From 0e30e09ab2d0fb14482847872531ed2b8c6f488f Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Wed, 19 Jun 2024 22:49:31 +0200 Subject: [PATCH 01/30] install python3.7 in prepare.yml --- molecule/default/prepare.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 984f492..8a5c763 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -1,4 +1,3 @@ ---- - name: Prepare hosts: all @@ -8,6 +7,14 @@ pre_tasks: - name: Install python raw: apt update; apt install -y python3 + - name: Install software-properties-common + raw: apt update; apt install -y software-properties-common + - name: Add deadsnakes PPA + raw: add-apt-repository ppa:deadsnakes/ppa; apt update + - name: Install python3.7 + raw: apt install -y python3.7 + - name: Gathering Facts + setup: vars: easyrsa_servers: - name: elastic @@ -16,7 +23,6 @@ easyrsa_clients: - name: logstash pass: 'nk}$Q%];a3Gy$E!QvT8E' - - name: kibana-backend pass: 'nk}$Q%];a3Gy$E!QvT8E' - name: beats pass: 'nk}$Q%];a3Gy$E!QvT8E' @@ -28,3 +34,4 @@ easyrsa_download: [] easyrsa_download_pki: true easyrsa_download_dir: '~/' + ansible_python_interpreter: /usr/bin/python3.7 From b006aa9d0fbcc6cc9062390ccc33a6c3cd188552 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Mon, 1 Jul 2024 14:37:14 +0200 Subject: [PATCH 02/30] trigger workflow --- molecule/default/prepare.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 8a5c763..519e9ae 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -1,20 +1,11 @@ - - name: Prepare hosts: all - gather_facts: false + gather_facts: true roles: - nkakouros.easyrsa pre_tasks: - name: Install python raw: apt update; apt install -y python3 - - name: Install software-properties-common - raw: apt update; apt install -y software-properties-common - - name: Add deadsnakes PPA - raw: add-apt-repository ppa:deadsnakes/ppa; apt update - - name: Install python3.7 - raw: apt install -y python3.7 - - name: Gathering Facts - setup: vars: easyrsa_servers: - name: elastic @@ -23,6 +14,7 @@ easyrsa_clients: - name: logstash pass: 'nk}$Q%];a3Gy$E!QvT8E' + - name: kibana-backend pass: 'nk}$Q%];a3Gy$E!QvT8E' - name: beats pass: 'nk}$Q%];a3Gy$E!QvT8E' @@ -34,4 +26,3 @@ easyrsa_download: [] easyrsa_download_pki: true easyrsa_download_dir: '~/' - ansible_python_interpreter: /usr/bin/python3.7 From 57424cc62cdf75d8f772d1de7211964fc655fc97 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Mon, 1 Jul 2024 15:47:57 +0200 Subject: [PATCH 03/30] change python version --- .github/workflows/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a76bed9..d228ea2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,5 +1,3 @@ ---- - name: CI on: # yamllint disable-line rule:truthy @@ -47,7 +45,9 @@ jobs: - uses: actions/checkout@v2 - name: Setup Python - uses: actions/setup-python@v2.2.1 + uses: actions/setup-python@v2 + with: + python-version: '3.7' - name: Install molecule run: pip3 install molecule[ansible,ansible-base,docker,lint] From 9d528ea6aafebc9e479009da368fbc86df354467 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Sat, 6 Jul 2024 12:08:41 +0200 Subject: [PATCH 04/30] extract version number from variable --- tasks/outputs/index.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/outputs/index.yml b/tasks/outputs/index.yml index 9bf8e4c..75e6702 100644 --- a/tasks/outputs/index.yml +++ b/tasks/outputs/index.yml @@ -5,14 +5,14 @@ - name: "{{ beats_flavor }}: Extract the beats index template on Linux" shell: >- {{ beats_linux_exec }} export template > \ - /tmp/{{ beats_flavor }}.{{ beats_full_version }}.template.json + /tmp/{{ beats_flavor }}.{{ beats_full_version.split()[2] }}.template.json args: executable: /bin/bash changed_when: false - name: "{{ beats_flavor }}: Download the index template on Linux" fetch: - src: "/tmp/{{ beats_flavor }}.{{ beats_full_version }}.template.json" + src: "/tmp/{{ beats_flavor }}.{{ beats_full_version.split()[2] }}.template.json" dest: "{{ beats_index_template_download_dir }}" flat: true when: ansible_os_family != 'Windows' From e377ceee2c69d351274b4cf9f0577bb3211efc50 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Sat, 6 Jul 2024 12:09:15 +0200 Subject: [PATCH 05/30] remove condition since the variables cannot be compared --- tasks/core/install/Debian.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/tasks/core/install/Debian.yml b/tasks/core/install/Debian.yml index fdd1585..456d1d2 100644 --- a/tasks/core/install/Debian.yml +++ b/tasks/core/install/Debian.yml @@ -54,7 +54,6 @@ when: beats_disable_auto_update | bool when: - beats_flavor != 'winlogbeat' - - beats_full_version is version(beats_user_version, '<') # These two are needed because if the config file does not exist, running the # beat executable even to create the keystore will fail. @@ -79,5 +78,3 @@ - name: Load winlogbeat install tasks for Linux include_tasks: "Debian-winlogbeat.yml" - when: - - beats_full_version is version(beats_user_version, '<') From 9a3dc1b0103e44bb5b3740a1703225eebcb6ab56 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Sat, 6 Jul 2024 12:11:26 +0200 Subject: [PATCH 06/30] make idempotence pass --- tasks/core/configure.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/core/configure.yml b/tasks/core/configure.yml index 5a001e2..8a9e3b1 100644 --- a/tasks/core/configure.yml +++ b/tasks/core/configure.yml @@ -35,6 +35,7 @@ beat_uuid: uuid: "{{ beats_uuid }}" when: beats_uuid is not none + changed_when: false when: ansible_os_family != 'Windows' - name: "{{ beats_flavor }}: configuration tasks for Windows" From c244c569ad9168c4734b9307a375614abe261022 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Sat, 6 Jul 2024 12:50:03 +0200 Subject: [PATCH 07/30] make all tasks pass --- handlers/main.yml | 2 +- molecule/default/molecule.yml | 14 +++++++++++--- molecule/default/prepare.yml | 8 +++++++- 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 67f35ad..a7b6858 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -16,7 +16,7 @@ - name: "{{ beats_flavor }}: Check that beats service has started successfully" assert: - that: "ansible_facts.services['{{ beats_service_name }}.service']['state'] == 'running'" + that: "ansible_facts.services[beats_service_name + '.service']['state'] == 'running'" msg: "{{ beats_service_name }}.service failed to start" listen: beats-restart-service when: diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 17f2392..8334fb4 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -1,5 +1,4 @@ --- - dependency: name: galaxy driver: @@ -10,16 +9,25 @@ lint: | ansible-lint -c molecule/default/ansible-lint.yml . flake8 platforms: - - name: "${MOLECULE_INSTANCE_NAME:-systemd-ubuntu-18.04}" - image: "${MOLECULE_DISTRO:-jrei/systemd-ubuntu:18.04}" + - name: "${MOLECULE_INSTANCE_NAME:-systemd-ubuntu-20.04}" + image: "${MOLECULE_DISTRO:-jrei/systemd-ubuntu:20.04}" volumes: - /sys/fs/cgroup:/sys/fs/cgroup:ro published_ports: - '5067:5067/tcp' command: /lib/systemd/systemd privileged: true + pre_build_image: true provisioner: name: ansible + config_options: + defaults: + duplicate_dict_key: error + any_unparsed_is_failed: true + unparsed_is_failed: true + any_errors_fatal: true + remote_tmp: /tmp + local_tmp: /tmp options: vvv: true env: diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 519e9ae..3834de7 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -6,6 +6,12 @@ pre_tasks: - name: Install python raw: apt update; apt install -y python3 + - name: Install sudo + raw: apt install -y sudo + - name: Ensure /etc/easyrsa/pki directory exists + file: + path: /etc/easyrsa/pki + state: directory vars: easyrsa_servers: - name: elastic @@ -25,4 +31,4 @@ easyrsa_download: [] easyrsa_download_pki: true - easyrsa_download_dir: '~/' + easyrsa_download_dir: '~' From 38227e0d0a95236e5b0b00b1e7efe1234542ffaa Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Sat, 6 Jul 2024 12:50:22 +0200 Subject: [PATCH 08/30] write molecule tests --- molecule/default/verify.yml | 200 +++++++++++++++++++++++++++++++++++- 1 file changed, 198 insertions(+), 2 deletions(-) diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 10bfaac..9bf0013 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -1,16 +1,22 @@ --- -# TODO add more tests here - - name: Verify hosts: all vars: role_path: ../../ + beats_service_name: "{{ beats_flavor if beats_flavor != 'heartbeat' + else 'heartbeat-elastic' }}{{ + '@' + beats_installation_name + if beats_installation_name != 'default' + else '' + }}" + role_name: ansible-role-beats vars_files: - "{{ role_path }}/defaults/main.yml" - converge-vars.yml pre_tasks: - import_tasks: "{{ role_path }}/tasks/variables.yml" + - import_tasks: "{{ role_path }}/tasks/core/version.yml" tasks: - name: Check http monitoring is on wait_for: @@ -26,3 +32,193 @@ when: beats_flavor == 'filebeat' register: _result failed_when: not _result.stat.exists | bool + + - name: Tasks specific to Linux systems + block: + - name: Tasks specific to Debian systems + block: + - name: "{{ beats_flavor }}: Check if dependencies are installed" + command: dpkg -s {{ item }} + register: result + failed_when: "'installed' not in result.stdout" + loop: "{{ _beats_packages['all'] | union(_beats_packages[beats_flavor] | default([])) }}" + + - name: Check that apt-transport-https is installed + command: dpkg -s apt-transport-https + register: result + failed_when: "'installed' not in result.stdout" + + - name: Tasks excluding winlogbeat + block: + - name: Check that the Elastic repository key is added + command: apt-key finger + register: result + failed_when: "'4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4' not in result.stdout" + + - name: Check that the Elastic repository is added + command: grep -r 'https://artifacts.elastic.co/packages/' /etc/apt/sources.list.d/ + register: result + failed_when: "'https://artifacts.elastic.co/packages/' not in result.stdout" + + - name: Check that {{ beats_flavor }} is installed + command: dpkg -s {{ beats_flavor if beats_flavor != 'heartbeat' else 'heartbeat-elastic' }} + register: result + failed_when: "'installed' not in result.stdout" + + - name: Check that automatic updates are disabled for {{ beats_flavor }} + command: cat /etc/apt/apt.conf.d/55beats-disable + register: result + failed_when: beats_flavor not in result.stdout + when: beats_flavor != 'winlogbeat' + when: ansible_os_family == 'Debian' + + - name: Check that the certificates directory exists + stat: + path: "{{ beats_certificates_dir }}" + register: result + failed_when: not result.stat.exists or not result.stat.isdir + + - name: Check that the certificates are uploaded + stat: + path: "{{ beats_certificates_dir }}/{{ item.value | basename }}" + register: result + failed_when: not result.stat.exists or not result.stat.isreg + loop: "{{ beats_certificates | dict2items }}" + loop_control: + loop_var: item + + - name: Check that the environment variables file exists and has correct permissions + stat: + path: "{{ beats_path_config }}/{{ beats_installation_name }}.env.vars" + register: result + failed_when: not result.stat.exists or not result.stat.isreg or result.stat.mode != '0644' + + - name: Check that the systemd override file directory exists and has correct permissions + stat: + path: "/etc/systemd/system/{{ beats_service_name }}.service.d/" + register: result + failed_when: not result.stat.exists or not result.stat.isdir or result.stat.mode != '0755' + when: beats_systemd_override is not none + + - name: Check that the systemd override file exists and has correct permissions + stat: + path: "/etc/systemd/system/{{ beats_service_name }}.service.d/{{ role_name }}.override.conf" + register: result + failed_when: not result.stat.exists or not result.stat.isreg or result.stat.mode != '0644' or result.stat.gr_name != 'root' or result.stat.pw_name != 'root' + when: beats_systemd_override is not none + + - name: Check that the instatiate-able service file exists and has correct permissions + stat: + path: "/etc/systemd/system/{{ beats_flavor if beats_flavor != 'heartbeat' else 'heartbeat-elastic' }}@.service" + register: result + failed_when: not result.stat.exists or not result.stat.isreg or result.stat.mode != '0644' + when: beats_installation_name != 'default' + + + - name: Check that the configuration file is present with correct permissions + stat: + path: "{{ beats_path_config }}/{{ beats_flavor }}.yml" + register: config_file_stat + failed_when: > + not config_file_stat.stat.exists or + not config_file_stat.stat.isreg or + config_file_stat.stat.mode != '0644' or + config_file_stat.stat.gr_name != 'root' or + config_file_stat.stat.pw_name != 'root' + + - name: Check the content of the configuration file + command: cat "{{ beats_path_config }}/{{ beats_flavor }}.yml" + register: config_file_content + failed_when: > + config_file_content.rc != 0 or + beats_flavor not in config_file_content.stdout + + + - name: Check that the uuid file exists + stat: + path: "{{ beats_path_data }}/meta.json" + register: result + failed_when: not result.stat.exists or not result.stat.isreg + when: beats_uuid is not none + + - name: Check that the uuid file has correct content + command: cat "{{ beats_path_data }}/meta.json" + register: result + failed_when: result.rc != 0 or beats_uuid not in result.stdout + when: beats_uuid is not none + + - name: Tasks specific to auditbeat + block: + - name: Check that journald-audit is disabled + systemd: + name: systemd-journald-audit.socket + register: service_status + failed_when: service_status.status.LoadState != 'masked' or service_status.status.ActiveState != 'inactive' + when: beats_auditbeat_mask_journald_audit | bool + + - name: Check that the rules directory exists and has correct permissions + stat: + path: "{{ beats_auditbeat_rules_dir }}" + register: result + failed_when: not result.stat.exists or not result.stat.isdir or result.stat.mode != '0755' + + + - name: Check that the rule files are uploaded and have correct permissions + stat: + path: "{{ beats_auditbeat_rules_dir }}/{{ item.src | basename | regex_replace('^(.*)[.]j2', '\\1') }}" + register: result + failed_when: not result.stat.exists or not result.stat.isreg or result.stat.mode != '0600' or result.stat.gr_name != 'root' or result.stat.pw_name != 'root' + loop: "{{ beats_auditbeat_rule_files }}" + loop_control: + loop_var: item + when: item.src is defined + + - name: Check that the inline rules are uploaded and have correct permissions + stat: + path: "{{ beats_auditbeat_rules_dir }}/{{ item.dest }}" + register: result + failed_when: not result.stat.exists or not result.stat.isreg or result.stat.mode != '0600' or result.stat.gr_name != 'root' or result.stat.pw_name != 'root' + loop: "{{ beats_auditbeat_rule_files }}" + loop_control: + loop_var: item + when: item.src is not defined + + - name: Check that the inline rules have correct content + command: cat "{{ beats_auditbeat_rules_dir }}/{{ item.dest }}" + register: result + failed_when: result.rc != 0 or item.content not in result.stdout + loop: "{{ beats_auditbeat_rule_files }}" + loop_control: + loop_var: item + when: item.src is not defined + when: beats_flavor == 'auditbeat' + + - name: Check that the index template file exists on the remote host + stat: + path: "/tmp/{{ beats_flavor }}.{{ beats_full_version.split()[2] }}.template.json" + register: result + failed_when: not result.stat.exists or not result.stat.isreg + + - name: Check that the index template file has been downloaded + stat: + path: "{{ beats_index_template_download_dir }}/{{ beats_flavor }}.{{ beats_full_version.split()[2] }}.template.json" + register: result + failed_when: not result.stat.exists or not result.stat.isreg + + when: ansible_os_family != 'Windows' + + - name: Check that the scripts directory exists and has correct permissions + stat: + path: "{{ beats_path_config }}/scripts/" + register: result + failed_when: not result.stat.exists or not result.stat.isdir or result.stat.mode != '0644' or result.stat.gr_name != 'root' or result.stat.pw_name != 'root' + when: beats_processor_scripts | length > 0 + + - name: Check that the scripts are uploaded and have correct permissions + stat: + path: "{{ beats_path_config }}/scripts/{{ item | basename }}" + register: result + failed_when: not result.stat.exists or not result.stat.isreg or result.stat.mode != '0644' or result.stat.gr_name != 'root' or result.stat.pw_name != 'root' + loop: "{{ beats_processor_scripts }}" + loop_control: + loop_var: item \ No newline at end of file From 894bb156e49847f95999ec67dd4cd6ead4184a62 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Mon, 8 Jul 2024 14:28:41 +0200 Subject: [PATCH 09/30] add condition --- molecule/default/verify.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 9bf0013..87845c4 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -69,6 +69,7 @@ command: cat /etc/apt/apt.conf.d/55beats-disable register: result failed_when: beats_flavor not in result.stdout + when: beats_disable_auto_update | bool when: beats_flavor != 'winlogbeat' when: ansible_os_family == 'Debian' From 7dd6d14d007400cd2121484ce9587f86d03211c4 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Mon, 8 Jul 2024 14:39:16 +0200 Subject: [PATCH 10/30] upgrade to version 8 and fix so that role passes --- molecule/default/converge-vars.yml | 2 +- molecule/default/verify.yml | 4 ++-- tasks/outputs/index.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/molecule/default/converge-vars.yml b/molecule/default/converge-vars.yml index 5d911f5..d10c36c 100644 --- a/molecule/default/converge-vars.yml +++ b/molecule/default/converge-vars.yml @@ -4,7 +4,7 @@ beats_flavor: "{{ lookup('env', 'MOLECULE_BEATS_FLAVOR') | default('auditbeat', beats_unset_facts: true # Installation -beats_major_version: 7 +beats_major_version: 8 beats_minor_version: "{{ '*' if beats_flavor != 'winlogbeat' else '12' }}" beats_patch_version: "{{ '*' if beats_flavor != 'winlogbeat' else '0' }}" beats_enable_service: true diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 87845c4..7cb0a7f 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -196,13 +196,13 @@ - name: Check that the index template file exists on the remote host stat: - path: "/tmp/{{ beats_flavor }}.{{ beats_full_version.split()[2] }}.template.json" + path: "/tmp/{{ beats_flavor }}.{{ beats_full_version }}.template.json" register: result failed_when: not result.stat.exists or not result.stat.isreg - name: Check that the index template file has been downloaded stat: - path: "{{ beats_index_template_download_dir }}/{{ beats_flavor }}.{{ beats_full_version.split()[2] }}.template.json" + path: "{{ beats_index_template_download_dir }}/{{ beats_flavor }}.{{ beats_full_version }}.template.json" register: result failed_when: not result.stat.exists or not result.stat.isreg diff --git a/tasks/outputs/index.yml b/tasks/outputs/index.yml index 75e6702..9bf8e4c 100644 --- a/tasks/outputs/index.yml +++ b/tasks/outputs/index.yml @@ -5,14 +5,14 @@ - name: "{{ beats_flavor }}: Extract the beats index template on Linux" shell: >- {{ beats_linux_exec }} export template > \ - /tmp/{{ beats_flavor }}.{{ beats_full_version.split()[2] }}.template.json + /tmp/{{ beats_flavor }}.{{ beats_full_version }}.template.json args: executable: /bin/bash changed_when: false - name: "{{ beats_flavor }}: Download the index template on Linux" fetch: - src: "/tmp/{{ beats_flavor }}.{{ beats_full_version.split()[2] }}.template.json" + src: "/tmp/{{ beats_flavor }}.{{ beats_full_version }}.template.json" dest: "{{ beats_index_template_download_dir }}" flat: true when: ansible_os_family != 'Windows' From 64accdfd86333eca77ef9d3f9ebf1763ed921a9c Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Mon, 8 Jul 2024 15:22:44 +0200 Subject: [PATCH 11/30] fix github actions --- .github/workflows/main.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index d228ea2..0eec7f1 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -47,10 +47,15 @@ jobs: - name: Setup Python uses: actions/setup-python@v2 with: - python-version: '3.7' + python-version: '3.12' - name: Install molecule - run: pip3 install molecule[ansible,ansible-base,docker,lint] + run: pip3 install ansible-core molecule molecule-docker + + - name: Install Ansible collections + run: | + ansible-galaxy collection install ansible.windows + ansible-galaxy collection install community.general - name: Run molecule run: molecule test From a0ea47e4eab7744cf23554022d9c8f8f1a2ca01e Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Mon, 8 Jul 2024 17:50:17 +0200 Subject: [PATCH 12/30] update workflow --- .github/workflows/main.yml | 25 +++++++++---------------- 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 0eec7f1..cdcc919 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -19,12 +19,16 @@ jobs: strategy: matrix: distro: - - image: jrei/systemd-ubuntu:16.04 - instance: systemd-ubuntu-16.04 - - image: jrei/systemd-ubuntu:18.04 - instance: systemd-ubuntu-18.04 + #- image: jrei/systemd-ubuntu:16.04 + # instance: systemd-ubuntu-16.04 + #- image: jrei/systemd-ubuntu:18.04 + # instance: systemd-ubuntu-18.04 - image: jrei/systemd-ubuntu:20.04 instance: systemd-ubuntu-20.04 + #- image: jrei/systemd-ubuntu:22.04 + # instance: systemd-ubuntu-22.04 + #- image: jrei/systemd-ubuntu:24.04 + # instance: systemd-ubuntu-24.04 # - image: jrei/systemd-centos:7 # instance: systemd-centos-7 # - image: jrei/systemd-centos:8 @@ -35,12 +39,6 @@ jobs: # instance: systemd-debian-10 beats_flavor: - auditbeat - - filebeat - - heartbeat - - journalbeat - - metricbeat - - packetbeat - - winlogbeat steps: - uses: actions/checkout@v2 @@ -50,12 +48,7 @@ jobs: python-version: '3.12' - name: Install molecule - run: pip3 install ansible-core molecule molecule-docker - - - name: Install Ansible collections - run: | - ansible-galaxy collection install ansible.windows - ansible-galaxy collection install community.general + run: pip3 install ansible molecule molecule-docker - name: Run molecule run: molecule test From cf584ee4d1b530c47a03a944947190860d0edd4f Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Mon, 8 Jul 2024 18:06:04 +0200 Subject: [PATCH 13/30] make workflow pass --- .github/workflows/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index cdcc919..47bf987 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -50,6 +50,15 @@ jobs: - name: Install molecule run: pip3 install ansible molecule molecule-docker + - name: Pull image and run it + run: | + docker pull ${{ matrix.distro.image }} + docker run -d --name ${{ matrix.distro.instance }} \ + -v /sys/fs/cgroup:/sys/fs/cgroup:ro \ + -p 5067:5067/tcp \ + --privileged \ + ${{ matrix.distro.image }} /lib/systemd/systemd + - name: Run molecule run: molecule test env: From 461f5f1862e62c04845de28b425a64a16022b80d Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Mon, 8 Jul 2024 18:12:40 +0200 Subject: [PATCH 14/30] change remote_tmp --- molecule/default/molecule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 8334fb4..d014c66 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -26,7 +26,7 @@ provisioner: any_unparsed_is_failed: true unparsed_is_failed: true any_errors_fatal: true - remote_tmp: /tmp + remote_tmp: /tmp/.ansible-${USER}/tmp local_tmp: /tmp options: vvv: true From 6ebafd023c3eb40f0712d3a6c9558928c40406f9 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Mon, 8 Jul 2024 18:20:23 +0200 Subject: [PATCH 15/30] change remote user --- .github/workflows/main.yml | 9 --------- molecule/default/molecule.yml | 3 ++- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 47bf987..cdcc919 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -50,15 +50,6 @@ jobs: - name: Install molecule run: pip3 install ansible molecule molecule-docker - - name: Pull image and run it - run: | - docker pull ${{ matrix.distro.image }} - docker run -d --name ${{ matrix.distro.instance }} \ - -v /sys/fs/cgroup:/sys/fs/cgroup:ro \ - -p 5067:5067/tcp \ - --privileged \ - ${{ matrix.distro.image }} /lib/systemd/systemd - - name: Run molecule run: molecule test env: diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index d014c66..04653b9 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -18,6 +18,7 @@ platforms: command: /lib/systemd/systemd privileged: true pre_build_image: true + user: root provisioner: name: ansible config_options: @@ -26,7 +27,7 @@ provisioner: any_unparsed_is_failed: true unparsed_is_failed: true any_errors_fatal: true - remote_tmp: /tmp/.ansible-${USER}/tmp + remote_tmp: /tmp/.ansible-${USER} local_tmp: /tmp options: vvv: true From 33846ce8b4ce99d17c072e4ed7189d2b0510a37e Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Mon, 8 Jul 2024 18:28:54 +0200 Subject: [PATCH 16/30] debugging --- .github/workflows/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index cdcc919..abae8b9 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -51,8 +51,11 @@ jobs: run: pip3 install ansible molecule molecule-docker - name: Run molecule - run: molecule test + run: molecule converge || true env: MOLECULE_DISTRO: ${{ matrix.distro.image }} MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} MOLECULE_BEATS_FLAVOR: ${{ matrix.beats_flavor }} + + - name: Check docker images + run: docker ps -a \ No newline at end of file From 0bb06f0fe246e15719dafc0e7e1489f405e8996f Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Mon, 8 Jul 2024 18:48:43 +0200 Subject: [PATCH 17/30] change gather_facts --- molecule/default/prepare.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 3834de7..715dc08 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -1,6 +1,6 @@ - name: Prepare hosts: all - gather_facts: true + gather_facts: false roles: - nkakouros.easyrsa pre_tasks: @@ -12,6 +12,8 @@ file: path: /etc/easyrsa/pki state: directory + - name: Gathering Facts + setup: vars: easyrsa_servers: - name: elastic From 7f81f9bc7981d920227100f8805c0e4468bdab3b Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Mon, 8 Jul 2024 18:57:33 +0200 Subject: [PATCH 18/30] change ubuntu version --- .github/workflows/main.yml | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index abae8b9..c2235db 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -15,28 +15,12 @@ on: # yamllint disable-line rule:truthy jobs: molecule: - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 strategy: matrix: distro: - #- image: jrei/systemd-ubuntu:16.04 - # instance: systemd-ubuntu-16.04 - #- image: jrei/systemd-ubuntu:18.04 - # instance: systemd-ubuntu-18.04 - image: jrei/systemd-ubuntu:20.04 instance: systemd-ubuntu-20.04 - #- image: jrei/systemd-ubuntu:22.04 - # instance: systemd-ubuntu-22.04 - #- image: jrei/systemd-ubuntu:24.04 - # instance: systemd-ubuntu-24.04 - # - image: jrei/systemd-centos:7 - # instance: systemd-centos-7 - # - image: jrei/systemd-centos:8 - # instance: systemd-centos-8 - # - image: jrei/systemd-debian:9 - # instance: systemd-debian-9 - # - image: jrei/systemd-debian:10 - # instance: systemd-debian-10 beats_flavor: - auditbeat steps: @@ -57,5 +41,5 @@ jobs: MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} MOLECULE_BEATS_FLAVOR: ${{ matrix.beats_flavor }} - - name: Check docker images - run: docker ps -a \ No newline at end of file + - name: Check docker + run: docker --version && docker ps -a \ No newline at end of file From 2692249b3b8d97327afc3bb696679f68fcfab2dc Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Tue, 9 Jul 2024 11:14:19 +0200 Subject: [PATCH 19/30] debugging --- .github/workflows/main.yml | 25 +++++++++++++++++++++---- molecule/default/molecule.yml | 3 +++ 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c2235db..70bb8d3 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -34,12 +34,29 @@ jobs: - name: Install molecule run: pip3 install ansible molecule molecule-docker - - name: Run molecule - run: molecule converge || true + - name: Run molecule create + run: molecule create + env: + MOLECULE_DISTRO: ${{ matrix.distro.image }} + MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} + MOLECULE_BEATS_FLAVOR: ${{ matrix.beats_flavor }} + + - name: Check docker + run: docker --version && docker ps -a + + - name: Run molecule prepare + run: molecule prepare env: MOLECULE_DISTRO: ${{ matrix.distro.image }} MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} MOLECULE_BEATS_FLAVOR: ${{ matrix.beats_flavor }} - - name: Check docker - run: docker --version && docker ps -a \ No newline at end of file + - name: Check docker__ + run: docker --version && docker ps -a + + - name: Run molecule + run: molecule converge + env: + MOLECULE_DISTRO: ${{ matrix.distro.image }} + MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} + MOLECULE_BEATS_FLAVOR: ${{ matrix.beats_flavor }} diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 04653b9..2ea23c4 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -35,5 +35,8 @@ provisioner: IN_MOLECULE: 'true' scenario: name: default + create_sequence: + - depencency + - create verifier: name: ansible From 063b02782f00ec72bfce99c2b1fba317a43508ef Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Tue, 9 Jul 2024 11:16:21 +0200 Subject: [PATCH 20/30] fix typo --- molecule/default/molecule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 2ea23c4..f2fcc95 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -36,7 +36,7 @@ provisioner: scenario: name: default create_sequence: - - depencency + - dependency - create verifier: name: ansible From f4dcdbc644e0a20309eef22c58748af716883494 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Fri, 12 Jul 2024 12:13:28 +0200 Subject: [PATCH 21/30] update molecule.yml to make github actions pass --- molecule/default/molecule.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index f2fcc95..7dd7833 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -12,13 +12,12 @@ platforms: - name: "${MOLECULE_INSTANCE_NAME:-systemd-ubuntu-20.04}" image: "${MOLECULE_DISTRO:-jrei/systemd-ubuntu:20.04}" volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:ro + - /sys/fs/cgroup:/sys/fs/cgroup:rw published_ports: - '5067:5067/tcp' - command: /lib/systemd/systemd + command: /usr/sbin/init privileged: true pre_build_image: true - user: root provisioner: name: ansible config_options: @@ -27,7 +26,7 @@ provisioner: any_unparsed_is_failed: true unparsed_is_failed: true any_errors_fatal: true - remote_tmp: /tmp/.ansible-${USER} + remote_tmp: /tmp local_tmp: /tmp options: vvv: true From 5af081be23c990b212afba42e80ea7daed1d80a5 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Fri, 12 Jul 2024 12:37:56 +0200 Subject: [PATCH 22/30] run molecule as root in github actions --- .github/workflows/main.yml | 26 +++----------------------- molecule/default/prepare.yml | 2 +- 2 files changed, 4 insertions(+), 24 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 70bb8d3..0a2f435 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -15,7 +15,7 @@ on: # yamllint disable-line rule:truthy jobs: molecule: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest strategy: matrix: distro: @@ -34,28 +34,8 @@ jobs: - name: Install molecule run: pip3 install ansible molecule molecule-docker - - name: Run molecule create - run: molecule create - env: - MOLECULE_DISTRO: ${{ matrix.distro.image }} - MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} - MOLECULE_BEATS_FLAVOR: ${{ matrix.beats_flavor }} - - - name: Check docker - run: docker --version && docker ps -a - - - name: Run molecule prepare - run: molecule prepare - env: - MOLECULE_DISTRO: ${{ matrix.distro.image }} - MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} - MOLECULE_BEATS_FLAVOR: ${{ matrix.beats_flavor }} - - - name: Check docker__ - run: docker --version && docker ps -a - - - name: Run molecule - run: molecule converge + - name: Run molecule test + run: sudo molecule test env: MOLECULE_DISTRO: ${{ matrix.distro.image }} MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 715dc08..57eacd8 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -1,6 +1,6 @@ - name: Prepare hosts: all - gather_facts: false + gather_facts: true roles: - nkakouros.easyrsa pre_tasks: From c97e643ba54506cd1ad6e7f50f35564d4a5fba31 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Fri, 12 Jul 2024 16:59:09 +0200 Subject: [PATCH 23/30] update to run with correct sudo --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 0a2f435..33340e9 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -35,7 +35,7 @@ jobs: run: pip3 install ansible molecule molecule-docker - name: Run molecule test - run: sudo molecule test + run: sudo $(which molecule) test env: MOLECULE_DISTRO: ${{ matrix.distro.image }} MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} From 5d94f0b50e735f9a5ef9c26421c20c0ce2f42318 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Fri, 12 Jul 2024 17:07:33 +0200 Subject: [PATCH 24/30] add sudo when installing --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 33340e9..6f40596 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -32,7 +32,7 @@ jobs: python-version: '3.12' - name: Install molecule - run: pip3 install ansible molecule molecule-docker + run: sudo pip3 install ansible molecule molecule-docker - name: Run molecule test run: sudo $(which molecule) test From 15ec3db4d621dd5f9e3828e4e19fbbb6c24c0dde Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Fri, 12 Jul 2024 17:15:49 +0200 Subject: [PATCH 25/30] add debugging information --- .github/workflows/main.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6f40596..e3faca7 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -34,8 +34,19 @@ jobs: - name: Install molecule run: sudo pip3 install ansible molecule molecule-docker - - name: Run molecule test - run: sudo $(which molecule) test + - name: Run molecule create + run: sudo $(which molecule) create + env: + MOLECULE_DISTRO: ${{ matrix.distro.image }} + MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} + MOLECULE_BEATS_FLAVOR: ${{ matrix.beats_flavor }} + + - name: Check docker + run: docker --version && docker ps -a + + + - name: Run molecule converge + run: sudo $(which molecule) converge env: MOLECULE_DISTRO: ${{ matrix.distro.image }} MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} From fa5387710308e6dac5058c2e8151e7f1b730c271 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Fri, 12 Jul 2024 17:17:28 +0200 Subject: [PATCH 26/30] remove sudo --- .github/workflows/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e3faca7..3857c82 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -32,10 +32,10 @@ jobs: python-version: '3.12' - name: Install molecule - run: sudo pip3 install ansible molecule molecule-docker + run: pip3 install ansible molecule molecule-docker - name: Run molecule create - run: sudo $(which molecule) create + run: molecule create env: MOLECULE_DISTRO: ${{ matrix.distro.image }} MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} @@ -46,7 +46,7 @@ jobs: - name: Run molecule converge - run: sudo $(which molecule) converge + run: molecule converge env: MOLECULE_DISTRO: ${{ matrix.distro.image }} MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} From 9a8b56c4ec3df564a26ddd82817c2c732848aab4 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Fri, 12 Jul 2024 17:30:33 +0200 Subject: [PATCH 27/30] fix so that the container is created --- .github/workflows/main.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3857c82..c7cb7ba 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -15,7 +15,7 @@ on: # yamllint disable-line rule:truthy jobs: molecule: - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 strategy: matrix: distro: @@ -44,10 +44,19 @@ jobs: - name: Check docker run: docker --version && docker ps -a + - name: Run molecule prepare + run: molecule prepare + env: + MOLECULE_DISTRO: ${{ matrix.distro.image }} + MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} + MOLECULE_BEATS_FLAVOR: ${{ matrix.beats_flavor }} - - name: Run molecule converge + - name: Check docker__ + run: docker --version && docker ps -a + + - name: Run molecule run: molecule converge env: MOLECULE_DISTRO: ${{ matrix.distro.image }} MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} - MOLECULE_BEATS_FLAVOR: ${{ matrix.beats_flavor }} + MOLECULE_BEATS_FLAVOR: ${{ matrix.beats_flavor }} \ No newline at end of file From 548a422ddf882a57c66217deb9598e2a6b3a9cc0 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Fri, 12 Jul 2024 17:34:39 +0200 Subject: [PATCH 28/30] add back sudo, but runs on a different image --- .github/workflows/main.yml | 26 +++----------------------- 1 file changed, 3 insertions(+), 23 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c7cb7ba..9479075 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -32,30 +32,10 @@ jobs: python-version: '3.12' - name: Install molecule - run: pip3 install ansible molecule molecule-docker + run: sudo pip3 install ansible molecule molecule-docker - - name: Run molecule create - run: molecule create - env: - MOLECULE_DISTRO: ${{ matrix.distro.image }} - MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} - MOLECULE_BEATS_FLAVOR: ${{ matrix.beats_flavor }} - - - name: Check docker - run: docker --version && docker ps -a - - - name: Run molecule prepare - run: molecule prepare - env: - MOLECULE_DISTRO: ${{ matrix.distro.image }} - MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} - MOLECULE_BEATS_FLAVOR: ${{ matrix.beats_flavor }} - - - name: Check docker__ - run: docker --version && docker ps -a - - - name: Run molecule - run: molecule converge + - name: Run molecule test + run: sudo $(which molecule) test env: MOLECULE_DISTRO: ${{ matrix.distro.image }} MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} From f9e2cff640ae19c6dca0bf569c95860ef47e4a4f Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Fri, 12 Jul 2024 17:36:39 +0200 Subject: [PATCH 29/30] remove sudo --- .github/workflows/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9479075..9b1e340 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -32,10 +32,10 @@ jobs: python-version: '3.12' - name: Install molecule - run: sudo pip3 install ansible molecule molecule-docker + run: pip3 install ansible molecule molecule-docker - name: Run molecule test - run: sudo $(which molecule) test + run: molecule test env: MOLECULE_DISTRO: ${{ matrix.distro.image }} MOLECULE_INSTANCE_NAME: ${{ matrix.distro.instance }} From 76c6bb81c1af56fc59ba22814494824c0d7b8a72 Mon Sep 17 00:00:00 2001 From: Abhinav Kalra Date: Fri, 12 Jul 2024 17:57:34 +0200 Subject: [PATCH 30/30] fix so that the role can be run without being root --- molecule/default/prepare.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 57eacd8..dd610e0 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -34,3 +34,4 @@ easyrsa_download: [] easyrsa_download_pki: true easyrsa_download_dir: '~' + ansible_user_id: "{{ lookup('pipe', 'id -un') }}" \ No newline at end of file