Bug 1526622

Summary: the productid plugin should never delete a /etc/pki/product-default/<ID>.pem cert provided by the redhat-release-<VARIANT>.rpm
Product: Red Hat Enterprise Linux 7 Reporter: John Sefler <jsefler>
Component: subscription-managerAssignee: Jiri Hnidek <jhnidek>
Status: CLOSED ERRATA QA Contact: Red Hat subscription-manager QE Team <rhsm-qe>
Severity: medium Docs Contact: Filip Hanzelka <fhanzelk>
Priority: medium    
Version: 7.5-AltCC: bkearney, drusek, fhanzelk, ftan, jhnidek, jreznik, khowell, salmy, skallesh, soliu
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: subscription-manager-1.20.10-1 Doc Type: Release Note
Doc Text:
*subscription-manager* now protects all product certificates in `/etc/pki/product-default/` Previously, the *subscription-manager* utility only protected those product certificates provided by the _redhat-release_ package whose tag matched `rhel-#`. Consequently, product certificates such as `RHEL-ALT` or `High Touch Beta` were sometimes removed from the `/etc/pki/product-default/` directory by the `product-id yum` plugin. With this update, *subscription-manager* has been modified to protect all certificates in `/etc/pki/product-default/` against automatic removal.
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 09:52:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1527213, 1539427    

Description John Sefler 2017-12-15 21:28:20 UTC
Description of problem:

In the scenario demonstrated below, you will see that the product cert provided by the redhat-release package for a RHEL-ALT beta compose is actually deleted by the productid yum plugin.  In the scenario you will see that the beta eng product 363 for RHEL-ALT-7.5 is deleted while eng product 419 from the current released content for RHEL-ALT-7.4 is added as a result of yum installing a single package from the CDN.  This behavior is not desirable...  We should NOT be deleting the /etc/pki/product-default/363.pem cert.

This bug is a proposal to alter the productid plugin logic to protect the removal of any product cert that has been provided by a package.  For example: since /etc/pki/product-default/363.pem is provided by redhat-release-server-7.5-1.el7a.aarch64, it should never be deleted.

In the offending scenario below, the proper behavior would be for both eng products 363 and 419 to be installed following the yum install of a sample package.


It is also worth noting that the beta eng product 363 lacks a tag matching regex "rhel-\d+" that currently makes it susceptible from deletion.  One could suggest that RCM add an additional tag to the beta product cert to protect it from deletion by the productid plugin.  However this is a bad idea in light of the proposal in Bug 1525238 which suggests to relinquish the protection of "rhel-#" tagged product certs from deletion.  The smarter logic for the productid plugin would be to protect product certs that are provided by an installed package (e.g. the one(s) in /etc/pki/product-default/ provided by redhat-release).


Version-Release number of selected component (if applicable):
[root@hp-moonshot-03-c08 ~]# rpm -q subscription-manager
subscription-manager-1.20.8-1.el7.aarch64


How reproducible:


Steps to Reproduce:
Starting with a RHEL-ALT-7.5 aarch64 compose registered to an account with access to SKU RH00783...

[root@hp-moonshot-03-c08 ~]# subscription-manager list --available --matches=RH00783 --pool-only
8a99f9835f8d43be015f92861a997437

[root@hp-moonshot-03-c08 ~]# subscription-manager attach --pool=8a99f9835f8d43be015f92861a997437
Successfully attached a subscription for: Red Hat Enterprise Linux Server for ARM, Standard (Physical Node, L3 Only)

[root@hp-moonshot-03-c08 ~]# subscription-manager list --installed
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux for ARM 64 Beta
Product ID:     363
Version:        7.5 Beta
Arch:           aarch64
Status:         Subscribed
Status Details: 
Starts:         09/20/2017
Ends:           09/19/2018

[root@hp-moonshot-03-c08 ~]# ls /etc/pki/product*
/etc/pki/product:

/etc/pki/product-default:
363.pem

[root@hp-moonshot-03-c08 ~]# cat /var/lib/rhsm/productid.js 
{
  "363": [
    "beaker-Server"
  ]
}

[root@hp-moonshot-03-c08 ~]# rpm -q --whatprovides /etc/pki/product-default/363.pem 
redhat-release-server-7.5-1.el7a.aarch64

[root@hp-moonshot-03-c08 ~]# yum repolist --disablerepo=beaker*
Loaded plugins: product-id, search-disabled-repos, subscription-manager
repo id                                  repo name                                        status
rhel-7-for-arm-64-beta-rpms/aarch64      Red Hat Enterprise Linux 7 for ARM Beta (RPMs)       0
rhel-7-for-arm-64-rpms/7Server/aarch64   Red Hat Enterprise Linux 7 for ARM (RPMs)        3,767
repolist: 3,767

[root@hp-moonshot-03-c08 ~]# yum list available --disablerepo=beaker* | tail -1
zziplib.aarch64                   0.13.62-5.el7           rhel-7-for-arm-64-rpms

[root@hp-moonshot-03-c08 ~]# yum install zziplib.aarch64 --disablerepo=beaker* --quiet

================================================================================================
 Package          Arch             Version                Repository                       Size
================================================================================================
Installing:
 zziplib          aarch64          0.13.62-5.el7          rhel-7-for-arm-64-rpms           81 k

Transaction Summary
================================================================================================
Install  1 Package

Is this ok [y/d/N]: y

[root@hp-moonshot-03-c08 ~]# ls /etc/pki/product*
/etc/pki/product:
419.pem

/etc/pki/product-default:

[root@hp-moonshot-03-c08 ~]# cat /var/lib/rhsm/productid.js 
{
  "419": [
    "rhel-7-for-arm-64-rpms"
  ]
}

[root@hp-moonshot-03-c08 ~]# subscription-manager list --installed
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux for ARM 64
Product ID:     419
Version:        7.4
Arch:           aarch64
Status:         Subscribed
Status Details: 
Starts:         11/06/2017
Ends:           11/05/2018





Actual results:
  BANG! All traces of the prior installed beta product 363 are now gone.
  As a result of installing one package from the current CDN repo rhel-7-for-arm-64-rpms, eng product 419 was installed and the default eng id 363 was removed.

Expected results:
  Both the default product cert 363 should be installed together with the new product cert 419 from the entitled repo.



Additional info:
[root@hp-moonshot-03-c08 ~]# tail -f /var/log/rhsm/rhsm.log 
2017-12-15 16:11:57,743 [WARNING] yum:16910:MainThread @logutil.py:141 - logging already initialized
2017-12-15 16:11:57,751 [DEBUG] yum:16910:MainThread @plugins.py:569 - loaded plugin modules: [<module 'container_content' from '/usr/share/rhsm-plugins/container_content.pyc'>, <module 'ostree_content' from '/usr/share/rhsm-plugins/ostree_content.pyc'>]
2017-12-15 16:11:57,751 [DEBUG] yum:16910:MainThread @plugins.py:570 - loaded plugins: {'container_content.ContainerContentPlugin': <container_content.ContainerContentPlugin object at 0xffffa35ccf90>, 'ostree_content.OstreeContentPlugin': <ostree_content.OstreeContentPlugin object at 0xffffa35d6590>}
2017-12-15 16:11:58,465 [DEBUG] yum:16910:MainThread @productid.py:640 - Checking for product certs to remove. Active include: set(['rhel-7-for-arm-64-rpms'])
2017-12-15 16:11:58,469 [INFO] yum:16910:MainThread @productid.py:707 - None of the repos for 363 are active: [u'beaker-Server']
2017-12-15 16:11:58,469 [INFO] yum:16910:MainThread @productid.py:708 - product cert 363 for 363 is being deleted
2017-12-15 16:11:58,470 [DEBUG] yum:16910:MainThread @productid.py:420 - Checking for product id certs to install or update.
2017-12-15 16:11:58,470 [DEBUG] yum:16910:MainThread @productid.py:425 - active set(['rhel-7-for-arm-64-rpms'])
2017-12-15 16:11:58,471 [DEBUG] yum:16910:MainThread @productid.py:426 - enabled [(<rhsm.certificate2.ProductCertificate object at 0xffffa35d6a50>, 'rhel-7-for-arm-64-beta-rpms'), (<rhsm.certificate2.ProductCertificate object at 0xffffa35d6d10>, 'rhel-7-for-arm-64-rpms')]
2017-12-15 16:11:58,471 [DEBUG] yum:16910:MainThread @productid.py:442 - product cert: 363 repo: rhel-7-for-arm-64-beta-rpms
2017-12-15 16:11:58,471 [DEBUG] yum:16910:MainThread @productid.py:442 - product cert: 419 repo: rhel-7-for-arm-64-rpms
2017-12-15 16:11:58,472 [INFO] yum:16910:MainThread @productid.py:530 - Updating product db with 419 -> rhel-7-for-arm-64-rpms
2017-12-15 16:11:58,473 [INFO] yum:16910:MainThread @productid.py:581 - Installed product cert 419: Red Hat Enterprise Linux for ARM 64 /etc/pki/product/419.pem
2017-12-15 16:11:58,473 [DEBUG] yum:16910:MainThread @productid.py:558 - about to run post_product_id_install
2017-12-15 16:11:58,473 [DEBUG] yum:16910:MainThread @productid.py:569 - about to run post_product_id_update

Comment 3 Jiri Hnidek 2018-01-24 14:43:38 UTC
I added link to PR with quite complicated implementation of bug fix (all product certificates provided by RPM are protected). Another and not so complicated implementation will be provided soon (all prod. certs in /etc/pki/product-default will be protected).

Comment 4 Jiri Hnidek 2018-01-24 15:29:53 UTC
I'm attaching link to Github PR with simple implementation as I promised.

Comment 7 Shwetha Kallesh 2018-01-31 16:18:24 UTC
Moving bug to verified as product cert 363.pem is not removed from /etc/pki/product-default and 419.pem is installed as well

[root@hp-moonshot-03-c13 ~]# subscription-manager  version
server type: Red Hat Subscription Management
subscription management server: 2.0.43-1
subscription management rules: 5.26
subscription-manager: 1.20.10-1.el7

[root@hp-moonshot-03-c13 ~]#  subscription-manager list --available --matches=RH00783 --pool-only
8a99f984614aa73001614c13ba821f7e
[root@hp-moonshot-03-c13 ~]# subscription-manager attach --pool 8a99f984614aa73001614c13ba821f7e
Successfully attached a subscription for: Red Hat Enterprise Linux Server for ARM, Standard (Physical Node, L3 Only)
[root@hp-moonshot-03-c13 ~]# subscription-manager list --installed
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux for ARM 64 Beta
Product ID:     363
Version:        7.5 Beta
Arch:           aarch64
Status:         Subscribed
Status Details: 
Starts:         01/31/2018
Ends:           01/30/2019

[root@hp-moonshot-03-c13 ~]# ls /etc/pki/product*
/etc/pki/product:

/etc/pki/product-default:
363.pem
[root@hp-moonshot-03-c13 ~]# cat /var/lib/rhsm/productid.js 
{
  "363": [
    "beaker-Server"
  ]
}[root@hp-moonshot-03-c13 ~]# rpm -q --whatprovides /etc/pki/product-default/363.pem 
redhat-release-server-7.5-1.el7a.aarch64
[root@hp-moonshot-03-c13 ~]# yum repolist --disablerepo=beaker*
Loaded plugins: product-id, search-disabled-repos, subscription-manager
rhel-7-for-arm-64-rpms                                                                                                                                                                                                | 4.0 kB  00:00:00     
(1/3): rhel-7-for-arm-64-rpms/7Server/aarch64/updateinfo                                                                                                                                                              |  69 kB  00:00:00     
(2/3): rhel-7-for-arm-64-rpms/7Server/aarch64/primary_db                                                                                                                                                              | 4.6 MB  00:00:00     
(3/3): rhel-7-for-arm-64-rpms/7Server/aarch64/group                                                                                                                                                                   | 660 kB  00:00:01     
repo id                                                                                                           repo name                                                                                                            status
rhel-7-for-arm-64-rpms/7Server/aarch64                                                                            Red Hat Enterprise Linux 7 for ARM (RPMs)                                                                            3,888
repolist: 3,888
[root@hp-moonshot-03-c13 ~]# yum list available --disablerepo=beaker* | tail -1
zziplib.aarch64                   0.13.62-5.el7           rhel-7-for-arm-64-rpms
[root@hp-moonshot-03-c13 ~]# yum install zziplib.aarch64 --disablerepo=beaker* 
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package zziplib.aarch64 0:0.13.62-5.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================================================================================================
 Package                                             Arch                                                Version                                                    Repository                                                          Size
=============================================================================================================================================================================================================================================
Installing:
 zziplib                                             aarch64                                             0.13.62-5.el7                                              rhel-7-for-arm-64-rpms                                              81 k

Transaction Summary
=============================================================================================================================================================================================================================================
Install  1 Package

Total download size: 81 k
Installed size: 403 k
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/aarch64/7Server/rhel-7-for-arm-64-rpms/packages/zziplib-0.13.62-5.el7.aarch64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY                                          ]  0.0 B/s |    0 B  --:--:-- ETA 
Public key for zziplib-0.13.62-5.el7.aarch64.rpm is not installed
zziplib-0.13.62-5.el7.aarch64.rpm                                                                                                                                                                                     |  81 kB  00:00:00     
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0xFD431D51:
 Userid     : "Red Hat, Inc. (release key 2) <security>"
 Fingerprint: 567e 347a d004 4ade 55ba 8a5f 199e 2f91 fd43 1d51
 Package    : redhat-release-server-7.5-1.el7a.aarch64 (@beaker-Server/7.5)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Importing GPG key 0x2FA658E0:
 Userid     : "Red Hat, Inc. (auxiliary key) <security>"
 Fingerprint: 43a6 e49c 4a38 f4be 9abf 2a53 4568 9c88 2fa6 58e0
 Package    : redhat-release-server-7.5-1.el7a.aarch64 (@beaker-Server/7.5)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : zziplib-0.13.62-5.el7.aarch64                                                                                                                                                                                             1/1 
rhel-7-for-arm-64-rpms/7Server/aarch64/productid                                                                                                                                                                      | 2.1 kB  00:00:00     
  Verifying  : zziplib-0.13.62-5.el7.aarch64                                                                                                                                                                                             1/1 

Installed:
  zziplib.aarch64 0:0.13.62-5.el7                                                                                                                                                                                                            

Complete!
[root@hp-moonshot-03-c13 ~]#  ls /etc/pki/product*
/etc/pki/product:
419.pem

/etc/pki/product-default:
363.pem
[root@hp-moonshot-03-c13 ~]# cat /var/lib/rhsm/productid.js 
{
  "363": [
    "beaker-Server"
  ], 
  "419": [
    "rhel-7-for-arm-64-rpms"
  ]
}[root@hp-moonshot-03-c13 ~]# subscription-manager list --installed
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux for ARM 64
Product ID:     419
Version:        7.4
Arch:           aarch64
Status:         Subscribed
Status Details: 
Starts:         01/31/2018
Ends:           01/30/2019

Product Name:   Red Hat Enterprise Linux for ARM 64 Beta
Product ID:     363
Version:        7.5 Beta
Arch:           aarch64
Status:         Subscribed
Status Details: 
Starts:         01/31/2018
Ends:           01/30/2019

Comment 8 Kevin Howell 2018-02-05 16:13:30 UTC
*** Bug 1539928 has been marked as a duplicate of this bug. ***

Comment 9 Djordje Todorovic 2018-02-06 12:15:37 UTC
*** Bug 1539922 has been marked as a duplicate of this bug. ***

Comment 10 Lubos Kocman 2018-02-07 11:50:28 UTC
*** Bug 1537997 has been marked as a duplicate of this bug. ***

Comment 16 Kevin Howell 2018-04-09 14:21:30 UTC
*** Bug 1540596 has been marked as a duplicate of this bug. ***

Comment 18 errata-xmlrpc 2018-04-10 09:52:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0681