Load all the profile if not loaded for Ubuntu
Description:
- Load all the profiles if not loaded for Ubuntu without changing the mode of loaded profiles
Rationale:
- We change the default mode to enforce for Ubuntu, so if the var_apparmor_mode has been changed it means the customers tailored the benchmark and don't want to enforce all existing profiles. In order to preserve the modes of loaded profiles and still be compliant, we should only load the not-loaded profiles in complain mode.
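The selection described above (load only what is not yet loaded, in complain mode, and leave loaded profiles alone), as an added sketch that is not the PR's remediation code. The function names and the default paths `/etc/apparmor.d` and `/sys/kernel/security/apparmor/profiles` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the PR's code. Paths below are assumed defaults.
PROFILE_DIR="${PROFILE_DIR:-/etc/apparmor.d}"
LOADED_LIST="${LOADED_LIST:-/sys/kernel/security/apparmor/profiles}"

# Print the names of loaded profiles, one per line. The kernel lists them
# as "NAME (mode)", e.g. "/usr/sbin/cupsd (enforce)"; drop the " (mode)".
loaded_names() {
    sed 's/ ([a-z]*)$//' "$LOADED_LIST"
}

# Print every profile file in PROFILE_DIR that declares at least one
# profile name missing from the loaded list. `apparmor_parser -N FILE`
# prints the profile names a file defines.
unloaded_profile_files() {
    for file in "$PROFILE_DIR"/*; do
        [ -f "$file" ] || continue   # skip abstractions/, tunables/, ...
        apparmor_parser -N "$file" 2>/dev/null | while IFS= read -r name; do
            [ -n "$name" ] || continue
            if ! loaded_names | grep -Fxq -- "$name"; then
                printf '%s\n' "$file"
                break                # one hit is enough for this file
            fi
        done
    done
}

# Load the missing profiles. -a (add) gives an error instead of replacing a
# profile that is already in the kernel, so loaded profiles keep their
# mode; -C forces the newly added ones into complain mode.
load_missing_in_complain() {
    unloaded_profile_files | while IFS= read -r file; do
        apparmor_parser -a -C "$file" || echo "failed to load: $file" >&2
    done
}

# Only touch the system when asked to: sh this-script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    load_missing_in_complain
fi
```

Run `unloaded_profile_files` on its own first to review which files would be loaded before using `--apply` as root.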
Hi @alanmcanonical. Thanks for your PR.
I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Start a new ephemeral environment with changes proposed in this pull request:
rhel8 (from CTF) Environment (using Fedora as testing environment)
:robot: A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12482
This image was built from commit: a137692ec3c4b3984add74fb0b19ef5cb7becf45
If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12482
Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12482 make deploy-local
@alanmcanonical is it expected that test scenarios fail to initialize the testing environment for this rule in containers?
No. It should succeed to create testing environment. I will have a look
The apparmor is expected to fail inside the container environment. See here. The docker and podman provide minimal support for apparmor. These tests pass if we test in a qemu/kvm environment.
@Mab879 hey! could you please give some advice here.
We are trying for this rule to not run in a container, but the tests are still being executed if platform: machine is set.
We also mentioned this behavior in #12511
@alanmcanonical could you please rebase so that this PR is in effect? https://github.com/ComplianceAsCode/content/pull/12512
The #12512 is not a complete fix for #12511. We need to investigate the ssg test system more to see what we can do to fix this
@alanmcanonical I see. I think the issue might take a while to resolve. Did you try creating a local VM with Ubuntu and using Automatus to test those rules in that VM? If you did that and test scenarios pass, I think this can be merged.
All the tests pass on my qemu vm
Code Climate has analyzed commit d7b34387 and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 60.9% (0.0% change).