RHCOS4: Updated rule for rhel9 based RHCOS #10343
Conversation
Vincent056
force-pushed
the
rhcos4-rhel9
branch
2 times, most recently
from
f5d6aea to
3ee1cfc
Compare
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_logrotate_activated'.
--- xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
+++ xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
@@ -5,7 +5,7 @@
[description]:
The logrotate utility allows for the automatic rotation of
log files. The frequency of rotation is specified in /etc/logrotate.conf,
-which triggers a cron task. To configure logrotate to run daily, add or correct
+which triggers a cron task or a timer. To configure logrotate to run daily, add or correct
the following line in /etc/logrotate.conf:
# rotate log files frequency
daily
OVAL for rule 'xccdf_org.ssgproject.content_rule_ensure_logrotate_activated' differs.
--- oval:ssg-ensure_logrotate_activated:def:1
+++ oval:ssg-ensure_logrotate_activated:def:1
@@ -1,4 +1,6 @@
criteria AND
criterion oval:ssg-test_logrotate_conf_daily_setting:tst:1
criterion oval:ssg-test_logrotate_conf_no_other_keyword:tst:1
+criteria OR
criterion oval:ssg-test_cron_daily_logrotate_existence:tst:1
+extend_definition oval:ssg-timer_logrotate_enabled:def:1 |
Vincent056
force-pushed
the
rhcos4-rhel9
branch
3 times, most recently
from
57880b9 to
8ca6e26
Compare
| test_ref="test_cron_daily_logrotate_existence" /> | ||
| <criteria comment="Check if either logrotate timer or cron job is eneabled" operator="OR"> | ||
| <criterion comment="Check if /etc/cron.daily/logrotate file exists (and calls logrotate)" test_ref="test_cron_daily_logrotate_existence" /> | ||
| <extend_definition comment="check kubeletconfig master" definition_ref="timer_logrotate_enabled" /> |
| @@ -8,8 +8,10 @@ | |||
| test_ref="test_logrotate_conf_daily_setting" /> | |||
| <criterion comment="check that there is no weekly/monthly/yearly keyword in logrotate.conf" | |||
| test_ref="test_logrotate_conf_no_other_keyword" /> | |||
| <criterion comment="Check if /etc/cron.daily/logrotate file exists (and calls logrotate)" | |||
| test_ref="test_cron_daily_logrotate_existence" /> | |||
| <criteria comment="Check if either logrotate timer or cron job is eneabled" operator="OR"> | |||
| @@ -0,0 +1,38 @@ | |||
| documentation_complete: true | |||
|
|
|||
| title: 'Ensure logrotate is Installed' | |||
There was a problem hiding this comment.
It's needed by timer enabled template
|
/retest |
1 similar comment
|
/retest |
We recently have Compliance Operator to build latest image using master branch, this PR change the CatalogSource image reference to that image.
|
/retest |
Vincent056
force-pushed
the
rhcos4-rhel9
branch
from
8ca6e26 to
e3259cb
Compare
Vincent056
force-pushed
the
rhcos4-rhel9
branch
from
e3259cb to
3d869aa
Compare
|
/test e2e-aws-rhcos4-high |
|
/test e2e-aws-ocp4-high-node |
|
/test e2e-aws-ocp4-high |
|
/test e2e-aws-rhcos4-high |
I think I need to fix the CPE, probably have some issues with the regex matching, the other fix has worked. |
Vincent056
force-pushed
the
rhcos4-rhel9
branch
from
3d869aa to
19f1291
Compare
|
/test e2e-aws-rhcos4-high |
1 similar comment
|
/test e2e-aws-rhcos4-high |
|
/test e2e-aws-rhcos4-high |
Vincent056
force-pushed
the
rhcos4-rhel9
branch
from
19f1291 to
324d127
Compare
|
/test e2e-aws-rhcos4-high |
|
@Vincent056: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/test e2e-aws-rhcos4-high |
Vincent056
force-pushed
the
rhcos4-rhel9
branch
3 times, most recently
from
aa07865 to
2bd6cfb
Compare
|
/test e2e-aws-rhcos4-high |
Added a new CPE for rhel9 rhcos, disabled iptables rule for rhel9-rhcos4, iptables is being replaced by iptables-nft. Added a new rule to detect if iptables-nft is being installed.
Vincent056
force-pushed
the
rhcos4-rhel9
branch
from
2bd6cfb to
f723e01
Compare
|
/test e2e-aws-rhcos4-high |
|
Changed expected e2e test result. |
|
Code Climate has analyzed commit f723e01 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 51.8% (0.0% change). View more on Code Climate. |
|
Actually, let's hold the merge, the automatus failures look related... |
|
@Vincent056 it looks like we can ignore this error: but what about this one? |
systemd is not working in the fedora container, should we just remove this test? The e2e has passed, so the timer detection is working as expected. |
|
I do not know why I missed this. Thank you. |
This is needed since ComplianceAsCode#10343 added test for the logrotate timer
This is needed since ComplianceAsCode#10343 added test for the logrotate timer
Description:
Added a new CPE for RHEL9 RHCOS, disabled
iptablesrule for rhel9-rhcos4, and added a new rule to detect ifiptables-nftis being installed.Fix rule
ensure_logrotate_activated.Rationale:
iptablesis being replaced byiptables-nftin RHEL9 based RHCOS.The newer logrotate use systemd timer instead of cron.