Bug 1817443

Summary: RHVH 4.4 installation will fail when security profile is selected
Product: Red Hat Enterprise Virtualization Manager Reporter: Qin Yuan <qiyuan>
Component: redhat-virtualization-hostAssignee: Yuval Turgeman <yturgema>
Status: CLOSED ERRATA QA Contact: Qin Yuan <qiyuan>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.4.0CC: cshao, lsvaty, mavital, nlevy, peyu, qiyuan, sbonazzo, shlei, weiwang, wsato, yaniwang, yturgema
Target Milestone: ovirt-4.4.0   
Target Release: 4.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: redhat-release-virtualization-host-4.4.0-17.el8ev Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-04 16:22:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Node RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
installation logs in /tmp none

Description Qin Yuan 2020-03-26 11:08:53 UTC 
Created attachment 1673765 [details]
installation logs in /tmp

Description of problem:
RHVH 4.4 installation will fail when a security profile, draft stig or vpp, is selected, see errors:

anaconda 29.19.2.16 exception report
Traceback (most recent call first):
  File "/usr/share/anaconda/addons/org_fedora_oscap/common.py", line 276, in run_oscap_remediate
    raise OSCAPaddonError(msg)
  File "/usr/share/anaconda/addons/org_fedora_oscap/ks/oscap.py", line 549, in execute
    chroot=getSysroot())
  File "/usr/lib64/python3.6/site-packages/pyanaconda/addons.py", line 92, in execute
    v.execute(storage, ksdata, instClass, users, payload)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 446, in run_task
    self._task(*self._task_args, **self._task_kwargs)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 453, in run_task
    raise e
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 487, in start
    self.run_task()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation.py", line 211, in doConfiguration
    configuration_queue.start()
  File "/usr/lib64/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/threading.py", line 286, in run
    threading.Thread.run(self)
org_fedora_oscap.common.OSCAPaddonError: Content evaluation and remediation with the oscap tool failed: WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml file which is referenced from XCCDF content
No profile matching suffix "xccdf_org.ssgproject.content_profile_rhvh-vpp" was found. Get available profiles using:
$ oscap info "/usr/share/xml/scap/ssg/content/ssg-rhvh4-ds.xml"


Version-Release number of selected component (if applicable):
RHVH-4.4-20200325.0-RHVH-x86_64-dvd1.iso

How reproducible:
100%

Steps to Reproduce:
1. Install RHVH-4.4-20200325.0-RHVH-x86_64-dvd1.iso
2. Select a security profile, draft stig or vpp, on security policy screen 
3. Continue to finish other required configurations, and begin installation

Actual results:
1. Installation failed with the above error

Expected results:
1. Installation could succeed
2. Security check works fine

Additional info:
Comment 1 Watson Yuuma Sato 2020-03-26 11:23:00 UTC 
I see that "/usr/share/xml/scap/ssg/content/ssg-rhvh4-ds.xml" is a symlink to "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml",
it should actually be a symlink to "/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml"

The rhel8 Data Stream doesn't contain the RHVH profiles.

when I run following command, I see rhvh-vpp profile there:

$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml
Document type: Source Data Stream
Imported: 2019-12-17T14:05:32

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhv4-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-rhv4-xccdf-1.2.xml
		Status: draft
		Generated: 2019-12-17
		Resolved: true
		Profiles:
			Title: [DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)
				Id: xccdf_org.ssgproject.content_profile_rhvh-stig
			Title: VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization Host (RHVH)
				Id: xccdf_org.ssgproject.content_profile_rhvh-vpp
		Referenced check files:
			ssg-rhv4-ocil.xml
				system: http://scap.nist.gov/schema/ocil/2
			ssg-rhv4-oval.xml
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
	Ref-Id: scap_org.open-scap_cref_ssg-rhv4-ocil.xml
	Ref-Id: scap_org.open-scap_cref_ssg-rhv4-oval.xml
	Ref-Id: scap_org.open-scap_cref_ssg-rhv4-cpe-oval.xml
Dictionaries:
	Ref-Id: scap_org.open-scap_cref_ssg-rhv4-cpe-dictionary.xml
Comment 3 Qin Yuan 2020-03-26 14:25:10 UTC 
Manually modified the symlink during installation, installation succeeded:

# cd /mnt/sysimage/usr/share/xml/scap/ssg/content/
# ln -sf /usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml ssg-rhvh4-ds.xml
Comment 7 Qin Yuan 2020-04-10 02:57:41 UTC 
Tested RHVH-4.4-20200409.0-RHVH-x86_64-dvd1.iso, installation succeeded when security profile was selected.
Comment 9 errata-xmlrpc 2020-08-04 16:22:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (RHV Host (redhat-virtualization-host) 4.4), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:3316