RHEL9 GUI Kickstart install of CIS Workstation Level 2 aborts

[yuumasato]

Description of problem:

Installation of a RHEL9 GUI via Kickstart with CIS Worksation Level 2 fails.
The Anaconda logs seem to indicate that the mountpoints don't exist.

SCAP Security Guide Version:

Upstream as of 2ce85d7

Operating System Version:

RHEL9

Steps to Reproduce:

Example install command

1. virt-install --name=test_suite_vm --memory=4096 --vcpus=2 --hvm --network bridge=virbr0 --disk path=,size=20 --location --initrd-inject ssg-rhel9-cis_workstation_l2-ks.cfg --wait 0 --graphics vnc --extra-args "inst.ks=file:/ssg-rhel9-cis_workstation_l2-ks.cfg inst.addrepo=AppStream, inst.addrepo=ssg,http://192.168.122.1/ssg console=ttyS0 inst.graphical notmux systemd.journald.forward_to_console=1" --noautoconsole'

Actual Results:

[  160.705959] anaconda[1803]: anaconda: misc: OSCAP Addon: Done with analysis
[  160.723837] org.fedoraproject.Anaconda.Modules.Storage[1858]: INFO:blivet:registered action: [157] create format xfs filesystem mounted at /var/tmp on lvmlv VolGroup-LogVol7 (id 151)
[  160.762998] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup ; incomplete: False ; hidden: False ;
[  160.799797] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 19.5 GiB lvmvg VolGroup (118)
[  160.832353] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup-LogVol03 ; incomplete: False ; hidden: False ;
[  160.868332] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned None
[  160.896791] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:                XFS.supported: supported: True ;
[  160.921923] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:get_format('xfs') returning XFS instance with object id 159
[  160.949959] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:get_format('None') returning DeviceFormat instance with object id 161
[  160.980221] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:                              LVMVolumeGroupDevice.add_child: name: VolGroup ; child: LogVol03 ; kids: 4 ;
[  161.014676] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:                            LVMLogicalVolumeDevice._set_format: VolGroup-LogVol03 ; type: xfs ; current: None ;
[  161.044840] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:get_format('None') returning DeviceFormat instance with object id 163
[  161.068518] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:                              LVMVolumeGroupDevice.remove_child: name: VolGroup ; child: LogVol03 ; kids: 5 ;
[  161.099594] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:                            LVMVolumeGroupDevice.add_child: name: VolGroup ; child: LogVol03 ; kids: 4 ;
[  161.131051] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:                          LVMLogicalVolumeDevice._set_format: VolGroup-LogVol03 ; type: xfs ; current: None ;
[  161.161780] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:                            LVMLogicalVolumeDevice.read_current_size: exists: False ; path: /dev/mapper/VolGroup-LogVol03 ; sysfs_path:  ;
[  161.198133] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:VolGroup size is 19.5 GiB

...[snip]...

[  171.403394] anaconda[1803]: anaconda: core.util: Skipping detection of SMT.
[  171.417759] anaconda[1803]: anaconda: misc: OSCAP addon: Executing subprocess: 'oscap xccdf generate fix --template=urn:redhat:anaconda:pre --profile=xccdf_org.ssgproject.content_profile_cis_workstation_l2 --datastream-id=scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml --xccdf-id=scap_org.open-scap_cref_ssg-rhel9-xccdf.xml /tmp/openscap_data/ssg-rhel9-ds.xml'
[  171.479330] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup-LogVol02 ; incomplete: True ; hidden: True ;
[  171.509148] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 1024 MiB lvmlv VolGroup-LogVol02 (133) with non-existent xfs filesystem mounted at /home
[  171.543553] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup-LogVol02 ; incomplete: True ; hidden: True ;
[  171.571491] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 1024 MiB lvmlv VolGroup-LogVol02 (133) with non-existent xfs filesystem mounted at /home
[  171.605395] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:anaconda.modules.storage.devicetree.handler:Mount options of VolGroup-LogVol02 are set to 'nodev,nosuid'.
[  171.633800] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup-LogVol01 ; incomplete: True ; hidden: True ;
[  171.661737] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 1024 MiB lvmlv VolGroup-LogVol01 (142) with non-existent xfs filesystem mounted at /tmp
[  171.695060] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup-LogVol01 ; incomplete: True ; hidden: True ;
[  171.721793] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 1024 MiB lvmlv VolGroup-LogVol01 (142) with non-existent xfs filesystem mounted at /tmp
[  171.755214] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:anaconda.modules.storage.devicetree.handler:Mount options of VolGroup-LogVol01 are set to 'nodev,noexec,nosuid'.
[  171.783773] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup-LogVol03 ; incomplete: True ; hidden: True ;
[  171.813837] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 3 GiB lvmlv VolGroup-LogVol03 (160) with non-existent xfs filesystem mounted at /var
[  171.851009] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup-LogVol03 ; incomplete: True ; hidden: True ;
[  171.879329] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 3 GiB lvmlv VolGroup-LogVol03 (160) with non-existent xfs filesystem mounted at /var
[  171.917820] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:anaconda.modules.storage.devicetree.handler:Mount options of VolGroup-LogVol03 are set to 'defaults,nodev,nosuid'.
[  171.947796] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup-LogVol04 ; incomplete: True ; hidden: True ;
[  171.976923] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 1024 MiB lvmlv VolGroup-LogVol04 (169) with non-existent xfs filesystem mounted at /var/log
[  172.025301] org.fedoraproject.Anaconda.Modules.Payloads[1855]: DEBUG:anaconda.modules.payloads.payload.dnf.dnf:Packages are set to 'PackagesConfigurationData(broken_ignored=False, core_group_enabled=True, default_environment_enabled=False, docs_excluded=False, environment='graphical-server-environment', excluded_groups=[], excluded_packages=['openldap-clients', 'rsync-daemon', 'net-snmp', 'dhcp-server', 'mcstrans', 'tftp-server', 'tftp', 'avahi-autoipd', 'bind', 'telnet-server', 'squid', 'avahi', 'dovecot', 'vsftpd', 'samba', 'httpd', 'telnet'], groups=['Base'], groups_package_types={}, languages='all', missing_ignored=False, multilib_policy='best', packages=['python3', 'scap-security-guide', 'audit', 'aide', 'nftables', 'sudo', 'libselinux', 'rsyslog'], retries=-1, timeout=-1, weakdeps_excluded=False)'.
[  172.191747] org.fedoraproject.Anaconda.Modules.Network[1873]: DEBUG:anaconda.modules.network.firewall.firewall:Services that will be allowed through the firewall: ['ssh']

....[snip]...

[  175.294549] anaconda[1803]: anaconda: ui.gui.helpers: kickstart installation stopped for info: User interaction required on spoke Security Profile
[  175.296783] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 1024 MiB lvmlv VolGroup-LogVol04 (169) with non-existent xfs filesystem mounted at /var/log
[  175.300897] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup-LogVol05 ; incomplete: True ; hidden: True ;
[  175.304364] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 512 MiB lvmlv VolGroup-LogVol05 (178) with non-existent xfs filesystem mounted at /var/log/audit
[  175.308054] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup-LogVol7 ; incomplete: True ; hidden: True ;
[  175.311489] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 1024 MiB lvmlv VolGroup-LogVol7 (151) with non-existent xfs filesystem mounted at /var/tmp
[  175.314553] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup-LogVol02 ; incomplete: True ; hidden: True ;
[  175.315181] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 1024 MiB lvmlv VolGroup-LogVol02 (133) with non-existent xfs filesystem mounted at /home
[  175.318864] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup-LogVol01 ; incomplete: True ; hidden: True ;
[  175.324352] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 1024 MiB lvmlv VolGroup-LogVol01 (142) with non-existent xfs filesystem mounted at /tmp
[  175.325520] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup-LogVol03 ; incomplete: True ; hidden: True ;
[  175.330503] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 3 GiB lvmlv VolGroup-LogVol03 (160) with non-existent xfs filesystem mounted at /var
[  175.336244] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup-LogVol04 ; incomplete: True ; hidden: True ;
[  175.340263] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 1024 MiB lvmlv VolGroup-LogVol04 (169) with non-existent xfs filesystem mounted at /var/log
[  175.344234] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup-LogVol05 ; incomplete: True ; hidden: True ;
[  175.351167] systemd[1]: systemd-hostnamed.service: Deactivated successfully.
[  175.364008] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 512 MiB lvmlv VolGroup-LogVol05 (178) with non-existent xfs filesystem mounted at /var/log/audit
[  175.365087] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name: name: VolGroup-LogVol7 ; incomplete: True ; hidden: True ;
[  175.370264] org.fedoraproject.Anaconda.Modules.Storage[1858]: DEBUG:blivet:             DeviceTree.get_device_by_name returned non-existent 1024 MiB lvmlv VolGroup-LogVol7 (151) with non-existent xfs filesystem mounted at /var/tmp
[  175.377168] anaconda[1803]: anaconda: ui.gui.helpers: kickstart installation stopped for info: User interaction required on spoke Security Profile
[  904.628512] systemd[1]: Starting Cleanup of Temporary Directories...

Expected Results:

Install with kickstart finishes

Additional Information/Debugging Steps:

[mildas]

The Anaconda logs seem to indicate that the mountpoints don't exist.

I confirm. The problem is missing /dev/shm partition in kickstart.

[mildas]

/dev/shm is not the only problem. With the /dev/shm fix, installation starts but fails at the beginning:

 Problem: package libsane-hpaio-3.21.2-6.el9.x86_64 requires libavahi-core.so.7()(64bit), but none of the providers can be installed
  - cannot install the best candidate for the job
  - package avahi-0.8-12.el9.x86_64 is filtered out by exclude filtering

We should check if the package related requirement is mandatory. If not, I'd propose removal from profile.

[mildas]

The package conflict is relevant only on CIS Workstation Level 2 + Server with GUI package selection combination.

[Mab879]

It seems that the removal of avahi is in direct conflict with libsane-hpaio being mandatory for the GNOME package group. You can remove the package once the install is done.