Slide 1

Slide 1 text

Test Driven (Docker) Infrastructure: Testing containers and docker hosts
github.com/de-wiring/containerspec
@aschmidt75

Slide 2

Slide 2 text

Test Driven Development (TDD) is common sense. Today, infrastructure is code. Containers and hosts can be spec'ed and tested.

Slide 3

Slide 3 text

Why test IT infrastructure?
https://speakerdeck.com/aschmidt75/continuous-lifecycle-2013-testgetriebenes-arbeiten-im-betrieb

Slide 4

Slide 4 text

How to test IT infrastructure?
https://speakerdeck.com/aschmidt75/testing-server-infrastructure-with-number-serverspec
https://www.youtube.com/watch?v=o_90_W7Btwo

Slide 5

Slide 5 text

serverspec.org
• by @gosukenator and community
• like unit-tests for your hosts
• independent of provisioning mechanisms
• != rspec-puppet
• readable DSL, based on ruby

Slide 6

Slide 6 text

serverspec.org

Slide 7

Slide 7 text

serverspec.org – Resource types
• files
• users, groups
• "network": bridge, port, gateway, interface, routing_table
• "os": cgroup, service, yumrepo, cron, kernel_module, iptables, ...
• x509: certificates, keys
• windows (yesh!): iis, registry_keys

Slide 8

Slide 8 text

Ok, but that's for hosts. How do I test containers?

Slide 9

Slide 9 text

1. Host level - Daemon
• Ensure that dockerd is installed
• Configured the way you want it to be (/etc/default/docker)
• Running with given options (e.g. selinux)
• Running TLS-enabled with correct TLS setup

Slide 10

Slide 10 text

1. Host level - Daemon
• Example spec at https://gist.github.com/aschmidt75/163c36450c9c24f21285
• correct TLS keys & certs
• not listening on 0.0.0.0
• not using docker.sock
• TLS works as expected
• ...

Slide 11

Slide 11 text

1. Host level - Daemon

Slide 12

Slide 12 text

2. Host level - Images
• Ensure that specific images are present
• Ensure that conditions on images are met, e.g. Maintainer is set, Ports are exposed, Environment entries are present and so on.
• Serverspec type does a "docker inspect", checks values.
(*) https://github.com/de-wiring/containerspec/wiki/Specifying-and-testing-a-docker-setup

Slide 13

Slide 13 text

2. Host level - Images
(*) https://github.com/de-wiring/containerspec/wiki/Specifying-and-testing-a-docker-setup

Slide 14

Slide 14 text

2. Host level - Images
(*) https://github.com/de-wiring/containerspec/wiki/Specifying-and-testing-a-docker-setup

Slide 15

Slide 15 text

2. Host level - Images
http://www.infrabricks.de/blog/2015/04/16/docker-container-mit-serverspetesten-teil-2/

Slide 16

Slide 16 text

3. Host level - Containers
• Ensure that specific containers are present, running within certain conditions.
• e.g. not privileged, as a certain user, not as root, exposing ports (or not), having volumes mounted (ro), having capabilities dropped or added and so on.
(*) https://github.com/de-wiring/containerspec/wiki/Specifying-and-testing-a-docker-setup
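The container conditions listed on this slide, checked directly against `docker inspect` JSON. This is an added example, not code from the talk, serverspec or containerspec; the sample JSON is constructed, the `READ_ONLY_MOUNTS` policy and function names are hypothetical, and it assumes the `Mounts` array found in current `docker inspect` output.

```ruby
require 'json'

# Constructed sample shaped like `docker inspect` output (not captured from a real host).
SAMPLE_INSPECT = <<~SAMPLE
  [
    {"Name": "/web", "State": {"Running": true},
     "Config": {"User": "www-data"},
     "HostConfig": {"Privileged": false, "CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"]},
     "Mounts": [{"Destination": "/etc/app", "RW": false}]},
    {"Name": "/legacy", "State": {"Running": true},
     "Config": {"User": ""},
     "HostConfig": {"Privileged": true, "CapDrop": null, "CapAdd": null},
     "Mounts": [{"Destination": "/data", "RW": true}]}
  ]
SAMPLE

# Hypothetical policy for this example: mount points that must be read-only.
READ_ONLY_MOUNTS = ['/etc/app', '/data'].freeze

# Returns a list of human-readable violations for one inspected container.
def container_violations(c)
  v = []
  host = c['HostConfig'] || {}
  v << 'not running' unless c.dig('State', 'Running')
  v << 'privileged' if host['Privileged']
  # An empty User means neither USER nor --user was set, so the process runs as root.
  uid = c.dig('Config', 'User').to_s.split(':').first.to_s
  v << 'runs as root' if ['', 'root', '0'].include?(uid)
  # CapDrop is null when nothing was dropped.
  v << 'capabilities not dropped' if Array(host['CapDrop']).empty?
  (c['Mounts'] || []).each do |m|
    next unless READ_ONLY_MOUNTS.include?(m['Destination'])
    v << "#{m['Destination']} mounted read-write" if m['RW']
  end
  v
end

# Audits every container in the inspect output; returns {name => [violations]}.
def audit(json)
  JSON.parse(json).to_h { |c| [c['Name'].sub(%r{\A/}, ''), container_violations(c)] }
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_INSPECT).each { |name, v| puts "#{name}: #{v.empty? ? 'ok' : v.join(', ')}" }
end
```

On a real host the input would come from `docker inspect $(docker ps -q)` instead of the embedded sample.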

Slide 17

Slide 17 text

3. Host level - Containers
(*) https://github.com/de-wiring/containerspec/wiki/Specifying-and-testing-a-docker-setup

Slide 18

Slide 18 text

4. Host level - Complete Setup
• Drawback of serverspec: Tests only a single image / container
• containerspec is based on cucumber
• tests multiple images/containers at once
• selects by name, image repo, ...
(*) https://github.com/de-wiring/containerspec/wiki/Specifying-and-testing-a-docker-setup

Slide 19

Slide 19 text

4. Host level - Complete Setup
(*) https://github.com/de-wiring/containerspec/wiki/Specifying-and-testing-a-docker-setup

Slide 20

Slide 20 text

4. Host level - Complete Setup
(*) https://github.com/de-wiring/containerspec/wiki/Specifying-and-testing-a-docker-setup

Slide 21

Slide 21 text

5. Container level
• Host: ✔
• docker backend of serverspec allows for looking into containers: "docker exec"
• Everything can be tested inside containers – as long as testing binaries (e.g. netstat) are installed.

Slide 22

Slide 22 text

5. Container level
http://www.infrabricks.de/blog/2015/04/16/docker-container-mit-serverspetesten-teil-2/

Slide 23

Slide 23 text

Build chains do not just produce application packages. With docker, they produce infrastructure. Testing infrastructure is not that hard.

Slide 24

Slide 24 text

Thanks! @aschmidt75 github.com/de-wiring