Description of problem:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Some technical background behind the rebase:
Currently, in RHEL6 there is openscap-1.0.x version. Which is our family
gold certified on rhel5. The rebase to openscap-1.2.x gets us multiple new features, for example the latest OVAL 5.11.1 implementation. Engineering is quite confident with the rebase, as we have shipped 1.2.x in RHEL-7 and also in RHEL-6 through Satellite client tools channel. Further, our internal test suite and community of upstream users are consuming 1.2.x for almost year now.
I'll try to list the new features relevant to rhel6:
* OVAL-5.11 and OVAL-5.11.1 support
* introduced oscap-ssh -- handy utility to run remote scan over ssh
* introduced oscap-vm -- handy utility to run scan of cold virtal system
* native bzip2 support (you can use file.xml.bz2 instead of unbzipping before)
* minimized use of temp files, most of the operations complete from memory and redesign of DataStream processing
* awful lot of smaller bugfixes
Full list of changes can be reviewed at https://github.com/OpenSCAP/openscap/blob/69d29ad1d9408721cb979c2588134e4216656be1/NEWS#L1-L149
With regards to the the test plan:
(1) I feel we have done good job with creating upstream tests for the majority of bugfixes and OVAL-5.11.x work. So, the upstream test suite (make check) should pass on the update.
(2) The new tools (oscap-ssh and oscap-vm) are not tested upstream (as they require a lot of set-up). If QA had cycles to create automation for oscap-ssh and oscap-vm tools it would highly appreciated.
(3) The new HTML report/guide is already heavily consumed through Satellite 6 interface by customers, however afraid that no automation exists. It may be challenging to create automation for interactive HTML page. But if QA selects to do this exercise, they will be highly regarded.
Let me know, if you have any specific questions.
I have found two issues with the current build:
mandatory test_passing_vars.sh not present in the upstream testsuite, and it fails
guestunmount command that is utilized by the oscap-vm script is not available on rhel6.8 for now. Maybe "fusermount -u" could be used for unmount, as mentioned in guestmount man page?
this is tracked separately: https://bugzilla.redhat.com/show_bug.cgi?id=1300716
Upstream fix for first issue is here: https://github.com/OpenSCAP/openscap/commit/461ba59368551c74c29c74e5c9755333eae21990
Thank You Marek for pointing out these issues.
I have included your patches wrt oscap-vm in openscap-1.2.8-2.el6. Thank You!
However, I would like to leave the testsuite issue unresolved. Here is my reasoning.
* The bug is in the test suite not in the code
* The bug represents itself only in certain configuration (make distcheck with --enable-sce).
* The test suite is not being shipped to the customers
* The fix is not easy to backport. The problem is when patching Makefile.am, the timestamp of the file changes and makes whole autotools to regenerate stuff from scratch. But such build process will fail because of different hardcode automake versions. (just try it ;-)). The best option is to create a patch that removes all the Makefile.in config.h.in files.
Let me know how do you feel about this.
I needed more time for analysis.
I am not sure we are on the same page here [my Makefile-related knowledge is limited to say the least]. Testsuite is shipped in src.rpm, and that is available to our customers. And --enable-sce is part of our spec file configuration, thus I understand is as "our preferred".
And to the fix - I did it manually for now, and I only added these missing files from github repository:
and fixed starred files, where shebang of the upstream is #!/usr/bin/bash. I would suggest to change that to /usr/bin/env bash ;)
Afterwards, whole test pack passed successfully. I would really appreciate if we could fix it, even though it is not a strict necessity :)
As make check is not mandatory to work out-of-the-box [workaroundable as described in Comment 10] for release, I confirm that version openscap-1.2.8-2.el6 contains features noted by Simon in Comment 4, plus fix for oscap-vm as requested in Comment 6.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.