Bug 1537540

Summary: Review procedure to create Puppet environment for OpenSCAP
Product: Red Hat Satellite Reporter: Stephen Wadeley <swadeley>
Component: Docs Install GuideAssignee: Sergei Petrosian <spetrosi>
Status: CLOSED CURRENTRELEASE QA Contact: Stephen Wadeley <swadeley>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.3.0CC: adahms, ehelms, mhulan, oprazak
Target Milestone: Unspecified   
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-15 13:07:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
yum install puppet-foreman_scap_client none

Description Stephen Wadeley 2018-01-23 13:32:24 UTC 
Document URL: 

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html/host_configuration_guide/ch05s02#sect-Red_Hat_Satellite-Host_Configuration_Guide-Security_Compliance_Management_with_OpenSCAP-Installation-Importing_OpenSCAP_Puppet_Modules

Section Number and Name: 

Procedure 5.3. Import OpenSCAP Puppet Modules

Describe the issue: 

I hit the error described here:
https://bugzilla.redhat.com/show_bug.cgi?id=1478403#c6

The navigation steps also need updating. I noticed this needs changing:

s/Click Import, then Import from satellite.example.com./Click Import from satellite.example.com./

Suggestions for improvement: 

We can add the step "chown apache /etc/puppet/environments/production/modules

But lets first confirm if the directory should also be owned by apache. and if the sticky git should be set to ensure new subdirectories are owned correctly.

I think this would do it:

chmod u+s /etc/puppet/environments/ 

Additional information: 

I think Sergei is correct, there is an engineering issue here too.
Comment 1 Eric Helms 2018-01-25 01:01:31 UTC 
Marek,

Do you mind commenting here on the use of the OpenSCAP puppet module?
Comment 2 Andrew Dahms 2018-02-21 13:24:28 UTC 
Assigning to Sergei for review.
Comment 3 Marek Hulan 2018-03-06 07:13:33 UTC 
OpenSCAP puppet module should be installed in shared directory, that means that all puppet environments will automatically include it. With puppet 3, it used to be /usr/share/puppet/modules/

Therefore any puppet enviornment that is imported from puppet master should list OpenSCAP module automatically. There's no need to create a new one.

IMHO 5.2.3. Step 1. is misleading and should not be needed at all. production environment was always created by default installation (againt at least with puppet 3). Step 2. is also misleading, since as I said, the foreman_scap_module should be present in any environment without any extra action as long as you have puppet-foreman_scap_client installed. That was not installed by default in 6.2 IIRC but in 6.3 it should be.
Comment 7 Ondřej Pražák 2018-03-12 11:57:43 UTC 
Created attachment 1407158 [details]
yum install puppet-foreman_scap_client
Comment 14 Sergei Petrosian 2018-03-15 13:07:58 UTC 
These changes are now live on the customer portal:

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.3/html/administering_red_hat_satellite/chap-red_hat_satellite-administering_red_hat_satellite-security_compliance_management#configuring_scap_content

Thank you