In the context of a security certification, I’m most likely going to need to run QualysCloudAgent on my Fedora Silverblue workstation.
It’s provided to me as an rpm which, of course, has no clue of what an immutable OS is and assumes it can modify /usr and so forth.
I’ve tried running it in a toolbox created for this occasion, but it also fails there, as it assumes it can tinker with systemd, install units, restart the daemon etc.
After installing it with sudo rpm -ivh QualysCloudAgent.rpm in the toolbox, there is nothing that I can see that will run.
rpm --query --package --scripts Downloads/QualysCloudAgent.rpm is a whopping 574 lines long and sudo rpm --verify qualys-cloud-agent shows:
.......T. /etc/qualys/cloud-agent/.centos/qualys-cloud-agent
.......T. /etc/qualys/cloud-agent/.centos/qualys-cloud-agent-restart
.......T. /etc/qualys/cloud-agent/.systemd/qualys-cloud-agent.service
.......T. c /etc/qualys/cloud-agent/edr-plugin.conf
S.5....T. c /etc/qualys/cloud-agent/qualys-cloud-agent.conf
Does anyone have any experience with this? Any clues? I don’t really want to give the tool complete access to my system, though of course I get that that’s what it expects.
Thanks @boredsquirrel. I haven’t tried to layer it, but was rather hoping to avoid doing that. I’ll give it a shot.
I have distrobox already installed / layered, so that’s also a neat option. Thanks.
edit: ah well, distrobox create --root --image fedora:40 gave me a distrobox that has no systemctl, so that’s not going to help. distrobox create --root --image fedora-toolbox-40 gives me an environment with systemctl, but:
Running in chroot, ignoring command 'daemon-reload'
Running in chroot, ignoring command 'start'
Also the obvious note: rpm-ostree doesn’t need sudo
Yes, theoretically you could also install it on a secondary regular Fedora install and monitor what files are changed. (Is there any good tool for that?)
Then package a new RPM where all those files are included where they should be and it should work.
There is a tool that allows you to create RPMs from a directory with all its subdirectories.
The bottleneck of rpm-ostree UX really just is the ability to place whatever files you need, by packaging them into RPMs.
Before that you can also ask the devs to create a regular “static” RPM that just contains all the files, with no dynamic script, which breaks on Fedora Atomic Desktops, Fedora IoT, Fedora CoreOS, CentOS Stream bootc and RHEL bootc too.
So this really is an important change that will be more required in the future.