oVirt / ovirt-node-ng-image

The source for oVirt Node NG installer ISO and RPM image
GNU General Public License v2.0

Failure to deploy oVirt node with security profile (PCI-DSS) #113

Closed gpavinteractiv closed 1 year ago

gpavinteractiv commented 1 year ago

As reported on ovirt users mailing list:

I tried with the el8 & el9 oVirt Node 4.5.4 ISOs, but in both cases the installation failed when selecting the PCI-DSS security profile. Please see the screenshots attached.

According to the 4.5.0 release notes this is a supported feature:

BZ 2030226 [RFE] oVirt hypervisors should support running on hosts with the PCI-DSS security profile applied The oVirt Hypervisor is now capable of running on machine with PCI-DSS security profile.

https://bugzilla.redhat.com/show_bug.cgi?id=2030226

As the RFE says that deployment works, I guess this is a regression somewhere between 4.5.0 & 4.5.4

On the mailing list, @sandrobonazzola answered:

In the screenshot I see ssg-onn4-ds being selected, I would have expected it to be ssg-onn45-ds.xml as that's the one being created in https://github.com/oVirt/ovirt-node-ng-image. This one should be an easy fix, just changing the name of the file to match what's expected by anaconda.

(Six screenshots attached, taken 2023-04-03.)

michalskrivanek commented 1 year ago

"BZ 2030226 [RFE] oVirt hypervisors should ..." is probably just an automatic translation, you can see in the bug it was a RHV feature. We do not test this upstream in oVirt really, mostly because it's hard to keep up with the profile changes. It may work, I don't mind merging a patch if you post one and confirm it works.

gpavinteractiv commented 1 year ago

I don't have the know-how to build an image with these changes in order to test them. Could the build be done on oVirt infra, if such a thing is possible, and I'll happily test and report?

michalskrivanek commented 1 year ago

Unfortunately not. For this project the automation is too tied with the actual release. But it shouldn't be that difficult to run locally, just prepare the host as in https://github.com/oVirt/ovirt-node-ng-image/blob/master/.github/workflows/build.yml#L40 and run a privileged container from https://github.com/oVirt/ovirt-node-ng-image/blob/master/.github/workflows/build.yml#L57 with the script and a few variables like https://github.com/oVirt/ovirt-node-ng-image/blob/master/.github/workflows/build.yml#L66

gpavinteractiv commented 1 year ago

@michalskrivanek I'm totally unsure of the individual steps to build the ISO.

On a clean CentOS Stream 9, could you provide the exact command flow that will result in creating the container with the proper variables you mentioned and then run build.sh?

michalskrivanek commented 1 year ago

I don't have it at hand, but really just copying from the workflow code it should be

```sh
mkdir -p /host/modules
mount --bind /lib/modules/$(uname -r) /host/modules
podman run -it --privileged -v /host/modules:/host/modules quay.io/ovirt/buildcontainer:el9stream
```

and then inside just check out the repo with your PR and run

```sh
export SUPERMIN_MODULES=/host/modules
export SUPERMIN_KERNEL=/host/modules/vmlinuz
build.sh
```

gpavinteractiv commented 1 year ago

Thanks! We have built the CentOS 9 ISO with the aforementioned patch:

Change the name of the file to match what's expected by anaconda.

From:

```sh
ln -sf /usr/share/xml/scap/ssg/content/{ssg-rhel9,ssg-onn45}-ds.xml
```

To:

```sh
ln -sf /usr/share/xml/scap/ssg/content/{ssg-rhel9,ssg-onn4}-ds.xml
```

Please note that we kept linking from ssg-rhel9-ds.xml, as originally. However, there is also a ssg-cs9-ds.xml in the same folder.

The host has been provisioned and joined to the oVirt Cluster. It seems to be working properly.

sandrobonazzola commented 1 year ago

Please use the cs9 one as the OVAL tuple isn't matching between cs9 and rhel9.

Once deployed, you can check it with:

```sh
sudo oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_pci-dss --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml
```

and look at the report.
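The cs9-vs-rhel9 point above comes down to which CPE platform the datastream's benchmark declares; content built for the wrong platform evaluates as not applicable on the host. The following is an added, simplified illustration of that check (not code from the thread or the oVirt project): it reads the benchmark platform and profile ids from a constructed datastream and compares the platform against the host's CPE_NAME, which is an approximation of what oscap does via OVAL CPE checks.

```python
"""Does an SSG datastream apply to this host? Added example; the datastream
and os-release excerpts below are constructed, minimal stand-ins."""
from typing import List, Optional
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}

# Constructed shape of an SSG source datastream (real files are far larger).
SAMPLE_CS9_DS = """<ds:data-stream-collection
  xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
  xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <ds:component id="scap_org.open-scap_comp_ssg-cs9-xccdf.xml">
    <xccdf:Benchmark id="xccdf_org.ssgproject.content_benchmark_CS-9">
      <xccdf:platform idref="cpe:/o:centos:centos:9"/>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_pci-dss"/>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>"""

# Constructed /etc/os-release excerpt for a CentOS Stream 9 host.
SAMPLE_OS_RELEASE = 'NAME="CentOS Stream"\nVERSION="9"\nCPE_NAME="cpe:/o:centos:centos:9"\n'

def benchmark_platforms(datastream_xml: str) -> List[str]:
    """CPE idrefs declared on every XCCDF Benchmark in the datastream."""
    root = ET.fromstring(datastream_xml)
    return [p.get("idref") for p in root.iterfind(".//xccdf:Benchmark/xccdf:platform", NS)]

def profile_ids(datastream_xml: str) -> List[str]:
    """Profile ids, e.g. the pci-dss one passed to `oscap xccdf eval --profile`."""
    root = ET.fromstring(datastream_xml)
    return [p.get("id") for p in root.iterfind(".//xccdf:Profile", NS)]

def host_cpe(os_release_text: str) -> Optional[str]:
    """CPE_NAME from /etc/os-release text; None if the field is absent."""
    for line in os_release_text.splitlines():
        if line.startswith("CPE_NAME="):
            return line.split("=", 1)[1].strip().strip('"')
    return None

def datastream_applies(datastream_xml: str, os_release_text: str) -> bool:
    """Approximation of oscap's applicability check: the host CPE must start
    with one of the benchmark's platform CPEs (oscap really runs OVAL checks)."""
    host = host_cpe(os_release_text) or ""
    return any(host.startswith(plat) for plat in benchmark_platforms(datastream_xml))
```

Run it against the real /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml and ssg-rhel9-ds.xml on a deployed node to see which one's platform actually matches the host.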

sandrobonazzola commented 1 year ago

Should be fixed by #115

gpavinteractiv commented 1 year ago

Sorry for coming back to you late.

I see that you have merged my initial patch linking to ssg-rhel9-ds.xml

In the meantime, I had followed your advice and retried building an ISO while linking to ssg-cs9-ds.xml

Two notes: