Bug 1754883
Summary: | foreman-protector blocks lots of updates (both RHEL and Satellite packages) | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Satellite | Reporter: | Jan Hutař <jhutar> | ||||
Component: | Satellite Maintain | Assignee: | satellite6-bugs <satellite6-bugs> | ||||
Status: | CLOSED NOTABUG | QA Contact: | Jameer Pathan <jpathan> | ||||
Severity: | high | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | Unspecified | CC: | ahumbe, anestero, apatel, aupadhye, ehelms, inecas, jalviso, jpathan, kgaikwad, mbacovsk, mmccune, mschibli, mvanderw, ofalk, peter.vreman, rakumar, smajumda, vchepkov, wpinheir | ||||
Target Milestone: | Unspecified | Keywords: | Regression, Triaged | ||||
Target Release: | Unused | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2022-05-23 10:10:56 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 1122832 | ||||||
Attachments: |
|
Description
Jan Hutař
2019-09-24 09:46:36 UTC
Created attachment 1618546 [details]
full `yum upgrade` output on unlocked system
For those who stumbled on the same problem https://access.redhat.com/solutions/4591281 See this RFE which I wrote up to attempt to address some of the pain we are causing our customers with the package locking: https://bugzilla.redhat.com/show_bug.cgi?id=1773648 Installation of BaseOS updates should not necessitate an execution of 'satellite-installer --upgrade'. This may be hard to determine but if we could only run the --upgrade step if packages were We are taking a possible ~5-10 second package installation into in some cases a 15+ minute run of the installer as well as outage inducing restart. As an extreme but illustrating example: # foreman-maintain packages unlock ... Running unlocking of package versions ===================================== Unlock packages: [OK] ------------------------------------- # time yum -y install zsh Loaded plugins: product-id, search-disabled-repos, subscription-manager Resolving Dependencies ... Installed: zsh.x86_64 0:5.0.2-34.el7_8.2 Complete! real 0m5.179s **** 5 seconds. Now, with the installer: # foreman-maintain packages lock ... Running locking of package versions =================================== Lock packages: [OK] ----------------------------------- # time foreman-maintain packages install -y zsh .... Installed: zsh.x86_64 0:5.0.2-34.el7_8.2 Complete! [OK] ------------------------------------ Running satellite-installer --upgrade --disable-system-checks: Upgrading, to monitor the progress on all related services, please do: foreman-tail | tee upgrade-$(date +%Y-%m-%d-%H%M).log ... Upgrade completed! Package versions are being locked. [OK] -------------------------------------------------------------------------------- Check status of version locking of packages: Automatic locking of package versions is enabled in installer. Packages are locked. [OK] -------------------------------------------------------------------------------- real 16m40.003s *** 16 minutes and an outage just to install a package from the BaseOS repository. `satellite-maintain packages [install|update]` is the recommended way of installing packages from Satellite 6.6+ [1] While we're exploring if it is easy to detect if packages are installed exclusively from baseOS repos, it should not stop customers from using `satellite-maintain packages` method. Please keep us updated if this is deemed as a blocker. [1] https://access.redhat.com/documentation/en-us/red_hat_satellite/6.6/html/administering_red_hat_satellite/chap-red_hat_satellite-administering_red_hat_satellite-maintaining_a_red_hat_satellite_server#installing-and-updating-packages-on-satellite-server Patel, Any company taking security and control serious uses an OS Configuration manager to configure the OS used on the Satellite server. The proposed 'satellite-maintain packages [install|update]` is not supported by OS Configuration tools like Puppet and Ansible. Peter All, while we wait for this BZ and the RFE mentioned in Comment #10 to be implement, everyone is free to disable the package locking in satellite-maintain, simply run: # satellite-maintain packages unlock and yum will behave as normal and will still be supported. While we recommend utilizing the package locking provided by satellite-maintain, we realize that in some environments it is not a desired solution to ensure that Satellite packages are upgraded without running the upgrade routine. A very simple workaround, that we also use in the Nagios plugin for checking for updates [1] is to disable foreman-protector on the command line. So, for example: # yum update --disableplugin=foreman-protector Note: This can only be considered a workaround to avoid having to run satellite-maintain for unlocking or install/update packages. Oliver [1] https://github.com/matteocorti/check_updates/blob/16a0ea72cd0c137884f0d1e2a3a50470934a8f58/check_updates#L1187 Hello, The recommended way to do the Satellite or Capsule upgrades are using satellite-maintain and any changes in Base OS may result in the need to run the installer. Considering this I am closing this bugzilla. If you think this is still an issue request to reopen or raise new bugzilla. Thank You, Amit Upadhye. This is a documentation reference: Managing Packages on the Base Operating System of Satellite or Capsule https://access.redhat.com/documentation/en-us/red_hat_satellite/6.10/html-single/administering_red_hat_satellite/index#installing-and-updating-packages-on-satellite-server The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |