Workaround package_nfs-utils_removed issue on bootable containers #12871
Unfortunately, this doesn't work. The `oscap-im` still tries to remove `nfs-utils`, therefore, the build fails. There is a mix of reasons for that.
Firstly, the rule `package_nfs-utils-removed` still contains the `bootc` style remediation. You need to add a back end turn off:
--- a/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
+++ b/linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml
@@ -40,3 +40,5 @@ template:
name: package_removed
vars:
pkgname: nfs-utils
+ backends:
+ bootc: "off"
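Review bot: the `backends:` / `bootc: "off"` pair added at the end of the `template:` block has no comment saying why the bootc remediation is switched off, and as written in the hunk it is not limited to any product. Suggest a YAML comment above `backends:` that references RHEL-74244, so the switch is easy to find and revert once that issue is resolved, and a confirmation that turning off the templated bootc remediation for every product that builds this rule is intended.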
Second, the `nfs-utils` is removed as a dependency of `gssproxy` which is removed because the removal of `gssproxy` is requested by rule `package_gssproxy_removed`. See the output of `dnf` from `oscap-im` run after we solved the first point.
Removing:
gssproxy x86_64 0.9.2-8.el10 @System 269 k
Removing dependent packages:
beakerlib noarch 1.31.3-1.el10_0 @epel 442 k
beakerlib-redhat noarch 1-35.el9 @beaker-harness 22 k
nfs-utils x86_64 1:2.8.2-0.el10 @System 1.3 M
I think you will need to handle the `gssproxy` in a similar way and also turn off the back end for the template in the rule `package_gssproxy_removed`.
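A check for the second point in the comment above, as an added example that is not part of the pull request or the project's code: it parses a dnf removal listing and reports packages a build must keep but that dnf would erase as dependents of a requested removal. The function names and the `must_not_remove` set are assumptions; the sample input is the listing quoted in the comment.

```python
import re

# Sample input: the dnf listing quoted in the review comment above.
SAMPLE = """\
Removing:
gssproxy x86_64 0.9.2-8.el10 @System 269 k
Removing dependent packages:
beakerlib noarch 1.31.3-1.el10_0 @epel 442 k
beakerlib-redhat noarch 1-35.el9 @beaker-harness 22 k
nfs-utils x86_64 1:2.8.2-0.el10 @System 1.3 M
"""

# Section headers as they appear in that listing.
HEADERS = {
    "Removing:": "requested",
    "Removing dependent packages:": "dependent",
}
# name, arch, [epoch:]version-release, @repository, size
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(@\S+)\s+[\d.]+\s*[kMG]?\s*$")


def parse_removals(text):
    """Return package names grouped by why dnf removes them."""
    removed = {"requested": [], "dependent": []}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in HEADERS:
            section = HEADERS[stripped]
        elif section and (match := ROW.match(line)):
            removed[section].append(match.group(1))
        elif stripped:
            section = None  # any other non-empty line ends the table
    return removed


def collateral_removals(text, must_not_remove):
    """Map each protected package that dnf would erase as a dependent
    to the requested removals that can be responsible (hypothetical helper)."""
    removed = parse_removals(text)
    return {
        name: list(removed["requested"])
        for name in removed["dependent"]
        if name in must_not_remove
    }


if __name__ == "__main__":
    print(collateral_removals(SAMPLE, {"nfs-utils"}))
```
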
The rule is affected by https://issues.redhat.com/browse/RHEL-74244, which causes a RHEL 10 bootable container hardened with the STIG profile to fail to build. Therefore, until this issue is resolved, we will have a special RHEL 10 only remediation which works around the problem on bootable containers. Moreover, the `nfs-utils` package is removed as a dependency of the `gssproxy` package, so the same workaround is also needed for the rule `package_gssproxy_removed`.
53fe0bd to b67b0e1
This datastream diff is auto generated by the check
New data stream is missing bootc remediation for rule 'xccdf_org.ssgproject.content_rule_package_gssproxy_removed'.
New data stream is missing bootc remediation for rule 'xccdf_org.ssgproject.content_rule_package_nfs-utils_removed'.
Code Climate has analyzed commit b67b0e1 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.0% change).
With this PR I'm able to successfully build a RHEL 10 bootable container image hardened with the RHEL 10 STIG profile. I have deployed a VM from that built image and verified that `nfs-utils` and `gssproxy` RPMs aren't installed in the VM.
The rule is affected by https://issues.redhat.com/browse/RHEL-74244, which causes a RHEL 10 bootable container hardened with the STIG profile to fail to build. Therefore, until this issue is resolved, we will have a special RHEL 10 only remediation which works around the problem on bootable containers.