Description of problem: Adding a `%addon org_fedora_oscap` stanza to a kickstart file breaks an ISO installation.

Version-Release number of selected component (if applicable): Centos-8.3.2011-x86_64-dvd1.iso and whatever version of Anaconda is included there.

How reproducible: Every time.

Steps to Reproduce:

1. Add this stanza to a kickstart file. This is the exact example offered in the CentOS 8 kickstart documentation.

```
%addon org_fedora_oscap
    content-type = scap-security-guide
    profile = pci-dss
%end
```

2. Add the kickstart file to an expanded ISO, make a new ISO, and boot from that modified ISO.

Actual results: The installation halts before getting to the GUI Installation Summary page. The error message on the Anaconda launch console is

```
An error occurred during reading the kickstart file:
SCAP Security Guide not found on the system
The installer will now terminate.
```

Expected results: First preferred result: the installer would find the `scap-security-guide` package in the `AppStream` repository on the installation ISO. Second preferred result: The installer would launch the GUI and allow the administrator to deselect the addon.

Additional info: May be related to the Installation Source challenges in bug 1945779?
Reassigning to the oscap addon.
Adding `scap-security-guide` and `scap-security-guide-doc` to the `%packages` section does not change behavior. The error still occurs.
Hi, I think that scap-security-guide needs to be installed on the ISO, because some of the checks are run before the installation. The org_fedora_oscap addon will install it automatically on the target system if required, but it is not able to install it automatically on the ISO.
I'm missing something then. The `%addon` text I'm using is straight from https://docs.centos.org/en-US/8-docs/advanced-install/assembly_kickstart-commands-and-options-reference/#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program

```
%addon org_fedora_oscap
    content-type = scap-security-guide
    profile = pci-dss
%end
```

and that page doesn't say anything about needing to make the scap-security-guide available to the installer. If additional steps are needed for this to work, this is at least a documentation bug.

I've verified that the `scap-security-guide` and `scap-security-guide-doc` packages are available in the AppStream repository in the ISO.

```
[root@bravo ~]# find /tmp/iso/ -name 'scap-security-guide*'
/tmp/iso/AppStream/Packages/scap-security-guide-0.1.50-14.el8.noarch.rpm
/tmp/iso/AppStream/Packages/scap-security-guide-doc-0.1.50-14.el8.noarch.rpm
```

I get that the installer wouldn't know to unpack those packages so early in the install. But, that just brings me back to my original question. This `%addon` block isn't working, and halts the installer before the graphical interface even appears. I'll go dig out the installation logs and post those in a couple hours.
Created attachment 1771658 [details] TGZ of /tmp log files.
This one may turn out to be a hardware/timeout issue. Until yesterday, I was using a 64MB USB flash drive for my bootable media. The transfer rate of the `dd` command to write the ISO onto the flash drive is between 4-6MB/sec. Yesterday, I discovered a 1TB Seagate USB SSD has a transfer rate that is 10 times faster. If I `dd` to this drive, I don't get the error "during reading the kickstart file." So, I'm okay with this becoming NOTABUG, and suggesting to future ISO/kickstart users to try faster media before calling this a problem.
I have checked the content of CentOS-8.3.2011-x86_64-dvd1.iso and the scap-security-guide package seems to be installed on the ISO. So I have checked the logic that detects the availability of the scap-security-guide package in the org_fedora_oscap add-on.

From org_fedora_oscap/common.py:

```
SSG_DIR = "/usr/share/xml/scap/ssg/content/"
SSG_CONTENT = "ssg-%s%s-ds.xml" % (constants.shortProductName,
                                   constants.productVersion.strip(".")[0])

def ssg_available(root="/"):
    """
    Tries to find the SCAP Security Guide under the given root.

    :return: True if SSG was found under the given root, False otherwise
    """
    return os.path.exists(utils.join_paths(root, SSG_DIR + SSG_CONTENT))
```

This will look for something like /usr/share/xml/scap/ssg/content/ssg-cl8-ds.xml. There is no such file on the ISO.
First, "delete" https://bugzilla.redhat.com/show_bug.cgi?id=1946142#c6. I couldn't replicate the success of the faster disk device. Second, Vendula, is this something that needs to be added to documentation for an individual administrator to add to a customized ISO, or is this something that needs to be added to the ISOs distributed by CentOS? Either way, `ssg_available()` would have to be called either as `ssg_available(/run/media/repo)` or `ssg_available(/run/install/mount-0000-cdrom/)` to point the installer to the installation media.
It looks like the determination of the appropriate content is incorrect - instead of ssg-cl8-ds.xml, it should be ssg-centos8-ds.xml. We have had this issue before in a different setting, and the correct way forward seems to be to enable configuration of the content file during the RPM build process. I am not sure whether there is another problem aside from this one, and the incorrect documentation.
Hi, the name doesn't matter. There is no CentOS file on the ISO:

```
> find /usr/share/xml/scap/ssg/content/ | sort
/usr/share/xml/scap/ssg/content/
/usr/share/xml/scap/ssg/content/ssg-firefox-cpe-dictionary.xml
/usr/share/xml/scap/ssg/content/ssg-firefox-cpe-oval.xml
/usr/share/xml/scap/ssg/content/ssg-firefox-ds-1.2.xml
/usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml
/usr/share/xml/scap/ssg/content/ssg-firefox-ocil.xml
/usr/share/xml/scap/ssg/content/ssg-firefox-oval.xml
/usr/share/xml/scap/ssg/content/ssg-firefox-xccdf.xml
/usr/share/xml/scap/ssg/content/ssg-jre-cpe-dictionary.xml
/usr/share/xml/scap/ssg/content/ssg-jre-cpe-oval.xml
/usr/share/xml/scap/ssg/content/ssg-jre-ds-1.2.xml
/usr/share/xml/scap/ssg/content/ssg-jre-ds.xml
/usr/share/xml/scap/ssg/content/ssg-jre-ocil.xml
/usr/share/xml/scap/ssg/content/ssg-jre-oval.xml
/usr/share/xml/scap/ssg/content/ssg-jre-xccdf.xml
/usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml
/usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-oval.xml
/usr/share/xml/scap/ssg/content/ssg-rhel6-ds-1.2.xml
/usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
/usr/share/xml/scap/ssg/content/ssg-rhel6-ocil.xml
/usr/share/xml/scap/ssg/content/ssg-rhel6-oval.xml
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
/usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
/usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-oval.xml
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml
/usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
/usr/share/xml/scap/ssg/content/ssg-rhel8-cpe-dictionary.xml
/usr/share/xml/scap/ssg/content/ssg-rhel8-cpe-oval.xml
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml
/usr/share/xml/scap/ssg/content/ssg-rhel8-oval.xml
/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml
```
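Added example, not part of any comment in this report and not the add-on's own code: a diagnostic that mirrors the `SSG_CONTENT` lookup quoted from `common.py` and runs it against a constructed directory tree named after the listing above, to show why `cl8` and `centos8` both miss while `rhel8` is present. The `join_paths` stand-in, the helper names, and the short product names passed in are assumptions.

```python
import glob
import os
import tempfile

SSG_DIR = "/usr/share/xml/scap/ssg/content/"

# Constructed sample: datastream names taken from the listing in this report.
LISTED_DATASTREAMS = ["ssg-firefox-ds.xml", "ssg-jre-ds.xml", "ssg-rhel6-ds.xml",
                      "ssg-rhel7-ds.xml", "ssg-rhel8-ds.xml"]


def join_paths(root, path):
    """Assumed stand-in for the add-on's utils.join_paths: keep path under root."""
    return os.path.join(root, path.lstrip("/"))


def ssg_content_name(short_name, version):
    """Mirror the SSG_CONTENT expression quoted from common.py."""
    return "ssg-%s%s-ds.xml" % (short_name, version.strip(".")[0])


def diagnose(root, short_name, version):
    """Report the path the lookup would test and which datastreams exist."""
    expected = join_paths(root, SSG_DIR + ssg_content_name(short_name, version))
    pattern = join_paths(root, SSG_DIR + "ssg-*-ds.xml")
    present = sorted(os.path.basename(p) for p in glob.glob(pattern))
    return {"expected": expected,
            "found": os.path.exists(expected),
            "present": present}


def build_constructed_root():
    """Create a throwaway tree holding empty files named as in the listing."""
    root = tempfile.mkdtemp(prefix="ssg-demo-")
    content_dir = join_paths(root, SSG_DIR)
    os.makedirs(content_dir)
    for name in LISTED_DATASTREAMS:
        open(os.path.join(content_dir, name), "w").close()
    return root


if __name__ == "__main__":
    root = build_constructed_root()
    for short_name in ("cl", "centos", "rhel"):
        result = diagnose(root, short_name, "8")
        print(short_name, result["found"], result["expected"])
    print("present:", ", ".join(diagnose(root, "cl", "8")["present"]))
```

Pointing `diagnose()` at the root of an unpacked installer image instead of the constructed tree gives the same report for real media.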
This message is a reminder that Fedora Linux 34 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '34'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 34 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Fedora Linux 34 entered end-of-life (EOL) status on 2022-06-07. Fedora Linux 34 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. Thank you for reporting this bug and we are sorry it could not be fixed.