Bug 2129008

Summary: content-type = rpm causes There was an unexpected problem with the supplied content
Product: Red Hat Enterprise Linux 8 Reporter: Jan Pazdziora <jpazdziora>
Component: oscap-anaconda-addonAssignee: Matěj Týč <matyc>
Status: CLOSED ERRATA QA Contact: Release Test Team <release-test-team-automation>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.5CC: jcerny, jikortus, jpazdziora, jstodola, mhaicman, wsato
Target Milestone: rcKeywords: Regression, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: oscap-anaconda-addon-1.2.1-10.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2129846 (view as bug list) Environment:
Last Closed: 2023-05-16 08:36:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2129846    

Description Jan Pazdziora 2022-09-22 09:31:17 UTC 
Description of problem:

Running RHEL 8.5 provisioning with

%addon org_fedora_oscap
  content-type = rpm
  content-url = "http://server/path/scap-security-guide-0.1.54-5.el8.noarch.rpm"
  content-path = usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
  profile = ospp
%end

stops with

Setting up org_fedora_oscap addon

================================================================================      
================================================================================      

Question      
      There was an unexpected problem with the supplied content.
      The installation should be aborted. Do you wish to continue anyway?
Please respond 'yes' or 'no':

That indicates that the addon did not try to correctly process the profile because if it did, it would stop with

Question      
Wrong configuration detected!      
/var/log/audit must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/home must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/var/log must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/var must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/var/tmp must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/tmp must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
     
The installation should be aborted. Do you wish to continue anyway?
Please respond 'yes' or 'no': 

like it did on RHEL 8.4 (see bug 2129001).

Version-Release number of selected component (if applicable):

I believe the RHEL 8.5 GA installation media has oscap-anaconda-addon-1.2.1.-4.el8

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have a minimal RHEL 8.5 kickstart, test that it correctly provisions the system.
2. Add

%addon org_fedora_oscap
  content-type = rpm
  content-url = "http://server/path/scap-security-guide-0.1.54-5.el8.noarch.rpm"
  content-path = usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
  profile = ospp
%end

to the kickstart, provision.

Actual results:

Setting up org_fedora_oscap addon

================================================================================      
================================================================================      

Question      
      There was an unexpected problem with the supplied content.
      The installation should be aborted. Do you wish to continue anyway?
Please respond 'yes' or 'no':

Expected results:

Setting up org_fedora_oscap addon      
      
================================================================================       
================================================================================       

Question      
Wrong configuration detected!      
/var/log/audit must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/home must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/var/log must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/var must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/var/tmp must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
/tmp must be on a separate partition or logical volume and has to be created in the partitioning layout before installation can occur with a security profile
     
The installation should be aborted. Do you wish to continue anyway?
Please respond 'yes' or 'no': 

Additional info:

This is a regression against RHEL 8.4 with (I believe) oscap-anaconda-addon-1.1.1-7.el8.

Note that we use the RHEL 8.4 scap-security-guide 0.1.54-5.el8 here specifically to minimize the difference against the RHEL 8.4 case.
Comment 7 Matěj Týč 2022-09-26 12:42:58 UTC 
This issue is a regression of the addon:

- The addon started to auto-detect filetypes of files in archives (and RPMs), and
- doesn't take the content-path into the account in connection with this autodetection,

and as a result it becomes confused by multiple datastreams being available in RHEL8 or RHEL7 RPMs.
This issue is still valid in RHEL8.7 and in RHEL9.1.

A workaround in form of extracting the datastream and using that one is valid, and another workaround could be to produce "thin RPMs" by only having content for one product present, in this case that would be RHEL8.
Comment 10 Matěj Týč 2022-11-10 15:45:36 UTC 
Fixed by https://github.com/OpenSCAP/oscap-anaconda-addon/pull/220
Comment 11 Matěj Týč 2022-11-16 13:02:58 UTC 
The referenced PR introduced a regression.
Comment 12 Matěj Týč 2022-11-16 13:04:28 UTC 
https://github.com/rhinstaller/kickstart-tests/issues/827
Comment 18 Jan Stodola 2022-12-05 12:20:06 UTC 
Checked that oscap-anaconda-addon-1.2.1-10.el8 is in nightly compose RHEL-8.8.0-20221204.2

Moving to VERIFIED
Comment 21 errata-xmlrpc 2023-05-16 08:36:35 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (oscap-anaconda-addon bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2828