Description of problem:
I've provisioned a brand new rhel62 box using beaker and I register it to the production environment with qa account. I subscribe to a subscription that provides content for rhel-6,rhel-6-server. and then I install a package. The 69.pem product cert (version "6.2 Beta") that was originally installed during the provision is getting clobbered with the 69.pem product cert (version "6.1") from the subscribed repo.
Effectively the system's access to content does not change because both of the 69.pem product certs (clobberer and cloberee) contain the same tags "rhel-6,rhel-6-server" in OID 1.3.6.1.4.1.2312.9.1.69.4. While I can rationalize that the yum product_id plugin is doing the right thing, I can also argue that clobbering a newer installed product cert with an older product cert is a bad thing. Please re-evaluate what the product-id plugin should be doing in this case. I suspect that clobbering an older versioned product cert may be appropriate while clobbering a newer product cert is not. Certainly if the OID value for 1.3.6.1.4.1.2312.9.1.<product_hash>.4 is different, then clobbering can have adverse affects to access content.
Version-Release number of selected component (if applicable):
subscription-manager-0.96.13-1.el6.x86_64
How reproducible:
Steps to Reproduce:
Beginning with a beaker provisioned RHEL62 nightly build...
[jsefler@jseflerT5400 ~]$ ssh -XYC root.eng.bos.redhat.com
The authenticity of host 'dell-pem905-01.rhts.eng.bos.redhat.com (10.16.66.75)' can't be established.
RSA key fingerprint is 64:92:cd:9b:a1:af:50:3a:16:be:45:7e:d7:fa:57:79.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dell-pem905-01.rhts.eng.bos.redhat.com,10.16.66.75' (RSA) to the list of known hosts.
root.eng.bos.redhat.com's password:
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
This System is reserved by jsefler.
To return this system early. You can run the command: return2beaker.sh
Ensure you have your logs off the system before returning to Beaker
To extend your reservation time. You can run the command:
extendtesttime.sh
This is an interactive script. You will be prompted for how many
hours you would like to extend the reservation.
Please use this command responsibly, Everyone uses these machines.
You should verify the watchdog was updated succesfully after
you extend your reservation.
https://beaker.engineering.redhat.com/recipes/289035
For ssh, kvm, serial and power control operations please look here:
https://beaker.engineering.redhat.com/view/dell-pem905-01.rhts.eng.bos.redhat.com
Beaker Test information:
HOSTNAME=dell-pem905-01.rhts.eng.bos.redhat.com
JOBID=139493
RECIPEID=289035
RESULT_SERVER=127.0.0.1:7094
DISTRO=RHEL6.2-20111005.n.0
ARCHITECTURE=x86_64
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
[root@dell-pem905-01 ~]# rpm -q subscription-manager
subscription-manager-0.96.13-1.el6.x86_64
[root@dell-pem905-01 ~]# subscription-manager list --installed
+-------------------------------------------+
Installed Product Status
+-------------------------------------------+
ProductName: Red Hat Enterprise Linux Server
Version: 6.2 Beta
Arch: x86_64
Status: Not Subscribed
Starts:
Expires:
[root@dell-pem905-01 ~]# cp /etc/pki/product/69.pem /tmp
^^^ NOTICE THAT 69.pem IS INSTALLED FOR VERSION 6.2 Beta AS EXPECTED. I COPIED IT TO /tmp FOR SAFE KEEPING AND LATER COMPARISON
[root@dell-pem905-01 ~]# subscription-manager register --username qa
Password:
The system has been registered with id: 8de4323d-cebd-4593-8edf-52adf2c41eb0
[root@dell-pem905-01 ~]# subscription-manager list --avail
+-------------------------------------------+
Available Subscriptions
+-------------------------------------------+
ProductName: Red Hat Employee Subscription
ProductId: SYS0395
PoolId: 8a85f9812ede00af012edf01c89f5cf9
Quantity: 9965
Multi-Entitlement: No
Expires: 10/07/2011
MachineType: physical
ProductName: Red Hat Employee Subscription
ProductId: SYS0395
PoolId: 8a85f98132d071210132d24bf5d21352
Quantity: 25
Multi-Entitlement: No
Expires: 01/01/2022
MachineType: physical
ProductName: Red Hat Enterprise Linux Server for HPC Compute Node,
Self-support (8 sockets) (Up to 1 guest)
ProductId: RH0604852
PoolId: 8a85f98332b5d10c0132ca0b53942101
Quantity: 99
Multi-Entitlement: No
Expires: 01/01/2012
MachineType: physical
[root@dell-pem905-01 ~]# subscription-manager subscribe --pool 8a85f9812ede00af012edf01c89f5cf9
Successfully subscribed the system to Pool 8a85f9812ede00af012edf01c89f5cf9
[root@dell-pem905-01 ~]# yum repolist
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
rhel-6-server-rpms | 2.4 kB 00:00
rhel-ha-for-rhel-6-server-rpms | 2.4 kB 00:00
rhel-lb-for-rhel-6-server-rpms | 2.0 kB 00:00
rhel-rs-for-rhel-6-server-rpms | 2.4 kB 00:00
rhel-scalefs-for-rhel-6-server-rpms | 2.0 kB 00:00
repo id repo name status
beaker-HighAvailability beaker-HighAvailability 50
beaker-LoadBalancer beaker-LoadBalancer 2
beaker-ResilientStorage beaker-ResilientStorage 56
beaker-ScalableFileSystem beaker-ScalableFileSystem 7
beaker-Server beaker-Server 3,524
beaker-debug beaker-debug 1,651
beaker-harness beaker-harness 35
beaker-optional-x86_64-debug beaker-optional-x86_64-debug 1,185
beaker-optional-x86_64-os beaker-optional-x86_64-os 2,638
beaker-tasks beaker-tasks 11,722
rhel-6-server-rpms Red Hat Enterprise Linux 6 Server (RP 5,400
rhel-ha-for-rhel-6-server-rpms Red Hat Enterprise Linux High Availab 100
rhel-lb-for-rhel-6-server-rpms Red Hat Enterprise Linux Load Balance 2
rhel-rs-for-rhel-6-server-rpms Red Hat Enterprise Linux Resilient St 115
rhel-scalefs-for-rhel-6-server-rpms Red Hat Enterprise Linux Scalable Fil 7
repolist: 26,494
[root@dell-pem905-01 ~]# subscription-manager list --installed
+-------------------------------------------+
Installed Product Status
+-------------------------------------------+
ProductName: Red Hat Enterprise Linux Server
Version: 6.2 Beta
Arch: x86_64
Status: Subscribed
Starts: 10/08/2010
Expires: 10/07/2011
^^^ WE STILL HAVE THE ORIGINAL 69.pem PRODUCT CERT INSTALLED
[root@dell-pem905-01 ~]# yum install --disablerepo=beaker* zsh
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
rhel-6-server-rpms | 2.4 kB 00:00
rhel-ha-for-rhel-6-server-rpms | 2.4 kB 00:00
rhel-lb-for-rhel-6-server-rpms | 2.0 kB 00:00
rhel-rs-for-rhel-6-server-rpms | 2.4 kB 00:00
rhel-scalefs-for-rhel-6-server-rpms | 2.0 kB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package zsh.x86_64 0:4.3.10-4.1.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
zsh x86_64 4.3.10-4.1.el6 rhel-6-server-rpms 2.1 M
Transaction Summary
================================================================================
Install 1 Package(s)
Total download size: 2.1 M
Installed size: 2.1 M
Is this ok [y/N]: y
Downloading Packages:
zsh-4.3.10-4.1.el6.x86_64.rpm | 2.1 MB 00:00
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0xFD431D51:
Userid : Red Hat, Inc. (release key 2) <security>
Package: redhat-release-server-6Server-6.2.0.2.el6.x86_64 (@anaconda-RedHatEnterpriseLinux-201110050206.x86_64/6.2)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Importing GPG key 0x2FA658E0:
Userid : Red Hat, Inc. (auxiliary key) <security>
Package: redhat-release-server-6Server-6.2.0.2.el6.x86_64 (@anaconda-RedHatEnterpriseLinux-201110050206.x86_64/6.2)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : zsh-4.3.10-4.1.el6.x86_64 1/1
rhel-6-server-rpms/productid | 1.7 kB 00:00
rhel-ha-for-rhel-6-server-rpms/productid | 1.7 kB 00:00
rhel-lb-for-rhel-6-server-rpms/productid | 1.7 kB 00:00
rhel-rs-for-rhel-6-server-rpms/productid | 1.7 kB 00:00
rhel-scalefs-for-rhel-6-server-rpms/productid | 1.7 kB 00:00
Installed products updated.
Installed:
zsh.x86_64 0:4.3.10-4.1.el6
Complete!
[root@dell-pem905-01 ~]# subscription-manager list --installed
+-------------------------------------------+
Installed Product Status
+-------------------------------------------+
ProductName: Red Hat Enterprise Linux 6 Server
Version: 6.1
Arch: x86_64
Status: Subscribed
Starts: 10/08/2010
Expires: 10/07/2011
^^^ BANG! WE NOW HAVE A DIFFERENT 69.pem PRODUCT CERT INSTALLED
[root@dell-pem905-01 ~]# diff /etc/pki/product/69.pem /tmp/69.pem | wc -l
44
^^ YUP - THESE 69.pem PRODUCT CERTS ARE DEFINITELY DIFFERENT
[root@dell-pem905-01 ~]# openssl x509 -text -in /etc/pki/product/69.pem | grep Validity -A2
Validity
Not Before: Apr 27 19:37:13 2011 GMT
Not After : Apr 22 19:37:13 2031 GMT
[root@dell-pem905-01 ~]# openssl x509 -text -in /tmp/69.pem | grep Validity -A2 Validity
Not Before: Jul 28 13:59:26 2011 GMT
Not After : Jul 23 13:59:26 2031 GMT
[root@dell-pem905-01 ~]#
^^^ THE ORIGINAL 69.pem PRODUCT CERT LAID DOWN DURING THE PROVISIONING OF THE SYSTEM IS NEWER
From my quick check, the intention of the code seems to be to keep whichever version of the cert is already on the system, which is not happening here at all. This definitely needs work (and probably should take the newest version).
Comment 16RHEL Program Management
2012-07-10 08:49:01 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 17RHEL Program Management
2012-07-11 02:08:01 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 18RHEL Program Management
2012-12-14 08:48:26 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Description of problem: I've provisioned a brand new rhel62 box using beaker and I register it to the production environment with qa account. I subscribe to a subscription that provides content for rhel-6,rhel-6-server. and then I install a package. The 69.pem product cert (version "6.2 Beta") that was originally installed during the provision is getting clobbered with the 69.pem product cert (version "6.1") from the subscribed repo. Effectively the system's access to content does not change because both of the 69.pem product certs (clobberer and cloberee) contain the same tags "rhel-6,rhel-6-server" in OID 1.3.6.1.4.1.2312.9.1.69.4. While I can rationalize that the yum product_id plugin is doing the right thing, I can also argue that clobbering a newer installed product cert with an older product cert is a bad thing. Please re-evaluate what the product-id plugin should be doing in this case. I suspect that clobbering an older versioned product cert may be appropriate while clobbering a newer product cert is not. Certainly if the OID value for 1.3.6.1.4.1.2312.9.1.<product_hash>.4 is different, then clobbering can have adverse affects to access content. Version-Release number of selected component (if applicable): subscription-manager-0.96.13-1.el6.x86_64 How reproducible: Steps to Reproduce: Beginning with a beaker provisioned RHEL62 nightly build... [jsefler@jseflerT5400 ~]$ ssh -XYC root.eng.bos.redhat.com The authenticity of host 'dell-pem905-01.rhts.eng.bos.redhat.com (10.16.66.75)' can't be established. RSA key fingerprint is 64:92:cd:9b:a1:af:50:3a:16:be:45:7e:d7:fa:57:79. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'dell-pem905-01.rhts.eng.bos.redhat.com,10.16.66.75' (RSA) to the list of known hosts. root.eng.bos.redhat.com's password: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** This System is reserved by jsefler. To return this system early. You can run the command: return2beaker.sh Ensure you have your logs off the system before returning to Beaker To extend your reservation time. You can run the command: extendtesttime.sh This is an interactive script. You will be prompted for how many hours you would like to extend the reservation. Please use this command responsibly, Everyone uses these machines. You should verify the watchdog was updated succesfully after you extend your reservation. https://beaker.engineering.redhat.com/recipes/289035 For ssh, kvm, serial and power control operations please look here: https://beaker.engineering.redhat.com/view/dell-pem905-01.rhts.eng.bos.redhat.com Beaker Test information: HOSTNAME=dell-pem905-01.rhts.eng.bos.redhat.com JOBID=139493 RECIPEID=289035 RESULT_SERVER=127.0.0.1:7094 DISTRO=RHEL6.2-20111005.n.0 ARCHITECTURE=x86_64 ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** [root@dell-pem905-01 ~]# rpm -q subscription-manager subscription-manager-0.96.13-1.el6.x86_64 [root@dell-pem905-01 ~]# subscription-manager list --installed +-------------------------------------------+ Installed Product Status +-------------------------------------------+ ProductName: Red Hat Enterprise Linux Server Version: 6.2 Beta Arch: x86_64 Status: Not Subscribed Starts: Expires: [root@dell-pem905-01 ~]# cp /etc/pki/product/69.pem /tmp ^^^ NOTICE THAT 69.pem IS INSTALLED FOR VERSION 6.2 Beta AS EXPECTED. I COPIED IT TO /tmp FOR SAFE KEEPING AND LATER COMPARISON [root@dell-pem905-01 ~]# subscription-manager register --username qa Password: The system has been registered with id: 8de4323d-cebd-4593-8edf-52adf2c41eb0 [root@dell-pem905-01 ~]# subscription-manager list --avail +-------------------------------------------+ Available Subscriptions +-------------------------------------------+ ProductName: Red Hat Employee Subscription ProductId: SYS0395 PoolId: 8a85f9812ede00af012edf01c89f5cf9 Quantity: 9965 Multi-Entitlement: No Expires: 10/07/2011 MachineType: physical ProductName: Red Hat Employee Subscription ProductId: SYS0395 PoolId: 8a85f98132d071210132d24bf5d21352 Quantity: 25 Multi-Entitlement: No Expires: 01/01/2022 MachineType: physical ProductName: Red Hat Enterprise Linux Server for HPC Compute Node, Self-support (8 sockets) (Up to 1 guest) ProductId: RH0604852 PoolId: 8a85f98332b5d10c0132ca0b53942101 Quantity: 99 Multi-Entitlement: No Expires: 01/01/2012 MachineType: physical [root@dell-pem905-01 ~]# subscription-manager subscribe --pool 8a85f9812ede00af012edf01c89f5cf9 Successfully subscribed the system to Pool 8a85f9812ede00af012edf01c89f5cf9 [root@dell-pem905-01 ~]# yum repolist Loaded plugins: product-id, security, subscription-manager Updating certificate-based repositories. rhel-6-server-rpms | 2.4 kB 00:00 rhel-ha-for-rhel-6-server-rpms | 2.4 kB 00:00 rhel-lb-for-rhel-6-server-rpms | 2.0 kB 00:00 rhel-rs-for-rhel-6-server-rpms | 2.4 kB 00:00 rhel-scalefs-for-rhel-6-server-rpms | 2.0 kB 00:00 repo id repo name status beaker-HighAvailability beaker-HighAvailability 50 beaker-LoadBalancer beaker-LoadBalancer 2 beaker-ResilientStorage beaker-ResilientStorage 56 beaker-ScalableFileSystem beaker-ScalableFileSystem 7 beaker-Server beaker-Server 3,524 beaker-debug beaker-debug 1,651 beaker-harness beaker-harness 35 beaker-optional-x86_64-debug beaker-optional-x86_64-debug 1,185 beaker-optional-x86_64-os beaker-optional-x86_64-os 2,638 beaker-tasks beaker-tasks 11,722 rhel-6-server-rpms Red Hat Enterprise Linux 6 Server (RP 5,400 rhel-ha-for-rhel-6-server-rpms Red Hat Enterprise Linux High Availab 100 rhel-lb-for-rhel-6-server-rpms Red Hat Enterprise Linux Load Balance 2 rhel-rs-for-rhel-6-server-rpms Red Hat Enterprise Linux Resilient St 115 rhel-scalefs-for-rhel-6-server-rpms Red Hat Enterprise Linux Scalable Fil 7 repolist: 26,494 [root@dell-pem905-01 ~]# subscription-manager list --installed +-------------------------------------------+ Installed Product Status +-------------------------------------------+ ProductName: Red Hat Enterprise Linux Server Version: 6.2 Beta Arch: x86_64 Status: Subscribed Starts: 10/08/2010 Expires: 10/07/2011 ^^^ WE STILL HAVE THE ORIGINAL 69.pem PRODUCT CERT INSTALLED [root@dell-pem905-01 ~]# yum install --disablerepo=beaker* zsh Loaded plugins: product-id, security, subscription-manager Updating certificate-based repositories. rhel-6-server-rpms | 2.4 kB 00:00 rhel-ha-for-rhel-6-server-rpms | 2.4 kB 00:00 rhel-lb-for-rhel-6-server-rpms | 2.0 kB 00:00 rhel-rs-for-rhel-6-server-rpms | 2.4 kB 00:00 rhel-scalefs-for-rhel-6-server-rpms | 2.0 kB 00:00 Setting up Install Process Resolving Dependencies --> Running transaction check ---> Package zsh.x86_64 0:4.3.10-4.1.el6 will be installed --> Finished Dependency Resolution Dependencies Resolved ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: zsh x86_64 4.3.10-4.1.el6 rhel-6-server-rpms 2.1 M Transaction Summary ================================================================================ Install 1 Package(s) Total download size: 2.1 M Installed size: 2.1 M Is this ok [y/N]: y Downloading Packages: zsh-4.3.10-4.1.el6.x86_64.rpm | 2.1 MB 00:00 warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release Importing GPG key 0xFD431D51: Userid : Red Hat, Inc. (release key 2) <security> Package: redhat-release-server-6Server-6.2.0.2.el6.x86_64 (@anaconda-RedHatEnterpriseLinux-201110050206.x86_64/6.2) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release Is this ok [y/N]: y Importing GPG key 0x2FA658E0: Userid : Red Hat, Inc. (auxiliary key) <security> Package: redhat-release-server-6Server-6.2.0.2.el6.x86_64 (@anaconda-RedHatEnterpriseLinux-201110050206.x86_64/6.2) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release Is this ok [y/N]: y Running rpm_check_debug Running Transaction Test Transaction Test Succeeded Running Transaction Installing : zsh-4.3.10-4.1.el6.x86_64 1/1 rhel-6-server-rpms/productid | 1.7 kB 00:00 rhel-ha-for-rhel-6-server-rpms/productid | 1.7 kB 00:00 rhel-lb-for-rhel-6-server-rpms/productid | 1.7 kB 00:00 rhel-rs-for-rhel-6-server-rpms/productid | 1.7 kB 00:00 rhel-scalefs-for-rhel-6-server-rpms/productid | 1.7 kB 00:00 Installed products updated. Installed: zsh.x86_64 0:4.3.10-4.1.el6 Complete! [root@dell-pem905-01 ~]# subscription-manager list --installed +-------------------------------------------+ Installed Product Status +-------------------------------------------+ ProductName: Red Hat Enterprise Linux 6 Server Version: 6.1 Arch: x86_64 Status: Subscribed Starts: 10/08/2010 Expires: 10/07/2011 ^^^ BANG! WE NOW HAVE A DIFFERENT 69.pem PRODUCT CERT INSTALLED [root@dell-pem905-01 ~]# diff /etc/pki/product/69.pem /tmp/69.pem | wc -l 44 ^^ YUP - THESE 69.pem PRODUCT CERTS ARE DEFINITELY DIFFERENT [root@dell-pem905-01 ~]# openssl x509 -text -in /etc/pki/product/69.pem | grep Validity -A2 Validity Not Before: Apr 27 19:37:13 2011 GMT Not After : Apr 22 19:37:13 2031 GMT [root@dell-pem905-01 ~]# openssl x509 -text -in /tmp/69.pem | grep Validity -A2 Validity Not Before: Jul 28 13:59:26 2011 GMT Not After : Jul 23 13:59:26 2031 GMT [root@dell-pem905-01 ~]# ^^^ THE ORIGINAL 69.pem PRODUCT CERT LAID DOWN DURING THE PROVISIONING OF THE SYSTEM IS NEWER