Bug 1688489

Summary: CV Publish filters modular rpms leaving them in a potentially broken state
Product: Red Hat Satellite Reporter: Partha Aji <paji>
Component: Content ViewsAssignee: Partha Aji <paji>
Status: CLOSED ERRATA QA Contact: Omkar Khatavkar <okhatavk>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.5.0CC: okhatavk, sghai, swadeley, zhunting
Target Milestone: ReleasedKeywords: Triaged
Target Release: UnusedFlags: zhunting: needinfo? (paji)
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: tfm-rubygem-katello-,tfm-rubygem-katello- Doc Type: Known Issue
Doc Text:
Cause: The Content View publish process copies all modules irrespective of any filters. However, the RPMs belonging to these module are subject to package filtering. Consequence: A Content View publish action will copy all modules and any RPMs included by a filter, but not RPMs excluded by a filter, even if the excluded RPMs are required by a module. Workaround (if any): Check for the RPMs belonging to a module to be used in a Content View and include the modules RPMs in the Content View. Consider using Composite Content Views with modules your require in separate Content Views for ease of management. Result: A module's presence in a Content View will allow the module stream to be enabled, but some RPMs might not be present due to package filtering.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-14 19:57:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Description Flags
attaching filtering result none

Description Partha Aji 2019-03-13 20:39:01 UTC
Consider a content view that has repositories with modules streams .
As of Sat 6.5 the Content View publish process copies over all the modules irrespective of any filters. However the rpms belonging to these module streams (aka Modular Rpms) are subject to the regular package filtering. This causes the module streams in the resulting content view environment to be in a semi-broken (aka ursine) state.

For example: Consider a content view with a repo that has a Module Stream M, and modular rpms R1 and R2 belonging to M. Assume this repo also has a non modular rpm N. If this content view had a package filter that says "Include only rpm N". The content view publish will copy over module stream M and rpm N but will ignore R1 and R2. This could lead to a dubious CVE where the customer enables the module stream but is not able to install the rpms belonging to this.

We need to mark rpms belonging to module streams as "modular" and have them evade the filtering process and automatically copied over. We need to limit the filtering to only non modular rpms. 

Version-Release number of selected component (if applicable): 6.5 nightly

Steps to Reproduce:

1) Create a content view 
2) Add a repo with module streams
3) Create an includes filter that says "Include foo" (where is foo is a non modular rpm.)
4) Publish the content view

All modules streams and modular rpms get copied over in addtion to what you have for the include.

Notice that all the module streams got copied over. However only foo got copied over in terms of rpms.

Comment 4 Partha Aji 2019-03-13 20:44:46 UTC
Connecting redmine issue https://projects.theforeman.org/issues/26223 from this bug

Comment 5 Partha Aji 2019-03-13 20:45:17 UTC
Connecting redmine issue https://projects.theforeman.org/issues/26221 from this bug

Comment 6 Bryan Kearney 2019-03-29 16:01:03 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/26223 has been resolved.

Comment 9 Omkar Khatavkar 2019-04-09 10:44:50 UTC
Verified this in Satellite 6.5 with Snap 22, everything works fine. Executed all Scenarios mentioned as https://github.com/Katello/katello/pull/8014#issuecomment-477068810

Comment 10 Omkar Khatavkar 2019-04-09 12:13:43 UTC
Created attachment 1553831 [details]
attaching filtering result

Comment 11 Omkar Khatavkar 2019-04-15 06:33:48 UTC
Marking this ticket as verified, as per my above comment

Comment 12 Bryan Kearney 2019-05-14 19:57:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.