Bug 1104332 - [RFE] Separate out the rhsm certs into a separate RPM
Summary: [RFE] Separate out the rhsm certs into a separate RPM
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python-rhsm
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: low
Target Milestone: rc
Target Release: 7.3
Assignee: vritant
QA Contact: John Sefler
Docs Contact: Aneta Šteflová Petrová
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks: 1298337 1313485 rhsm-rhel72
 
Reported: 2014-06-03 18:50 UTC by Daniel Walsh
Modified: 2016-11-03 20:26 UTC
CC List: 9 users

Fixed In Version: python-rhsm-1.17.5-1
Doc Type: Enhancement
Doc Text:
`redhat-uep.pem` CA certificate moved to a *python-rhsm-certificates* package

The `/etc/rhsm/ca/redhat-uep.pem` certificate authority (CA) certificate was previously included in the *python-rhsm* package. This update moves this certificate into a simplified *python-rhsm-certificates* package that provides only the certificate. As a result, container images can now be built only with *python-rhsm-certificates* without all the package dependencies required by *python-rhsm*, specifically the *python* package.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 20:26:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2592 normal SHIPPED_LIVE Moderate: subscription-manager security, bug fix, and enhancement update 2016-11-03 12:10:42 UTC

Description Daniel Walsh 2014-06-03 18:50:35 UTC
We need the cert in a docker based image, but we do not want the python or more specifically the requires python package.

We want to get to the point where we could use a docker image without python being included.

Comment 2 Bryan Kearney 2014-07-30 19:23:05 UTC
Acking 7.1

Comment 5 Adrian Likins 2015-07-09 18:59:00 UTC
(In reply to Daniel Walsh from comment #0)
> We need the cert in a docker based image, but we do not want the python or
> more specifically the requires python package.
> 
> We want to get to the point where we could use a docker image without python
> being included.


Which cert?

Comment 6 Daniel Walsh 2015-07-09 21:22:49 UTC
It has been a while, but we wanted these in a subpackage, I believe.

/etc/rhsm
/etc/rhsm/ca
/etc/rhsm/ca/candlepin-stage.pem
/etc/rhsm/ca/redhat-uep.pem

Comment 10 vritant 2015-08-26 19:25:14 UTC
This bz now only applies to /etc/rhsm/ca/redhat-uep.pem, as /etc/rhsm/ca/candlepin-stage.pem is being removed anyways per
https://bugzilla.redhat.com/show_bug.cgi?id=1242057

Comment 13 Daniel Walsh 2016-06-08 21:02:39 UTC
Well, it has been two years since we requested this. Aaron, do you remember?

Comment 16 Aaron Weitekamp 2016-06-14 12:03:47 UTC
The CA /etc/rhsm/ca/redhat-uep.pem is used for securely connecting to CDN to install RPMs inside the running container.

Comment 17 Barnaby Court 2016-06-15 20:31:58 UTC
Aaron, 

The tools used to install the RPMs are all built using python, and require the python-rhsm package in order to properly generate the repo files used to connect to the CDN. Why do you need the files separated out into a new RPM if the other packages would still be required?

Comment 18 Aaron Weitekamp 2016-06-15 21:03:23 UTC
I think the initial BZ comment made 2 years ago says it pretty clearly:

> We need the cert in a docker based image, but we do not want the python or more specifically the requires python package.
> We want to get to the point where we could use a docker image without python being included.

Bottom line is if we eliminate all of the python dependencies in the base image we will still want the CA cert to make secure calls to Red Hat.

Can we add the rhsm CA certs to redhat-release? I understand we have already done this with product certs. It is also similar to the method used to install the default rpm GPG keys.

Comment 19 Barnaby Court 2016-06-16 13:52:08 UTC
We have a use case where we need these certificates on non-Red Hat systems, so adding them to redhat-release, where only RHEL has access, would be problematic. The certificate will be packaged with a new rhsm-certificates rpm.

Comment 22 vritant 2016-06-28 22:51:38 UTC
Pull Request:
https://github.com/candlepin/python-rhsm/pull/173/commits
Commits:
14aecdf15ba841fce1769d38cfecc8b621a565aa

Comment 24 Shwetha Kallesh 2016-07-07 13:54:55 UTC
[root@dhcp35-128 ~]# rpm -qa | grep python-rhsm
python-rhsm-1.17.5-1.el7.x86_64
python-rhsm-certificates-1.17.5-1.el7.x86_64
 
python-rhsm is dependent on python-rhsm-certificates:
-------------------------------------------------------
[root@dhcp35-128 ~]# yum install python-rhsm-1.17.5-1.el7.x86_64.rpm -y
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Examining python-rhsm-1.17.5-1.el7.x86_64.rpm: python-rhsm-1.17.5-1.el7.x86_64
Marking python-rhsm-1.17.5-1.el7.x86_64.rpm as an update to python-rhsm-1.17.2-1.el7.x86_64
Resolving Dependencies
--> Running transaction check
---> Package python-rhsm.x86_64 0:1.17.2-1.el7 will be updated
---> Package python-rhsm.x86_64 0:1.17.5-1.el7 will be an update
--> Processing Dependency: python-rhsm-certificates = 1.17.5-1.el7 for package: python-rhsm-1.17.5-1.el7.x86_64
--> Finished Dependency Resolution
Error: Package: python-rhsm-1.17.5-1.el7.x86_64 (/python-rhsm-1.17.5-1.el7.x86_64)
           Requires: python-rhsm-certificates = 1.17.5-1.el7
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
 
python-rhsm no longer contains /etc/rhsm/ca/redhat-uep.pem:
-----------------------------------------------------------------
 
[root@dhcp35-128 ~]# rpm -ql python-rhsm | grep "/etc/rhsm/ca/"
[root@dhcp35-128 ~]#
 
/etc/rhsm/ca/redhat-uep.pem is moved to python-rhsm-certificates:
------------------------------------------------------------------------
 
[root@dhcp35-128 ~]# rpm -ql python-rhsm-certificates | grep "/etc/rhsm/ca/"
/etc/rhsm/ca/redhat-uep.pem


No selinux denials while installing:
-------------------------------------------------------------
 
[root@shwetha-workstation ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
[root@shwetha-workstation ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
<no matches>
[root@shwetha-workstation ~]# yum install python-rhsm-* -y
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
Examining python-rhsm-1.17.3-0.git.10.a0557db.el7.x86_64.rpm: python-rhsm-1.17.3-0.git.10.a0557db.el7.x86_64
python-rhsm-1.17.3-0.git.10.a0557db.el7.x86_64.rpm: does not update installed package.
Examining python-rhsm-1.17.4-1.el7.x86_64.rpm: python-rhsm-1.17.4-1.el7.x86_64
python-rhsm-1.17.4-1.el7.x86_64.rpm: does not update installed package.
Examining python-rhsm-1.17.5-1.el7.x86_64.rpm: python-rhsm-1.17.5-1.el7.x86_64
Marking python-rhsm-1.17.5-1.el7.x86_64.rpm as an update to python-rhsm-1.17.4-1.el7.x86_64
Examining python-rhsm-certificates-1.17.5-1.el7.x86_64.rpm: python-rhsm-certificates-1.17.5-1.el7.x86_64
Marking python-rhsm-certificates-1.17.5-1.el7.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package python-rhsm.x86_64 0:1.17.4-1.el7 will be updated
---> Package python-rhsm.x86_64 0:1.17.5-1.el7 will be an update
---> Package python-rhsm-certificates.x86_64 0:1.17.5-1.el7 will be installed
--> Finished Dependency Resolution
https://cdn.redhat.com/admin/foo/path/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
To address this issue please refer to the below knowledge base article
 
https://access.redhat.com/solutions/69319
 
If above article doesn't help to resolve this issue please open a ticket with Red Hat Support.
 
https://cdn.redhat.com/foo/path/never/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
 
Dependencies Resolved
 
========================================================================================================================================================================
 Package                                   Arch                    Version                         Repository                                                      Size
========================================================================================================================================================================
Installing:
 python-rhsm-certificates                  x86_64                  1.17.5-1.el7                    /python-rhsm-certificates-1.17.5-1.el7.x86_64                  7.6 k
Updating:
 python-rhsm                               x86_64                  1.17.5-1.el7                    /python-rhsm-1.17.5-1.el7.x86_64                               341 k
 
Transaction Summary
========================================================================================================================================================================
Install  1 Package
Upgrade  1 Package
 
Total size: 348 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : python-rhsm-certificates-1.17.5-1.el7.x86_64                                                                                                         1/3
  Updating   : python-rhsm-1.17.5-1.el7.x86_64                                                                                                                      2/3
  Cleanup    : python-rhsm-1.17.4-1.el7.x86_64                                                                                                                      3/3
https://cdn.redhat.com/admin/foo/path/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
https://cdn.redhat.com/foo/path/never/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
https://cdn.redhat.com/admin/foo/path/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
failure: repodata/repomd.xml from admin-content-label: [Errno 256] No more mirrors to try.
https://cdn.redhat.com/admin/foo/path/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
  Verifying  : python-rhsm-1.17.5-1.el7.x86_64                                                                                                                      1/3
  Verifying  : python-rhsm-certificates-1.17.5-1.el7.x86_64                                                                                                         2/3
  Verifying  : python-rhsm-1.17.4-1.el7.x86_64                                                                                                                      3/3
 
Installed:
  python-rhsm-certificates.x86_64 0:1.17.5-1.el7                                                                                                                        
 
Updated:
  python-rhsm.x86_64 0:1.17.5-1.el7                                                                                                                                    
 
Complete!
[root@shwetha-workstation ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
<no matches>

Comment 25 John Sefler 2016-07-07 15:04:25 UTC
Augmenting verification comment 24...

The new package python-rhsm-certificates is minimal, provides only one file (redhat-uep.pem), and depends only on rpmlib...

[root@jsefler-rhel7 ~]# rpm -q python-rhsm-certificates
python-rhsm-certificates-1.17.5-1.el7.x86_64
[root@jsefler-rhel7 ~]# rpm -ql python-rhsm-certificates
/etc/rhsm
/etc/rhsm/ca
/etc/rhsm/ca/redhat-uep.pem
[root@jsefler-rhel7 ~]# rpm -q python-rhsm-certificates --requires
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1

As demonstrated in comment 24, package python-rhsm now depends on python-rhsm-certificates...
[root@jsefler-rhel7 ~]# rpm -q python-rhsm-certificates --whatrequires
python-rhsm-1.17.5-1.el7.x86_64
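As an added example (not code from the bug report or from the python-rhsm project), this POSIX shell check scripts the three properties verified in comments 24 and 25 so they can be re-run against a build or a container image: the certificate package depends on nothing but rpmlib() capabilities, it ships only the CA file, and an image can carry it without python-rhsm or python. The rpm output it operates on is embedded inline as constructed samples copied from those comments.

```shell
#!/bin/sh
# Added example, not from the bug report or python-rhsm. Checks the footprint
# verified in comment 25: a certificate-only package depends only on rpmlib()
# capabilities and ships one CA file; a minimal image carries it without python.

# $1: output of `rpm -q --requires <pkg>`. Succeeds when every non-empty line
# is an rpmlib() capability; fails when any real package dependency appears.
only_rpmlib_requires() {
    ! printf '%s\n' "$1" | grep -v '^[[:space:]]*$' | grep -qv '^rpmlib('
}

# $1: output of `rpm -ql <pkg>`; $2: expected CA path. Succeeds when the
# package ships that file and nothing else but its parent directories.
ships_only_ca_file() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF == 0 { next }
        $0 == want { found = 1; next }
        index(want, $0 "/") == 1 { next }   # parent directory of the CA file
        { extra = 1 }
        END { exit !(found && !extra) }'
}

# $1: output of `rpm -qa`. Succeeds when python-rhsm-certificates is installed
# and neither python-rhsm nor python itself came along with it.
minimal_ca_image() {
    printf '%s\n' "$1" | grep -q '^python-rhsm-certificates-' \
        && ! printf '%s\n' "$1" | grep -Eq '^(python-rhsm|python)-[0-9]'
}

# Constructed samples, copied from the rpm output shown in comments 24 and 25.
CERT_REQUIRES='rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1'
CERT_FILES='/etc/rhsm
/etc/rhsm/ca
/etc/rhsm/ca/redhat-uep.pem'
MINIMAL_IMAGE='python-rhsm-certificates-1.17.5-1.el7.x86_64'

if only_rpmlib_requires "$CERT_REQUIRES" \
   && ships_only_ca_file "$CERT_FILES" /etc/rhsm/ca/redhat-uep.pem \
   && minimal_ca_image "$MINIMAL_IMAGE"; then
    echo "python-rhsm-certificates footprint: OK"
else
    echo "python-rhsm-certificates footprint: FAIL"
fi
```

To run it against a live system, feed the functions the real output of `rpm -q --requires python-rhsm-certificates`, `rpm -ql python-rhsm-certificates` and `rpm -qa` instead of the samples.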

Comment 31 errata-xmlrpc 2016-11-03 20:26:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2592.html

