Bug 971945
| Summary: | product-id plugin for yum fails to remove /etc/pki/product cert upon deletion of final package from yum repo | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | John Sefler <jsefler> |
| Component: | subscription-manager | Assignee: | Adrian Likins <alikins> |
| Status: | CLOSED NOTABUG | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.0 | CC: | alikins, jesusr, jsefler |
| Target Milestone: | rc | ||
| Target Release: | 7.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-02-03 21:50:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 863175 | ||
|
Description
John Sefler
2013-06-07 16:11:54 UTC
This seems to be working for me:
<subscribe to cloud forms steps>
[]$ ls -lart /etc/pki/product/; cat /var/lib/rhsm/productid.js
total 12
-rw-r--r--. 1 root root 2159 Jun 10 10:04 69.pem
drwxr-xr-x. 13 root root 4096 Jun 10 10:05 ..
drwxr-xr-x. 2 root root 4096 Jun 10 10:28 .
{
"69": [
"anaconda-RedHatEnterpriseLinux-201301150237.x86_64",
"rhel-6-server-cf-tools-1-rpms",
"rhel-6-server-rpms",
"rhel-nightly"
],
"92": [
"rhel-scalefs-for-rhel-6-server-rpms"
]
[]$ sudo yum install unittest --enablerepo=rhel-6-server-cf-ce-1-rpms
Loaded plugins: auto-update-debuginfo, product-id, refresh-packagekit, security, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
rhel-6-server-cf-ce-1-rpms | 3.1 kB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package unittest.x86_64 0:0.50-62.6.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================
Installing:
unittest x86_64 0.50-62.6.el6 rhel-6-server-cf-ce-1-rpms 37 k
Transaction Summary
==================================================================================================================================
Install 1 Package(s)
Total download size: 37 k
Installed size: 141 k
Is this ok [y/N]: y
Downloading Packages:
unittest-0.50-62.6.el6.x86_64.rpm | 37 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : unittest-0.50-62.6.el6.x86_64 1/1
Verifying : unittest-0.50-62.6.el6.x86_64 1/1
Installed:
unittest.x86_64 0:0.50-62.6.el6
Complete!
[]$ ls -lart /etc/pki/product/; cat /var/lib/rhsm/productid.js
total 16
-rw-r--r--. 1 root root 2159 Jun 10 10:04 69.pem
drwxr-xr-x. 13 root root 4096 Jun 10 10:05 ..
-rw-r--r--. 1 root root 2122 Jun 10 10:31 167.pem
drwxr-xr-x. 2 root root 4096 Jun 10 10:31 .
{
"69": [
"anaconda-RedHatEnterpriseLinux-201301150237.x86_64",
"rhel-6-server-cf-tools-1-rpms",
"rhel-6-server-rpms",
"rhel-nightly"
],
"167": [
"rhel-6-server-cf-ce-1-rpms"
],
"92": [
"rhel-scalefs-for-rhel-6-server-rpms"
]
[]$ yum list installed | grep rhel-6-server-cf-ce-1-rpms
unittest.x86_64 0.50-62.6.el6 @rhel-6-server-cf-ce-1-rpms
[]$ sudo yum remove unittest
Loaded plugins: auto-update-debuginfo, product-id, refresh-packagekit, security, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package unittest.x86_64 0:0.50-62.6.el6 will be erased
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================
Removing:
unittest x86_64 0.50-62.6.el6 @rhel-6-server-cf-ce-1-rpms 141 k
Transaction Summary
==================================================================================================================================
Remove 1 Package(s)
Installed size: 141 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Erasing : unittest-0.50-62.6.el6.x86_64 1/1
Verifying : unittest-0.50-62.6.el6.x86_64 1/1
Removed:
unittest.x86_64 0:0.50-62.6.el6
Complete!
[]$ ls -lart /etc/pki/product/; cat /var/lib/rhsm/productid.js
total 12
-rw-r--r--. 1 root root 2159 Jun 10 10:04 69.pem
drwxr-xr-x. 13 root root 4096 Jun 10 10:05 ..
drwxr-xr-x. 2 root root 4096 Jun 10 10:34 .
{
"69": [
"anaconda-RedHatEnterpriseLinux-201301150237.x86_64",
"rhel-6-server-cf-tools-1-rpms",
"rhel-6-server-rpms",
"rhel-nightly"
],
"92": [
"rhel-scalefs-for-rhel-6-server-rpms"
]
From /var/log/rhsm/rhsm.log:
2013-06-10 10:34:07,101 [INFO] @productid.py:407 - product cert 167 for 167 is being deleted
2013-06-10 10:34:07,101 [INFO] @productid.py:407 - product cert 167 for 167 is being deleted
2013-06
(aside, not the double entries, probably another bug in that...)
Restesting on RHEL65 with version... [root@jsefler-6 ~]# subscription-manager version server type: This system is currently not registered. subscription management server: Unknown subscription-manager: 1.9.5-1.el6 python-rhsm: 1.9.4-1.el6 The scenario in comment 0 continues to fail for me. Just tried this again, and it still works for me. For a system that this fails on, what repo's are enabled? Wondering if there is another repo enabled that has 'unittest' in it. (I know epel does, but that shouldn't matter). What does "yum list available --enablerepo=rhel-6-server-cf-ce-1-rpms | grep unittest" show? Actually, what other repos are setup? If it tries to get repodata from a repo that fails, that can cause it to skip deleting the cert. Any msgs in the logs about repo meta data errors? Looking at some of the tests systems...
The '167' product cert isn't being removed because the productid code thinks
the repo associated with it 'rhel-6-server-cf-ce-1-rpms' is still 'active'.
'active' is supposed to mean "there are packages from this repo installed".
What seems to be happening is that the system has a 'rubygems' package installed from the base rhel repo. 'rubygems' (of a different version) is also available in the 'rhel-6-server-cf-ce-1-rpms' repos.
Then it is hitting the code:
# if a pkg is in multiple repo's, this will consider
# all the repo's with the pkg "active".
db_pkg = yb.rpmdb.searchNevra(name=p.name, arch=p.arch)
And since it is finding that a package available from the 'rhel-6-server-cf-ce-1-rpms' repo ('rubygems') is installed, it's counting that repo as active and not
removing the product info.
That seems to be intentional, but I'm not sure it's correct.
The history of why that change is included is kind of fuzzy, it seems to have gotten included as part of the fix for https://bugzilla.redhat.com/show_bug.cgi?id=709754 But I'm not entirely sure that was intentional or related. Been discussing this with dgoodwin, and I think I've decided this is working as designed. Basically, in the case outlined in comment 1, the system has 'rubygems' installed, originally from a rhel6 repo[1]. The rhel-6-server-cf-ce-1-rpms contains 'unittest', but also a newer version of 'rubygems'. Since a version of 'rubygems' is installed, and rhel-6-server-cf-ce-1-rpms provides rubygems, rhel-6-server-cf-ce-1-rpms is considered an active repo. That makes more sense if you think about doing a yum update in that case, in which the system would get the newer content from rhel-6-server-cf-ce-1-rpms. So even though that particular installed version isn't from rhel-6-server-cf-ce-1-rpms, the rhel-6-server-cf-ce-1-rpms does provide available and enabled updates. To count as not active, the system would have to remove all packages that are also provided by rhel-6-server-cf-ce-1-rpms. We do know the repoid the installed packaged was installed from, but we can't particularly trust that. The installed repo is likely to be an 'anaconda-repo', or an RHN channel, or a pulp provided repo, etc. [2] To avoid deleting certs installed from a different repoid, we don't enforce a matching repoid. This also supports repoids changing. To keep that working, I think we need to leave this alone and consider it working. [1] in this case, a repo pointing to dev trees, but it could just as easily be an rhsm repo with the rhel6 product id in it. [2] A potential improvement for this case would to be consider the product ids associated with repos in the comparison. Instead of just checking if an installed package from repo FOO is also available in some enabled repo (BAR), we would follow the productid->repo map, and require the productid is the same. ie, a package installed from base rhel should have a repoid associated with it of some-base-rhel-server-repo which productid.js would map to product id 69. If the enabled repo that also provides that package also maps to productid 69, we would count that as 'active'. If the available enabled repo maps to a different product id (ie, "167"->"rhel-6-server-cf-ce-1-rpms"), we wouldn't consider that repo as 'active. Note however, for the case in comment 1, this wouldn't help, since the repoid the 'rubygems' packages has, is not in productid.js, so we couldn't compare product ids. tl;dr: It's weird, but I think it's doing the right thing. notabug. https://bugzilla.redhat.com/show_bug.cgi?id=1060838 ( [RFE] Consider productid->repoid mapping when calculating active repos ) file based on [2] in comment 7 Moving to NOTABUG |