Bug 2040706

Summary: Leapp cannot upgrade with a custom https repo
Product: Red Hat Enterprise Linux 7 Reporter: Christophe Besson <cbesson>
Component: leapp-repositoryAssignee: Leapp Notifications Bot <leapp-notifications-bot>
Status: ASSIGNED --- QA Contact: upgrades-and-conversions
Severity: medium Docs Contact:
Priority: medium    
Version: 7.9CC: anrussel, nico.van.roijen, pholica, pstodulk, sujagtap
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1818088    

Description Christophe Besson 2022-01-14 15:21:58 UTC 
Description of problem:
Customer uses custom repositories hosted behind an HTTPS server.
They use a dedicated certificate which is not copied into the target userspace, leading to an error while trying to retrieve the metadata.

Version-Release number of selected component (if applicable):
leapp-upgrade-el7toel8-0.15.0-6.el7_9

How reproducible:
Always

Steps to Reproduce:
1. Setup an HTTPS server hosting your repositories
2. Specify the certificate in sslcacert in the repo file

Actual results:
[MIRROR] libcgroup-0.41-19.el8.x86_64.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://<HIDDEN_HOSTNAME>/pulp/content/ci-rhel8-baseos2/Packages/l/libcgroup-0.41-19.el8.x86_64.rpm [SSL certificate problem: unable to get local issuer certificate]

Additional info:
- Setting sslverify=0 is a workaround, but this is not what the customer wants.

- The issue was workarounded by bind-mounting the /etc/pki/ca-trust directory into the container (by modifying ALWAYS_BIND in mounting.py).

- I think something allowing to simply add files into the target userspace could help. With the below patch, a user can execute the following command to move forward:
# for f in $(find /etc/pki/ca-trust -type f); do echo $f:$f >> /etc/leapp/filesfortargetuserspace.conf; done

--- /usr/share/leapp-repository/repositories/system_upgrade/common/actors/scanfilesfortargetuserspace/libraries/scanfilesfortargetuserspace.py.orig	2022-01-14 15:55:58.698593070 +0100
+++ /usr/share/leapp-repository/repositories/system_upgrade/common/actors/scanfilesfortargetuserspace/libraries/scanfilesfortargetuserspace.py	2022-01-14 16:08:35.738180885 +0100
@@ -8,6 +8,8 @@
     '/etc/hosts': '/etc/hosts'
 }
 
+FILES_FOR_TARGET_USERSPACE_CFG = '/etc/leapp/filesfortargetuserspace.conf'
+
 
 def scan_files_to_copy():
     """
@@ -21,6 +23,17 @@
             dst_path = FILES_TO_COPY_IF_PRESENT[src_path]
             files_to_copy.append(CopyFile(src=src_path, dst=dst_path))
 
+    if os.path.exists(FILES_FOR_TARGET_USERSPACE_CFG):
+        try:
+            with open(FILES_FOR_TARGET_USERSPACE_CFG, "r") as f:
+                additional_files = f.readlines()
+            for line in additional_files:
+                src_path, dst_path = line.split(':')
+                files_to_copy.append(CopyFile(src=src_path, dst=dst_path))
+        except:
+            # silence any error (EACCES, EPERM, bad file format, ...)
+            pass
+
     preupgrade_task = TargetUserSpacePreupgradeTasks(copy_files=files_to_copy)
 
     api.produce(preupgrade_task)
Comment 10 Petr Stodulka 2023-07-26 07:56:32 UTC 
*** Bug 1917469 has been marked as a duplicate of this bug. ***