From ef9463a5bcb23a7060026ed74fa1408a05d88a4b Mon Sep 17 00:00:00 2001
From: Rohan Yadav
Date: Mon, 6 Jan 2025 14:09:00 +0530
Subject: [PATCH] feat(fips): update packaging tests
---
test/packaging/ansible/README.md | 3 +-
.../ansible/installation-privileged.yml | 61 ++++++++------
test/packaging/ansible/installation-root.yml | 21 +++--
.../ansible/installation-unprivileged.yml | 57 +++++++------
.../ansible/shutdown-and-terminate.yml | 82 +++++++++++--------
test/packaging/ansible/test.yml | 22 +++--
6 files changed, 142 insertions(+), 104 deletions(-)
diff --git a/test/packaging/ansible/README.md b/test/packaging/ansible/README.md
index 9acc84c7a..5194dc49a 100644
--- a/test/packaging/ansible/README.md
+++ b/test/packaging/ansible/README.md
@@ -9,7 +9,8 @@ localhost ansible_connection=local
 [testing_hosts]
 amd64:debian-buster ansible_host=192.168.1.12 ansible_user=admin ansible_python_interpreter=/usr/bin/python3
-amd64:centos7 ansible_host=192.168.1.13 ansible_user=centos ansible_python_interpreter=/usr/bin/python
+amd64:centos7 ansible_host=192.168.1.13 ansible_user=centos ansible_python_interpreter=/usr/bin/python
+amd64:al-2023-fips ansible_host=192.168.1.14 ansible_user=ec2-user ansible_python_interpreter=/usr/bin/python3 ansible_ssh_common_args='-o Ciphers=aes256-ctr,aes192-ctr,aes128-ctr -o KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -o MACs=hmac-sha2-256,hmac-sha2-512'
 ```
 ## Playbooks
diff --git a/test/packaging/ansible/installation-privileged.yml b/test/packaging/ansible/installation-privileged.yml
index c0d939bc6..59f58e443 100644
--- a/test/packaging/ansible/installation-privileged.yml
+++ b/test/packaging/ansible/installation-privileged.yml
@@ -1,13 +1,12 @@
 ---
-
-- name: installation-privileged
+- name: Installation-privileged
 hosts: testing_hosts_linux
 become: true
- gather_facts: yes
+ gather_facts: true
 pre_tasks:
 - name: Initial cleanup
- include_role:
+ ansible.builtin.include_role:
 name: caos.ansible_roles.infra_agent
 vars:
 uninstall: true
@@ -21,30 +20,38 @@
 NRIA_MODE: PRIVILEGED
 block:
+ - name: Install agent
+ when: "'-fips' not in inventory_hostname"
+ ansible.builtin.include_role:
+ name: caos.ansible_roles.infra_agent
+ vars:
+ repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
- - name: install agent
- include_role:
- name: caos.ansible_roles.infra_agent
- vars:
- repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+ - name: Install agent - FIPS
+ when: "'-fips' in inventory_hostname"
+ ansible.builtin.include_role:
+ name: caos.ansible_roles.infra_agent
+ vars:
+ repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+ fips_enabled: true
- - name: assert privileged caps
- include_role:
- name: caos.ansible_roles.assert_privileged_caps
- vars:
- executable: "/usr/bin/newrelic-infra"
- caps:
- - cap_dac_read_search
- - cap_sys_ptrace.ep
+ - name: Assert privileged caps
+ ansible.builtin.include_role:
+ name: caos.ansible_roles.assert_privileged_caps
+ vars:
+ executable: "/usr/bin/newrelic-infra"
+ caps:
+ - cap_dac_read_search
+ - cap_sys_ptrace.ep
- - name: Assert rootless
- include_role:
- name: caos.ansible_roles.assert_files
- vars:
- processes:
- - name: newrelic-infra-service
- owner: "{{ agent_user }}"
- files:
- - name: /usr/bin/newrelic-infra
- permissions: "{{ bin_mode }}"
+ - name: Assert rootless
+ ansible.builtin.include_role:
+ name: caos.ansible_roles.assert_files
+ vars:
+ processes:
+ - name: newrelic-infra-service
+ owner: "{{ agent_user }}"
+ files:
+ - name: /usr/bin/newrelic-infra
+ permissions: "{{ bin_mode }}"
 ...
diff --git a/test/packaging/ansible/installation-root.yml b/test/packaging/ansible/installation-root.yml
index 5ccae8481..4a61f9566 100644
--- a/test/packaging/ansible/installation-root.yml
+++ b/test/packaging/ansible/installation-root.yml
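Review bot: The FIPS and non-FIPS install tasks are identical except for `fips_enabled: true`, and they are selected by a substring match on `inventory_hostname`, so a FIPS host whose name lacks `-fips` silently gets the standard build while the caps and file assertions still pass; the same pair is repeated in installation-root.yml, installation-unprivileged.yml and shutdown-and-terminate.yml. A single task with `fips_enabled: "{{ '-fips' in inventory_hostname }}"` (or, better, a dedicated inventory group checked through `group_names`) removes the duplication and keeps the convention in one place. Nothing in the block verifies that FIPS mode is actually in effect on the host or that the FIPS variant was installed; a task that asserts `/proc/sys/crypto/fips_enabled` reads `1` before the install would make the test check what its name claims. The FIPS task also inherits the plaintext `http://` staging `repo_endpoint`; whether that is acceptable depends on the role verifying package signatures, which is not visible here. The enclosing play starts outside the hunk.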
@@ -1,13 +1,13 @@
 ---
-- name: installation-root
+- name: Installation-root
 hosts: testing_hosts_linux
 become: true
- gather_facts: yes
+ gather_facts: true
 pre_tasks:
 - name: Initial cleanup
- include_role:
+ ansible.builtin.include_role:
 name: caos.ansible_roles.infra_agent
 vars:
 uninstall: true
@@ -20,14 +20,23 @@
 block:
- - name: install agent
- include_role:
+ - name: Install agent
+ when: "'-fips' not in inventory_hostname"
+ ansible.builtin.include_role:
 name: caos.ansible_roles.infra_agent
 vars:
 repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+ - name: Install agent - FIPS
+ when: "'-fips' in inventory_hostname"
+ ansible.builtin.include_role:
+ name: caos.ansible_roles.infra_agent
+ vars:
+ repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+ fips_enabled: true
+
 - name: Assert root
- include_role:
+ ansible.builtin.include_role:
 name: caos.ansible_roles.assert_files
 vars:
 processes:
diff --git a/test/packaging/ansible/installation-unprivileged.yml b/test/packaging/ansible/installation-unprivileged.yml
index 041e6166c..a882ee169 100644
--- a/test/packaging/ansible/installation-unprivileged.yml
+++ b/test/packaging/ansible/installation-unprivileged.yml
@@ -1,13 +1,12 @@
 ---
-
-- name: installation-unprivileged
+- name: Installation-unprivileged
 hosts: testing_hosts_linux
 become: true
- gather_facts: yes
+ gather_facts: true
 pre_tasks:
 - name: Initial cleanup
- include_role:
+ ansible.builtin.include_role:
 name: caos.ansible_roles.infra_agent
 vars:
 uninstall: true
@@ -21,28 +20,36 @@
 NRIA_MODE: UNPRIVILEGED
 block:
+ - name: Install agent
+ when: "'-fips' not in inventory_hostname"
+ ansible.builtin.include_role:
+ name: caos.ansible_roles.infra_agent
+ vars:
+ repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
- - name: install agent
- include_role:
- name: caos.ansible_roles.infra_agent
- vars:
- repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+ - name: Install agent - FIPS
+ when: "'-fips' in inventory_hostname"
+ ansible.builtin.include_role:
+ name: caos.ansible_roles.infra_agent
+ vars:
+ repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+ fips_enabled: true
- - name: assert no privileged caps
- include_role:
- name: caos.ansible_roles.assert_privileged_caps
- vars:
- executable: "/usr/bin/newrelic-infra"
- caps: []
+ - name: Assert no privileged caps
+ ansible.builtin.include_role:
+ name: caos.ansible_roles.assert_privileged_caps
+ vars:
+ executable: "/usr/bin/newrelic-infra"
+ caps: []
- - name: Assert rootless
- include_role:
- name: caos.ansible_roles.assert_files
- vars:
- processes:
- - name: newrelic-infra-service
- owner: "{{ agent_user }}"
- files:
- - name: /usr/bin/newrelic-infra
- permissions: "{{ bin_mode }}"
+ - name: Assert rootless
+ ansible.builtin.include_role:
+ name: caos.ansible_roles.assert_files
+ vars:
+ processes:
+ - name: newrelic-infra-service
+ owner: "{{ agent_user }}"
+ files:
+ - name: /usr/bin/newrelic-infra
+ permissions: "{{ bin_mode }}"
 ...
diff --git a/test/packaging/ansible/shutdown-and-terminate.yml b/test/packaging/ansible/shutdown-and-terminate.yml
index 3b42ffb70..19e15d272 100644
--- a/test/packaging/ansible/shutdown-and-terminate.yml
+++ b/test/packaging/ansible/shutdown-and-terminate.yml
@@ -1,47 +1,57 @@
 ---
-- name: install agent linux (HNR)
+- name: Install agent linux (HNR)
 hosts: testing_hosts_linux
- gather_facts: yes
+ gather_facts: true
 become: true
 vars:
 agent_user: root
 pre_tasks:
 - name: Initial cleanup
- include_role:
+ ansible.builtin.include_role:
 name: caos.ansible_roles.infra_agent
 vars:
 uninstall: true
 tasks:
- - name: install agent
- include_role:
+ - name: Install agent
+ when: "'-fips' not in inventory_hostname"
+ ansible.builtin.include_role:
 name: caos.ansible_roles.infra_agent
 vars:
 display_name: "{{ iid }}:{{ inventory_hostname }}"
 repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
-- name: install agent windows (HNR)
+ - name: Install agent - FIPS
+ when: "'-fips' in inventory_hostname"
+ ansible.builtin.include_role:
+ name: caos.ansible_roles.infra_agent
+ vars:
+ display_name: "{{ iid }}:{{ inventory_hostname }}"
+ repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+ fips_enabled: true
+
+- name: Install agent windows (HNR)
 hosts: testing_hosts_windows
- gather_facts: yes
+ gather_facts: true
 pre_tasks:
 - name: Initial cleanup
- include_role:
+ ansible.builtin.include_role:
 name: caos.ansible_roles.infra_agent
 vars:
 uninstall: true
 tasks:
- - name: install agent
- include_role:
+ - name: Install agent
+ ansible.builtin.include_role:
 name: caos.ansible_roles.infra_agent
 vars:
 display_name: "{{ iid }}:{{ inventory_hostname }}"
-- name: test agent behaviour on host shutdown
+- name: Test agent behaviour on host shutdown
 hosts: testing_hosts
 vars:
 # Add here hosts of the instances that doesn't support Smart HNR (shutdown detection) e.g. - "amd64:ubuntu14.04"
@@ -56,80 +66,80 @@
 }}
 tasks:
- - name: pause a bit to let the agent send some data
- pause:
+ - name: Pause a bit to let the agent send some data
+ ansible.builtin.pause:
 minutes: 1
- - name: restart the agent
- include_role:
+ - name: Restart the agent
+ ansible.builtin.include_role:
 name: caos.ansible_roles.service_status
 vars:
 service_name: "newrelic-infra"
 action: "restart"
- - name: pause for a bit to let the agent initialize
- pause:
+ - name: Pause for a bit to let the agent initialize
+ ansible.builtin.pause:
 seconds: 30
 - name: Get entity id
- include_role:
+ ansible.builtin.include_role:
 name: caos.ansible_roles.infra_agent_get_entity_id
- - name: assert agent restart don't trigger shutdown event
- include_role:
+ - name: Assert agent restart don't trigger shutdown event
+ ansible.builtin.include_role:
 name: caos.ansible_roles.assert_host_status_event
 vars:
 host_status: "shutdown"
 expect_change_event: false
 since_sec_ago: 30
- - name: stop instances
- include_role:
+ - name: Stop instances
+ ansible.builtin.include_role:
 name: caos.ansible_roles.ec2_instance
 vars:
 action: stop
 instance_id: "{{ iid }}"
- - name: pause for a bit to let the event fire
- pause:
+ - name: Pause for a bit to let the event fire
+ ansible.builtin.pause:
 seconds: 30
- - name: assert that the agent detecteded host shutdown and disconnected from the backend (only on hosts that support shutdown detection)
- include_role:
+ - name: Assert that the agent detecteded host shutdown and disconnected from the backend (only on hosts that support shutdown detection)
+ ansible.builtin.include_role:
 name: caos.ansible_roles.assert_host_status_event
 vars:
 host_status: "shutdown"
 expect_change_event: "{{ host_supports_shutdown_detection }}"
 timestamp_ref: "{{ ec2_stop_time_sec | int }}"
- - name: start instances
- include_role:
+ - name: Start instances
+ ansible.builtin.include_role:
 name: caos.ansible_roles.ec2_instance
 vars:
 action: start
 instance_id: "{{ iid }}"
- - name: assert the agent 
performed connect to the backend (only on hosts that support shutdown detection)
- include_role:
+ - name: Assert the agent performed connect to the backend (only on hosts that support shutdown detection)
+ ansible.builtin.include_role:
 name: caos.ansible_roles.assert_host_status_event
 vars:
 host_status: "running"
 expect_change_event: "{{ host_supports_shutdown_detection }}"
 timestamp_ref: "{{ ec2_start_time_sec | int }}"
- - name: terminate instances
- include_role:
+ - name: Terminate instances
+ ansible.builtin.include_role:
 name: caos.ansible_roles.ec2_instance
 vars:
 action: terminate
 instance_id: "{{ iid }}"
- - name: pause for a bit to let the event fire
- pause:
+ - name: Pause for a bit to let the event fire
+ ansible.builtin.pause:
 seconds: 30
- - name: assert that the agent detecteded host termination and disconnected from the backend (only on hosts that support shutdown detection)
- include_role:
+ - name: Assert that the agent detecteded host termination and disconnected from the backend (only on hosts that support shutdown detection)
+ ansible.builtin.include_role:
 name: caos.ansible_roles.assert_host_status_event
 vars:
 host_status: "shutdown"
diff --git a/test/packaging/ansible/test.yml b/test/packaging/ansible/test.yml
index 700ecd22f..77d1e92cb 100644
--- a/test/packaging/ansible/test.yml
+++ b/test/packaging/ansible/test.yml
@@ -1,30 +1,34 @@
 ---
-- name: pinned version agent installation
+- name: Pinned version agent installation
 import_playbook: installation-pinned.yml
+ when: "'-fips' not in inventory_hostname" # Not supported in initial release of FIPS
-- name: agent installation as root
+- name: Agent installation as root
 import_playbook: installation-root.yml
-- name: privileged mode agent installation
+- name: Privileged mode agent installation
 import_playbook: installation-privileged.yml
-- name: unprivileged mode agent installation
+- name: Unprivileged mode agent installation
 import_playbook: installation-unprivileged.yml
-- name: agent installation via newrelic-cli
+- name: Agent installation via newrelic-cli
 import_playbook: installation-newrelic-cli.yml
+ when: "'-fips' not in inventory_hostname" # FIPS not supported via newrelic-cli in initial release
-- name: installation windows
+- name: Installation windows
 import_playbook: installation-windows.yml
-- name: log forwarder
+- name: Log forwarder
 import_playbook: log-forwarder.yml
+ when: "'-fips' not in inventory_hostname" # TODO: Update for FIPS
-- name: agent upgrade
+- name: Agent upgrade
 import_playbook: agent-upgrade.yml
+ when: "'-fips' not in inventory_hostname" # Not supported in initial release of FIPS
-- name: shutdown , terminate and HNR alerts
+- name: Shutdown , terminate and HNR alerts
 import_playbook: shutdown-and-terminate.yml
 ...
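Review bot: The four new `when: "'-fips' not in inventory_hostname"` guards encode the FIPS/non-FIPS split as a hostname naming convention, repeated here and in the installation playbooks, so a host that is mis-named is silently routed to the wrong test set with no failure. A dedicated inventory group checked through `group_names` would make the intent explicit and leave one place to change when the skipped playbooks gain FIPS support. As far as I recall, a `when` on `import_playbook` is pushed down onto every task (and the fact-gathering step) of the imported playbook rather than skipping the import itself, so it is evaluated per host at task time; worth confirming, since any play inside those playbooks that targets other hosts, such as localhost, will still run. The inline comments are useful, but `# TODO: Update for FIPS` on log-forwarder would be more actionable with a tracking reference next to it.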