---
tags: Discussion
---

# HostConfig - Reconciliation Activities

[TOC]

## How do we support periodic checking without CR changes

https://github.com/airshipit/hostconfig-operator/issues/10

Sirisha provided the following information:

> We have reconcile annotation fields available as part of hostconfig-operator CR objects which help to run that particular CR periodically with the specified interval `ansible.operator-sdk/reconcile-period`.

## How do we provide information to the CR about the reconciliation task

> For more info on reconcile configurations variables please refer here: https://github.com/airshipit/hostconfig-operator/blob/master/README.md#airship-hostconfig-operator-cr-object-specification-variables
>
> Here is a simple HCO CR example with reconcile annotation: https://github.com/airshipit/hostconfig-operator/blob/master/demo_examples/example_reconcile.yaml#L9

She suggested we continue the discussion on how to use this configuration to perform the checks, and perhaps identify a specific use case to implement first (like a deny list check).

Packages that are in images are defined here:

Expected list of packages: https://github.com/airshipit/images/blob/master/image-builder/assets/playbooks/roles/multistrap/defaults/main.yaml

***We could have image builder drop a file that includes the list of packages it built into the image.***

HostConfig would need to know:

- The name of the secret that contains the list of packages.

Image Builder:

- Would need to create FILE X with the list of packages
- Would need to somehow output the following:
    - Store the list of packages and a hash into a k8s artifact (Secret)

We could also try just listing denied packages.

* Other reconciliations on the host
    * MAC: AppArmor policies not drifting
    * Explicit FileSystems permission. i.e. /etc/, ... other rules.
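
A sketch of the package check discussed above, added here as an illustration and not taken from hostconfig-operator or image-builder. It assumes the manifest is a plain list of package names, the stored hash is SHA-256 over the sorted list, and the host reports one installed package per line; the function names and sample data are hypothetical.

```python
import hashlib
import hmac


def manifest_digest(packages):
    """SHA-256 over the sorted, newline-joined package names (assumed format)."""
    canonical = "\n".join(sorted(set(packages))) + "\n"
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def parse_installed(listing):
    """Parse a one-package-per-line listing gathered from the host."""
    return {line.strip() for line in listing.splitlines() if line.strip()}


def check_drift(listing, expected, expected_digest, denied=()):
    """Compare a host's installed packages with the image builder's manifest."""
    # Refuse to evaluate against a manifest that no longer matches its stored hash.
    if not hmac.compare_digest(manifest_digest(expected), expected_digest):
        raise ValueError("manifest does not match stored hash")
    installed = parse_installed(listing)
    expected_set = set(expected)
    report = {
        "unexpected": sorted(installed - expected_set),  # on host, not in image
        "missing": sorted(expected_set - installed),     # in image, removed on host
        "denied": sorted(installed & set(denied)),       # deny list hits
    }
    report["drifted"] = any(report[k] for k in ("unexpected", "missing", "denied"))
    return report


# Constructed sample data, not taken from the Airship images repository.
EXPECTED = ["apparmor", "openssh-server", "chrony"]
EXPECTED_DIGEST = manifest_digest(EXPECTED)  # what the image builder would store
DENIED = ["telnetd", "netcat-openbsd"]
HOST_LISTING = "apparmor\nopenssh-server\ntelnetd\n"

if __name__ == "__main__":
    print(check_drift(HOST_LISTING, EXPECTED, EXPECTED_DIGEST, DENIED))
```

Passing only a deny list with the host's own listing as the expected set gives the simpler "just listing denied packages" variant.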