Bug 1884395

Summary: Prevent removal of satellite\satellite-capsule\satellite-common\katello\foreman etc all important packages of satellite and capsules
Product: Red Hat Satellite
Component: Installation
Version: 6.8.0
Status: CLOSED ERRATA
Severity: high
Priority: urgent
Reporter: Pavel Moravec <pmoravec>
Assignee: Evgeni Golov <egolov>
QA Contact: Griffin Sullivan <gsulliva>
CC: ahumbe, apatel, aupadhye, dhjoshi, egolov, ehelms, gsulliva, jbhatia, jiehuang, jpasqual, jyejare, kgaikwad, ktordeur, msunil, rgreene, saydas
Keywords: PrioBumpGSS, Triaged
Target Milestone: 6.15.0
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Fixed In Version: satellite-6.15.0-0.3
Last Closed: 2024-04-23 17:10:36 UTC
Type: Bug

Description Pavel Moravec 2020-10-01 20:07:05 UTC
Description of problem:
While foreman-protector prevents unintended package install/update/downgrade, it silently allows removal of a package. This 1) is a flaw in its consistency, and 2) has affected several customers who e.g. removed some package from Sat via REX unexpectedly.

Please extend foreman-protector also to package removal protection.


Version-Release number of selected component (if applicable):
Sat 6.7
rubygem-foreman_maintain-0.5.4-1


How reproducible:
100%


Steps to Reproduce:
0. yum install sos
1. install - via foreman-maintain - sos-3.9-2.el7.noarch (while older and also newer version exists)
2. yum update sos
3. yum downgrade sos
4. yum remove sos
5. yum remove foreman


Actual results:
0. and 2. and 3. will be prohibited by foreman-protector.
4. and 5. will ask user to confirm the packages removal


Expected results:
Neither 0., 2.-5. to allow a package action.


Additional info:

Comment 7 Eric Helms 2022-08-09 13:24:12 UTC
An idea to solve this is to ship a /etc/dnf/protected.d/satellite.conf with a list of packages that should never be removed.

Comment 8 Pavel Moravec 2022-10-18 10:01:15 UTC
(In reply to Eric Helms from comment #7)
> An idea to solve this is to ship a /etc/dnf/protected.d/satellite.conf with
> a list of packages that should never be removed.

A candidate package would be *pulp-rpm*. We have a customer who accidentally removed that package (due to a dependency when removing something else), and was surprised why most of pulp functionality is gone. We were surprised why katello fix repositories fails with 404 on querying objects that *are* present in DB - these situations are *really* dangerous.

Comment 13 Evgeni Golov 2023-10-05 13:50:19 UTC
While I agree it would be nice if we protect all "important" packages, I have no idea what these important packages are (and they will change over time for sure).

The attached PR protects the original request "satellite" and "satellite-capsule", as those depend on -common and foreman and katello etc, those can't be removed either now.
As for the important packages we do not depend on, well, I think we just should add the right dependency then.

Comment 14 Brad Buckingham 2023-10-30 11:29:29 UTC
Bulk setting Target Milestone = 6.15.0 where sat-6.15.0+ is set.

Comment 15 Griffin Sullivan 2023-11-08 17:06:37 UTC
Verified on stream snap 36

Unable to remove satellite and its dependencies.

Steps to reproduce:

1) yum remove foreman


Results:

Error: 
 Problem: The operation would result in removing the following protected packages: satellite
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

Comment 19 errata-xmlrpc 2024-04-23 17:10:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.15.0 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:2010
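
The drop-in approach from Comment 7 (a file under /etc/dnf/protected.d/) can be audited with a short script that reports which packages you care about are not listed. This is an added example, not code from this bug or from the Satellite project: the function names and the sample directory contents are constructed, and it assumes the dnf drop-in format of one package name per line with blank lines and # comments ignored.

```shell
#!/bin/sh
# Added example: audit dnf protected-package drop-ins (hypothetical helper names).

# list_protected DIR: print the package names listed in DIR/*.conf, one per line.
# Assumption: one name per line; blank lines and '#' comment lines are ignored.
list_protected() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue   # glob matched nothing
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e '/^$/d' -e '/^#/d' "$f"
    done | sort -u
}

# missing_protection DIR PKG...: print each PKG that no drop-in lists.
# Returns 1 if at least one package is unlisted, 0 otherwise.
missing_protection() {
    dir=$1
    shift
    protected=$(list_protected "$dir")
    rc=0
    for pkg in "$@"; do
        # -x: whole-line match, -F: literal string (names may contain '.' or '+')
        if ! printf '%s\n' "$protected" | grep -qxF -- "$pkg"; then
            printf '%s\n' "$pkg"
            rc=1
        fi
    done
    return $rc
}

# make_sample_dir: build a constructed stand-in for /etc/dnf/protected.d.
make_sample_dir() {
    d=$(mktemp -d)
    printf '# constructed sample drop-in\nsatellite\n' > "$d/satellite.conf"
    printf 'dnf\n\n  sudo  \n' > "$d/base.conf"
    printf '%s\n' "$d"
}

# Demo on the constructed directory; on a real host pass /etc/dnf/protected.d.
demo_dir=$(make_sample_dir)
missing_protection "$demo_dir" satellite satellite-capsule pulp-rpm ||
    echo "the packages above are not listed in any drop-in" >&2
rm -rf "$demo_dir"
```

This check only looks at names listed directly in the drop-ins. As Comment 13 notes, packages that a listed package depends on cannot be removed either, even though they would show up here as unlisted.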