Failure to deploy oVirt node with security profile (PCI-DSS) #113
Comments
"BZ 2030226 [RFE] oVirt hypervisors should ..." is probably just an automatic translation, you can see in the bug it was a RHV feature. We do not test this upstream in oVirt really, mostly because it's hard to keep up with the profile changes. It may work, I don't mind merging a patch if you post one and confirm it works.
oVirt#113 as recommended by @sandrobonazzola on ml
Change the name of the file to match what's expected by anaconda. from: ln -sf /usr/share/xml/scap/ssg/content/{ssg-rhel8,ssg-onn45}-ds.xml to: ln -sf /usr/share/xml/scap/ssg/content/{ssg-rhel8,ssg-onn4}-ds.xml
I don't have the know-how to build an image with these changes in order to test them.
Unfortunately not. For this project the automation is too tied with actual release. But it shouldn't be that difficult to run locally, just prepare host as https://github.com/oVirt/ovirt-node-ng-image/blob/master/.github/workflows/build.yml#L40 and run privileged container from https://github.com/oVirt/ovirt-node-ng-image/blob/master/.github/workflows/build.yml#L57 with the script and few variables like https://github.com/oVirt/ovirt-node-ng-image/blob/master/.github/workflows/build.yml#L66
@michalskrivanek On a clean CentOS Stream 9, could you provide the exact command flow that will result in creating the container with the proper variables you mentioned and then run build.sh?
I don't have it at hand, but really just copying from the workflow code it should be
Thanks! Change the name of the file to match what's expected by anaconda. From : Please note that we kept linking from ssg-rhel9-ds.xml, as originally.
The host has been provisioned and joined to the oVirt Cluster. It seems to be working properly.
Please use the cs9 one as the OVAL tuple isn't matching between cs9 and rhel9. Once deployed, you can check it with:
Change the name of the file to match what's expected by anaconda. from: ln -sf /usr/share/xml/scap/ssg/content/{ssg-rhel8,ssg-onn45}-ds.xml to: ln -sf /usr/share/xml/scap/ssg/content/{ssg-rhel8,ssg-onn4}-ds.xml
Should be fixed by #115
Sorry for coming back to you late. I see that you have merged my initial patch linking to ssg-rhel9-ds.xml. In the meantime, I had followed your advice and retried building an ISO while linking to ssg-cs9-ds.xml. Two notes:
As reported on the oVirt users mailing list:
I tried with el8 & el9 oVirt Node 4.5.4 ISOs,
but in both cases, the installation failed when selecting the PCI-DSS security profile. Please see screenshots attached.
According to the 4.5.0 release notes this is a supported feature:
https://bugzilla.redhat.com/show_bug.cgi?id=2030226
As the RFE says that deployment works, I guess this is a regression somewhere between 4.5.0 & 4.5.4.
On the mailing list, @sandrobonazzola answered :