With cd7b4ab, the logrotate remediation and check were switched to rely on systemd in SLE, meaning the remediation runs systemctl enable and systemctl start, and then the verification step runs systemctl status. The rules for firewalld follow the same concept.
This creates a problem when applying remediation in a context where systemd is not running, for example when building cloud images offline. While the remediation step works, i.e. systemctl enable succeeds, the start step systemctl start and the verification systemctl status will fail.
Of course, on a running system where a user runs the remediation, we want the service started and then checked that it is really running. Preferably we'd have things set up to satisfy both environments.
Description of problem:
Remediation fails partially and verification fails outright. The result is that we need to remove rules that we would like to have pre-applied in the images we build.
Proposed change:
Have the rules that use systemd check first whether systemd is running (this could simply be pidof systemd). If this returns something, i.e. systemd is running, proceed with systemctl start during the remediation and then systemctl status during the verification step. If systemd is not running, skip systemctl start during remediation and, in the verification, check that the proper symlinks were created.
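The proposal above, as an added shell example that is not ComplianceAsCode's own remediation or check content: the start and the live check are only attempted when systemd is the running init, otherwise the check inspects the symlink that systemctl enable creates. It assumes a SYSTEMD_ROOT prefix (empty on a live system, the image root during a build), a SYSTEMD_RUNNING_OVERRIDE variable for build scripts, and uses systemctl is-active for the live check.

```shell
#!/bin/sh
# Added example, not code from ComplianceAsCode. Remediation and check for a
# systemd unit that fall back to symlink inspection when systemd is not running.
# Assumptions: SYSTEMD_ROOT prefixes the filesystem (empty on a live system,
# the image root during an offline build); SYSTEMD_RUNNING_OVERRIDE=yes|no
# lets a build script force the decision instead of probing with pidof.

# True when systemd is the running init (pidof systemd, as the issue suggests).
systemd_running() {
    case "${SYSTEMD_RUNNING_OVERRIDE:-}" in
        yes) return 0 ;;
        no)  return 1 ;;
    esac
    pidof systemd >/dev/null 2>&1
}

# Path of the symlink that "systemctl enable <unit>" drops into <target>.wants/.
wants_link() {
    printf '%s/etc/systemd/system/%s.wants/%s\n' "${SYSTEMD_ROOT:-}" "$2" "$1"
}

# Remediation: always enable; start only when a systemd instance can act on it.
remediate_unit() {
    unit="$1"
    systemctl ${SYSTEMD_ROOT:+--root="$SYSTEMD_ROOT"} enable "$unit" || return 1
    if systemd_running; then
        systemctl start "$unit" || return 1
    fi
    return 0
}

# Check: on a live system ask systemd; offline, the enable symlink must exist
# and resolve to a real unit file (a dangling link means enable did not work).
# Usage: check_unit example.service multi-user.target
check_unit() {
    unit="$1"; target="${2:-multi-user.target}"
    if systemd_running; then
        systemctl is-active --quiet "$unit"
        return $?
    fi
    link=$(wants_link "$unit" "$target")
    [ -L "$link" ] && [ -e "$link" ]
}
```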
References:
Public Cloud images are built in a context that is different from a running
system. For example, systemd is not running. As such, systemctl start and
systemctl status will fail; see issue ComplianceAsCode#10945 for details.
Remove the firewalld rule outright; in the cloud other mechanisms exist for
handling connections to a running system, and it is generally the recommendation
not to run a firewall in the instance.
Comment out the logrotate rule; we'd like to re-enable this after ComplianceAsCode#10945 is
addressed.
Comment out pam due to the way bash behaves. Requires a separate PR to address
the bash issue. No issue filed yet.