RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1269963 - [RFE] When transitioning from RHN classis to RHSM, subscript-manager doesn't carry over protectbase
Summary: [RFE] When transitioning from RHN classis to RHSM, subscript-manager doesn't ...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager
Version: 7.3
Hardware: All
OS: Linux
medium
high
Target Milestone: rc
: ---
Assignee: candlepin-bugs
QA Contact: John Sefler
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-10-08 15:35 UTC by Vincent S. Cojot
Modified: 2019-09-12 09:04 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-11 18:34:41 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Vincent S. Cojot 2015-10-08 15:35:58 UTC
Description of problem:

When 3rd party repos are being used on RHEL6/7 and system transitions from RHN classic to RHSM (Subscriptions), yum-plugin-protectbase becomes ineffective at protecting the base OS until /etc/yum.repos.d/redhat.repo is edited.

Version-Release number of selected component (if applicable):

Happens on RHEL6 and RHEL7 (6.6, 6.7, 7.1 tested, both x86_64 and ia32).


How reproducible:

100%

Steps to Reproduce:

1) Install yum-plugin-protectbase
2) make sure it is enabled:

# cat /etc/yum/pluginconf.d/protectbase.conf
[main]
enabled = 1

3) Add a 3rd party repo that holds *some* packages which are newer than those found in the base OS.
4) yum update
(don't accept but witness how yum-plugin-protectbase prevents base RHEL packages from being replaced by yum (look for the string 'Skipped due to repository protection'.. that's from memory.

5) transition to RHSM with subscription-manager

6) run 'yum update' again and notice how the protection is gone!!! (as a result, several base packages from my RHEL machines were replaced by stuff from other non-RHEL repositories).

workaround, add 'protect' to the RHEL repo file (here I use the gpgcheck string to help brutally adding the string to every repo in my RHEL repos):


# test -f /etc/yum.repos.d/redhat.repo && \
grep -q 'protect.*=.*1' /etc/yum.repos.d/redhat.repo || \
perl -pi -e 's/gpgcheck = 1/gpgcheck = 1\nprotect = 1/g' \
/etc/yum.repos.d/redhat.repo

As a result, there are -tons- of added lines:
# uname -a
Linux daltigoth 2.6.32-573.7.1.el6.x86_64 #1 SMP Thu Sep 10 13:42:16 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
# grep -c protect /etc/yum.repos.d/redhat.repo
532


Actual results:
protectbase feature is gone when transitionning from RHN classis to RHSM.

Expected results:
protectbase should be carried over (if present and enabled)

Additional info:
Tested on several RHEL6/RHEL7 machines. I'm currently manually downgrading the packages wrongly updated after protectbase was gone.

Several large enterprise customers that I know of have their own repos..  I am not sure if some of them are using protectbase but perhaps this should be considered for an RFE as this might make alot of people unhappy when switching over from RHN classic/Satellite to RHSM.

Comment 3 Vincent S. Cojot 2015-10-13 13:33:30 UTC
Hi John,
I just noticed your comments. Sorry if I wasn't clear enough.. let me try to explain a bit further:

Yes, I agree that this would in fact be a new feature request for rhsm-migrate-classic-to-rhsm, which is a tool I couldn't use (my systems were already registered but not subscribed to any pool so the tool refused to proceed).

However, I don't think this whole thing is the same as setting a base release to a specific version (e.g: 7.0). Protecting base stills allows you to remain current on the latest z-stream (7.1.z, 7.2.z, etc..) but it disallows external 3rd party repos that carry some higher-than-RHEL packages to replace base RHEL packages (whatever the version may be).

I wasn't aware of 'subscription-manager repo-override --add=protect:1'.. I'm going to look it up in the docs.
Best regards

Comment 8 Barnaby Court 2017-01-11 18:34:41 UTC
A workaround was provided of using "subscription-manager repo-override --add=protect:1 ...". If that is not sufficient please re-open.


Note You need to log in before you can comment on or make changes to this bug.