Bug 1011082
| Summary: | Subscription-manager removes RHUI client certificates under /etc/pki/entitlement during "subscription-manager clean" | |||
|---|---|---|---|---|
| Product: | Red Hat Update Infrastructure for Cloud Providers | Reporter: | Ina Panova <ipanova> | |
| Component: | RHUA | Assignee: | dgao | |
| Status: | CLOSED ERRATA | QA Contact: | Ina Panova <ipanova> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 2.1.2 | CC: | alikins, cbillett, dgao, jmatthew, melewis, tsanders, vkuznets | |
| Target Milestone: | --- | |||
| Target Release: | 2.1.3 | |||
| Hardware: | Unspecified | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: |
This update fixes an issue where RHUI was sharing a directory with subscription-manager for certificates. When the subscription-manager deleted its own certificates it deleted everything in the directory causing the RHUI certificates to be deleted as well. The certificates are now placed in /etc/pki/rhui instead of /etc/pki/entitlement/ so that subscription-manager will no longer delete the RHUI certificates.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1019992 (view as bug list) | Environment: | ||
| Last Closed: | 2013-12-17 20:10:32 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
The problem that I found on this system is here... [root@ip-10-164-16-250 yum.repos.d]# ls /etc/pki/entitlement/ ca.crt cdn.redhat.com-chain.crt content-rhel5.key product rhui-client-config-server-5.key Why are these RHUI certificates located in /etc/pki/entitlement/ ? The /etc/pki/entitlement/ directory is a default configuration used by subscription-manager... [root@ip-10-164-16-250 ~]# grep entitlement /etc/rhsm/rhsm.conf entitlementCertDir = /etc/pki/entitlement When subscription-manager clean is executed, the contents of /etc/pki/entitlement/ are deleted which screws up all of these redhat-rhui repo files that are pointing to certificates in /etc/pki/entitlement [root@ip-10-164-16-250 ~]# grep "/etc/pki/entitlement" /etc/yum.repos.d/*.repo /etc/yum.repos.d/redhat-rhui-client-config.repo:sslcacert=/etc/pki/entitlement/cdn.redhat.com-chain.crt /etc/yum.repos.d/redhat-rhui-client-config.repo:sslclientcert=/etc/pki/entitlement/product/rhui-client-config-server-5.crt /etc/yum.repos.d/redhat-rhui-client-config.repo:sslclientkey=/etc/pki/entitlement/rhui-client-config-server-5.key /etc/yum.repos.d/redhat-rhui.repo:sslclientkey=/etc/pki/entitlement/content-rhel5.key /etc/yum.repos.d/redhat-rhui.repo:sslclientcert=/etc/pki/entitlement/product/content-rhel5.crt /etc/yum.repos.d/redhat-rhui.repo:sslcacert=/etc/pki/entitlement/cdn.redhat.com-chain.crt /etc/yum.repos.d/redhat-rhui.repo:sslclientkey=/etc/pki/entitlement/content-rhel5.key /etc/yum.repos.d/redhat-rhui.repo:sslclientcert=/etc/pki/entitlement/product/content-rhel5.crt /etc/yum.repos.d/redhat-rhui.repo:sslcacert=/etc/pki/entitlement/cdn.redhat.com-chain.crt /etc/yum.repos.d/redhat-rhui.repo:sslclientkey=/etc/pki/entitlement/content-rhel5.key /etc/yum.repos.d/redhat-rhui.repo:sslclientcert=/etc/pki/entitlement/product/content-rhel5.crt /etc/yum.repos.d/redhat-rhui.repo:sslcacert=/etc/pki/entitlement/cdn.redhat.com-chain.crt /etc/yum.repos.d/redhat-rhui.repo:sslclientkey=/etc/pki/entitlement/content-rhel5.key /etc/yum.repos.d/redhat-rhui.repo:sslclientcert=/etc/pki/entitlement/product/content-rhel5.crt /etc/yum.repos.d/redhat-rhui.repo:sslcacert=/etc/pki/entitlement/cdn.redhat.com-chain.crt It seems to me that an arm wrestling match between the RHUI team and the RHSM team over the right to write to /etc/pki/entitlement/ is in order. (In reply to John Sefler from comment #1) > Why are these RHUI certificates located in /etc/pki/entitlement/ ? > > The /etc/pki/entitlement/ directory is a default configuration used by > subscription-manager... > > When subscription-manager clean is executed, the contents of > /etc/pki/entitlement/ are deleted which screws up all of these redhat-rhui > repo files that are pointing to certificates in /etc/pki/entitlement Subscription-manager's behavior here doesn't seem correct: 1) If this directory is RHSM-specific - why is has so generalized name? Why not "/etc/pki/rhsm/entitlements"? 2) Why does subscription-manager remove _all_ content from directory no matter who brought it here? Files in "/etc" are usually supposed to be edited/added by humans. 3) If this directory is rhsm-specific data/cache - why it is not under "/var"? (In reply to Vitaly Kuznetsov from comment #2) > (In reply to John Sefler from comment #1) > > Why are these RHUI certificates located in /etc/pki/entitlement/ ? > > > > The /etc/pki/entitlement/ directory is a default configuration used by > > subscription-manager... > > > > When subscription-manager clean is executed, the contents of > > /etc/pki/entitlement/ are deleted which screws up all of these redhat-rhui > > repo files that are pointing to certificates in /etc/pki/entitlement > > Subscription-manager's behavior here doesn't seem correct: > 1) If this directory is RHSM-specific - why is has so generalized name? Why > not "/etc/pki/rhsm/entitlements"? No idea. "historical reasons". The content is meant to be managed by subscription-manager, and used by yum. > 2) Why does subscription-manager remove _all_ content from directory no > matter who brought it here? Files in "/etc" are usually supposed to be > edited/added by humans. Tend to agree it shouldn't delete stuff it didn't put there. But then again, manually provisioning rhsm entitlement certs there is more or less supported (for disconnected, or loosely connected scenarios). Not deleting unknown ent certs (or anything unknown) on "clean" seems reasonable. > 3) If this directory is rhsm-specific data/cache - why it is not under > "/var"? Not really a cache (yum is setup to assume those certs exists, and doesn't do anything to refresh them if not). /etc/pki/ is the normal place for installing certificates. Commit: 5b92c5cce67b222e322d68dc7ccac315a2da1048 and 654dee3c2c5d004e5dcbc4ab3f4ce51f7bb99f30 This fixes the RHUI side by placing certs into /etc/pki/rhui instead of /etc/pki/entitlement/. Also opened up https://bugzilla.redhat.com/show_bug.cgi?id=1019992 to keep track of the changes needed to be made on subscription-manager to not delete certs it didn't put in /etc/pki/entitlements. tested in rh-rhui-tools-2.1.27-1.git.4.b7072ef.el6.noarch pulp-0.0.263-38.git.1.7f842df.el6.noarch Move to verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1854.html |
Description of problem: After installing rhel5.10 with no changes made on it perform 'subscription-manager clean' command. After that, any yum command(yum install, update, repolist, etc.) fails. Version-Release number of selected component (if applicable): subscription-manager-1.8.22-1.el5 How reproducible: always Steps to Reproduce: [root@ip-10-245-114-124 ~]# rpm -qa subscription-manager subscription-manager-1.8.22-1.el5 [root@ip-10-245-114-124 ~]# yum repolist Loaded plugins: amazon-id, fastestmirror, product-id, rhui-lb, security Determining fastest mirrors * rhui-REGION-client-config-server-5: rhui2-cds01.us-east-1.aws.ce.redhat.com * rhui-REGION-rhel-server: rhui2-cds01.us-east-1.aws.ce.redhat.com rhui-REGION-client-config-server-5 | 2.3 kB 00:00 rhui-REGION-client-config-server-5/primary_db | 4.5 kB 00:00 rhui-REGION-rhel-server | 3.7 kB 00:00 rhui-REGION-rhel-server/primary_db | 7.6 MB 00:00 Excluding Packages from Red Hat Enterprise Linux Server 5 (RPMs) Finished repo id repo name status rhui-REGION-client-config-server-5 Red Hat Update Infrastructure 2.0 Client Configuration Server 5 3 rhui-REGION-rhel-server Red Hat Enterprise Linux Server 5 (RPMs) 15,263+80 repolist: 15,266 [root@ip-10-245-114-124 ~]# subscription-manager list No installed products to list [root@ip-10-245-114-124 ~]# yum repolist Loaded plugins: amazon-id, fastestmirror, product-id, rhui-lb, security Loading mirror speeds from cached hostfile * rhui-REGION-client-config-server-5: rhui2-cds01.us-east-1.aws.ce.redhat.com * rhui-REGION-rhel-server: rhui2-cds01.us-east-1.aws.ce.redhat.com Excluding Packages from Red Hat Enterprise Linux Server 5 (RPMs) Finished repo id repo name status rhui-REGION-client-config-server-5 Red Hat Update Infrastructure 2.0 Client Configuration Server 5 3 rhui-REGION-rhel-server Red Hat Enterprise Linux Server 5 (RPMs) 15,263+80 repolist: 15,266 [root@ip-10-245-114-124 ~]# subscription-manager clean All local data removed [root@ip-10-245-114-124 ~]# yum repolist Loaded plugins: amazon-id, fastestmirror, product-id, rhui-lb, security Loading mirror speeds from cached hostfile * rhui-REGION-client-config-server-5: rhui2-cds01.us-east-1.aws.ce.redhat.com Traceback (most recent call last): File "/usr/bin/yum", line 29, in ? yummain.user_main(sys.argv[1:], exit_code=True) File "/usr/share/yum-cli/yummain.py", line 309, in user_main errcode = main(args) File "/usr/share/yum-cli/yummain.py", line 178, in main result, resultmsgs = base.doCommands() File "/usr/share/yum-cli/cli.py", line 349, in doCommands return self.yum_cli_commands[self.basecmd].doCommand(self, self.basecmd, self.extcmds) File "/usr/share/yum-cli/yumcommands.py", line 788, in doCommand base.repos.populateSack() File "/usr/lib/python2.4/site-packages/yum/repos.py", line 232, in populateSack self.doSetup() File "/usr/lib/python2.4/site-packages/yum/repos.py", line 79, in doSetup self.ayum.plugins.run('postreposetup') File "/usr/lib/python2.4/site-packages/yum/plugins.py", line 179, in run func(conduitcls(self, self.base, conf, **kwargs)) File "/usr/lib/yum-plugins/fastestmirror.py", line 205, in postreposetup_hook repo.setupGrab() File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 463, in setupGrab self._setupGrab() File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 474, in _setupGrab ugopts = self._default_grabopts() File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 486, in _default_grabopts opts = { 'keepalive': self.keepalive, File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 656, in _getSslContext sslCtx.load_cert(self.sslclientcert, self.sslclientkey) File "/usr/lib64/python2.4/site-packages/M2Crypto/SSL/Context.py", line 74, in load_cert m2.ssl_ctx_use_cert(self.ctx, certfile) M2Crypto.SSL.SSLError: No such file or directory Actual results: yum command fails Expected results: yum should work normally Additional info: