Failure to deploy oVirt node with security profile (PCI-DSS) #113
Comments
|
"BZ 2030226 [RFE] oVirt hypervisors should ..." is probably just an automatic translation, you can see in the bug it was a RHV feature. We do not test this upstream in oVirt really, mostly because it's hard to keep up with the profile changes. It may work, I don't mind merging a patch if you post one and confirm it works. |
oVirt#113 as recommended by @sandrobonazzola on ml
Change the name of the file to match what's expected by anaconda.
from :
ln -sf/usr/share/xml/scap/ssg/content/{ssg-rhel8,ssg-onn45}-ds.xml
to :
ln -sf /usr/share/xml/scap/ssg/content/{ssg-rhel8,ssg-onn4}-ds.xml
|
I don't have the know how to build an image with theses changes in order to test them. |
|
unfortunately not. for this project the automation is too tied with actual release. But it shouldnt' be that difficult to run locally, just prepare host as https://github.com/oVirt/ovirt-node-ng-image/blob/master/.github/workflows/build.yml#L40 and run priviledged container from https://github.com/oVirt/ovirt-node-ng-image/blob/master/.github/workflows/build.yml#L57 with the script and few variables like https://github.com/oVirt/ovirt-node-ng-image/blob/master/.github/workflows/build.yml#L66 |
|
@michalskrivanek On a clean centos stream 9, could you provide the exact command flow that will result in creating the container with the proper variables you mentioned and then run build.sh? |
|
i dont' have it at hand, but really just copying from the workflow code it should be |
|
Thank! Change the name of the file to match what's expected by anaconda. From : Please note that we kept linking from ssg-rhel9-ds.xml, as originally.
The host has been provisioned and joined to the oVirt Cluster. It seems to be working properly.
|
|
Please use the cs9 one as the OVAL tuple isn't matching between cs9 and rhel9. Once deployed, you can check it with:
|
Change the name of the file to match what's expected by anaconda.
from :
ln -sf/usr/share/xml/scap/ssg/content/{ssg-rhel8,ssg-onn45}-ds.xml
to :
ln -sf /usr/share/xml/scap/ssg/content/{ssg-rhel8,ssg-onn4}-ds.xml
|
Should be fixed by #115 |
|
Sorry for coming back to you late. I see that you have merged my initial patch linking to ssg-rhel9-ds.xml In the meantime, I had followed your advice and retried builing an iso while linking to ssg-cs9-ds.xml Two notes :
|
As reported on ovirt users mailing list:
I tried with el8 & el9 oVirt Node 4.5.4 isos,
But in both cases, the installation failed when selecting the PCI-DSS security profile. Please see screenshots attached
According to 4.5.0 release note this is a supported feature :
https://bugzilla.redhat.com/show_bug.cgi?id=2030226
As the RFE says that deployment works, I guess this is a regression somewhere between 4.5.0 & 4.5.4
On the mailing list, @sandrobonazzola answered :
The text was updated successfully, but these errors were encountered: