Bug 1957280

Summary: DNF with versionlock silences a conflict due to a provide
Product: Red Hat Enterprise Linux 8
Reporter: Christophe Besson <cbesson>
Component: dnf-plugins-core
Assignee: Marek Blaha <mblaha>
Status: CLOSED ERRATA
QA Contact: Eva Mrakova <emrakova>
Severity: high
Priority: high
Version: 8.3
CC: james.antill, mblaha, pkratoch
Target Milestone: beta
Keywords: Reproducer, Triaged
Hardware: All
OS: Linux
Fixed In Version: dnf-plugins-core-4.0.21-2.el8
Last Closed: 2021-11-09 19:53:20 UTC
Type: Bug

Description Christophe Besson 2021-05-05 14:05:45 UTC
Description of problem:
According to the security compliance of its sector, a customer is using locked versions for ~25000 packages thanks to versionlock. However, they are not able to update "puppet-agent" to the version *correctly* defined in versionlock.list, even though this version is available. Disabling the versionlock plugin allows them to update that 3rd party package.

The problem here is that DNF is completely silent about the conflict: it just says "Nothing to do" when trying to update, which makes the issue difficult to diagnose.

Version-Release number of selected component (if applicable):
python3-dnf-plugin-versionlock-4.0.17-5.el8.noarch
dnf-plugins-core-4.0.17-5.el8.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install 3rd party repositories. EPEL is also necessary, as it provides the "facter" package which is causing the issue.
~~~
# dnf install https://yum.puppet.com/puppet6-release-el-8.noarch.rpm
# dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
~~~

2. Install puppet-agent and downgrade to a previous version.
~~~
# dnf install puppet-agent
# dnf downgrade puppet-agent
~~~

3. Set up this minimal versionlock.list, which will create a silent conflict.
~~~
# cat << EOF > /etc/dnf/plugins/versionlock.list
facter-0:3.14.2-4.el8.*
puppet-agent-0:6.21.1-1.el8.*
EOF
~~~


Actual results:
~~~
# dnf update puppet-agent 
Last metadata expiration check: 0:00:01 ago on Wed 05 May 2021 08:48:46 AM EDT.
Dependencies resolved.
Nothing to do.
Complete!
~~~

Excluding the "facter" package leads to the upgrade to the version given in versionlock.list:
~~~
# dnf -x facter update puppet-agent
Updating Subscription Management repositories.
Last metadata expiration check: 0:04:52 ago on Wed 05 May 2021 08:48:46 AM EDT.
Dependencies resolved.
=========================================================================================================================
 Package                        Architecture             Version                         Repository                 Size
=========================================================================================================================
Upgrading:
 puppet-agent                   x86_64                   6.21.1-1.el8                    puppet6                    26 M
~~~

Disabling the versionlock plugin leads to the upgrade to the latest package available:
~~~
# dnf --disableplugin=versionlock update puppet-agent
Updating Subscription Management repositories.
Last metadata expiration check: 0:05:12 ago on Wed 05 May 2021 08:48:46 AM EDT.
Dependencies resolved.
=========================================================================================================================
 Package                        Architecture             Version                         Repository                 Size
=========================================================================================================================
Upgrading:
 puppet-agent                   x86_64                   6.22.1-1.el8                    puppet6                    26 M
~~~


Expected results:
Something explaining the why.

Additional info:
* The issue is partially visible thanks to the debugsolver (btw, why libsolv-tools isn't shipped???)
~~~
# testsolv -vvv debugdata/rpms/testcase.t | grep -v -e installing -e update | grep -A2 puppet-agent
propagate decision 512:    puppet-agent-6.21.0-1.el8.x86_64 [512]I Install.level1
  unit Rule #49337:
    !facter-3.14.2-4.el8.x86_64 [1863] (w1)
    !puppet-agent-6.21.0-1.el8.x86_64 [512]I (w2) Install.level1
    next rules: 0 50535
    -> decided to conflict facter-3.14.2-4.el8.x86_64
~~~

* The package puppet-agent provides the "facter" capability, a package which is available from EPEL 8.
~~~
# rpm -q puppet-agent
puppet-agent-6.21.0-1.el8.x86_64

# rpm -q --requires puppet-agent | uniq
/bin/mkdir
/bin/sh
/bin/touch
findutils
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1
systemd
tar
util-linux

# rpm -q --provides puppet-agent | uniq
cfacter >= 0.5.0
facter >= 1:3.0.0
hiera >= 2.0.0
puppet >= 4.0.0
puppet-agent = 6.21.0-1.el8
puppet-agent(x86-64) = 6.21.0-1.el8
~~~

* I think the bug may ultimately reside in dnf/libdnf itself, feel free to re-assign that bug to another component if needed.

* This bug possibly depends on this one (?)
https://bugzilla.redhat.com/show_bug.cgi?id=1896489

Comment 1 Marek Blaha 2021-05-11 07:27:48 UTC
Let me start with a short explanation of what the versionlock plugin does. After reading the versionlock.list file it

1. excludes from available packages all versions of packages other than those mentioned
2. also excludes all packages that are obsoleting any of the locked packages

These excluded packages are completely unavailable to the solver. Unfortunately this might lead to the situation described in this issue.

In case both
- the obsoleted package (the facter package here, see `rpm -q --obsoletes puppet-agent`)
- and its obsoleter (the puppet-agent package)

are part of the versionlock.list file, then due to rule 2 all puppet-agent package versions are excluded, so the `dnf upgrade` command says 'Nothing to do.'. And it is not only the upgrade command: you are not even able to install the puppet-agent package, it's completely invisible:

~~~
# dnf install puppet-agent
All matches were filtered out by exclude filtering for argument: puppet-agent
Error: Unable to find a match: puppet-agent
~~~

Here is the patch for versionlock plugin that should fix the issue: https://github.com/rpm-software-management/dnf-plugins-core/pull/429 and here is PR with test https://github.com/rpm-software-management/ci-dnf-stack/pull/990

Meanwhile, to work around the issue, you can remove the facter package from the versionlock.list file.
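
Added example (not part of the bug comments and not the dnf-plugins-core code): a simplified Python model of the two exclusion rules described in comment 1, run over constructed repository metadata, plus a check that flags lock entries whose package obsoletes another locked package. The package tuples, the bare-name obsoletes and all function names are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Lock entry as shown on this page: name-epoch:version-release.arch (glob allowed).
LOCK_RE = re.compile(r"^(?P<name>.+)-\d+:[^-]+-.+\.[^.]+$")

# Constructed repo metadata (assumption): (name, epoch:version-release, arch, obsoletes).
# Obsoletes are reduced to bare names; real ones may carry version ranges.
AVAILABLE = [
    ("facter", "0:3.14.2-4.el8", "x86_64", ()),
    ("puppet-agent", "0:6.21.0-1.el8", "x86_64", ("facter",)),
    ("puppet-agent", "0:6.21.1-1.el8", "x86_64", ("facter",)),
    ("puppet-agent", "0:6.22.1-1.el8", "x86_64", ("facter",)),
]

def parse_locks(text):
    """Return [(name, pattern)] for each plain lock entry in versionlock.list text."""
    locks = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # blanks, comments, "!" exclude entries
            continue
        m = LOCK_RE.match(line)
        if m:
            locks.append((m.group("name"), line))
    return locks

def nevra(pkg):
    return f"{pkg[0]}-{pkg[1]}.{pkg[2]}"

def visible_packages(locks, available=AVAILABLE):
    """Apply the two exclusion rules from comment 1; return the surviving NEVRAs."""
    locked_names = {name for name, _ in locks}
    out = []
    for pkg in available:
        # Rule 1: for a locked name, only the listed versions stay available.
        if pkg[0] in locked_names and not any(
                n == pkg[0] and fnmatchcase(nevra(pkg), pat) for n, pat in locks):
            continue
        # Rule 2: anything obsoleting a locked package is excluded as well.
        if locked_names & set(pkg[3]):
            continue
        out.append(nevra(pkg))
    return out

def self_defeating_locks(locks, available=AVAILABLE):
    """Return sorted (locked obsoleter, locked obsoleted) name pairs."""
    locked_names = {name for name, _ in locks}
    return sorted({(p[0], o) for p in available for o in p[3]
                   if p[0] in locked_names and o in locked_names})
```

With both entries from the reproducer locked, the model leaves no puppet-agent version visible, and `self_defeating_locks` reports the `("puppet-agent", "facter")` pair that explains the silent "Nothing to do".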

Comment 9 errata-xmlrpc 2021-11-09 19:53:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: dnf security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4464