Goss - Quick and Easy server validation
Goss in 45 seconds
Note: For an even faster way of doing this, see: autoadd
What is Goss?
Goss is a YAML based serverspec-like tool for validating a server’s configuration. It eases the process of writing tests by allowing the user to generate tests from the current system state. Once the test suite is written they can be executed, waited-on, or served as a health endpoint.
Why use Goss?
- Goss is EASY! - Goss in 45 seconds
- Goss is FAST! - small-medium test suits are near instantaneous, see benchmarks
- Goss is SMALL! - <10MB single self-contained binary
# Install latest version to /usr/local/bin curl -fsSL https://goss.rocks/install | sh # Install v0.2.4 version to ~/bin curl -fsSL https://goss.rocks/install | GOSS_VER=v0.2.4 GOSS_DST=~/bin sh
# See https://github.com/aelsabbahy/goss/releases for release versions curl -L https://github.com/aelsabbahy/goss/releases/download/_VERSION_/goss-linux-amd64 -o /usr/local/bin/goss chmod +rx /usr/local/bin/goss
Documentation is available here: https://github.com/aelsabbahy/goss/blob/master/docs/manual.md
Writing a simple sshd test
Let's write a simple sshd test using autoadd.
# Running it as root will allow it to also detect ports $ sudo goss autoadd sshd
$ cat goss.yaml port: tcp:22: listening: true ip: - 0.0.0.0 tcp6:22: listening: true ip: - '::' service: sshd: enabled: true running: true user: sshd: exists: true uid: 74 gid: 74 groups: - sshd home: /var/empty/sshd shell: /sbin/nologin group: sshd: exists: true gid: 74 process: sshd: running: true
Now that we have a test suite, we can:
- Run it once
goss validate ............... Total Duration: 0.021s # <- yeah, it's that fast.. Count: 15, Failed: 0
- keep running it until the system enters a valid state or we timeout
goss validate --retry-timeout 30s --sleep 1s
- serve the tests as a health endpoint
goss serve & curl localhost:8080/healthz # JSON endpoint goss serve --format json & curl localhost:8080/healthz
Patterns, matchers and metadata
Goss files can be manually edited to match:
- Advanced Matchers.
meta(arbitrary data) attributes are persisted when adding other resources with
user: sshd: title: UID must be between 50-100, GID doesn't matter. home is flexible meta: desc: Ensure sshd is enabled and running since it's needed for system management sev: 5 exists: true uid: # Validate that UID is between 50 and 100 and: gt: 50 lt: 100 home: # Home can be any of the following or: - /var/empty/sshd - /var/run/sshd package: kernel: installed: true versions: # Must have 3 kernels and none of them can be 4.4.0 and: - have-len: 3 - not: contain-element: 4.4.0
- package - add new package
- file - add new file
- addr - add new remote address:port - ex: google.com:80
- port - add new listening [protocol]:port - ex: 80 or udp:123
- service - add new service
- user - add new user
- group - add new group
- command - add new command
- dns - add new dns
- process - add new process name
- kernel-param - add new kernel-param
- mount - add new mount
- interface - add new network interface
- http - add new network http url
- goss - add new goss file, it will be imported from this one
Supported output formats
- rspecish (default) - Similar to rspec output
- documentation - Verbose test results
- JSON - Detailed test result
- nagios - Nagios/Sensu compatible output /w exit code 2 for failures.
- nagios_verbose - nagios output with verbose failure output.
- goss-ansible - Ansible module for Goss
- kitchen-goss - A test-kitchen verifier plugin for GOSS
- goss-fpm-files - Might be useful for building goss system packages
Currently goss only runs on Linux.
The following tests have limitations.
- Alpine apk
- sysV init
- OpenRC init