Execute integration tests in DigitalOcean

.kitchen.do.local.yml

@@ -0,0 +1,21 @@
+# this file is used for configuration of DigitalOcean
+# for integration tests in the CI
+---
+driver:
+  name: digitalocean
+  size: 512mb
+
+transport:
+  ssh_key: '~/.ssh/ci_id_rsa'
+  max_wait_until_ready: 30
+
+platforms:
+- name: ubuntu-12-04-x64
+- name: ubuntu-14-04-x64
+- name: ubuntu-16-04-x64
+- name: centos-6-5-x64
+- name: centos-7-0-x64
+- name: debian-7-x64
+- name: debian-8-x64
+- name: fedora-24-x64
+- name: fedora-25-x64

.kitchen.yml

@@ -1,65 +1,29 @@
 ---
+
 driver:
-  name: dokken
-  chef_version: 12.5.1
-  privileged: true # because Docker and SystemD/Upstart
+  name: vagrant
 
-transport:
-  name: dokken
+platforms:
+- name: ubuntu-12.04
+- name: ubuntu-14.04
+- name: ubuntu-16.04
+- name: centos-6.8
+- name: centos-7.3
+- name: oracle-6.8
+- name: oracle-7.3
+- name: debian-7.11
+- name: debian-8.6
+- name: fedora-24
+- name: fedora-25
+- name: opensuse-leap-42.1
+- name: opensuse-13.2
 
 provisioner:
-  name: dokken
+  name: chef_solo
+  require_chef_omnibus: 12.5.1
 
 verifier:
   name: inspec
-  sudo: false
-
-platforms:
-- name: ubuntu-12.04
-  driver:
-    image: ubuntu:12.04
-- name: ubuntu-14.04
-  driver:
-    image: ubuntu:14.04
-- name: ubuntu-16.06
-  driver:
-    image: ubuntu:16.04
-    pid_one_command: /bin/systemd
-- name: centos-6.8
-  driver:
-    image: centos:6.8
-    intermediate_instructions:
-      - RUN yum install -y initscripts
-- name: centos-7
-  driver:
-    image: centos:7
-    pid_one_command: /usr/lib/systemd/systemd
-- name: oracle-6.6
-  driver:
-    image: oraclelinux:6.6
-- name: oracle-6.7
-  driver:
-    image: oraclelinux:6.7
-- name: oracle-7.1
-  driver:
-    image: oraclelinux:7.1
-    pid_one_command: /usr/lib/systemd/systemd
-- name: debian-6
-  driver:
-    image: debian:6
-    intermediate_instructions:
-    - RUN /usr/bin/apt-get update
-    - RUN /usr/bin/apt-get install -y procps
-- name: debian-7
-  driver:
-    image: debian:7
-    intermediate_instructions:
-    - RUN /usr/bin/apt-get update
-    - RUN /usr/bin/apt-get install -y procps
-- name: debian-8
-  driver:
-    image: debian:8
-    pid_one_command: /bin/systemd
 
 suites:
 - name: default
@@ -68,3 +32,14 @@ suites:
   verifier:
     inspec_tests:
     - https://github.com/dev-sec/linux-baseline
+- name: modules_disabled
+  run_list:
+  - recipe[os-hardening::default]
+  attributes:
+    os-hardening:
+      security:
+        kernel:
+          enable_module_loading: false
+  verifier:
+    inspec_tests:
+    - https://github.com/dev-sec/linux-baseline

.travis.yml

@@ -1,7 +1,41 @@
 ---
-rvm:
-- 2.3.1
+sudo: false
 language: ruby
-bundler_args: "--without development integration"
-gemfile:
-- Gemfile
+bundler_args: "--without development"
+dist: trusty
+cache: bundler
+
+rvm: 2.3.3
+
+before_install:
+  - gem update --system # see https://github.com/bundler/bundler/issues/5357
+
+env:
+ - INSTANCE=ubuntu-12-04
+ - INSTANCE=ubuntu-14-04
+ - INSTANCE=ubuntu-16-04
+ - INSTANCE=centos-6
+ - INSTANCE=centos-7
+ - INSTANCE=debian-7
+ - INSTANCE=debian-8
+ - INSTANCE=fedora-24
+ - INSTANCE=fedora-25
+
+script:
+  -  bundle exec rake prepare_do_env kitchen KITCHEN_LOCAL_YAML=.kitchen.do.local.yml
+
+matrix:
+  allow_failures: # allow failues of integration tests as the forks might miss the DO token
+  - env: INSTANCE=ubuntu-12-04
+  - env: INSTANCE=ubuntu-14-04
+  - env: INSTANCE=ubuntu-16-04
+  - env: INSTANCE=centos-6
+  - env: INSTANCE=centos-7
+  - env: INSTANCE=debian-7
+  - env: INSTANCE=debian-8
+  - env: INSTANCE=fedora-24
+  - env: INSTANCE=fedora-25
+  include:
+    - env: UNIT_AND_LINT=1
+      script:
+        - bundle exec rake lint spec

CONTRIBUTING.md

@@ -1,26 +1,25 @@
 # Contributor Guideline
 
-This document provides an overview of how you can participat in improving this project or extending it. We are grateful for all your help: bug reports and fixes, code contributions, documentation or ideas. Feel free to join, we appreciate your support!!
+This document provides an overview of how you can participate in improving this project or extending it. We are grateful for all your help: bug reports and fixes, code contributions, documentation or ideas. Feel free to join, we appreciate your support!!
 
 ## Communication
 
 ### GitHub repositories
 
 Much of the issues, goals and ideas are tracked in the respective projects in GitHub. Please use this channel to report bugs and post ideas.
 
-### Trello
-
-The overall hardening project is organized publicly on Trello. Feel free to join and add tasks and ideas for the overall project. [https://trello.com/b/gL9v8N1q/dt-hardening](https://trello.com/b/gL9v8N1q/dt-hardening)
-
 ## git and GitHub
 
 In order to contribute code please:
 
-1. Fork the project on GitHub
+1. Fork the repository
 2. Clone the project
-3. Add changes (and tests)
-4. Commit and push
-5. Create a merge-request
+3. Create a named feature branch (like `feature/add_component_x`)
+4. Do your changes (do not forget the tests)
+5. Run the tests, ensuring they all pass (and you are not decreasing the test coverage)
+6. [Rebase][rebase-squash] it to the latest master (to ensure your changes do apply)
+7. [Squash][rebase-squash] your commits to a small amount of logical separated commits (e.g. to avoid commits with something like "reverted or fixed last commit" in the commit chain)
+8. Submit a Merge Request to the master branch of this repository
 
 To have your code merged, see the expectations listed below.
 
@@ -30,7 +29,6 @@ Please follow common commit best-practices. Be explicit, have a short summary, a
 
 Some great guidelines can be found [here](https://wiki.openstack.org/wiki/GitCommitMessages) and [here](http://robots.thoughtbot.com/5-useful-tips-for-a-better-commit-message).
 
-
 ## Expectations
 
 ### Don't reinvent the wheel
@@ -42,7 +40,7 @@ This hardening project doesn't intend to reinvent the configuration stack for se
 
 These projects are generally hosted on GitHub as well.
 
-In some cases, we in fact create the full rollout stack, but this is generally the exception ([os-hardening](https://github.com/TelekomLabs/chef-os-hardening), [ssh-hardening](https://github.com/TelekomLabs/chef-ssh-hardening)).
+In some cases, we in fact create the full rollout stack, but this is generally the exception ([os-hardening](https://github.com/dev-sec/chef-os-hardening), [ssh-hardening](https://github.com/dev-sec/chef-ssh-hardening)).
 
 
 ### Be explicit
@@ -86,3 +84,5 @@ Remember: Code is generally read much more often than written.
 ### Use Markdown
 
 Wherever possible, please refrain from any other formats and stick to simple markdown.
+
+[rebase-squash]: https://github.com/edx/edx-platform/wiki/How-to-Rebase-a-Pull-Request

Gemfile

@@ -22,7 +22,7 @@ group :development do
 end
 
 group :integration do
-  gem 'kitchen-dokken'
+  gem 'kitchen-digitalocean'
   gem 'kitchen-inspec'
   gem 'kitchen-vagrant'
   gem 'test-kitchen', '~> 1.0'

README.md

@@ -116,46 +116,43 @@ Configure attributes:
 
 ## Local Testing
 
-For local testing you can use vagrant and Virtualbox of VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See [Vagrant Downloads](http://downloads.vagrantup.com/) for a vagrant package suitable for your system. For all our tests we use `test-kitchen`. If you are not familiar with `test-kitchen` please have a look at [their guide](http://kitchen.ci/docs/getting-started).
+### Local testing
 
-Next install test-kitchen:
+Please install [chef-dk](https://downloads.chef.io/chefdk), [VirtualBox](https://www.virtualbox.org/) or VMware Workstation and [Vagrant](https://www.vagrantup.com/).
 
-    gem install test-kitchen kitchen-vagrant
+Linting is checked with [rubocop](https://github.com/bbatsov/rubocop) and [foodcritic](http://www.foodcritic.io/):
 
-Next install berkshelf for dependency management
-
-    gem install berkshelf
-
-Create a local kitchen configuration:
-
-    cp .kitchen.local.yml{.example,}
+```bash
+$ chef exec rake lint
+.....
+```
 
-You should now be able to run tests:
+Unit/spec tests are done with [chefspec](https://github.com/sethvargo/chefspec):
 
 ```bash
-# Install dependencies
-gem install bundler
-bundle install
-
-# Do lint checks
-bundle exec rake lint
+$ chef exec rake spec
+.....
+```
 
-# fast test on one machine
-bundle exec kitchen test default-ubuntu-1204
+Integration tests are done with [test-kitchen](https://github.com/sethvargo/chefspec):
 
-# test on all machines
-bundle exec kitchen test
+```bash
+$ chef exec rake kitchen
+.....
+# or you can use the kitchen directly
+$ kitchen test
+```
 
-# for development, it uses docker based vms
-bundle exec kitchen create default-ubuntu-1204
-bundle exec kitchen converge default-ubuntu-1204
+### CI testing of forks
 
-# if you like to use the vagrant setup, use
-KITCHEN_YAML=.kitchen.vagrant.yml bundle exec kitchen converge default-ubuntu-1404
-```
+You can enable testing of your fork in [Travis CI](http://travis-ci.org/). By default you will get linting and spec tests.
 
-http://kitchen.ci/docs/getting-started
+Integration tests of this repository are conducted using [DigitalOcean](http://digitalocean.com/).
 
+If you want to have integration tests for your fork, you will have to add following [environment variables](https://docs.travis-ci.com/user/environment-variables/#Defining-Variables-in-Repository-Settings) in the settings of your fork:
+- `DIGITALOCEAN_ACCESS_TOKEN` - [access token for DigitalOcean](https://www.digitalocean.com/community/tutorials/how-to-use-the-digitalocean-api-v2)
+- `CI_SSH_KEY` - private part of some ssh key, available on DigitalOcean for your instances, in base64 encoded form (e.g. `cat id_rsa | base64 -w0 ; echo`)
+- `DIGITALOCEAN_SSH_KEY_IDS` - ID in DigitalOcean of `CI_SSH_KEY`, see [this](https://github.com/test-kitchen/kitchen-digitalocean#installation-and-setup) for more information
 
 ## Contributors + Kudos