Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

remediation and verification for systemd services #10945

Open
rjschwei opened this issue Aug 2, 2023 · 0 comments
Open

remediation and verification for systemd services #10945

rjschwei opened this issue Aug 2, 2023 · 0 comments
Labels
enhancement General enhancements to the project. SLES SUSE Linux Enterprise Server product related.

Comments

@rjschwei
Copy link
Contributor

rjschwei commented Aug 2, 2023

Share the context

With cd7b4ab logrotate remediation and check was switched to rely on systemd in SLE. Meaning remediation runs systemctl enable and systemctl start and then the verification step runs systemd status. The rules for firewalld follow the same concept.

This creates a problem when applying remediation in a construct when systemd is not running. For example the building of cloud images in an offline fashion. While the remediation step works, i.e. systemctl enable will succeed the starting systemctl start and verification systemctl status will fail.

Of course in a system that is running and where a user runs remediation we want to have the service started and then checked that it is really running. Preferably we'd have things set up to satisfy both environments

Description of problem:

remediation fails partially and verification fails outright. The result is that we need to remove rules that we would like to have pre-applied in the images that we build.

Proposed change:

Have a change for rules that use systemd in a way that checks first if systemd is running could be simply pidof systemd if this returns something, i.e. systemd is running proceed with systemctl start during the remediation and then systemctl status during the verification step. If systemd is not running skip systemctl start during remediation and in the verification check that the proper symlinks were created.

References:
@rjschwei rjschwei added the enhancement General enhancements to the project. label Aug 2, 2023
rjschwei added a commit to rjschwei/content that referenced this issue Aug 2, 2023
@rjschwei
Remove rules that cannot be applied during image build
6e1ef14 
Public Cloud images are built in a context that is different from a running
system. For example systemd is not running. As such systemctl start and
systemctl status will fail, see issue ComplianceAsCode#10945 for details.

Remove firewalld rule outright; in the cloud other mechanisms exist for
handling connections to a running system and is generally the recommendation
not to run a firewall in the instance

Comment out the logrotate rule, we'd like to re-enable this after ComplianceAsCode#10945 is
addressed

Comment out pam due to the way bash behaves. Requires a separate PR to address
the bash issue. No issue filed yet.
@rjschwei rjschwei mentioned this issue Aug 2, 2023
Merged
@marcusburghardt marcusburghardt added the SLES SUSE Linux Enterprise Server product related. label Aug 3, 2023
@jgleissner jgleissner mentioned this issue Aug 9, 2023
Open
@rjschwei rjschwei mentioned this issue Aug 15, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement General enhancements to the project. SLES SUSE Linux Enterprise Server product related.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rjschwei @marcusburghardt