RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1006985 - rhn-migrate-classic-to-rhsm should abort when it encounters RHN channels that map to different products certs that share the same productId
Summary: rhn-migrate-classic-to-rhsm should abort when it encounters RHN channels that...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: subscription-manager
Version: 6.5
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: ---
Assignee: Alex Wood
QA Contact: John Sefler
URL:
Whiteboard:
Depends On:
Blocks: rhsm-rhel65
TreeView+ depends on / blocked
 
Reported: 2013-09-11 16:12 UTC by John Sefler
Modified: 2021-06-10 10:39 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Consequence: migration script clobbers product certs when duplicates found. Fix: Abort migration when we detect different certs with the same ID. Result:
Clone Of:
Environment:
Last Closed: 2013-11-21 21:29:02 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1659 0 normal SHIPPED_LIVE subscription-manager and python-rhsm bug fix and enhancement update 2013-11-20 21:53:10 UTC

Description John Sefler 2013-09-11 16:12:34 UTC 
Description of problem:
When consuming RHN Classic channels, it is possible that among the channels being consumed, there is a mapping to products certs that share the same productId.  When this happens, the rhn-migrate-classic-to-rhsm currently ends up installing each of the product certs on top of each other by the name <productId>.pem in a clobbering manner.  This is a bad idea because the tags provided by the product certs could differ and the version numbers likely differ.  If only the version dumbers differ, then the consequence is cosmetic, but if the tags differ, then the consequence is restricted access to entitled content.  The safest thing to do (after several discussions among awood, jsefler, alikins, ggainey) is to abort the migration script with an informative message.  The message could suggest specific RHN channels to be removed followed by another attempt to migrate.


Version-Release number of selected component (if applicable):
[root@jsefler-6 ~]# rpm -q subscription-manager-migration subscription-manager-migration-data
subscription-manager-migration-1.9.5-1.el6.x86_64
subscription-manager-migration-data-1.12.3.2-1.el6.noarch



Steps to Reproduce:
[root@jsefler-6 ~]# rhnreg_ks --serverUrl=https://xmlrpc.rhn.code.stage.redhat.com/XMLRPC --username=qa --password=**** --force --norhnsd --nohardware --nopackages --novirtinfo

Now add channels that will map to two different product certs, for example rhel-x86_64-rhev-agent-6-server and rhel-x86_64-rhev-agent-6-server-beta which I determined map to two different product certs as follows:


[root@jsefler-6 ~]# for i in `rpm -ql subscription-manager-migration-data | egrep *x86_64.*-69.pem`; do echo $i; rct cat-cert $i | grep Version | tail -1; done;
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-23d36f276d57-69.pem
	Version: 6.3
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-323beb20e916-69.pem
	Version: 6.4 Beta
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-4b918bda53c0-69.pem
	Version: 5.9 Beta
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-6f455e15aed9-69.pem
	Version: 6.4
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-a515006cc2b2-69.pem
	Version: 5.8
/usr/share/rhsm/product/RHEL-6/Server-Server-x86_64-dfb340743a6e-69.pem
	Version: 5.9

Now if I grep for the migration cert files in the mapping file, then we'll find the RHN channels that are candidates that will give rise to the issue in this bug.  Lets grep for the 6.3 and 6.4 Beta certs...
[root@jsefler-6 ~]# egrep "Server-Server-x86_64-23d36f276d57-69.pem|Server-Server-x86_64-323beb20e916-69.pem" /usr/share/rhsm/product/RHEL-6/channel-cert-mapping.txt
rhel-x86_64-rhev-agent-6-server: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-rhev-agent-6-server-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-rhev-agent-6-server-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-rhev-agent-6-server-debuginfo: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-server-6: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-server-6-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6-cf-tools-1: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-server-6-cf-tools-1-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6-cf-tools-1-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6-cf-tools-1-debuginfo: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-server-6-debuginfo: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-server-hpn-6-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-hpn-6-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-optional-6-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-optional-6-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-supplementary-6-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-supplementary-6-beta-debuginfo: Server-Server-x86_64-323beb20e916-69.pem

^^ Notice the first two channels in the list.  Let's classically consume these two channels...

[root@jsefler-6 ~]# rhn-channel --user qa --add -c rhel-x86_64-rhev-agent-6-server -c rhel-x86_64-rhev-agent-6-server-beta
Password: 
[root@jsefler-6 ~]# rhn-channel --list
rhel-x86_64-rhev-agent-6-server
rhel-x86_64-rhev-agent-6-server-beta
rhel-x86_64-server-6
[root@jsefler-6 ~]# 

Now we are consuming three channels, and...

[root@jsefler-6 ~]# egrep "^rhel-x86_64-rhev-agent-6-server:|^rhel-x86_64-rhev-agent-6-server-beta:|^rhel-x86_64-server-6:" /usr/share/rhsm/product/RHEL-6/channel-cert-mapping.txt
rhel-x86_64-rhev-agent-6-server: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-rhev-agent-6-server-beta: Server-Server-x86_64-323beb20e916-69.pem
rhel-x86_64-server-6: Server-Server-x86_64-23d36f276d57-69.pem

The three channels map to two unique product certs ( Server-Server-x86_64-23d36f276d57-69.pem and Server-Server-x86_64-323beb20e916-69.pem) that share the same product ID (69).  One of them is for RHEL 6.3 and the other is for RHEL 6.4 Beta.


Now let's migrate....

[root@jsefler-6 ~]# rhn-migrate-classic-to-rhsm --serverurl=subscription.rhn.stage.redhat.com:443/subscription
Red Hat account: qa
Password: 
System Engine Username: qa
Password: 

Retrieving existing RHN Classic subscription information...

+-----------------------------------------------------+
System is currently subscribed to these RHN Classic Channels:
+-----------------------------------------------------+
rhel-x86_64-server-6
rhel-x86_64-rhev-agent-6-server-beta
rhel-x86_64-rhev-agent-6-server

+-----------------------------------------------------+
Installing product certificates for these RHN Classic channels:
+-----------------------------------------------------+
rhel-x86_64-server-6
rhel-x86_64-rhev-agent-6-server-beta
rhel-x86_64-rhev-agent-6-server

Product certificates installed successfully to /etc/pki/product.

Preparing to unregister system from RHN Classic...
System successfully unregistered from RHN Classic.

Attempting to register system to Red Hat Subscription Management...
The system has been registered with ID: 76a338be-0651-4559-8243-c5eadf5ded23 
System 'jsefler-6.usersys.redhat.com' successfully registered to Red Hat Subscription Management.

Attempting to auto-attach to appropriate subscriptions...
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status:       Subscribed


Please visit https://access.redhat.com/management/consumers/76a338be-0651-4559-8243-c5eadf5ded23 to view the details, and to make changes if necessary.
[root@jsefler-6 ~]# subscription-manager list --installed
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux Server
Product ID:     69
Version:        6.3
Arch:           x86_64
Status:         Subscribed
Status Details: 
Starts:         12/31/2012
Ends:           12/31/2013

[root@jsefler-6 ~]# ls /etc/pki/product/
69.pem

^^^ Notice that ONLY the RHEL 6.3 product cert was migrated as the 69.pem product.  It was the last cert migrated and it clobbered the RHEL6.4 Beta product cert.


Consensus among developers is that this circumstance should be detected by the script and aborted with an informative message.
Comment 2 John Sefler 2013-09-26 20:10:32 UTC 
Adding mreid to help us with an informative message that states something like this:

These currently subscribed RHN Classic Channels [%s] map to multiple product certs that have Product ID %s in common.  Remove one or more of these conflicting RHN Classic Channels before attempting to migrate from RHN to RHSM.  Aborting.
Comment 3 Matt Reid 2013-09-27 13:48:52 UTC 
Alex talked to me yesterday about this and I believe put in a PR with what we came up with. Are we still looking for a string on this?
Comment 4 Alex Wood 2013-09-27 19:49:47 UTC 
(In reply to Matt Reid from comment #3)
> Alex talked to me yesterday about this and I believe put in a PR with what
> we came up with. Are we still looking for a string on this?

We're good.
Comment 5 Alex Wood 2013-09-27 20:40:27 UTC 
commit 5873b8421267854a96f1be83621e79fb6431d7ba
Author: Alex Wood <awood>
Date:   Thu Sep 19 14:42:15 2013 -0400

    1006985: Abort migration when we detect different certs with the same ID.

Please note that this commit adds new strings!
Comment 9 John Sefler 2013-10-08 19:14:00 UTC 
Verifying Version...
[root@jsefler-6 ~]# rpm -q subscription-manager-migration
subscription-manager-migration-1.9.9-1.el6.x86_64
[root@jsefler-6 ~]# rpm -q subscription-manager-migration-data
subscription-manager-migration-data-2.0.4-1.el6.noarch


[root@jsefler-6 ~]# rhnreg_ks --serverUrl=https://xmlrpc.rhn.code.stage.redhat.com/XMLRPC --username=qa --password=**** --force --norhnsd --nohardware --nopackages --novirtinfo
[root@jsefler-6 ~]# rhn-channel --user qa --add -c rhel-x86_64-rhev-agent-6-server -c rhel-x86_64-rhev-agent-6-server-beta
Password: 
[root@jsefler-6 ~]# rhn-migrate-classic-to-rhsm --serverurl=subscription.rhn.stage.redhat.com:443/subscription
Red Hat account: qa
Password: 
System Engine Username: qa
Password: 

Retrieving existing RHN Classic subscription information...

+-----------------------------------------------------+
System is currently subscribed to these RHN Classic Channels:
+-----------------------------------------------------+
rhel-x86_64-server-6
rhel-x86_64-rhev-agent-6-server-beta
rhel-x86_64-rhev-agent-6-server

+-----------------------------------------------------+
Unable to continue migration!
+-----------------------------------------------------+
You are subscribed to channels that have conflicting product certificates.
The following channels map to product ID 69:
	rhel-x86_64-rhev-agent-6-server
	rhel-x86_64-rhev-agent-6-server-beta
	rhel-x86_64-server-6
Reduce the number of channels per product ID to 1 and run migration again.
To remove a channel, use 'rhn-channel --remove --channel=<conflicting_channel>'.
[root@jsefler-6 ~]# 


^^^^ VERIFIED: When consuming channels that map to different versions of the same product ID, the migration script aborts.

Note: By inspecting the channel-cert-mapping.txt, we can see that these three channels map to three different hashed versions of 69.pem
[root@jsefler-6 ~]# egrep "^rhel-x86_64-rhev-agent-6-server:|^rhel-x86_64-rhev-agent-6-server-beta:|^rhel-x86_64-server-6:" /usr/share/rhsm/product/RHEL-6/channel-cert-mapping.txt
rhel-x86_64-rhev-agent-6-server: Server-Server-x86_64-23d36f276d57-69.pem
rhel-x86_64-rhev-agent-6-server-beta: Server-Server-x86_64-e774841f1bf0-69.pem
rhel-x86_64-server-6: Server-Server-x86_64-06e8bd9df3f0-69.pem
Comment 10 errata-xmlrpc 2013-11-21 21:29:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1659.html
Note You need to log in before you can comment on or make changes to this bug.