Bug 1784341

Summary: disable CertificateRevocationListTask job in candlepin.conf by default
Product: Red Hat Satellite
Reporter: Pavel Moravec <pmoravec>
Component: Installation
Assignee: Eric Helms <ehelms>
Status: CLOSED ERRATA
QA Contact: Devendra Singh <desingh>
Severity: medium
Priority: high
Version: 6.6.0
CC: egolov, ehelms, jhanley, kupadhya, risantam, sadas
Target Milestone: 6.8.0
Keywords: Performance, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Fixed In Version: foreman-installer-2.1.0-0
Last Closed: 2020-10-27 12:59:35 UTC
Type: Bug
Bug Blocks: 1806626

Description Pavel Moravec 2019-12-17 09:43:02 UTC
Description of problem:
CertificateRevocationListTask is a candlepin job to populate the CRL. The CRL is not used in Satellite (at least neither katello nor RHSM queries the "crl" URI against candlepin/rhsm). So this job is being performed redundantly on a Satellite6.

Since:
- there were 5+ cases where CRL had impacted Satellite performance
- the only workaround is in modifying /etc/candlepin/candlepin.conf
- .. and this workaround does not survive an upgrade or even satellite-installer run

I am requesting to disable the Job via installer directly & by default.

Fix is very trivial, just add anywhere to

https://github.com/theforeman/puppet-candlepin/blob/master/templates/candlepin.conf.erb

a line like:

pinsetter.org.candlepin.pinsetter.tasks.CertificateRevocationListTask.schedule=0 0 0 1 1 ?

(see KCS 3888591 linked)


Version-Release number of selected component (if applicable):
Sat6.6 (any version)


How reproducible:
100%


Steps to Reproduce:
1. Install Satellite6 (or just run satellite-installer on already installed Sat6)
2. Check if CertificateRevocationListTask schedule is changed in /etc/candlepin/candlepin.conf
3. Wait for noon and check "Starting job: org.candlepin.pinsetter.tasks.CertificateRevocationListTask" log in candlepin.log


Actual results:
2. no such entry in candlepin.conf
3. such a task/job is fired every noon (by default, it finishes soon, but not in various scaled environments)


Expected results:
2. have the schedule practically disabled via candlepin.conf
3. no such job invoked at noon


Additional info:
There are customers where CRLT took hours to finish, negatively affecting candlepin (and hence whole Sat6) performance. If not disabled, the impact to CPU grows over time.

Comment 3 Eric Helms 2020-02-28 01:18:40 UTC
Created redmine issue https://projects.theforeman.org/issues/29220 from this bug

Comment 4 Bryan Kearney 2020-02-28 03:05:56 UTC
Upstream bug assigned to ehelms

Comment 5 Bryan Kearney 2020-02-28 03:05:58 UTC
Upstream bug assigned to ehelms

Comment 6 Bryan Kearney 2020-02-28 19:06:00 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/29220 has been resolved.

Comment 7 Devendra Singh 2020-07-14 15:11:01 UTC
Verification steps:

* Build Version: 6.8 Snap8

* foreman-installer version:

# rpm -q foreman-installer
foreman-installer-2.1.0-1.el7sat.noarch

* Entry is proper as mentioned in PR https://github.com/theforeman/puppet-candlepin/pull/145

# less /etc/candlepin/candlepin.conf|grep "pinsetter.org.candlepin.pinsetter.tasks.CertificateRevocationListTask.schedule=0"
pinsetter.org.candlepin.pinsetter.tasks.CertificateRevocationListTask.schedule=0 0 0 1 1 ?

* Didn't see any entry related to "Starting job: org.candlepin.pinsetter.tasks.CertificateRevocationListTask" log in the candlepin.log
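
The two checks from the verification steps above, as a repeatable script (an added example, not part of the bug report or of foreman-installer): it reads the effective value of the schedule key, so a commented-out or overridden line is not mistaken for the setting, and counts the job's start line in the log. The function names are hypothetical, and the log path is passed as an argument because the report does not give it.

```shell
#!/bin/sh
# Added example: checks the override and the log line quoted in this bug report.
KEY='pinsetter.org.candlepin.pinsetter.tasks.CertificateRevocationListTask.schedule'
WANT='0 0 0 1 1 ?'
JOB='Starting job: org.candlepin.pinsetter.tasks.CertificateRevocationListTask'

# Print the effective value of KEY from a properties file: comment lines are
# skipped and the last assignment wins. Returns 1 when the key is absent.
crl_schedule() {
    awk -v key="$KEY" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*[=:]/) next      # a different, longer key
            sub(/^[ \t]*[=:][ \t]*/, "", rest)
            sub(/[ \t]+$/, "", rest)
            val = rest; found = 1
        }
        END { if (!found) exit 1; print val }' "$1"
}

# Count occurrences of the job start line in a candlepin.log.
crl_job_runs() { grep -cF -- "$JOB" "$1" || true; }

# Return 0 when the override is in place and the job never started.
audit_crl_task() {
    rc=0
    if val=$(crl_schedule "$1"); then
        [ "$val" = "$WANT" ] || { echo "FAIL: schedule is '$val'"; rc=1; }
    else
        echo "FAIL: override missing from $1"; rc=1
    fi
    runs=$(crl_job_runs "$2")
    [ "$runs" -eq 0 ] || { echo "FAIL: job started $runs time(s) in $2"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: override present, no job runs logged"
    return "$rc"
}

# Usage: script /etc/candlepin/candlepin.conf <path to candlepin.log>
if [ "$#" -eq 2 ]; then audit_crl_task "$1" "$2"; fi
```

Running it after each satellite-installer run or upgrade shows whether the setting survived, which the manual workaround in the description did not.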

Comment 8 Eric Helms 2020-08-20 20:51:25 UTC
*** Bug 1783481 has been marked as a duplicate of this bug. ***

Comment 11 errata-xmlrpc 2020-10-27 12:59:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4366