-
Notifications
You must be signed in to change notification settings - Fork 383
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update oscap-bootc to verify it runs in bootable container env #2180
Update oscap-bootc to verify it runs in bootable container env #2180
Conversation
The script is updated to first verify that it runs in a bootable container environment - `bootc` package must be installed and `/run/.containerenv` file must exist which indicates we are running inside a container. If it is not running inside a bootable container environment it informs user and exits. Another change is that installation of `openscap-engine-sce` package has been moved from specfile into the script as the script already installs other requirements which are needed by SCE checks from CaC/content.
@@ -92,7 +92,6 @@ Summary: OpenSCAP Utilities | |||
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} | |||
Requires: rpmdevtools rpm-build | |||
Requires: %{name}-scanner%{?_isa} = %{epoch}:%{version}-%{release} | |||
Requires: %{name}-engine-sce%{?_isa} = %{epoch}:%{version}-%{release} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Won't this disrupt any existing deployment? For example, if someone installs the utils package expecting it will also install sce engine so they can use sce content and they don't realize they are missing this package now that is not installed when installing the utils anymore. Might be a well hidden corner case, but this could break someone's use case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was only added because of oscap-bootc
in https://github.com/OpenSCAP/openscap/pull/2169/files#diff-e361a9e64280ac40f420ea0d5c0fd49d76d21287b799ee013f2377c0cecc8814 so it should be safe to remove for now. It is not expected that SCE checks will be used outside of oscap-bootc
use case. If it will change in the future then the openscap-engine-sce
package will need to be added as a dependency to other sub-packages like openscap-scanner
, etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Becker is correct, but this change hasn't been released yet, so if we remove it now we just revert to the previous state which is fine, therefore Matus is correct.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That makes sense, thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have built a CS 9 bootable container image hardened with STIG profile. Then, I verified that openscap-engine-sce is installed in the image. Then, I booted a VM from the container image. Then I verified that the openscap-engine-sce is installed in the VM. Then, I verified that the oscap-bootc command doesn't run there and errors with an error message.
The script is updated to first verify that it runs in a bootable container environment -
bootc
package must be installed and/run/.containerenv
file must exist which indicates we are running inside a container. If it is not running inside a bootable container environment it informs user and exits.Another change is that installation of
openscap-engine-sce
package has been moved from specfile into the script as the script already installs other requirements which are needed by SCE checks from CaC/content.