diff --git a/devops/scripts/run_prod_testinfra b/devops/scripts/run_prod_testinfra
index a8011886be6..22393d93d77 100755
--- a/devops/scripts/run_prod_testinfra
+++ b/devops/scripts/run_prod_testinfra
@@ -23,7 +23,7 @@ echo "Installing test dependencies, this may take a while..."
 torify python3 -m pip install --quiet --no-deps --require-hashes -r securedrop/requirements/python3/develop-requirements.txt
 cd molecule/testinfra
-CI_SD_ENV=${TEST_ENV:-prod} SECUREDROP_TESTINFRA_TARGET_HOST=${TEST_ENV:-prod} py.test -v -n 4 --disable-warnings -m "not skip_in_prod"
+CI_SD_ENV=${TEST_ENV:-prod} SECUREDROP_TESTINFRA_TARGET_HOST=${TEST_ENV:-prod} py.test -v -n 2 --disable-warnings -m "not skip_in_prod"
 deactivate
 echo "--------"
diff --git a/molecule/testinfra/app/apache/test_apache_system_config.py b/molecule/testinfra/app/apache/test_apache_system_config.py
index 1b26842982c..0b363fc0134 100644
--- a/molecule/testinfra/app/apache/test_apache_system_config.py
+++ b/molecule/testinfra/app/apache/test_apache_system_config.py
@@ -158,9 +158,11 @@ def test_apache_logfiles_no_extras(host):
 `test_apache_logfiles_present` config test. Here, we confirm that the total number of Apache logfiles exactly matches the number permitted on the Application Server, whether staging or prod.
+ Long-running instances may have rotated and gzipped logfiles, so this
+ test should only look for files ending in '.log'.
 """
 # We need elevated privileges to read files inside /var/log/apache2
 with host.sudo():
- c = host.run("find /var/log/apache2 -mindepth 1 | wc -l")
+ c = host.run("find /var/log/apache2 -mindepth 1 -name '*.log' | wc -l")
 assert int(c.stdout) == \
 len(securedrop_test_vars.allowed_apache_logfiles)
diff --git a/molecule/testinfra/common/test_user_config.py b/molecule/testinfra/common/test_user_config.py
index f687ea64cec..6e2ef4b259f 100644
--- a/molecule/testinfra/common/test_user_config.py
+++ b/molecule/testinfra/common/test_user_config.py
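Review bot: Restricting the count to `-name '*.log'` in `test_apache_logfiles_no_extras` means any file under /var/log/apache2 whose name does not end in `.log` is no longer counted, so an unexpected extra file there would pass a test whose docstring says it confirms the total is exactly the permitted number. If the goal is only to tolerate rotation artifacts, excluding them keeps the rest of the check, for example `c = host.run("find /var/log/apache2 -mindepth 1 ! -name '*.log.*' | wc -l")`. The comparison is also by count rather than by name, so a missing expected file and an extra `.log` file would cancel out. The docstring attributes the presence check to `test_apache_logfiles_present`, which is outside this hunk.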
@@ -84,6 +84,7 @@ def test_tmux_installed(host):
 assert host.package("tmux").is_installed
+@pytest.mark.skip_in_prod
 def test_sudoers_tmux_env_deprecated(host):
 """
 Previous version of the Ansible config set the tmux config
diff --git a/molecule/testinfra/mon/test_mon_network.py b/molecule/testinfra/mon/test_mon_network.py
index da3714f8307..01ec6d5bd3d 100644
--- a/molecule/testinfra/mon/test_mon_network.py
+++ b/molecule/testinfra/mon/test_mon_network.py
@@ -45,6 +45,7 @@ def test_mon_iptables_rules(host):
 assert iptables_expected == iptables
+@pytest.mark.skip_in_prod
 @pytest.mark.parametrize('ossec_service', [
 dict(host="0.0.0.0", proto="tcp", port=22, listening=True),
 dict(host="0.0.0.0", proto="udp", port=1514, listening=True),
diff --git a/molecule/testinfra/vars/prod.yml b/molecule/testinfra/vars/prod.yml
index c28774f7acd..ee6c7ec135d 100644
--- a/molecule/testinfra/vars/prod.yml
+++ b/molecule/testinfra/vars/prod.yml
@@ -42,7 +42,7 @@ apparmor_enforce:
 - "/usr/lib/NetworkManager/nm-dhcp-client.action"
 - "/usr/lib/connman/scripts/dhclient-script"
 - "/usr/sbin/ntpd"
- - "/usr/sbin/tcpdump"
+ - "/usr/sbin/haveged"
 - "system_tor"
 - "/usr/sbin/apache2"
 - "/usr/sbin/apache2//DEFAULT_URI"
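Review bot: The `@pytest.mark.skip_in_prod` added above `test_sudoers_tmux_env_deprecated` gives no reason, and the same is true of the marker added in molecule/testinfra/mon/test_mon_network.py. A later reader cannot tell whether the check is wrong for production or production is expected to fail it. A one-line comment above each marker would record that, e.g. `# skip_in_prod: <why this check does not hold on production instances>`. The test body continues past the end of the hunk, and the `pytest` import is assumed to exist in the unchanged part of the file.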
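Review bot: Marking the whole parametrized listener check `skip_in_prod` removes every listening-socket assertion for the monitor server from production runs, including the `0.0.0.0` tcp/22 and udp/1514 cases visible here. If only some entries differ in production (presumably the SSH bind address, though the hunk does not say), more coverage would survive by reading the expected listeners from the per-environment vars file and leaving the test enabled. The parametrize list and the test function continue outside the hunk, so the full set of affected cases is not visible.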
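Review bot: Replacing `/usr/sbin/tcpdump` with `/usr/sbin/haveged` in `apparmor_enforce` drops tcpdump from the production expectations without saying why. If tcpdump can still be present on production hosts, the enforce mode of its profile is no longer asserted by whatever test consumes this list, which is not shown here. A comment on the entry, such as `# tcpdump dropped from prod expectations: <reason>`, would make the intent reviewable. The staging vars file should be checked for whether it needs the same change.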