Inspec (#232)

* Remove privileges from Docker container * Inspec setup * Use RedHat QE Jenkins profile and generating attributes from template
RedHatQE · Jun 26, 2018 · 3dfaf60 · 3dfaf60
1 parent 4925888
commit 3dfaf60
Show file tree

Hide file tree

Showing 9 changed files with 48 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -18,3 +18,6 @@ build
 .coverage
 coverage.xml
 htmlcov/
+.pytest_cache/
+**/*.lock
+tests/profile.yml
diff --git a/.travis.yml b/.travis.yml
@@ -16,6 +16,7 @@ before_install:
   - travis_retry pip install -U pip
   - pip --version
 install:
+  - travis_retry gem install inspec
   - travis_retry pip install tox
   - tox --version
 script:

diff --git a/scripts/master.sh b/scripts/master.sh
@@ -26,7 +26,8 @@ ansible -i /dev/null \
 		detach=true \
 		command='/usr/lib/systemd/systemd \
 		--system' \
-		privileged=true"
+		capabilities=SYS_ADMIN \
+		$([[ $TRAVIS = true ]] && echo privileged=true)"
 # Fedora is lacking python in base image
 docker exec -it "${container_name}" "${pkg_mgr}" install -y python
 ansible -i "${inventory}" \
@@ -45,6 +46,11 @@ ansible-playbook -i "${inventory}" \
 	"${cinch}/cinch/site.yml" \
 	-e jenkins_user_password=somedummyvalue
 ########################################################
+# Run inspec against the container
+########################################################
+erb "${cinch}/tests/profile.yml.erb" > "${cinch}/tests/profile.yml"
+inspec exec "${cinch}/tests/cinch" --attrs "${cinch}/tests/profile.yml" -t "docker://${container_name}"
+########################################################
 # Finish and close up the container
 ########################################################
 echo "Saving image"

diff --git a/tests/cinch/README.md b/tests/cinch/README.md
@@ -0,0 +1,3 @@
+# Cinch InSpec Profile
+
+This example shows the implementation of an InSpec profile.
diff --git a/tests/cinch/controls/cinch.rb b/tests/cinch/controls/cinch.rb
@@ -0,0 +1 @@
+include_controls "jenkins"
diff --git a/tests/cinch/inspec.yml b/tests/cinch/inspec.yml
@@ -0,0 +1,12 @@
+name: cinch
+title: Cinch Profile
+maintainer: Alexander Braverman Masis
+copyright: Red Hat
+copyright_email: abraverm@redhat.com
+license: GPL-3.0
+summary: Cinch Compliance Profile
+version: 0.1.0
+depends:
+  - name: jenkins
+    git: https://github.com/RedHatQe/jenkins-profile.git
+    branch: master
diff --git a/tests/cinch/libraries/.gitkeep b/tests/cinch/libraries/.gitkeep
diff --git a/tests/profile.yml.erb b/tests/profile.yml.erb
@@ -0,0 +1,18 @@
+version: 2.60.3-1.1
+jenkins_home: /var/lib/jenkins
+ports:
+  - 8080
+jenkins_url: http://localhost:8080
+jenkins_settings:
+  - key: "hudson/useSecurity"
+    value:
+      - 'true'
+  - key: "hudson/securityRealm/@class"
+    value:
+      - 'hudson.security.HudsonPrivateSecurityRealm'
+  - key: hudson/slaveAgentPort
+    value:
+      - '50000'
+
+jenkins_plugins:
+<%= %x(cat cinch/files/jenkins-plugin-lists/default.txt | awk -F '==' '{print "  -", $1}') %>
diff --git a/tox.ini b/tox.ini
@@ -102,3 +102,6 @@ deps =
     {[testenv]deps}
     docker-py
 commands = bash ./tests/fedora_master.sh
+
+[testenv:inspec_master]
+commands = bash -c "inspec exec tests/cinch -t docker://jmaster"