mirror of
https://github.com/inspec/inspec
synced 2024-11-10 15:14:23 +00:00
WIP: Docker resource docs first commit (#2521)
* Docker resource docs Signed-off-by: kgarmoe <kgarmoe@chef.io>
This commit is contained in: parent e38d4b762b, commit f7d7f63b02
1 changed files with 74 additions and 19 deletions
@ -5,7 +5,7 @@ platform: linux

# docker

Use the `docker` InSpec audit resource to test configuration data for docker daemon. It is a very comprehensive resource. Please have a look at [docker_container](docker_container) and [docker_image](docker_image), too.
Use the `docker` InSpec audit resource to test configuration data for the Docker daemon. It is a very comprehensive resource. See also: [docker_container](docker_container) and [docker_image](docker_image), too.

<br>

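Review bot: the rewritten description line keeps the trailing ", too" from the old "Please have a look at ..." sentence, which is redundant after "See also:"; suggest "See also: [docker_container](docker_container) and [docker_image](docker_image)." The change from "docker daemon" to "the Docker daemon" is the right capitalisation and should be applied consistently to the other "docker image"/"docker objects" phrases later in the file.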
@ -25,8 +25,8 @@ or:

where

* `.where()` may specify a specific item and value, to which the matchers are compared
* `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes` and `'status'` are valid matchers for `containers`
* `.where()` may specify a specific item and value, to which the resource parameters are compared
* `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes` and `status` are valid parameters for `containers`

The `docker` resource block also declares allows you to write test for many images:

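Review bot: the unchanged context line "The `docker` resource block also declares allows you to write test for many images:" carries a leftover word from an earlier edit and a number error; since this paragraph is being touched, suggest "The `docker` resource block also allows you to write tests for many images:". Renaming "matchers" to "parameters" in the two bullets is correct, as these are filter keys rather than RSpec matchers, and dropping the stray quotes around `'status'` makes it consistent with the other keys.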
@ -42,8 +42,7 @@ or if you want to query specific images:

where

* `.where()` may specify a specific item and value, to which the matchers are compared
* `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes` and `'status'` are valid matchers for `containers`
* `.where()` may specify a specific filter and expected value, against which parameters are compared

<br>

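Review bot: the replacement bullet removes the list of valid keys for this block without substituting one, so readers of the `images` form of `.where()` no longer learn which keys they can filter on, while the `containers` form a few lines earlier still lists its keys. Suggest adding a second bullet naming the valid `images` parameters in the same shape as the `containers` bullet; the examples further down in this file use at least `ids` and `sizes` on `docker.images`.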
@ -69,7 +68,7 @@ The following examples show how to use this InSpec audit resource.
### Iterate over all containers to verify host coniguration

docker.containers.ids.each do |id|
# call docker inspect for a specific container id
# call Docker inspect for a specific container id
describe docker.object(id) do
its(%w(HostConfig Privileged)) { should cmp false }
its(%w(HostConfig Privileged)) { should_not cmp true }
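Review bot: changing `should cmp false` to `should_not cmp true` weakens the privileged-container check: the negated form also passes when `HostConfig.Privileged` is absent or nil in the `docker inspect` output, whereas the original only passes when the key is present and false. Keep `its(%w(HostConfig Privileged)) { should cmp false }` unless the relaxation is intended. The context heading "verify host coniguration" also has a typo (configuration) that can be fixed in the same commit.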
@ -90,7 +89,9 @@ The following examples show how to use this InSpec audit resource.
its(%w(Config Healthcheck)) { should_not eq nil }
end

### Run the DevSec docker baseline profile
<br>

## How to run the DevSec Docker baseline profile

There are two ways to run the `docker-baseline` profile to test Docker via the `docker` resource.

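Review bot: this hunk introduces two headings for the same section: the added "### Run the DevSec docker baseline profile" is immediately followed by the existing "## How to run the DevSec Docker baseline profile", with only a `<br>` between them, and the new level-3 heading sits outside any level-2 section. Drop the added line (and the now stranded `<br>`), or fold the two into one heading.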
@ -108,13 +109,17 @@ Or execute the profile directly via URL:

<br>

## Matchers
## Resource Parameters

For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
* `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes` and `status` are valid parameters for `containers`

<br>

## Resource Parameter Examples

### containers

`containers` returns information about containers as returned by [docker ps -a](https://docs.docker.com/engine/reference/commandline/ps/). You can determine specific information about
`containers` returns information about containers as returned by [docker ps -a](https://docs.docker.com/engine/reference/commandline/ps/).

describe docker.containers do
its('ids') { should include 'sha:71b5df59...442b' }
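Review bot: the new "## Resource Parameters" list covers only `containers`, but the "Resource Parameter Examples" that follow also document `images`, `info`, `version` and `object('id')`; list those too so the summary matches the examples. Also, the `docker.containers` example still asserts `its('ids') { should include 'sha:71b5df59...442b' }`, a truncated placeholder that cannot be pasted into a profile (Docker container ids are plain hex strings without a `sha:` prefix); either use a full id or mark it clearly as a placeholder. Removing the dangling "You can determine specific information about" fragment is a good fix.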
@ -124,10 +129,17 @@ For a full list of available matchers, please visit our [matchers page](https://
its('labels') { should include 'License=GPLv2,Vendor=CentOS' }
end

### object('id')

`object` returns low-level information about Docker objects. It is calling [docker inspect](https://docs.docker.com/engine/reference/commandline/info/) under the hood.

describe docker.object(id) do
its('Configuration.Path') { should eq 'value' }
end

### images

`images` returns information about docker image as returned by [docker images](https://docs.docker.com/engine/reference/commandline/images/). You can determine specific information about
`images` returns information about Docker image as returned by [docker images](https://docs.docker.com/engine/reference/commandline/images/).

describe docker.images do
its('ids') { should include 'sha:12b5df59...442b' }
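Review bot: the `object('id')` description says it calls docker inspect but links to https://docs.docker.com/engine/reference/commandline/info/; the link target should be the `inspect` command page. The new `images` sentence reads "information about Docker image" (singular); suggest "about Docker images". The `describe docker.object(id) do ... its('Configuration.Path') { should eq 'value' }` example uses a key that does not appear in `docker inspect` output and a placeholder value; a real key, as the iteration example earlier in the file does with `HostConfig.Privileged`, would show readers the actual shape of the data.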
@ -136,6 +148,14 @@ For a full list of available matchers, please visit our [matchers page](https://
its('sizes') { should_not include "1.41 GB" }
end

### info

`info` returns the parsed result of [docker info](https://docs.docker.com/engine/reference/commandline/info/)

describe docker.info do
its('Configuration.Path') { should eq 'value' }
end

### version

`info` returns the parsed result of [docker version](https://docs.docker.com/engine/reference/commandline/version/)
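Review bot: under the new "### version" heading the sentence begins "`info` returns the parsed result of docker version"; it was copied from the `info` section and should start with `version`. The `docker.info` example reuses the placeholder `its('Configuration.Path') { should eq 'value' }` from the `object` section, so the same remark applies: pick a key that exists in `docker info` output.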
@ -145,20 +165,55 @@ For a full list of available matchers, please visit our [matchers page](https://
its('Client.Version') { should cmp >= '1.12'}
end

<br>

### info
## Properties

`info` returns the parsed result of [docker info](https://docs.docker.com/engine/reference/commandline/info/)
* `id`, `image`, `repo`, `tag`, `ports`, `command`

describe docker.info do
its('Configuration.Path') { should eq 'value' }
<br>

## Property Examples

### id

describe docker_container(name: 'an-echo-server') do
its('id') { should_not eq '' }
end

### image

### object('id')
describe docker_container(name: 'an-echo-server') do
its('image') { should eq 'busybox:latest' }
end

`object` returns low-level information about docker objects. It is calling [docker inspect](https://docs.docker.com/engine/reference/commandline/info/) under the hood.
### repo

describe docker.object(id) do
its('Configuration.Path') { should eq 'value' }
describe docker_container(name: 'an-echo-server') do
its('repo') { should eq 'busybox' }
end

### tag

describe docker_container(name: 'an-echo-server') do
its('tag') { should eq 'latest' }
end

### ports

describe docker_container(name: 'an-echo-server') do
its('ports') { should eq "0.0.0.0:1234->1234/tcp" }
end

### command

describe docker_container(name: 'an-echo-server') do
its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
end

<br>

## Matchers

For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

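Review bot: the added "## Properties" and "## Property Examples" sections document `id`, `image`, `repo`, `tag`, `ports` and `command`, and every example calls `docker_container(name: 'an-echo-server')` rather than the `docker` resource this page describes; they belong on the `docker_container` page the introduction already links to, or the file should say explicitly that it covers both resources. Removing the duplicate `### info` and `### object('id')` blocks here is fine since they were re-added above. Minor style point: `its('ports') { should eq "0.0.0.0:1234->1234/tcp" }` uses double quotes while every other example uses single quotes.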