RHEL-24441

disabling via customizations.services fails on non-existent services

    • Bug
    • Resolution: Unresolved
    • osbuild

      What were you trying to do that didn't work?

      Building a blueprint with invalid (non-existent) services to disable fails on:

      Stage org.osbuild.systemd
      Output:
      ...
      Failed to disable unit, unit squid.service does not exist.
      Traceback (most recent call last):
        File "/run/osbuild/bin/org.osbuild.systemd", line 81, in <module>
          r = main(args["tree"], args["options"])
        File "/run/osbuild/bin/org.osbuild.systemd", line 68, in main
          subprocess.run(["systemctl", "--root", tree, "disable", service], check=True)
        File "/usr/lib64/python3.9/subprocess.py", line 528, in run
          raise CalledProcessError(retcode, process.args,
      subprocess.CalledProcessError: Command '['systemctl', '--root', '/run/osbuild/tree', 'disable', 'squid']' returned non-zero exit status 1.
      

      for, e.g.:

      [customizations.services]
      enabled = ["fapolicyd","firewalld","rsyslog","auditd"]
      disabled = ["squid","telnet","xinetd","avahi-daemon"]
      

      The issue is that, for security compliance via OpenSCAP, we need some way to pre-emptively disable (prohibit) services that might end up on the final system when pulled in via dependencies, or perhaps by a sysadmin who is unfamiliar with the compliance policy.

      One discussed approach that you (osbuild developers) were not against was adding support for systemd masking, i.e.

      [customizations.services]
      enabled = ["fapolicyd","firewalld","rsyslog","auditd"]
      masked = ["squid","telnet","xinetd","avahi-daemon"]
      

      which would work by simply symlinking unit files to /dev/null, as systemctl mask does, regardless of whether the service is installed or not.

      Such an approach would work to fix this Bug, so please implement it, or some other way of ignoring the error.

      Please provide the package NVR for which bug is seen:

      osbuild-composer-dnf-json-99-1.el9.x86_64
      osbuild-composer-core-99-1.el9.x86_64
      osbuild-selinux-106-1.el9.noarch
      osbuild-106-1.el9.noarch
      osbuild-luks2-106-1.el9.noarch
      osbuild-lvm2-106-1.el9.noarch
      osbuild-ostree-106-1.el9.noarch
      osbuild-composer-worker-99-1.el9.x86_64
      osbuild-composer-99-1.el9.x86_64

      Expected results

      There is a way for a user to specify services to disable/mask that doesn't trigger a fatal error if those services don't exist.

              release-test-team Release Test Team
              jjaburek@redhat.com Jiri Jaburek
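
The masking approach requested in this report, as an added example (not osbuild's code and not the reporter's): it writes /dev/null symlinks into the tree's etc/systemd/system whether or not the unit is installed. The function names, the status strings, the simplified suffix handling and the choice to report rather than overwrite an existing unit file are assumptions of this example.

```python
import os
import tempfile

# Assumption: masking mirrors `systemctl mask`, i.e. a symlink named after the
# unit in <tree>/etc/systemd/system that points to /dev/null.
MASK_DIR = "etc/systemd/system"
SUFFIXES = (".service", ".socket", ".target", ".timer", ".mount", ".path")


def unit_name(service):
    """Default to a .service unit when no known suffix is given (simplified)."""
    return service if service.endswith(SUFFIXES) else service + ".service"


def mask_units(tree, services):
    """Mask services in an image tree, installed or not. Returns {unit: status}."""
    mask_dir = os.path.join(tree, MASK_DIR)
    os.makedirs(mask_dir, exist_ok=True)
    status = {}
    for service in services:
        unit = unit_name(service)
        if "/" in unit:  # a unit name must never escape the mask directory
            raise ValueError(f"invalid unit name: {service!r}")
        link = os.path.join(mask_dir, unit)
        if os.path.islink(link) and os.readlink(link) == "/dev/null":
            status[unit] = "already-masked"
        elif os.path.lexists(link):
            # Choice made for this example: report, never overwrite, a local unit file.
            status[unit] = "conflict"
        else:
            os.symlink("/dev/null", link)  # works without the package installed
            status[unit] = "masked"
    return status


def demo():
    """Constructed tree: squid is not installed, telnet has a local unit file."""
    with tempfile.TemporaryDirectory() as tree:
        os.makedirs(os.path.join(tree, MASK_DIR))
        with open(os.path.join(tree, MASK_DIR, "telnet.service"), "w") as f:
            f.write("[Service]\nExecStart=/bin/true\n")
        first = mask_units(tree, ["squid", "telnet", "avahi-daemon"])
        second = mask_units(tree, ["squid"])  # idempotent on rebuild
        target = os.readlink(os.path.join(tree, MASK_DIR, "squid.service"))
        return first, second, target


if __name__ == "__main__":
    print(demo())
```

A "conflict" status is worth failing a compliance build on, since it means a unit file in /etc would still be startable.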