Bug 791257

Summary: Katello Agent needs to expose ability to override importkeys
Product: Red Hat Satellite Reporter: Og Maciel <omaciel>
Component: Content ManagementAssignee: Jeff Ortel <jortel>
Status: CLOSED WONTFIX QA Contact: Og Maciel <omaciel>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.0.1CC: bkearney, hhovsepy, jason.dobies, jturner, mmccune, snansi
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Suggested release_note posted to comment#1
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-18 17:39:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 791265    

Description Og Maciel 2012-02-16 15:46:47 UTC 
Description of problem:

To install packages to a subscribed system via the web ui, it is necessary to install and configure the katello-agent as per the following instructions:

* https://fedorahosted.org/katello/wiki/GuideSystemKatelloAgent
* https://fedorahosted.org/katello/wiki/KatelloAgent

After performing the steps above, I attempted to install several different packages via the web ui, but they all failed to install with errors related to gpg key import:

2012-02-16 09:27:39,442 11655:140629566809856: pulp.server.tasking.task:ERROR: task:474 Task failed: Task 5db85914-58aa-11e1-9f1b-5254001dfa20: ConsumerApi.__installpackages(aacb86b2-1b47-47c7-bd1f-1efe1d0b9fae, ['httpd'], )
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/pulp/server/tasking/task.py", line 420, in run
    result = self.callable(*self.args, **self.kwargs)
  File "/usr/lib/python2.6/site-packages/pulp/server/api/consumer.py", line 448, in __installpackages
    return packages.install(names, reboot)
  File "/usr/lib/python2.6/site-packages/gofer/rmi/stub.py", line 72, in __call__
    return self.stub._send(request, opts)
  File "/usr/lib/python2.6/site-packages/gofer/rmi/stub.py", line 133, in _send
    return self.__send(request, options)
  File "/usr/lib/python2.6/site-packages/gofer/rmi/stub.py", line 164, in __send
    any=opts.any)
  File "/usr/lib/python2.6/site-packages/gofer/rmi/policy.py", line 144, in send
    return self.__getreply(sn, reader)
  File "/usr/lib/python2.6/site-packages/gofer/rmi/policy.py", line 181, in __getreply
    return self.__onreply(envelope)
  File "/usr/lib/python2.6/site-packages/gofer/rmi/policy.py", line 197, in __onreply
    raise RemoteException.instance(reply)
YumBaseError: Didn't install any keys

I checked that the gpg keys were in the client/consumer:

ls -l /etc/pki/rpm-gpg
total 20
-rw-r--r--. 1 root root 3375 Nov  8 10:38 RPM-GPG-KEY-redhat-beta
-rw-r--r--. 1 root root 1990 Nov  8 10:38 RPM-GPG-KEY-redhat-legacy-former
-rw-r--r--. 1 root root 1164 Nov  8 10:38 RPM-GPG-KEY-redhat-legacy-release
-rw-r--r--. 1 root root  885 Nov  8 10:38 RPM-GPG-KEY-redhat-legacy-rhx
-rw-r--r--. 1 root root 3211 Nov  8 10:38 RPM-GPG-KEY-redhat-release

I find this to be strange since one of the packages I tried to install was httpd, which is provided by a repository that is part of my subscription. Trying to install httpd with yum in the client/consumer gave me:

Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0xFD431D51:
 Userid : Red Hat, Inc. (release key 2) <security>
 Package: redhat-release-server-6Server-6.2.0.3.el6.x86_64 (@anaconda-RedHatEnterpriseLinux-201111171049.x86_64/6.2)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]:

<jortel> OgMaciel:  hm.. so the key is there but not installed in the rpm sense

jortel proposes that we add a *permit_import* parameter to /etc/gofer/plugins/katelloplugin.conf as a fix for this.

Version-Release number of selected component (if applicable):

Verified on:
* candlepin-0.5.18-1.el6.noarch
* candlepin-tomcat6-0.5.18-1.el6.noarch
* katello-0.1.235-2.el6.noarch
* katello-all-0.1.235-2.el6.noarch
* katello-certs-tools-1.0.2-2.el6.noarch
* katello-cli-0.1.54-3.el6.noarch
* katello-cli-common-0.1.54-3.el6.noarch
* katello-common-0.1.235-2.el6.noarch
* katello-configure-0.1.64-3.el6.noarch
* katello-glue-candlepin-0.1.235-2.el6.noarch
* katello-glue-foreman-0.1.235-2.el6.noarch
* katello-glue-pulp-0.1.235-2.el6.noarch
* katello-httpd-ssl-key-pair-1.0-1.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-repos-0.1.5-1.el6.noarch
* katello-selinux-0.1.3-1.el6.noarch
* katello-trusted-ssl-cert-1.0-1.noarch
* pulp-0.0.265-1.el6.noarch
* pulp-common-0.0.265-1.el6.noarch
* pulp-selinux-server-0.0.265-1.el6.noarch

How reproducible:


Steps to Reproduce:
1. Subscribe a vanilla RHEL 6.2 client to a product that exposes RHEL 6.2 and 6Server repositories
2. Install and configure the katello-agent against your SE
3. Select your system and try to install the httpd package to it.
  
Actual results:

2012-02-16 09:27:39,390 [ERROR][worker-0] __call__() @ dispatcher.py:488 - Didn't install any keys
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/gofer/rmi/dispatcher.py", line 485, in __call__
    retval = method(*args, **keywords)
  File "/usr/lib64/gofer/plugins/katelloplugin.py", line 139, in install
    installed = p.install(names)
  File "/usr/lib64/gofer/plugins/package.py", line 180, in install
    yb.processTransaction()
  File "/usr/lib/python2.6/site-packages/yum/__init__.py", line 4877, in processTransaction
    self._checkSignatures(pkgs,callback)
  File "/usr/lib/python2.6/site-packages/yum/__init__.py", line 4920, in _checkSignatures
    self.getKeyForPackage(po, self._askForGPGKeyImport)
  File "/usr/lib/python2.6/site-packages/yum/__init__.py", line 4652, in getKeyForPackage
    raise Errors.YumBaseError, _("Didn't install any keys")
YumBaseError: Didn't install any keys

Expected results:


Additional info:
Comment 1 James Laska 2012-03-27 21:59:22 UTC 
Adding requires_release_note flag to document this known issue for CloudForms 1.0.0.  

Impact: Remotely installing GPG signed RHEL content using the System Engine Web-UI may fail if the GPG package signature has not been imported on the system.  

Details: Typically, when installing gpg signed packages, yum will prompt to install the associated gpgkey (typically /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release).  When attempting to install signed gpg packages remotely from System Engine (using katello-agent), the package install will fail since it cannot yet import gpg package key.s

Workaround: The suggested workaround is to manually import GPG-KEY's for signed packages prior to scheduling remote package installations/updates.  You can manually import a GPG package signature using the following command:

# To install the 'redhat-release' gpgkey ...
$ rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

To automate this operation, you may consider importing the necessary RPM gpg-keys during application deployment from CloudForms Cloud Engine.
Comment 2 James Laska 2012-03-27 21:59:22 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Suggested release_note posted to comment#1
Comment 3 Shikha 2012-05-09 01:46:04 UTC 
Release Note added. Link:
http://documentation-stage.bne.redhat.com/docs/en-US/CloudForms/1.0/html-single/Release_Notes/index.html#sect-Release_Notes-System_Engine-System_Engine_Considerations-known_issues_07

Regards, 
Shikha
Comment 4 Jeff Ortel 2012-08-28 14:27:52 UTC 
Passing importkeys to the agent is fully supported in pulp v2.  Any chance we can just default importkeys=True in the agent for 1.1 instead of adding to the Pulp REST API / Manager layers and passing it through to the agent?
Comment 5 Mike McCune 2012-08-28 22:16:39 UTC 
I'm going to punt this to v.next when we start using Pulp V2.  No sense doing extra work when we get it for free with the upcoming version.
Comment 6 Mike McCune 2012-08-29 15:23:26 UTC 
*** Bug 852333 has been marked as a duplicate of this bug. ***
Comment 7 Mike McCune 2013-08-16 18:20:49 UTC 
getting rid of 6.0.0 version since that doesn't exist
Comment 8 Mike McCune 2014-03-18 17:39:12 UTC 
This bug was closed because of a lack of activity.  If you feel this bug should be reconsidered for attention please feel free to re-open the bug with a comment stating why it should be reconsidered.