
OPENSCAP-5235: Block remediation on deployed bootc system #2203

Merged: 6 commits from prevent_bootc into OpenSCAP:maint-1.3 on Mar 13, 2025

Conversation

jan-cerny (Member):

OpenSCAP remediation is supposed to be used only at bootc container image build. A deployed bootc system is immutable; it can't be remediated with OpenSCAP, and trying to do so would result in errors and a bad user experience.

We will update OpenSCAP to print an error message for users in case they try to run remediation on an already deployed bootc system, informing them that it is not possible and that the OpenSCAP remediation must be performed during container build.

@jan-cerny jan-cerny added the Image Mode Bootable containers and Image Mode RHEL label Mar 6, 2025
@jan-cerny jan-cerny force-pushed the prevent_bootc branch 5 times, most recently from 376ce92 to 3d5d391 on March 6, 2025 10:57
@jan-cerny jan-cerny marked this pull request as ready for review March 10, 2025 13:37
@jan-cerny jan-cerny added this to the 1.3.12 milestone Mar 10, 2025
Commit message: jq is an additional tool. Currently it's available in both the RHEL and CentOS base bootable container images, but we had better not rely on it in case someone removes it in the future.

Commit message: We don't like the current behavior where the user needs to wait for the initial scan results just to see the error. We will move the error so that it is printed right away and the initial scan is not performed at all.
@matusmarhefka matusmarhefka self-assigned this Mar 12, 2025
@matusmarhefka matusmarhefka merged commit f14ef25 into OpenSCAP:maint-1.3 Mar 13, 2025
7 of 9 checks passed