Bug 1526622
| Summary: | the productid plugin should never delete a /etc/pki/product-default/<ID>.pem cert provided by the redhat-release-<VARIANT>.rpm | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | John Sefler <jsefler> |
| Component: | subscription-manager | Assignee: | Jiri Hnidek <jhnidek> |
| Status: | CLOSED ERRATA | QA Contact: | Red Hat subscription-manager QE Team <rhsm-qe> |
| Severity: | medium | Docs Contact: | Filip Hanzelka <fhanzelk> |
| Priority: | medium | ||
| Version: | 7.5-Alt | CC: | bkearney, drusek, fhanzelk, ftan, jhnidek, jreznik, khowell, salmy, skallesh, soliu |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | subscription-manager-1.20.10-1 | Doc Type: | Release Note |
| Doc Text: |
*subscription-manager* now protects all product certificates in `/etc/pki/product-default/`
Previously, the *subscription-manager* utility only protected those product certificates provided by the _redhat-release_ package whose tag matched `rhel-#`. Consequently, product certificates such as `RHEL-ALT` or `High Touch Beta` were sometimes removed from the `/etc/pki/product-default/` directory by the `product-id yum` plugin. With this update, *subscription-manager* has been modified to protect all certificates in `/etc/pki/product-default/` against automatic removal.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-10 09:52:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1527213, 1539427 | ||
|
Description
John Sefler
2017-12-15 21:28:20 UTC
I added link to PR with quite complicated implementation of bug fix (all product certificates provided by RPM are protected). Another and not so complicated implementation will be provided soon (all prod. certs in /etc/pki/product-default will be protected). I'm attaching link to Github PR with simple implementation as I promised. Moving bug to verified as product cert 363.pem is not removed from /etc/pki/product-default and 419.pem is installed as well
[root@hp-moonshot-03-c13 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.0.43-1
subscription management rules: 5.26
subscription-manager: 1.20.10-1.el7
[root@hp-moonshot-03-c13 ~]# subscription-manager list --available --matches=RH00783 --pool-only
8a99f984614aa73001614c13ba821f7e
[root@hp-moonshot-03-c13 ~]# subscription-manager attach --pool 8a99f984614aa73001614c13ba821f7e
Successfully attached a subscription for: Red Hat Enterprise Linux Server for ARM, Standard (Physical Node, L3 Only)
[root@hp-moonshot-03-c13 ~]# subscription-manager list --installed
+-------------------------------------------+
Installed Product Status
+-------------------------------------------+
Product Name: Red Hat Enterprise Linux for ARM 64 Beta
Product ID: 363
Version: 7.5 Beta
Arch: aarch64
Status: Subscribed
Status Details:
Starts: 01/31/2018
Ends: 01/30/2019
[root@hp-moonshot-03-c13 ~]# ls /etc/pki/product*
/etc/pki/product:
/etc/pki/product-default:
363.pem
[root@hp-moonshot-03-c13 ~]# cat /var/lib/rhsm/productid.js
{
"363": [
"beaker-Server"
]
}[root@hp-moonshot-03-c13 ~]# rpm -q --whatprovides /etc/pki/product-default/363.pem
redhat-release-server-7.5-1.el7a.aarch64
[root@hp-moonshot-03-c13 ~]# yum repolist --disablerepo=beaker*
Loaded plugins: product-id, search-disabled-repos, subscription-manager
rhel-7-for-arm-64-rpms | 4.0 kB 00:00:00
(1/3): rhel-7-for-arm-64-rpms/7Server/aarch64/updateinfo | 69 kB 00:00:00
(2/3): rhel-7-for-arm-64-rpms/7Server/aarch64/primary_db | 4.6 MB 00:00:00
(3/3): rhel-7-for-arm-64-rpms/7Server/aarch64/group | 660 kB 00:00:01
repo id repo name status
rhel-7-for-arm-64-rpms/7Server/aarch64 Red Hat Enterprise Linux 7 for ARM (RPMs) 3,888
repolist: 3,888
[root@hp-moonshot-03-c13 ~]# yum list available --disablerepo=beaker* | tail -1
zziplib.aarch64 0.13.62-5.el7 rhel-7-for-arm-64-rpms
[root@hp-moonshot-03-c13 ~]# yum install zziplib.aarch64 --disablerepo=beaker*
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package zziplib.aarch64 0:0.13.62-5.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================================================================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================================================================================================================
Installing:
zziplib aarch64 0.13.62-5.el7 rhel-7-for-arm-64-rpms 81 k
Transaction Summary
=============================================================================================================================================================================================================================================
Install 1 Package
Total download size: 81 k
Installed size: 403 k
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/aarch64/7Server/rhel-7-for-arm-64-rpms/packages/zziplib-0.13.62-5.el7.aarch64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY ] 0.0 B/s | 0 B --:--:-- ETA
Public key for zziplib-0.13.62-5.el7.aarch64.rpm is not installed
zziplib-0.13.62-5.el7.aarch64.rpm | 81 kB 00:00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0xFD431D51:
Userid : "Red Hat, Inc. (release key 2) <security>"
Fingerprint: 567e 347a d004 4ade 55ba 8a5f 199e 2f91 fd43 1d51
Package : redhat-release-server-7.5-1.el7a.aarch64 (@beaker-Server/7.5)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Importing GPG key 0x2FA658E0:
Userid : "Red Hat, Inc. (auxiliary key) <security>"
Fingerprint: 43a6 e49c 4a38 f4be 9abf 2a53 4568 9c88 2fa6 58e0
Package : redhat-release-server-7.5-1.el7a.aarch64 (@beaker-Server/7.5)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : zziplib-0.13.62-5.el7.aarch64 1/1
rhel-7-for-arm-64-rpms/7Server/aarch64/productid | 2.1 kB 00:00:00
Verifying : zziplib-0.13.62-5.el7.aarch64 1/1
Installed:
zziplib.aarch64 0:0.13.62-5.el7
Complete!
[root@hp-moonshot-03-c13 ~]# ls /etc/pki/product*
/etc/pki/product:
419.pem
/etc/pki/product-default:
363.pem
[root@hp-moonshot-03-c13 ~]# cat /var/lib/rhsm/productid.js
{
"363": [
"beaker-Server"
],
"419": [
"rhel-7-for-arm-64-rpms"
]
}[root@hp-moonshot-03-c13 ~]# subscription-manager list --installed
+-------------------------------------------+
Installed Product Status
+-------------------------------------------+
Product Name: Red Hat Enterprise Linux for ARM 64
Product ID: 419
Version: 7.4
Arch: aarch64
Status: Subscribed
Status Details:
Starts: 01/31/2018
Ends: 01/30/2019
Product Name: Red Hat Enterprise Linux for ARM 64 Beta
Product ID: 363
Version: 7.5 Beta
Arch: aarch64
Status: Subscribed
Status Details:
Starts: 01/31/2018
Ends: 01/30/2019
*** Bug 1539928 has been marked as a duplicate of this bug. *** *** Bug 1539922 has been marked as a duplicate of this bug. *** *** Bug 1537997 has been marked as a duplicate of this bug. *** *** Bug 1540596 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0681 |