Removed Documentation for docker resources from core

Signed-off-by: Vasu1105 <vjagdale@progress.com>
Vasu1105 2024-09-06 12:26:06 +05:30
parent 0af7439257
commit 40c36e84a2
5 changed files with 0 additions and 743 deletions

@ -1,234 +0,0 @@
+++
title = "docker resource"
draft = false
gh_repo = "inspec"
platform = "linux"
[menu]
[menu.inspec]
title = "docker"
identifier = "inspec/resources/os/docker.md docker resource"
parent = "inspec/resources/os"
+++
Use the `docker` Chef InSpec audit resource to test configuration data for the Docker daemon. It is a very comprehensive resource. See also: [docker_container](/inspec/resources/docker_container/) and [docker_image](/inspec/resources/docker_image/), too.
## Availability
### Install
{{< readfile file="content/inspec/reusable/md/inspec_installation.md" >}}
### Version
This resource first became available in v1.21.0 of InSpec.
## Syntax
A `docker` resource block allows you to write tests for many containers:
describe docker.containers do
its('images') { should_not include 'u12:latest' }
end
or:
describe docker.containers.where { names == 'flamboyant_allen' } do
it { should be_running }
end
where
- `.where()` may specify a specific item and value, to which the resource parameters are compared
- `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes` and `status` are valid parameters for `containers`
The `docker` resource block also declares allows you to write test for many images:
describe docker.images do
its('repositories') { should_not include 'insecure_image' }
end
or if you want to query specific images:
describe docker.images.where { repository == 'ubuntu' && tag == '12.04' } do
it { should_not exist }
end
where
- `.where()` may specify a specific filter and expected value, against which parameters are compared
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Return all running containers
docker.containers.running?.ids.each do |id|
describe docker.object(id) do
its('State.Health.Status') { should eq 'healthy' }
end
end
### Verify a Docker Server and Client version
describe docker.version do
its('Server.Version') { should cmp >= '1.12'}
its('Client.Version') { should cmp >= '1.12'}
end
### Iterate over all containers to verify host configuration
docker.containers.ids.each do |id|
# call Docker inspect for a specific container id
describe docker.object(id) do
its(%w(HostConfig Privileged)) { should cmp false }
its(%w(HostConfig Privileged)) { should_not cmp true }
end
end
### Iterate over all images to verify the container was built without ADD instruction
docker.images.ids.each do |id|
describe command("docker history #{id}| grep 'ADD'") do
its('stdout') { should eq '' }
end
end
### Verify that health-checks are enabled for a container
describe docker.object('71b5df59442b') do
its(%w(Config Healthcheck)) { should_not eq nil }
end
## How to run the DevSec Docker baseline profile
There are two ways to run the `docker-baseline` profile to test Docker via the `docker` resource.
Clone the profile:
git clone https://github.com/dev-sec/cis-docker-benchmark.git
and then run:
inspec exec cis-docker-benchmark
Or execute the profile directly via URL:
inspec exec https://github.com/dev-sec/cis-docker-benchmark
## Resource Parameters
- `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes` and `status` are valid parameters for `containers`
## Resource Parameter Examples
### containers
`containers` returns information about containers as returned by [docker ps -a](https://docs.docker.com/engine/reference/commandline/ps/).
describe docker.containers do
its('ids') { should include 'sha:71b5df59...442b' }
its('commands') { should_not include '/bin/sh' }
its('images') { should_not include 'u12:latest' }
its('ports') { should include '0.0.0.0:1234->1234/tcp' }
its('labels') { should include 'License=GPLv2' }
end
### object('id')
`object` returns low-level information about Docker objects. It is calling [docker inspect](https://docs.docker.com/engine/reference/commandline/info/) under the hood.
describe docker.object(id) do
its('Configuration.Path') { should eq 'value' }
end
### images
`images` returns information about a Docker image as returned by [docker images](https://docs.docker.com/engine/reference/commandline/images/).
describe docker.images do
its('ids') { should include 'sha:12b5df59...442b' }
its('repositories') { should_not include 'my_image' }
its('tags') { should_not include 'unwanted_tag' }
its('sizes') { should_not include '1.41 GB' }
end
### plugins
`plugins` returns information about Docker plugins as returned by [docker plugin ls](https://docs.docker.com/engine/reference/commandline/plugin/).
describe docker.plugins do
its('names') { should include ['store/weaveworks/net-plugin', 'docker4x/cloudstor'] }
its('ids') { should cmp ['6ea8176de74b', '771d3ee7c7ea'] }
its('versions') { should cmp ['2.3.0', '18.03.1-ce-aws1'] }
its('enabled') { should cmp [true, false] }
end
### info
`info` returns the parsed result of [docker info](https://docs.docker.com/engine/reference/commandline/info/)
describe docker.info do
its('Configuration.Path') { should eq 'value' }
end
### version
`info` returns the parsed result of [docker version](https://docs.docker.com/engine/reference/commandline/version/)
describe docker.version do
its('Server.Version') { should cmp >= '1.12'}
its('Client.Version') { should cmp >= '1.12'}
end
## Properties
- `id`
- `image`
- `repo`
- `tag`
- `ports`
- `command`
## Property Examples
### id
describe docker_container(name: 'an-echo-server') do
its('id') { should_not eq '' }
end
### image
describe docker_container(name: 'an-echo-server') do
its('image') { should eq 'busybox:latest' }
end
### repo
describe docker_container(name: 'an-echo-server') do
its('repo') { should eq 'busybox' }
end
### tag
describe docker_container(name: 'an-echo-server') do
its('tag') { should eq 'latest' }
end
### ports
describe docker_container(name: 'an-echo-server') do
its('ports') { should eq '0.0.0.0:1234->1234/tcp' }
end
### command
describe docker_container(name: 'an-echo-server') do
its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
end
## Matchers
{{< readfile file="content/inspec/reusable/md/inspec_matchers_link.md" >}}
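Review bot: The `### version` parameter section opens with "`info` returns the parsed result of docker version", which names the wrong parameter, and the `object('id')` section links `docker inspect` to the `commandline/info/` reference page. If this page is being relocated rather than dropped, fix both on the way, along with the `## Properties` block, whose examples all call `docker_container(name: 'an-echo-server')` instead of `docker`. The commit message does not say where the content goes; this file is the only one in the patch that documents the `HostConfig Privileged` check and the `cis-docker-benchmark` run steps, so please name the new location in the message and check that remaining pages linking to `/inspec/resources/docker_container/` and `/inspec/resources/docker_image/` get a redirect.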

@ -1,157 +0,0 @@
+++
title = "docker_container resource"
draft = false
gh_repo = "inspec"
platform = "linux"
[menu]
[menu.inspec]
title = "docker_container"
identifier = "inspec/resources/os/docker_container.md docker_container resource"
parent = "inspec/resources/os"
+++
Use the `docker_container` Chef InSpec audit resource to test a Docker container.
## Availability
### Install
This resource is distributed with Chef InSpec.
### Version
This resource is available from the InSpec version 1.21.0.
## Syntax
A `docker_container` resource block declares the configuration data to be tested:
describe docker_container('container') do
it { should exist }
it { should be_running }
its('id') { should_not eq '' }
its('image') { should eq 'busybox:latest' }
its('repo') { should eq 'busybox' }
its('tag') { should eq 'latest' }
its('ports') { should eq [] }
its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
end
## Resource Parameter Examples
### name
The container name can be provided with the `name` resource parameter.
describe docker_container(name: 'an-echo-server') do
it { should exist }
it { should be_running }
end
### container id
Alternatively, you can pass in the container id.
describe docker_container(id: '71b5df59442b') do
it { should exist }
it { should be_running }
end
## Property Examples
The following examples show how to use this Chef InSpec resource.
### id
The `id` property tests the container ID.
its('id') { should eq 'sha:71b5df59...442b' }
### Repo
The `repo` property tests the value of the image repository.
its('repo') { should eq 'REPO' }
### tag
The `tag` property tests the value of the image tag.
its('tag') { should eq 'LATEST' }
### ports
The `ports` property tests the value of the Docker ports.
its('ports') { should eq '0.0.0.0:1234->1234/tcp' }
### command
The `command` property tests the value of the container run command.
its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
### Verify a running container
describe docker_container('an-echo-server') do
it { should exist }
it { should be_running }
its('id') { should_not eq '' }
its('image') { should eq 'busybox:latest' }
its('repo') { should eq 'busybox' }
its('tag') { should eq 'latest' }
its('ports') { should eq [] }
its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
end
## Matchers
{{< readfile file="content/inspec/reusable/md/inspec_matchers_link.md" >}}
The specific matchers of this resource are: `exist`, `be_running`, `have_volume?`.
### exist
The `exist` matcher specifies if the container exists.
it { should exist }
### be_running
The `be_running` matcher checks if the container is running.
it { should be_running }
### have_volume?
The `have_volume?` matcher checks if the container has mounted volumes.
it { should have_volume?(destination_path_in_container, source_path_in_source) }
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Ensures container exists
The below test passes if the container `wonderful_wozniak` exists as part of the Docker instances.
describe docker_container('wonderful_wozniak') do
it { should exist }
end
### Ensures container is in running status
The below test passes if the container `trusting_williams` exists as part of the Docker instances and the status is running.
describe docker_container('trusting_williams') do
it { should be_running }
end
### Ensures container has mounted volumes
The below test passes if the container `quizzical_williamson` exists as part of the Docker instances, the status is running, and has mounted volume on `/app` in the container from the source path of `/var/lib/docker/volumes/myvol2/_data`
describe docker_container('quizzical_williamson') do
it { should have_volume('/app', '/var/lib/docker/volumes/myvol2/_data') }
end
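Review bot: The volume matcher is spelled two ways in this file: the Matchers section documents `have_volume?` and shows `it { should have_volume?(destination_path_in_container, source_path_in_source) }`, while the final example uses `it { should have_volume('/app', '/var/lib/docker/volumes/myvol2/_data') }`. Whichever repository inherits this page should settle on one form and rename `source_path_in_source`, which reads like a typo for the host-side path. The `ports` expectation is also inconsistent (`eq []` in the Syntax block, a string in the property example), and the `id` example uses an elided `'sha:71b5df59...442b'` value that cannot match as written.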

@ -1,156 +0,0 @@
+++
title = "docker_image resource"
draft = false
gh_repo = "inspec"
platform = "linux"
[menu]
[menu.inspec]
title = "docker_image"
identifier = "inspec/resources/os/docker_image.md docker_image resource"
parent = "inspec/resources/os"
+++
Use the `docker_image` Chef InSpec audit resource to verify a Docker image. A Docker Image is a template that contains the application and all the dependencies required to run an application on Docker.
## Availability
### Install
This resource is distributed with Chef InSpec.
### Version
This resource is available from the InSpec version, 1.21.0.
## Syntax
A `docker_image` resource block declares the image.
describe docker_image('ALPINE:LATEST') do
it { should exist }
its('id') { should eq 'sha256:4a415e...a526' }
its('repo') { should eq 'ALPINE' }
its('tag') { should eq 'LATEST' }
end
### Resource Parameter Examples
The resource allows you to pass with an image ID.
describe docker_image(id: ID) do
...
end
If the tag is missing for an image, `LATEST` is assumed as default.
describe docker_image('ALPINE') do
...
end
You can also pass the repository and tag values as separate values.
describe docker_image(repo: 'ALPINE', tag: 'LATEST') do
...
end
## Properties
### id
The `id` property returns the full image ID.
its('id') { should eq 'sha256:4a415e3663882fbc554ee830889c68a33b3585503892cc718a4698e91ef2a526' }
### image
The `image` property tests the value of the image. It is a combination of `repository/tag`.
its('image') { should eq 'ALPINE:LATEST' }
### repo
The `repo` property tests the value of the repository name.
its('repo') { should eq 'ALPINE' }
### tag
The `tag` property tests the value of the image tag.
its('tag') { should eq 'LATEST' }
### Low-level information of docker image as docker_image's property
#### inspection
The property allows testing the low-level information of docker image returned by `docker inspect [docker_image]`. Use hash format `'key' => 'value` for testing the information.
its(:inspection) { should include "Key" => "Value" }
its(:inspection) { should include "Key" =>
{
"SubKey" => "Value1",
"SubKey" => "Value2"
}
}
Additionally, all keys of the low-level information are valid properties and can be passed in three ways when writing the test.
- Serverspec's syntax
its(['key']) { should eq some_value }
its(['key1.key2.key3']) { should include some_value }
- InSpec's syntax
its(['key']) { should eq some_value }
its(['key1', 'key2', 'key3']) { should include some_value }
- Combination of Serverspec and InSpec
its(['key1.key2', 'key3']) { should include some_value }
## Matchers
{{< readfile file="content/inspec/reusable/md/inspec_matchers_link.md" >}}
This resource has the following special matchers.
### exist
The `exist` matcher tests if the image is available on the node.
it { should exist }
## Examples
### Test if a docker image exists and verifies the image properties: ID, image, repo, and tag
describe docker_image('ALPINE:LATEST') do
it { should exist }
its('id') { should eq 'sha256:4a415e...a526' }
its('image') { should eq 'ALPINE:LATEST' }
its('repo') { should eq 'ALPINE' }
its('tag') { should eq 'LATEST' }
end
### Test if a docker image exists and verifies the low-level information: Architecture, Config.Cmd, and GraphDriver
describe docker_image('ubuntu:latest') do
it { should exist }
its(['Architecture']) { should eq 'ARM64' }
its(['Config.Cmd']) { should include 'BASH' }
its(['GraphDriver.Data.MergedDir']) { should include "/var/lib/docker/overlay2/4336ba2a87c8d82abaa9ee5afd3ac20ea275bf05502d74d8d8396f8f51a4736c/merged" }
its(:inspection) { should include 'Architecture' => 'ARM64' }
its(:inspection) { should_not include 'Architecture' => 'i386' }
its(:inspection) { should include "GraphDriver" =>
{
"Data" => {
"MergedDir" => "/var/lib/docker/overlay2/4336ba2a87c8d82abaa9ee5afd3ac20ea275bf05502d74d8d8396f8f51a4736c/merged",
"UpperDir" => "/var/lib/docker/overlay2/4336ba2a87c8d82abaa9ee5afd3ac20ea275bf05502d74d8d8396f8f51a4736c/diff",
"WorkDir"=> "/var/lib/docker/overlay2/4336ba2a87c8d82abaa9ee5afd3ac20ea275bf05502d74d8d8396f8f51a4736c/work"
},
"Name" => "overlay2"
}
}
end
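Review bot: In the `#### inspection` section the nested hash example lists `"SubKey"` twice in one literal; Ruby keeps only the last pair, so the sample asserts `Value2` alone and misleads anyone copying it. The same section has an unclosed quote in `'key' => 'value`, and the "Serverspec's syntax" and "InSpec's syntax" bullets start with the identical line `its(['key']) { should eq some_value }`, so the difference between the two styles only shows on the second line. If these docs are moving with the resource, correct the examples there, and state the destination in the commit message since the `inspection` property is documented nowhere else in this patch.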

@ -1,74 +0,0 @@
+++
title = "docker_plugin resource"
draft = false
gh_repo = "inspec"
platform = "linux"
[menu]
[menu.inspec]
title = "docker_plugin"
identifier = "inspec/resources/os/docker_plugin.md docker_plugin resource"
parent = "inspec/resources/os"
+++
Use the `docker_plugin` Chef InSpec audit resource to verify a Docker plugin.
## Syntax
A `docker_plugin` resource block declares the plugin:
describe docker_plugin('rexray/ebs') do
it { should exist }
its('id') { should_not eq '0ac30b93ad40' }
its('version') { should eq '0.11.1' }
it { should be_enabled }
end
## Resource Parameter Examples
The resource allows you to pass in an plugin id:
describe docker_plugin(id: plugin_id) do
it { should be_enabled }
end
## Properties
### id
The `id` property returns the full plugin id:
its('id') { should eq '0ac30b93ad40' }
### version
The `version` property tests the value of plugin version:
its('version') { should eq '0.11.0' }
## Examples
### Test a Docker plugin
describe docker_plugin('rexray/ebs') do
it { should exist }
its('id') { should_not eq '0ac30b93ad40' }
its('version') { should eq '0.11.1' }
it { should be_enabled }
end
## Matchers
For a full list of available matchers, please visit our [Universal Matchers](/inspec/matchers/).
### exist
The `exist` matcher tests if the plugin is available on the node:
describe docker_plugin('rexray/ebs') do
it { should exist }
end
### enabled
The `be_enabled` matches tests if the plugin is enabled
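Review bot: The file ends at `### enabled` with the sentence "The `be_enabled` matches tests if the plugin is enabled" and no example, and the heading does not match the matcher name. When this page is re-homed, retitle the section `be_enabled`, fix "matches" to "matcher", and add the missing `describe` block. Unlike the other four removed pages this one has no `## Availability` section, so the first InSpec version carrying `docker_plugin` is not recorded anywhere in the patch; worth adding at the destination.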

@ -1,122 +0,0 @@
+++
title = "docker_service resource"
draft = false
gh_repo = "inspec"
platform = "linux"
[menu]
[menu.inspec]
title = "docker_service"
identifier = "inspec/resources/os/docker_service.md docker_service resource"
parent = "inspec/resources/os"
+++
Use the `docker_service` Chef InSpec audit resource to verify a docker swarm service.
## Availability
### Install
{{< readfile file="content/inspec/reusable/md/inspec_installation.md" >}}
### Version
This resource first became available in v1.51.0 of InSpec.
## Syntax
A `docker_service` resource block declares the service by name:
describe docker_service('foo') do
it { should exist }
its('id') { should eq 'docker-service-id' }
its('repo') { should eq 'alpine' }
its('tag') { should eq 'latest' }
end
## Resource Parameter Examples
The resource allows you to pass in a service id:
describe docker_service(id: 'docker-service-id') do
...
end
You can also pass in the fully-qualified image:
describe docker_service(image: 'localhost:5000/alpine:latest') do
...
end
## Property Examples
The following examples show how to use Chef InSpec `docker_service` resource.
### id
The `id` property returns the service id:
its('id') { should eq 'docker-service-id' }
### image
The `image` property is a combination of `repository:tag` it tests the value of the image:
its('image') { should eq 'alpine:latest' }
### mode
The `mode` property tests the value of the service mode:
its('mode') { should eq 'replicated' }
### name
The `name` property tests the value of the service name:
its('name') { should eq 'foo' }
### ports
The `ports` property tests the value of the service's published ports:
its('ports') { should include '*:8000->8000/tcp' }
### repo
The `repo` property tests the value of the repository name:
its('repo') { should eq 'alpine' }
### replicas
The `replicas` property tests the value of the service's replica count:
its('replicas') { should eq '3/3' }
### tag
The `tag` property tests the value of image tag:
its('tag') { should eq 'latest' }
### Test a docker service
describe docker_service('foo') do
it { should exist }
its('id') { should eq 'docker-service-id' }
its('repo') { should eq 'alpine' }
its('tag') { should eq 'latest' }
end
## Matchers
{{< readfile file="content/inspec/reusable/md/inspec_matchers_link.md" >}}
This resource has the following special matchers.
### exist
The `exist` matcher tests if the image is available on the node:
it { should exist }
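Review bot: The `### exist` matcher text at the end of the file says it "tests if the image is available on the node", which looks copied from the `docker_image` page; for this resource it should describe the swarm service. The `image` property sentence ("is a combination of `repository:tag` it tests the value of the image") is a run-on that needs splitting. Both are worth fixing wherever the page lands, and as with the other files the commit message should say where that is.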