Bug 1906188
| Summary: | openssl is missing from base Fedora IoT 33 image | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | nicolasoliver03 |
| Component: | IoT | Assignee: | Peter Robinson <pbrobinson> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 33 | CC: | crypto-team, michaelamorrell, sahana, tmraz |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | 33.20201226.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-12-27 10:52:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
nicolasoliver03
2020-12-09 21:04:10 UTC
After installing openssl manually and trying to update, I run into the following issue:
[test@automation-test ~]$ sudo rpm-ostree update
1 metadata, 0 content objects fetched; 592 B transferred in 2 seconds; 0 bytes content written
Checking out tree 1dab36e... done
Enabled rpm-md repositories: updates fedora-cisco-openh264 fedora docker-ce-stable
rpm-md repo 'updates' (cached); generated: 2020-12-09T01:06:48Z
rpm-md repo 'fedora-cisco-openh264' (cached); generated: 2020-08-25T19:10:34Z
rpm-md repo 'fedora' (cached); generated: 2020-10-19T23:27:19Z
rpm-md repo 'docker-ce-stable' (cached); generated: 2020-12-09T01:47:09Z
Importing rpm-md... done
Resolving dependencies... done
error: Could not depsolve transaction; 1 problem detected:
Problem: conflicting requests
- package openssl-1:1.1.1h-1.fc33.x86_64 requires openssl-libs(x86-64) = 1:1.1.1h-1.fc33, but none of the providers can be installed
- package openssl-1:1.1.1g-15.fc33.x86_64 requires openssl-libs(x86-64) = 1:1.1.1g-15.fc33, but none of the providers can be installed
- cannot install both openssl-libs-1:1.1.1h-1.fc33.x86_64 and openssl-libs-1:1.1.1i-1.fc33.x86_64
- cannot install both openssl-libs-1:1.1.1g-15.fc33.x86_64 and openssl-libs-1:1.1.1i-1.fc33.x86_6

> There is no openssl command in the anaconda installation or deployed ostree
> image.
That, as it currently stands, is intended, as there's no direct dependency on it and we try not to ship anything that we don't actively need. Why do you think it should be in the base image? What is the use case?
The use case is automation of the initial configuration of the device. We use the tpm2-pkcs11 module to generate private keys in the device (network, vpn, tls). Then we use openssl to generate certificate signing requests (CSRs) for such keys. Then, there are services that receive those CSRs and generate certificates for the device. Those certs are finally installed in the PKCS11 database as well.
The use case is described in this whitepaper authored by Intel and Red Hat:
https://software.intel.com/content/www/us/en/develop/articles/tpm-iot-hw-root-of-trust.html
https://www.redhat.com/en/resources/intel-IoT-edge-device-wifi-authentication-analyst-paper
Where are these modifications discussed? So I can be aware of them before they happen.
> Where are these modifications discussed?
> So I can be aware of them before they happen.
It was mentioned at the weekly IoT meeting (reminder and details are sent out to the mailing list each week), but it wasn't explicitly discussed because the base openssl utilities were never explicitly included; they were pulled in by other dependencies. When whatever it was (I don't remember offhand) ceased to require it as a dependency, it just was no longer included. Do feel free to come to the meetings and participate.
I am using cockpit and when I do an upgrade I get the same issue.
[root@rpi4iot ~]# rpm-ostree status
State: idle
Deployments:
* ostree://fedora-iot:fedora/stable/aarch64/iot
Version: 33.20201204.0 (2020-12-04T14:20:00Z)
BaseCommit: 2be42bcf293808ee4adec4b2d2e1525ad9df13d8424abf9073486ce4f2ac5c8d
GPGSignature: Valid signature by 963A2BEB02009608FE67EA4249FD77499570FF31
LayeredPackages: cockpit cockpit-ostree cockpit-system
ostree://fedora-iot:fedora/stable/aarch64/iot
Version: 33.20201204.0 (2020-12-04T14:20:00Z)
Commit: 2be42bcf293808ee4adec4b2d2e1525ad9df13d8424abf9073486ce4f2ac5c8d
GPGSignature: Valid signature by 963A2BEB02009608FE67EA4249FD77499570FF31
[root@rpi4iot ~]# rpm-ostree upgrade
2 metadata, 0 content objects fetched; 788 B transferred in 2 seconds; 0 bytes content written
Checking out tree 4f817bc... done
Enabled rpm-md repositories: fedora-cisco-openh264 updates fedora
rpm-md repo 'fedora-cisco-openh264' (cached); generated: 2020-08-25T19:10:34Z
rpm-md repo 'updates' (cached); generated: 2020-12-13T01:59:56Z
rpm-md repo 'fedora' (cached); generated: 2020-10-19T23:26:59Z
Importing rpm-md... done
Resolving dependencies... done
error: Could not depsolve transaction; 1 problem detected:
Problem: conflicting requests
- package cockpit-233.1-1.fc33.aarch64 requires cockpit-ws, but none of the providers can be installed
- package cockpit-229-1.fc33.aarch64 requires cockpit-ws, but none of the providers can be installed
- package cockpit-ws-233.1-1.fc33.aarch64 requires openssl, but none of the providers can be installed
- package cockpit-ws-229-1.fc33.aarch64 requires openssl, but none of the providers can be installed
- package openssl-1:1.1.1h-1.fc33.aarch64 requires openssl-libs(aarch-64) = 1:1.1.1h-1.fc33, but none of the providers can be installed
- package openssl-1:1.1.1g-15.fc33.aarch64 requires openssl-libs(aarch-64) = 1:1.1.1g-15.fc33, but none of the providers can be installed
- cannot install both openssl-libs-1:1.1.1h-1.fc33.aarch64 and openssl-libs-1:1.1.1i-1.fc33.aarch64
- cannot install both openssl-libs-1:1.1.1g-15.fc33.aarch64 and openssl-libs-1:1.1.1i-1.fc33.aarch64
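
A triage helper for the depsolve error quoted in this report, added here as an example (it is not part of the bug thread or of rpm-ostree). It parses the exact-version pins and the "cannot install both" pairs; treating the build common to every pair as the one fixed by the new base commit is an inference from the output, and the function names are hypothetical.

```python
import re
from collections import Counter

# Dependency lines copied from the aarch64 rpm-ostree error quoted on this page.
DEPSOLVE_OUTPUT = """\
- package cockpit-ws-233.1-1.fc33.aarch64 requires openssl, but none of the providers can be installed
- package openssl-1:1.1.1h-1.fc33.aarch64 requires openssl-libs(aarch-64) = 1:1.1.1h-1.fc33, but none of the providers can be installed
- package openssl-1:1.1.1g-15.fc33.aarch64 requires openssl-libs(aarch-64) = 1:1.1.1g-15.fc33, but none of the providers can be installed
- cannot install both openssl-libs-1:1.1.1h-1.fc33.aarch64 and openssl-libs-1:1.1.1i-1.fc33.aarch64
- cannot install both openssl-libs-1:1.1.1g-15.fc33.aarch64 and openssl-libs-1:1.1.1i-1.fc33.aarch64
"""

PIN = re.compile(r"package (\S+) requires (\S+?)(?:\(\S+\))? = (\S+?),")
BOTH = re.compile(r"cannot install both (\S+) and (\S+)")
NEVRA = re.compile(r"^(.+)-((?:\d+:)?[^-]+-[^-]+)\.([^.]+)$")


def split_nevra(pkg):
    """Split 'name-[epoch:]version-release.arch' into (name, epoch:version-release)."""
    m = NEVRA.match(pkg)
    if not m:
        raise ValueError(f"not a NEVRA string: {pkg!r}")
    return m.group(1), m.group(2)


def analyse(text):
    """Return (unmovable_build, blocked) for one depsolve problem.

    unmovable_build: the (name, evr) named in every 'cannot install both' line,
    or None when that is ambiguous. blocked: packages whose exact '=' pin on that
    name asks for a different evr, so they cannot be layered.
    """
    pins, pairs, seen = {}, 0, Counter()
    for line in text.splitlines():
        if m := PIN.search(line):
            pins[m.group(1)] = (m.group(2), m.group(3))
        elif m := BOTH.search(line):
            pairs += 1
            seen.update({split_nevra(m.group(1)), split_nevra(m.group(2))})
    common = [build for build, n in seen.items() if n == pairs]
    if len(common) != 1:
        return None, {}
    name, evr = common[0]
    blocked = {pkg: want for pkg, (dep, want) in pins.items()
               if dep == name and want != evr}
    return common[0], blocked


if __name__ == "__main__":
    build, blocked = analyse(DEPSOLVE_OUTPUT)
    print("unmovable:", build)
    for pkg, want in blocked.items():
        print(f"  {pkg} pins {build[0]} = {want}")
```

On a device that is stuck on this error, the output shows which layered package is holding back the whole upgrade, which matters because the base image update (and any fixes it carries) is not applied until the transaction resolves.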