Bug 1026501
Summary: | deleting consumer will move splice identity cert | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Chris Duryee <cduryee> | |
Component: | subscription-manager | Assignee: | Devan Goodwin <dgoodwin> | |
Status: | CLOSED CURRENTRELEASE | QA Contact: | John Sefler <jsefler> | |
Severity: | unspecified | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 7.0 | CC: | bkearney, dgoodwin, omaciel, vkuznets, xdmoon | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1028074 | Environment: | ||
Last Closed: | 2014-06-13 13:23:11 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 863175, 1028074 |
Description
Chris Duryee
2013-11-04 19:41:00 UTC
Running "subscription-manager clean" after setup will cause this to happen as well.

https://access.redhat.com/site/solutions/532423 created based on this Bugzilla (thanks beav & team for the heads-up!)

Moving to subscription manager to have it stop cleaning out certs it did not create.

I think we already hit this issue with RHUI: https://bugzilla.redhat.com/show_bug.cgi?id=1011082 (it was about /etc/pki/entitlements but the essence is the same) and then a bug against subscription-manager was created: https://bugzilla.redhat.com/show_bug.cgi?id=1019992
Unfortunately it was closed as 'WONTFIX'.

I wontfix'd the entitlements one as that's a big problem, we have a lot of code assuming it can read everything in that directory. Fixing it would basically mean we need to keep track of what certs we wrote somewhere, which probably means we'd just start putting them somewhere else and abandon the directory we use now. However these are both directories we create/manage, there was no discussion of other apps dropping certs in them.

For consumer certs, this is less of an issue as I think we go straight to a specific filename, however, for precedent, I'd like to push that we go for the cleaner option where each app creates and manages its own certs, and we don't try to drop them all into one place. It's consistent with the decision for entitlements, it's less likely to cause issues, and will work on already released versions of subscription-manager/RHEL.

I spoke to Chris, he's going to get splice storing its cert in its own location but asks that we clarify that those are not general purpose directories.

So TL;DR: We will stop deleting these directories and get them owned by our RPM, but other apps will still be responsible for storing their own certs in their own dirs.

Fixed in subscription-manager.git as of a9dc0beddd00a72844a15daa7dd6d97a0a1d65ea. Will appear in subscription-manager-1.10.14-1.

Our rpms now own /etc/pki/consumer and /etc/pki/entitlement.
On clean or unregister, we delete only our identity cert and key from /etc/pki/consumer, and only *.pem files in /etc/pki/entitlement. The directories themselves should never be completely removed now.

I will verify the following new behavior as indicated in comment 7...

When a consumer is deleted at the server, the /etc/pki/consumer/ directory is copied to /etc/pki/consumer.old/ and the cert.pem/key.pem pair that was in the /etc/pki/consumer/ directory is deleted, leaving behind the Splice cert/key pair. The former behavior simply renamed the directory from /etc/pki/consumer/ to /etc/pki/consumer.old/, thereby eliminating the /etc/pki/consumer/ directory.

Verifying Version...

[root@jsefler-7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.9.3-1
subscription-manager: 1.10.14-1.el7
python-rhsm: 1.10.12-1.el7

Let's begin by verifying what happens when the consumer is deleted at the server...

[root@jsefler-7 ~]# subscription-manager register --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password:
Organization: admin
The system has been registered with ID: 90acc7c0-14ff-4416-a650-42c3266cd092
[root@jsefler-7 ~]# ls -l /etc/pki
total 8
drwxr-xr-x. 6 root root 57 Jan 15 08:50 CA
drwxr-xr-x. 4 root root 48 Jan 21 19:52 ca-trust
drwxr-xr-x. 2 root root 35 Feb 13 13:12 consumer
drwxr-xr-x. 2 root root 6 Feb 13 02:59 entitlement
drwxr-xr-x. 2 root root 20 Jan 21 19:52 java
drwxr-xr-x. 2 root root 97 Jan 29 12:39 nssdb
drwxrwxr-x. 2 pesign pesign 51 Jan 21 20:04 pesign
drwxr-xr-x. 2 root root 4096 Feb 13 01:48 product
drwxr-xr-x. 2 root root 4096 Jan 21 19:57 rpm-gpg
drwx------. 2 root root 6 Jan 21 10:28 rsyslog
drwxr-xr-x. 5 root root 76 Jan 21 19:53 tls
[root@jsefler-7 ~]# ls -l /etc/pki/consumer/
total 8
-rw-r-----. 1 root root 1306 Feb 13 13:12 cert.pem
-rw-r-----. 1 root root 1679 Feb 13 13:12 key.pem

Faking the existence of a valid splice cert/key pair...

[root@jsefler-7 ~]# cp /etc/pki/consumer/cert.pem /etc/pki/consumer/Splice_identity.cert
[root@jsefler-7 ~]# cp /etc/pki/consumer/key.pem /etc/pki/consumer/Splice_identity.key
[root@jsefler-7 ~]# ls -l /etc/pki/consumer/
total 16
-rw-r-----. 1 root root 1306 Feb 13 13:12 cert.pem
-rw-r-----. 1 root root 1679 Feb 13 13:12 key.pem
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key

Now let's delete the consumer at the server...

[root@jsefler-7 ~]# curl -k -u admin:admin --request DELETE https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/consumers/90acc7c0-14ff-4416-a650-42c3266cd092
[root@jsefler-7 ~]# service rhsmcertd restart
Redirecting to /bin/systemctl restart rhsmcertd.service
[root@jsefler-7 ~]# sleep 120
[root@jsefler-7 ~]# ls -l /etc/pki
total 8
drwxr-xr-x. 6 root root 57 Jan 15 08:50 CA
drwxr-xr-x. 4 root root 48 Jan 21 19:52 ca-trust
drwxr-xr-x. 2 root root 59 Feb 13 13:20 consumer
drwxr-xr-x. 2 root root 88 Feb 13 13:14 consumer.old
drwxr-xr-x. 2 root root 6 Feb 13 02:59 entitlement
drwxr-xr-x. 2 root root 20 Jan 21 19:52 java
drwxr-xr-x. 2 root root 97 Jan 29 12:39 nssdb
drwxrwxr-x. 2 pesign pesign 51 Jan 21 20:04 pesign
drwxr-xr-x. 2 root root 4096 Feb 13 01:48 product
drwxr-xr-x. 2 root root 4096 Jan 21 19:57 rpm-gpg
drwx------. 2 root root 6 Jan 21 10:28 rsyslog
drwxr-xr-x. 5 root root 76 Jan 21 19:53 tls
[root@jsefler-7 ~]# ls -l /etc/pki/consumer.old/
total 16
-rw-r-----. 1 root root 1306 Feb 13 13:12 cert.pem
-rw-r-----. 1 root root 1679 Feb 13 13:12 key.pem
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key
[root@jsefler-7 ~]# ls -l /etc/pki/consumer
total 8
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key
[root@jsefler-7 ~]#

VERIFIED: When rhsmcertd detects that the consumer has been deleted at the server, a backup of the consumer directory and contents is made and then cert.pem and key.pem are removed from /etc/pki/consumer, leaving behind the Splice cert/key.

Now let's verify clean...

[root@jsefler-7 ~]# subscription-manager register --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password:
Organization: admin
The system has been registered with ID: 6f4e2445-f24b-4628-adde-5c67f2210001
[root@jsefler-7 ~]# ls -l /etc/pki/consumer
total 16
-rw-r-----. 1 root root 1306 Feb 13 13:27 cert.pem
-rw-r-----. 1 root root 1675 Feb 13 13:27 key.pem
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key
[root@jsefler-7 ~]# subscription-manager clean
All local data removed
[root@jsefler-7 ~]# ls -l /etc/pki/consumer
total 8
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key

VERIFIED: The Splice cert/key remains after running clean.

Now let's verify unregister...

[root@jsefler-7 ~]# subscription-manager register --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password:
Organization: admin
The system has been registered with ID: d6172d84-0edc-4e61-bd1c-77c954e6033f
[root@jsefler-7 ~]# ls -l /etc/pki/consumer
total 16
-rw-r-----. 1 root root 1306 Feb 13 13:31 cert.pem
-rw-r-----. 1 root root 1679 Feb 13 13:31 key.pem
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key
[root@jsefler-7 ~]# subscription-manager unregister
System has been unregistered.
[root@jsefler-7 ~]# ls -l /etc/pki/consumer
total 8
-rw-r-----. 1 root root 1306 Feb 13 13:14 Splice_identity.cert
-rw-r-----. 1 root root 1679 Feb 13 13:14 Splice_identity.key

VERIFIED: The Splice cert/key remains after running unregister.

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
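
The cleanup behaviour verified in this bug, as an added Python sketch that is not subscription-manager's own code: delete only the files the tool owns by name, copy rather than rename the directory for the backup, and never remove the directory itself. The function names are hypothetical, the file names come from the listings above, and overwriting an existing backup directory is an assumption the page does not state.

```python
import glob
import os
import shutil
import tempfile

# File names are from the listings on this page; all function names are hypothetical.
OWNED_IDENTITY_FILES = ("cert.pem", "key.pem")


def remove_identity(consumer_dir):
    """Delete only the identity cert/key; keep the directory and foreign files."""
    removed = []
    for name in OWNED_IDENTITY_FILES:
        path = os.path.join(consumer_dir, name)
        if os.path.lexists(path):  # unlink removes a symlink itself, not its target
            os.unlink(path)
            removed.append(name)
    return removed


def backup_and_remove_identity(consumer_dir):
    """Consumer deleted at the server: copy to <dir>.old, then remove owned files."""
    backup = consumer_dir.rstrip(os.sep) + ".old"
    if os.path.isdir(backup):  # assumption: an older backup is replaced
        shutil.rmtree(backup)
    shutil.copytree(consumer_dir, backup)  # copy2 underneath keeps file modes
    return backup, remove_identity(consumer_dir)


def remove_entitlements(entitlement_dir):
    """Delete only *.pem files in the entitlement directory, never the directory."""
    removed = []
    for path in glob.glob(os.path.join(entitlement_dir, "*.pem")):
        if os.path.isfile(path) or os.path.islink(path):
            os.unlink(path)
            removed.append(os.path.basename(path))
    return sorted(removed)


def demo():
    """Replay the page's test on a constructed layout inside a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        consumer = os.path.join(root, "consumer")
        os.mkdir(consumer)
        for name in OWNED_IDENTITY_FILES + ("Splice_identity.cert", "Splice_identity.key"):
            with open(os.path.join(consumer, name), "w") as fh:
                fh.write("constructed placeholder\n")
        backup, removed = backup_and_remove_identity(consumer)
        return removed, sorted(os.listdir(consumer)), sorted(os.listdir(backup))
```
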