Working with OpenSCAP on Ubuntu/Debian - webpack error on gem upgrade attempts

Problem:
I managed to get OpenSCAP working on foreman 2.4.1 for Ubuntu 18.04 and on 3.14 for Ubuntu 22.04.
But my organization uses 2.4.1, so I have to work on a coherent upgrade path when we eventually move to Foreman 3.x (soon™️).

Upgrading the Foreman itself from 2.4 to 2.5 or 3.0 works fine and the openSCAP UI and proxy plugin still allow me to manage all the content, policies and reports.
But upgrading the UI plugin from 4.2.0 to anything higher causes it to complain about a webpack issue.

Trying to figure out what the custom install is missing when upgrading my gem from the current version.

Expected outcome:
When upgrading to higher foreman versions, I expected I could just perform my steps with the updated packages from the yum repo.

Foreman and Proxy versions:
2.4.1
Foreman and Proxy plugin versions:
foreman_openscap 4.2.0 & smart_proxy_openscap 0.8.1
Distribution and version:
Ubuntu 18.04

Other relevant data:
Here’s the error when I try to update the foreman_openscap gem to anything higher than 4.2.0

webpack error
 8e2f9059 | /usr/share/foreman/vendor/ruby/2.5.0/gems/logging-2.3.0/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
2025-03-30T18:58:51 [I|app|8e2f9059]   Rendering common/500.html.erb within layouts/application
2025-03-30T18:58:51 [I|app|8e2f9059]   Rendered common/500.html.erb within layouts/application (Duration: 1.7ms | Allocations: 952)
2025-03-30T18:58:51 [I|app|8e2f9059]   Rendered layouts/_application_content.html.erb (Duration: 0.1ms | Allocations: 100)
2025-03-30T18:58:51 [I|app|8e2f9059]   Rendering layouts/base.html.erb
2025-03-30T18:58:51 [I|app|8e2f9059]   Rendered layouts/base.html.erb (Duration: 0.4ms | Allocations: 582)
2025-03-30T18:58:51 [I|app|8e2f9059] Completed 500 Internal Server Error in 96ms (ActiveRecord: 3.3ms | Allocations: 75144)
2025-03-30T18:58:51 [F|app|8e2f9059]
 8e2f9059 | ActionView::Template::Error (Can't find entry point 'foreman_openscap:global' in webpack manifest):
 8e2f9059 |     13:     <%= stylesheet_link_tag *webpack_asset_paths('foreman-vendor', :extension => 'css') %>
 8e2f9059 |     14:     <%= stylesheet_link_tag *webpack_asset_paths('bundle', :extension => 'css') %>
 8e2f9059 |     15:     <%= stylesheet_link_tag 'application' %>
 8e2f9059 |     16:     <%= webpacked_plugins_with_global_css %>
 8e2f9059 |     17:     <%= yield(:stylesheets) %>
 8e2f9059 |     18:
 8e2f9059 |     19:     <%= csrf_meta_tags %>
 8e2f9059 |
 8e2f9059 | app/helpers/reactjs_helper.rb:64:in `block (2 levels) in global_css_tags'
 8e2f9059 | app/helpers/reactjs_helper.rb:63:in `map'
 8e2f9059 | app/helpers/reactjs_helper.rb:63:in `block in global_css_tags'
 8e2f9059 | app/helpers/reactjs_helper.rb:62:in `map'
 8e2f9059 | app/helpers/reactjs_helper.rb:62:in `global_css_tags'
 8e2f9059 | app/helpers/reactjs_helper.rb:22:in `webpacked_plugins_with_global_css'
 8e2f9059 | app/views/layouts/base.html.erb:16
 8e2f9059 | app/views/layouts/application.html.erb:5
 8e2f9059 | app/controllers/application_controller.rb:353:in `generic_exception'
 8e2f9059 | lib/foreman/middleware/telemetry.rb:10:in `call'
 8e2f9059 | lib/foreman/middleware/catch_json_parse_errors.rb:9:in `call'
 8e2f9059 | lib/foreman/middleware/logging_context_session.rb:22:in `call'
 8e2f9059 | lib/foreman/middleware/logging_context_request.rb:11:in `call'

This is how I install a functional version on 2.4.1

Installing OpenSCAP on Foreman 2.4.1 for Ubuntu 18.04
# Install fpm to convert rpm packages to deb
gem install dotenv -v 2.8.1
gem install --no-document fpm

# Get the Yum packages for 2.4
wget https://yum.theforeman.org/plugins/2.4/el8/x86_64/rubygem-foreman_openscap-4.2.0-1.fm2_4.el8.noarch.rpm
wget https://yum.theforeman.org/plugins/2.4/el8/x86_64/rubygem-smart_proxy_openscap-0.8.1-1.fm2_4.el8.noarch.rpm


# Convert the packages to deb with fpm (with altered names that foreman-installer expects)
fpm -s rpm -t deb --version 4.2.0 --iteration 1.fm2.4.el8   --no-auto-depends --name ruby-foreman-openscap rubygem-foreman_openscap-4.2.0-1.fm2_4.el8.noarch.rpm
fpm -s rpm -t deb --version 0.8.1 --iteration 1.fm2.4.el8   --no-auto-depends --name ruby-smart-proxy-openscap rubygem-smart_proxy_openscap-0.8.1-1.fm2_4.el8.noarch.rpm

# install them
dpkg -i *.deb
cd /usr/share/foreman

# insert the supported gems for foreman 2.4.1 in the bundler.d file
cat <<EOF > bundler.d/foreman_openscap.rb 
gem 'foreman_openscap', '4.2.0'
gem 'mini_portile2', '2.5.3'
EOF

sudo -u foreman bundle install

# Add missing link to assets. 
ln -sf /usr/share/gems/gems/foreman_openscap-4.2.0/app/assets/foreman_openscap /usr/share/foreman/public/assets
foreman-installer --enable-foreman-plugin-openscap

# Openscap proxy plugin
apt-get install libopenscap8
gem install nokogiri -v 1.12.5
gem install smart_proxy_openscap -v 0.8.1
chown -R foreman-proxy:foreman-proxy /var/lib/foreman-proxy/openscap
chown -R foreman-proxy:foreman-proxy /var/spool/foreman-proxy/
foreman-installer --enable-foreman-proxy-plugin-openscap

As a disclaimer, I came to these install steps by trial and error. If you notice any steps that have better alternatives (within the scope of Ubuntu), I very much appreciate you sharing them.

Higher versions of f-openscap have part of their assets handled by webpack, so you’ll need to symlink an additional directory. It needs to be placed into /var/lib/foreman/public/webpack/foreman_openscap and point at /usr/share/gems/gems/foreman_openscap-$version/public/webpack/foreman_openscap.

Maybe this won’t get you all the way through, but it is a start at least.

While the package already made that symlink, your comment got me to think more about there being two manifest.json files, one in /usr/share/foreman/public/webpack and one in /usr/share/foreman/public/webpack/foreman_openscap.

When I put the foreman_openscap:global definitions from webpack/foreman_openscap into webpack/manifest.json, the UI works again and I can access all functionality.

Sadly I have even less of an idea what exactly I did here, other than speculating that the webpack manifest.json from foreman_openscap was not loaded and/or ignored.
When I look at my Ubuntu 22.04 Foreman 3.13 installation with openscap, it does not have a webpack/foreman_openscap/manifest.json file.

My next problem is with the openscap proxy plugin; it seems that version 0.9.1 has some problems when uploading:

{"result":"Failed to upload to Foreman, saving in spool. Failed with: 404 \"Not Found\""}

I test uploading with a bzip2 arf report using the following curl

curl -X POST --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem --cert /etc/puppetlabs/puppet/ssl/certs/fqdn.pem --key /etc/puppetlabs/puppet/ssl/private_keys/fqdn.pem -H "Content-Type: application/xml" --data-binary @/path/to/xccdf-results-arf.xml.bz2 https://fqdn:8443/compliance/arf/5

I jokingly tried to upgrade the proxy plugin to the latest version, and then realized 0.10.0 to 0.11.1 work for uploading, but then the UI complains about the smart proxy missing when uploading new SCAP content.

No proxy with OpenSCAP feature is running.
The logs sadly don’t give me extra hints.
2025-03-31T18:55:10 [E|app|fccca245] Failed to save: No proxy with OpenSCAP feature is running.

Sticking to 0.8.1 for now, which is the only version that keeps both the UI and ARF uploading functional.
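
The manifest comparison described earlier in the thread (plugin entry points such as foreman_openscap:global missing from the main webpack manifest), as an added example that is not part of the original posts or of Foreman's own code. It assumes both manifest.json files keep their entry points under an assetsByChunkName key; the sample manifests and asset file names are constructed.

```ruby
require 'json'

# Entry-point table of a webpack manifest.
# Assumption: entries are keyed under "assetsByChunkName".
def manifest_entries(manifest)
  entries = manifest['assetsByChunkName']
  raise ArgumentError, 'no assetsByChunkName table in manifest' unless entries.is_a?(Hash)
  entries
end

# Entry points the plugin manifest defines but the main manifest lacks.
def missing_entries(main, plugin)
  manifest_entries(plugin).keys - manifest_entries(main).keys
end

# Returns a merged copy; entries already in the main manifest are kept as-is.
def merge_missing(main, plugin)
  merged = JSON.parse(JSON.generate(main)) # deep copy, input stays untouched
  missing_entries(main, plugin).each do |name|
    merged['assetsByChunkName'][name] = manifest_entries(plugin)[name]
  end
  merged
end

def report(main, plugin)
  missing = missing_entries(main, plugin)
  missing.empty? ? 'all plugin entry points present' : "missing: #{missing.join(', ')}"
end

# Constructed sample manifests (hypothetical asset file names).
SAMPLE_MAIN = JSON.parse(<<~EOS)
  {"assetsByChunkName": {"bundle": ["bundle-abc.js", "bundle-abc.css"],
                         "foreman-vendor": ["foreman-vendor-def.js"]}}
EOS
SAMPLE_PLUGIN = JSON.parse(<<~EOS)
  {"assetsByChunkName": {"foreman_openscap:global": ["foreman_openscap/global-123.css"],
                         "foreman_openscap:index": ["foreman_openscap/index-456.js"]}}
EOS

# Usage: ruby check_manifest.rb MAIN_MANIFEST PLUGIN_MANIFEST (samples otherwise).
if ARGV.length == 2 && ARGV.all? { |path| File.file?(path) }
  main, plugin = ARGV.map { |path| JSON.parse(File.read(path)) }
else
  main, plugin = SAMPLE_MAIN, SAMPLE_PLUGIN
end
puts report(main, plugin)
```

Running it against the two manifest.json paths before and after a gem upgrade shows whether the entry point named in the ActionView::Template::Error is actually absent from the main manifest.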

What does Foreman’s production.log say?

Not much, just the post request and the same response.
I will try to upgrade to a higher openscap UI version, maybe under the hood the UI is calling an old API call that doesn’t exist and then concludes the smart proxy plugin has yet to be installed.

2025-04-01T19:04:23 [I|app|d4cb3e70] Completed 200 OK in 3ms (Views: 0.1ms | ActiveRecord: 0.5ms | Allocations: 2654)
2025-04-01T19:04:27 [I|app|95563e15] Started POST "/compliance/scap_contents" for 10.10.100.39 at 2025-04-01 19:04:27 +0000
2025-04-01T19:04:27 [I|app|95563e15] Processing by ScapContentsController#create as HTML
2025-04-01T19:04:27 [I|app|95563e15]   Parameters: {"utf8"=>"✓", "authenticity_token"=>"HV0nmgi13C6XcQLwATXkWIvZ/uQDOmRexSkkXdWGTFhXppvlT28Qr9OvXhyNhugTY5+jSZizCKJeKqGoGXCM4A==", "scap_content"=>{"title"=>"eqwe222", "scap_file"=>"[FILTERED]", "location_ids"=>["", "2"], "organization_ids"=>["", "1"]}, "commit"=>"Submit"}
2025-04-01T19:04:27 [E|app|95563e15] Failed to save: No proxy with OpenSCAP feature is running.
2025-04-01T19:04:27 [I|app|95563e15]   Rendering vendor/ruby/2.5.0/gems/foreman_openscap-5.0.0/app/views/scap_contents/new.html.erb within layouts/application

Sort of related question.
Is gem install the only way to install the smart_proxy_openscap?
Right now I do install nokogiri and the plugin like this.

gem install nokogiri -v 1.12.5
gem install smart_proxy_openscap -v 0.8.1

While specifically for the UI, I could go to /usr/share/foreman/bundler.d and add the required gems and versions there and use sudo -u foreman bundle install to get the gems.
While /usr/share/foreman-proxy does have the bundler.d folder, it does not have a Gemfile, it has Gemfile.In, but I didn’t manage to google a good explanation on it.

This is the error you need to resolve. If you go to Infrastructure > Smart Proxies, click on the smart proxy that you have and in there click refresh, does it show openscap among its features?

On deb-based distributions probably yes. This would be much easier if you were on EL*.

does it show openscap among its features?

Yep!

This would be much easier if you were on EL*.

Very much agreed! Which is why I really appreciate the suggestions you have provided despite this somewhat silly setup :grin:
Maybe I could convince my org to use EL for our migration to 3.x (soon™️)