Executing inspec against a container from within the host #145

Closed
ptemmer opened this issue Sep 6, 2017 · 2 comments

ptemmer commented Sep 6, 2017

Hi there,

I'm not sure if this is the best place to ask my question. Apologies upfront in case it's not and please feel free to point me in the right direction.

Situation:
I'm using the vagrant driver in Kitchen to create a VM and execute the chef recipes that I want to test. Part of this recipe downloads and starts a Docker container. For example Apache or MySQL.

Problem:
Since I provision with vagrant, the Inspec resources in my tests are being applied to the host machine, not the docker container. For example, the resource "apache_conf" does not check against the config in my docker container, but instead looks for an Apache config on the host machine.

What are my options here?
The docker resources do not allow me to test the actual Apache or MySQL installations that are running inside the container.

Would this be my best bet?:

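# Wrap the check in `sh -c` so the glob expands inside the container, not on the host.
describe command(%q(docker exec CONTAINER sh -c 'grep "some config" /etc/apache2/conf/*')) do
  # grep prints the whole matching line plus a newline, so match rather than eq.
  its('stdout') { should match(/some config/) }
  its('stderr') { should eq '' }
  its('exit_status') { should eq 0 }
end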

Or are there alternatives that would work better?

Thanks

ptemmer changed the title from "Running inspec in a container that is provisioned as part of a recipe" to "Executing inspec against a container from within the host" on Sep 6, 2017

cheeseplus commented

So, backing up, this isn't really a kitchen or kitchen-inspec problem, as they are doing exactly what they are told: the driver is Vagrant, hence the tests are running against that host. I don't think there is anything uniquely suited to testing nested VMs/containers, as that's not really a model that is easily supportable in a reasonable fashion, so command is probably your best bet, or just avoiding this nesting altogether.

adamleff (Contributor) commented

I concur with @cheeseplus -- kitchen-inspec is designed to execute InSpec against a Test Kitchen instance. It does not currently have the ability to natively scan another target that lives on that instance. In fact, that would go against one of InSpec's core philosophies: do not modify the target in any way to scan it... in order to scan the docker container, we would need to install InSpec on the target in order to run InSpec via InSpec to get access to the container.

Please note that we do supply InSpec as a Docker container/layer at chef/inspec which you may be able to layer into your container and then just execute that via the command resource if necessary.

I'm going to close this issue as it's not a feature we support (and are not likely to support). Thank you for your issue!
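
Added example, not part of the thread and not the project's own code: a plain-Ruby helper that builds the `docker exec` command line for the `command` resource approach discussed above, so that globs and quotes are interpreted by the container's shell rather than the host's. The names `in_container` and `host_argv` and the container name `web` are assumptions made for illustration.

```ruby
require 'shellwords'

# Character set Docker accepts for container names. Checking it up front
# rejects values that the host shell or docker could read as options or syntax.
CONTAINER_NAME = /\A[a-zA-Z0-9][a-zA-Z0-9_.-]*\z/

# Returns one host-side command line that runs `script` in the container's
# own shell. The script is escaped as a single argument, so globs, quotes
# and pipes are evaluated inside the container, not on the Vagrant host.
def in_container(container, script)
  unless container.match?(CONTAINER_NAME)
    raise ArgumentError, "invalid container name: #{container.inspect}"
  end
  ['docker', 'exec', container, 'sh', '-c', script].shelljoin
end

# The argument vector the host shell hands to docker after word splitting.
# Useful for checking that the script arrives as one untouched argument.
def host_argv(command_line)
  Shellwords.split(command_line)
end

# Constructed sample: `web` is a hypothetical container name; the grep
# pattern and path are the ones used in the question.
CHECK = in_container('web', 'grep "some config" /etc/apache2/conf/*')

# In a control file that kitchen-inspec runs against the Vagrant host, the
# resulting string would be passed to the command resource, for example:
#
#   describe command(CHECK) do
#     its('stdout') { should match(/some config/) }
#     its('exit_status') { should eq 0 }
#   end

if __FILE__ == $PROGRAM_NAME
  puts CHECK
  p host_argv(CHECK)
end
```
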
