Bug 2222963
| Summary: | Impossible to remove md5 from allowed_content_checksums without breaking the satellite-installer execution | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Sayan Das <saydas> |
| Component: | Installer | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | NEW --- | QA Contact: | Satellite QE Team <sat-qe-bz-list> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.13.1 | CC: | ehelms, ggainey |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description of problem: Satellite by default configures pulp to have these checksums allowed. # grep CHECKSUM /etc/pulp/settings.py ALLOWED_CONTENT_CHECKSUMS = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"] One must be able to opt md5 out of it as it's only used as a content_checksum for some older repos but doing so, breaks the satellite-installer completely. Version-Release number of selected component (if applicable): Satellite 6.13.1 ( probably 6.12 as well ) How reproducible: 100% Steps to Reproduce and Actual Results: ----------- Scenario 1: ----------- ## Break ### 1. Notice the current values of installer options": # satellite-installer -S satellite --full-help | grep checksum --foreman-proxy-content-pulpcore-allowed-content-checksums List of checksums to use for pulpcore content operations (current: ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]) --reset-foreman-proxy-content-pulpcore-allowed-content-checksums Reset pulpcore_allowed_content_checksums to the default value (["sha1", "sha224", "sha256", "sha384", "sha512"]) 2. Run "satellite-installer --reset-foreman-proxy-content-pulpcore-allowed-content-checksums" to get rid of md5 from the list. 3. Installer fails on : ~~ 2023-07-14 09:32:44 [NOTICE] [configure] 1250 configuration steps out of 1590 steps complete. 2023-07-14 09:33:45 [ERROR ] [configure] 'pulpcore-manager reset-admin-password --random' returned 1 instead of one of [0] 2023-07-14 09:33:45 [ERROR ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]/returns: change from 'notrun' to ['0'] failed: 'pulpcore-manager reset-admin-password --random' returned 1 instead of one of [0] 2023-07-14 09:33:52 [ERROR ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]: Failed to call refresh: 'pulpcore-manager reset-admin-password --random' returned 1 instead of one of [0] 2023-07-14 09:33:52 [ERROR ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]: 'pulpcore-manager reset-admin-password --random' returned 1 instead of one of [0] ~~ 4. Reason\Traceback: ~~ 2023-07-14 09:33:45 [INFO ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]/returns: raise e 2023-07-14 09:33:45 [INFO ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]/returns: File "/usr/lib/python3.9/site-packages/pulpcore /app/settings.py", line 428, in <module> 2023-07-14 09:33:45 [INFO ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]/returns: raise ImproperlyConfigured( 2023-07-14 09:33:45 [INFO ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]/returns: django.core.exceptions.ImproperlyConfigured: Ther e have been identified artifacts with forbidden checksum 'md5'. Run 'pulpcore-manager handle-artifact-checksums' first to unset forbidden checksums. ~~ ## Rollback ## ** Either use satellite-installer itself or edit /etc/foreman-installer/scenarios.d/satellite-answers.yaml file and add back "md5" in the list of "pulpcore_allowed_content_checksums" ** Re-run satellite-installer if answer file was modified. ** Result: * Installer successfully completes. * We are back to the old value for ALLOWED_CONTENT_CHECKSUMS which includes md5 ----------- Scenario 2: ----------- ## Break ### A) Repeat Step 1 2 and 3 from Scenario 1. B) Run # PULP_SETTINGS=/etc/pulp/settings.py runuser -u pulp -- pulpcore-manager handle-artifact-checksums C) Re-run satellite-installer and it will fail on the exact same step. D) Try to revert back i.e. include back md5 but still it fails on the same step. ## Rollback ## ** Once again run handle-artifact-checksums so that whatever was removed in the first run, would be recalculated and added back in the second run w.r.t md5 checksum of content artifacts # PULP_SETTINGS=/etc/pulp/settings.py runuser -u pulp -- pulpcore-manager handle-artifact-checksums ** Re-run the installer and it will be successfully completed. Expected results: * No such issues should happen * Installer should allow removing md5 from the list of ALLOWED_CONTENT_CHECKSUMS Additional info: The end-user is afraid that, on their FIPS-enabled Satellite 6.13, since they cannot remove md5 from the ALLOWED_CONTENT_CHECKSUMS list, That is immediately marking the satellite non-compliant to FIPS-140-2 standards.