Prefer platform_package_overrides
Description:
Add platform_package_overrides handling all over. Replace other methods to use it.
Rationale:
There are 3 ways to handle package names differing between products.
There is one exception where we need another way to handle package names, and that is when the default has only one package to handle a service and another product has multiple packages. And there is no possibility to set up platform_package_overrides.
The first way is to use an if block; see package_gdm_removed and package_dhcp_removed as examples. Endless lists of products that change, and wherever there is a possibility that some rule has a different set, there probably is. I don't like this and it just seems totally unmaintainable.
The second way is template vars: '@openssh-server' in service_sshd_enabled is named openssh in products sle12 and sle15, but in rule service_sshd_disabled, the same is only true with opensuse and sle12.
Third, and my selected way, is to use the per-product dict platform_package_overrides. You need to make only one change when you notice a package name mismatch. No maintenance needed after that.
There was already some support for platform_package_overrides in tests but it was not wholly used. See service_dhcpd_disabled.
My implementation uses one new jinja macro, apply_platform_package_overrides, to provide the transformation. Each macro with a package parameter is changed to use this. For each template with a package name parameter there is a transformation in template.py preprocess.
All other ways I could find are changed.
Some changes to package names where I noticed mistakes.
Because this is a change over multiple products and multiple rules, it might need some deliberation on how to proceed.
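As an added illustration of the mechanism the description sketches (not the PR's own code and not the ComplianceAsCode build system): a per-product override dict consulted by a single lookup, a preprocess step that rewrites package-naming template parameters including the multi-package case, and the OVAL test id shape seen in the datastream diff. Product names, the parameter key names and all function names are constructed assumptions.

```python
# Hypothetical sketch of the platform_package_overrides idea from the PR
# description. Not ComplianceAsCode code; all data below is constructed.

# Constructed per-product configuration. In the project each product would
# carry its own dict; the rename pairs are the ones visible in the datastream
# diff, assigned here to made-up products.
PRODUCTS = {
    "productA": {"platform_package_overrides": {
        "sssd": "sssd-common",
        "telnet": "telnet-server",
        "rsh": "rsh-server",
    }},
    "productB": {"platform_package_overrides": {"openssh-server": "openssh"}},
    "productC": {},  # no overrides: default package names are used unchanged
}

# Template parameters assumed to name packages; the PR routes these through
# the same transformation in the template preprocess step.
PACKAGE_PARAMS = ("pkgname", "packagename")


def apply_platform_package_overrides(product, pkgname):
    """Return the product-specific package name, or pkgname unchanged."""
    overrides = PRODUCTS.get(product, {}).get("platform_package_overrides", {})
    name = pkgname.strip()  # tolerate stray whitespace from YAML values
    return overrides.get(name, name)


def preprocess_template_vars(product, variables):
    """Preprocess step: rewrite every package-naming template parameter.

    Handles a single name and a list of names (the multi-package case the
    description mentions); other keys are copied through untouched.
    """
    out = dict(variables)
    for key in PACKAGE_PARAMS:
        val = out.get(key)
        if isinstance(val, list):
            out[key] = [apply_platform_package_overrides(product, p) for p in val]
        elif isinstance(val, str):
            out[key] = apply_platform_package_overrides(product, val)
    return out


def oval_package_test_id(product, pkgname, state="installed", service=None):
    """Build an OVAL test id in the shape the datastream diff shows."""
    real = apply_platform_package_overrides(product, pkgname)
    if service:
        return "oval:ssg-test_service_%s_package_%s_%s:tst:1" % (service, real, state)
    return "oval:ssg-test_package_%s_%s:tst:1" % (real, state)
```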
Hi @maage. Thanks for your PR.
I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Start a new ephemeral environment with changes proposed in this pull request:
rhel8 (from CTF) Environment (using Fedora as testing environment)
This datastream diff is auto-generated by the check Compare DS/Generate Diff
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_gdm_removed' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,4 @@
-To ensure the gdm package group is removed, run the following command:
-$ rpm -qi gdm
-The output should be:
-package gdm is not installed
- Is it the case that gdm has not been removed?
+Run the following command to determine if the gdm package is installed:
+$ rpm -q gdm
+ Is it the case that the package is installed?
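Review bot: the question polarity changes in this hunk, from "Is it the case that gdm has not been removed?" to "Is it the case that the package is installed?", and the new text no longer names gdm in the question or shows the expected output. Both phrasings make a "yes" answer a finding, but the new wording is now identical in shape to the package_installed OCIL further down, so double-check that this removed-rule still evaluates "yes" as a fail after the template change, and consider keeping the package name in the question so the check stays self-describing.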
OVAL definition oval:ssg-service_rsh_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_service_rsh_package_rsh_removed:tst:1
+ criterion oval:ssg-test_service_rsh_package_rsh-server_removed:tst:1
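Review bot: only the criterion reference changes here, to oval:ssg-test_service_rsh_package_rsh-server_removed:tst:1, and the diff shows no header or surrounding context; verify that the matching test and object for the rsh-server package are actually generated in the new datastream, otherwise the definition points at a test id that does not exist.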
OVAL definition oval:ssg-service_telnet_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_service_telnet_package_telnet_removed:tst:1
+ criterion oval:ssg-test_service_telnet_package_telnet-server_removed:tst:1
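Review bot: switching the criterion from package_telnet_removed to package_telnet-server_removed changes which package service_telnet_disabled checks; this looks like one of the package-name mistakes the description mentions (client and server packages are distinct), but a behavioural correction like this belongs in its own commit, or at least in a note in the description, so it is not lost inside the refactor.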
OVAL definition oval:ssg-package_sssd_installed:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_package_sssd_installed:tst:1
+ criterion oval:ssg-test_package_sssd-common_installed:tst:1
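Review bot: the rule keeps the id package_sssd_installed while its criterion now tests sssd-common; the datastream diff does not say which product this was generated for, so confirm that this mapping is a scoped product override and not a change of the default package name for every product.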
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_sssd_installed' differs:
--- old datastream
+++ new datastream
@@ -1,3 +1,3 @@
-Run the following command to determine if the sssd package is installed: $ rpm -q sssd
+Run the following command to determine if the sssd-common package is installed: $ rpm -q sssd-common
Is it the case that the package is not installed?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_sssd_installed' differs:
--- old datastream
+++ new datastream
@@ -1,8 +1,8 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q sssd-common; then
-if ! rpm -q --quiet "sssd" ; then
- yum install -y "sssd"
+if ! rpm -q --quiet "sssd-common" ; then
+ yum install -y "sssd-common"
fi
else
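Review bot: this bash remediation is now a no-op: the platform guard `if rpm --quiet -q sssd-common; then` only enters the block when sssd-common is already installed, so the inner `if ! rpm -q --quiet "sssd-common" ; then` can never be true and `yum install -y "sssd-common"` never runs. Either the platform check must key on a different package than the one being installed, or the guard needs to change.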
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_sssd_installed' differs:
--- old datastream
+++ new datastream
@@ -11,9 +11,9 @@
- no_reboot_needed
- package_sssd_installed
-- name: Ensure sssd is installed
+- name: Ensure sssd-common is installed
package:
- name: sssd
+ name: sssd-common
state: present
when: '"sssd-common" in ansible_facts.packages'
tags:
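Review bot: same self-cancelling condition as in the bash remediation: the task installs sssd-common with `state: present`, but its `when: '"sssd-common" in ansible_facts.packages'` only fires when sssd-common is already present, so the task can never change anything.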
puppet remediation for rule 'xccdf_org.ssgproject.content_rule_package_sssd_installed' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
-include install_sssd
+include install_sssd-common
-class install_sssd {
- package { 'sssd':
+class install_sssd-common {
+ package { 'sssd-common':
ensure => 'installed',
}
}
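Review bot: `include install_sssd-common` and `class install_sssd-common {` are not valid Puppet class names; Puppet class identifiers allow only lowercase letters, digits and underscores, so the hyphen from the package name has to be sanitised before it is used as a class name (for example `install_sssd_common`), while `package { 'sssd-common':` can keep the hyphen.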
anaconda remediation for rule 'xccdf_org.ssgproject.content_rule_package_sssd_installed' differs:
--- old datastream
+++ new datastream
@@ -1,2 +1,2 @@
-package --add=sssd
+package --add=sssd-common
OVAL definition oval:ssg-service_sssd_enabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_service_sssd_package_sssd_installed:tst:1
+ criterion oval:ssg-test_service_sssd_package_sssd-common_installed:tst:1
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_service_sssd_enabled' differs:
--- old datastream
+++ new datastream
@@ -26,7 +26,7 @@
state: started
masked: 'no'
when:
- - '"sssd" in ansible_facts.packages'
+ - '"sssd-common" in ansible_facts.packages'
when:
- '"sssd-common" in ansible_facts.packages'
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
@maage: PR needs rebase.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
After some testing and study of the issues shown, my conclusion is that I did not fully understand package handling in this project. Maybe there are some bits here that can be used as is already, but this needs more work other than conflict resolution.
For the record, I liked this suggested approach. Based on this draft, the improvements in readability are already clear. Also, in the long term this would be much easier to maintain.
@maage , do you have plans to resume the work on this PR? Just ping me if you need any help here.
Although this idea is interesting, the PR is quite outdated and it seems that considerable work is still necessary. Unfortunately, there has been no interaction from the author for months. I am closing this PR now. Even closed, it can be consulted anytime if similar ideas are considered in the future.