Bug 2186765
| Summary: | Capsule redundantly synces *-Export-Library repos | |||
|---|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Pavel Moravec <pmoravec> | |
| Component: | Capsule - Content | Assignee: | Samir Jha <sajha> | |
| Status: | CLOSED ERRATA | QA Contact: | Vladimír Sedmík <vsedmik> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 6.12.3 | CC: | ahumbe, beat, damoore, iballou, paji, pcreech, sajha, vsedmik | |
| Target Milestone: | 6.14.0 | Keywords: | Triaged | |
| Target Release: | Unused | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2238359 (view as bug list) | Environment: | ||
| Last Closed: | 2023-11-08 14:19:08 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
Created redmine issue https://projects.theforeman.org/issues/36436 from this bug Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/36436 has been resolved. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Satellite 6.14 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:6818 |
Description of problem: When exporting complete library content (hammer content-export complete library), an auxiliary CV "Export-Library" is created, backed by auxiliary katello repositories (with pulp_id like 1-Export-Library-Library-25807266-9eb3-4361-ab75-c9a928083c6f and relative_path like RedHat/Library/Export-Library/custom/ZOO_Product/ZOO-repo). (Only?) When Library LE is assigned to a Capsule, these auxiliary repos are synchronized there, redundantly. Moreover, in some scenario I am unable to reproduce ATM, presence of these repos on Capsule can block package download from Sat to Caps, since: - the pulpcore Repo objects on the Capsule are created along with Remotee objects with some weird certs (this bit I cant reproduce but saw it at a customer) - assuming the Capsule has On Demand download policy set and a client wants to fetch a package from Capsule that is not present, the Capsule choses among *all* repos that has the RPM associated - from that list of repos, it *can* chose the 1-Export-Library repo, with wrong certs - so then Capsule requests Satellite to fetch packages with invalid certs, which fails on "[SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)')]" error - when this happens, it is SUPER confusing and difficult to understand the core issue (ridiculous & offending repo on Capsule) Please prevent synchronizing the auxiliary repos to Capsules. Version-Release number of selected component (if applicable): Sat 6.11 or newer How reproducible: 100% Steps to Reproduce: 1. Have some (smaller) repos with Immediate download policy synced to Satellite 2. Run "hammer content-export complete library" to pretend ISS 3. Have Capsule associated with Library LE 4. Sync that Capsule 5. Check the Capsule has also the 1-Export-Library repos synced and available to consumers: (in pulpcore psql - in my example, I had 2 repos with Immediate download policy, both appears in the ISS export *and* also on Caps): pulpcore=# SELECT pulp_id,name FROM core_repository WHERE name LIKE '%Export-Library%'; pulp_id | name --------------------------------------+--------------------------------------------------------------- 8575a7ab-4103-43b8-91f2-aac7b8f8fed9 | 1-Export-Library-Library-beaed1e1-c3be-4ad6-a888-560278447cf2 7268423f-cab9-4cb6-885b-72273a92644f | 1-Export-Library-Library-25807266-9eb3-4361-ab75-c9a928083c6f (2 rows) pulpcore=# SELECT pulp_id,name,base_path FROM core_distribution WHERE base_path LIKE '%Export-Library%'; pulp_id | name | base_path --------------------------------------+---------------------------------------------------------------+--------------------------------------------------------------------------------- 55a4620a-cb81-4124-ad24-b82d79b19d90 | 1-Export-Library-Library-25807266-9eb3-4361-ab75-c9a928083c6f | RedHat/Library/Export-Library/custom/ZOO_Product/ZOO-repo 4213903f-1142-4eed-b189-10ef150864e6 | 1-Export-Library-Library-beaed1e1-c3be-4ad6-a888-560278447cf2 | RedHat/Library/Export-Library/content/dist/layered/rhel8/x86_64/sat-client/6/os (2 rows) pulpcore=# 6. Check the same on Satellite - there wont be any pulp repo (while distribution will be there, just for the sake of data export) Actual results: 5. shows repos synced to the Capsule, while they are not present on Satellite. MOREOVER (this deserves a new bug?): registering a client directly via sub-man, I can chose Library/Export-Library Environment - is that expected? Like: # subscription-manager register --username=admin --password=nereknu Registering to: pmoravec-caps612.satotest.redhat.com:443/rhsm Hint: User "admin" is member of following organizations: RedHat, test_org Organization: RedHat Hint: Organization "RedHat" contains following environments: Library, Library/cv_rhel8, DEV/cv_rhel8, Library/Export-Library ## <<<--- is this OK? Environment: Library/Export-Library The system has been registered with ID: f09c7f1f-1236-403c-9909-316666ca9893 .. Expected results: 5. Caps should not get the Export-Library repos synced (can a client get offered the Library/Export-Library Environment..? I really dont know..) Additional info: ibalou++ and partha++ for hints: 1) product.repositories.has_url.library.with_type(acs.content_type) I think we need to change this to: product.repositories.has_url.library.in_default_view.with_type(acs.content_type) 2) Caps sync repos to ignore shall be modified accordingly at https://github.com/Katello/katello/blob/master/app/models/katello/content_view.rb#L98 ?