Bug 1884395

Summary: [RFE] Prevent removal of satellite\satellite-capsule\satellite-common\katello\foreman etc all important packages of satellite and capsules
Product: Red Hat Satellite
Reporter: Pavel Moravec <pmoravec>
Component: Packaging
Assignee: satellite6-bugs <satellite6-bugs>
Status: NEW
QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: high
Priority: urgent
Version: 6.8.0
CC: ahumbe, apatel, aupadhye, dhjoshi, ehelms, jbhatia, jiehuang, jpasqual, jyejare, kgaikwad, ktordeur, msunil, rgreene, saydas
Target Milestone: Unspecified
Keywords: FutureFeature, PrioBumpGSS, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Type: Bug

Description Pavel Moravec 2020-10-01 20:07:05 UTC
Description of problem:
While foreman-protector prevents unintended package install/update/downgrade, it silently allows removal of a package. This 1) is a flaw in its consistency, and 2) has affected several customers who, e.g., unexpectedly removed some package from Sat via REX.

Please extend foreman-protector also to package removal protection.


Version-Release number of selected component (if applicable):
Sat 6.7
rubygem-foreman_maintain-0.5.4-1


How reproducible:
100%


Steps to Reproduce:
0. yum install sos
1. install - via foreman-maintain - sos-3.9-2.el7.noarch (while older and also newer version exists)
2. yum update sos
3. yum downgrade sos
4. yum remove sos
5. yum remove foreman


Actual results:
0. and 2. and 3. will be prohibited by foreman-protector.
4. and 5. will ask the user to confirm the package removal.


Expected results:
None of 0. and 2.-5. should allow a package action.


Additional info:

Comment 7 Eric Helms 2022-08-09 13:24:12 UTC
An idea to solve this is to ship a /etc/dnf/protected.d/satellite.conf with a list of packages that should never be removed.

Comment 8 Pavel Moravec 2022-10-18 10:01:15 UTC
(In reply to Eric Helms from comment #7)
> An idea to solve this is to ship a /etc/dnf/protected.d/satellite.conf with
> a list of packages that should never be removed.

A candidate package would be *pulp-rpm*. We have a customer who accidentally removed that package (due to a dependency when removing something else), and was surprised why most of the pulp functionality was gone. We were surprised why katello fix repositories fails with 404 on querying objects that *are* present in the DB - these situations are *really* dangerous.
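
A sketch of the approach from comments 7 and 8, added here as an example and not part of the bug report or of Satellite's own code: it writes a protected.d-style drop-in (one package name per line) and checks a planned removal set, dependencies included, against it. The package names come from this bug's summary and comment 8 and may not match the real RPM names; the function names and the use of a scratch directory instead of /etc/dnf/protected.d are assumptions.

```shell
#!/bin/sh
# Added example. The package list is taken from the names mentioned in this
# bug (assumption: actual RPM names on a given release may differ).

# write_protected_conf DIR: create DIR/satellite.conf, one package name per
# line, which is the format dnf reads from /etc/dnf/protected.d/*.conf.
write_protected_conf() {
    mkdir -p "$1" || return 1
    printf '%s\n' satellite satellite-capsule satellite-common \
        katello foreman pulp-rpm > "$1/satellite.conf"
}

# protected_names DIR: print every protected name found in DIR/*.conf,
# trimming surrounding whitespace and dropping blank lines and duplicates.
protected_names() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$f"
    done | sort -u
}

# blocked_removals DIR PKG...: PKG... is the full set a transaction would
# remove (requested packages plus anything pulled out as a dependency).
# Prints the protected ones; returns 1 if any were found, 0 otherwise.
blocked_removals() {
    dir=$1; shift
    names=$(protected_names "$dir")
    hit=0
    for pkg in "$@"; do
        # -F fixed string, -x whole line: "foreman" must not match "foreman-cli"
        if printf '%s\n' "$names" | grep -Fxq -- "$pkg"; then
            printf '%s\n' "$pkg"
            hit=1
        fi
    done
    return "$hit"
}
```

Calling `blocked_removals` with the removal set from a dry run shows the case from comment 8: a package that was never named on the command line but would leave as a dependency is still reported.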