Make Ansible in dconf_db_up_to_date idempotent #13997

Merged: Mab879 merged 1 commit into ComplianceAsCode:master from jan-cerny:dconf_idem on Oct 8, 2025

@jan-cerny
Collaborator

This change will make the Ansible remediation for rule dconf_db_up_to_date idempotent. The solution is inspired by the OVAL check in this rule. The Ansible remediation will update the dconf database only if some key file is newer than the database.

Resolves: https://issues.redhat.com/browse/OPENSCAP-6229

Review Hints:

  • ./build_product --playbook-per-rule rhel9
  • manually replace hosts by hosts: all in build/rhel9/playbooks/all/dconf_db_up_to_date.yml
  • ssh to your VM and install the gdm RPM package there
  • run this script there to make the system incompliant with the rule: test.sh
  • run ansible-playbook -u root -i YOUR_IP, build/rhel9/playbooks/all/dconf_db_up_to_date.yml at least twice and compare the output of the first run with the second run and so on, verify that the second and next runs don't change anything and that the output contains only "ok" or "skipping"
  • apart from that, run automatus Tss with --remediate-using ansible

@jan-cerny jan-cerny added this to the 0.1.79 milestone Oct 8, 2025
@jan-cerny jan-cerny added the Ansible Ansible remediation update. label Oct 8, 2025
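
The staleness test described in the pull request description above (update the database only if some key file is newer than it), as an added shell example that is not the project's Ansible remediation or OVAL check. The function names and the layout it assumes (a compiled database <root>/<name> beside a key-file directory <root>/<name>.d) are assumptions of this example.

```shell
#!/bin/sh
# Added example: not the project's remediation or OVAL check.
# Assumed layout: compiled database <root>/<name>, key files (including
# lock files in subdirectories) under <root>/<name>.d/.

# dconf_db_is_stale ROOT NAME
# Returns 0 (stale) when the database is missing or any regular file under
# NAME.d has a newer modification time; returns 1 (up to date) otherwise.
dconf_db_is_stale() {
    db="$1/$2"
    keydir="$1/$2.d"

    # No key-file directory: nothing to compile, so nothing can be stale.
    [ -d "$keydir" ] || return 1
    # Key-file directory without a compiled database: an update is needed.
    [ -f "$db" ] || return 0
    # find -newer compares modification times; one hit is enough.
    newer=$(find "$keydir" -type f -newer "$db" -print | head -n 1)
    [ -n "$newer" ]
}

# stale_dbs ROOT
# Prints the name of every database under ROOT that needs `dconf update`.
# Empty output means a second remediation run has nothing to change.
stale_dbs() {
    root=$1
    for d in "$root"/*.d; do
        [ -d "$d" ] || continue
        n=$(basename "$d" .d)
        if dconf_db_is_stale "$root" "$n"; then
            printf '%s\n' "$n"
        fi
    done
}

# Usage on a target host: stale_dbs /etc/dconf/db
```

Running stale_dbs before and after each playbook run gives an independent view of whether the update step had any work to do.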
openshift-ci Bot commented Oct 8, 2025

@jan-cerny: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-openshift-node-compliance | 8baed6d | link | true | /test e2e-aws-openshift-node-compliance |


@Mab879 Mab879 self-assigned this Oct 8, 2025
@Mab879 Mab879 merged commit f8969c2 into ComplianceAsCode:master Oct 8, 2025
131 of 136 checks passed