This patch enables the appropriate Linux Security Module (LSM) for the system rather than simply checking it. This brings the role more in line with the STIG requirements and allows it to be used as a more generic role in other non-OpenStack-Ansible deployments. It shouldn't affect OpenStack-Ansible deployments since AppArmor is expected to be running in those deployments. Documentation and release notes are included. Change-Id: Ia017f12be0d60ea74b54396bc8278e4db92295ba
# NOTE(review): the [section] headers of this tox.ini are not visible in this
# listing; these three keys are presumably the global tox settings - confirm
# against the file.
# Oldest tox release this configuration accepts.
minversion = 1.6
# Do not build an sdist of the project before creating the environments.
skipsdist = True
# Environments run when tox is invoked without -e.
envlist = docs,linters,functional
# NOTE(review): presumably the base test environment that the named
# environments inherit from; its section header is not visible here.
usedevelop = True
# -U upgrades every requested package to the newest version the index offers
# at run time, so a run is only reproducible if test-requirements.txt pins
# versions (its contents are not visible here). Consider a constraints file
# or pip's --require-hashes so a changed upstream release cannot silently
# enter the test environment.
install_command = pip install -U {opts} {packages}
deps = -r{toxinidir}/test-requirements.txt
# Deletes compiled *.pyc files under the current directory before each run;
# find is called by absolute path rather than resolved through PATH.
commands = /usr/bin/find . -type f -name "*.pyc" -delete
# NOTE(review): no values are visible for the next two keys in this listing.
# whitelist_externals decides which commands from outside the virtualenv tox
# may run without a warning, and passenv decides which host environment
# variables reach the test commands - keep both lists as short as possible.
passenv =
whitelist_externals =
# The variables below point Ansible at plugin, module and role directories
# under {homedir}/.ansible. Ansible loads and runs the Python code it finds
# there, so anything written to that directory is trusted code for the
# duration of the test run.
setenv =
# TODO (odyssey4me) These are only here as they are non-standard folder
# names for Ansible 1.9.x. We are using the standard folder names for
# Ansible v2.x. We can remove this when we move to Ansible 2.x.
ANSIBLE_ACTION_PLUGINS = {homedir}/.ansible/plugins/action
ANSIBLE_CALLBACK_PLUGINS = {homedir}/.ansible/plugins/callback
ANSIBLE_FILTER_PLUGINS = {homedir}/.ansible/plugins/filter
ANSIBLE_LOOKUP_PLUGINS = {homedir}/.ansible/plugins/lookup
# This is required as the default is the current path or a path specified
# in ansible.cfg
ANSIBLE_LIBRARY = {homedir}/.ansible/plugins/library
# This is required as the default is '/etc/ansible/roles' or a path
# specified in ansible.cfg
# The second entry, {toxinidir}/.., puts the parent of the checkout on the
# roles path, so sibling directories of the checkout are also searched.
ANSIBLE_ROLES_PATH = {homedir}/.ansible/roles:{toxinidir}/..
# NOTE(review): this command appears without its `commands =` key or section
# header in this listing; presumably it belongs to the docs environment.
python setup.py build_sphinx
# environment used by the -infra templated docs job
deps = -r{toxinidir}/test-requirements.txt
# Runs whatever command line the caller passes to tox as positional
# arguments; nothing is fixed by this file.
commands = {posargs}
commands =
# Run hacking/flake8 check for all python files
# grep lists every text file under {toxinidir} that has a line matching
# '^.!.*python$' and xargs hands that list to flake8.
# NOTE(review): the pattern is not limited to the first line of a file, and
# its leading '.' matches any character, not only '#'. xargs splits the list
# on whitespace, so a path containing a space is passed as two arguments.
# '*.egg-info' is unquoted inside the bash -c string, so the shell may expand
# it against the current directory before grep sees it.
bash -c "grep --recursive --binary-files=without-match \
--files-with-match '^.!.*python$' \
--exclude-dir .eggs \
--exclude-dir .git \
--exclude-dir .tox \
--exclude-dir *.egg-info \
--exclude-dir doc \
{toxinidir} | xargs flake8 --verbose"
# NOTE(review): the setting that applies the ignore list described below is
# not visible in this listing.
# Ignores the following rules due to how ansible modules work in general
# F403 'from ansible.module_utils.basic import *' used;
# unable to detect undefined names
# H303 No wildcard (*) import.
commands =
# Run bashate check for all bash scripts
# Ignores the following rules:
# E003: Indent not multiple of 4 (we prefer to use multiples of 2)
# E006: Line longer than 79 columns (as many scripts use jinja
# templating, this is very difficult)
# E040: Syntax error determined using `bash -n` (as many scripts
# use jinja templating, this will often fail and the syntax
# error will be discovered in execution anyway)
# grep lists every text file under {toxinidir} that has a line ending in
# 'sh' or 'bash' after a leading '<any char>!' and xargs hands that list to
# bashate.
# NOTE(review): with E040 ignored this check no longer reports shell syntax
# errors; they surface only when the script is executed. xargs splits the
# file list on whitespace, so a path containing a space is passed as two
# arguments.
bash -c "grep --recursive --binary-files=without-match \
--files-with-match '^.!.*\(ba\)\?sh$' \
--exclude-dir .tox \
--exclude-dir .git \
{toxinidir} | xargs bashate --error . --verbose --ignore=E003,E006,E040"
# Syntax check of the role's test playbook: --syntax-check and --list-tasks
# parse the playbook without executing any task.
# NOTE(review): `rm -rf {homedir}/.ansible` removes the invoking user's whole
# ~/.ansible directory, including content this test did not create; run it
# only in a disposable CI account or workspace.
# NOTE(review): the clone names no branch, tag or commit on the visible line,
# so the run uses whatever the remote default branch holds at that moment.
# The setenv paths elsewhere in this file point under {homedir}/.ansible, so
# this checkout is presumably what Ansible loads as plugins; pinning it to a
# reviewed commit keeps an upstream change from altering the test
# environment unnoticed.
# NOTE(review): the clone destination and the playbook path are not visible
# in this listing; several lines end in a continuation backslash whose
# following line is missing.
commands =
rm -rf {homedir}/.ansible
git clone https://git.openstack.org/openstack/openstack-ansible-plugins \
ansible-playbook -i {toxinidir}/tests/inventory \
--syntax-check \
--list-tasks \
-e "rolename={toxinidir}" \
-t ssh \
# Static lint of the test playbook with ansible-lint; nothing is executed
# against a host.
commands =
ansible-lint {toxinidir}/tests/test.yml
# NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building
# images with apt config Apt::Get::AllowUnauthenticated set
# to true.
# NOTE(mhayden): V-38674: OpenStack infra images have graphical target
# enabled, so it must be skipped.
# V-38574: OpenStack infra images have non-standard pam
# configurations that don't match a standard CentOS 7 server
# or cloud image. It must be skipped.
# NOTE(review): tasks tagged V-38462, V-38574 and V-38674 are never run by
# this job, so regressions in those three controls are not caught here. The
# skips describe the CI images, not the role: per the note above, the images
# allow unauthenticated apt packages, so treat them as test fixtures only and
# cover these controls in a separate test on a standard image.
# NOTE(review): `rm -rf {homedir}/.ansible` removes the invoking user's whole
# ~/.ansible directory, and the clone below names no branch, tag or commit on
# the visible line; the clone destination and the playbook path are not
# visible in this listing.
commands =
rm -rf {homedir}/.ansible
git clone https://git.openstack.org/openstack/openstack-ansible-plugins \
ansible-playbook -i {toxinidir}/tests/inventory \
-e "rolename={toxinidir}" \
--skip-tag V-38462,V-38574,V-38674 \
# NOTE(review): no command is visible for this key in this listing.
commands =
# Builds the release notes as HTML from releasenotes/source into
# releasenotes/build/html; -a writes all output files and -E ignores any
# saved build environment, so every run is a full rebuild.
commands = sphinx-build -a -E -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html