RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1104332 - [RFE] Separate out the rhsm certs into a separate RPM
Summary: [RFE] Separate out the rhsm certs into a separate RPM
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python-rhsm
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: rc
: 7.3
Assignee: vritant
QA Contact: John Sefler
Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On:
Blocks: rhsm-rhel72 1298337 1313485
TreeView+ depends on / blocked
 
Reported: 2014-06-03 18:50 UTC by Daniel Walsh
Modified: 2016-11-03 20:26 UTC (History)
9 users (show)

Fixed In Version: python-rhsm-1.17.5-1
Doc Type: Enhancement
Doc Text:
`redhat-uep.pem` CA certificate moved to a *python-rhsm-certificates* package The `/etc/rhsm/ca/redhat-uep.pem` certificate authority (CA) certificate was previously included in the *python-rhsm* package. This update moves this certificate into a simplified *python-rhsm-certificates* package that provides only the certificate. As a result, container images can now be built only with *python-rhsm-certificates* without all the package dependencies required by *python-rhsm*, specifically the *python* package.
Clone Of:
Environment:
Last Closed: 2016-11-03 20:26:36 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2592 0 normal SHIPPED_LIVE Moderate: subscription-manager security, bug fix, and enhancement update 2016-11-03 12:10:42 UTC

Description Daniel Walsh 2014-06-03 18:50:35 UTC 
We need the cert in a docker based image, but we do not want the python or more specifically the requires python package.

We want to get to the point where we could use a docker image without python being included.
Comment 2 Bryan Kearney 2014-07-30 19:23:05 UTC 
Acking 7.1
Comment 5 Adrian Likins 2015-07-09 18:59:00 UTC 
(In reply to Daniel Walsh from comment #0)
> We need the cert in a docker based image, but we do not want the python or
> more specifically the requires python package.
> 
> We want to get to the point where we could use a docker image without python
> being included.


Which cert?
Comment 6 Daniel Walsh 2015-07-09 21:22:49 UTC 
It has been a while, but we wanted these in a subpackage, I believe.

/etc/rhsm
/etc/rhsm/ca
/etc/rhsm/ca/candlepin-stage.pem
/etc/rhsm/ca/redhat-uep.pem
Comment 10 vritant 2015-08-26 19:25:14 UTC 
This bz now only applies to /etc/rhsm/ca/redhat-uep.pem , as /etc/rhsm/ca/candlepin-stage.pem is being removed anyways per
https://bugzilla.redhat.com/show_bug.cgi?id=1242057
Comment 13 Daniel Walsh 2016-06-08 21:02:39 UTC 
Well it has been two years since we requested this.  Aaron do you remember?
Comment 16 Aaron Weitekamp 2016-06-14 12:03:47 UTC 
The CA /etc/rhsm/ca/redhat-uep.pem is used for securely connecting to CDN to install RPMs inside the running container.
Comment 17 Barnaby Court 2016-06-15 20:31:58 UTC 
Aaron, 

The tools used to install the RPMs are all built using python, and require the python-rhsm package in order to properly generate the repo files used to connect to the CDN. Why do you need the files separated out into a new RPM if the other packages would still be required?
Comment 18 Aaron Weitekamp 2016-06-15 21:03:23 UTC 
I think the initial BZ comment made 2 years ago says it pretty clearly:

> We need the cert in a docker based image, but we do not want the python or more specifically the requires python package.
> We want to get to the point where we could use a docker image without python being included.

Bottom line is if we eliminate all of the python dependencies in the base image we will still want the CA cert to make secure calls to Red Hat.

Can we add the rhsm CA certs to redhat-release? I understand we have already done this with product certs. It is also similar to the method used to install the default rpm GPG keys.
Comment 19 Barnaby Court 2016-06-16 13:52:08 UTC 
We have a use case where we need these certificates on non Red Hat systems so adding them to redhat-release where only RHEL has access would be problematic. The certificate will be packaged with a new rhsm-certificates rpm.
Comment 22 vritant 2016-06-28 22:51:38 UTC 
Pull Request:
https://github.com/candlepin/python-rhsm/pull/173/commits
Commits:
14aecdf15ba841fce1769d38cfecc8b621a565aa
Comment 24 Shwetha Kallesh 2016-07-07 13:54:55 UTC 
[root@dhcp35-128 ~]# rpm -qa | grep python-rhsm
python-rhsm-1.17.5-1.el7.x86_64
python-rhsm-certificates-1.17.5-1.el7.x86_64
 
python-rhsm is dependent on python-rhsm-certificate:
-------------------------------------------------------
[root@dhcp35-128 ~]# yum install python-rhsm-1.17.5-1.el7.x86_64.rpm -y
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Examining python-rhsm-1.17.5-1.el7.x86_64.rpm: python-rhsm-1.17.5-1.el7.x86_64
Marking python-rhsm-1.17.5-1.el7.x86_64.rpm as an update to python-rhsm-1.17.2-1.el7.x86_64
Resolving Dependencies
--> Running transaction check
---> Package python-rhsm.x86_64 0:1.17.2-1.el7 will be updated
---> Package python-rhsm.x86_64 0:1.17.5-1.el7 will be an update
--> Processing Dependency: python-rhsm-certificates = 1.17.5-1.el7 for package: python-rhsm-1.17.5-1.el7.x86_64
--> Finished Dependency Resolution
Error: Package: python-rhsm-1.17.5-1.el7.x86_64 (/python-rhsm-1.17.5-1.el7.x86_64)
           Requires: python-rhsm-certificates = 1.17.5-1.el7
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
 
python-rhsm no longer contains /etc/rhsm/ca/redhat-uep.pem:
-----------------------------------------------------------------
 
[root@dhcp35-128 ~]# rpm -ql python-rhsm | grep "/etc/rhsm/ca/"
[root@dhcp35-128 ~]#
 
/etc/rhsm/ca/redhat-uep.pem is moved to python-rhsm-certificates:
------------------------------------------------------------------------
 
[root@dhcp35-128 ~]# rpm -ql python-rhsm-certificates | grep "/etc/rhsm/ca/"
/etc/rhsm/ca/redhat-uep.pem


No selinux denials while installing:
-------------------------------------------------------------
 
[root@shwetha-workstation ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
[root@shwetha-workstation ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
<no matches>
[root@shwetha-workstation ~]# yum install python-rhsm-* -y
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
Examining python-rhsm-1.17.3-0.git.10.a0557db.el7.x86_64.rpm: python-rhsm-1.17.3-0.git.10.a0557db.el7.x86_64
python-rhsm-1.17.3-0.git.10.a0557db.el7.x86_64.rpm: does not update installed package.
Examining python-rhsm-1.17.4-1.el7.x86_64.rpm: python-rhsm-1.17.4-1.el7.x86_64
python-rhsm-1.17.4-1.el7.x86_64.rpm: does not update installed package.
Examining python-rhsm-1.17.5-1.el7.x86_64.rpm: python-rhsm-1.17.5-1.el7.x86_64
Marking python-rhsm-1.17.5-1.el7.x86_64.rpm as an update to python-rhsm-1.17.4-1.el7.x86_64
Examining python-rhsm-certificates-1.17.5-1.el7.x86_64.rpm: python-rhsm-certificates-1.17.5-1.el7.x86_64
Marking python-rhsm-certificates-1.17.5-1.el7.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package python-rhsm.x86_64 0:1.17.4-1.el7 will be updated
---> Package python-rhsm.x86_64 0:1.17.5-1.el7 will be an update
---> Package python-rhsm-certificates.x86_64 0:1.17.5-1.el7 will be installed
--> Finished Dependency Resolution
https://cdn.redhat.com/admin/foo/path/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
To address this issue please refer to the below knowledge base article
 
https://access.redhat.com/solutions/69319
 
If above article doesn't help to resolve this issue please open a ticket with Red Hat Support.
 
https://cdn.redhat.com/foo/path/never/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
 
Dependencies Resolved
 
========================================================================================================================================================================
 Package                                   Arch                    Version                         Repository                                                      Size
========================================================================================================================================================================
Installing:
 python-rhsm-certificates                  x86_64                  1.17.5-1.el7                    /python-rhsm-certificates-1.17.5-1.el7.x86_64                  7.6 k
Updating:
 python-rhsm                               x86_64                  1.17.5-1.el7                    /python-rhsm-1.17.5-1.el7.x86_64                               341 k
 
Transaction Summary
========================================================================================================================================================================
Install  1 Package
Upgrade  1 Package
 
Total size: 348 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : python-rhsm-certificates-1.17.5-1.el7.x86_64                                                                                                         1/3
  Updating   : python-rhsm-1.17.5-1.el7.x86_64                                                                                                                      2/3
  Cleanup    : python-rhsm-1.17.4-1.el7.x86_64                                                                                                                      3/3
https://cdn.redhat.com/admin/foo/path/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
https://cdn.redhat.com/foo/path/never/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
https://cdn.redhat.com/admin/foo/path/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
failure: repodata/repomd.xml from admin-content-label: [Errno 256] No more mirrors to try.
https://cdn.redhat.com/admin/foo/path/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
  Verifying  : python-rhsm-1.17.5-1.el7.x86_64                                                                                                                      1/3
  Verifying  : python-rhsm-certificates-1.17.5-1.el7.x86_64                                                                                                         2/3
  Verifying  : python-rhsm-1.17.4-1.el7.x86_64                                                                                                                      3/3
 
Installed:
  python-rhsm-certificates.x86_64 0:1.17.5-1.el7                                                                                                                        
 
Updated:
  python-rhsm.x86_64 0:1.17.5-1.el7                                                                                                                                    
 
Complete!
[root@shwetha-workstation ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
<no matches>
Comment 25 John Sefler 2016-07-07 15:04:25 UTC 
Augmenting verification comment 24...

The new package python-rhsm-certificates is minimal, provides only one file (redhat-uep.pem), and depends only on rpmlib...

[root@jsefler-rhel7 ~]# rpm -q python-rhsm-certificates
python-rhsm-certificates-1.17.5-1.el7.x86_64
[root@jsefler-rhel7 ~]# rpm -ql python-rhsm-certificates
/etc/rhsm
/etc/rhsm/ca
/etc/rhsm/ca/redhat-uep.pem
[root@jsefler-rhel7 ~]# rpm -q python-rhsm-certificates --requires
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1

As demonstrated in comment 24, package python-rhsm now depends on python-rhsm-certificates...
[root@jsefler-rhel7 ~]# rpm -q python-rhsm-certificates --whatrequires
python-rhsm-1.17.5-1.el7.x86_64
Comment 31 errata-xmlrpc 2016-11-03 20:26:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2592.html
Note You need to log in before you can comment on or make changes to this bug.