Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OpenSCAP tailoring: add key/value rule overrides #300

Closed
wants to merge 9 commits into from
Closed

OpenSCAP tailoring: add key/value rule overrides #300

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
68fdf42
schutz: update `osbuild` commit
kingsleyzissou Dec 4, 2023
2e725fc
pkg/distro: generalise default datastream
kingsleyzissou Dec 13, 2023
bd12442
pkg/distro: simplify directory creation
kingsleyzissou Dec 13, 2023
ee3e8c3
pkg/distro: simplify tailoring stage options
kingsleyzissou Dec 13, 2023
a03aaa8
pkg/distro: simplify remediation stage options
kingsleyzissou Dec 13, 2023
770a6c7
pkg/blueprints: add tailoring overrides
kingsleyzissou Dec 4, 2023
fefcc4c
pkg/osbuild: enable OpenSCAP tailoring overrides
kingsleyzissou Dec 4, 2023
be317b5
pkg/customizations: enable tailor overrides
kingsleyzissou Dec 13, 2023
3b6b310
test/configs: update OpenSCAP tests
kingsleyzissou Dec 4, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion pkg/customizations/oscap/oscap.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ const (
tailoringDirPath string = "/usr/share/xml/osbuild-openscap-data"
)

func GetDatastream(datastream string, d distro.Distro) string {
func getDatastream(datastream string, d distro.Distro) string {
if datastream != "" {
return datastream
}
Expand Down
39 changes: 37 additions & 2 deletions pkg/customizations/oscap/stage_options.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ import (
"github.com/osbuild/images/pkg/osbuild"
)

func CreateRequiredDirectories(createTailoring bool) ([]*fsnode.Directory, error) {
func createRequiredDirectories(createTailoring bool) ([]*fsnode.Directory, error) {
var directories []*fsnode.Directory

// although the osbuild stage will create this directory,
Expand Down Expand Up @@ -43,7 +43,7 @@ func CreateTailoringStageOptions(oscapConfig *blueprint.OpenSCAPCustomization, d
return nil
}

datastream := GetDatastream(oscapConfig.Datastream, d)
datastream := getDatastream(oscapConfig.Datastream, d)

tailoringConfig := oscapConfig.Tailoring
if tailoringConfig == nil {
Expand All @@ -64,3 +64,38 @@ func CreateTailoringStageOptions(oscapConfig *blueprint.OpenSCAPCustomization, d
},
)
}

func CreateRemediationStageOptions(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again, this should IMO go into the osbuild package.

oscapConfig *blueprint.OpenSCAPCustomization,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be better if this function would accept some internal abstraction of the OSCAP config, instead of BP customization.

isOSTree bool,
d distro.Distro,
) (*osbuild.OscapRemediationStageOptions, []*fsnode.Directory, error) {
if oscapConfig == nil {
return nil, nil, nil
}

if isOSTree {
return nil, nil, fmt.Errorf("unexpected oscap options for ostree image type")
}
Comment on lines +86 to +88
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is IMO not the place to check if the image type is ostree or not. This is not the job if a function which generates an osbuild stage options. Instead, this should be checked on a higher-lervel in the distro implementation and we should return an error there in case one wants to use BP customizations with an image type that does not support them.


datastream := getDatastream(oscapConfig.Datastream, d)

profileID := oscapConfig.ProfileID
if oscapConfig.Tailoring != nil {
profileID = getTailoringProfileID(profileID)
}

directories, err := createRequiredDirectories(oscapConfig.Tailoring == nil)
if err != nil {
return nil, nil, err
}

return osbuild.NewOscapRemediationStageOptions(
dataDirPath,
osbuild.OscapConfig{
Datastream: datastream,
ProfileID: profileID,
Compression: true,
},
), directories, nil
}
3 changes: 0 additions & 3 deletions pkg/distro/fedora/distro.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,9 +38,6 @@ const (

// Added kernel command line options for ami, qcow2, openstack, vhd and vmdk types
cloudKernelOptions = "ro no_timer_check console=ttyS0,115200n8 biosdevname=0 net.ifnames=0"

// location for saving openscap remediation data
oscapDataDir = "/oscap_data"
)

var (
Expand Down
47 changes: 15 additions & 32 deletions pkg/distro/fedora/images.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -161,39 +161,22 @@ func osCustomizations(
osc.YUMRepos = append(osc.YUMRepos, osbuild.NewYumReposStageOptions(filename, repos))
}

if oscapConfig := c.GetOpenSCAP(); oscapConfig != nil {
if t.rpmOstree {
panic("unexpected oscap options for ostree image type")
}

datastream := oscap.GetDatastream(oscapConfig.Datastream, t.arch.distro)

oscapStageOptions := osbuild.OscapConfig{
Datastream: datastream,
ProfileID: oscapConfig.ProfileID,
Compression: true,
}

osc.OpenSCAPTailorConfig = oscap.CreateTailoringStageOptions(
oscapConfig,
t.arch.distro,
)

if tailorConfig := osc.OpenSCAPTailorConfig; tailorConfig != nil {
oscapStageOptions.ProfileID = tailorConfig.Config.NewProfile
oscapStageOptions.Tailoring = tailorConfig.Filepath
}

directories, err := oscap.CreateRequiredDirectories(oscapConfig.Tailoring != nil)
if err != nil {
panic(err)
}

if len(directories) > 0 {
osc.Directories = append(osc.Directories, directories...)
}
var directories []*fsnode.Directory
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: consider renaming this to something like oscapDirectories to make it obvious what the variable is used for.

osc.OpenSCAPTailorConfig = oscap.CreateTailoringStageOptions(
c.GetOpenSCAP(),
t.arch.distro,
)
osc.OpenSCAPConfig, directories, err = oscap.CreateRemediationStageOptions(
c.GetOpenSCAP(),
t.rpmOstree,
t.arch.distro,
)
if err != nil {
panic(err)
}

osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(oscapDataDir, oscapStageOptions)
if len(directories) > 0 {
osc.Directories = append(osc.Directories, directories...)
}

osc.ShellInit = imageConfig.ShellInit
Expand Down
46 changes: 15 additions & 31 deletions pkg/distro/rhel8/images.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -182,38 +182,22 @@ func osCustomizations(
osc.YUMRepos = append(osc.YUMRepos, osbuild.NewYumReposStageOptions(filename, repos))
}

if oscapConfig := c.GetOpenSCAP(); oscapConfig != nil {
if t.rpmOstree {
panic("unexpected oscap options for ostree image type")
}

datastream := oscap.GetDatastream(oscapConfig.Datastream, t.arch.distro)

oscapStageOptions := osbuild.OscapConfig{
Datastream: datastream,
ProfileID: oscapConfig.ProfileID,
Compression: true,
}

osc.OpenSCAPTailorConfig = oscap.CreateTailoringStageOptions(
oscapConfig,
t.arch.distro,
)

if tailorConfig := osc.OpenSCAPTailorConfig; tailorConfig != nil {
oscapStageOptions.ProfileID = tailorConfig.Config.NewProfile
oscapStageOptions.Tailoring = tailorConfig.Filepath
}

directories, err := oscap.CreateRequiredDirectories(oscapConfig.Tailoring != nil)
if err != nil {
panic(err)
}
var directories []*fsnode.Directory
osc.OpenSCAPTailorConfig = oscap.CreateTailoringStageOptions(
c.GetOpenSCAP(),
t.arch.distro,
)
osc.OpenSCAPConfig, directories, err = oscap.CreateRemediationStageOptions(
c.GetOpenSCAP(),
t.rpmOstree,
t.arch.distro,
)
if err != nil {
panic(err)
}

if len(directories) > 0 {
osc.Directories = append(osc.Directories, directories...)
}
osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(oscapDataDir, oscapStageOptions)
if len(directories) > 0 {
osc.Directories = append(osc.Directories, directories...)
}

osc.ShellInit = imageConfig.ShellInit
Expand Down
3 changes: 0 additions & 3 deletions pkg/distro/rhel8/imagetype.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,9 +37,6 @@ const (

// blueprint package set name
blueprintPkgsKey = "blueprint"

// location for saving openscap remediation data
oscapDataDir = "/oscap_data"
)

type imageFunc func(workload workload.Workload, t *imageType, customizations *blueprint.Customizations, options distro.ImageOptions, packageSets map[string]rpmmd.PackageSet, containers []container.SourceSpec, rng *rand.Rand) (image.ImageKind, error)
Expand Down
47 changes: 15 additions & 32 deletions pkg/distro/rhel9/images.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,39 +179,22 @@ func osCustomizations(
osc.YUMRepos = append(osc.YUMRepos, osbuild.NewYumReposStageOptions(filename, repos))
}

if oscapConfig := c.GetOpenSCAP(); oscapConfig != nil {
if t.rpmOstree {
panic("unexpected oscap options for ostree image type")
}

var datastream = oscap.GetDatastream(oscapConfig.Datastream, t.arch.distro)

oscapStageOptions := osbuild.OscapConfig{
Datastream: datastream,
ProfileID: oscapConfig.ProfileID,
Compression: true,
}

osc.OpenSCAPTailorConfig = oscap.CreateTailoringStageOptions(
oscapConfig,
t.arch.distro,
)

if tailorConfig := osc.OpenSCAPTailorConfig; tailorConfig != nil {
oscapStageOptions.ProfileID = tailorConfig.Config.NewProfile
oscapStageOptions.Tailoring = tailorConfig.Filepath
}

directories, err := oscap.CreateRequiredDirectories(oscapConfig.Tailoring == nil)
if err != nil {
panic(err)
}

if len(directories) > 0 {
osc.Directories = append(osc.Directories, directories...)
}
var directories []*fsnode.Directory
osc.OpenSCAPTailorConfig = oscap.CreateTailoringStageOptions(
c.GetOpenSCAP(),
t.arch.distro,
)
osc.OpenSCAPConfig, directories, err = oscap.CreateRemediationStageOptions(
c.GetOpenSCAP(),
t.rpmOstree,
t.arch.distro,
)
if err != nil {
panic(err)
}

osc.OpenSCAPConfig = osbuild.NewOscapRemediationStageOptions(oscapDataDir, oscapStageOptions)
if len(directories) > 0 {
osc.Directories = append(osc.Directories, directories...)
}

osc.ShellInit = imageConfig.ShellInit
Expand Down
3 changes: 0 additions & 3 deletions pkg/distro/rhel9/imagetype.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,9 +40,6 @@ const (

// blueprint package set name
blueprintPkgsKey = "blueprint"

// location for saving openscap remediation data
oscapDataDir = "/oscap_data"
)

type imageFunc func(workload workload.Workload, t *imageType, customizations *blueprint.Customizations, options distro.ImageOptions, packageSets map[string]rpmmd.PackageSet, containers []container.SourceSpec, rng *rand.Rand) (image.ImageKind, error)
Expand Down