Cause:
The code used for verification of playbook signatures was meant to be run on
RHEL 8 clients, where python 3 is the default python version. On RHEL 7 with
python 2.7.5 it fails to verify the signatures, even if they are in fact valid.
Consequence:
Remediations triggered from console.redhat.com as part of find-it-fix-it will
not work at all. Satellite will not be able to verify signatures of incoming
playbooks and will refuse to execute them.
Workaround (if any):
Insights engineering recommends making insights-client use python 3.
1. Install python 3
satellite-maintain packages install rh-python36
2. Modify insights-client to use python 3
# Make a backup
cp /usr/bin/insights-client /usr/bin/insights-client.bak
# Patch insights-client
cat /usr/bin/insights-client.bak \
| sed 's|#!/usr/bin/python.*$|#!/usr/bin/python3|' \
| sed 's|python2\.7|python3.6|' \
> /usr/bin/insights-client
3. Symlink insights_client library from python2.7 site-packages to python3.6 site-packages
ln -s /usr/lib/python2.7/site-packages/insights_client /usr/lib/python3.6/site-packages/insights_client
To revert the workaround:
1. Remove site-packages symlink
rm /usr/lib/python3.6/site-packages/insights_client
2. Restore insights-client backup
cp /usr/bin/insights-client.bak /usr/bin/insights-client
Result:
insights-client uses Python 3 instead of Python 2, so playbook signatures can
now be verified and find-it-fix-it works.
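One way to check whether a host has the workaround above applied, reverted, or only half done (an added example, not part of the bug report and not Red Hat code). The `ROOT` prefix, the function names and the sample tree are assumptions made for the example; the file paths are the ones from the steps.

```shell
#!/bin/bash
# Added example, not Red Hat code. ROOT is a hypothetical path prefix ("" means
# the live system) so the check can be tried on a scratch tree first.

workaround_state() {
    local root="${1:-}" shebang s_ok=no l_ok=no
    local client="$root/usr/bin/insights-client"
    local link="$root/usr/lib/python3.6/site-packages/insights_client"

    # Step 2: the interpreter line must now name python3.
    shebang=$(head -n 1 "$client" 2>/dev/null || true)
    case "$shebang" in '#!/usr/bin/python3'*) s_ok=yes ;; esac

    # Step 3: must be a symlink that resolves (-e follows the link, so a
    # dangling link to a missing python2.7 package does not count).
    if [ -L "$link" ] && [ -e "$link" ]; then l_ok=yes; fi

    case "$s_ok$l_ok" in
        yesyes) echo applied ;;
        nono)   echo reverted ;;
        *)      echo "partial shebang=$s_ok symlink=$l_ok" ;;
    esac
}

# Constructed sample tree standing in for a RHEL 7 host; prints its path.
make_sample_root() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/lib/python3.6/site-packages" \
             "$root/usr/lib/python2.7/site-packages/insights_client"
    printf '%s\n' '#!/usr/bin/python' 'import insights_client' \
        > "$root/usr/bin/insights-client"
    echo "$root"
}

# Steps 2 and 3 of the workaround, with every path prefixed by ROOT.
apply_steps() {
    local root="$1"
    cp "$root/usr/bin/insights-client" "$root/usr/bin/insights-client.bak"
    sed -e 's|#!/usr/bin/python.*$|#!/usr/bin/python3|' -e 's|python2\.7|python3.6|' \
        "$root/usr/bin/insights-client.bak" > "$root/usr/bin/insights-client"
    ln -s "$root/usr/lib/python2.7/site-packages/insights_client" \
          "$root/usr/lib/python3.6/site-packages/insights_client"
}

# Demo on the constructed tree: prints "reverted", then "applied".
demo_root=$(make_sample_root); workaround_state "$demo_root"
apply_steps "$demo_root"; workaround_state "$demo_root"; rm -rf "$demo_root"
```

A `partial` result after a revert usually means one of the two revert steps was skipped; the backup file is left in place by the revert and is not counted.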
Created attachment 1815579 [details]
Insights-client log
Description of problem:
When applying a remediation, the playbook signature verification fails.
From receptor log:
"""
receptor[1057]: Playbook Verification has started
receptor[1057]: gpg returned a non-zero error code: 1
receptor[1057]: SIGNATURE NOT VALID: Template [name: Block sudoedit with systemtap] has invalid signature', aborting.
"""
Attached also insights-client log.
Version-Release number of selected component (if applicable):
Satellite 6.10.0 snap 14 on RHEL 7.9
insights-client 3.1.5
insights-core 3.0.235-1
How reproducible:
Always
Steps to Reproduce:
1. Configure cloud connector, have a remediable host and inventory uploaded
2. On CRC, create a remediation
3. Attempt to apply that remediation
OR:
1. Download a remediation playbook from CRC
2. insights-client --module insights.client.apps.ansible.playbook_verifier < playbook.yml
Actual results:
Signature validation fails due to an invalid signature
Expected results:
Successful remediation/signature validation
Additional info:
After discussion with Alec Cohan, this seems to be because the verification code is meant for RHEL8+. When I tried to run the signature validation on a RHEL 8.3 system, the validation passed.
Just to make things clear, this is completely dependent on insights-client. Does it make sense to block the beta on something that can't even be updated by us as the update is delivered out of band?
Comment 9 Lukáš Hellebrandt
2021-10-04 14:47:28 UTC
Verified with Sat 6.10.0 snap 20.0. Playbook verification now passes for a remediation with correct certs and the playbook is run on the host.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2021:4702