The oscap remediation is failing due to an issue with remediating the
firewall loopback traffic. The remediation fails and bails out early
resulting in a lower score and causing a regression in the test. This
will need to be fixed on the OpenSCAP side, so as a workaround, we can
remove this rule from the remediation.

Test logs print:
[2023-08-22T10:18:14-04:00] 💿 Install image via installer(ISO) on VM
WARNING --os-type is deprecated and does nothing. Please stop using it.

We were using greenprint for failures, which makes it hard to quickly
find where the tests failed. This switches errors to use redprint, and
adds it to places that were simply using echo before doing an exit 1.

- not used in oscap.sh test at all
- causes VM in libvirt.sh test to acquire a different IP address instead
  of the hard-coded one inside the test, which causes SSH to fail
- not used anywhere else

Since we're sharing functions between test scripts, move greenprint(),
the most rewritten function in the history of the project, to
shared_lib.sh and source it everywhere.

- Handle the array responses from the new weldr-client (>= 35.6).
- Move the `get_build_info` function to shared_libs.sh to source and
  reuse in multiple places.

Some scripts skip the test if it's not supported for that
distro-version. Disable them in gitlab-ci.yml so we don't waste CI
resources.
To disable them, we are using the `rules` on each job with a regex
pattern. Using `=~` (pattern matches) as a WHITELIST and `!~` (pattern
does not match) as a BLACKLIST.
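
The `rules` pattern described in the commit message above, as an added illustration that is not taken from the project's gitlab-ci.yml. The job names, script paths, regex patterns and the `DISTRO_VERSION` variable are assumptions made for the example.

```yaml
# Added example: hypothetical jobs, hypothetical DISTRO_VERSION variable
# (assumed to be defined for the pipeline, e.g. "rhel-9", "fedora-38").

oscap-test:
  stage: test
  script:
    - ./oscap.sh
  rules:
    # `=~` (pattern matches): the job is created only for the listed
    # distro versions; every other value gets no job at all.
    - if: '$DISTRO_VERSION =~ /^(rhel-9|centos-stream-9)/'

libvirt-test:
  stage: test
  script:
    - ./libvirt.sh
  rules:
    # `!~` (pattern does not match): the job is created for every
    # distro version except the ones the pattern names.
    - if: '$DISTRO_VERSION !~ /^fedora-/'
```

When no rule in a job's `rules` list matches, GitLab does not add the job to the pipeline, so no runner is started just to have the script skip itself.
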
Since the oscap remediation stage in osbuild runs
the oscap package in `chroot`, it is necessary to
install the `openscap-scanner` package to the image
itself rather than the build root.

Add integration tests for oscap customizations.
This tests only the most basic case of oscap remediation.
Mountpoints and additional packages are not added since
this varies between distros and OpenSCAP profiles,
i.e. additional blueprint customizations would need
to be specified for each oscap profile to ensure
best results.