Commit 8944cea9 authored by Jörg Sachse's avatar Jörg Sachse

merge: create CI pipeline and implement advice from static code analysis

parent 6faf07e9
1 merge request!2merge: create CI pipeline and implement advice from static code analysis
# This file is a template, and might need editing before it works on your project.
# To contribute improvements to CI/CD templates, please follow the Development guide at:
# https://docs.gitlab.com/ee/development/cicd/templates.html
# This specific template is located at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Getting-Started.gitlab-ci.yml
# This is a sample GitLab CI/CD configuration file that should run without any modifications.
# It demonstrates a basic 3 stage CI/CD pipeline. Instead of real tests or scripts,
# it uses echo commands to simulate the pipeline execution.
#
# A pipeline is composed of independent jobs that run scripts, grouped into stages.
# Stages run in sequential order, but jobs within stages run in parallel.
#
# For more information, see: https://docs.gitlab.com/ee/ci/yaml/index.html#stages
stages: # List of stages for jobs, and their order of execution
- build
- test
variables:
IMAGE_TARGET: "$CI_REGISTRY_IMAGE/bullseye_subapp"
# CI_DEBUG_TRACE: "true"
default:
image:
name: "${IMAGE_TARGET}:latest"
build-env-job: # This job runs in the build stage, which runs first.
stage: build
timeout: 30m
tags:
- "docker"
image:
name: gcr.io/kaniko-project/executor:debug
entrypoint: [""]
before_script: []
script:
- mkdir -p /kaniko/.docker
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(printf "%s:%s" "$CI_REGISTRY_USER" "$CI_REGISTRY_PASSWORD" | base64 | tr -d '\n')\"},\"$(printf "%s" "$CI_DEPENDENCY_PROXY_SERVER" | cut -d':' -f1)\":{\"auth\":\"$(printf "%s:%s" "$CI_DEPENDENCY_PROXY_USER" "$CI_DEPENDENCY_PROXY_PASSWORD" | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json
- >-
/kaniko/executor
--context "${CI_PROJECT_DIR}"
--dockerfile "${CI_PROJECT_DIR}/tests/Dockerfile"
--destination "${IMAGE_TARGET}:latest"
unit-test-job: # This job runs in the test stage.
stage: test # It only starts when the job in the build stage completes successfully.
script:
- sudo chmod o-w /builds/digital-preservation/ansible_lza_repair/
- echo "${VAULT_INSTALL_COMMON}" > /builds/digital-preservation/lza_install_common.pass
- echo "${VAULT_SERVER_HARDENING}" > /builds/digital-preservation/lza_server_hardening.pass
- echo "${VAULT_REPAIR}" > /builds/digital-preservation/lza_repair.pass
- echo "${VAULT_OSQUERY}" > /builds/digital-preservation/slub_osquery.pass
- rm -rf /builds/digital-preservation/ansible_vaults/
- git clone https://gitlab+deploy-token-25:${VAULT_ACCESS_TOKEN}@git.slub-dresden.de/slub-referat-2-3/ansible_vaults.git /builds/digital-preservation/ansible_vaults/
- ansible-playbook --user "lza" --become --tags ci /builds/digital-preservation/ansible_lza_repair/ci-playbook.yml
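Review bot: The deploy token on the `git clone` line is passed inline in the URL, so it is printed in the job log together with the echoed script line unless `VAULT_ACCESS_TOKEN` is configured as a masked variable, and it remains in the clone's `.git/config` for the rest of the job. The four vault password files written with `echo` just above are created with the job's default umask; `(umask 077; printf '%s\n' "${VAULT_REPAIR}" > /builds/digital-preservation/lza_repair.pass)` keeps such a file readable only by the job user, and the same form fits the three lines before it. The paths under `/builds/digital-preservation/` are hard-coded where `${CI_PROJECT_DIR}` and its parent would follow the project if the runner's build root changes. Unlike `build-env-job`, this job carries no `tags:` entry, so which runner picks it up and whether that runner can pull `${IMAGE_TARGET}` depends on runner configuration rather than on this file.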
...@@ -3,14 +3,18 @@ ...@@ -3,14 +3,18 @@
connection: local connection: local
# Collect facts from remote system? Possible values: true, false # Collect facts from remote system? Possible values: true, false
gather_facts: true gather_facts: true
# any_error_fatal will mark all the hosts as failed if fails and immediately abort the playbook execution. Possible values: true, false # any_error_fatal will mark all the hosts as failed if fails and immediately
# abort the playbook execution. Possible values: true, false
any_errors_fatal: false any_errors_fatal: false
# max_fail_percentage allows you to abort the play if certain threshold of failures have been reached. # max_fail_percentage allows you to abort the play if certain threshold of
# failures have been reached.
max_fail_percentage: 30 max_fail_percentage: 30
serial: 30 serial: 30
# hide sensitive information in verbose/debugging output from others. Possible values: true, false # hide sensitive information in verbose/debugging output from others.
# Possible values: true, false
no_log: false no_log: false
# execution strategy, possible values: debug, linear, serial, free (https://docs.ansible.com/ansible/latest/user_guide/playbooks_strategies.html) # execution strategy, possible values: debug, linear, serial, free
# https://docs.ansible.com/ansible/latest/user_guide/playbooks_strategies.html
strategy: linear strategy: linear
roles: roles:
...@@ -4,11 +4,13 @@ ...@@ -4,11 +4,13 @@
systemd: systemd:
daemon-reload: "yes" daemon-reload: "yes"
- name: enable systemd-units
command: "systemctl enable /etc/systemd/user/{{ item.key }}.service"
loop: "{{ vault_service_files }}"
# https://docs.ansible.com/ansible/latest/collections/ansible/builtin/systemd_module.html # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/systemd_module.html
- name: restart repairtools - name: restart repairtools
systemd: systemd:
name: "{{ item }}" name: "{{ item }}.service"
state: restarted state: restarted
loop: loop: "{{ vault_service_files }}"
- "repair_daemon_ddz.service"
- "repair_daemon_digas.service"
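Review bot: The two handlers disagree on the loop item shape: `enable systemd-units` reads `{{ item.key }}` while `restart repairtools` reads `{{ item }}`, both iterating `loop: "{{ vault_service_files }}"`. The task that notifies them (the `with_dict: "{{ vault_service_files }}"` in the second hunk of the tasks file) suggests the variable is a mapping, and `loop` rejects a mapping at runtime, so at most one of the two forms can work; if it is a mapping, use `loop: "{{ vault_service_files | dict2items }}"` in both handlers and `name: "{{ item.key }}.service"` in the restart handler. If it is instead a list, the `item.key` in the enable handler is the wrong one. A one-line comment above the loops stating the expected shape of `vault_service_files` would stop the two files drifting apart again.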
...@@ -3,6 +3,7 @@ galaxy_info: ...@@ -3,6 +3,7 @@ galaxy_info:
author: Jörg Sachse author: Jörg Sachse
description: role to install repair server for the SLUBarchiv digital preservation repository description: role to install repair server for the SLUBarchiv digital preservation repository
company: SLUB Dresden company: SLUB Dresden
namespace: "slub"
# If the issue tracker for your role is not on github, uncomment the next line and provide a value issue_tracker_url: http://example.com/issue/tracker Some suggested licenses: - BSD # If the issue tracker for your role is not on github, uncomment the next line and provide a value issue_tracker_url: http://example.com/issue/tracker Some suggested licenses: - BSD
# (default) - MIT - GPLv2 - GPLv3 - Apache - CC-BY # (default) - MIT - GPLv2 - GPLv3 - Apache - CC-BY
license: public domain license: public domain
...@@ -6,7 +6,8 @@ ...@@ -6,7 +6,8 @@
register: missing_mountpoints register: missing_mountpoints
tags: [ci] tags: [ci]
- debug: - name: show missing mountpoints
debug:
# var: missing_mountpoints # var: missing_mountpoints
msg: "{{ item }}" msg: "{{ item }}"
loop: "{{ missing_mountpoints.results | flatten(levels=1) }}" loop: "{{ missing_mountpoints.results | flatten(levels=1) }}"
...@@ -3,6 +3,7 @@ ...@@ -3,6 +3,7 @@
file: file:
path: "/etc/systemd/user/" path: "/etc/systemd/user/"
state: directory state: directory
mode: "755"
- name: Systemd-Unitfiles installieren - name: Systemd-Unitfiles installieren
template: template:
...@@ -14,16 +15,5 @@ ...@@ -14,16 +15,5 @@
with_dict: "{{ vault_service_files }}" with_dict: "{{ vault_service_files }}"
notify: notify:
- systemctl daemon-reload - systemctl daemon-reload
register: unitfiles_result - enable systemd-units
- restart repairtools
- name: Systemd-Units enablen
command: "systemctl enable /etc/systemd/user/{{ item.key }}.service" # noqa 301 303
with_dict: "{{ vault_service_files }}"
when: unitfiles_result.changed
- name: SystemD-Units starten
systemd:
name: "{{ item.key }}.service"
state: restarted
with_dict: "{{ vault_service_files }}"
when: unitfiles_result.changed
...@@ -46,7 +46,7 @@ ...@@ -46,7 +46,7 @@
dest: "/etc/apt/preferences.d/{{ item.package_name }}" dest: "/etc/apt/preferences.d/{{ item.package_name }}"
owner: "root" owner: "root"
group: "root" group: "root"
mode: 0750 mode: "750"
loop: "{{ tool_versions }}" loop: "{{ tool_versions }}"
# FHS 3.0 specifies the correct path for the config: # FHS 3.0 specifies the correct path for the config:
...@@ -61,6 +61,7 @@ ...@@ -61,6 +61,7 @@
src: "{{ item.path }}" src: "{{ item.path }}"
dest: "/usr/local/etc/" dest: "/usr/local/etc/"
remote_src: true remote_src: true
mode: "644"
loop: "{{ cit_configs.files }}" loop: "{{ cit_configs.files }}"
- name: create caching directory - name: create caching directory
FROM debian:stable-slim FROM debian:stable-slim
RUN adduser lza;
### configure SLUB Debian Repository ### configure SLUB Debian Repository
RUN apt-get update; \ RUN apt-get update; \
apt-get install -y --no-install-recommends gnupg wget git; \ apt-get install -y --no-install-recommends gnupg wget git python3 ansible sudo; \
wget -O - http://sdvdebianrepo.slub-dresden.de/deb-repository/pub.gpg.key | apt-key add - ; \ wget -O - http://sdvdebianrepo.slub-dresden.de/deb-repository/pub.gpg.key | apt-key add - ; \
echo "deb http://sdvdebianrepo.slub-dresden.de/deb-repository bullseye main" > /etc/apt/sources.list.d/slub.list; echo "deb http://sdvdebianrepo.slub-dresden.de/deb-repository bullseye main" > /etc/apt/sources.list.d/slub.list; \
apt-get update;
RUN apt-get update && apt-get install -y --no-install-recommends openssh-server sudo python3 unzip
RUN mkdir /var/run/sshd
RUN echo 'root:root' | chpasswd
RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
# SSH login fix. Otherwise user is kicked off after login
RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
ENV NOTVISIBLE "in users profile"
RUN echo "export VISIBLE=now" >> /etc/profile
RUN groupadd lza RUN echo "lza ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/lza-user
EXPOSE 22 USER lza
CMD ["/usr/sbin/sshd", "-D"]
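Review bot: `RUN echo "lza ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/lza-user` leaves the drop-in with the build's default file mode rather than the 0440 sudo expects, and nothing validates its syntax; appending `&& chmod 0440 /etc/sudoers.d/lza-user && visudo -cf /etc/sudoers.d/lza-user` to that line makes a broken rule fail the image build instead of the first `sudo` inside a test job. `RUN adduser lza;` invokes Debian's interactive adduser without `--disabled-password --gecos ""`, so in a non-interactive build it may fail or prompt its way through with defaults — pinning those flags removes the ambiguity. Since sshd, the `root:root` password and `EXPOSE 22` are gone in favour of `connection: docker`, the `-p 5000:22` still used by the local test script is now stale, although nothing in this image listens there anymore.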
...@@ -3,14 +3,18 @@ ...@@ -3,14 +3,18 @@
connection: docker connection: docker
# Collect facts from remote system? Possible values: true, false # Collect facts from remote system? Possible values: true, false
gather_facts: true gather_facts: true
# any_error_fatal will mark all the hosts as failed if fails and immediately abort the playbook execution. Possible values: true, false # any_error_fatal will mark all the hosts as failed if fails and immediately
# abort the playbook execution. Possible values: true, false
any_errors_fatal: false any_errors_fatal: false
# max_fail_percentage allows you to abort the play if certain threshold of failures have been reached. # max_fail_percentage allows you to abort the play if certain threshold of
# failures have been reached.
max_fail_percentage: 30 max_fail_percentage: 30
serial: 30 serial: 30
# hide sensitive information in verbose/debugging output from others. Possible values: true, false # hide sensitive information in verbose/debugging output from others.
# Possible values: true, false
no_log: false no_log: false
# execution strategy, possible values: debug, linear, serial, free (https://docs.ansible.com/ansible/latest/user_guide/playbooks_strategies.html) # execution strategy, possible values: debug, linear, serial, free
# https://docs.ansible.com/ansible/latest/user_guide/playbooks_strategies.html
strategy: linear strategy: linear
roles: roles:
#!/usr/bin/env bash #!/usr/bin/env bash
cd "$( dirname "${0}" )" || exit
RED="\\e[31m" RED="\\e[31m"
WHITE="\\e[0m" WHITE="\\e[0m"
ERROR="${RED}[ERROR]\t${WHITE}" ERROR="${RED}[ERROR]\t${WHITE}"
INFO="[INFO]\t"
DOCKER_CONTAINER_NAME="lza-repair-test" DOCKER_CONTAINER_NAME="lza-repair-test"
REQUIREMENTS="docker ansible-playbook" REQUIREMENTS_MANDATORY="ansible-lint ansible-playbook docker shellcheck yamllint"
export ANSIBLE_NOCOWS=true export ANSIBLE_NOCOWS=true
export ANSIBLE_ROLES_PATH=../ export ANSIBLE_ROLES_PATH=../
for REQUIREMENT in ${REQUIREMENTS}; do # requirements for mandatory tests
command -v "${REQUIREMENT}" >/dev/null 2>&1 || { echo >&2 "${ERROR}${REQUIREMENT} required but not installed. Aborting."; exit 1; } for REQUIREMENT in ${REQUIREMENTS_MANDATORY}; do
command -v "${REQUIREMENT}" >/dev/null 2>&1 || { echo -e >&2 "${ERROR}${REQUIREMENT} required but not installed. Aborting."; exit 1; }
done done
echo -e "${INFO}Self-test"
if command -v trivy > /dev/null; then
trivy conf ../
else
echo -e "${INFO}Skipping validation of Dockerfile with trivy, because it's not installed."
fi
shellcheck "${0}"
cd ../../ cd ../../
echo -e "${INFO}Role-test"
ansible-lint -x no-loop-var-prefix,command-instead-of-module tests/local/docker-playbook.yml
docker build -t ${DOCKER_CONTAINER_NAME} tests/ docker build -t ${DOCKER_CONTAINER_NAME} tests/
docker run -it --name ${DOCKER_CONTAINER_NAME} -d -p 5000:22 ${DOCKER_CONTAINER_NAME} docker run -it --name ${DOCKER_CONTAINER_NAME} -d -p 5000:22 ${DOCKER_CONTAINER_NAME}
pwd
ansible-playbook --inventory "tests/local/docker-inventory.ini" --user "root" --tags ci "tests/local/docker-playbook.yml" ansible-playbook --inventory "tests/local/docker-inventory.ini" --user "root" --tags ci "tests/local/docker-playbook.yml"
docker stop ${DOCKER_CONTAINER_NAME} docker stop ${DOCKER_CONTAINER_NAME} &> /dev/null
docker rm ${DOCKER_CONTAINER_NAME} docker rm ${DOCKER_CONTAINER_NAME} &> /dev/null
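Review bot: Nothing after the requirement check stops the script on failure: `ansible-lint`, `docker build`, `docker run` and `ansible-playbook` run unconditionally and their exit codes are dropped, so the cleanup at the bottom always runs and the script exits 0 even when the role test failed; `set -euo pipefail` at the top plus moving the silenced `docker stop`/`docker rm` into a `trap … EXIT` cleanup keeps the workspace tidy without masking a failed run. The `docker run … -p 5000:22` still publishes the container's port 22 on every host interface although the Dockerfile in this commit no longer installs sshd and the playbook uses `connection: docker`, so the mapping can go. `${DOCKER_CONTAINER_NAME}` is unquoted in the `docker` calls, which the `shellcheck "${0}"` self-test added in this commit will report.

```shell
set -euo pipefail
cd "$( dirname "${0}" )"
# … unchanged: colour codes, INFO/ERROR, DOCKER_CONTAINER_NAME, requirement check …
cleanup() {
  docker stop "${DOCKER_CONTAINER_NAME}" &> /dev/null || true
  docker rm "${DOCKER_CONTAINER_NAME}" &> /dev/null || true
}
trap cleanup EXIT
# … unchanged: self-test, cd ../../, ansible-lint …
docker build -t "${DOCKER_CONTAINER_NAME}" tests/
docker run -it --name "${DOCKER_CONTAINER_NAME}" -d "${DOCKER_CONTAINER_NAME}"
# … unchanged: ansible-playbook invocation …
```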