Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce bootc remediation type #12497

Merged
merged 4 commits into from
Oct 22, 2024
Merged

Introduce bootc remediation type #12497

merged 4 commits into from
Oct 22, 2024

Conversation

jan-cerny
Copy link
Collaborator

@jan-cerny jan-cerny commented Oct 15, 2024
edited
Loading

This PR introduces support for new remediation type "bootc".

Remediations of this type will be generated only internally by the future oscap-bootc script. They aren't supposed to be generated by any user.

The format of this remediation will be similar to "kickstart" remediation. However, only package installation and removal will be supported and different keywords will be used. Currently supported commands:

  • dnf install package_name
  • dnf remove package_name

Having a new remediation type instead of reusing "kickstart" will help us create SCAP content specific for the needs of bootable containers.

This PR is strongly connected to this PR: OpenSCAP/openscap#2166

@jan-cerny
Introduce new remediation type bootc
7b381cd 
This new remediation type will be used internally by the
oscap-bootc tool which will be used by users in their Container
files to build RHEL Image Mode (bootc) container images by for
example the `podman build` command.

The extra remediation type allow us to perform some remediations
before the actual `oscap` scan. It's mainly intended to collectively
install RPM packages required by the compliance profile to the container
images before XCCDF rules are evaluated.
@jan-cerny
Add bootc templates for package templates
5b7dc04 
Adds remediation of the "bootc" type for "package_installed"
and "package_removed" template.
@jan-cerny jan-cerny added the Image Mode Bootable containers and Image Mode RHEL label Oct 15, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Oct 15, 2024
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Oct 15, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@jan-cerny jan-cerny mentioned this pull request Oct 15, 2024
Merged
@github-actions GitHub Actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@jan-cerny jan-cerny added this to the 0.1.75 milestone Oct 17, 2024
@codeclimate CodeClimate
Copy link

codeclimate bot commented Oct 17, 2024

Code Climate has analyzed commit 58ef8f0 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 50.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (1.3% change).

View more on Code Climate.

@jan-cerny jan-cerny marked this pull request as ready for review October 18, 2024 08:24
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Oct 18, 2024
@jan-cerny jan-cerny added the Infrastructure Our content build system label Oct 18, 2024
@matusmarhefka matusmarhefka self-assigned this Oct 22, 2024
matusmarhefka
matusmarhefka approved these changes Oct 22, 2024
View reviewed changes
Copy link
Member

@matusmarhefka matusmarhefka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, I also tested building a data stream and generating bootc fix using openscap from OpenSCAP/openscap#2166 and it works as expected - it generates a Bash script which installs and then removes all the packages based on package_X_installed/package_X_removed rules which are selected in the profile.

@matusmarhefka
Copy link
Member

Note: Failing Automatus Sanity / Run Tests (pull_request) test is not caused by the changes in this PR.

@matusmarhefka matusmarhefka merged commit 8a9b90f into ComplianceAsCode:master Oct 22, 2024
103 of 104 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matusmarhefka matusmarhefka matusmarhefka approved these changes

Assignees

@matusmarhefka matusmarhefka

Labels
Image Mode Bootable containers and Image Mode RHEL Infrastructure Our content build system
Projects
None yet
Milestone
0.1.75
Development

Successfully merging this pull request may close these issues.
2 participants
@jan-cerny @matusmarhefka