How To Upgrade foreman_openscap plugin

Jeuill · October 25, 2019, 9:02pm

Problem:

I’m trying to run openscap from my Satellite server using Ansible to scan a remote host. Running the role “theforeman.foreman_scap_client” works flawlessly. Everything is configured on the remote host automatically after the role is run so that I can execute “foreman_openscap_client 1” on the remote host and it starts the scan without error.

I just found out that there is a bug in foreman_openscap for versions older than 2.0.0. that prevents running the scan via Ansible from the Satellite via the “Run OpenSCAP Scans” job template. I need to upgrade just that plugin to get passed this error. In the About page on the Foreman UI, my version says,

" foreman_openscap Foreman plug-in for managing security compliance reports slukasik@redhat.com 1.0.4"

There is no guidance on getting from 1.0.4 to 2.0.0. for this plugin. I installed the plugin using the foreman-installer tool: foreman-installer --enable-foreman-plugin-openscap

Looking at the help page from the tool, it doesn’t tell you how to upgrade a plugin. I have reinstalled the plugin hoping it would pull the latest version. But it doesn’t.

This website says there is an RPM for foreman_openscap, but doesn’t tell you how to download it or install it:
https://projects.theforeman.org/projects/foreman/wiki/List_of_Plugins

Expected outcome:

Instructions on how to upgrade a plugin when a bug is fixed in a newer version and an upgrade is needed to fix the bug. Right now I am only able to scan hosts manually.

Foreman and Proxy versions:

Foreman version: 1.23.1
Foreman Proxy version: 1.23.0

Foreman and Proxy plugin versions:

|foreman-tasks| |0.16.2|
|foreman_ansible| |3.0.5|
|foreman_openscap| |1.0.4|
|foreman_remote_execution| |1.8.2|
|katello| |3.13.1|

Distribution and version:

Running CentOS 7.6

Other relevant data:

N/A

Ondrej_Prazak · October 29, 2019, 7:22am

Hi,
if you have Satellite server from packages provided by Red Hat via your subscription, then getting packages from upstream and installing them on your Satellite is not a good idea and I would not recommend it.

If you have upstream Foreman installation - which I think is your case when looking at the installer command you provided - then you need a newer RPM package. You can take a look at yum.theforeman.org to see what packages are available. The ‘plugins’ repo is already configured for your server, but the reason you did not get the newer plugin version with the fix is that foreman_openscap 2.0 has been released for foreman 1.24 and will not run with 1.23. My recommendation is to upgrade to 1.24 when it is released and you will get the newer plugin version as well.

Jeuill · October 30, 2019, 3:50pm

Ondrej,

Thanks. I didn’t know that the plugins were packaged with the releases of foreman. It would be nice to be able to upgrade individual plugins if there is a bug. Currently, I’m unable to run any scans via Ansible until a new version of foreman is released. Any idea when the new version will be released? Or, is there a qucik workaround like creating an ansible role manually? Or if someone has code that I can tweak myself for the fix? That would be great.

Ondrej_Prazak · November 1, 2019, 8:02am

The plugins have greater flexibility in the releases as they are not strictly tied to the foreman core release schedule, it just happens that no compatible version of foreman_openscap was released with a fix for this bug, which got me wondering why that happened but I did not find any specific reason. The fix is not really big, so I decided to release a new version for 1.23. After the packaging PR is merged, the 1.0.9 should propagate to the rpm repos and you should be able to upgrade, I hope this will resolve the issue.

Jeuill · November 1, 2019, 8:12pm

Thank you so much. I appreciate it!