Closed jhrozek closed 3 years ago
@mrogers950 PTAL
Do you think it's OK to keep using the :latest tag? Or should I build and push a separate tag so that we can make a clean switch when RHEL-8.5 goes GA? See e.g. commit 8e18e9ceb0a4d539271b5406276e8ea87f1a8054 for comparison.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: jhrozek
STEP 3: LABEL name="openscap-ocp" run="podman run --privileged -v /:/host -eHOSTROOT=/host -ePROFILE=xccdf_org.ssgproject.content_profile_coreos-fedramp -eCONTENT=ssg-rhcos4-ds.xml -eREPORT_DIR=/reports -eRULE=xccdf_org.ssgproject.content_rule_selinux_state" io.k8s.display-name="OpenSCAP container for OCP4 node scans" io.k8s.description="OpenSCAP security scanner for scanning hosts through a host mount" io.openshift.tags="compliance openscap scan" io.openshift.wants="scap-content"
STEP 4: COPY jhrozek-openscap-1.3.5-epel-8.repo /etc/yum.repos.d/
error: build error: error building at STEP "COPY jhrozek-openscap-1.3.5-epel-8.repo /etc/yum.repos.d/": error adding sources [/tmp/build/inputs/jhrozek-openscap-1.3.5-epel-8.repo]: error checking on source /tmp/build/inputs/jhrozek-openscap-1.3.5-epel-8.repo under "/tmp/build/inputs": copier: stat: "/jhrozek-openscap-1.3.5-epel-8.repo": no such file or directory
On Mon, Oct 11, 2021 at 10:18:46PM -0700, Juan Osorio Robles wrote:
STEP 3: LABEL name="openscap-ocp" run="podman run --privileged -v /:/host -eHOSTROOT=/host -ePROFILE=xccdf_org.ssgproject.content_profile_coreos-fedramp -eCONTENT=ssg-rhcos4-ds.xml -eREPORT_DIR=/reports -eRULE=xccdf_org.ssgproject.content_rule_selinux_state" io.k8s.display-name="OpenSCAP container for OCP4 node scans" io.k8s.description="OpenSCAP security scanner for scanning hosts through a host mount" io.openshift.tags="compliance openscap scan" io.openshift.wants="scap-content"
STEP 4: COPY jhrozek-openscap-1.3.5-epel-8.repo /etc/yum.repos.d/
error: build error: error building at STEP "COPY jhrozek-openscap-1.3.5-epel-8.repo /etc/yum.repos.d/": error adding sources [/tmp/build/inputs/jhrozek-openscap-1.3.5-epel-8.repo]: error checking on source /tmp/build/inputs/jhrozek-openscap-1.3.5-epel-8.repo under "/tmp/build/inputs": copier: stat: "/jhrozek-openscap-1.3.5-epel-8.repo": no such file or directory
But do you know why the file can't be found? It is added to the repo and 'make openscap-image' works locally. Do I also need to add the file somewhere else?
@jhrozek It's probably due to the context the image is built in. You probably have to specify the path with reference to that context (which, I guess, is the repo's root directory).
@mrogers950 PTAL
Do you think it's OK to keep using the :latest tag? Or should I build and push a separate tag so that we can make a clean switch when RHEL-8.5 goes GA? See e.g. commit 8e18e9c for comparison.
I think moving to the specific tag would be best.
But do you know why the file can't be found? It is added to the repo and 'make openscap-image' works locally. Do I also need to add the file somewhere else?
Just the way CI builds work, I think. In the release repo we point directly to the CI Dockerfiles for the images and it's not aware of the other files in the src repo. If you move the repo file's contents into an echo command contained in the Dockerfile, then it should be buildable in CI.
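A pre-build check for the failure in the CI log above, as an added example that is not part of this PR or the project's code: it lists the shell-form COPY/ADD sources a Dockerfile expects but the directory used as build context does not contain. The function name `missing_copy_sources` and the demo context are hypothetical.

```shell
#!/bin/sh
# Added example: report COPY/ADD sources that a Dockerfile expects but the
# build context lacks. Handles shell-form instructions only (no JSON form,
# line continuations or wildcards); missing_copy_sources is a hypothetical name.
missing_copy_sources() {
    dockerfile=$1 context=$2 rc=0
    while read -r instr rest; do
        case $instr in
            COPY|copy|ADD|add) ;;
            *) continue ;;
        esac
        set -f; set -- $rest; set +f    # split arguments without globbing
        from_stage=0
        while [ $# -gt 0 ]; do          # consume leading --flags
            case $1 in
                --from=*) from_stage=1; shift ;;
                --*) shift ;;
                *) break ;;
            esac
        done
        # --from copies come from another stage or image, not the context
        if [ "$from_stage" -eq 1 ]; then continue; fi
        while [ $# -gt 1 ]; do          # every argument but the last is a source
            case $1 in
                http://*|https://*) ;;  # ADD fetches URLs itself
                *) [ -e "$context/$1" ] || { echo "$1"; rc=1; } ;;
            esac
            shift
        done
    done < "$dockerfile"
    return "$rc"
}

# Constructed demo: the context holds only the Dockerfile, as in the CI log.
demo=$(mktemp -d)
printf '%s\n' 'FROM scratch' \
    'COPY jhrozek-openscap-1.3.5-epel-8.repo /etc/yum.repos.d/' > "$demo/Dockerfile"
missing_copy_sources "$demo/Dockerfile" "$demo" || echo "^ missing from build context"
rm -rf "$demo"
```

Run against the directory the CI system actually uses as context, a non-zero exit flags the build before `podman` reaches the COPY step.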
On Wed, Oct 13, 2021 at 01:24:55PM -0700, Matt Rogers wrote:
But do you know why the file can't be found? It is added to the repo and 'make openscap-image' works locally. Do I also need to add the file somewhere else?
Just the way CI builds work, I think. In the release repo we point directly to the CI Dockerfiles for the images and it's not aware of the other files in the src repo. If you move the repo file's contents into an echo command contained in the Dockerfile, then it should be buildable in CI.
Interesting, that must be a new change then (or we didn't test the images in CI earlier?) because we already used to have the repo as an external file.
Anyway, done.
oops, sorry, forgot to add the explicit tag
/hold
/hold cancel
/lgtm
RHEL-8.5 is going to use openscap 1.3.5 that fixes several crashes. In the meantime, we can use that release from a personal COPR repository.