Fix zipl_bootmap_is_up_to_date #11980
First, we prioritize the order of all zIPL rules that are changing the bootloader arguments in order to put them before zipl_bootmap_is_up_to_date. This should ensure that the fixed rule zipl_bootmap_is_up_to_date isn't broken by remediations executed later.
Second, we align the Ansible remediation in zipl_bootmap_is_up_to_date to consider the modification time of /boot/loader/entries/.
Fixes ComplianceAsCode#11944
This datastream diff is auto generated by the check
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_zipl_bootmap_is_up_to_date' differs.
--- xccdf_org.ssgproject.content_rule_zipl_bootmap_is_up_to_date
+++ xccdf_org.ssgproject.content_rule_zipl_bootmap_is_up_to_date
@@ -11,11 +11,20 @@
path: /etc/zipl.conf
register: zipl_conf
+ - name: Obtain stats of /boot/loader/entries
+ stat:
+ path: /boot/loader/entries
+ register: boot_loader_entries
+
- name: Update zIPL bootmap
command: /usr/sbin/zipl
changed_when: true
- when: boot_bootmap.stat.mtime is defined and zipl_conf.stat.mtime is defined and boot_bootmap.stat.mtime
- < zipl_conf.stat.mtime
+ when:
+ - boot_bootmap.stat.mtime is defined
+ - zipl_conf.stat.mtime is defined
+ - boot_loader_entries.stat.mtime is defined
+ - boot_bootmap.stat.mtime < zipl_conf.stat.mtime or boot_bootmap.stat.mtime <
+ boot_loader_entries.stat.mtime
when:
- ansible_architecture == "s390x"
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] |
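Review bot: the new `boot_loader_entries.stat.mtime is defined` item in the task-level `when:` list is ANDed with the other items, so on a host where /boot/loader/entries does not exist (stat returns no mtime) the "Update zIPL bootmap" task is skipped even when the bootmap is older than /etc/zipl.conf, a case the removed condition still handled. Consider moving that guard into the second half of the comparison, for example `(boot_loader_entries.stat.mtime is defined and boot_bootmap.stat.mtime < boot_loader_entries.stat.mtime)`, and keeping only the bootmap and zipl.conf checks as unconditional requirements. A related point on the same comparison: the mtime of the directory changes when an entry is created, removed or renamed, but not when an existing entry file is rewritten in place, so a remediation that edits a file under /boot/loader/entries without replacing it would not trigger the update. If that case matters, compare against the newest mtime of the files inside the directory rather than the directory itself, and add a comment stating which kinds of modification the check is meant to catch.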
🤖 A k8s content image for this PR is available at: If you already have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
Code Climate has analyzed commit bb3dd2c and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change).
/test images
/packit retest-failed
Waiving Automatus due to the fact that zipl_bootmap_is_up_to_date is not applicable on x86.