Bug 988476

Summary: eliminate extra parameters from subscription-manager config --list/--set/--remove
Product: Red Hat Enterprise Linux 5 Reporter: John Sefler <jsefler>
Component: python-rhsmAssignee: Carter Kozak <ckozak>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.10CC: bkearney, fsharath, jesusr, lmiksik
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-30 22:32:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 840995    

Description John Sefler 2013-07-25 16:28:20 UTC
Description of problem:
For the past several releases, the subscription-manager config module has allowed you to set and remove parameters in all three sections (server,rhsm,rhsmcertd) of the rhsm.conf file even though the parameter is only used in one section.  I have see this lead to confusion for the user.  The user thinks she has set the hostname, but in reality she set the rhsm.hostname when she should have set the server.hostname.

Please remove the extraneous configurations.

Version-Release number of selected component (if applicable):
[root@jsefler-5 ~]# rpm -q subscription-manager
subscription-manager-1.8.14-1.el5


[root@jsefler-5 ~]# rpm -q subscription-manager
subscription-manager-1.8.14-1.el5
[root@jsefler-5 ~]# subscription-manager config --list
[server]
   autoattachinterval = [1440]                      <====== REMOVE
   baseurl = [https://cdn.redhat.com]               <====== REMOVE
   ca_cert_dir = [/etc/rhsm/ca/]
   certcheckinterval = [240]                        <====== REMOVE
   consumercertdir = [/etc/pki/consumer]            <====== REMOVE
   entitlementcertdir = [/etc/pki/entitlement]      <====== REMOVE
   hostname = subscription.rhn.redhat.com
   insecure = [0]
   manage_repos = [1]                               <====== REMOVE
   pluginconfdir = [/etc/rhsm/pluginconf.d/]        <====== REMOVE
   plugindir = [/usr/share/rhsm-plugins]            <====== REMOVE
   port = 443
   prefix = /subscription
   productcertdir = [/etc/pki/product]              <====== REMOVE
   proxy_hostname = []
   proxy_password = []
   proxy_port = []
   proxy_user = []
   repo_ca_cert = [/etc/rhsm/ca/redhat-uep.pem]     <====== REMOVE
   report_package_profile = [1]                     <====== REMOVE
   ssl_verify_depth = [3]

[rhsm]
   autoattachinterval = [1440]                     <====== REMOVE
   baseurl = [https://cdn.redhat.com]
   ca_cert_dir = [/etc/rhsm/ca/]                   <====== REMOVE
   certcheckinterval = [240]                       <====== REMOVE
   consumercertdir = [/etc/pki/consumer]
   entitlementcertdir = [/etc/pki/entitlement]
   hostname = [localhost]                          <====== REMOVE
   insecure = [0]                                  <====== REMOVE
   manage_repos = [1]
   pluginconfdir = /etc/rhsm/pluginconf.d
   plugindir = [/usr/share/rhsm-plugins]
   port = [8443]                                   <====== REMOVE
   prefix = [/candlepin]                           <====== REMOVE
   productcertdir = [/etc/pki/product]
   proxy_hostname = []                             <====== REMOVE
   proxy_password = []                             <====== REMOVE
   proxy_port = []                                 <====== REMOVE
   proxy_user = []                                 <====== REMOVE
   repo_ca_cert = [/etc/rhsm/ca/redhat-uep.pem]
   report_package_profile = [1]
   ssl_verify_depth = [3]                          <====== REMOVE

[rhsmcertd]
   autoattachinterval = [1440]
   baseurl = [https://cdn.redhat.com]               <====== REMOVE
   ca_cert_dir = [/etc/rhsm/ca/]                    <====== REMOVE
   certcheckinterval = [240]
   consumercertdir = [/etc/pki/consumer]            <====== REMOVE
   entitlementcertdir = [/etc/pki/entitlement]      <====== REMOVE
   hostname = [localhost]                           <====== REMOVE
   insecure = [0]                                   <====== REMOVE
   manage_repos = [1]                               <====== REMOVE
   pluginconfdir = [/etc/rhsm/pluginconf.d/]        <====== REMOVE
   plugindir = [/usr/share/rhsm-plugins]            <====== REMOVE
   port = [8443]                                    <====== REMOVE
   prefix = [/candlepin]                            <====== REMOVE
   productcertdir = [/etc/pki/product]              <====== REMOVE
   proxy_hostname = []                              <====== REMOVE
   proxy_password = []                              <====== REMOVE
   proxy_port = []                                  <====== REMOVE
   proxy_user = []                                  <====== REMOVE
   repo_ca_cert = [/etc/rhsm/ca/redhat-uep.pem]     <====== REMOVE
   report_package_profile = [1]                     <====== REMOVE
   ssl_verify_depth = [3]                           <====== REMOVE

[] - Default value in use



Here are the list of configurations that really matter:
[root@jsefler-5 ~]# cat /etc/rhsm/rhsm.conf
# Red Hat Subscription Manager Configuration File:

# Unified Entitlement Platform Configuration
[server]
# Server hostname:
hostname=subscription.rhn.redhat.com

# Server prefix:
prefix=/subscription

# Server port:
port=443

# Set to 1 to disable certificate validation:
insecure = 0

# Set the depth of certs which should be checked
# when validating a certificate
ssl_verify_depth = 3

# Server CA certificate location:
ca_cert_dir = /etc/rhsm/ca/

# an http proxy server to use
proxy_hostname =

# port for http proxy server
proxy_port =

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

[rhsm]
# Content base URL:
baseurl=https://cdn.redhat.com

# Default CA cert to use when generating yum repo configs:
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem

# Where the certificates should be stored
productCertDir=/etc/pki/product
entitlementCertDir = /etc/pki/entitlement
consumerCertDir = /etc/pki/consumer

# Manage generation of yum repositories for subscribed content:
manage_repos = 1

# If set to zero, the client will not report the package profile to
# the subscription management service.
report_package_profile = 1

# The directory to search for subscription manager plugins
pluginDir = /usr/share/rhsm-plugins

# The directory to search for plugin configuration files
pluginConfDir = /etc/rhsm/pluginconf.d

[rhsmcertd]
# Interval to run cert check (in minutes):
certCheckInterval = 240
# Interval to run auto-attach (in minutes):
autoAttachInterval = 1440

Comment 1 Carter Kozak 2013-07-31 19:32:07 UTC
commit 4761f79238e0181333296d43beef3cd79e765fb8
Author: ckozak <ckozak>
Date:   Thu Jul 25 10:46:59 2013 -0400

    988476, 988085: fix default hostname, remove excess config list output

commit ccb343c6330e16694b0ab9450c216ba3fa42f0cb
Author: ckozak <ckozak>
Date:   Wed Jul 31 12:08:11 2013 -0400

    fix config failure

Comment 2 Bryan Kearney 2013-08-01 15:55:17 UTC
Moving these to ON_QA. The tooling must have missed moving these.

Comment 3 John Sefler 2013-08-01 16:28:42 UTC
Moving back to POST.  These commits were made to python-rhsm (not subscription-manager)

Comment 5 Sharath Dwaral 2013-08-05 18:21:48 UTC
version:
# rpm -qa | egrep "subscription-manager|python-rhsm"
subscription-manager-1.8.16-1.el5
subscription-manager-debuginfo-1.8.16-1.el5
subscription-manager-migration-data-1.11.3.2-1.git.0.14f9d59.el5
subscription-manager-firstboot-1.8.16-1.el5
python-rhsm-1.8.16-1.el5
subscription-manager-migration-1.8.16-1.el5
python-rhsm-debuginfo-1.8.16-1.el5
subscription-manager-gui-1.8.16-1.el5


Verification:
# subscription-manager config --list
[server]
   ca_cert_dir = [/etc/rhsm/ca/]
   hostname = sharath-candlepin.usersys.redhat.com
   insecure = [0]
   port = 8443
   prefix = /candlepin
   proxy_hostname = []
   proxy_password = []
   proxy_port = []
   proxy_user = []
   ssl_verify_depth = [3]

[rhsm]
   baseurl = [https://cdn.redhat.com]
   ca_cert_dir = [/etc/rhsm/ca/]              <<<<<<<  TO BE REMOVED
   consumercertdir = [/etc/pki/consumer]
   entitlementcertdir = [/etc/pki/entitlement]
   manage_repos = [1]
   pluginconfdir = [/etc/rhsm/pluginconf.d]
   plugindir = [/usr/share/rhsm-plugins]
   productcertdir = [/etc/pki/product]
   repo_ca_cert = [/etc/rhsm/ca/redhat-uep.pem]
   report_package_profile = [1]

[rhsmcertd]
   autoattachinterval = [1440]
   certcheckinterval = [240]

[] - Default value in use

Moving back to NEW

Comment 6 Carter Kozak 2013-08-05 19:06:35 UTC
This bug is fixed.  The output you pointed out shows an ca_cert_dir in both server and rhsm (it is only used in the [rhsm] section), however it is wrong in your config file.  If you make the config file valid, it will only appear in [rhsm]

the real bug is https://bugzilla.redhat.com/show_bug.cgi?id=993202

Comment 7 Jesus M. Rodriguez 2013-08-14 14:49:19 UTC
As per Comment #6 this bug results in a misconfigured client. Moving back to ON_QA

Comment 8 John Sefler 2013-08-14 20:39:09 UTC
The following confguration will be installed by a fresh install of subscription-manager (not an upgrade)...
[root@jsefler-5 ~]# rpm -q subscription-manager
subscription-manager-1.8.20-1.el5
[root@jsefler-5 ~]# subscription-manager config
[server]
   hostname = [subscription.rhn.redhat.com]
   insecure = [0]
   port = [443]
   prefix = [/subscription]
   proxy_hostname = []
   proxy_password = []
   proxy_port = []
   proxy_user = []
   ssl_verify_depth = [3]

[rhsm]
   baseurl = https://cdn.rcm-qa.redhat.com
   ca_cert_dir = [/etc/rhsm/ca/]
   consumercertdir = [/etc/pki/consumer]
   entitlementcertdir = [/etc/pki/entitlement]
   manage_repos = [1]
   pluginconfdir = [/etc/rhsm/pluginconf.d]
   plugindir = [/usr/share/rhsm-plugins]
   productcertdir = [/etc/pki/product]
   repo_ca_cert = [/etc/rhsm/ca/redhat-uep.pem]
   report_package_profile = [1]

[rhsmcertd]
   autoattachinterval = [1440]
   certcheckinterval = [240]

[] - Default value in use

^ Notice that ca_cert_dir now resides in the [rhsm] section as a result of comment 6 bug 993202


However as demonstrated in comment 5 (and below), if you upgrade subscription-manager, the ca_cert_dir will appear in both [server] and [rhsm] sections of the config --list.  The [server].ca_cert_dir will actually be ignored - it's a casualty of war since it remains in place from the old subscription-manager version.  The [rhsm].ca_cert_dir is the actual value that now matters and will be used.  Unfortunately if you inspect the rhsm.conf, it will not have been changed during the yum update and therefore will still show ca_cert_dir in the [server] section and *not* in the [rhsm] section where it belongs.  Also notice below that [rhsmcertd] configuration parameters certfrequency and healfrequency are present in the rhsm.conf but are not actually used - they are also casualties of war - certcheckinterval and autoattachinterval are the names of their new replacements.

[root@rhsm-accept-rhel6 ~]# rpm -q subscription-manager
subscription-manager-1.8.20-1.el6_4.x86_64
[root@rhsm-accept-rhel6 ~]# subscription-manager  config
[server]
   ca_cert_dir = /etc/rhsm/ca/
   hostname = subscription.rhn.stage.redhat.com
   insecure = [0]
   port = [443]
   prefix = [/subscription]
   proxy_hostname = []
   proxy_password = []
   proxy_port = []
   proxy_user = []
   ssl_verify_depth = [3]

[rhsm]
   baseurl = [https://cdn.redhat.com]
   ca_cert_dir = [/etc/rhsm/ca/]
   consumercertdir = [/etc/pki/consumer]
   entitlementcertdir = [/etc/pki/entitlement]
   manage_repos = [1]
   pluginconfdir = [/etc/rhsm/pluginconf.d]
   plugindir = [/usr/share/rhsm-plugins]
   productcertdir = [/etc/pki/product]
   repo_ca_cert = [/etc/rhsm/ca/redhat-uep.pem]
   report_package_profile = [1]

[rhsmcertd]
   autoattachinterval = [1440]
   certcheckinterval = [240]
   certfrequency = 240
   healfrequency = 1440

[] - Default value in use


Realize that when development changes are made to the default rhsm.conf file, an upgrade will not change the old rhsm.conf thereby creating the casualty situations described above.  This can definitely be a confusing situation for the user.


Moving to VERIFIED

Comment 10 errata-xmlrpc 2013-09-30 22:32:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1331.html