Created
March 30, 2019 01:33
-
-
Save chaim1221/ba5655497768e081c88f4d5c7d1aabec to your computer and use it in GitHub Desktop.
kitchen gist :p
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| celiyah@ce-t430-dev:~/Code/machete-kvm/src$ kitchen verify | |
| -----> Starting Kitchen (v1.23.2) | |
| -----> Creating <hv-debian-9>... | |
| Bringing machine 'default' up with 'virtualbox' provider... | |
| ==> default: Importing base box 'bento/debian-9'... | |
| ==> default: Matching MAC address for NAT networking... | |
| ==> default: Checking if box 'bento/debian-9' version '201812.27.0' is up to date... | |
| ==> default: Setting the name of the VM: kitchen-src-hv-debian-9 | |
| ==> default: Fixed port collision for 22 => 2222. Now on port 2200. | |
| ==> default: Clearing any previously set network interfaces... | |
| ==> default: Preparing network interfaces based on configuration... | |
| default: Adapter 1: nat | |
| ==> default: Forwarding ports... | |
| default: 22 (guest) => 2200 (host) (adapter 1) | |
| ==> default: Running 'pre-boot' VM customizations... | |
| ==> default: Booting VM... | |
| ==> default: Waiting for machine to boot. This may take a few minutes... | |
| default: SSH address: 127.0.0.1:2200 | |
| default: SSH username: vagrant | |
| default: SSH auth method: private key | |
| default: | |
| default: Vagrant insecure key detected. Vagrant will automatically replace | |
| default: this with a newly generated keypair for better security. | |
| default: | |
| default: Inserting generated public key within guest... | |
| default: Removing insecure key from the guest if it's present... | |
| default: Key inserted! Disconnecting and reconnecting using new SSH key... | |
| ==> default: Machine booted and ready! | |
| ==> default: Checking for guest additions in VM... | |
| default: The guest additions on this VM do not match the installed version of | |
| default: VirtualBox! In most cases this is fine, but in rare cases it can | |
| default: prevent things such as shared folders from working properly. If you see | |
| default: shared folder errors, please make sure the guest additions within the | |
| default: virtual machine match the version of VirtualBox you have installed on | |
| default: your host and reload your VM. | |
| default: | |
| default: Guest Additions Version: 5.2.22 | |
| default: VirtualBox Version: 6.0 | |
| ==> default: Setting hostname... | |
| ==> default: Mounting shared folders... | |
| default: /tmp/omnibus/cache => /home/celiyah/.kitchen/cache | |
| ==> default: Machine not provisioned because `--no-provision` is specified. | |
| [SSH] Established | |
| Vagrant instance <hv-debian-9> created. | |
| Finished creating <hv-debian-9> (1m2.81s). | |
| -----> Converging <hv-debian-9>... | |
| Preparing files for transfer | |
| Preparing dna.json | |
| Resolving cookbook dependencies with Berkshelf 7.0.6... | |
| Removing non-cookbook files before transfer | |
| Preparing validation.pem | |
| Preparing client.rb | |
| -----> Installing Chef Omnibus (install only if missing) | |
| Downloading https://omnitruck.chef.io/install.sh to file /tmp/install.sh | |
| Trying wget... | |
| Download complete. | |
| debian 9 x86_64 | |
| Getting information for chef stable for debian... | |
| downloading https://omnitruck.chef.io/stable/chef/metadata?v=&p=debian&pv=9&m=x86_64 | |
| to file /tmp/install.sh.1007/metadata.txt | |
| trying wget... | |
| sha1 2c6ea2da9f18be3cc33b3f8cc16319bb15a34f59 | |
| sha256 b8cb3bb5e5a83010c3fdc1b87caf5b81292ecd5cf5b6b9a699ea010cfc4eb32b | |
| url https://packages.chef.io/files/stable/chef/14.11.21/debian/9/chef_14.11.21-1_amd64.deb | |
| version 14.11.21 | |
| downloaded metadata file looks valid... | |
| /tmp/omnibus/cache/chef_14.11.21-1_amd64.deb exists | |
| Comparing checksum with sha256sum... | |
| WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING | |
| You are installing an omnibus package without a version pin. If you are installing | |
| on production servers via an automated process this is DANGEROUS and you will | |
| be upgraded without warning on new releases, even to new major releases. | |
| Letting the version float is only appropriate in desktop, test, development or | |
| CI/CD environments. | |
| WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING | |
| Installing chef | |
| installing with dpkg... | |
| Selecting previously unselected package chef. | |
| (Reading database ... 29681 files and directories currently installed.) | |
| Preparing to unpack .../chef_14.11.21-1_amd64.deb ... | |
| Unpacking chef (14.11.21-1) ... | |
| Setting up chef (14.11.21-1) ... | |
| Thank you for installing Chef! | |
| Transferring files to <hv-debian-9> | |
| Starting Chef Client, version 14.11.21 | |
| Creating a new client identity for hv-debian-9 using the validator key. | |
| resolving cookbooks for run list: ["machete.kvm::tools", "machete.kvm::kvm", "machete.kvm::firewall"] | |
| Synchronizing Cookbooks: | |
| - sshd (2.0.0) | |
| - machete.kvm (0.1.8) | |
| - firewall (2.7.0) | |
| - git (9.0.1) | |
| - docker (4.9.2) | |
| - chef-sugar (5.0.1) | |
| - iproute2 (2.0.1) | |
| - build-essential (8.2.1) | |
| - mingw (2.1.0) | |
| - seven_zip (3.1.0) | |
| - windows (5.3.0) | |
| Installing Cookbook Gems: | |
| Compiling Cookbooks... | |
| Recipe: iproute2::default | |
| * apt_package[iproute] action install | |
| - install version 1:4.9.0-1+deb9u1 of package iproute | |
| Converging 27 resources | |
| Recipe: git::package | |
| * git_client[default] action install | |
| * apt_package[default :create git] action install | |
| - install version 1:2.11.0-3+deb9u4 of package git | |
| Recipe: machete.kvm::tools | |
| * apt_package[lsof, nano, tree, vim, wget, curl, sudo, telnet, net-tools] action install | |
| - install version 1.7.0-5 of package tree | |
| - install version 2:8.0.0197-4+deb9u1 of package vim | |
| * apt_package[iputils-ping] action install (up to date) | |
| Recipe: machete.kvm::kvm | |
| * execute[apt-get update] action run | |
| - execute sudo apt-get update | |
| * apt_package[qemu-kvm] action install | |
| - install version 1:2.8+dfsg-6+deb9u5 of package qemu-kvm | |
| * apt_package[libvirt-daemon] action install | |
| - install version 3.0.0-4+deb9u3 of package libvirt-daemon | |
| * apt_package[virtinst] action install | |
| - install version 1:1.4.0-5 of package virtinst | |
| * apt_package[virt-manager] action install | |
| - install version 1:1.4.0-5 of package virt-manager | |
| * apt_package[virt-viewer] action install (up to date) | |
| * apt_package[bridge-utils] action install (up to date) | |
| * group[libvirtd] action create | |
| - create group libvirtd | |
| Recipe: firewall::default | |
| * firewall[default] action install | |
| * apt_package[iptables-persistent] action install | |
| - install version 1.0.4+nmu2 of package iptables-persistent | |
| * service[netfilter-persistent] action enable (up to date) | |
| * service[netfilter-persistent] action start (up to date) | |
| * apt_package[iptables-persistent] action nothing (skipped due to action :nothing) | |
| * service[netfilter-persistent] action nothing (skipped due to action :nothing) | |
| * firewall_rule[allow loopback] action create | |
| * firewall_rule[allow icmp] action create (skipped due to only_if) | |
| * firewall_rule[allow world to ssh] action create | |
| * firewall_rule[allow world to winrm] action create (skipped due to only_if) | |
| * firewall_rule[allow world to mosh] action create (skipped due to only_if) | |
| * firewall_rule[established] action create | |
| * firewall_rule[ipv6_icmp] action create (skipped due to only_if) | |
| Recipe: iproute2::default | |
| * apt_package[iproute] action nothing (skipped due to action :nothing) | |
| Recipe: machete.kvm::firewall | |
| * openssh_server[/etc/ssh/sshd_config] action create | |
| * execute[check_sshd_config] action nothing (skipped due to action :nothing) | |
| * service[ssh] action nothing (skipped due to action :nothing) | |
| * template[/etc/ssh/sshd_config] action create | |
| - update content in file /etc/ssh/sshd_config from bdda5b to 9dcbe4 | |
| --- /etc/ssh/sshd_config 2018-12-27 04:14:21.260000000 +0000 | |
| +++ /etc/ssh/.chef-sshd_config20190330-1081-4kg9td 2019-03-30 00:57:07.638137787 +0000 | |
| @@ -1,126 +1,26 @@ | |
| -# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ | |
| - | |
| -# This is the sshd server system-wide configuration file. See | |
| -# sshd_config(5) for more information. | |
| - | |
| -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin | |
| - | |
| -# The strategy used for options in the default sshd_config shipped with | |
| -# OpenSSH is to specify options with their default value where | |
| -# possible, but leave them commented. Uncommented options override the | |
| -# default value. | |
| - | |
| -#Port 22 | |
| -#AddressFamily any | |
| -#ListenAddress 0.0.0.0 | |
| -#ListenAddress :: | |
| - | |
| -#HostKey /etc/ssh/ssh_host_rsa_key | |
| -#HostKey /etc/ssh/ssh_host_ecdsa_key | |
| -#HostKey /etc/ssh/ssh_host_ed25519_key | |
| - | |
| -# Ciphers and keying | |
| -#RekeyLimit default none | |
| - | |
| -# Logging | |
| -#SyslogFacility AUTH | |
| -#LogLevel INFO | |
| - | |
| -# Authentication: | |
| - | |
| -#LoginGraceTime 2m | |
| -#PermitRootLogin prohibit-password | |
| -#StrictModes yes | |
| -#MaxAuthTries 6 | |
| -#MaxSessions 10 | |
| - | |
| -#PubkeyAuthentication yes | |
| - | |
| -# Expect .ssh/authorized_keys2 to be disregarded by default in future. | |
| -#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 | |
| - | |
| -#AuthorizedPrincipalsFile none | |
| - | |
| -#AuthorizedKeysCommand none | |
| -#AuthorizedKeysCommandUser nobody | |
| - | |
| -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | |
| -#HostbasedAuthentication no | |
| -# Change to yes if you don't trust ~/.ssh/known_hosts for | |
| -# HostbasedAuthentication | |
| -#IgnoreUserKnownHosts no | |
| -# Don't read the user's ~/.rhosts and ~/.shosts files | |
| -#IgnoreRhosts yes | |
| - | |
| -# To disable tunneled clear text passwords, change to no here! | |
| -#PasswordAuthentication yes | |
| -#PermitEmptyPasswords no | |
| - | |
| -# Change to yes to enable challenge-response passwords (beware issues with | |
| -# some PAM modules and threads) | |
| +# | |
| +# Generated by Chef for hv-debian-9.vagrantup.com. | |
| +# Local modifications will be overwritten. | |
| +# | |
| +Port 22 | |
| +AcceptEnv LANG LC_* | |
| ChallengeResponseAuthentication no | |
| - | |
| -# Kerberos options | |
| -#KerberosAuthentication no | |
| -#KerberosOrLocalPasswd yes | |
| -#KerberosTicketCleanup yes | |
| -#KerberosGetAFSToken no | |
| - | |
| -# GSSAPI options | |
| -#GSSAPIAuthentication no | |
| -#GSSAPICleanupCredentials yes | |
| -#GSSAPIStrictAcceptorCheck yes | |
| -#GSSAPIKeyExchange no | |
| - | |
| -# Set this to 'yes' to enable PAM authentication, account processing, | |
| -# and session processing. If this is enabled, PAM authentication will | |
| -# be allowed through the ChallengeResponseAuthentication and | |
| -# PasswordAuthentication. Depending on your PAM configuration, | |
| -# PAM authentication via ChallengeResponseAuthentication may bypass | |
| -# the setting of "PermitRootLogin without-password". | |
| -# If you just want the PAM account and session checks to run without | |
| -# PAM authentication, then enable this but set PasswordAuthentication | |
| -# and ChallengeResponseAuthentication to 'no'. | |
| +GSSAPIAuthentication yes | |
| +GSSAPICleanupCredentials no | |
| +HostKey /etc/ssh/ssh_host_rsa_key | |
| +HostKey /etc/ssh/ssh_host_ed25519_key | |
| +HostKey /etc/ssh/ssh_host_ecdsa_key | |
| +HostbasedAuthentication no | |
| +IgnoreRhosts yes | |
| +MaxAuthTries 4 | |
| +PasswordAuthentication no | |
| +PermitEmptyPasswords no | |
| +PermitRootLogin no | |
| +PrintMotd no | |
| +Protocol 2 | |
| +Subsystem sftp /usr/libexec/openssh/sftp-server | |
| +SyslogFacility AUTH | |
| UsePAM yes | |
| +X11Forwarding no | |
| -#AllowAgentForwarding yes | |
| -#AllowTcpForwarding yes | |
| -#GatewayPorts no | |
| -X11Forwarding yes | |
| -#X11DisplayOffset 10 | |
| -#X11UseLocalhost yes | |
| -#PermitTTY yes | |
| -PrintMotd no | |
| -#PrintLastLog yes | |
| -#TCPKeepAlive yes | |
| -#UseLogin no | |
| -#UsePrivilegeSeparation sandbox | |
| -#PermitUserEnvironment no | |
| -#Compression delayed | |
| -#ClientAliveInterval 0 | |
| -#ClientAliveCountMax 3 | |
| -#UseDNS no | |
| -#PidFile /var/run/sshd.pid | |
| -#MaxStartups 10:30:100 | |
| -#PermitTunnel no | |
| -#ChrootDirectory none | |
| -#VersionAddendum none | |
| - | |
| -# no default banner path | |
| -#Banner none | |
| - | |
| -# Allow client to pass locale environment variables | |
| -AcceptEnv LANG LC_* | |
| - | |
| -# override default of no subsystems | |
| -Subsystem sftp /usr/lib/openssh/sftp-server | |
| - | |
| -# Example of overriding settings on a per-user basis | |
| -#Match User anoncvs | |
| -# X11Forwarding no | |
| -# AllowTcpForwarding no | |
| -# PermitTTY no | |
| -# ForceCommand cvs server | |
| -UseDNS no | |
| -GSSAPIAuthentication no | |
| * execute[check_sshd_config] action run | |
| - execute /usr/sbin/sshd -t -f /etc/ssh/sshd_config | |
| * service[ssh] action restart | |
| - restart service service[ssh] | |
| * firewall_rule[local loopback] action create | |
| * firewall_rule[deny icmp in] action create | |
| * firewall_rule[ssh] action create | |
| * firewall_rule[ssh] action create | |
| * firewall_rule[https] action create (skipped due to only_if) | |
| * iproute2_link[docker0] action delete[2019-03-30T00:57:07+00:00] ERROR: iproute2_link[docker0] (machete.kvm::firewall line 87) had an error: RuntimeError: /sbin/ip link set dev docker0 down failed: | |
| ----- stderr ----- | |
| Cannot find device "docker0" | |
| ------ stdout ----- | |
| ; ignore_failure is set, continuing | |
| ================================================================================ | |
| Error executing action `delete` on resource 'iproute2_link[docker0]' | |
| ================================================================================ | |
| RuntimeError | |
| ------------ | |
| /sbin/ip link set dev docker0 down failed: | |
| ----- stderr ----- | |
| Cannot find device "docker0" | |
| ------ stdout ----- | |
| Cookbook Trace: | |
| --------------- | |
| /tmp/kitchen/cache/cookbooks/iproute2/libraries/default.rb:9:in `shellout' | |
| /tmp/kitchen/cache/cookbooks/iproute2/libraries/link.rb:112:in `shellout' | |
| /tmp/kitchen/cache/cookbooks/iproute2/libraries/link.rb:45:in `state=' | |
| /tmp/kitchen/cache/cookbooks/iproute2/resources/link.rb:71:in `block (2 levels) in class_from_file' | |
| /tmp/kitchen/cache/cookbooks/iproute2/resources/link.rb:71:in `block in class_from_file' | |
| Resource Declaration: | |
| --------------------- | |
| # In /tmp/kitchen/cache/cookbooks/machete.kvm/recipes/firewall.rb | |
| 87: ip_link 'docker0' do | |
| 88: type 'bridge' | |
| 89: state 'down' | |
| 90: action :delete | |
| 91: | |
| 92: ignore_failure true # for idempotency | |
| 93: end | |
| Compiled Resource: | |
| ------------------ | |
| # Declared in /tmp/kitchen/cache/cookbooks/machete.kvm/recipes/firewall.rb:87:in `from_file' | |
| iproute2_link("docker0") do | |
| action [:delete] | |
| default_guard_interpreter :default | |
| declared_type :ip_link | |
| cookbook_name "machete.kvm" | |
| recipe_name "firewall" | |
| type "bridge" | |
| state "down" | |
| ignore_failure true | |
| device "docker0" | |
| end | |
| System Info: | |
| ------------ | |
| chef_version=14.11.21 | |
| platform=debian | |
| platform_version=9.6 | |
| ruby=ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux] | |
| program_name=/opt/chef/bin/chef-client | |
| executable=/opt/chef/bin/chef-client | |
| Recipe: firewall::default | |
| * firewall[default] action restart | |
| (skipped due to only_if) | |
| (skipped due to only_if) | |
| (skipped due to only_if) | |
| (skipped due to only_if) | |
| (skipped due to only_if) | |
| * file[/etc/iptables/rules.v4] action create | |
| - update content in file /etc/iptables/rules.v4 from 99d4c2 to 402ecf | |
| --- /etc/iptables/rules.v4 2019-03-30 00:57:07.070421766 +0000 | |
| +++ /etc/iptables/.chef-rules20190330-1081-dgqhs3.v4 2019-03-30 00:57:07.945983798 +0000 | |
| @@ -1,8 +1,21 @@ | |
| -# Generated by iptables-save v1.6.0 on Sat Mar 30 00:57:07 2019 | |
| +# position 1 | |
| *filter | |
| -:INPUT ACCEPT [34:24119] | |
| -:FORWARD ACCEPT [0:0] | |
| -:OUTPUT ACCEPT [35:3133] | |
| +# position 2 | |
| +:INPUT DROP | |
| +# position 3 | |
| +:FORWARD DROP | |
| +# position 4 | |
| +:OUTPUT ACCEPT | |
| +# position 5 | |
| +-A INPUT -p icmp --icmp-type any -j DROP | |
| +# position 50 | |
| +-A INPUT -i lo -m comment --comment "allow loopback" -j ACCEPT | |
| +-A INPUT -p tcp -m tcp -m multiport --dports 22 -m comment --comment "allow world to ssh" -j ACCEPT | |
| +-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "established" -j ACCEPT | |
| +-A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 22 -m state --state NEW,ESTABLISHED -m comment --comment "ssh" -j ACCEPT | |
| +-A OUTPUT -p tcp -m tcp -m multiport --dports 22 -m state --state ESTABLISHED -m comment --comment "ssh" -j ACCEPT | |
| +# position 51 | |
| +-A OUTPUT -o lo -j ACCEPT | |
| +# position 100 | |
| COMMIT | |
| -# Completed on Sat Mar 30 00:57:07 2019 | |
| * service[netfilter-persistent] action restart | |
| - restart service service[netfilter-persistent] | |
| Running handlers: | |
| Running handlers complete | |
| Chef Client finished, 26/46 resources updated in 01 minutes 57 seconds | |
| Downloading files from <hv-debian-9> | |
| Finished converging <hv-debian-9> (2m29.38s). | |
| -----> Setting up <hv-debian-9>... | |
| Finished setting up <hv-debian-9> (0m0.00s). | |
| -----> Verifying <hv-debian-9>... | |
| Loaded tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.tools"} | |
| Loaded tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.kvm"} | |
| Loaded tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.firewall"} | |
| Profile: tests from {:path=>"/home/celiyah/Code/machete-kvm/src/test/integration/tools"} (tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.tools"}) | |
| Version: (not specified) | |
| Target: ssh://vagrant@127.0.0.1:2200 | |
| ✔ debian mothership: System Package vim | |
| ✔ System Package vim should be installed | |
| ✔ System Package iputils-ping should be installed | |
| ↺ rhel mothership: Operating System Detection | |
| ↺ Skipped control due to only_if condition. | |
| ✔ any mothership: System Package git | |
| ✔ System Package git should be installed | |
| ✔ System Package lsof should be installed | |
| ✔ System Package nano should be installed | |
| ✔ System Package tree should be installed | |
| ✔ System Package wget should be installed | |
| ✔ System Package curl should be installed | |
| ✔ System Package sudo should be installed | |
| ✔ System Package telnet should be installed | |
| ✔ System Package net-tools should be installed | |
| Profile: tests from {:path=>"/home/celiyah/Code/machete-kvm/src/test/integration/kvm"} (tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.kvm"}) | |
| Version: (not specified) | |
| Target: ssh://vagrant@127.0.0.1:2200 | |
| ✔ debian mothership: System Package qemu-kvm | |
| ✔ System Package qemu-kvm should be installed | |
| ✔ System Package libvirt-daemon should be installed | |
| ✔ System Package virtinst should be installed | |
| ↺ rhel mothership: Operating System Detection | |
| ↺ Skipped control due to only_if condition. | |
| ✔ any mothership: Groups with name == "libvirtd" | |
| ✔ Groups with name == "libvirtd" should exist | |
| ✔ Groups with name == "libvirtd" members should include "root" | |
| Profile: tests from {:path=>"/home/celiyah/Code/machete-kvm/src/test/integration/firewall"} (tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.firewall"}) | |
| Version: (not specified) | |
| Target: ssh://vagrant@127.0.0.1:2200 | |
| ✔ debian mothership: debian mothership firewall | |
| ✔ Service ufw should not be running | |
| ✔ Service netfilter-persistent should be enabled | |
| ✔ Service netfilter-persistent should be running | |
| ↺ rhel mothership: rhel mothership firewall | |
| ↺ Skipped control due to only_if condition. | |
| ✔ any mothership: mothership firewall | |
| ✔ Service sshd should be installed | |
| ✔ Service sshd should be enabled | |
| ✔ Service sshd should be running | |
| ✔ SSHD Configuration Port should cmp == 22 | |
| ✔ SSHD Configuration PermitRootLogin should eq "no" | |
| ✔ SSHD Configuration MaxAuthTries should cmp == 4 | |
| ✔ SSHD Configuration HostbasedAuthentication should eq "no" | |
| ✔ SSHD Configuration IgnoreRhosts should eq "yes" | |
| ✔ SSHD Configuration PermitEmptyPasswords should eq "no" | |
| ✔ SSHD Configuration PasswordAuthentication should eq "no" | |
| ✔ SSHD Configuration ChallengeResponseAuthentication should eq "no" | |
| ✔ SSHD Configuration GSSAPIAuthentication should eq "yes" | |
| ✔ SSHD Configuration GSSAPICleanupCredentials should eq "no" | |
| ✔ SSHD Configuration UsePAM should eq "yes" | |
| ✔ SSHD Configuration X11Forwarding should eq "no" | |
| ✔ SSHD Configuration Subsystem should match "sftp\t/usr/libexec/openssh/sftp-server" | |
| ✔ SSHD Configuration Protocol should cmp == 2 | |
| ✔ Iptables should have rule "-P INPUT DROP" | |
| ✔ Iptables should have rule "-P FORWARD DROP" | |
| ✔ Iptables should have rule "-P OUTPUT ACCEPT" | |
| ✔ Iptables should have rule "-A INPUT -i lo -m comment --comment \"allow loopback\" -j ACCEPT" | |
| ✔ Iptables should have rule "-A OUTPUT -o lo -j ACCEPT" | |
| ✔ Iptables should have rule "-A INPUT -p icmp -m icmp --icmp-type any -j DROP" | |
| ✔ Iptables should have rule "-A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 22 -m state --state NEW,ESTABLISHED -m comment --comment ssh -j ACCEPT" | |
| ✔ Iptables should have rule "-A OUTPUT -p tcp -m tcp -m multiport --dports 22 -m state --state ESTABLISHED -m comment --comment ssh -j ACCEPT" | |
| Profile Summary: 6 successful controls, 0 control failures, 3 controls skipped | |
| Test Summary: 44 successful, 0 failures, 3 skipped | |
| Finished verifying <hv-debian-9> (0m2.98s). | |
| -----> Creating <hv-centos-7>... | |
| Bringing machine 'default' up with 'virtualbox' provider... | |
| ==> default: Importing base box 'bento/centos-7'... | |
| ==> default: Matching MAC address for NAT networking... | |
| ==> default: Checking if box 'bento/centos-7' version '201812.27.0' is up to date... | |
| ==> default: Setting the name of the VM: kitchen-src-hv-centos-7 | |
| ==> default: Fixed port collision for 22 => 2222. Now on port 2201. | |
| ==> default: Clearing any previously set network interfaces... | |
| ==> default: Preparing network interfaces based on configuration... | |
| default: Adapter 1: nat | |
| ==> default: Forwarding ports... | |
| default: 22 (guest) => 2201 (host) (adapter 1) | |
| ==> default: Running 'pre-boot' VM customizations... | |
| ==> default: Booting VM... | |
| ==> default: Waiting for machine to boot. This may take a few minutes... | |
| default: SSH address: 127.0.0.1:2201 | |
| default: SSH username: vagrant | |
| default: SSH auth method: private key | |
| default: Warning: Remote connection disconnect. Retrying... | |
| default: Warning: Connection reset. Retrying... | |
| default: | |
| default: Vagrant insecure key detected. Vagrant will automatically replace | |
| default: this with a newly generated keypair for better security. | |
| default: | |
| default: Inserting generated public key within guest... | |
| default: Removing insecure key from the guest if it's present... | |
| default: Key inserted! Disconnecting and reconnecting using new SSH key... | |
| ==> default: Machine booted and ready! | |
| ==> default: Checking for guest additions in VM... | |
| default: The guest additions on this VM do not match the installed version of | |
| default: VirtualBox! In most cases this is fine, but in rare cases it can | |
| default: prevent things such as shared folders from working properly. If you see | |
| default: shared folder errors, please make sure the guest additions within the | |
| default: virtual machine match the version of VirtualBox you have installed on | |
| default: your host and reload your VM. | |
| default: | |
| default: Guest Additions Version: 5.2.22 | |
| default: VirtualBox Version: 6.0 | |
| ==> default: Setting hostname... | |
| ==> default: Mounting shared folders... | |
| default: /tmp/omnibus/cache => /home/celiyah/.kitchen/cache | |
| ==> default: Machine not provisioned because `--no-provision` is specified. | |
| [SSH] Established | |
| Vagrant instance <hv-centos-7> created. | |
| Finished creating <hv-centos-7> (0m47.50s). | |
| -----> Converging <hv-centos-7>... | |
| Preparing files for transfer | |
| Preparing dna.json | |
| Resolving cookbook dependencies with Berkshelf 7.0.6... | |
| Removing non-cookbook files before transfer | |
| Preparing validation.pem | |
| Preparing client.rb | |
| -----> Installing Chef Omnibus (install only if missing) | |
| Downloading https://omnitruck.chef.io/install.sh to file /tmp/install.sh | |
| Trying wget... | |
| Download complete. | |
| el 7 x86_64 | |
| Getting information for chef stable for el... | |
| downloading https://omnitruck.chef.io/stable/chef/metadata?v=&p=el&pv=7&m=x86_64 | |
| to file /tmp/install.sh.12722/metadata.txt | |
| trying wget... | |
| sha1 8861da401e22eec58fe1565b314968fff73e03a9 | |
| sha256 633f211df89e1483341afb35230a29589e1a51e0f5f91fea5594a90d734a8c78 | |
| url https://packages.chef.io/files/stable/chef/14.11.21/el/7/chef-14.11.21-1.el7.x86_64.rpm | |
| version 14.11.21 | |
| downloaded metadata file looks valid... | |
| /tmp/omnibus/cache/chef-14.11.21-1.el7.x86_64.rpm exists | |
| Comparing checksum with sha256sum... | |
| WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING | |
| You are installing an omnibus package without a version pin. If you are installing | |
| on production servers via an automated process this is DANGEROUS and you will | |
| be upgraded without warning on new releases, even to new major releases. | |
| Letting the version float is only appropriate in desktop, test, development or | |
| CI/CD environments. | |
| WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING | |
| Installing chef | |
| installing with rpm... | |
| warning: /tmp/omnibus/cache/chef-14.11.21-1.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY | |
| Preparing... ################################# [100%] | |
| Updating / installing... | |
| 1:chef-14.11.21-1.el7 ################################# [100%] | |
| Thank you for installing Chef! | |
| Transferring files to <hv-centos-7> | |
| Starting Chef Client, version 14.11.21 | |
| Creating a new client identity for hv-centos-7 using the validator key. | |
| resolving cookbooks for run list: ["machete.kvm::tools", "machete.kvm::kvm", "machete.kvm::firewall"] | |
| Synchronizing Cookbooks: | |
| - machete.kvm (0.1.8) | |
| - git (9.0.1) | |
| - iproute2 (2.0.1) | |
| - chef-sugar (5.0.1) | |
| - build-essential (8.2.1) | |
| - seven_zip (3.1.0) | |
| - mingw (2.1.0) | |
| - sshd (2.0.0) | |
| - firewall (2.7.0) | |
| - docker (4.9.2) | |
| - windows (5.3.0) | |
| Installing Cookbook Gems: | |
| Compiling Cookbooks... | |
| Recipe: iproute2::default | |
| * yum_package[iproute] action install (up to date) | |
| Converging 27 resources | |
| Recipe: git::package | |
| * git_client[default] action install | |
| * yum_package[default :create git] action install | |
| - install version 0:1.8.3.1-20.el7.x86_64 of package git | |
| Recipe: machete.kvm::tools | |
| * yum_package[lsof, nano, tree, vim, wget, curl, sudo, telnet, net-tools] action install | |
| - install version 0:4.87-6.el7.x86_64 of package lsof | |
| - install version 0:2.3.1-10.el7.x86_64 of package nano | |
| - install version 0:1.6.0-10.el7.x86_64 of package tree | |
| - install version 2:7.4.160-5.el7.x86_64 of package vim | |
| - install version 1:0.17-64.el7.x86_64 of package telnet | |
| * yum_package[iputils] action install (up to date) | |
| Recipe: machete.kvm::kvm | |
| * execute[yum updateinfo] action run | |
| - execute yum updateinfo | |
| * yum_package[qemu-kvm] action install | |
| - install version 10:1.5.3-160.el7_6.1.x86_64 of package qemu-kvm | |
| * yum_package[libvirt] action install | |
| - install version 0:4.5.0-10.el7_6.6.x86_64 of package libvirt | |
| * yum_package[virt-install] action install | |
| - install version 0:1.5.0-1.el7.noarch of package virt-install | |
| * yum_package[virt-manager] action install | |
| - install version 0:1.5.0-1.el7.noarch of package virt-manager | |
| * yum_package[virt-viewer] action install | |
| - install version 0:5.0-11.el7.x86_64 of package virt-viewer | |
| * yum_package[bridge-utils] action install (up to date) | |
| * group[libvirtd] action create | |
| - create group libvirtd | |
| Recipe: firewall::default | |
| * firewall[default] action install | |
| * yum_package[iptables] action install (up to date) | |
| * yum_package[iptables-services] action install | |
| - install version 0:1.4.21-28.el7.x86_64 of package iptables-services | |
| * service[iptables] action enable | |
| - enable service service[iptables] | |
| * service[iptables] action start | |
| - start service service[iptables] | |
| * yum_package[iptables] action nothing (skipped due to action :nothing) | |
| * yum_package[iptables-services] action nothing (skipped due to action :nothing) | |
| * service[iptables] action nothing (skipped due to action :nothing) | |
| * firewall_rule[allow loopback] action create | |
| * firewall_rule[allow icmp] action create (skipped due to only_if) | |
| * firewall_rule[allow world to ssh] action create | |
| * firewall_rule[allow world to winrm] action create (skipped due to only_if) | |
| * firewall_rule[allow world to mosh] action create (skipped due to only_if) | |
| * firewall_rule[established] action create | |
| * firewall_rule[ipv6_icmp] action create (skipped due to only_if) | |
| Recipe: iproute2::default | |
| * yum_package[iproute] action nothing (skipped due to action :nothing) | |
| Recipe: machete.kvm::firewall | |
| * openssh_server[/etc/ssh/sshd_config] action create | |
| * execute[check_sshd_config] action nothing (skipped due to action :nothing) | |
| * service[sshd] action nothing (skipped due to action :nothing) | |
| * template[/etc/ssh/sshd_config] action create | |
| - update content in file /etc/ssh/sshd_config from 50a9d7 to 27e5ee | |
| --- /etc/ssh/sshd_config 2018-12-28 02:17:19.736288387 +0000 | |
| +++ /etc/ssh/.chef-sshd_config20190330-14113-1cuhic7 2019-03-30 00:59:46.960642507 +0000 | |
| @@ -1,141 +1,25 @@ | |
| -# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ | |
| - | |
| -# This is the sshd server system-wide configuration file. See | |
| -# sshd_config(5) for more information. | |
| - | |
| -# This sshd was compiled with PATH=/usr/local/bin:/usr/bin | |
| - | |
| -# The strategy used for options in the default sshd_config shipped with | |
| -# OpenSSH is to specify options with their default value where | |
| -# possible, but leave them commented. Uncommented options override the | |
| -# default value. | |
| - | |
| -# If you want to change the port on a SELinux system, you have to tell | |
| -# SELinux about this change. | |
| -# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER | |
| # | |
| -#Port 22 | |
| -#AddressFamily any | |
| -#ListenAddress 0.0.0.0 | |
| -#ListenAddress :: | |
| - | |
| +# Generated by Chef for hv-centos-7.vagrantup.com. | |
| +# Local modifications will be overwritten. | |
| +# | |
| +Port 22 | |
| +AcceptEnv LANG LANGUAGE LC_* XMODIFIERS | |
| +ChallengeResponseAuthentication no | |
| +GSSAPIAuthentication yes | |
| +GSSAPICleanupCredentials no | |
| HostKey /etc/ssh/ssh_host_rsa_key | |
| -#HostKey /etc/ssh/ssh_host_dsa_key | |
| -HostKey /etc/ssh/ssh_host_ecdsa_key | |
| HostKey /etc/ssh/ssh_host_ed25519_key | |
| - | |
| -# Ciphers and keying | |
| -#RekeyLimit default none | |
| - | |
| -# Logging | |
| -#SyslogFacility AUTH | |
| +HostKey /etc/ssh/ssh_host_ecdsa_key | |
| +HostbasedAuthentication no | |
| +IgnoreRhosts yes | |
| +MaxAuthTries 4 | |
| +PasswordAuthentication no | |
| +PermitEmptyPasswords no | |
| +PermitRootLogin no | |
| +Protocol 2 | |
| +Subsystem sftp /usr/libexec/openssh/sftp-server | |
| SyslogFacility AUTHPRIV | |
| -#LogLevel INFO | |
| - | |
| -# Authentication: | |
| - | |
| -#LoginGraceTime 2m | |
| -#PermitRootLogin yes | |
| -#StrictModes yes | |
| -#MaxAuthTries 6 | |
| -#MaxSessions 10 | |
| - | |
| -#PubkeyAuthentication yes | |
| - | |
| -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 | |
| -# but this is overridden so installations will only check .ssh/authorized_keys | |
| -AuthorizedKeysFile .ssh/authorized_keys | |
| - | |
| -#AuthorizedPrincipalsFile none | |
| - | |
| -#AuthorizedKeysCommand none | |
| -#AuthorizedKeysCommandUser nobody | |
| - | |
| -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | |
| -#HostbasedAuthentication no | |
| -# Change to yes if you don't trust ~/.ssh/known_hosts for | |
| -# HostbasedAuthentication | |
| -#IgnoreUserKnownHosts no | |
| -# Don't read the user's ~/.rhosts and ~/.shosts files | |
| -#IgnoreRhosts yes | |
| - | |
| -# To disable tunneled clear text passwords, change to no here! | |
| -#PasswordAuthentication yes | |
| -#PermitEmptyPasswords no | |
| -PasswordAuthentication yes | |
| - | |
| -# Change to no to disable s/key passwords | |
| -#ChallengeResponseAuthentication yes | |
| -ChallengeResponseAuthentication no | |
| - | |
| -# Kerberos options | |
| -#KerberosAuthentication no | |
| -#KerberosOrLocalPasswd yes | |
| -#KerberosTicketCleanup yes | |
| -#KerberosGetAFSToken no | |
| -#KerberosUseKuserok yes | |
| - | |
| -# GSSAPI options | |
| -GSSAPIAuthentication no | |
| -GSSAPICleanupCredentials no | |
| -#GSSAPIStrictAcceptorCheck yes | |
| -#GSSAPIKeyExchange no | |
| -#GSSAPIEnablek5users no | |
| - | |
| -# Set this to 'yes' to enable PAM authentication, account processing, | |
| -# and session processing. If this is enabled, PAM authentication will | |
| -# be allowed through the ChallengeResponseAuthentication and | |
| -# PasswordAuthentication. Depending on your PAM configuration, | |
| -# PAM authentication via ChallengeResponseAuthentication may bypass | |
| -# the setting of "PermitRootLogin without-password". | |
| -# If you just want the PAM account and session checks to run without | |
| -# PAM authentication, then enable this but set PasswordAuthentication | |
| -# and ChallengeResponseAuthentication to 'no'. | |
| -# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several | |
| -# problems. | |
| UsePAM yes | |
| +X11Forwarding no | |
| -#AllowAgentForwarding yes | |
| -#AllowTcpForwarding yes | |
| -#GatewayPorts no | |
| -X11Forwarding yes | |
| -#X11DisplayOffset 10 | |
| -#X11UseLocalhost yes | |
| -#PermitTTY yes | |
| -#PrintMotd yes | |
| -#PrintLastLog yes | |
| -#TCPKeepAlive yes | |
| -#UseLogin no | |
| -#UsePrivilegeSeparation sandbox | |
| -#PermitUserEnvironment no | |
| -#Compression delayed | |
| -#ClientAliveInterval 0 | |
| -#ClientAliveCountMax 3 | |
| -#ShowPatchLevel no | |
| -#UseDNS yes | |
| -#PidFile /var/run/sshd.pid | |
| -#MaxStartups 10:30:100 | |
| -#PermitTunnel no | |
| -#ChrootDirectory none | |
| -#VersionAddendum none | |
| - | |
| -# no default banner path | |
| -#Banner none | |
| - | |
| -# Accept locale-related environment variables | |
| -AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | |
| -AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | |
| -AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE | |
| -AcceptEnv XMODIFIERS | |
| - | |
| -# override default of no subsystems | |
| -Subsystem sftp /usr/libexec/openssh/sftp-server | |
| - | |
| -# Example of overriding settings on a per-user basis | |
| -#Match User anoncvs | |
| -# X11Forwarding no | |
| -# AllowTcpForwarding no | |
| -# PermitTTY no | |
| -# ForceCommand cvs server | |
| -UseDNS no | |
| - restore selinux security context | |
| * execute[check_sshd_config] action run | |
| - execute /sbin/sshd -t -f /etc/ssh/sshd_config | |
| * service[sshd] action restart | |
| - restart service service[sshd] | |
| * firewall_rule[local loopback] action create | |
| * firewall_rule[deny icmp in] action create | |
| * firewall_rule[ssh] action create | |
| * firewall_rule[ssh] action create | |
| * firewall_rule[https] action create (skipped due to only_if) | |
| * iproute2_link[docker0] action delete[2019-03-30T00:59:47+00:00] ERROR: iproute2_link[docker0] (machete.kvm::firewall line 87) had an error: RuntimeError: /sbin/ip link set dev docker0 down failed: | |
| ----- stderr ----- | |
| Cannot find device "docker0" | |
| ------ stdout ----- | |
| ; ignore_failure is set, continuing | |
| ================================================================================ | |
| Error executing action `delete` on resource 'iproute2_link[docker0]' | |
| ================================================================================ | |
| RuntimeError | |
| ------------ | |
| /sbin/ip link set dev docker0 down failed: | |
| ----- stderr ----- | |
| Cannot find device "docker0" | |
| ------ stdout ----- | |
| Cookbook Trace: | |
| --------------- | |
| /tmp/kitchen/cache/cookbooks/iproute2/libraries/default.rb:9:in `shellout' | |
| /tmp/kitchen/cache/cookbooks/iproute2/libraries/link.rb:112:in `shellout' | |
| /tmp/kitchen/cache/cookbooks/iproute2/libraries/link.rb:45:in `state=' | |
| /tmp/kitchen/cache/cookbooks/iproute2/resources/link.rb:71:in `block (2 levels) in class_from_file' | |
| /tmp/kitchen/cache/cookbooks/iproute2/resources/link.rb:71:in `block in class_from_file' | |
| Resource Declaration: | |
| --------------------- | |
| # In /tmp/kitchen/cache/cookbooks/machete.kvm/recipes/firewall.rb | |
| 87: ip_link 'docker0' do | |
| 88: type 'bridge' | |
| 89: state 'down' | |
| 90: action :delete | |
| 91: | |
| 92: ignore_failure true # for idempotency | |
| 93: end | |
| Compiled Resource: | |
| ------------------ | |
| # Declared in /tmp/kitchen/cache/cookbooks/machete.kvm/recipes/firewall.rb:87:in `from_file' | |
| iproute2_link("docker0") do | |
| action [:delete] | |
| default_guard_interpreter :default | |
| declared_type :ip_link | |
| cookbook_name "machete.kvm" | |
| recipe_name "firewall" | |
| type "bridge" | |
| state "down" | |
| ignore_failure true | |
| device "docker0" | |
| end | |
| System Info: | |
| ------------ | |
| chef_version=14.11.21 | |
| platform=centos | |
| platform_version=7.6.1810 | |
| ruby=ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux] | |
| program_name=/opt/chef/bin/chef-client | |
| executable=/opt/chef/bin/chef-client | |
| Recipe: firewall::default | |
| * firewall[default] action restart | |
| (skipped due to only_if) | |
| (skipped due to only_if) | |
| (skipped due to only_if) | |
| (skipped due to only_if) | |
| (skipped due to only_if) | |
| * file[/etc/sysconfig/iptables] action create | |
| - update content in file /etc/sysconfig/iptables from 2fa384 to 402ecf | |
| --- /etc/sysconfig/iptables 2018-11-04 17:03:01.000000000 +0000 | |
| +++ /etc/sysconfig/.chef-iptables20190330-14113-yvb7di 2019-03-30 00:59:47.229562774 +0000 | |
| @@ -1,15 +1,21 @@ | |
| -# sample configuration for iptables service | |
| -# you can edit this manually or use system-config-firewall | |
| -# please do not ask us to add additional ports/services to this default configuration | |
| +# position 1 | |
| *filter | |
| -:INPUT ACCEPT [0:0] | |
| -:FORWARD ACCEPT [0:0] | |
| -:OUTPUT ACCEPT [0:0] | |
| --A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| --A INPUT -p icmp -j ACCEPT | |
| --A INPUT -i lo -j ACCEPT | |
| --A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
| --A INPUT -j REJECT --reject-with icmp-host-prohibited | |
| --A FORWARD -j REJECT --reject-with icmp-host-prohibited | |
| +# position 2 | |
| +:INPUT DROP | |
| +# position 3 | |
| +:FORWARD DROP | |
| +# position 4 | |
| +:OUTPUT ACCEPT | |
| +# position 5 | |
| +-A INPUT -p icmp --icmp-type any -j DROP | |
| +# position 50 | |
| +-A INPUT -i lo -m comment --comment "allow loopback" -j ACCEPT | |
| +-A INPUT -p tcp -m tcp -m multiport --dports 22 -m comment --comment "allow world to ssh" -j ACCEPT | |
| +-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "established" -j ACCEPT | |
| +-A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 22 -m state --state NEW,ESTABLISHED -m comment --comment "ssh" -j ACCEPT | |
| +-A OUTPUT -p tcp -m tcp -m multiport --dports 22 -m state --state ESTABLISHED -m comment --comment "ssh" -j ACCEPT | |
| +# position 51 | |
| +-A OUTPUT -o lo -j ACCEPT | |
| +# position 100 | |
| COMMIT | |
| - restore selinux security context | |
| * service[iptables] action restart | |
| - restart service service[iptables] | |
| Running handlers: | |
| Running handlers complete | |
| Chef Client finished, 28/48 resources updated in 01 minutes 19 seconds | |
| Downloading files from <hv-centos-7> | |
| Finished converging <hv-centos-7> (1m50.92s). | |
| -----> Setting up <hv-centos-7>... | |
| Finished setting up <hv-centos-7> (0m0.00s). | |
| -----> Verifying <hv-centos-7>... | |
| Loaded tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.tools"} | |
| Loaded tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.kvm"} | |
| Loaded tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.firewall"} | |
| Profile: tests from {:path=>"/home/celiyah/Code/machete-kvm/src/test/integration/tools"} (tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.tools"}) | |
| Version: (not specified) | |
| Target: ssh://vagrant@127.0.0.1:2201 | |
| ↺ debian mothership: Operating System Detection | |
| ↺ Skipped control due to only_if condition. | |
| ✔ rhel mothership: System Package vim-enhanced | |
| ✔ System Package vim-enhanced should be installed | |
| ✔ System Package iputils should be installed | |
| ✔ any mothership: System Package git | |
| ✔ System Package git should be installed | |
| ✔ System Package lsof should be installed | |
| ✔ System Package nano should be installed | |
| ✔ System Package tree should be installed | |
| ✔ System Package wget should be installed | |
| ✔ System Package curl should be installed | |
| ✔ System Package sudo should be installed | |
| ✔ System Package telnet should be installed | |
| ✔ System Package net-tools should be installed | |
| Profile: tests from {:path=>"/home/celiyah/Code/machete-kvm/src/test/integration/kvm"} (tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.kvm"}) | |
| Version: (not specified) | |
| Target: ssh://vagrant@127.0.0.1:2201 | |
| ↺ debian mothership: Operating System Detection | |
| ↺ Skipped control due to only_if condition. | |
| ✔ rhel mothership: System Package qemu-kvm | |
| ✔ System Package qemu-kvm should be installed | |
| ✔ System Package libvirt should be installed | |
| ✔ System Package virt-install should be installed | |
| ✔ any mothership: Groups with name == "libvirtd" | |
| ✔ Groups with name == "libvirtd" should exist | |
| ✔ Groups with name == "libvirtd" members should include "root" | |
| Profile: tests from {:path=>"/home/celiyah/Code/machete-kvm/src/test/integration/firewall"} (tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.firewall"}) | |
| Version: (not specified) | |
| Target: ssh://vagrant@127.0.0.1:2201 | |
| ↺ debian mothership: debian mothership firewall | |
| ↺ Skipped control due to only_if condition. | |
| ✔ rhel mothership: rhel mothership firewall | |
| ✔ firewalld should not be running | |
| ✔ Service iptables should be enabled | |
| ✔ Service iptables should be running | |
| ✔ any mothership: mothership firewall | |
| ✔ Service sshd should be installed | |
| ✔ Service sshd should be enabled | |
| ✔ Service sshd should be running | |
| ✔ SSHD Configuration Port should cmp == 22 | |
| ✔ SSHD Configuration PermitRootLogin should eq "no" | |
| ✔ SSHD Configuration MaxAuthTries should cmp == 4 | |
| ✔ SSHD Configuration HostbasedAuthentication should eq "no" | |
| ✔ SSHD Configuration IgnoreRhosts should eq "yes" | |
| ✔ SSHD Configuration PermitEmptyPasswords should eq "no" | |
| ✔ SSHD Configuration PasswordAuthentication should eq "no" | |
| ✔ SSHD Configuration ChallengeResponseAuthentication should eq "no" | |
| ✔ SSHD Configuration GSSAPIAuthentication should eq "yes" | |
| ✔ SSHD Configuration GSSAPICleanupCredentials should eq "no" | |
| ✔ SSHD Configuration UsePAM should eq "yes" | |
| ✔ SSHD Configuration X11Forwarding should eq "no" | |
| ✔ SSHD Configuration Subsystem should match "sftp\t/usr/libexec/openssh/sftp-server" | |
| ✔ SSHD Configuration Protocol should cmp == 2 | |
| ✔ Iptables should have rule "-P INPUT DROP" | |
| ✔ Iptables should have rule "-P FORWARD DROP" | |
| ✔ Iptables should have rule "-P OUTPUT ACCEPT" | |
| ✔ Iptables should have rule "-A INPUT -i lo -m comment --comment \"allow loopback\" -j ACCEPT" | |
| ✔ Iptables should have rule "-A OUTPUT -o lo -j ACCEPT" | |
| ✔ Iptables should have rule "-A INPUT -p icmp -m icmp --icmp-type any -j DROP" | |
| ✔ Iptables should have rule "-A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 22 -m state --state NEW,ESTABLISHED -m comment --comment ssh -j ACCEPT" | |
| ✔ Iptables should have rule "-A OUTPUT -p tcp -m tcp -m multiport --dports 22 -m state --state ESTABLISHED -m comment --comment ssh -j ACCEPT" | |
| Profile Summary: 6 successful controls, 0 control failures, 3 controls skipped | |
| Test Summary: 44 successful, 0 failures, 3 skipped | |
| Finished verifying <hv-centos-7> (31m55.51s). | |
| -----> Verifying <virt-debian-9>... | |
| Loaded tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.tools"} | |
| Loaded tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.docker"} | |
| Loaded tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.firewall"} | |
| Profile: tests from {:path=>"/home/celiyah/Code/machete-kvm/src/test/integration/tools"} (tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.tools"}) | |
| Version: (not specified) | |
| Target: ssh://vagrant@127.0.0.1:2222 | |
| ✔ debian mothership: System Package vim | |
| ✔ System Package vim should be installed | |
| ✔ System Package iputils-ping should be installed | |
| ↺ rhel mothership: Operating System Detection | |
| ↺ Skipped control due to only_if condition. | |
| ✔ any mothership: System Package git | |
| ✔ System Package git should be installed | |
| ✔ System Package lsof should be installed | |
| ✔ System Package nano should be installed | |
| ✔ System Package tree should be installed | |
| ✔ System Package wget should be installed | |
| ✔ System Package curl should be installed | |
| ✔ System Package sudo should be installed | |
| ✔ System Package telnet should be installed | |
| ✔ System Package net-tools should be installed | |
| Profile: tests from {:path=>"/home/celiyah/Code/machete-kvm/src/test/integration/docker"} (tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.docker"}) | |
| Version: (not specified) | |
| Target: ssh://vagrant@127.0.0.1:2222 | |
| ✔ any virt: Directory /mnt/data | |
| ✔ Directory /mnt/data should exist | |
| ✔ Directory /mnt/data owner should cmp == "root" | |
| ✔ Directory /mnt/data group should cmp == "root" | |
| ✔ Command: `docker` should exist | |
| ✔ Docker Container machete1 should exist | |
| ✔ Docker Container machete1 should be running | |
| ✔ Docker Container sqlserver should exist | |
| ✔ Docker Container sqlserver should be running | |
| ✔ Docker Container sqlserver command should eq "/opt/mssql/bin/sqlservr" | |
| ✔ Docker Container sqlserver ports should eq "0.0.0.0:1433->1433/tcp" | |
| ✔ Docker Container sqlserver repo should eq "mcr.microsoft.com/mssql/server" | |
| ✔ Docker Container sqlserver tag should eq "2017-latest" | |
| ✔ #<Inspec::Resources::DockerContainerFilter:0x00007fe71412d268> with names == "machete1" networks should cmp == "bridge" | |
| ✔ #<Inspec::Resources::DockerContainerFilter:0x00007fe7141127d8> with names == "sqlserver" mounts should cmp == "sql-databases" | |
| ✔ #<Inspec::Resources::DockerContainerFilter:0x00007fe7141127d8> with names == "sqlserver" networks should cmp == "bridge" | |
| Profile: tests from {:path=>"/home/celiyah/Code/machete-kvm/src/test/integration/firewall"} (tests from {:path=>".home.celiyah.Code.machete-kvm.src.test.integration.firewall"}) | |
| Version: (not specified) | |
| Target: ssh://vagrant@127.0.0.1:2222 | |
| ✔ debian mothership: debian mothership firewall | |
| ✔ Service ufw should not be running | |
| ✔ Service netfilter-persistent should be enabled | |
| ✔ Service netfilter-persistent should be running | |
| ↺ rhel mothership: rhel mothership firewall | |
| ↺ Skipped control due to only_if condition. | |
| ✔ any mothership: mothership firewall | |
| ✔ Service sshd should be installed | |
| ✔ Service sshd should be enabled | |
| ✔ Service sshd should be running | |
| ✔ SSHD Configuration Port should cmp == 22 | |
| ✔ SSHD Configuration PermitRootLogin should eq "no" | |
| ✔ SSHD Configuration MaxAuthTries should cmp == 4 | |
| ✔ SSHD Configuration HostbasedAuthentication should eq "no" | |
| ✔ SSHD Configuration IgnoreRhosts should eq "yes" | |
| ✔ SSHD Configuration PermitEmptyPasswords should eq "no" | |
| ✔ SSHD Configuration PasswordAuthentication should eq "no" | |
| ✔ SSHD Configuration ChallengeResponseAuthentication should eq "no" | |
| ✔ SSHD Configuration GSSAPIAuthentication should eq "yes" | |
| ✔ SSHD Configuration GSSAPICleanupCredentials should eq "no" | |
| ✔ SSHD Configuration UsePAM should eq "yes" | |
| ✔ SSHD Configuration X11Forwarding should eq "no" | |
| ✔ SSHD Configuration Subsystem should match "sftp\t/usr/libexec/openssh/sftp-server" | |
| ✔ SSHD Configuration Protocol should cmp == 2 | |
| ✔ Iptables should have rule "-P INPUT DROP" | |
| ✔ Iptables should have rule "-P FORWARD DROP" | |
| ✔ Iptables should have rule "-P OUTPUT ACCEPT" | |
| ✔ Iptables should have rule "-A INPUT -i lo -m comment --comment \"allow loopback\" -j ACCEPT" | |
| ✔ Iptables should have rule "-A OUTPUT -o lo -j ACCEPT" | |
| ✔ Iptables should have rule "-A INPUT -p icmp -m icmp --icmp-type any -j DROP" | |
| ✔ Iptables should have rule "-A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 22 -m state --state NEW,ESTABLISHED -m comment --comment ssh -j ACCEPT" | |
| ✔ Iptables should have rule "-A OUTPUT -p tcp -m tcp -m multiport --dports 22 -m state --state ESTABLISHED -m comment --comment ssh -j ACCEPT" | |
| Profile Summary: 5 successful controls, 0 control failures, 2 controls skipped | |
| Test Summary: 54 successful, 0 failures, 2 skipped | |
| Finished verifying <virt-debian-9> (0m3.24s). | |
| -----> Kitchen is finished. (38m14.51s) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment