Bug 1400827

Summary: rpm-ostree fails to install RPMs when rpm-md repos which use multiple gpgkey entries are active
Product: Red Hat Enterprise Linux 7 Reporter: Alex Jia <ajia>
Component: rpm-ostree-clientAssignee: Colin Walters <walters>
Status: CLOSED CURRENTRELEASE QA Contact: atomic-bugs <atomic-bugs>
Severity: high Docs Contact:
Priority: high    
Version: 7.4CC: dornelas, jlebon, miabbott, rrajaram, sakulkar, santiago, walters
Target Milestone: rcKeywords: Extras
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-20 15:59:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1424588    
Bug Blocks: 1186913, 1420851    

Description Alex Jia 2016-12-02 07:54:59 UTC 
Description of problem:
Using the command rpm-ostree pkg-add to layer new packages into Atomic Host, I met error like this "error: Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release [Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release]".

Version-Release number of selected component (if applicable):

[root@atomic-00 cloud-user]# cat /etc/redhat-release 
Red Hat Enterprise Linux Atomic Host release 7.3

[root@atomic-00 cloud-user]# atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.1 (2016-11-30 02:14:24)
        Commit: 42cfe1ca3305defb16dfd59cd0be5c539f19ea720dba861ed11e13941423ae86
        OSName: rhel-atomic-host
  GPGSignature: (unsigned)
      Unlocked: development

[root@atomic-00 cloud-user]# rpm -qa | grep ostree
ostree-fuse-2016.11-2.atomic.el7.x86_64
rpm-ostree-client-2016.11-2.atomic.el7.x86_64
ostree-2016.11-2.atomic.el7.x86_64
cockpit-ostree-122-3.el7.x86_64
ostree-grub2-2016.11-2.atomic.el7.x86_64
subscription-manager-plugin-ostree-1.17.15-1.el7.x86_64

[root@atomic-00 cloud-user]# rpm -q skopeo
skopeo-0.1.17-0.7.git1f655f3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1.rpm-ostree pkg-add strace


Actual results:

[root@atomic-00 cloud-user]# rpm-ostree pkg-add strace
Checking out tree 42cfe1c... done

Downloading metadata: [=====                                                                                                                                                                                 ]   3%
error: Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release [Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release]

Expected results:
fix it

Additional info:

It's okay to manually run curl w/ above 2 files w/o permission issue.

[root@atomic-00 cloud-user]# ll -aZ /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
-rw-r--r--. root root system_u:object_r:cert_t:s0      /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta
-rw-r--r--. root root system_u:object_r:cert_t:s0      /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Comment 1 Colin Walters 2016-12-02 12:21:32 UTC 
Ugh, this is a variant of https://bugzilla.redhat.com/show_bug.cgi?id=1399770

For this case I think realistically we need to symlink etc -> usr/etc inside rpm-ostree's initial tree checkout.
Comment 4 Micah Abbott 2016-12-02 14:17:46 UTC 
This may be related to using an employee subscription and having all the repos enabled.  At the very least, you can work around this issue; see below.

For example, in my session below I have registered with an employee subscription that grants access to many (all?) repos.  When I try to install 'strace' via 'rpm-ostree install', I receive the same error reported here.  

However, if I disable all the available repos and then selectively enable the most common (server, extras, optional), I am able to install strace successfully.


# rpm-ostree status
State: idle
Deployments:
● 7.3.1-rc:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.1 (2016-11-30 02:14:24)
        Commit: 42cfe1ca3305defb16dfd59cd0be5c539f19ea720dba861ed11e13941423ae86
        OSName: rhel-atomic-host

# subscription-manager repos --list-enabled
+----------------------------------------------------------+
    Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
Repo ID:   rhel-sjis-for-rhel-7-server-aus-source-rpms
Repo Name: Red Hat Enterprise Linux for S-JIS (RHEL 7 Server) - AUS (Source RPMs)
Repo URL:  https://cdn.redhat.com/content/aus/rhel/server/7/$releasever/$basearch/sjis/source/SRPMS
Enabled:   1

Repo ID:   rhel-7-server-htb-rpms
Repo Name: Red Hat Enterprise Linux 7 Server HTB (RPMs)
Repo URL:  https://cdn.redhat.com/content/htb/rhel/server/7/$basearch/os
Enabled:   1

Repo ID:   rhel-7-server-tus-rpms
Repo Name: Red Hat Enterprise Linux 7 Server - TUS (RPMs)
Repo URL:  https://cdn.redhat.com/content/tus/rhel/server/7/$releasever/$basearch/os
Enabled:   1

Repo ID:   rhel-sjis-for-rhel-7-server-aus-debug-rpms
Repo Name: Red Hat Enterprise Linux for S-JIS (RHEL 7 Server) - AUS (Debug RPMs)
Repo URL:  https://cdn.redhat.com/content/aus/rhel/server/7/$releasever/$basearch/sjis/debug
Enabled:   1
...

# ls -lZ /etc/pki/rpm-gpg/
-rw-r--r--. root root system_u:object_r:cert_t:s0      RPM-GPG-KEY-redhat-beta
-rw-r--r--. root root system_u:object_r:cert_t:s0      RPM-GPG-KEY-redhat-legacy-former
-rw-r--r--. root root system_u:object_r:cert_t:s0      RPM-GPG-KEY-redhat-legacy-release
-rw-r--r--. root root system_u:object_r:cert_t:s0      RPM-GPG-KEY-redhat-legacy-rhx
-rw-r--r--. root root system_u:object_r:cert_t:s0      RPM-GPG-KEY-redhat-release

# rpm-ostree install strace
Checking out tree 42cfe1c... done

Downloading metadata: [=====                                                                                                                                                                                 ]   3%
error: Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release [Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat
-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release]

# subscription-manager repos --disable \*
Repository 'rhel-7-server-v2vwin-1-debug-rpms' is disabled for this system.
Repository 'rhel-7-server-mrg-messaging-3-rpms' is disabled for this system.
Repository 'rhel-7-server-openstack-6.0-debug-rpms' is disabled for this system.
Repository 'rhel-7-server-rhscon-2-main-source-rpms' is disabled for this system.
Repository 'rhel-7-server-rhceph-2-tools-rpms' is disabled for this system.
Repository 'jb-eap-7-for-rhel-7-server-source-rpms' is disabled for this system.
Repository 'rhel-sjis-for-rhel-7-server-aus-source-rpms' is disabled for this system.
Repository 'rhel-7-server-openstack-beta-cts-debug-rpms' is disabled for this system.
Repository 'cf-me-for-rhel-7-beta-rpms' is disabled for this system.
Repository 'rhel-7-server-ose-3.3-debug-rpms' is disabled for this system.
...

# subscription-manager repos --enable rhel-7-server-rpms --enable rhel-7-server-extras-rpms --enable rhel-7-server-optional-rpms
Repository 'rhel-7-server-rpms' is enabled for this system.
Repository 'rhel-7-server-optional-rpms' is enabled for this system.
Repository 'rhel-7-server-extras-rpms' is enabled for this system.

# rpm-ostree install strace                                                                                                                                                                  
Checking out tree 42cfe1c... done

Downloading metadata: [=====================] 100%
Resolving dependencies... done
Overlaying... done
Writing rpmdb... done
Writing OSTree commit... done
Copying /etc changes: 32 modified, 4 removed, 85 added
Transaction complete; bootconfig swap: yes deployment count change: 1
Added:
  strace-4.8-11.el7.x86_64
Run "systemctl reboot" to start a reboot

# rpm-ostree status
State: idle
Deployments:
  7.3.1-rc:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.1 (2016-12-02 14:10:50)
    BaseCommit: 42cfe1ca3305defb16dfd59cd0be5c539f19ea720dba861ed11e13941423ae86
        Commit: 80707f620487af2397646cfd30038369e79450ac4267dc058273e13ff43ba8a5
        OSName: rhel-atomic-host
      Packages: strace

● 7.3.1-rc:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.1 (2016-11-30 02:14:24)
        Commit: 42cfe1ca3305defb16dfd59cd0be5c539f19ea720dba861ed11e13941423ae86
        OSName: rhel-atomic-host
Comment 5 Jonathan Lebon 2016-12-02 15:51:51 UTC 
(In reply to Colin Walters from comment #1)
> Ugh, this is a variant of https://bugzilla.redhat.com/show_bug.cgi?id=1399770
> 
> For this case I think realistically we need to symlink etc -> usr/etc inside
> rpm-ostree's initial tree checkout.

Isn't this something else though? RHBZ1399770 was because of:
https://github.com/projectatomic/rpm-ostree/pull/496/files#diff-af8b24e3bf31175f007dd70d4b1a46fcL1095

Right?

But that can only affect os-release since that's all libhif uses the source_root for.

Judging by what Micah said above and looking closely at the error message:

> error: Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release [Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release]

This looks like a potentially badly formatted "gpgkey=" entry in redhat.repo.
Comment 6 Micah Abbott 2016-12-02 15:55:53 UTC 
(In reply to Jonathan Lebon from comment #5)

> This looks like a potentially badly formatted "gpgkey=" entry in redhat.repo.

I think Jonathan nailed it.  I registered with the employee sub again and inspected the redhat.repo file:

# grep gpgkey /etc/yum.repos.d/redhat.repo 
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
...
Comment 7 Colin Walters 2016-12-02 16:03:01 UTC 
https://github.com/rpm-software-management/libhif/issues/223
Comment 8 Colin Walters 2016-12-02 16:06:45 UTC 
I'm pretty sure since the introduction of package layering, we have failed on such repositories.  Hence, not a regression here.  Micah already confirmed that the primary repositories don't have this problem.

So, something to fix but not a blocker.
Comment 9 Colin Walters 2017-04-04 18:56:39 UTC 
This is a variant of https://github.com/rpm-software-management/libdnf/pull/263 and should be fixed by the next version of rpm-ostree.
Comment 13 Jonathan Lebon 2018-07-20 15:59:11 UTC 
This is definitely fixed. I've just tested it on RHELAH 7.5.1.