PROBLEM: We are using osbuild collection to generate edge-commit repositories (rpm-ostree). We must be FIPS compliant. A recent version of openssl was released into RHEL 8.10 that is not FIPS validated. We would like to add the openssl package to the builder_compose_pkgs variable with a specific version to use. This is supported by the blueprint specification. However, the infra.osbuild.create_blueprint Ansible module forces all packages to use version "*", which I believe represents the latest version. Thus we cannot lock in the version of a package when using infra.osbuild.
The Python code in question is lines 174 - 177 of infra.osbuild/plugins/modules/create_blueprint.py:

```python
    if module.params["packages"]:
        toml_data["packages"]: list = []
        for package in module.params["packages"]:
            toml_data["packages"].append({"name": f"{package}", "version": "*"})
```
Notice, when the blueprint is written, it is using a version of "*", which I believe is translated to latest. The Ansible variable in question is builder_compose_pkgs, which is a YAML/JSON list of package names.

```yaml
builder_compose_pkgs:
  - "openssl"
```
If this variable were reworked to be a list of dictionaries like so:
```yaml
builder_compose_pkgs:
  - name: "openssl"
    version: "1.1.1k-12"
```

and the above Python referenced the new format, it could insert the version into the blueprint easily.
Another angle to approach the issue from would be: Is 8.10 FIPS validated? If not, what is the latest version of RHEL 8 that is validated, and create new images from that particular version.
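
The change requested above, sketched as an added example (not code from infra.osbuild): it accepts both the current list of names and the proposed list of name/version dictionaries, and reports packages that must be pinned but are not. The function names `build_package_entries` and `unpinned` are hypothetical.

```python
def build_package_entries(packages):
    """Build blueprint package entries from builder_compose_pkgs.

    Accepts plain names (current format, version "*") and
    {"name": ..., "version": ...} dicts (format proposed in the issue).
    """
    entries = []
    for item in packages or []:
        if isinstance(item, str):
            name, version = item, "*"
        elif isinstance(item, dict):
            name = item.get("name")
            version = item.get("version", "*")
        else:
            raise TypeError(f"unsupported package entry: {item!r}")
        if not isinstance(name, str) or not name.strip():
            raise ValueError(f"package entry has no name: {item!r}")
        # Unquoted YAML such as `version: 8.10` is loaded as the float 8.1,
        # which would silently pin a different version, so require a string.
        if not isinstance(version, str) or not version.strip():
            raise TypeError(f"version for {name} must be a quoted string")
        entries.append({"name": name.strip(), "version": version.strip()})
    return entries


def unpinned(entries, must_pin):
    """Return names from must_pin that are absent or still use a glob."""
    versions = {e["name"]: e["version"] for e in entries}
    return [n for n in must_pin if "*" in versions.get(n, "*")]


if __name__ == "__main__":
    # Constructed input mixing both formats; the version is the one in the issue.
    pkgs = ["tmux", {"name": "openssl", "version": "1.1.1k-12"}]
    entries = build_package_entries(pkgs)
    print(entries)
    print("not pinned:", unpinned(entries, ["openssl"]))
```

Calling `unpinned` before the blueprint is written lets a playbook fail the build when a package that must stay on a validated version would otherwise float to latest.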
Request has come from an AAP customer.
Notes from Jason Dickerson: