Red Hat Bugzilla – Bug 1269963
[RFE] When transitioning from RHN classis to RHSM, subscript-manager doesn't carry over protectbase
Last modified: 2017-01-11 13:34:41 EST
Description of problem:
When 3rd party repos are being used on RHEL6/7 and system transitions from RHN classic to RHSM (Subscriptions), yum-plugin-protectbase becomes ineffective at protecting the base OS until /etc/yum.repos.d/redhat.repo is edited.
Version-Release number of selected component (if applicable):
Happens on RHEL6 and RHEL7 (6.6, 6.7, 7.1 tested, both x86_64 and ia32).
Steps to Reproduce:
1) Install yum-plugin-protectbase
2) make sure it is enabled:
# cat /etc/yum/pluginconf.d/protectbase.conf
enabled = 1
3) Add a 3rd party repo that holds *some* packages which are newer than those found in the base OS.
4) yum update
(don't accept but witness how yum-plugin-protectbase prevents base RHEL packages from being replaced by yum (look for the string 'Skipped due to repository protection'.. that's from memory.
5) transition to RHSM with subscription-manager
6) run 'yum update' again and notice how the protection is gone!!! (as a result, several base packages from my RHEL machines were replaced by stuff from other non-RHEL repositories).
workaround, add 'protect' to the RHEL repo file (here I use the gpgcheck string to help brutally adding the string to every repo in my RHEL repos):
# test -f /etc/yum.repos.d/redhat.repo && \
grep -q 'protect.*=.*1' /etc/yum.repos.d/redhat.repo || \
perl -pi -e 's/gpgcheck = 1/gpgcheck = 1\nprotect = 1/g' \
As a result, there are -tons- of added lines:
# uname -a
Linux daltigoth 2.6.32-573.7.1.el6.x86_64 #1 SMP Thu Sep 10 13:42:16 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
# grep -c protect /etc/yum.repos.d/redhat.repo
protectbase feature is gone when transitionning from RHN classis to RHSM.
protectbase should be carried over (if present and enabled)
Tested on several RHEL6/RHEL7 machines. I'm currently manually downgrading the packages wrongly updated after protectbase was gone.
Several large enterprise customers that I know of have their own repos.. I am not sure if some of them are using protectbase but perhaps this should be considered for an RFE as this might make alot of people unhappy when switching over from RHN classic/Satellite to RHSM.
I just noticed your comments. Sorry if I wasn't clear enough.. let me try to explain a bit further:
Yes, I agree that this would in fact be a new feature request for rhsm-migrate-classic-to-rhsm, which is a tool I couldn't use (my systems were already registered but not subscribed to any pool so the tool refused to proceed).
However, I don't think this whole thing is the same as setting a base release to a specific version (e.g: 7.0). Protecting base stills allows you to remain current on the latest z-stream (7.1.z, 7.2.z, etc..) but it disallows external 3rd party repos that carry some higher-than-RHEL packages to replace base RHEL packages (whatever the version may be).
I wasn't aware of 'subscription-manager repo-override --add=protect:1'.. I'm going to look it up in the docs.
A workaround was provided of using "subscription-manager repo-override --add=protect:1 ...". If that is not sufficient please re-open.