Enable the RHEL9 prodtype for rules that are expected to work the same on that system #6890
Skipping CI for Draft Pull Request. |
@matejak Are you building a RHEL-9 profile and adding the rules to that or do you work the other way (add prodtype to rules and then collect relevant rules into a profile)? I have a utility I use to parse a profile (mentioned on #6889) that then automatically adds the prodtype to all rules mentioned in the profile --- I could look into upstreaming it if it'd be useful. |
Right now, we proceed by components - whenever we think a component is RHEL9-ready, we flip its rules to be applicable. As more rules get enabled, we will go in the opposite direction as well - making sure that a profile is rule-complete. |
Cool, thanks @matejak :) Always interested to see how different people use it :) |
The Jenkins CI and other CIs don't build the RHEL 9 content. When I build it locally (./build_product rhel9) I get this error:
|
(Just to follow up, #6906 was the utility I mentioned above). |
The only significant change in this component's behavior is no need for the NO_SHA1 module any more.
The syntax we use in our rules is getting rusty, but it is still valid.
The level of RPM that we interact with is stable.
The component maintainers have reported that there are no breaking changes.
The component maintainers have reported that there are no breaking changes.
The component maintainers have reported that there are no breaking changes in the audit configuration.
The interface for handling keys or configuring gpgcheck remains the same. RHEL9 just doesn't have a gpg key metadata at this time.
File permission rules are generally backward-compatible.
Mount options are generally compatible.
Those rules are generally safe to enable, as they don't cause problems. The rule for the pigz package has not been enabled for RHEL9 because it is not needed, but the rest of RHEL8 package removed rules were ported.
While it is difficult to know what packages will land in RHEL9 at this moment, it is very likely that packages related to this PR will be shipped, because they are a stable long-term part of the RHEL ecosystem.
I have added more rules from wider areas, and it should build reliably. |
/retest AWS infra issue |
@matejak: The following test failed, say |
It builds the rhel9 content now. |
The utils/mod_prodtype.py has been used to insert the RHEL9 prodtype, and it reorders the list by the lexicographical order. Individual commits contain additional information regarding why a set of rules got enabled.