Error when using "os" hardening since 19.10

Bug #1857258 reported by Rodrigo Barbieri
This bug affects 1 person
Affects: Charm Helpers
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hello,

Hit the following error [3] while using `juju config ceph-mon harden="os ssh apache mysql"`. Commit [1] replaces python3-apt import with a helper class, but does not handle [2].

At the moment "os" hardening cannot be used in any charm due to that.

[1] https://github.com/juju/charm-helpers/commit/d2ea1b8d8c2fb5bc80b8ff2f7f81c82a02bd611b

[2] https://github.com/juju/charm-helpers/blob/b4de1f4d17906d13bfb7bf5b94d6e62d2e69dec7/charmhelpers/contrib/hardening/audits/apt.py#L39

[3] 2019-12-12 15:16:54 DEBUG juju-log Hardening function 'config_changed'
2019-12-12 15:16:54 DEBUG juju-log Executing hardening module 'run_os_checks'
2019-12-12 15:16:54 DEBUG juju-log Starting OS hardening checks.
2019-12-12 15:16:54 DEBUG juju-log Found user-provided config overrides file '/var/lib/juju/agents/unit-ceph-mon-openstack-0/charm/hardening.yaml'
2019-12-12 15:16:54 DEBUG juju-log No overrides found for 'os'
2019-12-12 15:16:54 DEBUG juju-log Running 'AptConfig' check
2019-12-12 15:16:54 DEBUG config-changed Traceback (most recent call last):
2019-12-12 15:16:54 DEBUG config-changed File "/var/lib/juju/agents/unit-ceph-mon-openstack-0/charm/hooks/config-changed", line 1020, in <module>
2019-12-12 15:16:54 DEBUG config-changed hooks.execute(sys.argv)
2019-12-12 15:16:54 DEBUG config-changed File "/var/lib/juju/agents/unit-ceph-mon-openstack-0/charm/hooks/charmhelpers/core/hookenv.py", line 932, in execute
2019-12-12 15:16:54 DEBUG config-changed self._hooks[hook_name]()
2019-12-12 15:16:54 DEBUG config-changed File "/var/lib/juju/agents/unit-ceph-mon-openstack-0/charm/hooks/charmhelpers/contrib/hardening/harden.py", line 89, in _harden_inner2
2019-12-12 15:16:54 DEBUG config-changed hardener()
2019-12-12 15:16:54 DEBUG config-changed File "/var/lib/juju/agents/unit-ceph-mon-openstack-0/charm/hooks/charmhelpers/contrib/hardening/host/checks/__init__.py", line 46, in run_os_checks
2019-12-12 15:16:54 DEBUG config-changed check.ensure_compliance()
2019-12-12 15:16:54 DEBUG config-changed File "/var/lib/juju/agents/unit-ceph-mon-openstack-0/charm/hooks/charmhelpers/contrib/hardening/audits/apt.py", line 46, in ensure_compliance
2019-12-12 15:16:54 DEBUG config-changed self.verify_config()
2019-12-12 15:16:54 DEBUG config-changed File "/var/lib/juju/agents/unit-ceph-mon-openstack-0/charm/hooks/charmhelpers/contrib/hardening/audits/apt.py", line 39, in verify_config
2019-12-12 15:16:54 DEBUG config-changed value = apt_pkg.config.get(cfg['key'], cfg.get('default', ''))
2019-12-12 15:16:54 DEBUG config-changed AttributeError: module 'charmhelpers.fetch.ubuntu_apt_pkg' has no attribute 'config'
2019-12-12 15:16:54 ERROR juju.worker.uniter.operation runhook.go:132 hook "config-changed" failed: exit status 1

Tags: sts
Felipe Reyes (freyes)
tags: added: sts
Frode Nordahl (fnordahl) wrote :

The removal of the python-apt dependency has its origin in enabling reactive charms' venv to not include system Python packages and at the same time have one charm binary support a span of Ubuntu distributions. The need for this came out of the move to Python 3.7 on Ubuntu Disco. python-apt is not developed in a backwards or forward compatible manner and it is tightly coupled with whichever version of the compiled C library is distributed with a system. It is not suitable for distribution as a wheel together with a charm binary.

To fix the specific bug here, either the hardening library for apt should learn to call out to `apt-config` or something similar, or a wrapper for that could be added to the python-apt compatibility shim if you think other consumers have an issue with lack of apt-config support.
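
One way to implement the first option suggested in the comment above, reading APT settings by calling out to `apt-config dump` instead of `apt_pkg.config` (an added example, not charm-helpers code and not from the commenter). The function names, the `expected` key, the sample dump, and the case-insensitive, empty-means-unset handling are assumptions of this example.

```python
import re
import subprocess

# `apt-config dump` prints one option per line as:  Some::Key "value";
_OPTION = re.compile(r'^(\S+)\s+"(.*)";\s*$')

# Constructed sample of `apt-config dump` output, used for the offline run below.
SAMPLE_DUMP = '''APT "";
APT::Get "";
APT::Get::AllowUnauthenticated "true";
APT::Periodic::Update-Package-Lists "1";
APT::NeverAutoRemove "";
APT::NeverAutoRemove:: "^firmware-linux.*";
'''


def parse_apt_config_dump(text):
    """Map option name (lower-cased) to its scalar value."""
    options = {}
    for line in text.splitlines():
        match = _OPTION.match(line)
        if not match:
            continue  # ignore blank or unrecognised lines
        key, value = match.groups()
        if key.endswith("::"):
            continue  # list members ("Key:: ...") are not scalar settings
        options[key.lower()] = value
    return options


def apt_config_get(key, default="", dump=None):
    """Stand-in for apt_pkg.config.get(key, default) that shells out to apt-config."""
    if dump is None:  # live system: fixed argv, no shell involved
        dump = subprocess.check_output(["apt-config", "dump"], universal_newlines=True)
    # Assumption: an empty value (parent nodes such as `APT "";`) counts as unset.
    return parse_apt_config_dump(dump).get(key.lower()) or default


def find_noncompliant(checks, dump=None):
    """Return (key, expected, actual) for every check whose value differs."""
    failures = []
    for cfg in checks:
        actual = apt_config_get(cfg["key"], cfg.get("default", ""), dump)
        if actual != cfg["expected"]:
            failures.append((cfg["key"], cfg["expected"], actual))
    return failures


if __name__ == "__main__":
    checks = [{"key": "APT::Get::AllowUnauthenticated", "expected": "false"}]  # constructed
    print(find_noncompliant(checks, SAMPLE_DUMP))
```

Passing `dump=None` runs `apt-config dump` on the live unit, so a hardening audit built this way needs only the `apt-config` binary and no python-apt bindings.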
