Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

molecule scenario ssh_hardening if failing due to missing docker image #790

Closed
seven-beep opened this issue Sep 6, 2024 · 1 comment · Fixed by #801
Closed

molecule scenario ssh_hardening if failing due to missing docker image #790

seven-beep opened this issue Sep 6, 2024 · 1 comment · Fixed by #801
Labels

Comments

@seven-beep
Copy link
Contributor

Description

As title say.

Reproduction steps

# molecule check -s ssh_hardening
WARNING  Driver docker does not provide a schema.
INFO     ssh_hardening scenario test matrix: dependency, destroy, create, prepare, converge, check, destroy
INFO     Performing prerun with role_name_check=0...
INFO     Running ssh_hardening > dependency
WARNING  Skipping, missing the requirements file.
WARNING  Skipping, missing the requirements file.
INFO     Running ssh_hardening > destroy
INFO     Sanity checks: 'docker'

PLAY [Destroy] *****************************************************************

TASK [Set async_dir for HOME env] **********************************************
Friday 06 September 2024  13:39:29 +0200 (0:00:00.045)       0:00:00.045 ******
ok: [localhost]

TASK [Destroy molecule instance(s)] ********************************************
Friday 06 September 2024  13:39:29 +0200 (0:00:00.057)       0:00:00.102 ******
changed: [localhost] => (item=instance)

TASK [Wait for instance(s) deletion to complete] *******************************
Friday 06 September 2024  13:39:29 +0200 (0:00:00.690)       0:00:00.793 ******
FAILED - RETRYING: [localhost]: Wait for instance(s) deletion to complete (300 retries left).
ok: [localhost] => (item=instance)

TASK [Delete docker networks(s)] ***********************************************
Friday 06 September 2024  13:39:35 +0200 (0:00:05.590)       0:00:06.383 ******
skipping: [localhost]

PLAY RECAP *********************************************************************
localhost                  : ok=3    changed=1    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0

Friday 06 September 2024  13:39:35 +0200 (0:00:00.034)       0:00:06.418 ******
===============================================================================
Wait for instance(s) deletion to complete ------------------------------- 5.59s
Destroy molecule instance(s) -------------------------------------------- 0.69s
Set async_dir for HOME env ---------------------------------------------- 0.06s
Delete docker networks(s) ----------------------------------------------- 0.03s
Playbook run took 0 days, 0 hours, 0 minutes, 6 seconds
INFO     Running ssh_hardening > create

PLAY [Create] ******************************************************************

TASK [Set async_dir for HOME env] **********************************************
Friday 06 September 2024  13:39:36 +0200 (0:00:00.045)       0:00:00.045 ******
ok: [localhost]

TASK [Log into a Docker registry] **********************************************
Friday 06 September 2024  13:39:36 +0200 (0:00:00.047)       0:00:00.092 ******
skipping: [localhost] => (item=None)
skipping: [localhost]

TASK [Check presence of custom Dockerfiles] ************************************
Friday 06 September 2024  13:39:36 +0200 (0:00:00.049)       0:00:00.142 ******
ok: [localhost] => (item={'cgroupns_mode': 'host', 'command': '/lib/systemd/systemd', 'image': 'rndmh3ro/docker--ansible:latest', 'name': 'instance', 'pre_build_image': True, 'privileged': True, 'volumes': ['/sys/fs/cgroup:/sys/fs/cgroup:rw']})

TASK [Create Dockerfiles from image names] *************************************
Friday 06 September 2024  13:39:36 +0200 (0:00:00.313)       0:00:00.455 ******
skipping: [localhost] => (item={'cgroupns_mode': 'host', 'command': '/lib/systemd/systemd', 'image': 'rndmh3ro/docker--ansible:latest', 'name': 'instance', 'pre_build_image': True, 'privileged': True, 'volumes': ['/sys/fs/cgroup:/sys/fs/cgroup:rw']})
skipping: [localhost]

TASK [Synchronization the context] *********************************************
Friday 06 September 2024  13:39:36 +0200 (0:00:00.056)       0:00:00.512 ******
skipping: [localhost] => (item={'cgroupns_mode': 'host', 'command': '/lib/systemd/systemd', 'image': 'rndmh3ro/docker--ansible:latest', 'name': 'instance', 'pre_build_image': True, 'privileged': True, 'volumes': ['/sys/fs/cgroup:/sys/fs/cgroup:rw']})
skipping: [localhost]

TASK [Discover local Docker images] ********************************************
Friday 06 September 2024  13:39:36 +0200 (0:00:00.041)       0:00:00.553 ******
ok: [localhost] => (item={'changed': False, 'skipped': True, 'skip_reason': 'Conditional result was False', 'false_condition': 'not item.pre_build_image | default(false)', 'item': {'cgroupns_mode': 'host', 'command': '/lib/systemd/systemd', 'image': 'rndmh3ro/docker--ansible:latest', 'name': 'instance', 'pre_build_image': True, 'privileged': True, 'volumes': ['/sys/fs/cgroup:/sys/fs/cgroup:rw']}, 'ansible_loop_var': 'item', 'i': 0, 'ansible_index_var': 'i'})

TASK [Create docker network(s)] ************************************************
Friday 06 September 2024  13:39:37 +0200 (0:00:00.579)       0:00:01.133 ******
skipping: [localhost]

TASK [Build an Ansible compatible image (new)] *********************************
Friday 06 September 2024  13:39:37 +0200 (0:00:00.031)       0:00:01.165 ******
skipping: [localhost] => (item=molecule_local/rndmh3ro/docker--ansible:latest)
skipping: [localhost]

TASK [Determine the CMD directives] ********************************************
Friday 06 September 2024  13:39:37 +0200 (0:00:00.038)       0:00:01.203 ******
ok: [localhost] => (item={'cgroupns_mode': 'host', 'command': '/lib/systemd/systemd', 'image': 'rndmh3ro/docker--ansible:latest', 'name': 'instance', 'pre_build_image': True, 'privileged': True, 'volumes': ['/sys/fs/cgroup:/sys/fs/cgroup:rw']})

TASK [Create molecule instance(s)] *********************************************
Friday 06 September 2024  13:39:37 +0200 (0:00:00.056)       0:00:01.260 ******
changed: [localhost] => (item=instance)

TASK [Wait for instance(s) creation to complete] *******************************
Friday 06 September 2024  13:39:38 +0200 (0:00:00.707)       0:00:01.968 ******
failed: [localhost] (item={'failed': 0, 'started': 1, 'finished': 0, 'ansible_job_id': 'j852982516930.5450', 'results_file': '/home/user/.ansible_async/j852982516930.5450', 'changed': True, 'item': {'cgroupns_mode': 'host', 'command': '/lib/systemd/systemd', 'image': 'rndmh3ro/docker--ansible:latest', 'name': 'instance', 'pre_build_image': True, 'privileged': True, 'volumes': ['/sys/fs/cgroup:/sys/fs/cgroup:rw']}, 'ansible_loop_var': 'item'}) => {"ansible_job_id": "j852982516930.5450", "ansible_loop_var": "item", "attempts": 2, "changed": false, "finished": 1, "item": {"ansible_job_id": "j852982516930.5450", "ansible_loop_var": "item", "changed": true, "failed": 0, "finished": 0, "item": {"cgroupns_mode": "host", "command": "/lib/systemd/systemd", "image": "rndmh3ro/docker--ansible:latest", "name": "instance", "pre_build_image": true, "privileged": true, "volumes": ["/sys/fs/cgroup:/sys/fs/cgroup:rw"]}, "results_file": "/home/user/.ansible_async/j852982516930.5450", "started": 1}, "msg": "Error pulling image rndmh3ro/docker--ansible:latest - 404 Client Error for http+docker://localhost/v1.47/images/create?tag=latest&fromImage=rndmh3ro%2Fdocker--ansible: Not Found (\"pull access denied for rndmh3ro/docker--ansible, repository does not exist or may require 'docker login': denied: requested access to the resource is denied\")", "results_file": "/home/user/.ansible_async/j852982516930.5450", "started": 1, "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
FAILED - RETRYING: [localhost]: Wait for instance(s) creation to complete (300 retries left).

PLAY RECAP *********************************************************************
localhost                  : ok=5    changed=1    unreachable=0    failed=1    skipped=5    rescued=0    ignored=0

Friday 06 September 2024  13:39:43 +0200 (0:00:05.555)       0:00:07.523 ******
===============================================================================
Wait for instance(s) creation to complete ------------------------------- 5.56s
Create molecule instance(s) --------------------------------------------- 0.71s
Discover local Docker images -------------------------------------------- 0.58s
Check presence of custom Dockerfiles ------------------------------------ 0.31s
Create Dockerfiles from image names ------------------------------------- 0.06s
Determine the CMD directives -------------------------------------------- 0.06s
Log into a Docker registry ---------------------------------------------- 0.05s
Set async_dir for HOME env ---------------------------------------------- 0.05s
Synchronization the context --------------------------------------------- 0.04s
Build an Ansible compatible image (new) --------------------------------- 0.04s
Create docker network(s) ------------------------------------------------ 0.03s
Playbook run took 0 days, 0 hours, 0 minutes, 7 seconds
CRITICAL Ansible return code was 2, command was: ansible-playbook --inventory /home/user/.cache/molecule/ansible-collection-hardening/ssh_hardening/inventory --skip-tags molecule-notest,notest /home/user/.local/pipx/venvs/molecule/lib/python3.11/site-packages/molecule_plugins/docker/playbooks/create.yml

# cat /home/user/.ansible_async/j852982516930.5450
{"failed": true, "msg": "Error pulling image rndmh3ro/docker--ansible:latest - 404 Client Error for http+docker://localhost/v1.47/images/create?tag=latest&fromImage=rndmh3ro%2Fdocker--ansible: Not Found (\"pull access denied for rndmh3ro/docker--ansible, repository does not exist or may require 'docker login': denied: requested access to the resource is denied\")", "invocation": {"module_args": {"name": "instance", "docker_host": "unix://var/run/docker.sock", "tls_verify": false, "hostname": "instance", "image": "rndmh3ro/docker--ansible:latest", "state": "started", "recreate": false, "log_driver": "json-file", "command": "/lib/systemd/systemd", "command_handling": "compatibility", "privileged": true, "volumes": ["/sys/fs/cgroup:/sys/fs/cgroup:rw"], "networks_cli_compatible": true, "labels": {"owner": "molecule"}, "container_default_behavior": "compatibility", "cgroupns_mode": "host", "comparisons": {"platform": "ignore"}, "validate_certs": false, "api_version": "auto", "timeout": 60, "tls": false, "use_ssh_client": false, "debug": false, "cleanup": false, "force_kill": false, "ignore_image": false, "image_comparison": "desired-image", "image_label_mismatch": "ignore", "keep_volumes": true, "output_logs": false, "pull": "missing", "pull_check_mode_behavior": "image_not_present", "purge_networks": false, "restart": false, "healthy_wait_timeout": 300.0, "tls_hostname": null, "ca_path": null, "client_cert": null, "client_key": null, "ssl_version": null, "default_host_ip": null, "image_name_mismatch": null, "kill_signal": null, "paused": false, "removal_wait_timeout": null, "auto_remove": false, "blkio_weight": null, "capabilities": null, "cap_drop": null, "cgroup_parent": null, "cpu_period": null, "cpu_quota": null, "cpuset_cpus": null, "cpuset_mems": null, "cpu_shares": null, "entrypoint": null, "cpus": null, "detach": true, "interactive": false, "devices": null, "device_read_bps": null, "device_write_bps": null, "device_read_iops": null, "device_write_iops": null, "device_requests": null, "device_cgroup_rules": null, "dns_servers": null, "dns_opts": null, "dns_search_domains": null, "domainname": null, "env": null, "env_file": null, "etc_hosts": null, "groups": null, "healthcheck": null, "init": false, "ipc_mode": null, "kernel_memory": null, "links": null, "log_options": null, "mac_address": null, "memory": "0", "memory_reservation": null, "memory_swap": null, "memory_swappiness": null, "stop_timeout": null, "network_mode": null, "networks": null, "oom_killer": null, "oom_score_adj": null, "pid_mode": null, "pids_limit": null, "platform": null, "read_only": false, "restart_policy": null, "restart_retries": null, "runtime": null, "security_opts": null, "shm_size": null, "stop_signal": null, "storage_opts": null, "sysctls": null, "tmpfs": null, "tty": false, "ulimits": null, "user": null, "userns_mode": null, "uts": null, "volume_driver": null, "volumes_from": null, "working_dir": null, "mounts": null, "exposed_ports": null, "publish_all_ports": null, "published_ports": null}}}

# docker pull rndmh3ro/docker--ansible:latest
Error response from daemon: pull access denied for rndmh3ro/docker--ansible, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

Current Behavior

Molecule scenario is no available.

Expected Behavior

Molecule scenario should be utilsable.

OS / Environment

Debian 12

Ansible Version

ansible [core 2.17.1]
  config file = None
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/user/.local/bin/ansible
  python version = 3.11.2 (main, Aug 26 2024, 07:20:54) [GCC 12.2.0] (/home/user/.local/pipx/venvs/ansible-core/bin/python)
  jinja version = 3.1.4
  libyaml = True

Collection Version

latest

Additional information

No response

@seven-beep seven-beep added the bug label Sep 6, 2024
@rndmh3ro
Copy link
Member

rndmh3ro commented Sep 6, 2024

It's not clear (because we did not document it) but to test locally, you have to set the following env-variable:

MOLECULE_DISTRO: debian12 molecule test -s ssh_hardening

See the supported list here: https://github.com/dev-sec/ansible-collection-hardening/blob/master/.github/workflows/ssh_hardening.yml#L39

@seven-beep seven-beep changed the title molecule scenarion ssh_hardening if failing due to missing docker image molecule scenario ssh_hardening if failing due to missing docker image Sep 8, 2024
@schurzi schurzi linked a pull request Oct 7, 2024 that will close this issue
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants