Adapt sysctl template for bootable containers #12552
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
Start a new ephemeral environment with changes proposed in this pull request: Fedora Environment Oracle Linux 8 Environment |
|
/packit build |
jan-cerny
force-pushed
the
sysctl_bootc
branch
2 times, most recently
from
8d62301 to
5237ec2
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
jan-cerny
commented
Nov 5, 2024
Add an SCE check to the sysctl template special for bootable containers. We don't want to use OVAL check in this template because the OVAL check checks runtime status using OpenSCAP sysctl probe. The probe doesn't return meaningful results during podman build process and also it doesn't make sense to check runtime during the build. We need to check only the static configuration. Moreover, we update the Bash remediation to not set the runtime status during podman build process. We need to update the test `test_xccdf_values_in_ds.sh`. Bash variables whose names start with `$XCCDF_VALUE_` are valid in SCE content. The `$XCCDF_VALUE_` variables are exported by `oscap` so that the SCE check can use XCCDF Values in its code.
The flags "S" and "R" are set in FLAGS variable always. Since they're set always, we don't have to set them at all. We can remove the conditions that check for these flags and always use the code inside the conditions.
In fact, the `FLAGS` variable only holds information about if the rule is related to IPv6 or not. So we can rename it to a better name `IPV6` and make it a boolean variable.
jan-cerny
force-pushed
the
sysctl_bootc
branch
from
7386be5 to
e6e3371
Compare
|
I have rebased this PR on the top of the latest upstream master branch. Then, I have add support for multiple values in |
All occurrences of the sysctl settings must have the correct value. It isn't enough to have one correct entry to pass. If there are multiple entries and one of them has incorrect value we need to fail.
matusmarhefka
approved these changes
Nov 6, 2024
|
Code Climate has analyzed commit 257d257 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change). View more on Code Climate. |
matusmarhefka
merged commit b5456a8
into
ComplianceAsCode:master
104 of 105 checks passed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add an SCE check to the sysctl template special for bootable containers. We don't want to use OVAL check in this template because the OVAL check checks runtime status using OpenSCAP sysctl probe. The probe doesn't return meaningful results during podman build process and also it doesn't make sense to check runtime during the build. We need to check only the static configuration. Moreover, we update the Bash remediation to not set the runtime status during podman build process.