Bug 1104332
| Summary: | [RFE] Separate out the rhsm certs into a separate RPM | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Daniel Walsh <dwalsh> |
| Component: | python-rhsm | Assignee: | vritant <vrjain> |
| Status: | CLOSED ERRATA | QA Contact: | John Sefler <jsefler> |
| Severity: | low | Docs Contact: | Aneta Šteflová Petrová <apetrova> |
| Priority: | medium | ||
| Version: | 7.0 | CC: | alikins, aweiteka, bcourt, bkearney, dgregor, dwalsh, jpazdziora, skallesh, vrjain |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | 7.3 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | python-rhsm-1.17.5-1 | Doc Type: | Enhancement |
| Doc Text: | `redhat-uep.pem` CA certificate moved to a *python-rhsm-certificates* package. The `/etc/rhsm/ca/redhat-uep.pem` certificate authority (CA) certificate was previously included in the *python-rhsm* package. This update moves this certificate into a simplified *python-rhsm-certificates* package that provides only the certificate. As a result, container images can now be built only with *python-rhsm-certificates* without all the package dependencies required by *python-rhsm*, specifically the *python* package. | ||
| Story Points: | --- | ||
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-03 20:26:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1121117, 1298337, 1313485 | ||
Description
Daniel Walsh
2014-06-03 18:50:35 UTC
Acking 7.1

(In reply to Daniel Walsh from comment #0)
> We need the cert in a docker based image, but we do not want the python or more specifically the requires python package.
>
> We want to get to the point where we could use a docker image without python being included.

Which cert?

It has been a while, but we wanted these in a subpackage, I believe.
/etc/rhsm
/etc/rhsm/ca
/etc/rhsm/ca/candlepin-stage.pem
/etc/rhsm/ca/redhat-uep.pem

This bz now only applies to /etc/rhsm/ca/redhat-uep.pem, as /etc/rhsm/ca/candlepin-stage.pem is being removed anyways per https://bugzilla.redhat.com/show_bug.cgi?id=1242057

Well it has been two years since we requested this. Aaron do you remember?

The CA /etc/rhsm/ca/redhat-uep.pem is used for securely connecting to CDN to install RPMs inside the running container.

Aaron,
The tools used to install the RPMs are all built using python, and require the python-rhsm package in order to properly generate the repo files used to connect to the CDN. Why do you need the files separated out into a new RPM if the other packages would still be required?

I think the initial BZ comment made 2 years ago says it pretty clearly:
> We need the cert in a docker based image, but we do not want the python or more specifically the requires python package.
> We want to get to the point where we could use a docker image without python being included.
Bottom line is if we eliminate all of the python dependencies in the base image we will still want the CA cert to make secure calls to Red Hat.
Can we add the rhsm CA certs to redhat-release? I understand we have already done this with product certs. It is also similar to the method used to install the default rpm GPG keys.
We have a use case where we need these certificates on non Red Hat systems so adding them to redhat-release where only RHEL has access would be problematic.

The certificate will be packaged with a new rhsm-certificates rpm.

Pull Request: https://github.com/candlepin/python-rhsm/pull/173/commits
Commits: 14aecdf15ba841fce1769d38cfecc8b621a565aa

[root@dhcp35-128 ~]# rpm -qa | grep python-rhsm
python-rhsm-1.17.5-1.el7.x86_64
python-rhsm-certificates-1.17.5-1.el7.x86_64
python-rhsm is dependent on python-rhsm-certificates:
-------------------------------------------------------
[root@dhcp35-128 ~]# yum install python-rhsm-1.17.5-1.el7.x86_64.rpm -y
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Examining python-rhsm-1.17.5-1.el7.x86_64.rpm: python-rhsm-1.17.5-1.el7.x86_64
Marking python-rhsm-1.17.5-1.el7.x86_64.rpm as an update to python-rhsm-1.17.2-1.el7.x86_64
Resolving Dependencies
--> Running transaction check
---> Package python-rhsm.x86_64 0:1.17.2-1.el7 will be updated
---> Package python-rhsm.x86_64 0:1.17.5-1.el7 will be an update
--> Processing Dependency: python-rhsm-certificates = 1.17.5-1.el7 for package: python-rhsm-1.17.5-1.el7.x86_64
--> Finished Dependency Resolution
Error: Package: python-rhsm-1.17.5-1.el7.x86_64 (/python-rhsm-1.17.5-1.el7.x86_64)
Requires: python-rhsm-certificates = 1.17.5-1.el7
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
python-rhsm no longer contains /etc/rhsm/ca/redhat-uep.pem:
-----------------------------------------------------------------
[root@dhcp35-128 ~]# rpm -ql python-rhsm | grep "/etc/rhsm/ca/"
[root@dhcp35-128 ~]#
/etc/rhsm/ca/redhat-uep.pem is moved to python-rhsm-certificates:
------------------------------------------------------------------------
[root@dhcp35-128 ~]# rpm -ql python-rhsm-certificates | grep "/etc/rhsm/ca/"
/etc/rhsm/ca/redhat-uep.pem
No selinux denials while installing:
-------------------------------------------------------------
[root@shwetha-workstation ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
[root@shwetha-workstation ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
<no matches>
[root@shwetha-workstation ~]# yum install python-rhsm-* -y
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
Examining python-rhsm-1.17.3-0.git.10.a0557db.el7.x86_64.rpm: python-rhsm-1.17.3-0.git.10.a0557db.el7.x86_64
python-rhsm-1.17.3-0.git.10.a0557db.el7.x86_64.rpm: does not update installed package.
Examining python-rhsm-1.17.4-1.el7.x86_64.rpm: python-rhsm-1.17.4-1.el7.x86_64
python-rhsm-1.17.4-1.el7.x86_64.rpm: does not update installed package.
Examining python-rhsm-1.17.5-1.el7.x86_64.rpm: python-rhsm-1.17.5-1.el7.x86_64
Marking python-rhsm-1.17.5-1.el7.x86_64.rpm as an update to python-rhsm-1.17.4-1.el7.x86_64
Examining python-rhsm-certificates-1.17.5-1.el7.x86_64.rpm: python-rhsm-certificates-1.17.5-1.el7.x86_64
Marking python-rhsm-certificates-1.17.5-1.el7.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package python-rhsm.x86_64 0:1.17.4-1.el7 will be updated
---> Package python-rhsm.x86_64 0:1.17.5-1.el7 will be an update
---> Package python-rhsm-certificates.x86_64 0:1.17.5-1.el7 will be installed
--> Finished Dependency Resolution
https://cdn.redhat.com/admin/foo/path/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
To address this issue please refer to the below knowledge base article
https://access.redhat.com/solutions/69319
If above article doesn't help to resolve this issue please open a ticket with Red Hat Support.
https://cdn.redhat.com/foo/path/never/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
Dependencies Resolved
========================================================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================================================
Installing:
python-rhsm-certificates x86_64 1.17.5-1.el7 /python-rhsm-certificates-1.17.5-1.el7.x86_64 7.6 k
Updating:
python-rhsm x86_64 1.17.5-1.el7 /python-rhsm-1.17.5-1.el7.x86_64 341 k
Transaction Summary
========================================================================================================================================================================
Install 1 Package
Upgrade 1 Package
Total size: 348 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
Installing : python-rhsm-certificates-1.17.5-1.el7.x86_64 1/3
Updating : python-rhsm-1.17.5-1.el7.x86_64 2/3
Cleanup : python-rhsm-1.17.4-1.el7.x86_64 3/3
https://cdn.redhat.com/admin/foo/path/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
https://cdn.redhat.com/foo/path/never/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
https://cdn.redhat.com/admin/foo/path/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
failure: repodata/repomd.xml from admin-content-label: [Errno 256] No more mirrors to try.
https://cdn.redhat.com/admin/foo/path/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Verifying : python-rhsm-1.17.5-1.el7.x86_64 1/3
Verifying : python-rhsm-certificates-1.17.5-1.el7.x86_64 2/3
Verifying : python-rhsm-1.17.4-1.el7.x86_64 3/3
Installed:
python-rhsm-certificates.x86_64 0:1.17.5-1.el7
Updated:
python-rhsm.x86_64 0:1.17.5-1.el7
Complete!
[root@shwetha-workstation ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
<no matches>
Augmenting verification comment 24...

The new package python-rhsm-certificates is minimal, provides only one file (redhat-uep.pem), and depends only on rpmlib...

[root@jsefler-rhel7 ~]# rpm -q python-rhsm-certificates
python-rhsm-certificates-1.17.5-1.el7.x86_64
[root@jsefler-rhel7 ~]# rpm -ql python-rhsm-certificates
/etc/rhsm
/etc/rhsm/ca
/etc/rhsm/ca/redhat-uep.pem
[root@jsefler-rhel7 ~]# rpm -q python-rhsm-certificates --requires
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1

As demonstrated in comment 24, package python-rhsm now depends on python-rhsm-certificates...

[root@jsefler-rhel7 ~]# rpm -q python-rhsm-certificates --whatrequires
python-rhsm-1.17.5-1.el7.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2592.html
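As an added example (not code from the bug report or the python-rhsm project), the acceptance check QA performed by hand in the comments above, scripted so it can be rerun on each build: the certificates package must ship only the CA certificate and must require nothing beyond rpmlib capabilities, so that pulling it into a container image cannot drag python in. The function names and the sample rpm output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or the python-rhsm project.
# Scripts the acceptance check QA did by hand: python-rhsm-certificates must
# ship only /etc/rhsm/ca/redhat-uep.pem (plus its parent directories) and must
# require nothing beyond rpmlib(...) capabilities, so pulling it into a
# container image can never drag python in. Function names are assumptions.

# Return 0 if every non-blank line of $1 is an rpmlib(...) capability.
only_rpmlib_requires() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*$' | grep -vq '^rpmlib(' && return 1
    return 0
}

# Return 0 if, after dropping the two parent directories, the only path in $1
# is the CA certificate.
ships_only_ca_cert() {
    expected='/etc/rhsm/ca/redhat-uep.pem'
    files=$(printf '%s\n' "$1" | grep -Ev '^(/etc/rhsm|/etc/rhsm/ca|[[:space:]]*)$' || true)
    [ "$files" = "$expected" ]
}

# $1 = `rpm -ql` output, $2 = `rpm -q --requires` output for the package.
verify_certs_package() {
    ships_only_ca_cert "$1" || { echo "FAIL: unexpected file list"; return 1; }
    only_rpmlib_requires "$2" || { echo "FAIL: non-rpmlib dependency present"; return 1; }
    echo "PASS: only the CA cert is shipped and no package dependencies are required"
}

# Constructed sample input modelled on the rpm output in the verification
# comments; not captured from a live host.
SAMPLE_FILES='/etc/rhsm
/etc/rhsm/ca
/etc/rhsm/ca/redhat-uep.pem'
SAMPLE_REQUIRES='rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1'
# Counter-example (constructed): a dependency that would pull python into the image.
BAD_REQUIRES='python
rpmlib(PayloadIsXz) <= 5.2-1'

# Stand-alone run on the sample; on a RHEL 7 host substitute the live output:
#   verify_certs_package "$(rpm -ql python-rhsm-certificates)" \
#                        "$(rpm -q --requires python-rhsm-certificates)"
verify_certs_package "$SAMPLE_FILES" "$SAMPLE_REQUIRES"
```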