
Provisioning of Ph4 x86_64 fails with stig hardening=yes #35

Open
dcasota opened this issue Feb 9, 2025 · 2 comments
Labels
bug Something isn't working

Comments


dcasota commented Feb 9, 2025

Describe the bug

Hi Oliver,

The issue as described in #33 happens on Ph4 x86_64 as well.

The correct initrd container including stig-hardening - is it this one?

projects5-proxy.projects.packages.broadcom.com/photon/installer:sha256__e95ed1f06d478a5b2c6cc49bb976c48bc763afeb37e17067f4cd47171c333219

That projects5-proxy-prefix is correct, right?

Github repository for Photon OS 4 does not include a https://github.com/vmware/photon/tree/4.0/support/poi subdirectory, right?
You've said "For the future, you can also build these container images yourself, see https://github.com/vmware/photon-os-installer/tree/master/docker#readme ."

Is it allowed to integrate it the classic way?

    pip3 install git+https://github.com/vmware/photon-os-installer.git

    PHOTON_RELEASE="4.0"
    git clone -b $PHOTON_RELEASE https://github.com/vmware/photon.git
    cd photon/

    # TODO inject support/poi in photon/

    # modifications in poi.py
    # if THIS_ARCH == "x86_64":
    #     POI_IMAGE = "projects5-proxy.projects.packages.broadcom.com/photon/installer:sha256__e95ed1f06d478a5b2c6cc49bb976c48bc763afeb37e17067f4cd47171c333219"
    # elif THIS_ARCH == "aarch64":
    #     POI_IMAGE = "projects5-proxy.projects.packages.broadcom.com/photon/installer-arm64:ob-22815437"
    # else:
    #     raise Exception(f"unknown arch {THIS_ARCH}")
    # # use ":latest" tag for latest version and reproducibility is not important

    make image IMG_NAME=iso

Reproduction steps

Make build of Ph4 x86_64 (photon-4.0-492d03156.iso)
Boot from ISO on a VMware Workstation 17 VM. Provisioning with photon minimal, stig hardening = yes

Expected behavior

Installation with stig hardening = yes

Additional context

The flexibility of initrd containers creates different levels of complexity. The custom bits should be governed, because tdnf highly depends on them -> CPU architecture, flavors, MBR/UEFI, security features like secure boot/encryption/hardening/hashing type, and more.

@dcasota dcasota added the bug Something isn't working label Feb 9, 2025
oliverkurth (Contributor) commented

There is no "classic" way anymore. The Makefile in Photon, together with poi.py in https://github.com/vmware/photon/blob/5.0/support/poi/poi.py is just a wrapper around the new way to build images using containers, just as described in https://github.com/vmware/photon-os-installer/tree/master/docker#readme .

Look at https://github.com/vmware/photon/blob/5.0/support/poi/poi.py#L162:

    def create_raw_image(self, type, image_file, subdir=None):
    ...

It's just running the docker image with create-image. Same for creating the ISO image, in https://github.com/vmware/photon/blob/5.0/support/poi/poi.py#L324 .

That projects5-proxy-prefix is correct, right?

It should be just projects.packages.broadcom.com/photon/installer. Where did you get the "projects5-proxy" prefix from?

There seems to be an issue with the latest tag though, it's not pointing to the latest. Look at https://projects.registry.vmware.com/artifactory/projects/photon/installer/ and go by the date.

Is it allowed to integrate it the classic way?

I'm not exactly sure what you mean, but you can do anything you want ;-). Building the photon/installer image yourself shouldn't take much time. You can then use it in poi.py, or directly. Note that you can invoke poi.py with --docker-image to set the image to be used. Unfortunately, this isn't used by the Makefile.
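As an added example (not part of this thread or of the Photon project's code), a small check that flags the two problems discussed above before an image name is handed to poi.py or docker: a reference on an unexpected registry prefix, and a reference that is not pinned by content digest (a floating `latest` tag, or an Artifactory-style `sha256__...` tag name that looks like a digest but is still just a tag). The allow-list, the regex and the third sample reference are assumptions; the first two samples are the references quoted in this thread.

```python
import re

# Registry the maintainer names above as the correct one; anything else
# (e.g. the "projects5-proxy." prefix) is flagged. Assumed allow-list.
ALLOWED_REGISTRIES = {"projects.packages.broadcom.com"}

# registry/repo[:tag][@sha256:<64 hex>]; the registry part is mandatory here
_REF_RE = re.compile(
    r"^(?P<registry>[^/]+)/(?P<repo>[^:@]+)"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def check_image_ref(ref: str) -> list[str]:
    """Return findings for an image reference; an empty list means it passes."""
    m = _REF_RE.match(ref)
    if not m:
        return [f"unparseable or non-qualified reference: {ref!r}"]
    findings = []
    registry, tag, digest = m["registry"], m["tag"], m["digest"]
    if registry not in ALLOWED_REGISTRIES:
        findings.append(f"registry {registry!r} is not on the allow-list")
    if digest is None:
        if tag is None or tag == "latest":
            # A floating tag resolves to whatever was pushed most recently,
            # which (as the thread shows) is not always the newest build.
            findings.append("floating tag (latest): not reproducible, pin @sha256:<hex>")
        elif re.fullmatch(r"sha256__[0-9a-f]{64}", tag):
            # Digest-named tag: still a mutable tag name, not a content
            # digest that the container runtime verifies on pull.
            findings.append("digest-like tag is only a tag; use @sha256:<hex> pinning")
        else:
            findings.append(f"tag {tag!r} is mutable; pin @sha256:<hex> for reproducibility")
    return findings


# Sample references: the first two are taken from this thread, the third is
# constructed (all-zero digest) to show a passing, digest-pinned reference.
SAMPLES = [
    "projects5-proxy.projects.packages.broadcom.com/photon/installer:sha256__e95ed1f06d478a5b2c6cc49bb976c48bc763afeb37e17067f4cd47171c333219",
    "projects.packages.broadcom.com/photon/installer:latest",
    "projects.packages.broadcom.com/photon/installer@sha256:" + "0" * 64,
]

if __name__ == "__main__":
    for ref in SAMPLES:
        for finding in check_image_ref(ref) or ["ok"]:
            print(f"{ref}\n  - {finding}")
```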


dcasota commented Feb 10, 2025

Hi Oliver,

Many thanks. I have to divide my time and try out the new way based on your description. I just haven't done it yet.

It should be just projects.packages.broadcom.com/photon/installer. Where did you get the "projects5-proxy" prefix from?
From here:
https://projects.packages.broadcom.com/ui/packages/docker:%2F%2Fphoton%2Finstaller?name=photon&type=packages

There seems to be an issue with the latest tag though, it's not pointing to the latest.
Okay, thanks for this as well.

Give me some time. I will report back.
