As I am working on developing a component for YaK, I have to stick to standards on how to write code in Ansible, as well as to many other constraints regarding security. I always thought of Docker as a server component that facilitates deployment and scaling, but it is much more than that: in this blog post, I will use it on my laptop to run different tools to improve my code and, ultimately, server security.

Lint

Despite built-in constraints that enforce a consistent formatting, Ansible leaves enough flexibility in how you write the code that two components written by two different people can look quite different. Linting my code is therefore a must to make it more consistent and more robust.

Of course, it is possible to check the code with GitLab pipelines on every commit or merge, but if you have never linted your code and run the linter on a whole component at once, you will have lots of failures and warnings to deal with. It is preferable to do it step by step, or better said, role by role.

It is also possible to install ansible-lint inside the yakenv container, but package dependency conflicts might arise.

The best solution I found, for the time being, was to use a container image provided by the Ansible developers: ansible creator.

With this image, we get the benefits that come with containers:

  • we do not touch our yakenv image
  • it is fully functional out of the box, or out of the container :).
  • it is updated and maintained by the community

Starting the container is as easy as running the command below and mapping a volume to my GIT repo:

docker run --rm -it -v /home/ols/GIT:/data ghcr.io/ansible/creator-ee

Next, in the container, we can simply let ansible-lint find all files to lint, like this:

$ cd /data/components/weblogic_domain
$ ansible-lint --offline

A summary of the analysis is shown at the end of the report:

Failed after min profile: 16 failure(s), 27 warning(s) on 148 files.

As you can see, there is a lot of work to do. This is why I prefer to do it role by role:

ansible-lint --offline roles/common/jdk-install/

Once all issues and warnings have been resolved, it is possible to enable a pre-commit hook that automatically lints the code.
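As an added example (not code from this post or from the YaK project), here is a small shell script that automates the role-by-role approach above: it runs ansible-lint inside the creator-ee container once per role, parses the summary line of each run, and fails only when a role reports real failures. It assumes the post's layout (roles/<group>/<role>/tasks/); LINT_CMD is a hypothetical override that lets you point the script at a locally installed ansible-lint instead of docker.

```shell
#!/usr/bin/env bash
# Added example: lint an Ansible component role by role inside ghcr.io/ansible/creator-ee
# and tally the results, so each role's failure count is visible and the run as a whole
# fails only when at least one role has failures (warnings alone do not block).
set -u

CREATOR_IMAGE="${CREATOR_IMAGE:-ghcr.io/ansible/creator-ee}"

# Run ansible-lint on one role (path relative to the component dir) and print its output.
# LINT_CMD (hypothetical, e.g. "ansible-lint --offline") bypasses docker for a local install.
run_lint() {
  local component_dir="$1" role="$2"
  if [ -n "${LINT_CMD:-}" ]; then
    ( cd "$component_dir" && $LINT_CMD "$role" )
  else
    docker run --rm -v "$component_dir:/data" -w /data "$CREATOR_IMAGE" \
      ansible-lint --offline "$role"
  fi
}

# Extract "<failures> <warnings>" from ansible-lint's summary line, which looks like
#   "Failed after min profile: 16 failure(s), 27 warning(s) on 148 files."
# or "Passed: 0 failure(s), 0 warning(s) on 12 files." on success. Prints nothing otherwise.
parse_summary() {
  printf '%s\n' "$1" | sed -n 's/.*[^0-9]\([0-9][0-9]*\) failure(s), \([0-9][0-9]*\) warning(s).*/\1 \2/p'
}

# List roles as paths relative to the component dir: every directory with a tasks/ subdir.
list_roles() {
  ( cd "$1" && find roles -type d -name tasks -prune | sed 's#/tasks$##' | sort )
}

# Lint every role, print one line per role plus a total; return 1 if any role had failures.
lint_component() {
  local component_dir="$1" role out summary counts total_f=0 total_w=0
  for role in $(list_roles "$component_dir"); do
    out=$(run_lint "$component_dir" "$role" 2>&1) || true
    summary=$(printf '%s\n' "$out" | grep 'failure(s)' | tail -n 1)
    counts=$(parse_summary "$summary")
    [ -n "$counts" ] || counts="? ?"   # no summary line: the lint run itself broke
    set -- $counts
    printf '%-40s failures=%s warnings=%s\n' "$role" "$1" "$2"
    [ "$1" = "?" ] && { total_f=$((total_f + 1)); continue; }   # count a broken run as a failure
    total_f=$((total_f + $1)); total_w=$((total_w + $2))
  done
  printf 'TOTAL failures=%s warnings=%s\n' "$total_f" "$total_w"
  [ "$total_f" -eq 0 ]
}
```

Run it as `lint_component /home/ols/GIT/components/weblogic_domain` from a shell that sources the script; the exit status makes it usable as a pre-commit or pipeline gate.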

Security Scanning

Even though it is delivered without any warranty, I like to run the testssl.sh script to catch bad configuration on the SSL part of the component. As with ansible-lint, I could install it inside the YaK container or on the target server, but there is another solution: using a pre-configured container with all the necessary libraries, like openssl, already included.

Running this container is also very easy:

docker run --rm -ti drwetter/testssl.sh https://<server ip>:8443

The last argument is the URL to test. The scan runs for about 5 minutes and tests protocols, ciphers, the certificate, HTTP responses and a few known vulnerabilities. It also simulates many different clients and operating systems.

What Next?

Containerizing client applications is great, and it works on WSL exactly as it does on Linux (thanks, containers!). Nevertheless, analyzing, understanding and resolving the generated reports still requires a certain level of expertise.

ansible creator also comes with molecule, a testing framework, which I am studying as well and which might be the subject of another blog post.