From 0aaa8225d90d098425dc6971e8afd5b54dfb5d7f Mon Sep 17 00:00:00 2001 From: Rohan Yadav Date: Wed, 8 Jan 2025 17:28:35 +0530 Subject: [PATCH] feat(fips): update tests to run for fips packages * update harvest tests to run for fips packages * chore: update action versions * update packaging tests * assume role for 2 hours as tests can take longer than 1 hour --- .../component_prerelease_testing.yml | 25 +++--- build/build.mk | 6 ++ .../ansible/group_vars/localhost/main.yml | 20 +++++ test/harvest/ansible/README.md | 3 +- .../roles/build-harvest-tests/tasks/main.yml | 32 ++++++-- .../roles/build-harvest-tests/vars/main.yml | 4 + .../roles/run-harvest-tests/tasks/main.yml | 21 +++-- .../roles/run-harvest-tests/vars/main.yml | 1 + test/harvest/ansible/test.yml | 18 ++-- test/packaging/ansible/README.md | 3 +- test/packaging/ansible/agent-upgrade.yml | 2 + .../packaging/ansible/installation-pinned.yml | 25 ++++-- .../ansible/installation-privileged.yml | 61 ++++++++------ test/packaging/ansible/installation-root.yml | 21 +++-- .../ansible/installation-unprivileged.yml | 57 +++++++------ .../ansible/shutdown-and-terminate.yml | 82 +++++++++++-------- test/packaging/ansible/test.yml | 23 ++++-- .../provision/terraform/caos.auto.tfvars.dist | 4 +- test/provision/terraform/inventory.tmpl | 5 +- 19 files changed, 264 insertions(+), 149 deletions(-) diff --git a/.github/workflows/component_prerelease_testing.yml b/.github/workflows/component_prerelease_testing.yml index 6e86df4b5..30d0274f3 100644 --- a/.github/workflows/component_prerelease_testing.yml +++ b/.github/workflows/component_prerelease_testing.yml @@ -39,10 +39,10 @@ jobs: provision: runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ env.AWS_ASSUME_ROLE }} aws-region: us-east-2 
@@ -79,10 +79,10 @@ jobs: needs: [ provision ] runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ env.AWS_ASSUME_ROLE }} aws-region: us-east-2 @@ -120,13 +120,14 @@ jobs: needs: [ harvest-tests ] runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ env.AWS_ASSUME_ROLE }} aws-region: us-east-2 + role-duration-seconds: 7200 - name: Set branch name run: | @@ -154,10 +155,10 @@ jobs: needs: [ harvest-tests ] runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ env.AWS_ASSUME_ROLE }} aws-region: us-east-2 @@ -188,10 +189,10 @@ jobs: needs: [ packaging-tests-linux ] runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ env.AWS_ASSUME_ROLE }} aws-region: us-east-2 @@ -229,10 +230,10 @@ jobs: needs: [ packaging-tests-windows ] runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ env.AWS_ASSUME_ROLE }} aws-region: us-east-2 diff --git a/build/build.mk b/build/build.mk index 222c9e0f6..be6fa345d 100644 --- a/build/build.mk +++ b/build/build.mk 
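Review bot: `role-duration-seconds: 7200` on the packaging-tests-linux job only works if the assumed role's MaxSessionDuration is at least 7200 seconds; if it is still at the one-hour default, `configure-aws-credentials` fails at the credential step rather than an hour into the tests, so that role setting should be confirmed and ideally noted in a comment next to the new line, e.g. `# requires MaxSessionDuration >= 2h on AWS_ASSUME_ROLE`. A two-hour session also doubles the window in which credentials leaked from a runner remain usable, so keeping the longer duration scoped to this single job, as the hunk does, is the right call and the other jobs should not pick it up by copy-paste. The action bumps still pin by mutable tag (`actions/checkout@v4`, `aws-actions/configure-aws-credentials@v4`); for a workflow that assumes an AWS role, pinning to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening.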
@@ -174,6 +174,12 @@ build-harvest-tests: CGO_ENABLED=0 build-harvest-tests: deps $(GO_BIN) test -c ./test/harvest -tags="harvest" -v +.PHONY: build-harvest-tests-fips +build-harvest-tests-fips: CGO_ENABLED=1 +build-harvest-tests-fips: GOEXPERIMENT=boringcrypto +build-harvest-tests-fips: deps + $(GO_BIN) test -c ./test/harvest -tags="harvest,fips" -v + .PHONY: proxy-test proxy-test: diff --git a/test/automated/ansible/group_vars/localhost/main.yml b/test/automated/ansible/group_vars/localhost/main.yml index d54bad1ff..151e8f3f9 100644 --- a/test/automated/ansible/group_vars/localhost/main.yml +++ b/test/automated/ansible/group_vars/localhost/main.yml @@ -271,6 +271,16 @@ instances: platform: "linux" python_interpreter: "/usr/bin/python3" launch_template: "LaunchTemplateId=lt-0b00afb3f5110a0e6,Version=3" + ################################# + # amazon linux 2023 amd64 FIPS + ################################# + - ami: "ami-085fa628e46dcb929" + type: "t3a.small" + name: "amd64:al-2023-fips" + username: "ec2-user" + platform: "linux" + python_interpreter: "/usr/bin/python3" + launch_template: "LaunchTemplateId=lt-0b00afb3f5110a0e6,Version=3" ############################ # amazon linux 2023 arm64 ############################ @@ -281,6 +291,16 @@ instances: platform: "linux" python_interpreter: "/usr/bin/python3" launch_template: "LaunchTemplateId=lt-0b00afb3f5110a0e6,Version=3" + ################################# + # amazon linux 2023 arm64 FIPS + ################################# + - ami: "ami-06014e12b8efb52e2" + type: "t4g.small" + name: "arm64:al-2023-fips" + username: "ec2-user" + platform: "linux" + python_interpreter: "/usr/bin/python3" + launch_template: "LaunchTemplateId=lt-0b00afb3f5110a0e6,Version=3" ############################ # windows amd64 ############################ diff --git a/test/harvest/ansible/README.md b/test/harvest/ansible/README.md index d9183426d..6a787cc22 100644 --- a/test/harvest/ansible/README.md +++ b/test/harvest/ansible/README.md 
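Review bot: `build-harvest-tests-fips` sets `GOEXPERIMENT=boringcrypto` and `CGO_ENABLED=1`, but the Go toolchain does not fail when BoringCrypto cannot be used — on an unsupported GOOS/GOARCH, or if a wrapping environment later disables cgo, the binary silently links the pure-Go crypto and the `fips`-tagged tests would run against non-FIPS code. A post-build assertion in the recipe makes that visible, e.g. `$(GO_BIN) tool nm harvest.test | grep -q _goboringcrypto_ || { echo "boringcrypto not linked"; exit 1; }`, or alternatively a `fips`-tagged test that asserts `crypto/boring.Enabled()` (what the `fips` tag already covers is not visible in this diff). The group_vars hunk in the same file section adds bare AMI IDs for the FIPS hosts; a comment with the AMI name or source next to `ami-085fa628e46dcb929` and `ami-06014e12b8efb52e2` would let a reviewer confirm they are in fact FIPS-enabled images without an AWS console lookup.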
@@ -10,7 +10,8 @@ localhost ansible_connection=local [testing_hosts] amd64:debian-buster ansible_host=192.168.1.12 ansible_user=admin ansible_python_interpreter=/usr/bin/python3 -amd64:centos7 ansible_host=192.168.1.13 ansible_user=centos ansible_python_interpreter=/usr/bin/python +amd64:centos7 ansible_host=192.168.1.13 ansible_user=centos ansible_python_interpreter=/usr/bin/python +amd64:al-2023-fips ansible_host=192.168.1.14 ansible_user=ec2-user ansible_python_interpreter=/usr/bin/python3 ansible_ssh_common_args='-o Ciphers=aes256-ctr,aes192-ctr,aes128-ctr -o KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -o MACs=hmac-sha2-256,hmac-sha2-512' ``` ## Playbooks diff --git a/test/harvest/ansible/roles/build-harvest-tests/tasks/main.yml b/test/harvest/ansible/roles/build-harvest-tests/tasks/main.yml index 2d7d4d7ae..c4211b988 100644 --- a/test/harvest/ansible/roles/build-harvest-tests/tasks/main.yml +++ b/test/harvest/ansible/roles/build-harvest-tests/tasks/main.yml 
@@ -1,21 +1,41 @@ --- -- name: build harvest tests for every os/arch combination - ansible.builtin.shell: "CGO_ENABLED=0 GOOS=linux GOARCH={{item}} make build-harvest-tests && mv {{ default_binary_name }} {{ os_arch_binary_name_tpl | replace('%GOOS%', 'linux') | replace('%GOARCH%', item) }}" +- name: Build harvest tests for Linux arch combination + ansible.builtin.shell: > + CGO_ENABLED=0 GOOS=linux GOARCH={{ item }} make build-harvest-tests && + mv {{ default_binary_name }} {{ os_arch_binary_name_tpl | replace('%GOOS%', 'linux') | replace('%GOARCH%', item) }} args: chdir: "{{ agent_root_dir }}" + creates: "{{ os_arch_binary_name_tpl | replace('%GOOS%', 'linux') | replace('%GOARCH%', item) }}" loop: "{{ goos_arch.linux }}" -- name: build harvest tests for every os/arch combination - ansible.builtin.shell: "GOOS=darwin GOARCH={{item}} make build-harvest-tests && mv {{ default_binary_name }} {{ os_arch_binary_name_tpl | replace('%GOOS%', 'darwin') | replace('%GOARCH%', item) }}" +- name: Build harvest tests for Linux arch combination - FIPS + ansible.builtin.shell: > + CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GOOS=linux GOARCH={{ item }} + {% if item == 'arm64' %}CC=aarch64-linux-gnu-gcc{% endif %} + make build-harvest-tests-fips && + mv {{ default_binary_name }} {{ os_arch_binary_name_tpl_fips | replace('%GOOS%', 'linux') | replace('%GOARCH%', item) }} args: chdir: "{{ agent_root_dir }}" + creates: "{{ os_arch_binary_name_tpl_fips | replace('%GOOS%', 'linux') | replace('%GOARCH%', item) }}" + loop: "{{ goos_arch.linux_fips }}" + +- name: Build harvest tests for Darwin arch combination + ansible.builtin.shell: > + GOOS=darwin GOARCH={{ item }} make build-harvest-tests && + mv {{ default_binary_name }} {{ os_arch_binary_name_tpl | replace('%GOOS%', 'darwin') | replace('%GOARCH%', item) }} + args: + chdir: "{{ agent_root_dir }}" + creates: "{{ os_arch_binary_name_tpl | replace('%GOOS%', 'darwin') | replace('%GOARCH%', item) }}" loop: "{{ goos_arch.darwin }}" -- name: 
build harvest tests for every os/arch combination - ansible.builtin.shell: "GOOS=windows GOARCH={{item}} make build-harvest-tests && mv {{ default_binary_name }}.exe {{ os_arch_binary_name_tpl | replace('%GOOS%', 'win32nt') | replace('%GOARCH%', item) }}.exe" +- name: Build harvest tests for Windows arch combination + ansible.builtin.shell: > + GOOS=windows GOARCH={{ item }} make build-harvest-tests && + mv {{ default_binary_name }}.exe {{ os_arch_binary_name_tpl | replace('%GOOS%', 'win32nt') | replace('%GOARCH%', item) }}.exe args: chdir: "{{ agent_root_dir }}" + creates: "{{ os_arch_binary_name_tpl | replace('%GOOS%', 'win32nt') | replace('%GOARCH%', item) }}.exe" loop: "{{ goos_arch.windows }}" diff --git a/test/harvest/ansible/roles/build-harvest-tests/vars/main.yml b/test/harvest/ansible/roles/build-harvest-tests/vars/main.yml index 34e8ea214..e27f1872f 100644 --- a/test/harvest/ansible/roles/build-harvest-tests/vars/main.yml +++ b/test/harvest/ansible/roles/build-harvest-tests/vars/main.yml @@ -3,11 +3,15 @@ agent_root_dir: "" default_binary_name: "harvest.test" os_arch_binary_name_tpl: "harvest_%GOOS%_%GOARCH%.test" +os_arch_binary_name_tpl_fips: "harvest_%GOOS%-fips_%GOARCH%.test" goos_arch: linux: - "amd64" - "arm" - "arm64" + linux_fips: + - "amd64" + - "arm64" darwin: - "amd64" - "arm64" diff --git a/test/harvest/ansible/roles/run-harvest-tests/tasks/main.yml b/test/harvest/ansible/roles/run-harvest-tests/tasks/main.yml index 7103b9a96..8fadf93f9 100644 --- a/test/harvest/ansible/roles/run-harvest-tests/tasks/main.yml +++ b/test/harvest/ansible/roles/run-harvest-tests/tasks/main.yml 
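Review bot: the new `creates:` arguments turn every build task into a no-op whenever the output file already exists, so re-running the playbook in a workspace that still holds `harvest_linux-fips_amd64.test` from an earlier build ships a stale binary to the FIPS hosts without rebuilding from current source. If the goal is idempotence within one run, a preceding task that removes `harvest_*.test` (or a `creates:` keyed on a source checksum) keeps re-runs honest; otherwise a comment on the task stating that a clean workspace is assumed would at least make the behaviour explicit. The arm64 FIPS build also assumes `aarch64-linux-gnu-gcc` is present on the build host; a `command -v aarch64-linux-gnu-gcc` pre-check with a clear failure message would beat the opaque cgo linker error that otherwise surfaces.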
@@ -1,15 +1,26 @@ --- -- name: register os/arch specific binary name - set_fact: - os_arch_binary_name: "{{ os_arch_binary_name_tpl | replace('%GOOS%',ansible_system|lower) | replace('%GOARCH%',architecture_map[ansible_architecture]) }}" +- name: Register os/arch specific binary name + ansible.builtin.set_fact: + os_arch_binary_name: "{{ os_arch_binary_name_tpl + | replace('%GOOS%', ansible_system | lower) + | replace('%GOARCH%', architecture_map[ansible_architecture]) }}" + when: "'-fips' not in inventory_hostname" -- name: copy binary +- name: Register os/arch specific binary name - FIPS + ansible.builtin.set_fact: + os_arch_binary_name: "{{ os_arch_binary_name_tpl_fips + | replace('%GOOS%', ansible_system | lower) + | replace('%GOARCH%', architecture_map[ansible_architecture]) }}" + when: "'-fips' in inventory_hostname" + +- name: Copy binary ansible.builtin.copy: src: "{{ agent_root_dir }}/{{ os_arch_binary_name }}" dest: "{{ ansible_user_dir }}/{{ os_arch_binary_name }}" mode: '0755' -- include_tasks: "execute-tests-{{ ansible_system }}.yaml" +- name: Include OS-specific test tasks + ansible.builtin.include_tasks: "execute-tests-{{ ansible_system }}.yaml" ... diff --git a/test/harvest/ansible/roles/run-harvest-tests/vars/main.yml b/test/harvest/ansible/roles/run-harvest-tests/vars/main.yml index bec821faf..2eab081fe 100644 --- a/test/harvest/ansible/roles/run-harvest-tests/vars/main.yml +++ b/test/harvest/ansible/roles/run-harvest-tests/vars/main.yml @@ -6,4 +6,5 @@ architecture_map: 64-bit: "amd64" os_arch_binary_name_tpl: "harvest_%GOOS%_%GOARCH%.test{{ '.exe' if ansible_system == 'Win32NT' else '' }}" +os_arch_binary_name_tpl_fips: "harvest_%GOOS%-fips_%GOARCH%.test{{ '.exe' if ansible_system == 'Win32NT' else '' }}" tests_to_run_regex: ".*" diff --git a/test/harvest/ansible/test.yml b/test/harvest/ansible/test.yml index 6f6c80f08..5f3a88ef8 100644 --- a/test/harvest/ansible/test.yml +++ b/test/harvest/ansible/test.yml 
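Review bot: the FIPS variant of the test binary is selected purely from `'-fips' in inventory_hostname`, so nothing in this role verifies that the target host is actually running in FIPS mode — a mis-named or mis-provisioned instance would pass the `fips` suite against ordinary kernel crypto. A guard before "Copy binary" closes that gap: an `ansible.builtin.command: cat /proc/sys/crypto/fips_enabled` task registered as `fips_flag`, with `failed_when: fips_flag.stdout != '1'` and `when: "'-fips' in inventory_hostname"`. This assumes the AL2023 FIPS AMIs expose the standard kernel flag, which seems likely but is not shown here.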
@@ -4,22 +4,24 @@ # It will build the harvest tests binaries for specified architectures/os combinations # and copy and run them in the testing_hosts hosts -- hosts: localhost +- name: Build harvest tests on localhost + hosts: localhost become: false - gather_facts: no + gather_facts: false tasks: - - name: build harvest tests - include_role: + - name: Build harvest tests + ansible.builtin.include_role: name: build-harvest-tests -- hosts: testing_hosts - gather_facts: yes +- name: Copy and run harvest tests on testing hosts + hosts: testing_hosts + gather_facts: true tasks: - - name: copy and run harvest tests - include_role: + - name: Copy and run harvest tests + ansible.builtin.include_role: name: run-harvest-tests ... diff --git a/test/packaging/ansible/README.md b/test/packaging/ansible/README.md index 9acc84c7a..5194dc49a 100644 --- a/test/packaging/ansible/README.md +++ b/test/packaging/ansible/README.md @@ -9,7 +9,8 @@ localhost ansible_connection=local [testing_hosts] amd64:debian-buster ansible_host=192.168.1.12 ansible_user=admin ansible_python_interpreter=/usr/bin/python3 -amd64:centos7 ansible_host=192.168.1.13 ansible_user=centos ansible_python_interpreter=/usr/bin/python +amd64:centos7 ansible_host=192.168.1.13 ansible_user=centos ansible_python_interpreter=/usr/bin/python +amd64:al-2023-fips ansible_host=192.168.1.14 ansible_user=ec2-user ansible_python_interpreter=/usr/bin/python3 ansible_ssh_common_args='-o Ciphers=aes256-ctr,aes192-ctr,aes128-ctr -o KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -o MACs=hmac-sha2-256,hmac-sha2-512' ``` ## Playbooks diff --git a/test/packaging/ansible/agent-upgrade.yml b/test/packaging/ansible/agent-upgrade.yml index 292624334..4d4214b63 100644 --- a/test/packaging/ansible/agent-upgrade.yml +++ b/test/packaging/ansible/agent-upgrade.yml 
@@ -14,6 +14,8 @@ tasks: - name: agent upgrade tests suite + # TODO: https://new-relic.atlassian.net/browse/NR-355851 Update when two releases with FIPS are done + # Also add FIPS tests vars: target_agent_version: "1.57.1" diff --git a/test/packaging/ansible/installation-pinned.yml b/test/packaging/ansible/installation-pinned.yml index 115aee92b..ca331425c 100644 --- a/test/packaging/ansible/installation-pinned.yml +++ b/test/packaging/ansible/installation-pinned.yml @@ -1,13 +1,12 @@ --- - -- name: installation-pinned +- name: Installation-pinned hosts: testing_hosts_linux become: true - gather_facts: yes + gather_facts: true pre_tasks: - name: Initial cleanup - include_role: + ansible.builtin.include_role: name: caos.ansible_roles.infra_agent vars: uninstall: true @@ -18,16 +17,26 @@ target_agent_version: "1.57.1" # minimum version for ubuntu sles 15.6 block: - - - name: install agent - include_role: + - name: Install agent + # when: "'-fips' not in inventory_hostname" + ansible.builtin.include_role: name: caos.ansible_roles.infra_agent vars: target_version: "{{ target_agent_version }}" repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent" + # TODO: https://new-relic.atlassian.net/browse/NR-355845 Uncomment when FIPS version is available for the minimum version + # - name: Install agent - FIPS + # when: "'-fips' in inventory_hostname" + # ansible.builtin.include_role: + # name: caos.ansible_roles.infra_agent + # vars: + # target_version: "{{ target_agent_version }}" + # repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent" + # fips_enabled: true + - name: Assert version - include_role: + ansible.builtin.include_role: name: caos.ansible_roles.assert_version vars: target_versions: diff --git a/test/packaging/ansible/installation-privileged.yml b/test/packaging/ansible/installation-privileged.yml index c0d939bc6..59f58e443 100644 
--- a/test/packaging/ansible/installation-privileged.yml +++ b/test/packaging/ansible/installation-privileged.yml @@ -1,13 +1,12 @@ --- - -- name: installation-privileged +- name: Installation-privileged hosts: testing_hosts_linux become: true - gather_facts: yes + gather_facts: true pre_tasks: - name: Initial cleanup - include_role: + ansible.builtin.include_role: name: caos.ansible_roles.infra_agent vars: uninstall: true 
@@ -21,30 +20,38 @@ NRIA_MODE: PRIVILEGED block: + - name: Install agent + when: "'-fips' not in inventory_hostname" + ansible.builtin.include_role: + name: caos.ansible_roles.infra_agent + vars: + repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent" - - name: install agent - include_role: - name: caos.ansible_roles.infra_agent - vars: - repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent" + - name: Install agent - FIPS + when: "'-fips' in inventory_hostname" + ansible.builtin.include_role: + name: caos.ansible_roles.infra_agent + vars: + repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent" + fips_enabled: true - - name: assert privileged caps - include_role: - name: caos.ansible_roles.assert_privileged_caps - vars: - executable: "/usr/bin/newrelic-infra" - caps: - - cap_dac_read_search - - cap_sys_ptrace.ep + - name: Assert privileged caps + ansible.builtin.include_role: + name: caos.ansible_roles.assert_privileged_caps + vars: + executable: "/usr/bin/newrelic-infra" + caps: + - cap_dac_read_search + - cap_sys_ptrace.ep - - name: Assert rootless - include_role: - name: caos.ansible_roles.assert_files - vars: - processes: - - name: newrelic-infra-service - owner: "{{ agent_user }}" - files: - - name: /usr/bin/newrelic-infra - permissions: "{{ bin_mode }}" + - name: Assert rootless + ansible.builtin.include_role: + name: caos.ansible_roles.assert_files + vars: + processes: + - name: newrelic-infra-service + owner: "{{ agent_user }}" + files: + - name: /usr/bin/newrelic-infra + permissions: "{{ bin_mode }}" ... diff --git a/test/packaging/ansible/installation-root.yml b/test/packaging/ansible/installation-root.yml index 5ccae8481..4a61f9566 100644 --- a/test/packaging/ansible/installation-root.yml +++ b/test/packaging/ansible/installation-root.yml 
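Review bot: the new "Install agent - FIPS" task fetches the FIPS package from `repo_endpoint: "http://nr-downloads-ohai-staging..."` over plain HTTP, so the integrity of what is installed rests entirely on repository signature checking inside `caos.ansible_roles.infra_agent`, which is not visible here. For a suite whose purpose is FIPS validation that is worth making explicit: confirm the role enforces `gpgcheck`/`repo_gpgcheck` for the FIPS repo and say so in a comment on the task, or pass an HTTPS endpoint if one exists (S3 website endpoints are HTTP-only, which is presumably why this URL is used). The same non-FIPS/FIPS task pair is copy-pasted into four playbooks; a single include with `fips_enabled: "{{ '-fips' in inventory_hostname }}"` would remove the duplication and keep the `repo_endpoint` values from drifting apart.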
@@ -1,13 +1,13 @@ --- -- name: installation-root +- name: Installation-root hosts: testing_hosts_linux become: true - gather_facts: yes + gather_facts: true pre_tasks: - name: Initial cleanup - include_role: + ansible.builtin.include_role: name: caos.ansible_roles.infra_agent vars: uninstall: true @@ -20,14 +20,23 @@ block: - - name: install agent - include_role: + - name: Install agent + when: "'-fips' not in inventory_hostname" + ansible.builtin.include_role: name: caos.ansible_roles.infra_agent vars: repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent" + - name: Install agent - FIPS + when: "'-fips' in inventory_hostname" + ansible.builtin.include_role: + name: caos.ansible_roles.infra_agent + vars: + repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent" + fips_enabled: true + - name: Assert root - include_role: + ansible.builtin.include_role: name: caos.ansible_roles.assert_files vars: processes: diff --git a/test/packaging/ansible/installation-unprivileged.yml b/test/packaging/ansible/installation-unprivileged.yml index 041e6166c..a882ee169 100644 --- a/test/packaging/ansible/installation-unprivileged.yml +++ b/test/packaging/ansible/installation-unprivileged.yml @@ -1,13 +1,12 @@ --- - -- name: installation-unprivileged +- name: Installation-unprivileged hosts: testing_hosts_linux become: true - gather_facts: yes + gather_facts: true pre_tasks: - name: Initial cleanup - include_role: + ansible.builtin.include_role: name: caos.ansible_roles.infra_agent vars: uninstall: true 
@@ -21,28 +20,36 @@ NRIA_MODE: UNPRIVILEGED block: + - name: Install agent + when: "'-fips' not in inventory_hostname" + ansible.builtin.include_role: + name: caos.ansible_roles.infra_agent + vars: + repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent" - - name: install agent - include_role: - name: caos.ansible_roles.infra_agent - vars: - repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent" + - name: Install agent - FIPS + when: "'-fips' in inventory_hostname" + ansible.builtin.include_role: + name: caos.ansible_roles.infra_agent + vars: + repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent" + fips_enabled: true - - name: assert no privileged caps - include_role: - name: caos.ansible_roles.assert_privileged_caps - vars: - executable: "/usr/bin/newrelic-infra" - caps: [] + - name: Assert no privileged caps + ansible.builtin.include_role: + name: caos.ansible_roles.assert_privileged_caps + vars: + executable: "/usr/bin/newrelic-infra" + caps: [] - - name: Assert rootless - include_role: - name: caos.ansible_roles.assert_files - vars: - processes: - - name: newrelic-infra-service - owner: "{{ agent_user }}" - files: - - name: /usr/bin/newrelic-infra - permissions: "{{ bin_mode }}" + - name: Assert rootless + ansible.builtin.include_role: + name: caos.ansible_roles.assert_files + vars: + processes: + - name: newrelic-infra-service + owner: "{{ agent_user }}" + files: + - name: /usr/bin/newrelic-infra + permissions: "{{ bin_mode }}" ... diff --git a/test/packaging/ansible/shutdown-and-terminate.yml b/test/packaging/ansible/shutdown-and-terminate.yml index 3b42ffb70..19e15d272 100644 --- a/test/packaging/ansible/shutdown-and-terminate.yml +++ b/test/packaging/ansible/shutdown-and-terminate.yml 
@@ -1,47 +1,57 @@ --- -- name: install agent linux (HNR) +- name: Install agent linux (HNR) hosts: testing_hosts_linux - gather_facts: yes + gather_facts: true become: true vars: agent_user: root pre_tasks: - name: Initial cleanup - include_role: + ansible.builtin.include_role: name: caos.ansible_roles.infra_agent vars: uninstall: true tasks: - - name: install agent - include_role: + - name: Install agent + when: "'-fips' not in inventory_hostname" + ansible.builtin.include_role: name: caos.ansible_roles.infra_agent vars: display_name: "{{ iid }}:{{ inventory_hostname }}" repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent" -- name: install agent windows (HNR) + - name: Install agent - FIPS + when: "'-fips' in inventory_hostname" + ansible.builtin.include_role: + name: caos.ansible_roles.infra_agent + vars: + display_name: "{{ iid }}:{{ inventory_hostname }}" + repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent" + fips_enabled: true + +- name: Install agent windows (HNR) hosts: testing_hosts_windows - gather_facts: yes + gather_facts: true pre_tasks: - name: Initial cleanup - include_role: + ansible.builtin.include_role: name: caos.ansible_roles.infra_agent vars: uninstall: true tasks: - - name: install agent - include_role: + - name: Install agent + ansible.builtin.include_role: name: caos.ansible_roles.infra_agent vars: display_name: "{{ iid }}:{{ inventory_hostname }}" -- name: test agent behaviour on host shutdown +- name: Test agent behaviour on host shutdown hosts: testing_hosts vars: # Add here hosts of the instances that doesn't support Smart HNR (shutdown detection) e.g. - "amd64:ubuntu14.04" 
@@ -56,80 +66,80 @@ }} tasks: - - name: pause a bit to let the agent send some data - pause: + - name: Pause a bit to let the agent send some data + ansible.builtin.pause: minutes: 1 - - name: restart the agent - include_role: + - name: Restart the agent + ansible.builtin.include_role: name: caos.ansible_roles.service_status vars: service_name: "newrelic-infra" action: "restart" - - name: pause for a bit to let the agent initialize - pause: + - name: Pause for a bit to let the agent initialize + ansible.builtin.pause: seconds: 30 - name: Get entity id - include_role: + ansible.builtin.include_role: name: caos.ansible_roles.infra_agent_get_entity_id - - name: assert agent restart don't trigger shutdown event - include_role: + - name: Assert agent restart don't trigger shutdown event + ansible.builtin.include_role: name: caos.ansible_roles.assert_host_status_event vars: host_status: "shutdown" expect_change_event: false since_sec_ago: 30 - - name: stop instances - include_role: + - name: Stop instances + ansible.builtin.include_role: name: caos.ansible_roles.ec2_instance vars: action: stop instance_id: "{{ iid }}" - - name: pause for a bit to let the event fire - pause: + - name: Pause for a bit to let the event fire + ansible.builtin.pause: seconds: 30 - - name: assert that the agent detecteded host shutdown and disconnected from the backend (only on hosts that support shutdown detection) - include_role: + - name: Assert that the agent detecteded host shutdown and disconnected from the backend (only on hosts that support shutdown detection) + ansible.builtin.include_role: name: caos.ansible_roles.assert_host_status_event vars: host_status: "shutdown" expect_change_event: "{{ host_supports_shutdown_detection }}" timestamp_ref: "{{ ec2_stop_time_sec | int }}" - - name: start instances - include_role: + - name: Start instances + ansible.builtin.include_role: name: caos.ansible_roles.ec2_instance vars: action: start instance_id: "{{ iid }}" - - name: assert the agent 
performed connect to the backend (only on hosts that support shutdown detection) - include_role: + - name: Assert the agent performed connect to the backend (only on hosts that support shutdown detection) + ansible.builtin.include_role: name: caos.ansible_roles.assert_host_status_event vars: host_status: "running" expect_change_event: "{{ host_supports_shutdown_detection }}" timestamp_ref: "{{ ec2_start_time_sec | int }}" - - name: terminate instances - include_role: + - name: Terminate instances + ansible.builtin.include_role: name: caos.ansible_roles.ec2_instance vars: action: terminate instance_id: "{{ iid }}" - - name: pause for a bit to let the event fire - pause: + - name: Pause for a bit to let the event fire + ansible.builtin.pause: seconds: 30 - - name: assert that the agent detecteded host termination and disconnected from the backend (only on hosts that support shutdown detection) - include_role: + - name: Assert that the agent detecteded host termination and disconnected from the backend (only on hosts that support shutdown detection) + ansible.builtin.include_role: name: caos.ansible_roles.assert_host_status_event vars: host_status: "shutdown" diff --git a/test/packaging/ansible/test.yml b/test/packaging/ansible/test.yml index 700ecd22f..561ee9c7b 100644 --- a/test/packaging/ansible/test.yml +++ b/test/packaging/ansible/test.yml 
@@ -1,30 +1,35 @@ --- -- name: pinned version agent installation +- name: Pinned version agent installation import_playbook: installation-pinned.yml + when: "'-fips' not in inventory_hostname" # TODO: https://new-relic.atlassian.net/browse/NR-355841 -- name: agent installation as root +- name: Agent installation as root import_playbook: installation-root.yml -- name: privileged mode agent installation +- name: Privileged mode agent installation import_playbook: installation-privileged.yml -- name: unprivileged mode agent installation +- name: Unprivileged mode agent installation import_playbook: installation-unprivileged.yml -- name: agent installation via newrelic-cli +- name: Agent installation via newrelic-cli import_playbook: installation-newrelic-cli.yml + when: "'-fips' not in inventory_hostname" # FIPS not supported via newrelic-cli in initial release -- name: installation windows +- name: Installation windows import_playbook: installation-windows.yml -- name: log forwarder +- name: Log forwarder import_playbook: log-forwarder.yml + when: "'-fips' not in inventory_hostname" # We only have AL-2023 images for FIPS for now -- name: agent upgrade +- name: Agent upgrade import_playbook: agent-upgrade.yml + when: "'-fips' not in inventory_hostname" # TODO: https://new-relic.atlassian.net/browse/NR-355851 -- name: shutdown , terminate and HNR alerts +- name: Shutdown , terminate and HNR alerts import_playbook: shutdown-and-terminate.yml + when: "'al-2023' not in inventory_hostname" # TODO: https://new-relic.atlassian.net/browse/NR-282854 AL-2023 fails this test 80% of the time ... diff --git a/test/provision/terraform/caos.auto.tfvars.dist b/test/provision/terraform/caos.auto.tfvars.dist index 3989fa16a..e2be356b8 100644 --- a/test/provision/terraform/caos.auto.tfvars.dist +++ b/test/provision/terraform/caos.auto.tfvars.dist 
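Review bot: every FIPS exclusion in this file, e.g. `when: "'-fips' not in inventory_hostname"`, is a substring test on the host name, which ties test selection to a naming convention set in Terraform rather than to inventory data. Declaring a `testing_hosts_linux_fips` group in `inventory.tmpl` and using `when: "'testing_hosts_linux_fips' not in group_names"` would make the selection explicit and survive a renamed instance. The `'al-2023' not in inventory_hostname` condition on shutdown-and-terminate also drops the non-FIPS AL2023 hosts from HNR coverage; the linked ticket explains the flakiness, but a comment stating that both AL2023 variants are skipped would spare the next reader the inference.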
@@ -2,9 +2,9 @@ ec2_prefix = "PREFIX:TAG_OR_UNIQUE_NAME" windows_ec2 = ["windows_2016", "windows_2019", "windows_2022"] -linux_ec2_amd = ["amd64:ubuntu24.04", "amd64:ubuntu22.04", "amd64:ubuntu20.04", "amd64:ubuntu18.04", "amd64:ubuntu16.04", "amd64:centos-stream", "amd64:sles-12.5", "amd64:sles-15.3", "amd64:sles-15.4", "amd64:sles-15.5", "amd64:sles-15.6", "amd64:redhat-8.4", "amd64:redhat-9.0", "amd64:debian-bookworm", "amd64:al-2", "amd64:al-2023"] +linux_ec2_amd = ["amd64:ubuntu24.04", "amd64:ubuntu22.04", "amd64:ubuntu20.04", "amd64:ubuntu18.04", "amd64:ubuntu16.04", "amd64:centos-stream", "amd64:sles-12.5", "amd64:sles-15.3", "amd64:sles-15.4", "amd64:sles-15.5", "amd64:sles-15.6", "amd64:redhat-8.4", "amd64:redhat-9.0", "amd64:debian-bookworm", "amd64:al-2", "amd64:al-2023", "amd64:al-2023-fips"] -linux_ec2_arm = ["arm64:ubuntu24.04", "arm64:ubuntu22.04", "arm64:ubuntu20.04", "arm64:ubuntu18.04", "arm64:ubuntu16.04", "arm64:centos-stream", "arm64:sles-15.3", "arm64:sles-15.4", "arm64:sles-15.5", "arm64:sles-15.6", "arm64:redhat-9.0", "arm64:debian-bookworm", "arm64:al-2", "arm64:al-2023"] +linux_ec2_arm = ["arm64:ubuntu24.04", "arm64:ubuntu22.04", "arm64:ubuntu20.04", "arm64:ubuntu18.04", "arm64:ubuntu16.04", "arm64:centos-stream", "arm64:sles-15.3", "arm64:sles-15.4", "arm64:sles-15.5", "arm64:sles-15.6", "arm64:redhat-9.0", "arm64:debian-bookworm", "arm64:al-2", "arm64:al-2023", "arm64:al-2023-fips"] ssh_pub_key = "AAAAB3NzaC1yc2EAAAADAQABAAABAQDH9C7BS2XrtXGXFFyL0pNku/Hfy84RliqvYKpuslJFeUivf5QY6Ipi8yXfXn6TsRDbdxfGPi6oOR60Fa+4cJmCo6N5g57hBS6f2IdzQBNrZr7i1I/a3cFeK6XOc1G1tQaurx7Pu+qvACfJjLXKG66tHlaVhAHd/1l2FocgFNUDFFuKS3mnzt9hKys7sB4aO3O0OdohN/0NJC4ldV8/OmeXqqfkiPWcgPx3C8bYyXCX7QJNBHKrzbX1jW51Px7SIDWFDV6kxGwpQGGBMJg/k79gjjM+jhn4fg1/VP/Fx37mAnfLqpcTfiOkzSE80ORGefQ1XfGK/Dpa3ITrzRYW8xlR caos-dev-arm" pvt_key = "~/.ssh/caos-dev-arm.cer" 
diff --git a/test/provision/terraform/inventory.tmpl b/test/provision/terraform/inventory.tmpl index 8b682061e..18c47f5d9 100644 --- a/test/provision/terraform/inventory.tmpl +++ b/test/provision/terraform/inventory.tmpl @@ -15,12 +15,12 @@ windows_amd64 [linux_amd64] %{ for index, vms in agent-ids ~} -%{ if platform[index] == "linux" && strcontains(vms, "amd64") }${vms} ansible_user=${agent-user[index]} ansible_host=${agent-private-ip[index]} ansible_python_interpreter=${agent-python[index]} iid=${instance-id[index]}%{ endif } +%{ if platform[index] == "linux" && strcontains(vms, "amd64") }${vms} ansible_user=${agent-user[index]} ansible_host=${agent-private-ip[index]} ansible_python_interpreter=${agent-python[index]} iid=${instance-id[index]} ansible_ssh_common_args='-o StrictHostKeyChecking=no%{ if strcontains(vms, "fips") } -o Ciphers=aes256-ctr,aes192-ctr,aes128-ctr -o KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -o MACs=hmac-sha2-256,hmac-sha2-512%{ endif }'%{ endif } %{ endfor ~} [linux_arm64] %{ for index, vms in agent-ids ~} -%{ if platform[index] == "linux" && strcontains(vms, "arm64") }${vms} ansible_user=${agent-user[index]} ansible_host=${agent-private-ip[index]} ansible_python_interpreter=${agent-python[index]} iid=${instance-id[index]}%{ endif } +%{ if platform[index] == "linux" && strcontains(vms, "arm64") }${vms} ansible_user=${agent-user[index]} ansible_host=${agent-private-ip[index]} ansible_python_interpreter=${agent-python[index]} iid=${instance-id[index]} ansible_ssh_common_args='-o StrictHostKeyChecking=no%{ if strcontains(vms, "fips") } -o Ciphers=aes256-ctr,aes192-ctr,aes128-ctr -o KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -o MACs=hmac-sha2-256,hmac-sha2-512%{ endif }'%{ endif } %{ endfor ~} [windows_amd64] 
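Review bot: the FIPS-only SSH option string is now duplicated verbatim in the `linux_amd64` and `linux_arm64` entries, and `StrictHostKeyChecking=no` moves from `[testing_hosts_linux:vars]` onto every host line, so the two lists can drift independently. A template-local value for the FIPS options, or a `[testing_hosts_linux_fips:vars]` group carrying `ansible_ssh_common_args`, would keep them in one place. A short comment that the per-host `ansible_ssh_common_args` overrides rather than extends the group-level value — which is why `StrictHostKeyChecking=no` had to be re-added inline — would stop a future editor from dropping it when trimming the line.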
@@ -30,7 +30,6 @@ windows_amd64 [testing_hosts_linux:vars] ansible_ssh_private_key_file=~/.ssh/caos-dev-arm.cer -ansible_ssh_common_args='-o StrictHostKeyChecking=no' [windows_amd64:vars] ansible_winrm_transport=basic