Bug 1303103

Summary: [RFE] Allow ISO repositories to be added to a content view and published/distributed
Product: Red Hat Satellite
Reporter: Brad Buckingham <bbuckingham>
Component: Content Views
Assignee: Eric Helms <ehelms>
Status: CLOSED ERRATA
QA Contact: Sachin Ghai <sghai>
Severity: high
Docs Contact:
Priority: medium
Version: 6.1.6
CC: ahumbe, bbuckingham, bkearney, dcaplan, egolov, ehelms, hmore, hshukla, kabbott, mhrivnak, mmccune, pm-sat, sghai, stbenjam, sthirugn, xdmoon
Target Milestone: Unspecified
Keywords: FutureFeature, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/13661
Whiteboard:
Fixed In Version: katello-installer-base-3.4.5.26-1,tfm-rubygem-runcible-1.12.0.3-1,tfm-rubygem-katello-3.4.5.58-1
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-21 12:33:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1321771
Attachments:
Description | Flags
UI shows 49 files in CV | none
updated CV with RHEL 7Server iso and it includes 49 files. | none

Description Brad Buckingham 2016-01-29 14:56:01 UTC
Description of problem:

Today, when an ISO repository is synced to a Satellite 6 server, the content of the repository is not distributed to Capsules that have requested updates for Library.

The lack of this capability causes issues for users with systems that only have access to the capsule, but also need access to ISOs.

Version-Release number of selected component (if applicable):

Satellite 6.1.6

How reproducible:

Always

Steps to Reproduce:
1. Install Satellite and 1 Capsule
2. Configure the Capsule to get content from Library
3. Enable a Red Hat ISO repository (e.g. Red Hat Enterprise Linux 7 Server (ISOs))
4. Sync the repository
5. Create a content view
6. Attempt to add an ISO repository to the content view

Actual results:

ISO repositories are not listed for adding/removing to content views.

Expected results:

ISO repositories should be listed for adding/removing to content views.

Additional info:

As part of this, we need to ensure that those repositories are also published and promoted as part of the content view.  In addition, if there is a capsule associated with the target lifecycle environment, the content should be synced to that capsule.

Comment 2 Michael Hrivnak 2016-01-31 18:29:44 UTC
Nope, I think everything you need is already available. But an early review from someone on katello would be a good idea to make sure they agree.

Comment 6 Bryan Kearney 2016-03-30 16:05:51 UTC
Upstream bug component is Content Views

Comment 10 Bryan Kearney 2016-08-08 02:11:37 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/13661 has been closed

Comment 13 Sachin Ghai 2017-12-08 12:06:21 UTC
Tested with satellite6.3 snap27.

I can add synced RHEL ISOs to CV and publish as well as promote them to next environment. Please see the attached screenshots

Comment 14 Sachin Ghai 2017-12-08 12:06:55 UTC
Created attachment 1364812 [details]
UI shows 49 files in CV

Comment 15 Sachin Ghai 2017-12-08 12:07:47 UTC
Created attachment 1364813 [details]
updated CV with RHEL 7Server iso and it includes 49 files.

Comment 16 Sachin Ghai 2017-12-08 13:55:01 UTC
ISO files are not being synced to capsule. Earlier, I selected the on_demand download policy for capsule and later I changed to "Immediate" but still no luck.

There are 49 ISO files that I synced and published. However, none of them was synced to capsule. 

@Eric: Is there anything specific I need to do to sync ISO files to capsule?

Comment 17 Evgeni Golov 2017-12-08 14:17:28 UTC
As Eric is out today, I had a quick look at the setup.

First observation was that Satellite thinks the Capsule never synced, which in a way is true, as each Sync Job has failed.

example of a failed job: https://cloud-qe-14.idmqe.lab.eng.bos.redhat.com/foreman_tasks/tasks/0b399f7c-5395-4288-9665-579f73c14c32
PLP0000: Importer indicated a failed response

looking into dynflow: https://cloud-qe-14.idmqe.lab.eng.bos.redhat.com/foreman_tasks/dynflow/f6a45e70-ac19-44f8-b65e-09bcca24bb7e
"Actions::Pulp::Consumer::SyncCapsule" is skipped as it contains a traceback:

input:
---
capsule_id: 2
repo_pulp_id: 1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2
sync_options:
  remove_missing: false
remote_user: admin
remote_cp_user: admin

output:
---
pulp_tasks:
- exception: 
  task_type: pulp.server.managers.repo.sync.sync
  _href: "/pulp/api/v2/tasks/0cbc8638-54d9-435c-a32f-fa8e30ebdfae/"
  task_id: 0cbc8638-54d9-435c-a32f-fa8e30ebdfae
  tags:
  - pulp:repository:1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2
  - pulp:action:sync
  finish_time: '2017-12-08T12:10:16Z'
  _ns: task_status
  start_time: '2017-12-08T12:10:15Z'
  traceback: |
    Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 240, in trace_task
        R = retval = fun(*args, **kwargs)
      File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 527, in __call__
        return super(Task, self).__call__(*args, **kwargs)
      File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 107, in __call__
        return super(PulpTask, self).__call__(*args, **kwargs)
      File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 438, in __protected_call__
        return self.run(*args, **kwargs)
      File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 827, in sync
        raise pulp_exceptions.PulpExecutionException(_('Importer indicated a failed response'))
    PulpExecutionException: Importer indicated a failed response
  spawned_tasks: []
  progress_report:
    iso_importer:
      error_message:
        response_code: 403
        response_msg: Forbidden
      traceback: 
      finished_bytes: 0
      num_isos: 
      state: manifest_failed
      total_bytes: 
      state_times:
        not_started: '2017-12-08T12:10:15'
        manifest_in_progress: '2017-12-08T12:10:15'
        manifest_failed: '2017-12-08T12:10:15'
      num_isos_finished: 0
      iso_error_messages: []
  queue: reserved_resource_worker-0.lab.eng.bos.redhat.com.dq
  state: error
  worker_name: reserved_resource_worker-0.lab.eng.bos.redhat.com
  result: 
  error:
    code: PLP0000
    data: {}
    description: Importer indicated a failed response
    sub_errors: []
  _id:
    "$oid": 5a2a8127266e6d3221798d1c
  id: 5a2a8127266e6d3221798d1c
poll_attempts:
  total: 1
  failed: 1

the interesting part of that is:
    iso_importer:
      error_message:
        response_code: 403
        response_msg: Forbidden
      state: manifest_failed

the systemd journal on the capsule contains (as expected):
Dec 08 05:57:39 cloud-qe-06.idmqe.lab.eng.bos.redhat.com pulp[1834]: nectar.downloaders.threaded:INFO: Download failed: Download of https://cloud-qe-14.idmqe.lab.eng.bos.redhat.com/pulp/isos/1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2/PULP_MANIFEST failed with code 403: Forbidden
Dec 08 05:57:39 cloud-qe-06.idmqe.lab.eng.bos.redhat.com pulp[1834]: pulp_rpm.plugins.importers.iso.sync:ERROR: Failed to download https://cloud-qe-14.idmqe.lab.eng.bos.redhat.com/pulp/isos/1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2/PULP_MANIFEST: Forbidden.

and on the satellite the httpd log contains:
[Fri Dec 08 05:57:39.876851 2017] [:error] [pid 29888] [client 10.19.34.35:37008] Request denied to destination [/pulp/isos/1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2/PULP_MANIFEST]Client certificate failed extension check for destination: /pulp/isos/1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2/PULP_MANIFEST
[Fri Dec 08 05:57:39.876874 2017] [:error] [pid 29888] [client 10.19.34.35:37008] mod_wsgi (pid=29888): Client denied by server configuration: '/var/www/pub/https/isos/1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2/PULP_MANIFEST'.
[Fri Dec 08 06:27:22.452082 2017] [:error] [pid 10376] [client 10.19.34.35:37128] Request denied to destination [/pulp/isos/1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2/PULP_MANIFEST]Client certificate failed extension check for destination: /pulp/isos/1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2/PULP_MANIFEST

I am not sure what is happening here, so leaving the NI on Eric. Hope my debugging helps :)

Comment 18 Eric Helms 2017-12-21 15:32:58 UTC
From my investigation, I tested the certs the importer is configured with and was able to curl that Forbidden file with them just fine. So I am not currently sure what is happening when the actual sync operation occurs and will have to dig further.

Comment 20 Eric Helms 2018-01-25 16:39:45 UTC
*** Bug 1480358 has been marked as a duplicate of this bug. ***

Comment 21 Stephen Benjamin 2018-01-25 17:53:40 UTC
Testing on upstream, but get the same results.  I don't think the certificate the capsule is getting is configured correctly. Using the certificate in the database, I am not able to retrieve a file from the repo:


[root@centos7-foreman-proxy-3-5 ~]# curl --cert /root/cert.crt --key /root/key.crt https://centos7-katello-3-5.zpm.example.com/pulp/isos/901986be-6f88-4903-930a-2b90dc9bea96/PULP_MANIFEST
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /pulp/isos/901986be-6f88-4903-930a-2b90dc9bea96/PULP_MANIFEST
on this server.</p>
</body></html>


HTTP logs show:

[Thu Jan 25 17:43:02.353200 2018] [:error] [pid 11693] [client 192.168.121.130:40360] Request denied to destination [/pulp/isos/901986be-6f88-4903-930a-2b90dc9bea96/PULP_MANIFEST]Client certificate failed extension check for destination: /pulp/isos/901986be-6f88-4903-930a-2b90dc9bea96/PULP_MANIFEST

Pulp's OID validator seems to be doing some kind of check that determines if the certificate has access to /pulp/isos: /usr/lib/python2.7/site-packages/pulp/oid_validation/oid_validation.py

I'm not sure how to decode the extensions exactly:

[root@centos7-foreman-proxy-3-5 ~]# openssl x509 -in cert.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2032182190564053392 (0x1c33c2ef73721190)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=centos7-katello-3-5.zpm.example.com
        Validity
            Not Before: Jan 24 15:32:10 2018 GMT
            Not After : Dec  1 13:00:00 2049 GMT
        Subject: O=Default_Organization
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                SSL Client, S/MIME
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Authority Key Identifier: 
                keyid:8B:ED:73:F8:53:4C:76:B2:30:AB:D7:55:EA:85:FC:D3:5E:A7:D9:85
                DirName:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=centos7-katello-3-5.zpm.example.com
                serial:C0:6B:3D:41:B0:98:76:EF

            X509v3 Subject Key Identifier: 
                C9:61:8F:1F:07:99:71:2A:1E:3D:63:C1:D7:64:3A:CE:A7:1F:54:10
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            1.3.6.1.4.1.2312.9.1.1516807930959.1: 
                ."Default_Organization_ueber_product
            1.3.6.1.4.1.2312.9.1.1516807930959.3: 
                ..
            1.3.6.1.4.1.2312.9.1.1516807930959.2: 
                ..
            1.3.6.1.4.1.2312.9.1.1516807930959.5: 
                ..
            1.3.6.1.4.1.2312.9.2.1516807930960.1: 
                ..yum
            1.3.6.1.4.1.2312.9.2.1516807930960.1.1: 
ueber_content   .
            1.3.6.1.4.1.2312.9.2.1516807930960.1.2: 
                ..1516807930959_ueber_content
            1.3.6.1.4.1.2312.9.2.1516807930960.1.5: 
                ..Custom
            1.3.6.1.4.1.2312.9.2.1516807930960.1.6: 
                ../Default_Organization
            1.3.6.1.4.1.2312.9.2.1516807930960.1.7: 
                ..
            1.3.6.1.4.1.2312.9.2.1516807930960.1.8: 
                ..1
            1.3.6.1.4.1.2312.9.4.1: 
                ."Default_Organization_ueber_product
            1.3.6.1.4.1.2312.9.4.2: 
                ..
            1.3.6.1.4.1.2312.9.4.3: 
1516807930959   .
            1.3.6.1.4.1.2312.9.4.5: 
                ..1
            1.3.6.1.4.1.2312.9.4.6: 
                ..2018-01-24T15:32:10Z
            1.3.6.1.4.1.2312.9.4.7: 
                ..2049-12-01T13:00:00Z
            1.3.6.1.4.1.2312.9.4.12: 
                ..0
            1.3.6.1.4.1.2312.9.4.10: 
                ..
            1.3.6.1.4.1.2312.9.4.13: 
                ..
            1.3.6.1.4.1.2312.9.4.14: 
                ..0
            1.3.6.1.4.1.2312.9.4.11: 
                ..1
            1.3.6.1.4.1.2312.9.5.1: 
                .$3c1a6371-75de-4a49-9b27-9fa5be87b682



But rhsm seems to confirm the certificate has no rights to this file:

>>> from rhsm import certificate
>>> cert = certificate.create_from_file("/root/cert.crt")
>>> cert.check_path("/pulp/isos/901986be-6f88-4903-930a-2b90dc9bea96/PULP_MANIFEST")
False
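
Added example, not part of the original comment and not Pulp or rhsm code: the custom extension values in the dump above are DER UTF8Strings, so the leading dots (and the stray `"` or `$`) are the tag and length bytes. The sketch decodes them and applies an assumed prefix-matching rule to show why the requested /pulp/isos path is not covered by the only entitled URL, /Default_Organization. The meaning of field 6 and the matching rule are assumptions; the sample values are constructed from the dump.

```python
import re

# Content entries live under 1.3.6.1.4.1.2312.9.2.<content_id>.1.<field>.
# Assumption: field 6 is the content download URL, matching the dump above.
CONTENT_URL_OID = re.compile(r"^1\.3\.6\.1\.4\.1\.2312\.9\.2\.\d+\.1\.6$")

def der_utf8(text):
    """Build a short-form DER UTF8String (used only for the sample input)."""
    raw = text.encode("utf-8")
    if len(raw) > 127:
        raise ValueError("sample builder only handles short-form lengths")
    return bytes([0x0C, len(raw)]) + raw

def decode_der_utf8(value):
    """Decode a DER UTF8String, checking the tag and the declared length."""
    if len(value) < 2 or value[0] != 0x0C:
        raise ValueError("not a UTF8String")
    length, offset = value[1], 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        count = length & 0x7F
        length = int.from_bytes(value[2:2 + count], "big")
        offset += count
    if offset + length != len(value):
        raise ValueError("declared length does not match value size")
    return value[offset:].decode("utf-8")

def entitled_paths(extensions):
    """Decoded download URLs from the content extensions of a certificate."""
    return [decode_der_utf8(val) for oid, val in sorted(extensions.items())
            if CONTENT_URL_OID.match(oid)]

def path_allowed(entitled, request_path):
    """Assumed rule: an entitled URL must match the start of the request
    path, with each $variable segment matching exactly one path segment."""
    for url in entitled:
        segs = [r"[^/]+" if s.startswith("$") else re.escape(s)
                for s in url.strip("/").split("/")]
        if re.match("^/" + "/".join(segs) + "(/|$)", request_path):
            return True
    return False

# Constructed sample: values copied from the certificate dump in the comment.
SAMPLE_EXTENSIONS = {
    "1.3.6.1.4.1.2312.9.2.1516807930960.1.1": der_utf8("ueber_content"),
    "1.3.6.1.4.1.2312.9.2.1516807930960.1.5": der_utf8("Custom"),
    "1.3.6.1.4.1.2312.9.2.1516807930960.1.6": der_utf8("/Default_Organization"),
    "1.3.6.1.4.1.2312.9.4.1": der_utf8("Default_Organization_ueber_product"),
}
REQUEST = "/pulp/isos/901986be-6f88-4903-930a-2b90dc9bea96/PULP_MANIFEST"

if __name__ == "__main__":
    paths = entitled_paths(SAMPLE_EXTENSIONS)
    print("entitled:", paths)
    print("allowed:", path_allowed(paths, REQUEST))
```

The 13-character values ("ueber_content", "1516807930959") have a length byte of 0x0D, a carriage return, which is why those two lines of the terminal dump appear overwritten.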

Comment 23 Satellite Program 2018-01-25 19:28:24 UTC
Upstream bug assigned to ehelms

Comment 24 Satellite Program 2018-01-26 01:07:37 UTC
Upstream bug assigned to ehelms

Comment 25 Stephen Benjamin 2018-01-29 15:47:34 UTC
Created redmine issue http://projects.theforeman.org/issues/22446 from this bug

Comment 29 Sachin Ghai 2018-02-04 10:33:56 UTC
Verified with sat6.3 snap35

[root@cloud-qe-17 ~]# hammer -u admin -p changeme capsule content synchronize --id=2
[.......................                                                                                                                                                                                    ] [11%]
[..........................................................................................................................................................................................................] [100%]
[root@cloud-qe-17 ~]# 

I can sync iso repos to capsule by publishing through CV.

synced isos from capsule.

/var/lib/pulp/content/units/iso/6c/93dd9c54d7580b8d48afdc62c0f0ea2273fa523a8495224eccf8a94264d6b4/rhel-workstation-7.3-x86_64-boot.iso
/var/lib/pulp/content/units/iso/a7/df1dc22e4fdc96e083767f4a6c56f80a4da540bb50a58b0de8f2eccacd2064/rhel-server-7.4-x86_64-dvd.iso
/var/lib/pulp/content/units/iso/3b/66a35c07701ed31212ae6000027f70a3b9b49ab865b3dbad979c357e588113/rhel-server-7.1-x86_64-boot.iso
/var/lib/pulp/content/units/iso/4a/3068d44fccb0afda7d199f739ec43c12e9ee0e959a733a381071f601f8ea77/dd-igb-5.2.15_k-1-x86_64.iso
/var/lib/pulp/content/units/iso/2e/04538008082952b11def17dec6f78e44d8a55e0e4a9afd365dee1a8df41272/rhel-workstation-7.2-x86_64-boot.iso
/var/lib/pulp/content/units/iso/32/fd023380edee37e6d040ebc1544eb6a6a720f58495e3debcc45d18ddf617a9/rhel-server-7.2-x86_64-boot.iso
/var/lib/pulp/content/units/iso/ff/8811fa38bdd32f9577f7a89d69f8789e020069890820beb5814ec8bba80077/dd-lpfc-10.2.8021.0-x86_64.iso
/var/lib/pulp/content/units/iso/ff/8fa10a5717370b67a4e965a006386b47adaffb6c167b52a0b23b6df798780f/virt-p2v-1.32.7-2.el7.iso
/var/lib/pulp/content/units/iso/09/8e1a9742de8625e8302a6d5a4dba886219c08877ef818324489706cc376f91/dd-sfc.el7_2.iso
/var/lib/pulp/content/units/iso/6b/9b66bbd3f4065b10c0442e01c442eee047bab463ab5d62760991c6d1566693/dd-ixgbe-4.4.0_k_rh7.4_z-2-ixgbevf-3.2.2_k_rh7.4_z-1.el7_3.iso
/var/lib/pulp/content/units/iso/6b/f6a70bed83a93a123edbc32cd1c49f42b457293e78eaf168905a02c9f97bb3/dd-lpfc.el7_2.iso
/v

Comment 32 errata-xmlrpc 2018-02-21 12:33:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336