Testinfra test your salt infrastructure Philippe Pepiot - - PowerPoint PPT Presentation

▶

Dec 03, 2022 443 likes •767 views

Testinfra test your salt infrastructure Philippe Pepiot <phil@philpep.org> Author and maintainer of testinfra Software engineer and devops @ 1 #cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab Testinfra Test the actual

SLIDE 1

Testinfra test your salt infrastructure

Philippe Pepiot <phil@philpep.org> Author and maintainer of testinfra Software engineer and devops @

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

1

SLIDE 2

Testinfra

Test the actual state of your server configured by salt, ansible, puppet, chef and so on. In python! Tests are written in python too! https://testinfra.readthedocs.io https://github.com/philpep/testinfra Licence Apache 2

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

2

SLIDE 3

Infrastructure as code

yaml and jinja are code We manage the code in DVCS (git, mercurial) How to test it?

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

3

SLIDE 4

Test and staging servers

Good solution for a company Doesn't offer good concurrency when there are many developpers. Not an option for open source project with external contributors (salt formulas, ansible roles, puppet modules)

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

4

SLIDE 5

Virtualization

Run the deployment in a ephemeral test environment

Tools

qemu https://www.qemu.org docker https://docker.com lxc https://linuxcontainers.org

$your_favorite_container_tool

Openstack / EC2 / GCE / K8S

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

5

SLIDE 6

Test process

Run a VM or a container Deploy it with your config management tool Verify Destroy the VM or the container

Tools

Vagrant https://www.vagrantup.com Testkitchen http://kitchen.ci Molecule https://molecule.readthedocs.io

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

6

SLIDE 7

CI

Submit pull requests Review Test them automatically Jenkins https://jenkins.io Gitlab CI Travis https://travisci.org (we can run docker containers in travis !)

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

7

SLIDE 8

Verify the deployment

monitoring is good, but comes too late, we want to test before code is actually merged. As a maintainer of infrastructure code, testing PR is boring, red / green status helps a lot. Your infrastructure code is an API, testing it is a good way to keep it stable enough and make users confident with upgrades.

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

8

SLIDE 9

Testinfra

First version in 2015 In python with

pytest

integration

def test_apache_installed(host): if host.system_info.distribution == 'redhat': pkgname = 'httpd' else: pkgname = 'apache2' assert host.package(pkgname).is_installed

pytest

All function named

test_...

are tests The

host

bject is a

pytest

fixture defined in testinfra Lot of features (not covered here) https://docs.pytest.org

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

9

SLIDE 10

Running the tests

$ py.test mytest.py mytest.py::test_apache_installed[local://] PASSED $ py.test mytest.py [...] mytest.py::test_apache_installed[local://] FAILED [...] def test_apache_installed(host): if host.system_info.distribution == 'redhat': pkgname = 'httpd' else: pkgname = 'apache2' > assert host.package(pkgname).is_installed E AssertionError: assert False E + where False = <package apache2>.is_installed

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

10

SLIDE 11

Testinfra

testinfra runs commands locally or on a remote host write assertions on the actual state of the server some system abstractions (services, packages)

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

11

SLIDE 12

Connection backends

The

host

API is available through

testinfra.get_hosts()

Supports different connection types (local, paramiko, docker, salt, ansible, kubectl, winrm) With some connection options (user, use sudo, ansible inventory to use). Supports testing multiple hosts through pytest test parameterization!

$ py.test host=paramiko://user@host test.py::test_postgres[pramiko://user@host] PASSED $ py.test host=docker://boring,docker://wozniak test.py::test_postgres[docker://boring] PASSED test.py::test_postgres[docker://wozniak] PASSED $ py.test host 'salt://web*'

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

12

SLIDE 13

Run commands

>>> import testinfra >>> host = testinfra.get_host('ssh://somehost') >>> host.run('echo foo;echo bar >/dev/stderr; exit 42') CommandResult(rc=42, stdout='foo', stderr='bar')

Write assertions

>>> assert host.run('echo foo').stdout == 'bar' Traceback (most recent call last): [...] AssertionError

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

13

SLIDE 14

Modules

package

apt, rpm, *BSD

>>> host.package('nginx').is_installed True >>> host.package('nginx').version '1.2.12.2+wheezy3'

service

Systemd, Upstart, Sysv, *BSD

>>> host.service('nginx').is_enabled True >>> host.service('nginx').is_running False

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

14

SLIDE 15

Modules

https://testinfra.readthedocs.io/en/latest/modules.html ansible, file, group, interface, mount_point, package, pip_package, process, puppet_resource, facter, salt, service, socket, sudo, supervisor, sysctl, system_info, user

def test_postgres(host): postgresql = host.service('postgresql') assert postgresql.is_enabled assert postgresql.is_running with host.sudo('postgres'): assert host.check_output( "psql tAc 'show shared_buffers'" ) == '256MB' assert sum([p.pmem for p in host.process.filter(user='postgres') ]) < 80 assert len(host.socket('tcp://5432').clients) < 50

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

15

SLIDE 16

salt module

>>> host.salt("pkg.version", "nginx") '1.6.25' >>> host.salt("state.sls", "nginx.ng") {'pkg_|nginx_install_|nginx_|installed': { {'changes': {'nginx': {'new': '1.10.31+deb9u1', 'old': 'comment': 'The following packages were installed/updated: nginx' 'duration': 42310.523, 'name': 'nginx', 'result': True}}, 'file_|nginx_server_enabled_dir_|/etc/nginx/sitesenabled_|directory' 'comment': 'Directory /etc/nginx/sitesenabled is in the correct state' 'duration': 3.436, 'name': '/etc/nginx/sitesenabled', 'pchanges': {}, 'result': True}}

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

16

SLIDE 17

Test multihosts

import uuid import testinfra def test_nfs_responsive(): srv0 = testinfra.get_host('salt://minion0') srv1 = testinfra.get_host('salt://minion1') uid = str(uuid.uuid4()) srv0.check_output('echo %s > /nfs/test.tmp', uid) assert srv1.file('/nfs/test.tmp').content == uid

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

17

SLIDE 18

Reusing tests for monitoring

Infrastructure tests can be close to monitoring checks With the option

nagios

testinfra turns into a nagios compatible plugin Share your test code between CI and production monitoring

$ testinfra q nagios my_test.py TESTINFRA OK 1 passed, 0 failed, 0 skipped in 0.02 seconds

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

18

SLIDE 19

Testkitchen

testinfra can be used as a testkitchen verifier

verifier: name: shell command: testinfra host="paramiko:// ${KITCHEN_USERNAME}@${KITCHEN_HOSTNAME}:${KITCHEN_PORT} ?ssh_identity_file=${KITCHEN_SSH_KEY}" junitxml "junit${KITCHEN_INSTANCE}.xml" "test/integration/${KITCHEN_SUITE}"

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

19

SLIDE 20

Vagrant

$ vagrant sshconfig > .vagrant/sshconfig $ py.test hosts=default \ sshconfig=.vagrant/sshconfig tests/

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

20

SLIDE 21

Some test suites examples

https://github.com/ceph/cephansible https://github.com/freedomofpress/securedrop https://github.com/saltstackformulas/dockerformula https://github.com/saltstackformulas/elasticsearchformula https://github.com/saltstackformulas/kibanaformula

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

21

SLIDE 22

Others projects

serverspec (BDD, ruby) goss (json spec file, local only): https://github.com/aelsabbahy/goss inspec for chef https://www.inspec.io/

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

22

SLIDE 23

Roadmap

run tests asynchronously run background commands

with host.run('journalctl f') as output: testmyapp() assert 'some log' in output.stdout

Having a stable API for maintaining external modules

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

23

SLIDE 24

Example

write tests for https://github.com/saltstackformula/nginx formula using docker and testinfra

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

24

SLIDE 25

Dockerfile

FROM debian:stretch RUN aptget update && aptget y install saltminion \ systemdsysv nettools RUN rm /etc/systemd/system/multiuser.target.wants/salt* ADD testminion.conf /etc/salt/minion.d/minion.conf ADD nginx /srv/nginx RUN saltcall retcodepassthrough hardcrash \ state.sls nginx.ng CMD ["/sbin/init"]

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

25

SLIDE 26

testminion.conf

file_roots: base: /srv file_client: local log_level: info

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

26

SLIDE 27

test_nginx_formula.py

import os import subprocess import pytest import requests import testinfra ROOT = os.path.dirname(file) @pytest.fixture def host(): subprocess.check_call([ 'docker', 'build', 't', 'testnginxformula', ROOT]) docker_id = subprocess.check_output([ 'docker', 'run', 'd', 'privileged', 'testnginxformula', ]).decode().strip() yield testinfra.get_host('docker://' + docker_id) subprocess.check_output([ 'docker', 'rm', 'f', docker_id])

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

27

SLIDE 28

test_nginx_formula.py

def test_nginx(host): assert host.package('nginx').is_installed assert host.service('nginx').is_running assert host.socket('tcp://80').is_listening ip = host.interface('eth0').addresses[0] response = requests.get('http://{}'.format(ip)) assert response.status_code == 200

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

28

SLIDE 29

test_nginx_formula.py

def test_state_indempotence(host): summary = host.salt('state.sls', 'nginx.ng') assert all(s['result'] is True and s['changes'] == {} for s in summary.values())

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

29

SLIDE 30

test_nginx_formula.py

def test_pillars(host): ip = host.interface('eth0').addresses[0] response = requests.get('http://{}'.format(ip)) assert response.status_code == 200 assert response.headers['server'] == 'nginx/1.10.3' host.salt('state.sls', ['nginx.ng', ( "pillar={'nginx': {'ng': {'server': " "{'config': {'http': {'server_tokens': 'off'}" "}}}}}")]) response = requests.get('http://{}'.format(ip)) assert response.status_code == 200 assert response.headers['server'] == 'nginx'

#cfgmgmtcamp18 | january 2018 | Philippe Pepiot @philpep_ | Logilab

30

Testinfra test your salt infrastructure

Philippe Pepiot <phil@philpep.org> Author and maintainer of testinfra Software engineer and devops @

1

Testinfra

Test the actual state of your server configured by salt, ansible, puppet, chef and so on. In python! Tests are written in python too! https://testinfra.readthedocs.io https://github.com/philpep/testinfra Licence Apache 2

2

Infrastructure as code

yaml and jinja are code We manage the code in DVCS (git, mercurial) How to test it?

3

Test and staging servers

Good solution for a company Doesn't offer good concurrency when there are many developpers. Not an option for open source project with external contributors (salt formulas, ansible roles, puppet modules)

4

Virtualization

Run the deployment in a ephemeral test environment

Tools

qemu https://www.qemu.org docker https://docker.com lxc https://linuxcontainers.org

$your_favorite_container_tool

Openstack / EC2 / GCE / K8S

5

Test process

Run a VM or a container Deploy it with your config management tool Verify Destroy the VM or the container

Tools

Vagrant https://www.vagrantup.com Test­kitchen http://kitchen.ci Molecule https://molecule.readthedocs.io

6

CI

Submit pull requests Review Test them automatically Jenkins https://jenkins.io Gitlab CI Travis https://travis­ci.org (we can run docker containers in travis !)

7

Verify the deployment

8

Testinfra

First version in 2015 In python with

pytest

integration

def test_apache_installed(host): if host.system_info.distribution == 'redhat': pkgname = 'httpd' else: pkgname = 'apache2' assert host.package(pkgname).is_installed

pytest

All function named

test_...

are tests The

host

pytest

fixture defined in testinfra Lot of features (not covered here) https://docs.pytest.org

9

Running the tests

10

Testinfra

testinfra runs commands locally or on a remote host write assertions on the actual state of the server some system abstractions (services, packages)

11

Connection backends

The

host

API is available through

testinfra.get_hosts()

Supports different connection types (local, paramiko, docker, salt, ansible, kubectl, winrm) With some connection options (user, use sudo, ansible inventory to use). Supports testing multiple hosts through pytest test parameterization!

$ py.test ­­host=paramiko://user@host test.py::test_postgres[pramiko://user@host] PASSED $ py.test ­­host=docker://boring,docker://wozniak test.py::test_postgres[docker://boring] PASSED test.py::test_postgres[docker://wozniak] PASSED $ py.test ­­host 'salt://web*'

12

Run commands

>>> import testinfra >>> host = testinfra.get_host('ssh://somehost') >>> host.run('echo foo;echo bar >/dev/stderr; exit 42') CommandResult(rc=42, stdout='foo', stderr='bar')

Write assertions

>>> assert host.run('echo foo').stdout == 'bar' Traceback (most recent call last): [...] AssertionError

13

Modules

package

apt, rpm, *BSD

>>> host.package('nginx').is_installed True >>> host.package('nginx').version '1.2.1­2.2+wheezy3'

service

Systemd, Upstart, Sysv, *BSD

>>> host.service('nginx').is_enabled True >>> host.service('nginx').is_running False

14

Modules

https://testinfra.readthedocs.io/en/latest/modules.html ansible, file, group, interface, mount_point, package, pip_package, process, puppet_resource, facter, salt, service, socket, sudo, supervisor, sysctl, system_info, user

15

salt module

16

Test multi­hosts

import uuid import testinfra def test_nfs_responsive(): srv0 = testinfra.get_host('salt://minion0') srv1 = testinfra.get_host('salt://minion1') uid = str(uuid.uuid4()) srv0.check_output('echo %s > /nfs/test.tmp', uid) assert srv1.file('/nfs/test.tmp').content == uid

17

Reusing tests for monitoring

Infrastructure tests can be close to monitoring checks With the option

­­nagios

testinfra turns into a nagios compatible plugin Share your test code between CI and production monitoring

Vagrant https://www.vagrantup.com Testkitchen http://kitchen.ci Molecule https://molecule.readthedocs.io

Submit pull requests Review Test them automatically Jenkins https://jenkins.io Gitlab CI Travis https://travisci.org (we can run docker containers in travis !)

$ py.test host=paramiko://user@host test.py::test_postgres[pramiko://user@host] PASSED $ py.test host=docker://boring,docker://wozniak test.py::test_postgres[docker://boring] PASSED test.py::test_postgres[docker://wozniak] PASSED $ py.test host 'salt://web*'

>>> host.package('nginx').is_installed True >>> host.package('nginx').version '1.2.12.2+wheezy3'

Test multihosts

nagios

$ testinfra q nagios my_test.py TESTINFRA OK 1 passed, 0 failed, 0 skipped in 0.02 seconds

Testkitchen

testinfra can be used as a testkitchen verifier

verifier: name: shell command: testinfra host="paramiko:// ${KITCHEN_USERNAME}@${KITCHEN_HOSTNAME}:${KITCHEN_PORT} ?ssh_identity_file=${KITCHEN_SSH_KEY}" junitxml "junit${KITCHEN_INSTANCE}.xml" "test/integration/${KITCHEN_SUITE}"

$ vagrant sshconfig > .vagrant/sshconfig $ py.test hosts=default \ sshconfig=.vagrant/sshconfig tests/

https://github.com/ceph/cephansible https://github.com/freedomofpress/securedrop https://github.com/saltstackformulas/dockerformula https://github.com/saltstackformulas/elasticsearchformula https://github.com/saltstackformulas/kibanaformula

with host.run('journalctl f') as output: testmyapp() assert 'some log' in output.stdout

write tests for https://github.com/saltstackformula/nginx formula using docker and testinfra

testminion.conf

file_roots: base: /srv file_client: local log_level: info