Bug 2222963

Summary: Impossible to remove md5 from allowed_content_checksums without breaking the satellite-installer execution
Product: Red Hat Satellite Reporter: Sayan Das <saydas>
Component: InstallerAssignee: satellite6-bugs <satellite6-bugs>
Status: NEW --- QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.13.1CC: ehelms, ggainey
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sayan Das 2023-07-14 15:53:26 UTC
Description of problem:

Satellite by default configures pulp to have these checksums allowed.

# grep CHECKSUM /etc/pulp/settings.py
ALLOWED_CONTENT_CHECKSUMS = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]

One must be able to opt md5 out of it as it's only used as a content_checksum for some older repos but doing so, breaks the satellite-installer completely. 


Version-Release number of selected component (if applicable):

Satellite 6.13.1 ( probably 6.12 as well )


How reproducible:

100%

Steps to Reproduce and Actual Results:

-----------
Scenario 1:
-----------

## Break ###

1. Notice the current values of installer options":

# satellite-installer -S satellite --full-help | grep checksum

    --foreman-proxy-content-pulpcore-allowed-content-checksums  List of checksums to use for pulpcore content operations (current: ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"])

    --reset-foreman-proxy-content-pulpcore-allowed-content-checksums Reset pulpcore_allowed_content_checksums to the default value (["sha1", "sha224", "sha256", "sha384", "sha512"])


2. Run "satellite-installer --reset-foreman-proxy-content-pulpcore-allowed-content-checksums" to get rid of md5 from the list.

3. Installer fails on :
~~
2023-07-14 09:32:44 [NOTICE] [configure] 1250 configuration steps out of 1590 steps complete.
2023-07-14 09:33:45 [ERROR ] [configure] 'pulpcore-manager reset-admin-password --random' returned 1 instead of one of [0]
2023-07-14 09:33:45 [ERROR ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]/returns: change from 'notrun' to ['0'] failed: 'pulpcore-manager reset-admin-password --random' returned 1 instead of one of [0]
2023-07-14 09:33:52 [ERROR ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]: Failed to call refresh: 'pulpcore-manager reset-admin-password --random' returned 1 instead of one of [0]
2023-07-14 09:33:52 [ERROR ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]: 'pulpcore-manager reset-admin-password --random' returned 1 instead of one of [0]

~~

4. Reason\Traceback:
~~
2023-07-14 09:33:45 [INFO  ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]/returns:     raise e
2023-07-14 09:33:45 [INFO  ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]/returns:   File "/usr/lib/python3.9/site-packages/pulpcore
/app/settings.py", line 428, in <module>
2023-07-14 09:33:45 [INFO  ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]/returns:     raise ImproperlyConfigured(
2023-07-14 09:33:45 [INFO  ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]/returns: django.core.exceptions.ImproperlyConfigured: Ther
e have been identified artifacts with forbidden checksum 'md5'. Run 'pulpcore-manager handle-artifact-checksums' first to unset forbidden checksums.

~~

## Rollback ## 

** Either use satellite-installer itself or edit /etc/foreman-installer/scenarios.d/satellite-answers.yaml file and add back "md5" in the list of "pulpcore_allowed_content_checksums" 

** Re-run satellite-installer if answer file was modified. 

** Result:

   * Installer successfully completes. 
   * We are back to the old value for ALLOWED_CONTENT_CHECKSUMS which includes md5



-----------
Scenario 2:
-----------

## Break ###

A) Repeat Step 1 2 and 3 from Scenario 1.

B) Run 

# PULP_SETTINGS=/etc/pulp/settings.py runuser -u pulp -- pulpcore-manager handle-artifact-checksums

C) Re-run satellite-installer and it will fail on the exact same step. 

D) Try to revert back i.e. include back md5 but still it fails on the same step. 
 
## Rollback ## 

** Once again run handle-artifact-checksums so that whatever was removed in the first run, would be recalculated and added back in the second run w.r.t md5 checksum of content artifacts

# PULP_SETTINGS=/etc/pulp/settings.py runuser -u pulp -- pulpcore-manager handle-artifact-checksums


** Re-run the installer and it will be successfully completed. 


Expected results:

* No such issues should happen
* Installer should allow removing md5 from the list of ALLOWED_CONTENT_CHECKSUMS 


Additional info:

The end-user is afraid that, on their FIPS-enabled Satellite 6.13,  since they cannot remove md5 from the ALLOWED_CONTENT_CHECKSUMS list, That is immediately marking the satellite non-compliant to FIPS-140-2 standards.