Bug 1526622
Summary: | the productid plugin should never delete a /etc/pki/product-default/<ID>.pem cert provided by the redhat-release-<VARIANT>.rpm | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | John Sefler <jsefler> |
Component: | subscription-manager | Assignee: | Jiri Hnidek <jhnidek> |
Status: | CLOSED ERRATA | QA Contact: | Red Hat subscription-manager QE Team <rhsm-qe> |
Severity: | medium | Docs Contact: | Filip Hanzelka <fhanzelk> |
Priority: | medium | ||
Version: | 7.5-Alt | CC: | bkearney, drusek, fhanzelk, ftan, jhnidek, jreznik, khowell, salmy, skallesh, soliu |
Target Milestone: | rc | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | subscription-manager-1.20.10-1 | Doc Type: | Release Note |
Doc Text: |
*subscription-manager* now protects all product certificates in `/etc/pki/product-default/`
Previously, the *subscription-manager* utility only protected those product certificates provided by the _redhat-release_ package whose tag matched `rhel-#`. Consequently, product certificates such as `RHEL-ALT` or `High Touch Beta` were sometimes removed from the `/etc/pki/product-default/` directory by the `product-id yum` plugin. With this update, *subscription-manager* has been modified to protect all certificates in `/etc/pki/product-default/` against automatic removal.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2018-04-10 09:52:44 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1527213, 1539427 |
Description
John Sefler
2017-12-15 21:28:20 UTC
I added link to PR with quite complicated implementation of bug fix (all product certificates provided by RPM are protected). Another and not so complicated implementation will be provided soon (all prod. certs in /etc/pki/product-default will be protected). I'm attaching link to Github PR with simple implementation as I promised. Moving bug to verified as product cert 363.pem is not removed from /etc/pki/product-default and 419.pem is installed as well [root@hp-moonshot-03-c13 ~]# subscription-manager version server type: Red Hat Subscription Management subscription management server: 2.0.43-1 subscription management rules: 5.26 subscription-manager: 1.20.10-1.el7 [root@hp-moonshot-03-c13 ~]# subscription-manager list --available --matches=RH00783 --pool-only 8a99f984614aa73001614c13ba821f7e [root@hp-moonshot-03-c13 ~]# subscription-manager attach --pool 8a99f984614aa73001614c13ba821f7e Successfully attached a subscription for: Red Hat Enterprise Linux Server for ARM, Standard (Physical Node, L3 Only) [root@hp-moonshot-03-c13 ~]# subscription-manager list --installed +-------------------------------------------+ Installed Product Status +-------------------------------------------+ Product Name: Red Hat Enterprise Linux for ARM 64 Beta Product ID: 363 Version: 7.5 Beta Arch: aarch64 Status: Subscribed Status Details: Starts: 01/31/2018 Ends: 01/30/2019 [root@hp-moonshot-03-c13 ~]# ls /etc/pki/product* /etc/pki/product: /etc/pki/product-default: 363.pem [root@hp-moonshot-03-c13 ~]# cat /var/lib/rhsm/productid.js { "363": [ "beaker-Server" ] }[root@hp-moonshot-03-c13 ~]# rpm -q --whatprovides /etc/pki/product-default/363.pem redhat-release-server-7.5-1.el7a.aarch64 [root@hp-moonshot-03-c13 ~]# yum repolist --disablerepo=beaker* Loaded plugins: product-id, search-disabled-repos, subscription-manager rhel-7-for-arm-64-rpms | 4.0 kB 00:00:00 (1/3): rhel-7-for-arm-64-rpms/7Server/aarch64/updateinfo | 69 kB 00:00:00 (2/3): rhel-7-for-arm-64-rpms/7Server/aarch64/primary_db | 4.6 MB 00:00:00 (3/3): rhel-7-for-arm-64-rpms/7Server/aarch64/group | 660 kB 00:00:01 repo id repo name status rhel-7-for-arm-64-rpms/7Server/aarch64 Red Hat Enterprise Linux 7 for ARM (RPMs) 3,888 repolist: 3,888 [root@hp-moonshot-03-c13 ~]# yum list available --disablerepo=beaker* | tail -1 zziplib.aarch64 0.13.62-5.el7 rhel-7-for-arm-64-rpms [root@hp-moonshot-03-c13 ~]# yum install zziplib.aarch64 --disablerepo=beaker* Loaded plugins: product-id, search-disabled-repos, subscription-manager Resolving Dependencies --> Running transaction check ---> Package zziplib.aarch64 0:0.13.62-5.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ============================================================================================================================================================================================================================================= Package Arch Version Repository Size ============================================================================================================================================================================================================================================= Installing: zziplib aarch64 0.13.62-5.el7 rhel-7-for-arm-64-rpms 81 k Transaction Summary ============================================================================================================================================================================================================================================= Install 1 Package Total download size: 81 k Installed size: 403 k Is this ok [y/d/N]: y Downloading packages: warning: /var/cache/yum/aarch64/7Server/rhel-7-for-arm-64-rpms/packages/zziplib-0.13.62-5.el7.aarch64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY ] 0.0 B/s | 0 B --:--:-- ETA Public key for zziplib-0.13.62-5.el7.aarch64.rpm is not installed zziplib-0.13.62-5.el7.aarch64.rpm | 81 kB 00:00:00 Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release Importing GPG key 0xFD431D51: Userid : "Red Hat, Inc. (release key 2) <security>" Fingerprint: 567e 347a d004 4ade 55ba 8a5f 199e 2f91 fd43 1d51 Package : redhat-release-server-7.5-1.el7a.aarch64 (@beaker-Server/7.5) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release Is this ok [y/N]: y Importing GPG key 0x2FA658E0: Userid : "Red Hat, Inc. (auxiliary key) <security>" Fingerprint: 43a6 e49c 4a38 f4be 9abf 2a53 4568 9c88 2fa6 58e0 Package : redhat-release-server-7.5-1.el7a.aarch64 (@beaker-Server/7.5) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release Is this ok [y/N]: y Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : zziplib-0.13.62-5.el7.aarch64 1/1 rhel-7-for-arm-64-rpms/7Server/aarch64/productid | 2.1 kB 00:00:00 Verifying : zziplib-0.13.62-5.el7.aarch64 1/1 Installed: zziplib.aarch64 0:0.13.62-5.el7 Complete! [root@hp-moonshot-03-c13 ~]# ls /etc/pki/product* /etc/pki/product: 419.pem /etc/pki/product-default: 363.pem [root@hp-moonshot-03-c13 ~]# cat /var/lib/rhsm/productid.js { "363": [ "beaker-Server" ], "419": [ "rhel-7-for-arm-64-rpms" ] }[root@hp-moonshot-03-c13 ~]# subscription-manager list --installed +-------------------------------------------+ Installed Product Status +-------------------------------------------+ Product Name: Red Hat Enterprise Linux for ARM 64 Product ID: 419 Version: 7.4 Arch: aarch64 Status: Subscribed Status Details: Starts: 01/31/2018 Ends: 01/30/2019 Product Name: Red Hat Enterprise Linux for ARM 64 Beta Product ID: 363 Version: 7.5 Beta Arch: aarch64 Status: Subscribed Status Details: Starts: 01/31/2018 Ends: 01/30/2019 *** Bug 1539928 has been marked as a duplicate of this bug. *** *** Bug 1539922 has been marked as a duplicate of this bug. *** *** Bug 1537997 has been marked as a duplicate of this bug. *** *** Bug 1540596 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0681 |