New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improving check-profile #773
Conversation
2a4bab5
to
6c6d413
Compare
8e86b3b
to
ebdd55d
Compare
ebdd55d
to
97ee8d1
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks (almost) good. Just a comment about the option description.
4e832d2
to
979ef7b
Compare
❌ Internal Jenkins job #111 failed |
✔️ Public Jenkins job #197 successfully finished |
The user facing documentation is at https://documentation.suse.com/sles/15-SP3/single-html/SLES-autoyast/#check-profile |
My plan is to extend the doc-sle section Checking a control file (source)
But now while testing it on SP3 I have found that (2.) is currently pointless as it never works without /usr/sbin/yast autoyast check-profile filename=/vagrant/opensuse_minimal.xml output=check-profile-output.xml |
Problem
A new check-profile command was recently added. This command is intended to check an AutoYaST profile without applying changes to the system. Generally, such a check could be done without root permissions, but there are some situations where root permissions are required:
Running scripts/ERB code as root could lead to security problems, see:
Solution
It is difficult (or almost impossible) to know in advance if the command will require root access. The only way to ensure that the check will no fail because the permissions would be:
It was agreed with security team to go with the following solution:
Testing