Bug 1817443 - RHVH 4.4 installation will fail when security profile is selected
Summary: RHVH 4.4 installation will fail when security profile is selected
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: redhat-virtualization-host
Version: 4.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ovirt-4.4.0
Target Release: 4.4.0
Assignee: Yuval Turgeman
QA Contact: Qin Yuan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-03-26 11:08 UTC by Qin Yuan
Modified: 2020-08-04 16:22 UTC (History)

Fixed In Version: redhat-release-virtualization-host-4.4.0-17.el8ev
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-08-04 16:22:45 UTC
oVirt Team: Node
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
installation logs in /tmp (2.49 MB, application/gzip)
2020-03-26 11:08 UTC, Qin Yuan


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2020:3316 0 None None None 2020-08-04 16:22:58 UTC

Description Qin Yuan 2020-03-26 11:08:53 UTC
Created attachment 1673765 [details]
installation logs in /tmp

Description of problem:
RHVH 4.4 installation will fail when a security profile, draft stig or vpp, is selected; see errors:

anaconda 29.19.2.16 exception report
Traceback (most recent call first):
  File "/usr/share/anaconda/addons/org_fedora_oscap/common.py", line 276, in run_oscap_remediate
    raise OSCAPaddonError(msg)
  File "/usr/share/anaconda/addons/org_fedora_oscap/ks/oscap.py", line 549, in execute
    chroot=getSysroot())
  File "/usr/lib64/python3.6/site-packages/pyanaconda/addons.py", line 92, in execute
    v.execute(storage, ksdata, instClass, users, payload)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 446, in run_task
    self._task(*self._task_args, **self._task_kwargs)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 453, in run_task
    raise e
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 487, in start
    self.run_task()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation.py", line 211, in doConfiguration
    configuration_queue.start()
  File "/usr/lib64/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/threading.py", line 286, in run
    threading.Thread.run(self)
org_fedora_oscap.common.OSCAPaddonError: Content evaluation and remediation with the oscap tool failed: WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml file which is referenced from XCCDF content
No profile matching suffix "xccdf_org.ssgproject.content_profile_rhvh-vpp" was found. Get available profiles using:
$ oscap info "/usr/share/xml/scap/ssg/content/ssg-rhvh4-ds.xml"


Version-Release number of selected component (if applicable):
RHVH-4.4-20200325.0-RHVH-x86_64-dvd1.iso

How reproducible:
100%

Steps to Reproduce:
1. Install RHVH-4.4-20200325.0-RHVH-x86_64-dvd1.iso
2. Select a security profile, draft stig or vpp, on security policy screen 
3. Continue to finish other required configurations, and begin installation

Actual results:
1. Installation failed with the above error

Expected results:
1. Installation could succeed
2. Security check works fine

Additional info:

Comment 1 Watson Yuuma Sato 2020-03-26 11:23:00 UTC
I see that "/usr/share/xml/scap/ssg/content/ssg-rhvh4-ds.xml" is a symlink to "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml";
it should actually be a symlink to "/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml".

The rhel8 Data Stream doesn't contain the RHVH profiles.

When I run the following command, I see the rhvh-vpp profile there:

$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml
Document type: Source Data Stream
Imported: 2019-12-17T14:05:32

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhv4-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-rhv4-xccdf-1.2.xml
		Status: draft
		Generated: 2019-12-17
		Resolved: true
		Profiles:
			Title: [DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)
				Id: xccdf_org.ssgproject.content_profile_rhvh-stig
			Title: VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization Host (RHVH)
				Id: xccdf_org.ssgproject.content_profile_rhvh-vpp
		Referenced check files:
			ssg-rhv4-ocil.xml
				system: http://scap.nist.gov/schema/ocil/2
			ssg-rhv4-oval.xml
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
	Ref-Id: scap_org.open-scap_cref_ssg-rhv4-ocil.xml
	Ref-Id: scap_org.open-scap_cref_ssg-rhv4-oval.xml
	Ref-Id: scap_org.open-scap_cref_ssg-rhv4-cpe-oval.xml
Dictionaries:
	Ref-Id: scap_org.open-scap_cref_ssg-rhv4-cpe-dictionary.xml

Comment 3 Qin Yuan 2020-03-26 14:25:10 UTC
Manually modified the symlink during installation, installation succeeded:

# cd /mnt/sysimage/usr/share/xml/scap/ssg/content/
# ln -sf /usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml ssg-rhvh4-ds.xml
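
Added example (not part of the bug report or of any Red Hat tooling): a pre-flight check an image build could run to catch this class of failure, resolving the data stream symlink and confirming that the real file defines the requested XCCDF profile. The two data stream files are constructed, minimal stand-ins created in a temporary directory, the non-RHVH profile id is a placeholder, and the id matching is a simplified stand-in for oscap's own lookup.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"  # XCCDF 1.2 namespace
DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"  # SCAP source data stream

def check_profile(datastream_path, profile_id):
    """Resolve symlinks, then check that the real data stream defines profile_id."""
    real = os.path.realpath(datastream_path)
    found = [p.get("id") for p in ET.parse(real).iter(f"{{{XCCDF_NS}}}Profile")]
    # Simplified stand-in for oscap's lookup: exact id or a unique suffix match.
    hits = [i for i in found if i == profile_id or i.endswith("_" + profile_id)]
    return {"resolved": os.path.basename(real), "profiles": found, "ok": len(hits) == 1}

def _write_stream(path, ids):
    """Write a constructed, minimal data stream that holds only Profile ids."""
    profiles = "".join(f'<x:Profile id="{i}"/>' for i in ids)
    with open(path, "w") as fh:
        fh.write(f'<ds:data-stream-collection xmlns:ds="{DS_NS}" xmlns:x="{XCCDF_NS}">'
                 f'<ds:component><x:Benchmark id="constructed">{profiles}'
                 f'</x:Benchmark></ds:component></ds:data-stream-collection>')

def demo():
    wanted = "xccdf_org.ssgproject.content_profile_rhvh-vpp"
    with tempfile.TemporaryDirectory() as d:
        rhel8 = os.path.join(d, "ssg-rhel8-ds.xml")
        rhv4 = os.path.join(d, "ssg-rhv4-ds.xml")
        link = os.path.join(d, "ssg-rhvh4-ds.xml")
        # Placeholder profile id: the real rhel8 stream has other, non-RHVH profiles.
        _write_stream(rhel8, ["xccdf_org.ssgproject.content_profile_constructed-example"])
        _write_stream(rhv4, ["xccdf_org.ssgproject.content_profile_rhvh-stig", wanted])
        os.symlink(rhel8, link)   # the broken state reported in this bug
        before = check_profile(link, wanted)
        os.remove(link)
        os.symlink(rhv4, link)    # the target Comment 1 says it should have
        after = check_profile(link, wanted)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result["resolved"], "ok" if result["ok"] else "profile missing")
```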

Comment 7 Qin Yuan 2020-04-10 02:57:41 UTC
Tested RHVH-4.4-20200409.0-RHVH-x86_64-dvd1.iso, installation succeeded when security profile was selected.

Comment 9 errata-xmlrpc 2020-08-04 16:22:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (RHV Host (redhat-virtualization-host) 4.4), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:3316

