| Summary: | sync-ing of HTB (High Touch Beta) channel from RH ends in "Forbidden" | ||
|---|---|---|---|
| Product: | [Retired] Pulp | Reporter: | Paul Jochum <paul.jochum> |
| Component: | async/tasks | Assignee: | Randy Barlow <rbarlow> |
| Status: | CLOSED NOTABUG | QA Contact: | pulp-qe-list |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 2.2 Beta | CC: | mhrivnak, paul.jochum, skarmark |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-11-01 17:13:39 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Based on our experience with this feature, it is most likely that the certificate passed to pulp does not allow the path being accessed. Could you please try the following with curl, using the same certificates you gave to pulp? curl -I -k --cert path/to/cert --key path/to/key --cacert path/to/cacert https://cdn.redhat.com/content/htb/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml Let us know what HTTP response code you get back. If you can't get a 200, then pulp is definitely not the issue, and it's most likely that the certificate doesn't allow that path. Last night, was able to make some progress on this. I got the x86_64 channel for HTB working, today I am getting the following error message when I try to sync the x86_64 channel:
$ pulp-admin -u admin -p admin rpm repo sync run --repo-id=rhel-x86_64-server-6-htb
+----------------------------------------------------------------------+
Synchronizing Repository [rhel-x86_64-server-6-htb]
+----------------------------------------------------------------------+
This command may be exited by pressing ctrl+c without affecting the actual
operation on the server.
Downloading metadata...
[|]
... failed
[Errno 2] No such file or directory:
u'/var/lib/pulp/working/repos/rhel-x86_64-server-6-htb/importers/yum_importer/tm
pWyqmG9/ad5c5cf4ef87371ef55074bde96812065f5ca6b1-filelists.xml.gz'
(don't know why the line starts with a u and a tick)????
*******************************************
I have also not been able to get the i386 channel working, I just get:
$ pulp-admin -u admin -p admin rpm repo sync run --repo-id=rhel-i386-server-6-htb
+----------------------------------------------------------------------+
Synchronizing Repository [rhel-i386-server-6-htb]
+----------------------------------------------------------------------+
This command may be exited by pressing ctrl+c without affecting the actual
operation on the server.
Downloading metadata...
[\]
... failed
Not Found
*********************************************
As to the curl command, I ran it on both the x86_64 and i386 channels, and got the following (which I believe is correct, since it does return a 200)
-sh-4.1# curl -I -k --cert /etc/pki/entitlement/4293201934666443712.pem --key /etc/pki/entitlement/4293201934666443712-key.pem --cacert /etc/rhsm/ca/redhat-uep.pem https://cdn.redhat.com/content/htb/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml
HTTP/1.1 200 Connection established
HTTP/1.1 403 Forbidden
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 371
Expires: Wed, 23 Oct 2013 21:32:22 GMT
Date: Wed, 23 Oct 2013 21:32:22 GMT
X-Cache: TCP_DENIED from a216-246-75-208.deploy.akamaitechnologies.com (AkamaiGHost/6.13.4-11557381) (-)
Connection: keep-alive
X-Akamai-Request-ID: 14277128
-sh-4.1# curl -I -k --cert /etc/pki/entitlement/4293201934666443712.pem --key /etc/pki/entitlement/4293201934666443712-key.pem --cacert /etc/rhsm/ca/redhat-uep.pem https://cdn.redhat.com/content/htb/rhel/server/6/6Server/i386/os/repodata/repomd.xml
HTTP/1.1 200 Connection established
HTTP/1.1 403 Forbidden
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 365
Expires: Wed, 23 Oct 2013 21:32:47 GMT
Date: Wed, 23 Oct 2013 21:32:47 GMT
X-Cache: TCP_DENIED from a216-246-75-208.deploy.akamaitechnologies.com (AkamaiGHost/6.13.4-11557381) (-)
Connection: keep-alive
X-Akamai-Request-ID: 1427a95c
Because you are unable to retrieve the remomd.xml file using Curl, I believe we can close this bug as not being a Pulp issue. It would appear that your entitlement certificate does not have access to that repository. Please check with Red Hat Customer Support as to what you need to do to get a certificate that has access to this repository. |
Description of problem: running the command: [root@lss-pulp01 bin]# pulp-admin -u admin -p admin rpm repo sync run --repo-id=rhel-x86_64-server-6-htb +----------------------------------------------------------------------+ Synchronizing Repository [rhel-x86_64-server-6-htb] +----------------------------------------------------------------------+ This command may be exited by pressing ctrl+c without affecting the actual operation on the server. Downloading metadata... [\] ... failed Forbidden Version-Release number of selected component (if applicable): pulp-v2-testing How reproducible: on every sync Steps to Reproduce: From the mailing list pulp-list On Fri, 2013-10-18 at 14:46 -0500, Paul Jochum wrote: > On 10/18/2013 12:49 PM, Dennis Gregorovic wrote: >> On Fri, 2013-10-18 at 12:28 -0500, Paul Jochum wrote: >>> On 10/18/2013 08:13 AM, Dennis Gregorovic wrote: >>>> On Thu, 2013-10-17 at 21:44 -0500, Paul Jochum wrote: >>>>> Hi All: >>>>> >>>>> I have been asked to add Red Hat's HTB (high touch beta) feeds to >>>>> my pulp server. Does anyone know the feed paths for them? I did try >>>>> Dennis Gregorovic's sugestion of "subscription-manager repos --list", >>>>> but that didn't help for the HTB feeds. >>>>> >>>>> thanks in advance, >>>>> >>>>> Paul >>>> Hi Paul, >>>> >>>> Grep for /htb in the output of "subscription-manager repos --list". If >>>> you don't see anything, you'll need to get a HTB subscription. >>>> >>>> Cheers >>>> -- Dennis >>> Hi Dennis: >>> >>> I added the htb subscription: >>> [root@lss-pulp01 ~]# subscription-manager >>> --proxy=http://ih.proxy.lucent.com:8000 attach >>> --pool=8a85f982419ee8900141a30f640b6f08 >>> Successfully attached a subscription for: High Touch Beta for Red Hat >>> Enterprise Linux Server (4 sockets) >>> >>> and can now grep for them: >>> [root@lss-pulp01 ~]# subscription-manager >>> --proxy=http://ih.proxy.lucent.com:8000 repos --list > /tmp/repos >>> [root@lss-pulp01 ~]# grep -i htb /tmp/repos >>> Repo ID: rhel-6-server-optional-htb-rpms >>> Repo Name: Red Hat Enterprise Linux 6 Server - Optional HTB (RPMs) >>> Repo URL: >>> https://cdn.redhat.com/content/htb/rhel/server/6/$releasever/$basearch/optional/os >>> Repo ID: rhel-scalefs-for-rhel-6-server-htb-debug-rpms >>> Repo Name: Red Hat Enterprise Linux Scalable File System (for RHEL 6 >>> Server) HTB (Debug RPMs) >>> Repo URL: >>> https://cdn.redhat.com/content/htb/rhel/server/6/$releasever/$basearch/scalablefilesystem/debug >>> Repo ID: rhel-rs-for-rhel-6-server-htb-debug-rpms >>> Repo Name: Red Hat Enterprise Linux Resilient Storage (for RHEL 6 >>> Server) HTB (Debug RPMs) >>> Repo URL: >>> https://cdn.redhat.com/content/htb/rhel/server/6/$releasever/$basearch/resilientstorage/debug >>> ... >>> >>> I can also perform the repo create (note, replaced the real key file >>> names with xxx): >>> [root@lss-pulp01 ~]# pulp-admin -u admin -p admin rpm repo create >>> --proxy-host=https://ih.proxy.lucent.com --proxy-port=8000 >>> --repo-id=rhel-x86_64-server-6-htb >>> --feed=https://cdn.redhat.com/content/htb/rhel/server/6/6Server/x86_64/os --feed-ca-cert=/etc/rhsm/ca/redhat-uep.pem >>> --feed-key=/etc/pki/entitlement/xxx-key.pem >>> --feed-cert=/etc/pki/entitlement/xxx.pem >>> Successfully created repository [rhel-x86_64-server-6-htb] >>> >>> but, when I attempt to sync them, they fail: >>> [root@lss-pulp01 ~]# pulp-admin -u admin -p admin rpm repo sync run >>> --repo-id=rhel-x86_64-server-6-htb >>> +----------------------------------------------------------------------+ >>> Synchronizing Repository [rhel-x86_64-server-6-htb] >>> +----------------------------------------------------------------------+ >>> >>> This command may be exited by pressing ctrl+c without affecting the actual >>> operation on the server. >>> >>> Downloading metadata... >>> [\] >>> ... failed >>> >>> Forbidden >>> >>> >>> The following is from /var/log/pulp/pulp.log: >>> 2013-10-18 12:14:09,023 nectar.downloaders.threaded:ERROR: Download of >>> https://cdn.redhat.com/content/htb/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml >>> failed with code 403: Forbidden >>> 2013-10-18 12:14:09,023 pulp_rpm.plugins.importers.yum.sync:ERROR: sync >>> failed >>> Traceback (most recent call last): >>> File >>> "/usr/lib/python2.6/site-packages/pulp_rpm/plugins/importers/yum/sync.py", >>> line 109, in run >>> metadata_files = self.get_metadata() >>> File >>> "/usr/lib/python2.6/site-packages/pulp_rpm/plugins/importers/yum/sync.py", >>> line 194, in get_metadata >>> raise FailedException(str(e)) >>> FailedException: Forbidden >>> 2013-10-18 12:14:09,028 pulp.server.dispatch.task:ERROR: Importer >>> indicated a failed response >>> Traceback (most recent call last): >>> File "/usr/lib/python2.6/site-packages/pulp/server/dispatch/task.py", >>> line 138, in _run >>> result = call(*args, **kwargs) >>> File >>> "/usr/lib/python2.6/site-packages/pulp/server/managers/repo/sync.py", >>> line 117, in sync >>> raise PulpExecutionException(_('Importer indicated a failed response')) >>> PulpExecutionException: Importer indicated a failed response >>> 2013-10-18 12:14:09,028 pulp.server.dispatch.task:INFO: FAILURE: Task >>> e6baf8fc-cc94-4bbb-968b-bef7ab30e8d4: CallRequest: >>> RepoSyncManager.sync(u'rhel-x86_64-server-6-htb', sync_config_override=None) >> The 403 indicates a problem with the certs. It's either using the wrong >> certs or the certs aren't valid. I'd start by making sure that 'yum >> repolist --enablerepo=*htb*' works as expected. >> >> Cheers >> -- Dennis >> > Hi Dennis: > > The command yum repolist --enablerepo seems to work fine: > > [root@lss-pulp01 .pulp]# yum repolist --enablerepo=rhel-6-server-htb-rpms > Loaded plugins: product-id, refresh-packagekit, security, > subscription-manager > timed out > rhel-6-server-htb-rpms 3.4 kB 00:00 > rhel-6-server-rpms 3.7 kB 00:00 > repo id repo name status > epel Extra Packages for Enterprise Linux 6 - > x86_64 9,789 > pulp-v2-testing Pulp v2 Testing Builds > 44 > rhel-6-server-htb-rpms Red Hat Enterprise Linux 6 Server HTB > (RPMs) 1,934 > rhel-6-server-rpms Red Hat Enterprise Linux 6 Server (RPMs) > 11,029 > repolist: 22,796 > > But, the sync still fails. > > thanks, > Paul Looks like the cert isn't being used correctly in Pulp then. I'll have to defer to the Pulp folks on that topic. Cheers -- Dennis