run integration tests in docker

.kitchen.ec2.yml

@@ -12,6 +12,13 @@ transport:
   username: ec2-user
   ssh_key: <%= ENV['EC2_SSH_KEY_PATH'] %>
 
+provisioner:
+  name: chef_solo
+
+verifier:
+  name: inspec
+  sudo: true
+
 platforms:
   - name: windows-2008
     driver:
@@ -73,3 +80,9 @@ platforms:
   - name: aws-linux
     driver:
       image_id: ami-daaeaec7
+
+suites:
+  - name: default
+    run_list:
+      - recipe[os_prepare]
+    attributes:

.kitchen.vagrant.yml

@@ -0,0 +1,45 @@
+---
+driver:
+  name: vagrant
+
+provisioner:
+  name: chef_solo
+
+verifier:
+  name: inspec
+  sudo: true
+
+platforms:
+  - name: centos-7.1
+  - name: centos-6.7
+  - name: centos-6.7-i386
+  - name: centos-5.11
+  - name: centos-5.11-i386
+  - name: debian-6.0.10
+  - name: debian-6.0.10-i386
+  - name: debian-7.8
+  - name: debian-7.8-i386
+  - name: debian-8.1
+  - name: debian-8.1-i386
+  - name: fedora-21
+  - name: fedora-21-i386
+  - name: fedora-22
+  - name: freebsd-9.3
+  - name: freebsd-10.2
+  - name: opensuse-13.2-x86_64
+  - name: opensuse-13.2-i386
+  - name: ubuntu-14.04
+  - name: ubuntu-14.04-i386
+  - name: ubuntu-12.04
+  - name: ubuntu-12.04-i386
+  - name: ubuntu-10.04
+  - name: ubuntu-10.04-i386
+  - name: mint-17.2-cinnamon
+    driver_config:
+      box: artem-sidorenko/mint-17.2-cinnamon
+
+suites:
+  - name: default
+    run_list:
+      - recipe[os_prepare]
+    attributes:

.kitchen.yml

@@ -1,45 +1,80 @@
 ---
 driver:
-  name: vagrant
+  name: dokken
+  chef_version: 12.5.1
+  privileged: true # because Docker and SystemD/Upstart
+
+transport:
+  name: dokken
 
 provisioner:
-  name: chef_solo
+  name: dokken
 
 verifier:
   name: inspec
   sudo: true
 
 platforms:
-  - name: centos-7.1
-  - name: centos-6.7
-  - name: centos-6.7-i386
-  - name: centos-5.11
-  - name: centos-5.11-i386
-  - name: debian-6.0.10
-  - name: debian-6.0.10-i386
-  - name: debian-7.8
-  - name: debian-7.8-i386
-  - name: debian-8.1
-  - name: debian-8.1-i386
-  - name: fedora-21
-  - name: fedora-21-i386
-  - name: fedora-22
-  - name: freebsd-9.3
-  - name: freebsd-10.2
-  - name: opensuse-13.2-x86_64
-  - name: opensuse-13.2-i386
-  - name: ubuntu-14.04
-  - name: ubuntu-14.04-i386
-  - name: ubuntu-12.04
-  - name: ubuntu-12.04-i386
-  - name: ubuntu-10.04
-  - name: ubuntu-10.04-i386
-  - name: mint-17.2-cinnamon
-    driver_config:
-      box: artem-sidorenko/mint-17.2-cinnamon
+- name: ubuntu-12.04
+  driver:
+    image: ubuntu:12.04
+- name: ubuntu-14.04
+  driver:
+    image: ubuntu:14.04
+- name: ubuntu-15.10
+  driver:
+    image: ubuntu:15.10
+    pid_one_command: /bin/systemd
+- name: ubuntu-16.04
+  driver:
+    image: ubuntu:16.04
+    intermediate_instructions:
+    - RUN /usr/bin/apt-get update
+    pid_one_command: /bin/systemd
+- name: centos-6.6
+  driver:
+    image: centos:6.6
+- name: centos-6.7
+  driver:
+    image: centos:6.7
+    intermediate_instructions:
+      - RUN yum install -y initscripts
+- name: centos-7
+  driver:
+    image: centos:7
+    pid_one_command: /usr/lib/systemd/systemd
+- name: oracle-6.6
+  driver:
+    image: oraclelinux:6.6
+- name: oracle-6.7
+  driver:
+    image: oraclelinux:6.7
+- name: oracle-7.1
+  driver:
+    image: oraclelinux:7.1
+    pid_one_command: /usr/lib/systemd/systemd
+- name: debian-7
+  driver:
+    image: debian:7
+    intermediate_instructions:
+    - RUN /usr/bin/apt-get update
+    - RUN /usr/bin/apt-get install -y procps
+- name: debian-8
+  driver:
+    image: debian:8
+    intermediate_instructions:
+    - RUN /usr/bin/apt-get update
+    - RUN /usr/bin/apt-get install -y procps
+    pid_one_command: /bin/systemd
 
 suites:
-  - name: default
-    run_list:
-      - recipe[os_prepare]
-    attributes:
+- name: default
+  run_list:
+  - recipe[apt]
+  - recipe[yum]
+  - recipe[ssh-hardening]
+  - recipe[os_prepare]
+  attributes:
+    osprepare:
+      docker: true
+      application: false

.travis.yml

@@ -17,6 +17,12 @@ matrix:
     script: bundle exec rake lint test test:resources config=test/test.yaml
   - rvm: 2.2
     script: N=5 bundle exec rake test:functional test:resources config=test/test-extra.yaml
+  - rvm: 2.2
+    bundler_args: "--without guard tools"
+    script: DOCKER=true bundle exec rake test:integration OS='default-ubuntu-1204'
+  - rvm: 2.2
+    bundler_args: "--without guard tools"
+    script: DOCKER=true bundle exec rake test:integration OS='default-ubuntu-1604'
 deploy:
   provider: rubygems
   on:

Berksfile

@@ -4,3 +4,4 @@ source 'https://supermarket.chef.io'
 cookbook 'apt'
 cookbook 'os_prepare', path: './test/cookbooks/os_prepare'
 cookbook 'runit', github: 'hw-cookbooks/runit'
+cookbook 'ssh-hardening', git: 'https://github.com/dev-sec/chef-ssh-hardening.git'

Gemfile

@@ -23,6 +23,7 @@ group :integration do
   gem 'kitchen-vagrant'
   gem 'kitchen-inspec', '0.12.5'
   gem 'kitchen-ec2'
+  gem 'kitchen-dokken'
 end
 
 group :tools do

Rakefile

@@ -49,10 +49,10 @@ namespace :test do
     sh(Gem.ruby, 'test/docker_test.rb', *tests)
   end
 
-  task :vm do
-    concurrency = ENV['CONCURRENCY'] || 4
-    path = File.join(File.dirname(__FILE__), 'test', 'integration')
-    sh('sh', '-c', "cd #{path} && bundle exec kitchen test -c #{concurrency} -t .")
+  task :integration do
+    concurrency = ENV['CONCURRENCY'] || 1
+    os = ENV['OS'] || ''
+    sh('sh', '-c', "bundle exec kitchen test -c #{concurrency} #{os}")
   end
 
   task :ssh, [:target] do |_t, args|

test/cookbooks/os_prepare/attributes/default.rb

@@ -0,0 +1,2 @@
+default['osprepare']['docker'] = false
+default['osprepare']['application'] = true

test/cookbooks/os_prepare/recipes/default.rb

@@ -7,19 +7,21 @@
 
 # basic tests
 include_recipe('os_prepare::file')
-include_recipe('os_prepare::mount')
+include_recipe('os_prepare::mount') unless node['osprepare']['docker']
 include_recipe('os_prepare::service')
 include_recipe('os_prepare::package')
 include_recipe('os_prepare::registry_key')
-include_recipe('os_prepare::iptables')
+include_recipe('os_prepare::iptables') unless node['osprepare']['docker']
+
+# config file parsing
+include_recipe('os_prepare::json_yaml_csv_ini')
 
 # configure repos, eg. nginx
 include_recipe('os_prepare::apt')
 
 # application configuration
-include_recipe('os_prepare::postgres')
-include_recipe('os_prepare::auditctl')
-include_recipe('os_prepare::apache')
-
-# config file parsing
-include_recipe('os_prepare::json_yaml_csv_ini')
+if node['osprepare']['application']
+  include_recipe('os_prepare::postgres')
+  include_recipe('os_prepare::auditctl') unless node['osprepare']['docker']
+  include_recipe('os_prepare::apache')
+end

test/integration/default/apache_conf_spec.rb

@@ -1,15 +1,16 @@
 # encoding: utf-8
 
-if os.linux?
+# TODO: do not run those tests on docker yet
+return if ENV['DOCKER']
+return unless os.linux?
 
-  # direct access to params of apache conf
-  describe apache_conf do
-    its('LogLevel') { should eq 'warn' }
-    its('MaxKeepAliveRequests') { should eq '100' }
-  end
+# direct access to params of apache conf
+describe apache_conf do
+  its('LogLevel') { should cmp 'warn' }
+  its('MaxKeepAliveRequests') { should cmp 100 }
+end
 
-  # only read one param
-  describe apache_conf.params('LogLevel') do
-    it { should include 'warn' }
-  end
+# only read one param
+describe apache_conf.params('LogLevel') do
+  it { should include 'warn' }
 end

test/integration/default/compare_matcher_spec.rb

@@ -11,12 +11,12 @@
     its('Port') { should cmp 22.0 }
     its('Port') { should_not cmp 22.1 }
 
-    its('LogLevel') { should eq 'INFO' }
-    its('LogLevel') { should_not eq 'info'}
+    its('LogLevel') { should eq 'VERBOSE' }
+    its('LogLevel') { should_not eq 'verbose'}
 
-    its('LogLevel') { should cmp 'INFO' }
-    its('LogLevel') { should cmp 'info' }
-    its('LogLevel') { should cmp 'InfO' }
+    its('LogLevel') { should cmp 'VERBOSE' }
+    its('LogLevel') { should cmp 'verbose' }
+    its('LogLevel') { should cmp 'VerBose' }
   end
 
   describe passwd.passwords.uniq do

test/integration/default/etc_group_spec.rb

@@ -1,5 +1,9 @@
 # encoding: utf-8
 
+# TODO: do not run those tests on docker yet
+return if ENV['DOCKER']
+
+# lets define our own group
 root_group = 'root'
 
 if os[:family] == 'aix'

test/integration/default/file_spec.rb

@@ -1,5 +1,8 @@
 # encoding: utf-8
 
+# TODO: do not run those tests on docker yet
+return if ENV['DOCKER']
+
 if os[:family] == 'freebsd'
   filedata = {
     user: 'root',
@@ -56,8 +59,8 @@
     # it { should have_mode }
     its('mode') { should eq 00765 }
     it { should be_mode 00765 }
-    its('mode') { should cmp '0765' }
-    its('mode') { should_not cmp '0777' }
+    its('mode') { should cmp 0765 }
+    its('mode') { should_not cmp 0777 }
 
     it { should be_readable }
     it { should be_readable.by('owner') }

test/integration/default/iptables_spec.rb

@@ -1,5 +1,8 @@
 # encoding: utf-8
 
+# TODO: do not run those tests on docker yet
+return if ENV['DOCKER']
+
 case os[:family]
 when 'ubuntu', 'fedora'
   describe iptables do

test/integration/default/kernel_module_spec.rb

@@ -1,17 +1,18 @@
 # encoding: utf-8
 
-# Test kernel modules on all linux systems
-if os.linux?
+# TODO: do not run those tests on docker yet
+return if ENV['DOCKER']
+return unless os.linux?
 
-  describe kernel_module('video') do
-    it { should be_loaded }
-  end
+# Test kernel modules on all linux systems
+describe kernel_module('video') do
+  it { should be_loaded }
+end
 
-  describe kernel_module('bridge') do
-    it { should_not be_loaded }
-  end
+describe kernel_module('bridge') do
+  it { should_not be_loaded }
+end
 
-  describe kernel_module('dhcp') do
-    it { should_not be_loaded }
-  end
+describe kernel_module('dhcp') do
+  it { should_not be_loaded }
 end

test/integration/default/kernel_parameter_spec.rb

@@ -1,5 +1,8 @@
 # encoding: utf-8
 
+# TODO: do not run those tests on docker yet
+return if ENV['DOCKER']
+
 # prepare values
 if ['ubuntu', 'centos', 'fedora', 'opensuse', 'debian'].include?(os[:family])
   test_values = {