Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-49502

Un-exclude nss for qcow2 images on RHEL-10

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • rhel-10.0.beta
    • osbuild-composer
    • None
    • None
    • None
    • rhel-sst-image-builder
    • ssg_front_door
    • None
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • None

      What were you trying to do that didn't work?

      osbuild-composer seems to exclude nss, https://github.com/osbuild/images/blob/671593683488588c41f3fcc47df51dfd8e95743a/pkg/distro/rhel/rhel10/qcow2.go#L139 , however nss is a dependency of openscap on RHEL-10, after it switched away from libgcrypt to nss, and the exclude breaks an openscap-generated hardening blueprint, which includes:

          [customizations.openscap]
    profile_id = "xccdf_org.ssgproject.content_profile_cis_workstation_l1"

      which (presumably) makes osbuild-composer try to install openscap and fail:

      ERROR: DepsolveError: DNF error occurred: DepsolveError: There was a problem depsolving dracut-config-generic, grub2-pc, dracut-config-generic, efibootmgr, grub2-efi-x64, shim-x64, kernel, lvm2, xfsprogs, dosfstools, selinux-policy-targeted, openscap-scanner, scap-security-guide, xz, @core, chrony, cloud-init, cloud-utils-growpart, cockpit-system, cockpit-ws, dnf-utils, dosfstools, nfs-utils, oddjob, oddjob-mkhomedir, psmisc, python3-jsonschema, qemu-guest-agent, redhat-release, redhat-release-eula, rsync, tar, tuned, tcpdump, insights-client, subscription-manager-cockpit, aide, sudo, libpwquality, systemd-journal-remote, firewalld, nftables, libselinux, openscap-scanner, contest-pack: 
 Problem 1: package openscap-scanner-1:1.3.10-3.el10.x86_64 from 4d58eb9c5b2a2392d650a0f7091dd887a04e6f9c443c27eb022dae70f171e998 requires libopenscap.so.25()(64bit), but none of the providers can be installed
  - package openscap-scanner-1:1.3.10-3.el10.x86_64 from 4d58eb9c5b2a2392d650a0f7091dd887a04e6f9c443c27eb022dae70f171e998 requires openscap(x86-64) = 1:1.3.10-3.el10, but none of the providers can be installed
  - package openscap-1:1.3.10-3.el10.x86_64 from 4d58eb9c5b2a2392d650a0f7091dd887a04e6f9c443c27eb022dae70f171e998 requires libnss3.so()(64bit), but none of the providers can be installed
  - package openscap-1:1.3.10-3.el10.x86_64 from 4d58eb9c5b2a2392d650a0f7091dd887a04e6f9c443c27eb022dae70f171e998 requires libnss3.so(NSS_3.2)(64bit), but none of the providers can be installed
  - package openscap-1:1.3.10-3.el10.x86_64 from 4d58eb9c5b2a2392d650a0f7091dd887a04e6f9c443c27eb022dae70f171e998 requires libnss3.so(NSS_3.4)(64bit), but none of the providers can be installed
  - conflicting requests
  - package nss-3.97.0-1.el10.x86_64 from 4d58eb9c5b2a2392d650a0f7091dd887a04e6f9c443c27eb022dae70f171e998 is filtered out by exclude filtering
 Problem 2: package openscap-scanner-1:1.3.10-3.el10.x86_64 from 4d58eb9c5b2a2392d650a0f7091dd887a04e6f9c443c27eb022dae70f171e998 requires libopenscap.so.25()(64bit), but none of the providers can be installed
  - package openscap-scanner-1:1.3.10-3.el10.x86_64 from 4d58eb9c5b2a2392d650a0f7091dd887a04e6f9c443c27eb022dae70f171e998 requires openscap(x86-64) = 1:1.3.10-3.el10, but none of the providers can be installed
  - package scap-security-guide-0.1.73-2.el10.noarch from 4d58eb9c5b2a2392d650a0f7091dd887a04e6f9c443c27eb022dae70f171e998 requires openscap-scanner >= 1.2.5, but none of the providers can be installed
  - package openscap-1:1.3.10-3.el10.x86_64 from 4d58eb9c5b2a2392d650a0f7091dd887a04e6f9c443c27eb022dae70f171e998 requires libnss3.so()(64bit), but none of the providers can be installed
  - package openscap-1:1.3.10-3.el10.x86_64 from 4d58eb9c5b2a2392d650a0f7091dd887a04e6f9c443c27eb022dae70f171e998 requires libnss3.so(NSS_3.2)(64bit), but none of the providers can be installed
  - package openscap-1:1.3.10-3.el10.x86_64 from 4d58eb9c5b2a2392d650a0f7091dd887a04e6f9c443c27eb022dae70f171e998 requires libnss3.so(NSS_3.4)(64bit), but none of the providers can be installed
  - conflicting requests
  - package nss-3.97.0-1.el10.x86_64 from 4d58eb9c5b2a2392d650a0f7091dd887a04e6f9c443c27eb022dae70f171e998 is filtered out by exclude filtering

      Please remove that exclude, thanks.

      Please provide the package NVR for which bug is seen:

      osbuild-composer-109-1.el10

              osbuilders Osbuilders Bot Account
              jjaburek@redhat.com Jiri Jaburek
              Osbuilders Bot Account Osbuilders Bot Account
              Release Test Team Release Test Team
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: