
Introduce 'environment' header key to SCE checks #12734

Merged
merged 6 commits into from
Jan 7, 2025

Conversation

jan-cerny
Collaborator

@jan-cerny jan-cerny commented Dec 17, 2024

This adds a new mechanism that allows content authors to control the execution of SCE checks depending on environment. They can use the environment key to disable running their SCE check during a build of a bootable container image, or, on the contrary, disable running the SCE check outside of the bootable container image build environment.

We need to distinguish generic SCE checks from SCE checks that are meant to be executed only during the "podman build" phase of the bootable containers. We need to have a way to specify that some code is special for this environment. This way, we will prevent using SCE checks that require DBUS or other special SCE checks. Also, it will prevent using SCE checks that are designed only for the bootable containers to be executed in other situations.

Update: The detection is performed by the bash code in SCE directly. It doesn't depend on environment variables anymore.
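To make the mechanism concrete, here is an added illustration of what a build step driven by such a header could look like: it reads an `environment` value from the check's header comments and emits the check body wrapped in an `if` guard. This is not the project's build code; the `# environment = X` comment syntax, the value name `not-bootc`, the `BOOTC_DETECT` heuristic and the use of `$XCCDF_RESULT_NOT_APPLICABLE` for skipped checks are all assumptions of this example.

```bash
#!/bin/bash
# Hypothetical illustration of the PR's 'environment' header, not the
# project's build code. Assumptions: the header is a '# environment = X'
# comment line, 'any' and 'bootc' are the only values named on the page
# ('not-bootc' is an assumed name), and BOOTC_DETECT is a placeholder for
# whatever direct check the real build emits.
BOOTC_DETECT='[ -f /run/.containerenv ] && [ -d /usr/lib/bootc ]'

# Read the 'environment' header value from check text; default is 'any'.
sce_environment() {
    local value
    value=$(printf '%s\n' "$1" \
        | sed -n 's/^#[[:space:]]*environment[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | head -n1)
    printf '%s\n' "${value:-any}"
}

# Emit the check wrapped in a guard so it runs only in the environment its
# header names; when skipped it exits with the SCE 'not applicable' result.
wrap_sce_check() {
    local check=$1 env shebang body guard
    env=$(sce_environment "$check")
    # Keep the interpreter line outside the guard and drop the header line.
    shebang=$(printf '%s\n' "$check" | head -n1)
    case "$shebang" in
        '#!'*) check=$(printf '%s\n' "$check" | tail -n +2) ;;
        *)     shebang='' ;;
    esac
    body=$(printf '%s\n' "$check" | sed '/^#[[:space:]]*environment[[:space:]]*=/d')
    case "$env" in
        any)       guard='' ;;
        bootc)     guard="if $BOOTC_DETECT; then" ;;
        not-bootc) guard="if ! { $BOOTC_DETECT; }; then" ;;
        *) printf 'unknown environment "%s"\n' "$env" >&2; return 1 ;;
    esac
    [ -n "$shebang" ] && printf '%s\n' "$shebang"
    if [ -z "$guard" ]; then
        printf '%s\n' "$body"
    else
        printf '%s\n%s\nelse\n    exit "$XCCDF_RESULT_NOT_APPLICABLE"\nfi\n' "$guard" "$body"
    fi
}

# Constructed sample check (not from the project) for a stand-alone run.
SAMPLE_CHECK='#!/bin/bash
# environment = bootc
grep -q "^PermitRootLogin no" /etc/ssh/sshd_config && exit "$XCCDF_RESULT_PASS"
exit "$XCCDF_RESULT_FAIL"'
wrap_sce_check "$SAMPLE_CHECK"
```

A check with no header (or `environment = any`) is emitted unchanged, which matches the PR's point that the default does not alter existing content.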

@jan-cerny jan-cerny added Infrastructure Our content build system Image Mode Bootable containers and Image Mode RHEL labels Dec 17, 2024
@jan-cerny jan-cerny added this to the 0.1.76 milestone Dec 17, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Dec 17, 2024

openshift-ci bot commented Dec 17, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


This adds a new mechanism that allow content authors to control
the execution of SCE checks depending on environment. They can
use the `environment` key to disable running their SCE check during a build
of a bootable container image, or on contrary, disable running the
SCE check outside of the bootable container image build environment.

We need to distinguish generic SCE checks from SCE checks that are meant
to be executed only during the "podman build" phase of the bootable
containers. We need to have a way to specify that some code is special
for this environment. This way, we will prevent using SCE checks that
require DBUS or other special SCE checks. Also, it will prevent using
SCE checks that are designed only for the bootable containers to be
executed in other scenarios.

This change depends on this OpenSCAP PR:
OpenSCAP/openscap#2189

Extracts code to separate functions. Reduces code complexity
and addresses Code Climate problem.

Do not depend on setting the environment variable OSCAP_BOOTC_BUILD
by oscap. Instead, detect the bootable container build process by
a direct check in SCE script code.

Change the default value of the `environment` header to `any`.
Using `any` does not modify the built content therefore this PR
won't modify the existing SCE checks unless we add the `environment`
header explicitly.

codeclimate bot commented Jan 3, 2025

Code Climate has analyzed commit b0be6f8 and detected 2 issues on this pull request.

Here's the issue category breakdown:

Category Count
Duplication 2

The test coverage on the diff in this pull request is 68.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.6% (0.0% change).

View more on Code Climate.

@jan-cerny jan-cerny marked this pull request as ready for review January 3, 2025 12:22
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jan 3, 2025
@jan-cerny
Collaborator Author

The Code Climate failure is a false positive - the reported duplicates aren't duplicates.

@matusmarhefka matusmarhefka self-assigned this Jan 7, 2025
@matusmarhefka
Member

I verified that the built SCE checks are properly wrapped into an if condition based on the environment metadata, and I also tested that `environment = bootc` SCE checks work correctly at bootable CS9 container build time.

@matusmarhefka matusmarhefka merged commit 025fba1 into ComplianceAsCode:master Jan 7, 2025
104 of 105 checks passed