Bug 2218720

Summary: switching ruby modules stream to 3.1 cause removing of pcs package
Product: Red Hat Enterprise Linux 8
Component: ruby
Version: 8.8
Hardware: x86_64
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Reporter: William LEE <reli>
Assignee: ruby maint <ruby-maint>
QA Contact: RHEL CS Apps Subsystem QE <rhel-cs-apps-subsystem-qe>
CC: vondruch
Target Milestone: rc
Target Release: ---
Last Closed: 2023-06-30 08:40:15 UTC
Type: Bug

Description William LEE 2023-06-30 02:08:04 UTC
Description of problem:

The system is hitting CVE-2022-28739; see this CVE page: https://access.redhat.com/security/cve/cve-2022-28739

Red Hat Enterprise Linux 8 ruby:3.0 Fixed RHSA-2022:6450 September 13, 2022
Red Hat Enterprise Linux 8 ruby:2.7 Fixed RHSA-2022:6447 September 13, 2022
Red Hat Enterprise Linux 8 ruby:2.6 Fixed RHSA-2022:5338 July 1, 2022
Red Hat Enterprise Linux 8 ruby Will not fix.  <==========

From the ruby module list below, the system has the 2.5 stream enabled, so it is "will not fix" for this CVE.

# dnf module list ruby
Name            Stream             Profiles                  Summary                                                       
ruby               2.5 [d][e]              common [d]           An interpreter of object-oriented scripting language         
ruby               2.6                   common [d]           An interpreter of object-oriented scripting language         
ruby               2.7                   common [d]           An interpreter of object-oriented scripting language         
ruby               3.0                   common [d]           An interpreter of object-oriented scripting language         
ruby               3.1                   common [d]           An interpreter of object-oriented scripting language  

So my idea is to try switching the ruby stream to 3.1. But in my test, after switching, the cluster package "pcs" was removed by the switching process!


Version-Release number of selected component (if applicable):

RHEL 8.8 with pcs-0.10.15-4.el8_8.1.x86_64 and ruby 2.5.9

How reproducible:


Steps to Reproduce:
1. Follow the steps here to switch the ruby stream to 3.1:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_managing_and_removing_user-space_components/managing-versions-of-appstream-content_using-appstream

2. But when running "yum distro-sync", it shows this error:

*******
[root@reli-rhel8-ha1 ~]# yum distro-sync
Updating Subscription Management repositories.
Last metadata expiration check: 1:58:13 ago on Thu 29 Jun 2023 02:45:34 AM EDT.
Error: 
 Problem 1: package pcs-0.10.15-4.el8_8.1.x86_64 requires libruby.so.2.5()(64bit), but none of the providers can be installed
  - cannot install the best update candidate for package pcs-0.10.14-5.el8_7.2.x86_64
  - ruby-libs-2.5.9-110.module+el8.6.0+15956+aa803fc1.x86_64 does not belong to a distupgrade repository
  - package ruby-libs-2.5.3-103.module+el8+2671+ebcc7ee0.x86_64 is filtered out by modular filtering
  - package ruby-libs-2.5.3-104.module+el8.0.0+3250+4b7d6d43.x86_64 is filtered out by modular filtering
  - package ruby-libs-2.5.5-105.module+el8.1.0+3656+f80bfa1d.x86_64 is filt
…………
………..
  - package ruby-libs-2.5.9-109.module+el8.5.0+14275+d9c243ca.x86_64 is filtered out by modular filtering
  - package ruby-libs-2.5.9-110.module+el8.6.0+15956+aa803fc1.x86_64 is filtered out by modular filtering
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
*************


3. Then run "yum --allowerasing distro-sync" by following the KB article below:

https://access.redhat.com/articles/4422071

Then it seemed to work, but to my surprise, the "pcs" package (which is the pacemaker management tool) will be removed by this process!!!!, like below:

*************
[root@reli-rhel8-ha1 ~]# yum --allowerasing distro-sync
Updating Subscription Management repositories.
Last metadata expiration check: 4:29:42 ago on Thu 29 Jun 2023 01:36:53 AM EDT.
Dependencies resolved.
==========================================================================================================================================================================================
 Package                                            Architecture       Version                                                 Repository                                            Size
==========================================================================================================================================================================================
Installing:
 kernel                                             x86_64             4.18.0-477.15.1.el8_8                                   rhel-8-for-x86_64-baseos-rpms                        9.4 M
 kernel-core                                        x86_64             4.18.0-477.15.1.el8_8                                   rhel-8-for-x86_64-baseos-rpms                         42 M
 kernel-modules                                     x86_64             4.18.0-477.15.1.el8_8                                   rhel-8-for-x86_64-baseos-rpms                         34 M
Upgrading:
…………..
……………

Removing:
 kernel                                             x86_64             4.18.0-372.32.1.el8_6                                   @rhel-8-for-x86_64-baseos-rpms                         0  
 kernel-core                                        x86_64             4.18.0-372.32.1.el8_6                                   @rhel-8-for-x86_64-baseos-rpms                        69 M
 kernel-modules                                     x86_64             4.18.0-372.32.1.el8_6                                   @rhel-8-for-x86_64-baseos-rpms                        24 M
Removing dependent packages:
 pcs                                                x86_64             0.10.15-4.el8_8.1                                       @rhel-8-for-x86_64-highavailability-rpms              30 M  <============

********************

4. Even after "pcs" was removed, it can't be installed anymore:

# yum install pcs
Updating Subscription Management repositories.
Last metadata expiration check: 3:08:05 ago on Thu 29 Jun 2023 02:45:34 AM EDT.
Error: 
 Problem: package pcs-0.10.15-4.el8_8.1.x86_64 requires libruby.so.2.5()(64bit), but none of the providers can be installed
  - cannot install the best candidate for the job
  - package ruby-libs-2.5.3-103.module+el8+2671+ebcc7ee0.x86_64 is filtered out by modular filtering
  - package ruby-libs-2.5.3-104.module+el8.0.0+3250+4b7d6d43.x86_64 is filtered out by modular filtering
  - package ruby-libs-2.5.5-105.module+el8.1.0+3656+f80bfa1d.x86_64 is filtered out by modular filtering
  - package ruby-libs-2.5.5-106.module+el8.3.0+7153+c6f6daa5.x86_64 is filtered out by modular filtering
  - package ruby-libs-2.5.9-107.module+el8.4.0+10822+fe4fffb1.x86_64 is filtered out by modular filtering
  - package ruby-libs-2.5.9-107.module+el8.5.0+13840+ec418553.x86_64 is filtered out by modular filtering
  - package ruby-libs-2.5.9-109.module+el8.5.0+14275+d9c243ca.x86_64 is filtered out by modular filtering
  - package ruby-libs-2.5.9-110.module+el8.6.0+15956+aa803fc1.x86_64 is filtered out by modular filtering
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

Actual results:

The pcs package was removed after the ruby stream switch to 3.1 from 2.5.9.


Expected results:

The pcs package remains intact after the ruby stream switch to 3.1.


Additional info:

Comment 2 Vít Ondruch 2023-06-30 08:40:15 UTC
In short, this behavior is expected, unfortunately.

Let me quote a note from the documentation you have linked above:

"If certain installed packages depend on the earlier stream, and there is no compatible version in the later stream, yum reports a dependency conflict. In this case, use the --allowerasing option to remove such packages because they cannot be installed together with the later stream due to missing dependencies."

In more detail, the pcs package is a bare/plain RPM, built against the default module, which is Ruby 2.5 in RHEL 8. In an ideal world, as was imagined with the introduction of modularity, pcs would also be a modular package and the modular expansion would ensure that pcs is built against all available Ruby modules. But as you can imagine, this greatly expands the support matrix, therefore this was never really implemented in practice.

Our recommendation for cases like this is captured in this [1] part of the documentation:

"Only one stream of a particular module can be active at a given point in time. Therefore, only one version of a component can be installed on a system. Different versions can be used in separate containers."

I hope this explanation helps; closing as NOTABUG.


[1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/installing_managing_and_removing_user-space_components/index#module-streams_introduction-to-modules
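
The documentation quoted in comment 2 means "--allowerasing" erases non-modular packages built against the old stream. As an added example (not part of the bug thread or of Red Hat's tooling), this script reads a dry-run transaction summary and refuses to proceed if a named package such as pcs appears under "Removing dependent packages:". The function names and the sample text are constructed here.

```shell
#!/bin/sh
# Added example (not from the bug thread): preflight guard for a stream switch.
# Real use, with the summary taken from a dry run instead of the sample:
#   yum --allowerasing distro-sync --assumeno | check_protected pcs

# Constructed sample, abridged from the transaction summary in the report.
sample_summary() {
cat <<'EOF'
Dependencies resolved.
Removing:
 kernel  x86_64  4.18.0-372.32.1.el8_6  @rhel-8-for-x86_64-baseos-rpms  0
Removing dependent packages:
 pcs  x86_64  0.10.15-4.el8_8.1  @rhel-8-for-x86_64-highavailability-rpms  30 M

Transaction Summary
EOF
}

# Print names listed under "Removing dependent packages:" (summary on stdin).
dependent_removals() {
    awk '
        /^Removing dependent packages:/ { in_sec = 1; next }
        # An unindented line (next header, summary banner) ends the section.
        in_sec && /^[^ ]/ { in_sec = 0 }
        # Assumption: a long name is wrapped onto its own line, with the
        # remaining columns on the following line; skip that continuation.
        in_sec && skip { skip = 0; next }
        in_sec && NF == 1 { print $1; skip = 1; next }
        in_sec && NF >= 3 { print $1 }
    '
}

# Return 1 if any package named in the arguments would be erased as a dependent.
check_protected() {
    removals=$(dependent_removals)
    status=0
    for pkg in "$@"; do
        if printf '%s\n' "$removals" | grep -qxF -- "$pkg"; then
            echo "BLOCK: $pkg would be removed as a dependent package" >&2
            status=1
        fi
    done
    return "$status"
}

# Demonstration on the constructed sample.
sample_summary | check_protected pcs || echo "stream switch not safe to confirm"
```

The guard only inspects the dependent-removal section, so routine old-kernel cleanup under "Removing:" does not trip it.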

Comment 3 William LEE 2023-06-30 09:29:44 UTC
Thanks, Vit.

But the customer is very concerned about CVE-2022-28739. It seems the pcs package has a "hard dependence" on ruby; I am seeing the same symptom if I try to switch to ruby.

Is it possible to avoid such a conflict if we install the ruby stream (in RHEL 8) before the pcs package installation? (In my previous experience, it seems ruby was installed as a dependency when we ran "yum install pcs" on a fresh system.)


--William

Comment 4 Vít Ondruch 2023-06-30 10:28:17 UTC
(In reply to William LEE from comment #3)
> Thanks, Vit.
> 
> But the customer is very concerned about CVE-2022-28739.

That is something we might be able to help to address. Please keep the discussion in the appropriate trackers.

> It seems the pcs package has a "hard dependence" on ruby; I am seeing the
> same symptom if I try to switch to ruby.

That is correct. pcs seems to have some binary extension which depends on Ruby 2.5.

 
> Is it possible to avoid such a conflict if we install the ruby stream (in
> RHEL 8) before the pcs package installation? (In my previous experience, it
> seems ruby was installed as a dependency when we ran "yum install pcs" on a
> fresh system.)

pcs and ruby:3.1 unfortunately can't be installed at the same time, unless you go with container or similar technology. You would need to ask the pcs maintainer to build pcs against ruby:3.1, but that would mean also modularizing pcs and I don't think they'll be open to this idea.