openshift / compliance-operator

Operator providing OpenShift cluster compliance checks
Apache License 2.0

Switch to using openscap 1.3.5 #729

Closed jhrozek closed 3 years ago

jhrozek commented 3 years ago

RHEL-8.5 is going to use openscap 1.3.5 that fixes several crashes. In the meantime, we can use that release from a personal COPR repository.

jhrozek commented 3 years ago

@mrogers950 PTAL

Do you think it's OK to keep using the :latest tag? Or should I build and push a separate tag so that we can make a clean switch when RHEL-8.5 goes GA? See e.g. commit 8e18e9ceb0a4d539271b5406276e8ea87f1a8054 for comparison.

openshift-ci[bot] commented 3 years ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jhrozek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/openshift/compliance-operator/blob/master/OWNERS)~~ [jhrozek]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.

JAORMX commented 3 years ago

```text
STEP 3: LABEL     name="openscap-ocp"     run="podman run --privileged -v /:/host  -eHOSTROOT=/host -ePROFILE=xccdf_org.ssgproject.content_profile_coreos-fedramp -eCONTENT=ssg-rhcos4-ds.xml -eREPORT_DIR=/reports -eRULE=xccdf_org.ssgproject.content_rule_selinux_state"     io.k8s.display-name="OpenSCAP container for OCP4 node scans"     io.k8s.description="OpenSCAP security scanner for scanning hosts through a host mount"     io.openshift.tags="compliance openscap scan"     io.openshift.wants="scap-content"
STEP 4: COPY jhrozek-openscap-1.3.5-epel-8.repo /etc/yum.repos.d/
error: build error: error building at STEP "COPY jhrozek-openscap-1.3.5-epel-8.repo /etc/yum.repos.d/": error adding sources [/tmp/build/inputs/jhrozek-openscap-1.3.5-epel-8.repo]: error checking on source /tmp/build/inputs/jhrozek-openscap-1.3.5-epel-8.repo under "/tmp/build/inputs": copier: stat: "/jhrozek-openscap-1.3.5-epel-8.repo": no such file or directory
```

jhrozek commented 3 years ago

On Mon, Oct 11, 2021 at 10:18:46PM -0700, Juan Osorio Robles wrote:

> STEP 3: LABEL     name="openscap-ocp"     run="podman run --privileged -v /:/host  -eHOSTROOT=/host -ePROFILE=xccdf_org.ssgproject.content_profile_coreos-fedramp -eCONTENT=ssg-rhcos4-ds.xml -eREPORT_DIR=/reports -eRULE=xccdf_org.ssgproject.content_rule_selinux_state"     io.k8s.display-name="OpenSCAP container for OCP4 node scans"     io.k8s.description="OpenSCAP security scanner for scanning hosts through a host mount"     io.openshift.tags="compliance openscap scan"     io.openshift.wants="scap-content"
> STEP 4: COPY jhrozek-openscap-1.3.5-epel-8.repo /etc/yum.repos.d/
> error: build error: error building at STEP "COPY jhrozek-openscap-1.3.5-epel-8.repo /etc/yum.repos.d/": error adding sources [/tmp/build/inputs/jhrozek-openscap-1.3.5-epel-8.repo]: error checking on source /tmp/build/inputs/jhrozek-openscap-1.3.5-epel-8.repo under "/tmp/build/inputs": copier: stat: "/jhrozek-openscap-1.3.5-epel-8.repo": no such file or directory

But do you know why the file can't be found? It is added to the repo and 'make openscap-image' works locally. Do I also need to add the file somewhere else?

JAORMX commented 3 years ago

> On Mon, Oct 11, 2021 at 10:18:46PM -0700, Juan Osorio Robles wrote:
>
> STEP 3: LABEL name="openscap-ocp" run="podman run --privileged -v /:/host -eHOSTROOT=/host -ePROFILE=xccdf_org.ssgproject.content_profile_coreos-fedramp -eCONTENT=ssg-rhcos4-ds.xml -eREPORT_DIR=/reports -eRULE=xccdf_org.ssgproject.content_rule_selinux_state" io.k8s.display-name="OpenSCAP container for OCP4 node scans" io.k8s.description="OpenSCAP security scanner for scanning hosts through a host mount" io.openshift.tags="compliance openscap scan" io.openshift.wants="scap-content"
> STEP 4: COPY jhrozek-openscap-1.3.5-epel-8.repo /etc/yum.repos.d/
> error: build error: error building at STEP "COPY jhrozek-openscap-1.3.5-epel-8.repo /etc/yum.repos.d/": error adding sources [/tmp/build/inputs/jhrozek-openscap-1.3.5-epel-8.repo]: error checking on source /tmp/build/inputs/jhrozek-openscap-1.3.5-epel-8.repo under "/tmp/build/inputs": copier: stat: "/jhrozek-openscap-1.3.5-epel-8.repo": no such file or directory
>
> But do you know why the file can't be found? It is added to the repo and 'make openscap-image' works locally. Do I also need to add the file somewhere else?

@jhrozek it's probably due to the context the image is built in. You probably have to specify the path with reference to that context (which, my guess is, is the repo's root directory).

mrogers950 commented 3 years ago

@mrogers950 PTAL

Do you think it's OK to keep using the :latest tag? Or should I build and push a separate tag so that we can make a clean switch when RHEL-8.5 goes GA? See e.g. commit 8e18e9c for comparison.

I think moving to the specific tag would be best.

mrogers950 commented 3 years ago

> On Mon, Oct 11, 2021 at 10:18:46PM -0700, Juan Osorio Robles wrote:
>
> STEP 3: LABEL name="openscap-ocp" run="podman run --privileged -v /:/host -eHOSTROOT=/host -ePROFILE=xccdf_org.ssgproject.content_profile_coreos-fedramp -eCONTENT=ssg-rhcos4-ds.xml -eREPORT_DIR=/reports -eRULE=xccdf_org.ssgproject.content_rule_selinux_state" io.k8s.display-name="OpenSCAP container for OCP4 node scans" io.k8s.description="OpenSCAP security scanner for scanning hosts through a host mount" io.openshift.tags="compliance openscap scan" io.openshift.wants="scap-content"
> STEP 4: COPY jhrozek-openscap-1.3.5-epel-8.repo /etc/yum.repos.d/
> error: build error: error building at STEP "COPY jhrozek-openscap-1.3.5-epel-8.repo /etc/yum.repos.d/": error adding sources [/tmp/build/inputs/jhrozek-openscap-1.3.5-epel-8.repo]: error checking on source /tmp/build/inputs/jhrozek-openscap-1.3.5-epel-8.repo under "/tmp/build/inputs": copier: stat: "/jhrozek-openscap-1.3.5-epel-8.repo": no such file or directory
>
> But do you know why the file can't be found? It is added to the repo and 'make openscap-image' works locally. Do I also need to add the file somewhere else?

Just the way CI builds work, I think. In the release repo we point directly to the CI Dockerfiles for the images and it's not aware of the other files in the src repo. If you move the repo file's contents into an echo command contained in the Dockerfile, then it should be buildable in CI.
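One way to apply the suggestion above, as an added illustration rather than the PR's actual Dockerfile: the repo definition is written from inside the Dockerfile instead of being `COPY`'d from the source tree, so the image still builds when CI only has the Dockerfile as context. The base image, the `baseurl` and the `gpgkey` values are placeholders, not the real COPR locations; the version check at the end is added so a silent fallback to the base image's openscap package fails the build instead of going unnoticed.

```dockerfile
# Assumed base image; the PR's real Dockerfile base is not shown in the thread.
FROM registry.access.redhat.com/ubi8/ubi

# Inline the repo file instead of COPYing it from the repo checkout.
# baseurl/gpgkey are placeholders, not the actual COPR URLs from the PR.
# Keeping gpgcheck=1 means packages from the interim repo are still
# signature-verified rather than trusted on URL alone.
RUN printf '%s\n' \
      '[jhrozek-openscap-1.3.5]' \
      'name=openscap 1.3.5 (COPR, interim until RHEL 8.5 GA)' \
      'baseurl=https://COPR_BASEURL_PLACEHOLDER/epel-8-$basearch/' \
      'enabled=1' \
      'gpgcheck=1' \
      'gpgkey=https://COPR_GPGKEY_PLACEHOLDER/pubkey.gpg' \
      'skip_if_unavailable=0' \
    > /etc/yum.repos.d/jhrozek-openscap-1.3.5-epel-8.repo

# Install the scanner, then assert that the repo actually delivered 1.3.5;
# if dnf resolved the base distro's older openscap instead, the build fails here.
RUN dnf install -y openscap-scanner \
 && rpm -q --qf '%{VERSION}\n' openscap-scanner | grep -qxF '1.3.5' \
 && dnf clean all
```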

jhrozek commented 3 years ago

On Wed, Oct 13, 2021 at 01:24:55PM -0700, Matt Rogers wrote:

> > On Mon, Oct 11, 2021 at 10:18:46PM -0700, Juan Osorio Robles wrote:
> >
> > STEP 3: LABEL name="openscap-ocp" run="podman run --privileged -v /:/host -eHOSTROOT=/host -ePROFILE=xccdf_org.ssgproject.content_profile_coreos-fedramp -eCONTENT=ssg-rhcos4-ds.xml -eREPORT_DIR=/reports -eRULE=xccdf_org.ssgproject.content_rule_selinux_state" io.k8s.display-name="OpenSCAP container for OCP4 node scans" io.k8s.description="OpenSCAP security scanner for scanning hosts through a host mount" io.openshift.tags="compliance openscap scan" io.openshift.wants="scap-content"
> > STEP 4: COPY jhrozek-openscap-1.3.5-epel-8.repo /etc/yum.repos.d/
> > error: build error: error building at STEP "COPY jhrozek-openscap-1.3.5-epel-8.repo /etc/yum.repos.d/": error adding sources [/tmp/build/inputs/jhrozek-openscap-1.3.5-epel-8.repo]: error checking on source /tmp/build/inputs/jhrozek-openscap-1.3.5-epel-8.repo under "/tmp/build/inputs": copier: stat: "/jhrozek-openscap-1.3.5-epel-8.repo": no such file or directory
> >
> > But do you know why the file can't be found? It is added to the repo and 'make openscap-image' works locally. Do I also need to add the file somewhere else?
>
> Just the way CI builds work, I think. In the release repo we point directly to the CI Dockerfiles for the images and it's not aware of the other files in the src repo. If you move the repo file's contents into an echo command contained in the Dockerfile, then it should be buildable in CI.

Interesting, that must be a new change then (or we didn't test the images in CI earlier?) because we already used to have the repo as an external file.

Anyway, done.

jhrozek commented 3 years ago

oops, sorry, forgot to add the explicit tag

/hold

jhrozek commented 3 years ago

/hold cancel

JAORMX commented 3 years ago

/lgtm