Bug 1288602
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | RHEL KVM Guest image - product cert for both Beta and RHEL in /etc/pki/product[-default] | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Harald Jensås <hjensas> |
| Component: | rhel-guest-image | Assignee: | Lubos Kocman <lkocman> |
| Status: | CLOSED NOTABUG | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.2 | CC: | creynold, fdeutsch, hjensas, jgreguske, jswensso, linl, lkocman, mburgerh, mkalyat, rbarry, wshi |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | 7.2 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | node | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1311958 | Environment: | |
| Last Closed: | 2016-11-29 11:29:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1301891, 1311958 | | |
Description
Harald Jensås
2015-12-04 17:17:16 UTC
I'm not familiar with rhel-guest-image-7.2-20151102.0.x86_64.qcow2, but whoever created it must have manually renamed product cert 226.pem into the /etc/pki/product/69.pem that you removed. An rct cat-cert of the certificate that you have pasted in comment 0 for /etc/pki/product/69.pem is NOT product 69; it is indeed product 226 as you have shown in the subscription-manager list --installed. Product 226 and 69 are NOT the same products. Product 226 provided tag rhel-7-everything and gave access to content prior to the GA release of RHEL7.0. I don't believe product 226 was ever a customer facing product. Bottom line... this is not a subscription-manager bug. It is a poorly created qcow2 image.

Agreed, I am re-assigning to component 'rhel-guest-image'.

This hasn't been touched since the initial RHEL7 release. It's also present in all of the EC2 images (still a bug, but present), and every one of the RHEL7 guest images since 7.0, and it looks like it was originally to address bz#800120. In other words, it's been there for a long time. I'd prefer not to need to maintain this product key or do anything with it for a variety of reasons. If the cert is now included as part of the images, I'm happy to drop it from the kickstart. There's not a lot of visibility into product certs, what provides which entitlements, how they're owned, etc. Can I expect that everything will "just work" after removing it from the kickstart? Including beta keys for beta, etc?

I think it will be included by redhat-release-* RPMs; I find this information under the "How do product certificates get installed?" section of the document below:
https://mojo.redhat.com/groups/release-engineering/blog/2015/09/01/product-certificates-explained

The rhel-guest-image 7.1 image doesn't have this bug; the correct 69.pem has been created before anaconda processes the 69.pem file in kickstart %post%, but I don't know which program created the correct 69.pem.

When did the change to product-default happen?

for rhel6: since rhel-guest-image-6.7
for rhel7: since rhel-guest-image-7.2

The redhat-release-server RPM contains product-default/69.pem; if a certificate located in the "product" directory has the same "Product ID" as the one in the "product-default" directory, the certificate in the "product" dir will override the latter one. We also need to fix this for rhel6 images.

Find the bug to include default product certificate in redhat-release:
rhel7 -> https://bugzilla.redhat.com/show_bug.cgi?id=1080007
rhel6 -> https://bugzilla.redhat.com/show_bug.cgi?id=1080012

IIUIC according to comment 7 this bug can be fixed by not including the product cert in the ks, but relying on the product cert from the redhat-release rpms. If you agree Ryan, then a new build can be done with the pems removed from the ks to see if this issue is fixed.

Yes, I agree, though I'm away for the next couple of days, so this wouldn't be done until early next week.

This should happen by default, as of now the kvm image gets redhat-release-server ... (based on variant) from compose. And redhat-release-server contains default productid certificates. There should always be just one certificate (which would be Beta in Beta, HTB in Snapshots and GA in GA). If you get one with e.g. a Beta cert, you've used a beta kvm-image. Is there something that I'm missing? As of RHEL-7.4 (not entirely sure about 7.3) the kvm image is being produced as part of compose.
http://download.devel.redhat.com/nightly/latest-RHEL-7/compose/Server/x86_64/images/

Closing as notabug. Feel free to re-open the issue. You guys can sync-up with me and we test image in Alpha, Beta, Snapshot, RC composes ... whether the content is correct.

Lubos