bab6fcad3c
Now that we've got base server stuff rewritten in ansible, remove the old puppet versions. Depends-On: https://review.openstack.org/588326 Change-Id: I5c82fe6fd25b9ddaa77747db377ffa7e8bf23c7b
93 lines
2.9 KiB
Ruby
Executable File
93 lines
2.9 KiB
Ruby
Executable File
require 'puppet-openstack_infra_spec_helper/spec_helper_acceptance'
|
|
|
|
describe 'openstack_project::server' do
|
|
|
|
def pp_path
|
|
base_path = File.dirname(__FILE__)
|
|
File.join(base_path, 'fixtures')
|
|
end
|
|
|
|
def puppet_manifest
|
|
manifest_path = File.join(pp_path, 'default.pp')
|
|
File.read(manifest_path)
|
|
end
|
|
|
|
def postconditions_puppet_manifest
|
|
manifest_path = File.join(pp_path, 'postconditions.pp')
|
|
File.read(manifest_path)
|
|
end
|
|
|
|
before(:all) do
|
|
# The ssh_authorized_key resource uses the key comment as a universal
|
|
# identifier, so if a user's key is already in root's authorized keys, it
|
|
# conflicts with adding the key for the user itself. Move root's key list
|
|
# aside temporarily.
|
|
shell('mv /root/.ssh/authorized_keys /root/.ssh/authorized_keys.bak')
|
|
# epel is needed to install exim
|
|
if os[:family] == 'redhat'
|
|
shell('yum-config-manager --enable epel')
|
|
end
|
|
end
|
|
|
|
it 'should work with no errors' do
|
|
apply_manifest(puppet_manifest, catch_failures: true)
|
|
end
|
|
|
|
it 'should be idempotent' do
|
|
apply_manifest(puppet_manifest, catch_changes: true)
|
|
end
|
|
|
|
it 'should turn root ssh back on' do
|
|
apply_manifest(postconditions_puppet_manifest, catch_failures: true)
|
|
shell('mv /root/.ssh/authorized_keys.bak /root/.ssh/authorized_keys')
|
|
end
|
|
|
|
['mordred',
|
|
'corvus',
|
|
'clarkb',
|
|
'fungi',
|
|
'jhesketh',
|
|
'pabelanger',
|
|
'ianw',
|
|
'shrews',
|
|
'dmsimard',
|
|
'yolanda',
|
|
'rcarrillocruz',
|
|
'frickler'].each do |user|
|
|
describe user(user) do
|
|
it { should exist }
|
|
end
|
|
end
|
|
|
|
['slukjanov',
|
|
'elizabeth',
|
|
'nibz'].each do |user|
|
|
describe user(user) do
|
|
it { should_not exist }
|
|
end
|
|
end
|
|
|
|
exim = os[:family] == 'ubuntu' ? 'exim4' : 'exim'
|
|
ntp = os[:family] == 'ubuntu' ? 'ntp' : 'ntpd'
|
|
services = ['rsyslog', 'unbound', exim, 'snmpd', ntp]
|
|
if os[:family] == 'ubuntu'
|
|
services.push('openafs-client')
|
|
end
|
|
services.each do |service|
|
|
describe service(service) do
|
|
it { should be_running }
|
|
end
|
|
end
|
|
|
|
describe command('iptables -S') do
|
|
its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT') }
|
|
its(:stdout) { should contain('-A openstack-INPUT -s 172.99.116.215/32 -p udp -m udp --dport 161 -j ACCEPT') }
|
|
its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT') }
|
|
its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT') }
|
|
its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 29418 -j ACCEPT') }
|
|
its(:stdout) { should contain('-A openstack-INPUT -p tcp -m tcp --dport 29418 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable') }
|
|
its(:stdout) { should contain('-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited') }
|
|
end
|
|
|
|
end
|