OCP4 cis-node profile is broken due to openvswitch change #6913

Closed
JAORMX opened this issue Apr 29, 2021 · 0 comments · Fixed by #6914

JAORMX commented Apr 29, 2021

Description of problem:

The e2e job e2e-aws-ocp4-cis-node is failing as of recently due to a recent change in openvswitch.

The logs look as follows:

```
INFO[2021-04-28T17:57:41Z]     helpers.go:695: Result - Name: e2e-cis-node-worker-file-groupowner-ovs-pid - Status: FAIL - Severity: medium
INFO[2021-04-28T17:57:41Z]     helpers.go:698: E2E-FAILURE: The expected result for the file_groupowner_ovs_pid rule didn't match. Expected 'PASS', Got 'FAIL'
INFO[2021-04-28T17:57:41Z]     helpers.go:695: Result - Name: e2e-cis-node-worker-file-groupowner-ovs-sys-id-conf - Status: PASS - Severity: medium
INFO[2021-04-28T17:57:41Z]     helpers.go:760: Rule file_groupowner_ovs_sys_id_conf matched expected result
INFO[2021-04-28T17:57:41Z]     helpers.go:695: Result - Name: e2e-cis-node-worker-file-groupowner-ovs-vswitchd-pid - Status: FAIL - Severity: medium
INFO[2021-04-28T17:57:41Z]     helpers.go:698: E2E-FAILURE: The expected result for the file_groupowner_ovs_vswitchd_pid rule didn't match. Expected 'PASS', Got 'FAIL'
INFO[2021-04-28T17:57:41Z]     helpers.go:695: Result - Name: e2e-cis-node-worker-file-groupowner-ovsdb-server-pid - Status: FAIL - Severity: medium
INFO[2021-04-28T17:57:41Z]     helpers.go:698: E2E-FAILURE: The expected result for the file_groupowner_ovsdb_server_pid rule didn't match. Expected 'PASS', Got 'FAIL'
```

The rules expected the group to be openvswitch (of id 800), and a recent change in the openvswitch version shipped in RHCOS4 (based on RHEL 8.4) changed those pid files to be owned by the group hugetlbfs (id 801).

The content should be updated to reflect this.

JAORMX self-assigned this Apr 29, 2021

JAORMX added the OpenShift (OpenShift product related) label Apr 29, 2021

JAORMX added a commit to JAORMX/content that referenced this issue Apr 29, 2021:

In a more recent version of Open vSwitch, the process pid files changed
ownership from "openvswitch" to "hugetlbfs". OCP 4.6 will stay in an
older version of OvS, so to keep this working with newer versions (e.g.
the one included in OCP 4.8), this fixes the content to check for both
groups. This way the content keeps being valid across releases.

Closes ComplianceAsCode#6913

Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>
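
The approach the commit message describes (accepting either group), as an added example that is not part of the issue or of the ComplianceAsCode content: a Python check that passes when a file's numeric group owner is in an accepted set. GIDs 800 and 801 come from the issue; the function names, the `NOTCHECKED` result for a missing file, and the sample node data keyed by rule name are assumptions constructed for illustration.

```python
import os

# GIDs as stated in the issue: openvswitch = 800, hugetlbfs = 801.
OPENVSWITCH_GID = 800
HUGETLBFS_GID = 801
ORIGINAL_ACCEPTED = frozenset({OPENVSWITCH_GID})               # rule before the fix
FIXED_ACCEPTED = frozenset({OPENVSWITCH_GID, HUGETLBFS_GID})   # rule after the fix


def file_gid(path):
    """Return the numeric group owner of path, or None if it does not exist."""
    try:
        return os.stat(path).st_gid
    except FileNotFoundError:
        return None


def check_group_owner(path, accepted_gids, gid_lookup=file_gid):
    """Return PASS if the file's GID is in accepted_gids, FAIL otherwise.

    A missing file yields NOTCHECKED (an assumption of this example).
    """
    gid = gid_lookup(path)
    if gid is None:
        return "NOTCHECKED"
    return "PASS" if gid in accepted_gids else "FAIL"


def scan(paths, accepted_gids, gid_lookup=file_gid):
    """Evaluate every path and return {path: result}."""
    return {p: check_group_owner(p, accepted_gids, gid_lookup) for p in paths}


# Constructed sample data: GID per pid file, keyed by the rule names in the log.
OLDER_OVS_NODE = {"ovs_pid": 800, "ovs_vswitchd_pid": 800, "ovsdb_server_pid": 800}
NEWER_OVS_NODE = {"ovs_pid": 801, "ovs_vswitchd_pid": 801, "ovsdb_server_pid": 801}

if __name__ == "__main__":
    for label, node in (("older OvS", OLDER_OVS_NODE), ("newer OvS", NEWER_OVS_NODE)):
        for name, accepted in (("original", ORIGINAL_ACCEPTED), ("fixed", FIXED_ACCEPTED)):
            # node.get stands in for os.stat so the sample runs without real pid files.
            print(label, name, scan(node, accepted, gid_lookup=node.get))
```

The accepted set is widened to exactly two GIDs, so a pid file owned by any other group (for example GID 0) still fails.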