Use TestingFarm image for container tests

hardening/anaconda/test.py

@@ -39,15 +39,15 @@
     # scan the remediated system
     proc, lines = g.ssh_stream(
         f'oscap xccdf eval --profile {profile} --progress --report report.html'
-        f' --results-arf results-arf.xml scan-ds.xml'
+        f' --results-arf scan-arf.xml scan-ds.xml'
     )
     oscap.report_from_verbose(lines)
     if proc.returncode not in [0,2]:
         raise RuntimeError("post-reboot oscap failed unexpectedly")
 
     g.copy_from('report.html')
-    g.copy_from('results-arf.xml')
+    g.copy_from('scan-arf.xml')
 
-util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
+util.subprocess_run(['gzip', '-9', 'scan-arf.xml'], check=True)
 
-results.report_and_exit(logs=['report.html', 'results-arf.xml.gz'])
+results.report_and_exit(logs=['report.html', 'scan-arf.xml.gz'])

hardening/ansible/test.py

@@ -51,15 +51,15 @@
     g.copy_to(util.get_datastream(), 'scan-ds.xml')
     proc, lines = g.ssh_stream(
         f'oscap xccdf eval --profile {profile} --progress --report report.html'
-        f' --results-arf results-arf.xml scan-ds.xml'
+        f' --results-arf scan-arf.xml scan-ds.xml'
     )
     oscap.report_from_verbose(lines)
     if proc.returncode not in [0,2]:
         raise RuntimeError("post-reboot oscap failed unexpectedly")
 
     g.copy_from('report.html')
-    g.copy_from('results-arf.xml')
+    g.copy_from('scan-arf.xml')
 
-util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
+util.subprocess_run(['gzip', '-9', 'scan-arf.xml'], check=True)
 
-results.report_and_exit(logs=['report.html', 'results-arf.xml.gz'])
+results.report_and_exit(logs=['report.html', 'scan-arf.xml.gz'])

hardening/container/anaconda-ostree/main.fmf

@@ -28,9 +28,6 @@ adjust:
   - when: distro < rhel-9.6
     enabled: false
     because: Image Mode not supported for older RHELs
-  - when: distro == rhel
-    enabled: false
-    because: TODO - no freely accessible RHEL bootc image, CentOS Stream only
 tag+:
   # TODO: this test is currently broken by / blocked on Anaconda
   # having broken ostreecontainer kickstart functionality,

hardening/container/anaconda-ostree/test.py

@@ -16,8 +16,13 @@
 guest.wipe()
 guest.generate_ssh_keypair()
 
-# CentOS Stream image only, for now
-src_image = f'quay.io/centos-bootc/centos-bootc:stream{versions.rhel.major}'
+# select appropriate container image based on host OS
+major = versions.rhel.major
+minor = versions.rhel.minor
+if versions.rhel.is_true_rhel():
+    src_image = f'images.paas.redhat.com/testingfarm/rhel-bootc:{major}.{minor}'
+else:
+    src_image = f'quay.io/centos-bootc/centos-bootc:stream{major}'
 
 # RHEL-9 and older use 'maint-1.3' openscap git repo branch, newer use 'main'
 if versions.rhel <= 9:
@@ -33,7 +38,8 @@
     RUN dnf -y copr enable {copr} centos-stream-{versions.rhel.major}-x86_64
     RUN dnf -y install openscap-utils
     COPY remediation-ds.xml /root/.
-    RUN oscap-bootc --profile '{profile}' /root/remediation-ds.xml
+    RUN oscap-bootc --profile '{profile}' \
+        --results-arf /root/remediation-arf.xml /root/remediation-ds.xml
     # hack sshd cmdline to allow root login
     RUN echo "OPTIONS=-oPermitRootLogin=yes" >> /etc/sysconfig/sshd
 ''')
@@ -65,15 +71,19 @@
     # scan the remediated system
     proc, lines = guest.ssh_stream(
         f'oscap xccdf eval --profile {profile} --progress --report report.html'
-        f' --results-arf results-arf.xml scan-ds.xml'
+        f' --results-arf scan-arf.xml scan-ds.xml'
     )
     oscap.report_from_verbose(lines)
     if proc.returncode not in [0,2]:
         raise RuntimeError("post-reboot oscap failed unexpectedly")
 
     guest.copy_from('report.html')
-    guest.copy_from('results-arf.xml')
+    guest.copy_from('remediation-arf.xml')
+    guest.copy_from('scan-arf.xml')
 
-util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
+tar = [
+    'tar', '-cvJf', 'results-arf.tar.xz', 'remediation-arf.xml', 'scan-arf.xml',
+]
+util.subprocess_run(tar, check=True)
 
-results.report_and_exit(logs=['report.html', 'results-arf.xml.gz'])
+results.report_and_exit(logs=['report.html', 'results-arf.tar.xz'])

hardening/container/bootc-image-builder/main.fmf

@@ -28,9 +28,6 @@ adjust:
   - when: distro < rhel-9.6
     enabled: false
     because: Image Mode not supported for older RHELs
-  - when: distro == rhel
-    enabled: false
-    because: TODO - no freely accessible RHEL bootc image, CentOS Stream only
 
 /anssi_bp28_high:
 

hardening/container/bootc-image-builder/test.py

@@ -19,8 +19,13 @@
 guest.wipe()
 guest.generate_ssh_keypair()
 
-# CentOS Stream image only, for now
-src_image = f'quay.io/centos-bootc/centos-bootc:stream{versions.rhel.major}'
+# select appropriate container image based on host OS
+major = versions.rhel.major
+minor = versions.rhel.minor
+if versions.rhel.is_true_rhel():
+    src_image = f'images.paas.redhat.com/testingfarm/rhel-bootc:{major}.{minor}'
+else:
+    src_image = f'quay.io/centos-bootc/centos-bootc:stream{major}'
 
 # RHEL-9 and older use 'maint-1.3' openscap git repo branch, newer use 'main'
 if versions.rhel <= 9:
@@ -36,7 +41,8 @@
     RUN dnf -y copr enable {copr} centos-stream-{versions.rhel.major}-x86_64
     RUN dnf -y install openscap-utils
     COPY remediation-ds.xml /root/.
-    RUN oscap-bootc --profile '{profile}' /root/remediation-ds.xml
+    RUN oscap-bootc --profile '{profile}' \
+        --results-arf /root/remediation-arf.xml /root/remediation-ds.xml
     # hack sshd cmdline to allow root login
     RUN echo "OPTIONS=-oPermitRootLogin=yes" >> /etc/sysconfig/sshd
 ''')
@@ -80,15 +86,19 @@
     # scan the remediated system
     proc, lines = guest.ssh_stream(
         f'oscap xccdf eval --profile {profile} --progress --report report.html'
-        f' --results-arf results-arf.xml scan-ds.xml'
+        f' --results-arf scan-arf.xml scan-ds.xml'
     )
     oscap.report_from_verbose(lines)
     if proc.returncode not in [0,2]:
         raise RuntimeError("post-reboot oscap failed unexpectedly")
 
     guest.copy_from('report.html')
-    guest.copy_from('results-arf.xml')
+    guest.copy_from('remediation-arf.xml')
+    guest.copy_from('scan-arf.xml')
 
-util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
+tar = [
+    'tar', '-cvJf', 'results-arf.tar.xz', 'remediation-arf.xml', 'scan-arf.xml',
+]
+util.subprocess_run(tar, check=True)
 
-results.report_and_exit(logs=['report.html', 'results-arf.xml.gz'])
+results.report_and_exit(logs=['report.html', 'results-arf.tar.xz'])

hardening/host-os/ansible/test.py

@@ -42,14 +42,14 @@
     # scan the remediated system
     cmd = [
         'oscap', 'xccdf', 'eval', '--profile', profile, '--progress',
-        '--report', 'report.html', '--results-arf', 'results-arf.xml',
+        '--report', 'report.html', '--results-arf', 'scan-arf.xml',
         util.get_datastream(),
     ]
     proc, lines = util.subprocess_stream(cmd)
     oscap.report_from_verbose(lines)
     if proc.returncode not in [0,2]:
         raise RuntimeError("post-reboot oscap failed unexpectedly")
 
-    util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
+    util.subprocess_run(['gzip', '-9', 'scan-arf.xml'], check=True)
 
-    results.report_and_exit(logs=['report.html', 'results-arf.xml.gz'])
+    results.report_and_exit(logs=['report.html', 'scan-arf.xml.gz'])

hardening/host-os/oscap/test.py

@@ -17,10 +17,10 @@
 remediation_ds = tmpdir / 'remediation-ds.xml'
 
 
-def do_one_remediation(ds, profile, html_report):
+def do_one_remediation(ds, profile, arf_results):
     cmd = [
         'oscap', 'xccdf', 'eval', '--profile', profile, '--progress',
-        '--report', html_report, '--remediate', ds,
+        '--results-arf', arf_results, '--remediate', ds,
     ]
     proc = util.subprocess_run(cmd)
     if proc.returncode not in [0,2]:
@@ -41,7 +41,7 @@ def do_one_remediation(ds, profile, html_report):
 
     oscap.unselect_rules(util.get_datastream(), remediation_ds, remediation.excludes())
 
-    do_one_remediation(remediation_ds, profile, tmpdir / 'remediation.html')
+    do_one_remediation(remediation_ds, profile, tmpdir / 'remediation-arf.xml')
 
     util.reboot()
 
@@ -50,7 +50,7 @@ def do_one_remediation(ds, profile, html_report):
 elif util.get_reboot_count() == 1:
     util.log("second boot, doing second remediation")
 
-    do_one_remediation(remediation_ds, profile, tmpdir / 'remediation2.html')
+    do_one_remediation(remediation_ds, profile, tmpdir / 'remediation2-arf.xml')
 
     util.reboot()
 
@@ -61,20 +61,26 @@ def do_one_remediation(ds, profile, html_report):
     # - use the original unmodified datastream
     cmd = [
         'oscap', 'xccdf', 'eval', '--profile', profile, '--progress',
-        '--report', 'report.html', '--results-arf', 'results-arf.xml',
+        '--report', 'report.html', '--results-arf', 'scan-arf.xml',
         util.get_datastream(),
     ]
     proc, lines = util.subprocess_stream(cmd)
     oscap.report_from_verbose(lines)
     if proc.returncode not in [0,2]:
         raise RuntimeError("post-reboot oscap failed unexpectedly")
 
-    util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
+    # TODO: str() because of python 3.6 shutil.move() not supporting Path
+    shutil.move(str(tmpdir / 'remediation-arf.xml'), '.')
+    shutil.move(str(tmpdir / 'remediation2-arf.xml'), '.')
+
+    tar = [
+        'tar', '-cvJf', 'results-arf.tar.xz',
+        'remediation-arf.xml', 'remediation2-arf.xml', 'scan-arf.xml',
+    ]
+    util.subprocess_run(tar, check=True)
 
     logs = [
         'report.html',
-        'results-arf.xml.gz',
-        tmpdir / 'remediation.html',
-        tmpdir / 'remediation2.html',
+        'results-arf.tar.xz',
     ]
     results.report_and_exit(logs=logs)

hardening/image-builder/test.py

@@ -33,15 +33,15 @@
     # scan the remediated system
     proc, lines = g.ssh_stream(
         f'oscap xccdf eval --profile {profile} --progress --report report.html'
-        f' --results-arf results-arf.xml scan-ds.xml'
+        f' --results-arf scan-arf.xml scan-ds.xml'
     )
     oscap.report_from_verbose(lines)
     if proc.returncode not in [0,2]:
         raise RuntimeError("post-reboot oscap failed unexpectedly")
 
     g.copy_from('report.html')
-    g.copy_from('results-arf.xml')
+    g.copy_from('scan-arf.xml')
 
-util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
+util.subprocess_run(['gzip', '-9', 'scan-arf.xml'], check=True)
 
-results.report_and_exit(logs=['report.html', 'results-arf.xml.gz', g.osbuild_log])
+results.report_and_exit(logs=['report.html', 'scan-arf.xml.gz', g.osbuild_log])

hardening/kickstart/test.py

@@ -36,15 +36,15 @@
     # scan the remediated system
     proc, lines = g.ssh_stream(
         f'oscap xccdf eval --profile {profile} --progress --report report.html'
-        f' --results-arf results-arf.xml scan-ds.xml'
+        f' --results-arf scan-arf.xml scan-ds.xml'
     )
     oscap.report_from_verbose(lines)
     if proc.returncode not in [0,2]:
         raise RuntimeError("post-reboot oscap failed unexpectedly")
 
     g.copy_from('report.html')
-    g.copy_from('results-arf.xml')
+    g.copy_from('scan-arf.xml')
 
-util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
+util.subprocess_run(['gzip', '-9', 'scan-arf.xml'], check=True)
 
-results.report_and_exit(logs=['report.html', 'results-arf.xml.gz'])
+results.report_and_exit(logs=['report.html', 'scan-arf.xml.gz'])

hardening/oscap/old-new/test.py

@@ -22,13 +22,13 @@
     oscap.unselect_rules(util.get_datastream(), 'remediation-new.xml', remediation.excludes())
     g.copy_to('remediation-new.xml')
 
-    def remediate(datastream, html_report, html_report2):
+    def remediate(datastream, arf_results, arf_results2):
         # remediate twice due to some rules being 'notapplicable'
         # on the first pass
-        for html_report in [html_report, html_report2]:
+        for arf_output in [arf_results, arf_results2]:
             cmd = [
                 'oscap', 'xccdf', 'eval', '--profile', profile,
-                '--progress', '--report', html_report,
+                '--progress', '--results-arf', arf_output,
                 '--remediate', datastream,
             ]
             proc = g.ssh(' '.join(cmd))
@@ -38,34 +38,38 @@ def remediate(datastream, html_report, html_report2):
 
     # remediate using old content,
     # then remediate using new content
-    remediate('remediation-old.xml', 'remediation-old.html', 'remediation-old2.html')
-    remediate('remediation-new.xml', 'remediation-new.html', 'remediation-new2.html')
+    remediate('remediation-old.xml', 'remediation-arf-old.xml', 'remediation-arf-old2.xml')
+    remediate('remediation-new.xml', 'remediation-arf-new.xml', 'remediation-arf-new2.xml')
 
     # scan using new content
     g.copy_to(util.get_datastream(), 'scan-new.xml')
     proc, lines = g.ssh_stream(
         f'oscap xccdf eval --profile {profile} --progress --report report.html'
-        f' --results-arf results-arf.xml scan-new.xml'
+        f' --results-arf scan-arf.xml scan-new.xml'
     )
     oscap.report_from_verbose(lines)
     if proc.returncode not in [0,2]:
         raise RuntimeError("post-reboot oscap failed unexpectedly")
 
     g.copy_from('report.html')
-    g.copy_from('results-arf.xml')
-    g.copy_from('remediation-old.html')
-    g.copy_from('remediation-old2.html')
-    g.copy_from('remediation-new.html')
-    g.copy_from('remediation-new2.html')
+    g.copy_from('scan-arf.xml')
+    g.copy_from('remediation-arf-old.xml')
+    g.copy_from('remediation-arf-old2.xml')
+    g.copy_from('remediation-arf-new.xml')
+    g.copy_from('remediation-arf-new2.xml')
 
-util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
+tar = [
+    'tar', '-cvJf', 'results-arf.tar.xz',
+    'scan-arf.xml',
+    'remediation-arf-old.xml',
+    'remediation-arf-old2.xml',
+    'remediation-arf-new.xml',
+    'remediation-arf-new2.xml',
+]
+util.subprocess_run(tar, check=True)
 
 logs = [
     'report.html',
-    'results-arf.xml.gz',
-    'remediation-old.html',
-    'remediation-old2.html',
-    'remediation-new.html',
-    'remediation-new2.html',
+    'results-arf.tar.xz',
 ]
 results.report_and_exit(logs=logs)

hardening/oscap/test.py

@@ -29,10 +29,10 @@
 
     # - remediate twice due to some rules being 'notapplicable'
     #   on the first pass
-    for html_report in ['remediation.html', 'remediation2.html']:
+    for arf_results in ['remediation-arf.xml', 'remediation2-arf.xml']:
         cmd = [
             'oscap', 'xccdf', 'eval', '--profile', profile,
-            '--progress', '--report', html_report,
+            '--progress', '--results-arf', arf_results,
             '--remediate', 'remediation-ds.xml',
         ]
         proc = g.ssh(' '.join(cmd))
@@ -45,23 +45,25 @@
     # scan the remediated system
     proc, lines = g.ssh_stream(
         f'oscap xccdf eval --profile {profile} --progress --report report.html'
-        f' --results-arf results-arf.xml scan-ds.xml'
+        f' --results-arf scan-arf.xml scan-ds.xml'
     )
     oscap.report_from_verbose(lines)
     if proc.returncode not in [0,2]:
         raise RuntimeError("post-reboot oscap failed unexpectedly")
 
     g.copy_from('report.html')
-    g.copy_from('results-arf.xml')
-    g.copy_from('remediation.html')
-    g.copy_from('remediation2.html')
+    g.copy_from('remediation-arf.xml')
+    g.copy_from('remediation2-arf.xml')
+    g.copy_from('scan-arf.xml')
 
-util.subprocess_run(['gzip', '-9', 'results-arf.xml'], check=True)
+tar = [
+    'tar', '-cvJf', 'results-arf.tar.xz',
+    'remediation-arf.xml', 'remediation2-arf.xml', 'scan-arf.xml',
+]
+util.subprocess_run(tar, check=True)
 
 logs = [
     'report.html',
-    'results-arf.xml.gz',
-    'remediation.html',
-    'remediation2.html',
+    'results-arf.tar.xz',
 ]
 results.report_and_exit(logs=logs)