Fix Blueprint template to be self-contained #2081
Conversation
evgenyz
force-pushed
the
fix-blueprint-template
branch
from
ee3b963
to
51faf9f
Compare
Now the generated Blueprint file will be ready-to-use right after generation unless a custom data stream is used for hardening. There are also instructions on how to adapt the Blueprint for a custom data stream.
evgenyz
force-pushed
the
fix-blueprint-template
branch
from
51faf9f
to
d5204de
Compare
|
@evgenyz do you plan to do a self-review? |
Nope. It was a glitch. |
|
Also, @comps, please take a look. |
| "[[packages]]\n" | ||
| "name = \"scap-security-guide\"\n" | ||
| "version = \"*\"\n\n" | ||
| "[[packages]]\n" | ||
| "name = \"openscap-scanner\"\n" | ||
| "version = \"*\"\n\n", |
There was a problem hiding this comment.
I probably wouldn't do this.
The target system doesn't need scap-security-guide or openscap-scanner since the changes were already applied during image creation. It might be convenient in case the admin wants to run oscap from CLI to double-check, but it unnecessarily bloats the image.
Plus it might provide confusing results if the admin used datastream = for [customizations.openscap] since the installed scap-security-guide RPM will likely have different content version.
There was a problem hiding this comment.
I've removed these sections. By the time it hits downstream they won't be needed (they are implicit in the upstream of IB now).
Remove would-be-redundant to mention implicit scap-security-guide and openscap-scanner packages.
evgenyz
force-pushed
the
fix-blueprint-template
branch
from
917012a
to
0933cfe
Compare
Now the generated Blueprint file will be ready-to-use right after generation unless a custom data stream is used for hardening.
There are also instructions on how to adapt the Blueprint for a custom data stream.