diff --git a/.isort.cfg b/.isort.cfg index 9cd040b..427a3bd 100644 --- a/.isort.cfg +++ b/.isort.cfg @@ -7,6 +7,6 @@ import_heading_thirdparty=Third-Party Libraries import_heading_firstparty=cisagov Libraries # Should be auto-populated by seed-isort-config hook -known_third_party=pytest,testinfra +known_third_party=testinfra # These must be manually set to correctly separate them from third party libraries known_first_party= diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 565cb44..48a590c 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -74,8 +74,13 @@ platforms: # - /sys/fs/cgroup:/sys/fs/cgroup:ro # command: /lib/systemd/systemd # pre_build_image: yes - - name: kali - image: kalilinux/kali-rolling + - name: kali_systemd + image: cisagov/docker-kali-ansible:latest + privileged: yes + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + command: /lib/systemd/systemd + pre_build_image: yes provisioner: name: ansible lint: diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py index 09d4300..4f19334 100644 --- a/molecule/default/tests/test_default.py +++ b/molecule/default/tests/test_default.py @@ -4,7 +4,6 @@ import os # Third-Party Libraries -import pytest import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( @@ -12,7 +11,17 @@ ).get_hosts("all") -@pytest.mark.parametrize("x", [True]) -def test_packages(host, x): - """Run a dummy test, just to show what one would look like.""" - assert x +def test_packages(host): + """Test that the appropriate packages were installed.""" + distribution = host.system_info.distribution + if distribution == "amzn": + pkgs = ["tigervnc-server"] + elif distribution == "debian" or distribution == "kali": + pkgs = ["tigervnc-standalone-server", "tigervnc-common"] + else: + # We don't support this distribution + assert False + packages = [host.package(pkg) for pkg in pkgs] + installed = [package.is_installed for package in packages] + assert len(pkgs) != 0 + assert all(installed) diff --git a/templates/vncserver@.service b/templates/vncserver@.service index ac37ee8..84a20e3 100644 --- a/templates/vncserver@.service +++ b/templates/vncserver@.service @@ -7,7 +7,50 @@ Type=simple User={{ username }} PIDFile=/home/{{ username }}/.vnc/%H%i.pid ExecStartPre=/bin/sh -c "/usr/bin/vncserver -kill :%i > /dev/null 2>&1 || :" -ExecStart=/usr/bin/vncserver :%i -localhost no -alwaysshared -fg -geometry 1920x1080 +# We are currently testing the latest 1.1.0 Guacamole images +# (guacamole and guacd), and we are still seeing sporadic VNC +# disconnections by Guacamole (as described in +# https://github.com/cisagov/pca-gophish-composition-packer/pull/#1) +# when we do not start the VNC server with -SecurityType VncAuth (to +# disable the TLSVnc authentication). +# +# In the Guacamole PR with the potential fix for this issue, they state: +# +# Note that support for these callbacks was released in +# LibVNCServer/Client 0.9.11, so it will only work against 0.9.11 or +# later - the bug documented in GUACAMOLE-414 will still be present +# when using libvncserver/client prior to 0.9.11. +# +# We should be fine on that front, since our VNC server host is +# running with libvncserver version 0.9.12: +# +# dpkg -l | grep libvncserver +# ii libvncserver1:amd64 0.9.12+dfsg-8 amd64 API to write one's own VNC server +# +# Note that the error message in the VNC server is slightly different now: +# +# VNCSConnST: closing 10.224.1.13::60288: readTLS: Decryption has failed. (-24) +# ... +# TLS: TLS session wasn't terminated gracefully +# +# Here is what it looks like in the guacd Docker container log: +# +# guacd | guacd[567]: ERROR: Error handling message from VNC server. +# guacd | guacd[567]: INFO: Internal VNC client disconnected +# +# I see two possibilities: +# +# * Fairly unlikely: The Guacamole fix that was made back in April +# 2019 has not made its way into the Docker image created on +# Jan. 29, 2020. +# * More likely: There is an additional issue going on here that we +# are not aware of. +# * For now, we will continue to run without using TLSVnc +# authentication. +# +# Reminder to get rid of this in the future: +# https://github.com/cisagov/ansible-role-vnc-server/issues/5 +ExecStart=/usr/bin/vncserver :%i -localhost no -alwaysshared -fg -geometry 1920x1080 -SecurityTypes VncAuth ExecStop=/usr/bin/vncserver -kill :%i [Install]