Fix openSCAP results #2880
Fix openSCAP results #2880
Conversation
Bischoff
force-pushed
the
openscap-centos
branch
4 times, most recently
from
7491f1f
to
a9be690
Compare
Bischoff
force-pushed
the
openscap-centos
branch
2 times, most recently
from
03142cb
to
ed4b25c
Compare
Bischoff
force-pushed
the
openscap-centos
branch
3 times, most recently
from
aa013ea
to
96bd145
Compare
| TRADITIONAL_STACK_RPMS = 'spacewalk-client-tools spacewalk-check spacewalk-client-setup '\ | ||
| 'mgr-daemon mgr-osad mgr-cfg-actions'.freeze | ||
|
|
||
| OPEN_SCAP_CENTOS_DEPS = 'spacewalk-oscap scap-security-guide'.freeze | ||
|
|
||
| OPEN_SCAP_TRAD_DEPS = 'spacewalk-oscap'.freeze | ||
|
|
||
| OPEN_SCAP_SALT_DEPS = 'openscap-utils openscap-content scap-security-guide'.freeze |
There was a problem hiding this comment.
I don't like the idea to remove these constants.
I prefer to have outside from a method this information, as it's easier to tweak and handle it.
There was a problem hiding this comment.
I knew you would say that. I still don't understand how having things at different places helps. Having them where they are needed avoid me losing overview.
Said overwise, a constant (or a method) that is used only once does not really make sense to me.
There was a problem hiding this comment.
That's a lost battle, you will never agree with me in relation to encapsulation and isolation, so... go ahead.
| When(/^I enable universe repositories on "([^"]*)"$/) do |host| | ||
| node = get_target(host) | ||
| node.run("sed -i '/^#\\s*deb http:\\/\\/archive.ubuntu.com\\/ubuntu .* universe/ s/^#\\s*deb /deb /' /etc/apt/sources.list") | ||
| node.run("apt-get update") | ||
| end | ||
|
|
||
| When(/^I disable universe repositories on "([^"]*)"$/) do |host| | ||
| node = get_target(host) | ||
| node.run("sed -i '/^deb http:\\/\\/archive.ubuntu.com\\/ubuntu .* universe/ s/^deb /# deb /' /etc/apt/sources.list") | ||
| node.run("apt-get update") | ||
| end | ||
|
|
There was a problem hiding this comment.
I'd prefer if we join these two steps definitions that are doing the same, but with the opposite result
There was a problem hiding this comment.
I don't think that helps readability and I prefer it like this. But if you wish to "fix" this someday I won't oppose either.
There was a problem hiding this comment.
Using add-apt-repository on Ubuntu20, will be safer and will simplify it in a step.
If we use Ubuntu16 or Ubuntu18, we just need to first install software-properties-common
| # On CentOS 7, OpenSCAP files are for RedHat and need a small adaptation for CentOS | ||
| When(/^I fix CentOS 7 OpenSCAP files on "([^"]*)"$/) do |host| | ||
| node = get_target(host) | ||
| script = '/<\/rear-matter>/a <platform idref="cpe:/o:centos:centos:7"/>' | ||
| file = "/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml" | ||
| node.run("sed -i '#{script}' #{file}") | ||
| end |
There was a problem hiding this comment.
Does it only happen in CentOS7? It doesn't happen on CentOS 8?
There was a problem hiding this comment.
This is an interesting and open question. In the doubt, I took a conservative approach and chose to use it on CentOS 7 only. We can add it to CentOS 8 too if we see notapplicable there as well.
I am sure it happens in CentOS 6 because of https://forums.centos.org/viewtopic.php?t=50462 .
It also happens in Ubuntu !!! But I did not find the correct fix and gave up after one hour searching. I added a TODO in the code as a way to remember the issue.
There was a problem hiding this comment.
Ok, keep in mind it, and maybe add a comment in the card to upgrade our CI to CentOS8, as that could emerge at some moment.
| Scenario: Cleanup: remove the openSCAP packages from the traditional client | ||
| When I remove OpenSCAP dependencies from "sle_client" | ||
| And I disable SUSE Manager tools repositories on "sle_client" | ||
| And I disable repository "os_pool_repo os_update_repo" on this "sle_client" |
There was a problem hiding this comment.
If I recall correctly, a few weeks ago I manage to hide this information from the Gherkin code.
Could you review that there is no method that provides you this action without specifying fake repository names (os_pool_repo os_update_repo) here in the scenario?
There was a problem hiding this comment.
No, we do hide this, but for other stuff : Docker, Prometeus, etc.
To be noticed: the existing code was not hiding the details either (And I enable repository "CentOS Base").
I tried to hide it the same way:
And I install packages before testing OpenSCAP
but it resulted complicated, especially due to the fact we reuse steps like I disable SUSE Manager tools repositories that are already doing part of the hiding, but are also used standalone for bootstrapping. The other thing that makes it difficult is that it depends both on OS and on traditional/minion.
I agree this refactor would be beneficial, but I also already lost too much time on openSCAP, which is somehow marginal.
Feel free to write these "hiding" steps (but hiding all repository enable/disable, not only a couple of them). Would be great.
There was a problem hiding this comment.
As I said, I will not go behind others' code refactoring it. If you really feel it's ok like that, I will not oppose, I'm just giving my personal opinion :)
| Given I am on the Systems overview page of this "sle_client" | ||
| When I follow "Audit" in the content area | ||
| And I follow "List Scans" in the content area | ||
| And I click on "Select All" | ||
| And I click on "Remove Selected Scans" | ||
| And I click on "Confirm" | ||
| Then I should see a "deleted. 0 SCAP Scan(s) retained" text | ||
| Then I should see a "1 SCAP Scan(s) deleted. 0 SCAP Scan(s) retained" text |
There was a problem hiding this comment.
These kinds of assumptions are very problematic for idempotency and it's a source of issues if we decide to run the tests in parallel. Please keep that in mind. Note it will not impact if the minion only runs SCAP in this feature.
There was a problem hiding this comment.
Agree. Will remove it everywhere. Was done to align to same code on all types of clients, but I aligned the wrong way round.
There was a problem hiding this comment.
As a side note, it could not have created problems with parallelism, as it happens on different clients, and each has its own audit screen. But OK.
Bischoff
force-pushed
the
openscap-centos
branch
from
96bd145
to
bb9b72e
Compare
What does this PR change?
The result of the openSCAP audit may list many not applicable rules. They make the test for passing rules difficult as they may start on page 2. This PR uses the filter button to focus on the passing rules.
Now we will install all needed packages from the test suite, instead of a mixture of sumaform and the test suite (see uyuni-project/sumaform#801). This PR adapts.
The list of packages to install for openSCAP tests was wrong, For example, the CentOS traditional client is both a CentOS client and a traditional client. Constant package lists were not fit for this, this PR computes the list dynamically.
This PR also cleans up the generated reports, the installed packages and the enabled repositories at the end to make these tests idempotent.
Links
Ports:
Changelogs
If you don't need a changelog check, please mark this checkbox: