Bug 1795193

Summary: [OCP v4.4] openscap-ocp container in the ComplianceScan pod terminates with an error code.
Product: OpenShift Container Platform
Reporter: Prashant Dhamdhere <pdhamdhe>
Component: Compliance Operator
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Prashant Dhamdhere <pdhamdhe>
Severity: medium
Docs Contact:
Priority: medium
Version: 4.4
CC: josorior, mrogers, nkinder
Target Milestone: ---
Keywords: UpcomingSprint
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: v0.1.9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-10-27 15:54:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Comment 4 Jakub Hrozek 2020-06-18 16:57:59 UTC
Hi Prashant,
I believe this bug can be closed as well. What you asked for was implemented in the sense that the ocp container does not return its status code directly, but there is some post-processing and unless there is a hard error, the error code from the scanner does not surface to the CRs:

  openscap-ocp:          
    Container ID:  cri-o://2a6ce49736b6d9feeedc89c8dc2527330d3f291de6bbfc4c5c85e3ccdd09762a                           
    Image:         quay.io/compliance-operator/openscap-ocp:1.3.3
    Image ID:      quay.io/compliance-operator/openscap-ocp@sha256:fdc69e5d492a70100f40836e21f36ccb984ac134572fb5af9823c0e8fc88e11b
    Port:          <none>                                  
    Host Port:     <none>                                                                                             
    Command:                                               
      /scripts/openscap-container-entrypoint                                                                          
    State:          Terminated     
      Reason:       Completed                                                                                         
      Exit Code:    0                                                                                                 
      Started:      Thu, 18 Jun 2020 18:50:36 +0200                                                                   
      Finished:     Thu, 18 Jun 2020 18:50:38 +0200        
    Ready:          False                                                                                             
    Restart Count:  0     
    Environment Variables from:                                                                                       
      workers-scan-openscap-env-map  ConfigMap  Optional: false
    Environment:                     <none>                                                                           
    Mounts:                                                
      /content from content-dir (ro)
      /host from host (ro)                                 
      /reports from report-dir (rw)
      /scripts from workers-scan-openscap-container-entrypoint (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from resultscollector-token-gvmfq (ro)

The above comes from a scan that ended as non-compliant.

Can you please confirm that this bug has been fixed?
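
Added illustration, not part of the comment above and not the Compliance Operator's own entrypoint script: one way a scanner wrapper can do the post-processing comment 4 describes, so that a non-compliant result is recorded without failing the container. It assumes the `oscap xccdf eval` exit-code convention (0 = all rules passed, 2 = at least one rule failed, anything else = error); the function name `run_scan`, the file names `exit_code`, `result` and `scan.log`, and the stand-in scanner commands are hypothetical.

```shell
#!/bin/sh
# Hypothetical wrapper (added example). Usage: run_scan REPORT_DIR CMD [ARGS...]
# Runs the scanner, records its raw exit code for a later collector step,
# and fails the container only on a hard scanner error.
run_scan() {
    report_dir=$1
    shift

    # Capture the scanner's exit code without letting errexit abort the wrapper.
    scan_rc=0
    "$@" >"$report_dir/scan.log" 2>&1 || scan_rc=$?

    # Keep the raw code so the outcome is not lost when the container exits 0.
    printf '%s\n' "$scan_rc" >"$report_dir/exit_code"

    case "$scan_rc" in
        0) result=COMPLIANT ;;
        2) result=NON-COMPLIANT ;;   # a finding, not a container failure
        *) result=ERROR ;;           # the scanner itself failed
    esac
    printf '%s\n' "$result" >"$report_dir/result"

    if [ "$result" = ERROR ]; then
        return 1
    fi
    return 0
}

# Constructed demo: "sh -c 'exit N'" stands in for the real scanner.
demo_dir=$(mktemp -d)
for code in 0 2 1; do
    container_rc=0
    run_scan "$demo_dir" sh -c "exit $code" || container_rc=$?
    echo "scanner=$code container=$container_rc result=$(cat "$demo_dir/result")"
done
rm -rf "$demo_dir"
```

With this pattern the pod status alone cannot distinguish a compliant scan from a non-compliant one, so anything consuming results has to read the recorded outcome rather than the container exit code.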

Comment 5 Prashant Dhamdhere 2020-06-23 10:01:40 UTC
Hi Jakub,

Yes, the issue has been fixed and we are getting the expected state and exit code, along with the reason, for the openscap-ocp container.


$ oc describe pod openscap-pod-2573cdb4be5ecbfda94f765f4365559b8451ba93 |grep -A 10 "openscap-ocp"
  openscap-ocp:
    Container ID:  cri-o://2a062992dc61738499adeddc0d628aae93ec874e4f2ad73d23b637dab7510347
    Image:         quay.io/compliance-operator/openscap-ocp:1.3.3
    Image ID:      quay.io/compliance-operator/openscap-ocp@sha256:fdc69e5d492a70100f40836e21f36ccb984ac134572fb5af9823c0e8fc88e11b
    Port:          <none>
    Host Port:     <none>
    Command:
      /scripts/openscap-container-entrypoint
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Tue, 23 Jun 2020 15:06:06 +0530
      Finished:     Tue, 23 Jun 2020 15:08:07 +0530
    Ready:          False

Comment 6 Prashant Dhamdhere 2020-07-09 13:27:58 UTC
openscap-ocp container state looks good now

Also verified on: 4.6.0-0.nightly-2020-07-07-233934

$ oc describe pod workers-scan-ip-10-0-75-245.us-east-2.compute.internal-pod |grep -A 10 "openscap-ocp"
  openscap-ocp:
    Container ID:  cri-o://1f043e3cc5e9abd35ec4ef99e67f4b194e9b78b58ecff4c55170a5a4c841a8f6
    Image:         quay.io/compliance-operator/openscap-ocp:1.3.3
    Image ID:      quay.io/compliance-operator/openscap-ocp@sha256:fdc69e5d492a70100f40836e21f36ccb984ac134572fb5af9823c0e8fc88e11b
    Port:          <none>
    Host Port:     <none>
    Command:
      /scripts/openscap-container-entrypoint
    State:          Terminated
      Reason:       Completed  <<------
      Exit Code:    0       <<------
      Started:      Thu, 09 Jul 2020 18:50:28 +0530
      Finished:     Thu, 09 Jul 2020 18:52:04 +0530
    Ready:          False

Comment 9 errata-xmlrpc 2020-10-27 15:54:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196