Bug 1512600

Summary: [RFE] Implement a yum version lock type of protections against upgrades
Product: Red Hat Satellite
Component: Satellite Maintain
Version: Nightly
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: 6.6.0
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Keywords: FutureFeature
Reporter: Bryan Kearney <bkearney>
Assignee: Martin Bacovsky <mbacovsk>
QA Contact: Jameer Pathan <jpathan>
CC: apatel, egolov, inecas, jpathan, kgaikwad, lpramuk, mbacovsk, mpusater, mvanderw, pcreech, peter.vreman, rjerrido, spetrosi, zhunting
Fixed In Version: rubygem-foreman_maintain-0.4.2-1,foreman-installer-1.22.0-1,satellite-installer-6.6.0.14-1.beta
Doc Type: If docs needed, set a value
Doc Text:
Previously, using yum to update or install packages on the base system where Satellite is installed might have resulted in Satellite being partially updated and therefore caused conflicts. With this release, Satellite packages are locked against updates. The lock is released automatically only when you issue the `satellite-installer` command. This feature is not enabled on Capsule Server.
Last Closed: 2019-10-22 16:36:54 UTC
Type: Bug
Bug Blocks: 1122832    
Attachments:
Description Flags
version_locking_issue_1 none

Description Bryan Kearney 2017-11-13 15:47:52 UTC
Breaking out part of the RFE from 

https://bugzilla.redhat.com/show_bug.cgi?id=1184568

Specifically, that there should be a version lock so that a customer cannot upgrade the Satellite except through approved tools like foreman maintain.

Comment 1 Bryan Kearney 2017-11-13 15:49:27 UTC
I am guessing that we do not need to implement all of 1512600, 1459358, and 1316246. Linking them all together so we decide which to do and then close out the others.

Comment 3 Martin Bacovsky 2019-03-04 14:56:49 UTC
Created redmine issue https://projects.theforeman.org/issues/26216 from this bug

Comment 4 Bryan Kearney 2019-03-19 16:07:25 UTC
Upstream bug assigned to mbacovsk

Comment 5 Bryan Kearney 2019-03-19 16:07:26 UTC
Upstream bug assigned to mbacovsk

Comment 6 Bryan Kearney 2019-05-16 16:06:55 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/26409 has been resolved.

Comment 18 Jameer Pathan 2019-07-31 11:48:57 UTC
Created attachment 1595049
version_locking_issue_1

Comment 20 Lukas Pramuk 2019-08-06 13:31:05 UTC
RE comment#16 and comment#17:

There are still some packages not handled by the installer which are not installed by default, and the locking mechanism is preventing installation of these packages, e.g. foreman-discovery-image.

Filed BZ1738199 to resolve the situation around these packages.

Comment 22 Martin Bacovsky 2019-08-09 10:28:25 UTC
Requested release notes, Docs BZ was linked. https://bugzilla.redhat.com/show_bug.cgi?id=1739389

Comment 23 Martin Bacovsky 2019-08-09 12:15:44 UTC
Updated Docs request

Comment 24 Jameer Pathan 2019-08-09 13:26:57 UTC
Verified

Verified with:
- rubygem-foreman_maintain-0.4.5-1.el7sat.noarch

Version locking via yum is working with foreman-maintain, considering:

- The feature is locking all packages from the Satellite repo, not just installed packages.
- This means the lock is applied on installed package updates along with new packages from the Satellite repo.

- In case a user tries to run katello-remove on an existing Satellite install, the version lock still remains there and does not allow users to install packages even though repos are enabled. A BZ [1] is filed to address it and a workaround is there.
- Redundant options for all subcommands under package commands, but it's not a blocker. A bug is filed [2].

Note: currently the lock is working for packages coming from the Satellite repo, not for everything; e.g. a lock for the RHEL repo/custom repo is not in place for now and requires additional changes, so another RFE is filed for it [3]. And it is not supported for Capsule.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1728253
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1734766
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1728253

Comment 28 errata-xmlrpc 2019-10-22 16:36:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3181