Bug 1006985

Summary: rhn-migrate-classic-to-rhsm should abort when it encounters RHN channels that map to different products certs that share the same productId
Product: Red Hat Enterprise Linux 6
Reporter: John Sefler <jsefler>
Component: subscription-manager
Assignee: Alex Wood <awood>
Status: CLOSED ERRATA
QA Contact: John Sefler <jsefler>
Severity: medium
Priority: unspecified
Version: 6.5
CC: jesusr, mreid
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: Consequence: migration script clobbers product certs when duplicates found. Fix: Abort migration when we detect different certs with the same ID. Result:
Last Closed: 2013-11-21 21:29:02 UTC
Type: Bug
Bug Blocks: 862910    

Description John Sefler 2013-09-11 16:12:34 UTC
Description of problem:
When consuming RHN Classic channels, it is possible that among the channels being consumed, there is a mapping to product certs that share the same productId. When this happens, the rhn-migrate-classic-to-rhsm currently ends up installing each of the product certs on top of each other by the name <productId>.pem in a clobbering manner. This is a bad idea because the tags provided by the product certs could differ and the version numbers likely differ. If only the version numbers differ, then the consequence is cosmetic, but if the tags differ, then the consequence is restricted access to entitled content. The safest thing to do (after several discussions among awood, jsefler, alikins, ggainey) is to abort the migration script with an informative message. The message could suggest specific RHN channels to be removed followed by another attempt to migrate.


Version-Release number of selected component (if applicable):
[root@jsefler-6 ~]# rpm -q subscription-manager-migration subscription-manager-migration-data
subscription-manager-migration-1.9.5-1.el6.x86_64
subscription-manager-migration-data-1.12.3.2-1.el6.noarch



Steps to Reproduce:
[root@jsefler-6 ~]# rhnreg_ks --serverUrl=https://xmlrpc.rhn.code.stage.redhat.com/XMLRPC --username=qa --password=**** --force --norhnsd --nohardware --nopackages --novirtinfo

Now add channels that will map to two different product certs, for example rhel-x86_64-rhev-agent-6-server and rhel-x86_64-rhev-agent-6-server-beta which I determined map to two different product certs as follows:


[root@jsefler-6 ~]# for i in `rpm -ql subscription-manager-migration-data | egrep *x86_64.*-69.pem`; do echo $i; rct cat-cert $i | grep Version | tail -1; done;
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-23d36f276d57-69.pem
	Version: 6.3
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-323beb20e916-69.pem
	Version: 6.4 Beta
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-4b918bda53c0-69.pem
	Version: 5.9 Beta
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-6f455e15aed9-69.pem
	Version: 6.4
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-a515006cc2b2-69.pem
	Version: 5.8
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-dfb340743a6e-69.pem
	Version: 5.9

Now if I grep for the migration cert files in the mapping file, then we'll find the RHN channels that are candidates that will give rise to the issue in this bug. Let's grep for the 6.3 and 6.4 Beta certs...
[root@jsefler-6 ~]# egrep "Server-Server-x86_64-23d36f276d57-69.pem|Server-Server-x86_64-323beb20e916-69.pem" /usr/share/rhsm/product/RHEL-6/channel-cert-mapping.txt
rhel-x86_64-rhev-agent-6-server: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-rhev-agent-6-server-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-rhev-agent-6-server-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-rhev-agent-6-server-debuginfo: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-server-6: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-server-6-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6-cf-tools-1: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-server-6-cf-tools-1-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6-cf-tools-1-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6-cf-tools-1-debuginfo: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-server-6-debuginfo: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-server-hpn-6-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-hpn-6-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-optional-6-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-optional-6-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-supplementary-6-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-supplementary-6-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem

^^ Notice the first two channels in the list.  Let's classically consume these two channels...

[root@jsefler-6 ~]# rhn-channel --user qa --add -c rhel-x86_64-rhev-agent-6-server -c rhel-x86_64-rhev-agent-6-server-beta
Password: 
[root@jsefler-6 ~]# rhn-channel --list
rhel-x86_64-rhev-agent-6-server
rhel-x86_64-rhev-agent-6-server-beta
rhel-x86_64-server-6
[root@jsefler-6 ~]# 

Now we are consuming three channels, and...

[root@jsefler-6 ~]# egrep "^rhel-x86_64-rhev-agent-6-server:|^rhel-x86_64-rhev-agent-6-server-beta:|^rhel-x86_64-server-6:" /usr/share/rhsm/product/RHEL-6/channel-cert-mapping.txt
rhel-x86_64-rhev-agent-6-server: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-rhev-agent-6-server-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6: Server-Server-x86_64-23d36f276d57-69.pem

The three channels map to two unique product certs (Server-Server-x86_64-23d36f276d57-69.pem and Server-Server-x86_64-323beb20e916-69.pem) that share the same product ID (69). One of them is for RHEL 6.3 and the other is for RHEL 6.4 Beta.


Now let's migrate....

[root@jsefler-6 ~]# rhn-migrate-classic-to-rhsm --serverurl=subscription.rhn.stage.redhat.com:443/subscription
Red Hat account: qa
Password: 
System Engine Username: qa
Password: 

Retrieving existing RHN Classic subscription information...

+-----------------------------------------------------+
System is currently subscribed to these RHN Classic Channels:
+-----------------------------------------------------+
rhel-x86_64-server-6
rhel-x86_64-rhev-agent-6-server-beta
rhel-x86_64-rhev-agent-6-server

+-----------------------------------------------------+
Installing product certificates for these RHN Classic channels:
+-----------------------------------------------------+
rhel-x86_64-server-6
rhel-x86_64-rhev-agent-6-server-beta
rhel-x86_64-rhev-agent-6-server

Product certificates installed successfully to /etc/pki/product.

Preparing to unregister system from RHN Classic...
System successfully unregistered from RHN Classic.

Attempting to register system to Red Hat Subscription Management...
The system has been registered with ID: 76a338be-0651-4559-8243-c5eadf5ded23 
System 'jsefler-6.usersys.redhat.com' successfully registered to Red Hat Subscription Management.

Attempting to auto-attach to appropriate subscriptions...
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status:       Subscribed


Please visit https://access.redhat.com/management/consumers/76a338be-0651-4559-8243-c5eadf5ded23 to view the details, and to make changes if necessary.
[root@jsefler-6 ~]# subscription-manager list --installed
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux Server
Product ID:     69
Version:        6.3
Arch:           x86_64
Status:         Subscribed
Status Details: 
Starts:         12/31/2012
Ends:           12/31/2013

[root@jsefler-6 ~]# ls /etc/pki/product/
69.pem

^^^ Notice that ONLY the RHEL 6.3 product cert was migrated as the 69.pem product.  It was the last cert migrated and it clobbered the RHEL6.4 Beta product cert.


Consensus among developers is that this circumstance should be detected by the script and aborted with an informative message.

Comment 2 John Sefler 2013-09-26 20:10:32 UTC
Adding mreid to help us with an informative message that states something like this:

These currently subscribed RHN Classic Channels [%s] map to multiple product certs that have Product ID %s in common.  Remove one or more of these conflicting RHN Classic Channels before attempting to migrate from RHN to RHSM.  Aborting.

Comment 3 Matt Reid 2013-09-27 13:48:52 UTC
Alex talked to me yesterday about this and I believe put in a PR with what we came up with. Are we still looking for a string on this?

Comment 4 Alex Wood 2013-09-27 19:49:47 UTC
(In reply to Matt Reid from comment #3)
> Alex talked to me yesterday about this and I believe put in a PR with what
> we came up with. Are we still looking for a string on this?

We're good.

Comment 5 Alex Wood 2013-09-27 20:40:27 UTC
commit 5873b8421267854a96f1be83621e79fb6431d7ba
Author: Alex Wood <awood>
Date:   Thu Sep 19 14:42:15 2013 -0400

    1006985: Abort migration when we detect different certs with the same ID.

Please note that this commit adds new strings!

Comment 9 John Sefler 2013-10-08 19:14:00 UTC
Verifying Version...
[root@jsefler-6 ~]# rpm -q subscription-manager-migration
subscription-manager-migration-1.9.9-1.el6.x86_64
[root@jsefler-6 ~]# rpm -q subscription-manager-migration-data
subscription-manager-migration-data-2.0.4-1.el6.noarch


[root@jsefler-6 ~]# rhnreg_ks --serverUrl=https://xmlrpc.rhn.code.stage.redhat.com/XMLRPC --username=qa --password=**** --force --norhnsd --nohardware --nopackages --novirtinfo
[root@jsefler-6 ~]# rhn-channel --user qa --add -c rhel-x86_64-rhev-agent-6-server -c rhel-x86_64-rhev-agent-6-server-beta
Password: 
[root@jsefler-6 ~]# rhn-migrate-classic-to-rhsm --serverurl=subscription.rhn.stage.redhat.com:443/subscription
Red Hat account: qa
Password: 
System Engine Username: qa
Password: 

Retrieving existing RHN Classic subscription information...

+-----------------------------------------------------+
System is currently subscribed to these RHN Classic Channels:
+-----------------------------------------------------+
rhel-x86_64-server-6
rhel-x86_64-rhev-agent-6-server-beta
rhel-x86_64-rhev-agent-6-server

+-----------------------------------------------------+
Unable to continue migration!
+-----------------------------------------------------+
You are subscribed to channels that have conflicting product certificates.
The following channels map to product ID 69:
	rhel-x86_64-rhev-agent-6-server
	rhel-x86_64-rhev-agent-6-server-beta
	rhel-x86_64-server-6
Reduce the number of channels per product ID to 1 and run migration again.
To remove a channel, use 'rhn-channel --remove --channel=<conflicting_channel>'.
[root@jsefler-6 ~]# 


^^^^ VERIFIED: When consuming channels that map to different versions of the same product ID, the migration script aborts.

Note: By inspecting the channel-cert-mapping.txt, we can see that these three channels map to three different hashed versions of 69.pem
[root@jsefler-6 ~]# egrep "^rhel-x86_64-rhev-agent-6-server:|^rhel-x86_64-rhev-agent-6-server-beta:|^rhel-x86_64-server-6:" /usr/share/rhsm/product/RHEL-6/channel-cert-mapping.txt
rhel-x86_64-rhev-agent-6-server: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-rhev-agent-6-server-beta: Server-Server-x86_64-e774841f1bf0-69.pem
rhel-x86_64-server-6: Server-Server-x86_64-06e8bd9df3f0-69.pem
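
A pre-migration check along the lines this bug asks for, as an added example (not the code from the commit above and not part of subscription-manager): it groups the subscribed channels by the product ID in the mapped cert filename and flags any ID reached through more than one distinct cert file. It assumes the product ID is the numeric suffix before .pem, as in the filenames in the bug description; example-channel-6 and its cert name are constructed.

```python
import re
import sys
from collections import defaultdict

# Mapping lines copied from the grep output in the bug description; the last
# line is a constructed entry with a different product ID, for contrast.
SAMPLE_MAPPING = """\
rhel-x86_64-rhev-agent-6-server: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-rhev-agent-6-server-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6: Server-Server-x86_64-23d36f276d57-69.pem
example-channel-6: Example-x86_64-000000000000-999.pem
"""

# Assumption: the product ID is the digits between the last '-' and '.pem'.
PRODUCT_ID_RE = re.compile(r"-(\d+)\.pem$")


def parse_mapping(text):
    """Parse 'channel: cert-file' lines into a dict, skipping malformed lines."""
    mapping = {}
    for line in text.splitlines():
        channel, sep, cert = line.partition(":")
        if sep and channel.strip() and cert.strip():
            mapping[channel.strip()] = cert.strip()
    return mapping


def find_conflicts(mapping, subscribed):
    """Return {product_id: {cert_file: [channels]}} for every product ID that
    the subscribed channels reach through more than one distinct cert file."""
    by_id = defaultdict(lambda: defaultdict(list))
    for channel in subscribed:
        match = PRODUCT_ID_RE.search(mapping.get(channel, ""))
        if match:  # unmapped channels and unparsable cert names are skipped
            by_id[match.group(1)][mapping[channel]].append(channel)
    return {pid: {cert: sorted(chans) for cert, chans in certs.items()}
            for pid, certs in by_id.items() if len(certs) > 1}


if __name__ == "__main__":
    subscribed = ["rhel-x86_64-server-6", "rhel-x86_64-rhev-agent-6-server-beta",
                  "rhel-x86_64-rhev-agent-6-server"]
    conflicts = find_conflicts(parse_mapping(SAMPLE_MAPPING), subscribed)
    for pid, certs in sorted(conflicts.items()):
        print("Product ID %s would be written to %s.pem by %d different certs:"
              % (pid, pid, len(certs)))
        for cert, channels in sorted(certs.items()):
            print("  %s <- %s" % (cert, ", ".join(channels)))
    sys.exit(1 if conflicts else 0)  # non-zero exit: do not migrate yet
```

Two channels that share one cert file (here rhel-x86_64-server-6 and rhel-x86_64-rhev-agent-6-server) are not reported on their own, since installing the same file twice clobbers nothing.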

Comment 10 errata-xmlrpc 2013-11-21 21:29:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1659.html