Red Hat Bugzilla – Bug 1006985
rhn-migrate-classic-to-rhsm should abort when it encounters RHN channels that map to different products certs that share the same productId
Last modified: 2018-04-13 07:26:36 EDT
Description of problem:
When consuming RHN Classic channels, it is possible that among the channels being consumed, there is a mapping to product certs that share the same productId. When this happens, the rhn-migrate-classic-to-rhsm currently ends up installing each of the product certs on top of each other by the name <productId>.pem in a clobbering manner. This is a bad idea because the tags provided by the product certs could differ and the version numbers likely differ. If only the version numbers differ, then the consequence is cosmetic, but if the tags differ, then the consequence is restricted access to entitled content.

The safest thing to do (after several discussions among awood, jsefler, alikins, ggainey) is to abort the migration script with an informative message. The message could suggest specific RHN channels to be removed followed by another attempt to migrate.

Version-Release number of selected component (if applicable):
[root@jsefler-6 ~]# rpm -q subscription-manager-migration subscription-manager-migration-data
subscription-manager-migration-1.9.5-1.el6.x86_64
subscription-manager-migration-data-1.12.3.2-1.el6.noarch

Steps to Reproduce:
[root@jsefler-6 ~]# rhnreg_ks --serverUrl=https://xmlrpc.rhn.code.stage.redhat.com/XMLRPC --username=qa@redhat.com --password=**** --force --norhnsd --nohardware --nopackages --novirtinfo

Now add channels that will map to two different product certs, for example rhel-x86_64-rhev-agent-6-server and rhel-x86_64-rhev-agent-6-server-beta which I determined map to two different product certs as follows:

[root@jsefler-6 ~]# for i in `rpm -ql subscription-manager-migration-data | egrep *x86_64.*-69.pem`; do echo $i; rct cat-cert $i | grep Version | tail -1; done;
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-23d36f276d57-69.pem
Version: 6.3
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-323beb20e916-69.pem
Version: 6.4 Beta
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-4b918bda53c0-69.pem
Version: 5.9 Beta
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-6f455e15aed9-69.pem
Version: 6.4
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-a515006cc2b2-69.pem
Version: 5.8
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-dfb340743a6e-69.pem
Version: 5.9

Now if I grep for the migration cert files in the mapping file, then we'll find the RHN channels that are candidates that will give rise to the issue in this bug. Let's grep for the 6.3 and 6.4 Beta certs...

[root@jsefler-6 ~]# egrep "Server-Server-x86_64-23d36f276d57-69.pem|Server-Server-x86_64-323beb20e916-69.pem" /usr/share/rhsm/product/RHEL-6/channel-cert-mapping.txt
rhel-x86_64-rhev-agent-6-server: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-rhev-agent-6-server-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-rhev-agent-6-server-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-rhev-agent-6-server-debuginfo: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-server-6: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-server-6-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6-cf-tools-1: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-server-6-cf-tools-1-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6-cf-tools-1-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6-cf-tools-1-debuginfo: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-server-6-debuginfo: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-server-hpn-6-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-hpn-6-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-optional-6-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-optional-6-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-supplementary-6-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-supplementary-6-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem
^^ Notice the first two channels in the list.

Let's classically consume these two channels...

[root@jsefler-6 ~]# rhn-channel --user qa@redhat.com --add -c rhel-x86_64-rhev-agent-6-server -c rhel-x86_64-rhev-agent-6-server-beta
Password:
[root@jsefler-6 ~]# rhn-channel --list
rhel-x86_64-rhev-agent-6-server
rhel-x86_64-rhev-agent-6-server-beta
rhel-x86_64-server-6
[root@jsefler-6 ~]#

Now we are consuming three channels, and...

[root@jsefler-6 ~]# egrep "^rhel-x86_64-rhev-agent-6-server:|^rhel-x86_64-rhev-agent-6-server-beta:|^rhel-x86_64-server-6:" /usr/share/rhsm/product/RHEL-6/channel-cert-mapping.txt
rhel-x86_64-rhev-agent-6-server: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-rhev-agent-6-server-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6: Server-Server-x86_64-23d36f276d57-69.pem

The three channels map to two unique product certs (Server-Server-x86_64-23d36f276d57-69.pem and Server-Server-x86_64-323beb20e916-69.pem) that share the same product ID (69). One of them is for RHEL 6.3 and the other is for RHEL 6.4 Beta.

Now let's migrate....

[root@jsefler-6 ~]# rhn-migrate-classic-to-rhsm --serverurl=subscription.rhn.stage.redhat.com:443/subscription
Red Hat account: qa@redhat.com
Password:
System Engine Username: qa@redhat.com
Password:

Retrieving existing RHN Classic subscription information...
+-----------------------------------------------------+
System is currently subscribed to these RHN Classic Channels:
+-----------------------------------------------------+
rhel-x86_64-server-6
rhel-x86_64-rhev-agent-6-server-beta
rhel-x86_64-rhev-agent-6-server
+-----------------------------------------------------+
Installing product certificates for these RHN Classic channels:
+-----------------------------------------------------+
rhel-x86_64-server-6
rhel-x86_64-rhev-agent-6-server-beta
rhel-x86_64-rhev-agent-6-server

Product certificates installed successfully to /etc/pki/product.

Preparing to unregister system from RHN Classic...
System successfully unregistered from RHN Classic.

Attempting to register system to Red Hat Subscription Management...
The system has been registered with ID: 76a338be-0651-4559-8243-c5eadf5ded23
System 'jsefler-6.usersys.redhat.com' successfully registered to Red Hat Subscription Management.

Attempting to auto-attach to appropriate subscriptions...
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status: Subscribed

Please visit https://access.redhat.com/management/consumers/76a338be-0651-4559-8243-c5eadf5ded23 to view the details, and to make changes if necessary.

[root@jsefler-6 ~]# subscription-manager list --installed
+-------------------------------------------+
Installed Product Status
+-------------------------------------------+
Product Name: Red Hat Enterprise Linux Server
Product ID: 69
Version: 6.3
Arch: x86_64
Status: Subscribed
Status Details:
Starts: 12/31/2012
Ends: 12/31/2013

[root@jsefler-6 ~]# ls /etc/pki/product/
69.pem
^^^ Notice that ONLY the RHEL 6.3 product cert was migrated as the 69.pem product. It was the last cert migrated and it clobbered the RHEL6.4 Beta product cert.

Consensus among developers is that this circumstance should be detected by the script and aborted with an informative message.
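
An added example, not part of the bug report and not the subscription-manager code: one way to detect the condition described above before any cert is copied to /etc/pki/product. The function names and the last sample mapping line are hypothetical; the check assumes cert file names end in "-<productId>.pem", as in the mapping output shown in the report.

```python
import re
from collections import defaultdict

# Constructed sample in the "channel: cert" format of channel-cert-mapping.txt.
# The first three lines are taken from the egrep output in the report; the last
# line is a made-up channel and cert with a different product ID.
SAMPLE_MAPPING = """\
rhel-x86_64-rhev-agent-6-server: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-rhev-agent-6-server-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6: Server-Server-x86_64-23d36f276d57-69.pem
example-channel: Example-Product-x86_64-000000000000-999.pem
"""

# Assumption: migration cert names end in "-<productId>.pem".
PRODUCT_ID_RE = re.compile(r"-(\d+)\.pem$")


def parse_mapping(text):
    """Return {channel: cert filename} from mapping-file text."""
    mapping = {}
    for line in text.splitlines():
        channel, sep, cert = line.partition(":")
        if sep and channel.strip() and not channel.lstrip().startswith("#"):
            mapping[channel.strip()] = cert.strip()
    return mapping


def find_conflicts(subscribed, mapping):
    """Return {productId: {cert: [channels]}} for IDs reached via >1 distinct cert."""
    by_id = defaultdict(lambda: defaultdict(list))
    for channel in subscribed:
        cert = mapping.get(channel, "")
        match = PRODUCT_ID_RE.search(cert)
        if match:  # channels with no mapped cert are ignored by this check
            by_id[match.group(1)][cert].append(channel)
    return {pid: {cert: sorted(chs) for cert, chs in certs.items()}
            for pid, certs in by_id.items() if len(certs) > 1}


def check_before_install(subscribed, mapping):
    """Exit non-zero if two different certs would be written as <productId>.pem."""
    conflicts = find_conflicts(subscribed, mapping)
    for pid, certs in sorted(conflicts.items()):
        channels = sorted(ch for chs in certs.values() for ch in chs)
        print("Channels %s map to %d different certs that would all be installed "
              "as %s.pem" % (", ".join(channels), len(certs), pid))
    if conflicts:
        raise SystemExit(1)


if __name__ == "__main__":
    check_before_install(["rhel-x86_64-server-6", "rhel-x86_64-rhev-agent-6-server-beta",
                          "rhel-x86_64-rhev-agent-6-server"], parse_mapping(SAMPLE_MAPPING))
```

Two channels that map to the same cert file (here rhel-x86_64-server-6 and rhel-x86_64-rhev-agent-6-server) are not treated as a conflict by this sketch, because installing the same file twice loses nothing.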
Adding mreid to help us with an informative message that states something like this: These currently subscribed RHN Classic Channels [%s] map to multiple product certs that have Product ID %s in common. Remove one or more of these conflicting RHN Classic Channels before attempting to migrate from RHN to RHSM. Aborting.
Alex talked to me yesterday about this and I believe put in a PR with what we came up with. Are we still looking for a string on this?
(In reply to Matt Reid from comment #3)
> Alex talked to me yesterday about this and I believe put in a PR with what
> we came up with. Are we still looking for a string on this?

We're good.
commit 5873b8421267854a96f1be83621e79fb6431d7ba
Author: Alex Wood <awood@redhat.com>
Date: Thu Sep 19 14:42:15 2013 -0400

1006985: Abort migration when we detect different certs with the same ID.

Please note that this commit adds new strings!
Verifying Version...
[root@jsefler-6 ~]# rpm -q subscription-manager-migration
subscription-manager-migration-1.9.9-1.el6.x86_64
[root@jsefler-6 ~]# rpm -q subscription-manager-migration-data
subscription-manager-migration-data-2.0.4-1.el6.noarch

[root@jsefler-6 ~]# rhnreg_ks --serverUrl=https://xmlrpc.rhn.code.stage.redhat.com/XMLRPC --username=qa@redhat.com --password=**** --force --norhnsd --nohardware --nopackages --novirtinfo
[root@jsefler-6 ~]# rhn-channel --user qa@redhat.com --add -c rhel-x86_64-rhev-agent-6-server -c rhel-x86_64-rhev-agent-6-server-beta
Password:
[root@jsefler-6 ~]# rhn-migrate-classic-to-rhsm --serverurl=subscription.rhn.stage.redhat.com:443/subscription
Red Hat account: qa@redhat.com
Password:
System Engine Username: qa@redhat.com
Password:

Retrieving existing RHN Classic subscription information...
+-----------------------------------------------------+
System is currently subscribed to these RHN Classic Channels:
+-----------------------------------------------------+
rhel-x86_64-server-6
rhel-x86_64-rhev-agent-6-server-beta
rhel-x86_64-rhev-agent-6-server
+-----------------------------------------------------+
Unable to continue migration!
+-----------------------------------------------------+
You are subscribed to channels that have conflicting product certificates.
The following channels map to product ID 69:
rhel-x86_64-rhev-agent-6-server
rhel-x86_64-rhev-agent-6-server-beta
rhel-x86_64-server-6
Reduce the number of channels per product ID to 1 and run migration again.
To remove a channel, use 'rhn-channel --remove --channel=<conflicting_channel>'.
[root@jsefler-6 ~]#
^^^^ VERIFIED: When consuming channels that map to different versions of the same product ID, the migration script aborts.

Note: By inspecting the channel-cert-mapping.txt, we can see that these three channels map to three different hashed versions of 69.pem

[root@jsefler-6 ~]# egrep "^rhel-x86_64-rhev-agent-6-server:|^rhel-x86_64-rhev-agent-6-server-beta:|^rhel-x86_64-server-6:" /usr/share/rhsm/product/RHEL-6/channel-cert-mapping.txt
rhel-x86_64-rhev-agent-6-server: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-rhev-agent-6-server-beta: Server-Server-x86_64-e774841f1bf0-69.pem
rhel-x86_64-server-6: Server-Server-x86_64-06e8bd9df3f0-69.pem
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1659.html