Bug 988233

Summary: Anaconda does not exclude certain packages specified in the kickstart configuration
Product: [Fedora] Fedora Reporter: Richard Neuboeck <hawk>
Component: anacondaAssignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: unspecified    
Version: 19CC: anaconda-maint-list, dshea, g.kaviyarasu, jonathan, mkolman, sbueno, stephent98, vanmeeuwen+fedora
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-01 18:20:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Richard Neuboeck 2013-07-25 07:18:03 UTC
Description of problem:
During a customized installation anaconda does not exclude certain packages though they are marked as not to be installed in the packages section of the kickstart configuration.

It seems some are 'reselected' as dependencies. I.e. ppp is selected again as dependency of NetworkManager. But firewalld is logged as 'deselected' and a few lines below without obvious log message as to why it is again 'selected' for installation.

Version-Release number of selected component (if applicable):
anaconda 19.30.13-1.fc19

How reproducible:
On every test installation I've done.

Steps to Reproduce:
1. create a ks configuration with the following package selection:

%packages
@core
@standard
ypbind
autofs
cfengine
xorg-x11-xauth
vim
yum-cron
ntp
rwho
munin-node
iptables-services
htop
tcsh
zsh
-firewalld
-ppp
-wpa_supplicant
-openrdate
-wireless-tools
-coolkey
-fprintd
-irda-utils
-rdist
-rsh
-pcsc-lite
-pcsc-lite-ccid
%end

2. run the install and during the package installation take a look at /tmp/packaging.log

3. Even though deselected in the kickstart configuration firewalld and others get installed.

Actual results:
Packages that are deselected are installed anyway.

Expected results:
I would expect that packages marked as 'not to be installed' should not be installed. even if that may brake dependencies.

Comment 1 Steve Tyler 2013-07-25 10:03:19 UTC
The installer always pulls in some packages:[1]

$ less -N anaconda-19.30.13-1/pyanaconda/install.py
...
    152     # anaconda requires storage packages in order to make sure the target
    153     # system is bootable and configurable, and some other packages in order
    154     # to finish setting up the system.
    155     packages = storage.packages + ["authconfig", "firewalld"] + ksdata.realm.packages
...

The post-installation section of the kickstart file could probably be used to remove some packages:
15.7. Post-installation Script
http://docs.fedoraproject.org/en-US/Fedora/19/html/Installation_Guide/s1-kickstart2-postinstallconfig.html

Disclaimer: I have not actually used the post-installation kickstart feature.

[1] The installer source is here:
https://git.fedorahosted.org/git/anaconda.git

Comment 2 Steve Tyler 2013-07-25 10:26:18 UTC
Installation Guide RFE:
Bug 988328 - RFE: some packages cannot be excluded using a kickstart file

Comment 3 Richard Neuboeck 2013-07-25 10:29:53 UTC
(In reply to Steve Tyler from comment #1)
> The post-installation section of the kickstart file could probably be used
> to remove some packages:

> Disclaimer: I have not actually used the post-installation kickstart feature.

Thanks for the details!

I'm doing exactly that right now - that works ok. But since the feature exists to exclude packages it's kind of annoying to have to crosscheck what may get pulled back.

Comment 4 Steve Tyler 2013-07-25 10:46:25 UTC
(In reply to Steve Tyler from comment #1)
...
>     155     packages = storage.packages + ["authconfig", "firewalld"] +
> ksdata.realm.packages
...

The installer could probably write its "package" list to a log file, or the Installation Guide could list them.

Comment 5 Richard Neuboeck 2013-07-25 10:54:54 UTC
(In reply to Steve Tyler from comment #4)
> (In reply to Steve Tyler from comment #1)
> ...
> >     155     packages = storage.packages + ["authconfig", "firewalld"] +
> > ksdata.realm.packages
> ...
> 
> The installer could probably write its "package" list to a log file, or the
> Installation Guide could list them.

Absolutely.

If those default packages would be listed in the manual or possibly flagged in the package log file as 'default' it would be much easier than searching in the sources.

Comment 6 Steve Tyler 2013-07-25 11:15:37 UTC
The installer may already be listing them. This group of four packages matches what the source says:

Snippet from anaconda.packaging.log:
...
20:56:31,053 DEBUG packaging: select package grub2
20:56:31,055 DEBUG packaging: select package e2fsprogs
20:56:31,056 DEBUG packaging: select package authconfig
20:56:31,056 DEBUG packaging: select package firewalld
...

Comment 7 Steve Tyler 2013-07-25 11:20:13 UTC
Since firewalld is a systemd service, another way is to make sure it is disabled after installation:
$ sudo systemctl disable firewalld

Comment 8 Richard Neuboeck 2013-07-25 11:53:21 UTC
From the packaging.log it's only clear that those are the 'default' packages if you already know that since a lot of others are selected in close proximity to those entries as well.

Disabling the service would also be a good way to get rid of it. Thanks!

I'm uninstalling this and other packages from within postinstall:

%post
#!/bin/bash
yum -q -y remove firewalld and_others_too
%end

Comment 9 Steve Tyler 2013-07-25 18:01:34 UTC
(In reply to Steve Tyler from comment #7)
> Since firewalld is a systemd service, another way is to make sure it is
> disabled after installation:
> $ sudo systemctl disable firewalld

The kickstart "services" option can do exactly that:
"--disabled — Disable the services given in the comma separated list."

See also the "firewall" option:
"firewall --enabled|--disabled [--trust=] <device> [--port=]"

15.4. Kickstart Options
http://docs.fedoraproject.org/en-US/Fedora/19/html/Installation_Guide/s1-kickstart2-options.html

Comment 10 Steve Tyler 2013-07-25 19:10:25 UTC
Adding this to a test kickstart file with your exact package list almost works:
services --disabled firewalld --enabled iptables

The firewalld service is disabled:
# systemctl status firewalld

The iptables service is enabled.
# systemctl status iptables

But "iptables -L" shows no rules. This could be new bug.

Tested with:
$ qemu-kvm -m 4096 -hda f19-test-3.img -cdrom ~/xfr/fedora/F19/Fedora-19-x86_64-DVD.iso -vga std -boot menu=on

Comment 11 Steve Tyler 2013-07-26 03:27:34 UTC
(In reply to Steve Tyler from comment #4)
...
> The installer could probably write its "package" list to a log file, or the
> Installation Guide could list them.

I modified install.py on the Live image to log the "packages" variable:

23:10:40,579 INFO anaconda: pre-configured packages: ['grub2', 'e2fsprogs', 'lvm2', 'authconfig', 'firewalld']

== diff -u ... ==
--- install.py	2013-06-27 08:31:06.000000000 -0700
+++ install.py	2013-07-25 20:15:31.387147358 -0700
@@ -153,6 +153,7 @@
     # system is bootable and configurable, and some other packages in order
     # to finish setting up the system.
     packages = storage.packages + ["authconfig", "firewalld"] + ksdata.realm.packages
+    log.info("pre-configured packages: " + str(packages))
 
     # don't try to install packages from the install class' ignored list
     packages = [p for p in packages if p not in instClass.ignoredPackages]
==

Tested with:
$ qemu-kvm -m 4096 -hda f19-test-3.img -cdrom ~/xfr/fedora/F19/Fedora-Live-Desktop-x86_64-19-1.iso -vga std -boot menu=on

Comment 12 David Shea 2013-08-01 18:20:28 UTC
Closing this bug since bug 988328 has been opened for the documentation issue. firewalld is the now the default firewall solution for Fedora and is always installed, see https://fedoraproject.org/wiki/Features/firewalld-default

Comment 13 Steve Tyler 2013-08-01 18:30:22 UTC
Comment 11 was proposing that the anaconda-required packages be logged. As my testing shows, the implementation should be very easy.

Should I open a new bug for that as an RFE?

Comment 14 Steve Tyler 2013-08-06 05:31:02 UTC
Bug 993503 - RFE: log packages required by installer