Bug 824581
Summary: | GPG Key added to product/repo not added to existing instances which are subscribed to that product/repo | |||
---|---|---|---|---|
Product: | Red Hat Satellite | Reporter: | james labocki <jlabocki> | |
Component: | Content Management | Assignee: | Dmitri Dolguikh <dmitri> | |
Status: | CLOSED ERRATA | QA Contact: | Og Maciel <omaciel> | |
Severity: | high | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 6.0.1 | CC: | asettle, bkearney, cpelland, dmacpher, ftaylor, gkhachik, jlaska, jsherril, mmccune, omaciel, snansi | |
Target Milestone: | Unspecified | Keywords: | Triaged | |
Target Release: | Unused | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: | Adding a GPG key to a product repository after creation did not properly set the "gpgcheck" configuration option in the client's repo file. This fix updates the content and configuration files after adding a GPG key, which sets the "gpgcheck" configuration option. |
Story Points: | --- | |
Clone Of: | ||||
: | 827943 | Environment: | |
Last Closed: | 2012-12-04 19:46:08 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 827554, 827943 |
Description
james labocki
2012-05-23 19:05:43 UTC
I have experienced the same issue. Running `subscription-manager refresh` does not remedy the issue either.

this bug is indeed fixed by 814118: this repo config on my client was setup before with NO gpg key:

```
[ACME_Corporation_gpg-testproduct_test-no-gpg]
name = test-no-gpg
baseurl = https://sat-perf-04.idm.lab.bos.redhat.com/pulp/repos/ACME_Corporation/DEV/custom/gpg-testproduct/test-no-gpg
enabled = 1
gpgcheck = 1
```

I then added a GPG key to that repo and promoted it. Ran 'subscription-manager refresh && yum repolist' on the client and it showed:

```
[ACME_Corporation_gpg-testproduct_test-no-gpg]
name = test-no-gpg
baseurl = https://sat-perf-04.idm.lab.bos.redhat.com/pulp/repos/ACME_Corporation/DEV/custom/gpg-testproduct/test-no-gpg
enabled = 1
gpgcheck = 1
gpgkey = https://sat-perf-04.idm.lab.bos.redhat.com/katello/api/repositories/10/gpg_key_content
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/8739679596628872417-key.pem
sslclientcert = /etc/pki/entitlement/8739679596628872417.pem
```

since the 2 bugs are different behavior I think we should test both scenarios

Scenario #1: Started with a GPG key:

```
[AlphabetSoup_Zoo_Countries]
name = Countries
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/AlphabetSoup/Cook//custom/Zoo/Countries
enabled = 1
gpgcheck = 1
gpgkey = https://qetello02.usersys.redhat.com/cfse/api/repositories/11/gpg_key_content
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/4404120300149630446-key.pem
sslclientcert = /etc/pki/entitlement/4404120300149630446.pem

[AlphabetSoup_Zoo_Animals]
name = Animals
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/AlphabetSoup/Cook//custom/Zoo/Animals
enabled = 1
gpgcheck = 1
gpgkey = https://qetello02.usersys.redhat.com/cfse/api/repositories/10/gpg_key_content
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/4404120300149630446-key.pem
sslclientcert = /etc/pki/entitlement/4404120300149630446.pem
```

Scenario #2: Started without a GPG key:

Registered and subscribed system:

```
[Starbucks_Sumatra_Decaf]
name = Decaf
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Sumatra/Decaf
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/8070411902983536767-key.pem
sslclientcert = /etc/pki/entitlement/8070411902983536767.pem

[Starbucks_Ethiopia_Decaf]
name = Decaf
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Ethiopia/Decaf
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/2672051796109379031-key.pem
sslclientcert = /etc/pki/entitlement/2672051796109379031.pem

[Starbucks_Komodo_Gold_Coast]
name = Gold Coast
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Gold_Coast
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/1244508361121645977-key.pem
sslclientcert = /etc/pki/entitlement/1244508361121645977.pem

[Starbucks_Komodo_Fair_Trade]
name = Fair Trade
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Fair_Trade
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/1244508361121645977-key.pem
sslclientcert = /etc/pki/entitlement/1244508361121645977.pem
```

I then imported a GPG key and associated it with a product (fwiw provider has 3 different products and only one was selected for association with GPG key via web ui).

```
[root@qeclient20 ~]# service rhsmcertd restart
Stopping rhsmcertd                                         [  OK  ]
Starting rhsmcertd 240 1440                                [  OK  ]
[root@qeclient20 ~]# yum clean all
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
Please use yum-config-manager to configure which software repositories are used with Red Hat Subscription Management.
Cleaning repos: Starbucks_Ethiopia_Decaf Starbucks_Komodo_Fair_Trade Starbucks_Komodo_Gold_Coast
              : Starbucks_Sumatra_Decaf
Cleaning up Everything
[root@qeclient20 ~]# yum repolist
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
Please use yum-config-manager to configure which software repositories are used with Red Hat Subscription Management.
Starbucks_Ethiopia_Decaf                | 3.7 kB 00:00
Starbucks_Ethiopia_Decaf/primary_db     | 6.4 kB 00:00
Starbucks_Komodo_Fair_Trade             | 2.3 kB 00:00
Starbucks_Komodo_Fair_Trade/primary_db  | 3.6 kB 00:00
Starbucks_Komodo_Gold_Coast             | 2.3 kB 00:00
Starbucks_Komodo_Gold_Coast/primary_db  | 3.8 kB 00:00
Starbucks_Sumatra_Decaf                 | 3.4 kB 00:00
Starbucks_Sumatra_Decaf/primary_db      | 5.4 kB 00:00
repo id                        repo name     status
Starbucks_Ethiopia_Decaf       Decaf         32
Starbucks_Komodo_Fair_Trade    Fair Trade    3
Starbucks_Komodo_Gold_Coast    Gold Coast    3
Starbucks_Sumatra_Decaf        Decaf         10
repolist: 48
[root@qeclient20 ~]# cat /etc/yum.repos.d/redhat.repo
#
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
#
# If this file is empty and this system is subscribed consider
# a "yum repolist" to refresh available repos
#
[Starbucks_Sumatra_Decaf]
name = Decaf
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Sumatra/Decaf
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/8070411902983536767-key.pem
sslclientcert = /etc/pki/entitlement/8070411902983536767.pem

[Starbucks_Ethiopia_Decaf]
name = Decaf
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Ethiopia/Decaf
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/2672051796109379031-key.pem
sslclientcert = /etc/pki/entitlement/2672051796109379031.pem

[Starbucks_Komodo_Gold_Coast]
name = Gold Coast
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Gold_Coast
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/1244508361121645977-key.pem
sslclientcert = /etc/pki/entitlement/1244508361121645977.pem

[Starbucks_Komodo_Fair_Trade]
name = Fair Trade
baseurl = https://qetello02.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Fair_Trade
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/1244508361121645977-key.pem
sslclientcert = /etc/pki/entitlement/1244508361121645977.pem
```

I was able to reproduce this bug with the help of Justin. I tried a few different things with Candlepin but nothing seemed to add the gpg key to the client. I checked katello and it's properly storing the key and the gpgUrl in candlepin is there and it is accessible.

I fixed the bug where gpg key was not getting set. I've opened the pull request that should send the gpg key to the repos on the system:

https://github.com/Katello/katello/pull/729

SHA: fb5744d123ac6e32f86192ce29fdcb6b50f5e209

However, even though the gpg key is getting set properly now, gpgcheck still is set to 0 instead of 1. I've asked the candlepin guys to look into this.

The gpgcheck bug is here: https://bugzilla.redhat.com/show_bug.cgi?id=859434

what is really strange is I reproduced the issue above where the gpgcheck value was stuck at 0... I walked away from my desk and came back to the issue a few hours later and the gpgcheck was updated to 1:

before:

```
[ACME_Corporation_Random_random-noarch]
name = random-noarch
baseurl = https://dhcp77-129.rhndev.redhat.com/pulp/repos/ACME_Corporation/dev//custom/Random/random-noarch
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/6687192850652944804-key.pem
sslclientcert = /etc/pki/entitlement/6687192850652944804.pem
```

after:

```
[ACME_Corporation_Random_random-noarch]
name = random-noarch
baseurl = https://dhcp77-129.rhndev.redhat.com/pulp/repos/ACME_Corporation/dev//custom/Random/random-noarch
enabled = 1
gpgcheck = 1
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/6687192850652944804-key.pem
sslclientcert = /etc/pki/entitlement/6687192850652944804.pem
```

I'm not sure yet what timing issue we are having .. will do a bit more digging

Whoa. Let me know what you find or let me know if I should take a look at it tomorrow.

Sorry the katello commit SHA is actually a609539ac3b4f9f72c155f15b7521ad4bfd1f429 and not fb5744d123ac6e32f86192ce29fdcb6b50f5e209.

Moving back to assigned as bug fix was reverted. I'll get with Justin and find out how to fix this problem without affecting the creation of repos.

Assigning to Dmitri as I believe he was working on a fix in Candlepin. Dmitri, let me know if I need to do anything in Katello. Thanks.

fixed in 352d4dd6eb120ccd238658d7f8593163d77a8af2 in katello master.

Before adding a GPG key:

```
[root@qeclient01 ~]# cat /etc/yum.repos.d/redhat.repo
#
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
#
# If this file is empty and this system is subscribed consider
# a "yum repolist" to refresh available repos
#
[Starbucks_Ethiopia_Decaf]
name = Decaf
baseurl = https://qetello04.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Ethiopia/Decaf
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/3030170799466065509-key.pem
sslclientcert = /etc/pki/entitlement/3030170799466065509.pem

[Starbucks_Komodo_Gold_Coast]
name = Gold Coast
baseurl = https://qetello04.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Gold_Coast
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/792282951203242299-key.pem
sslclientcert = /etc/pki/entitlement/792282951203242299.pem

[Starbucks_Komodo_Fair_Trade]
name = Fair Trade
baseurl = https://qetello04.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Fair_Trade
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/792282951203242299-key.pem
sslclientcert = /etc/pki/entitlement/792282951203242299.pem
```

After adding the gpg key

```
[root@qeclient01 ~]# cat /etc/yum.repos.d/redhat.repo
#
# Certificate-Based Repositories
# Managed by (rhsm) subscription-manager
#
# If this file is empty and this system is subscribed consider
# a "yum repolist" to refresh available repos
#
[Starbucks_Ethiopia_Decaf]
name = Decaf
baseurl = https://qetello04.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Ethiopia/Decaf
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/3030170799466065509-key.pem
sslclientcert = /etc/pki/entitlement/3030170799466065509.pem

[Starbucks_Komodo_Gold_Coast]
name = Gold Coast
baseurl = https://qetello04.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Gold_Coast
enabled = 1
gpgcheck = 0
gpgkey = https://qetello04.usersys.redhat.com/cfse/api/repositories/38/gpg_key_content
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/7280119511062001365-key.pem
sslclientcert = /etc/pki/entitlement/7280119511062001365.pem

[Starbucks_Komodo_Fair_Trade]
name = Fair Trade
baseurl = https://qetello04.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Fair_Trade
enabled = 1
gpgcheck = 0
gpgkey = https://qetello04.usersys.redhat.com/cfse/api/repositories/37/gpg_key_content
sslverify = 1
sslcacert = /etc/rhsm/ca/candlepin-local.pem
sslclientkey = /etc/pki/entitlement/7280119511062001365-key.pem
sslclientcert = /etc/pki/entitlement/7280119511062001365.pem
```

So the gpg key bit was added to my client's repo file but gpgcheck is still disabled. I am not sure what version of candlepin this BZ requires to properly verify though.

My environment:

* candlepin-0.7.8.1-1.el6cf.noarch
* candlepin-selinux-0.7.8.1-1.el6cf.noarch
* candlepin-tomcat6-0.7.8.1-1.el6cf.noarch
* katello-1.1.12-14.el6cf.noarch
* katello-all-1.1.12-14.el6cf.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1.el6cf.noarch
* katello-cli-1.1.8-7.el6cf.noarch
* katello-cli-common-1.1.8-7.el6cf.noarch
* katello-common-1.1.12-14.el6cf.noarch
* katello-configure-1.1.9-7.el6cf.noarch
* katello-glue-candlepin-1.1.12-14.el6cf.noarch
* katello-glue-pulp-1.1.12-14.el6cf.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.1.1-1.el6cf.noarch
* pulp-1.1.12-1.el6cf.noarch
* pulp-common-1.1.12-1.el6cf.noarch
* pulp-selinux-server-1.1.12-1.el6cf.noarch

Katello/System engine has no control over that setting. I'm not entirely sure about the details of the process, but yum repo config file is probably being updated by the subscription-manager yum plugin. Which takes time to pull updates from candlepin. I'd suggest leave things as they are and come back later to check the state of the flag.

So you are hitting this RHSM bug:

https://bugzilla.redhat.com/show_bug.cgi?id=834125

if you do a:

```
# rm /etc/yum.repos.d/redhat.repo
# yum repolist
```

you should see gpgcheck = 1

I tried qeclient01:

```
[Starbucks_Komodo_Fair_Trade]
name = Fair Trade
baseurl = https://qetello04.usersys.redhat.com/pulp/repos/Starbucks/Demi//custom/Komodo/Fair_Trade
enabled = 1
gpgcheck = 1
```

Verified:

* candlepin-0.7.8.1-1.el6cf.noarch
* candlepin-selinux-0.7.8.1-1.el6cf.noarch
* candlepin-tomcat6-0.7.8.1-1.el6cf.noarch
* katello-1.1.12-14.el6cf.noarch
* katello-all-1.1.12-14.el6cf.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1.el6cf.noarch
* katello-cli-1.1.8-7.el6cf.noarch
* katello-cli-common-1.1.8-7.el6cf.noarch
* katello-common-1.1.12-14.el6cf.noarch
* katello-configure-1.1.9-7.el6cf.noarch
* katello-glue-candlepin-1.1.12-14.el6cf.noarch
* katello-glue-pulp-1.1.12-14.el6cf.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.1.1-1.el6cf.noarch
* pulp-1.1.12-1.el6cf.noarch
* pulp-common-1.1.12-1.el6cf.noarch
* pulp-selinux-server-1.1.12-1.el6cf.noarch

*** Bug 814118 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html

getting rid of 6.0.0 version since that doesn't exist
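A check for the state this report describes, a repo section that carries a `gpgkey` URL while `gpgcheck` is still 0, written as an added example (not code from the bug report, Katello or subscription-manager). The sample file is constructed with a placeholder host, and the function names and the `main_gpgcheck` parameter are assumptions of this example.

```python
import configparser

# Constructed sample modelled on the redhat.repo listings in this report.
SAMPLE_REPO_FILE = """\
# Managed by (rhsm) subscription-manager
[Starbucks_Ethiopia_Decaf]
name = Decaf
enabled = 1
gpgcheck = 0

[Starbucks_Komodo_Gold_Coast]
name = Gold Coast
enabled = 1
gpgcheck = 0
gpgkey = https://satellite.example.com/cfse/api/repositories/38/gpg_key_content

[Starbucks_Komodo_Fair_Trade]
name = Fair Trade
enabled = 1
gpgcheck = 1
gpgkey = https://satellite.example.com/cfse/api/repositories/37/gpg_key_content
"""


def audit_gpg_settings(repo_text, main_gpgcheck=False):
    """Map each enabled repo id to its signature-check state.

    main_gpgcheck (assumed parameter) stands in for the [main] value a
    section inherits when it has no gpgcheck line of its own.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(repo_text)
    report = {}
    for repo_id in parser.sections():
        section = parser[repo_id]
        if not section.getboolean("enabled", fallback=True):
            continue  # disabled repos are not installed from
        checked = section.getboolean("gpgcheck", fallback=main_gpgcheck)
        has_key = bool(section.get("gpgkey", "").strip())
        if checked:
            # without a gpgkey line, yum relies on keys already in the rpm db
            report[repo_id] = "enforced" if has_key else "check-without-key"
        else:
            # a key URL with gpgcheck off is the stale state in this report
            report[repo_id] = "key-not-enforced" if has_key else "unsigned"
    return report


def stale_sections(repo_text, main_gpgcheck=False):
    """Repo ids that have a key configured but do not verify signatures."""
    states = audit_gpg_settings(repo_text, main_gpgcheck)
    return sorted(r for r, s in states.items() if s == "key-not-enforced")
```

Running `stale_sections` over the contents of `/etc/yum.repos.d/redhat.repo` after a key is associated with a product lists the sections that still need the repo file to be regenerated.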