin/init
+
+  - distro: centos7
+    init: /usr/lib/systemd/systemd
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    version: latest
+
+  - distro: oracle6
+    version: latest
+    run_opts: "--privileged"
+    init: /sbin/init
+
+  - distro: oracle7
+    init: /usr/lib/systemd/systemd
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    version: latest
+
+# see https://github.com/dev-sec/mysql-baseline/issues/35
+#  - distro: ubuntu1604
+#    version: latest
+#    init: /lib/systemd/systemd
+#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+
+#  - distro: ubuntu1404
+#    version: latest
+#    run_opts: "--privileged"
+#    init: /sbin/init
+
+  - distro: debian7
+    version: latest
+    run_opts: "--privileged"
+    init: /sbin/init
+
+#  - distro: debian8
+#    version: latest
+#    init: /bin/systemd
+#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+
+ # - distro: debian9
+ #   version: latest
+ #   init: /lib/systemd/systemd
+ #   run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
 before_install:
- - sudo apt-get update -qq
- - sudo apt-get install -qq python-apt python-pycurl python-mysqldb
-install:
-  - if [ "$ANSIBLE_VERSION" = "latest" ]; then pip install ansible; else pip install ansible==$ANSIBLE_VERSION; fi
-  - echo -e 'localhost ansible_connection=local' > spec/inventory
-  - echo -e '[defaults]\nroles_path = ../\nhostfile = ./spec/inventory' > ansible.cfg
+  # Pull container
+  - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
 
 script:
-  - ansible-playbook --syntax-check spec/travis.yml
-  - ansible-playbook --sudo -v --diff spec/travis.yml
+  - container_id=$(mktemp)
+  # Run container in detached state.
+  - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-mysql-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
+
+  # Install ansible galaxy requirements
+  - 'docker exec "$(cat ${container_id})" ansible-galaxy install -r /etc/ansible/roles/ansible-mysql-hardening/requirements.yml -p /etc/ansible/roles/'
+
+  # Test role.
+  - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-mysql-hardening/default.yml'
+
+  # Verify role
+  - 'inspec exec https://github.com/rndmh3ro/mysql-baseline/ -t docker://$(cat ${container_id})'
+
+after_failure:
+  # Check MySQL settings.
+  - 'docker exec --tty ${container_id} env TERM=xterm cat /var/log/mysql/error.log'
+  - 'docker exec --tty ${container_id} env TERM=xterm cat /var/log/mysql.err'
+  - 'docker exec --tty ${container_id} env TERM=xterm cat /var/log/mysql.log'
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

default.yml

@@ -1,9 +1,26 @@
 ---
+
 - name: wrapper playbook for kitchen testing "ansible-mysql-hardening"
   hosts: localhost
+  pre_tasks:
+    - file: path="/etc/mysql" state=directory
+    - name: Copy initctl_faker into place for Ubuntu 14.04.
+      copy:
+        src: initctl_faker
+        dest: /sbin/initctl
+        mode: 0755
+        force: yes
+      when: ansible_distribution == 'Ubuntu' and ansible_distribution_version == '14.04'
+      changed_when: false
+    - name: install procps for debian systems
+      apt: name=procps state=installed update_cache=yes
+      when: ansible_distribution == 'Debian'
   vars:
     overwrite_global_mycnf: no
-    mysql_root_password: "root"
+    mysql_root_password: iloverandompasswordsbutthiswilldo
+    mysql_user_password: iloverandompasswordsbutthiswilldo
+    mysql_config_file: /etc/mysql/mariadb.cnf
+    mysql_root_password_update: yes
   roles:
     - geerlingguy.mysql
     - ansible-mysql-hardening

initctl_faker

@@ -0,0 +1,24 @@
+#!/bin/sh
+ALIAS_CMD="$(echo ""$0"" | sed -e 's?/sbin/??')"
+
+case "$ALIAS_CMD" in
+    start|stop|restart|reload|status)
+        exec service $1 $ALIAS_CMD
+        ;;
+esac
+
+case "$1" in
+    list )
+        exec service --status-all
+        ;;
+    reload-configuration )
+        exec service $2 restart
+        ;;
+    start|stop|restart|reload|status)
+        exec service $2 $1
+        ;;
+    \?)
+        exit 0
+        ;;
+esac
+