spurious testinfra failures when servers have non-default hostnames #6145

Closed
cfm opened this issue Oct 18, 2021 · 1 comment · Fixed by #6153


cfm commented Oct 18, 2021

Description

If a production instance is configured with hostnames other than the recommended app and mon, securedrop-admin verify will report spurious testinfra failures.

First noticed in #6127 (comment).

Steps to Reproduce

  1. securedrop-admin sdconfig with non-default hostnames, e.g. those provisioned by molecule create -s libvirt-prod-focal:
    app_hostname: app-prod
    monitor_hostname: mon-prod
  2. securedrop-admin install
  3. securedrop-admin setup -t
  4. securedrop-admin verify

Expected Behavior

All testinfra tests pass.

Actual Behavior

Hostname-dependent testinfra tests fail, including:

  • app/test_ossec_agent.py::test_hosts_files
  • mon/test_ossec_server.py::test_ossec_connectivity
  • mon/test_ossec_server.py::test_hosts_files
  • mon/test_postfix.py::test_postfix_generic_maps

Comments

Originally posted by @zenmonkeykstop in #6103 (comment):

testinfra tests take their expected values from a bunch of variables in a yaml file, with some of said values (like server IPs) in prod runs being overridden from the install_files/ansible-base/group_vars/all/site-specific file created by ./securedrop-admin sdconfig. Looks like the server hostnames are not being overridden. So if they're not named according to the reccos in the docs I'd expect to see this error. Would be an easy fix to override them too methinks - check molecule/testinfra/conftest.py.

_prod_override('app_ip', 'app_ip')
_prod_override('mon_ip', 'monitor_ip')


cfm commented Oct 19, 2021

It turns out it's not enough to do—

--- a/molecule/testinfra/conftest.py
+++ b/molecule/testinfra/conftest.py
@@ -47,7 +47,9 @@ def securedrop_import_testinfra_vars(hostname, with_header=False):
                 hostvars[vars_key] = prodvars[prod_key]
 
         _prod_override('app_ip', 'app_ip')
+        _prod_override('app_hostname', 'app_hostname')
         _prod_override('mon_ip', 'monitor_ip')
+        _prod_override('mon_hostname', 'monitor_hostname')
         _prod_override('sasl_domain', 'sasl_domain')
         _prod_override('sasl_username', 'sasl_username')
         _prod_override('sasl_password', 'sasl_password')
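
Review bot: overriding `app_hostname` and `mon_hostname` in place, at the two added `_prod_override` calls, changes those values for every consumer of the hostvars, not only for the tests that assert on hostnames. If any consumer uses them as connection names, it will now receive the configured names instead. Consider writing the configured names to separate keys that only the hostname assertions read, and add a comment noting that `mon_hostname` is fed from `monitor_hostname`, unlike `app_hostname`, whose key is the same on both sides.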

—because then remote Ansible runs (i.e., securedrop-admin verify) will fail trying to connect to the servers by their {app,monitor}_hostnames, for which there are no aliases in ~/.ssh/config. That is, securedrop-admin tailsconfig always aliases the servers as app and mon, whatever their configured hostnames. That seems proper for connection aliases, so we'll have to find a cleverer way of overriding or injecting the configured hostnames here.
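
The failure described in the comment above, next to one possible way of separating connection aliases from expected hostnames, as an added example (not SecureDrop's code and not taken from the fix in #6153). It assumes the same hostvars key serves both as the connection name and as the expected hostname; the `expected_*` keys, the function names and all sample values are hypothetical.

```python
# Added illustration, not the code in molecule/testinfra/conftest.py.
# Every name and value here is constructed for the example.

# Defaults as a testinfra vars file might define them.
DEFAULTS = {"app_hostname": "app", "mon_hostname": "mon",
            "app_ip": "10.0.1.2", "mon_ip": "10.0.1.3"}

# Values as sdconfig might write them for the instance in the issue.
SITE_SPECIFIC = {"app_hostname": "app-prod", "monitor_hostname": "mon-prod",
                 "app_ip": "10.20.2.2", "monitor_ip": "10.20.3.2"}

# Per the issue, tailsconfig always aliases the servers as app and mon.
SSH_ALIASES = {"app", "mon"}

# (testinfra key, site-specific key) pairs, as in the _prod_override calls.
OVERRIDES = [("app_ip", "app_ip"), ("app_hostname", "app_hostname"),
             ("mon_ip", "monitor_ip"), ("mon_hostname", "monitor_hostname")]


def override_in_place(defaults, site):
    """Replace hostnames directly, so connections use the configured names."""
    merged = dict(defaults)
    for vars_key, prod_key in OVERRIDES:
        if prod_key in site:
            merged[vars_key] = site[prod_key]
    return merged


def override_split(defaults, site):
    """Keep the alias for connecting; put the configured name in expected_*."""
    merged = dict(defaults)
    for vars_key, prod_key in OVERRIDES:
        if prod_key not in site:
            continue
        if vars_key.endswith("_hostname"):
            merged["expected_" + vars_key] = site[prod_key]
        else:
            merged[vars_key] = site[prod_key]
    for key in ("app_hostname", "mon_hostname"):
        # With no site override, the test expects the alias itself.
        merged.setdefault("expected_" + key, merged[key])
    return merged


def unreachable(merged):
    """Connection names that have no matching SSH alias."""
    names = {merged["app_hostname"], merged["mon_hostname"]}
    return sorted(names - SSH_ALIASES)
```

With the sample values, `unreachable(override_in_place(...))` lists both configured hostnames, while `override_split(...)` leaves the connection names as `app` and `mon` and exposes `app-prod` and `mon-prod` only through the `expected_*` keys.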
