The `org.osbuild.oscap.remediation` stage must pass `contaner` environment variable in a special way about osbuild HOT 9 CLOSED

from osbuild.

Hey, @kingsleyzissou!

from osbuild.

cc @achilleas-k @thozza @supakeen

Is this something we can/should be doing? And if we do we could probably omit the bwrap part. Any suggestions here?

from osbuild.

I'd need a bit more background. It is something we can do and if this is in the oscap stage then I have no problems with adding this.

What is the OSCAP issue we're having that this solves?

As a sidenote, why is this a special way? This seems to me to be the normal way to give additional environment variables to child processes.

from osbuild.

As far as I recall, and maybe @evgenyz can elaborate, it's being used to identify when remediation is being done offline - so we might handle the remediations differently in offline mode.

A concrete example of this is checking partitions. Currently, the openscap utility tries to check /proc/mounts which isn't available during image builder. They'd be able to use the environment variable and handle the check differently, in theory.

Edit to add:
I'd probably choose a different variable name though

from osbuild.

Right, if the oscap team is going to switch behavior based on if they're running in $buildsystem then it's a good idea to give them that information; however it'd be nice if that's a bit more 'standard' (as far as a standard exists). How about we pass an environment variable OSCAP_BUILD_SYSTEM=osbuild? Or is container in the environment already implemented in oscap?

from osbuild.

Yeah sorry that's what I meant by changing the name of the env variable. I'm not entirely sure if it's implemented elsewhere. So we can wait for Evgeny to get back to us on that

from osbuild.

The container variable should be already set for the stage when it is run. It should not be need to set a special environment variable when we run subprocess.run() as it inherits it. Although if that is the only option for oscap, it can be set. If that's the case, then I would set it to the same value that is set in container environment variable.

see

from osbuild.

In that case, please submit a PR with the diff mentioned in the description and from my PoV it should be acceptable to merge it.

from osbuild.