Bug 1269963 - [RFE] When transitioning from RHN classis to RHSM, subscript-manager doesn't carry over protectbase
[RFE] When transitioning from RHN classis to RHSM, subscript-manager doesn't ...
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager (Show other bugs)
All Linux
medium Severity high
: rc
: ---
Assigned To: candlepin-bugs
John Sefler
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2015-10-08 11:35 EDT by Vincent S. Cojot
Modified: 2017-01-11 13:34 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-01-11 13:34:41 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vincent S. Cojot 2015-10-08 11:35:58 EDT
Description of problem:

When 3rd party repos are being used on RHEL6/7 and system transitions from RHN classic to RHSM (Subscriptions), yum-plugin-protectbase becomes ineffective at protecting the base OS until /etc/yum.repos.d/redhat.repo is edited.

Version-Release number of selected component (if applicable):

Happens on RHEL6 and RHEL7 (6.6, 6.7, 7.1 tested, both x86_64 and ia32).

How reproducible:


Steps to Reproduce:

1) Install yum-plugin-protectbase
2) make sure it is enabled:

# cat /etc/yum/pluginconf.d/protectbase.conf
enabled = 1

3) Add a 3rd party repo that holds *some* packages which are newer than those found in the base OS.
4) yum update
(don't accept but witness how yum-plugin-protectbase prevents base RHEL packages from being replaced by yum (look for the string 'Skipped due to repository protection'.. that's from memory.

5) transition to RHSM with subscription-manager

6) run 'yum update' again and notice how the protection is gone!!! (as a result, several base packages from my RHEL machines were replaced by stuff from other non-RHEL repositories).

workaround, add 'protect' to the RHEL repo file (here I use the gpgcheck string to help brutally adding the string to every repo in my RHEL repos):

# test -f /etc/yum.repos.d/redhat.repo && \
grep -q 'protect.*=.*1' /etc/yum.repos.d/redhat.repo || \
perl -pi -e 's/gpgcheck = 1/gpgcheck = 1\nprotect = 1/g' \

As a result, there are -tons- of added lines:
# uname -a
Linux daltigoth 2.6.32-573.7.1.el6.x86_64 #1 SMP Thu Sep 10 13:42:16 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
# grep -c protect /etc/yum.repos.d/redhat.repo

Actual results:
protectbase feature is gone when transitionning from RHN classis to RHSM.

Expected results:
protectbase should be carried over (if present and enabled)

Additional info:
Tested on several RHEL6/RHEL7 machines. I'm currently manually downgrading the packages wrongly updated after protectbase was gone.

Several large enterprise customers that I know of have their own repos..  I am not sure if some of them are using protectbase but perhaps this should be considered for an RFE as this might make alot of people unhappy when switching over from RHN classic/Satellite to RHSM.
Comment 3 Vincent S. Cojot 2015-10-13 09:33:30 EDT
Hi John,
I just noticed your comments. Sorry if I wasn't clear enough.. let me try to explain a bit further:

Yes, I agree that this would in fact be a new feature request for rhsm-migrate-classic-to-rhsm, which is a tool I couldn't use (my systems were already registered but not subscribed to any pool so the tool refused to proceed).

However, I don't think this whole thing is the same as setting a base release to a specific version (e.g: 7.0). Protecting base stills allows you to remain current on the latest z-stream (7.1.z, 7.2.z, etc..) but it disallows external 3rd party repos that carry some higher-than-RHEL packages to replace base RHEL packages (whatever the version may be).

I wasn't aware of 'subscription-manager repo-override --add=protect:1'.. I'm going to look it up in the docs.
Best regards
Comment 8 Barnaby Court 2017-01-11 13:34:41 EST
A workaround was provided of using "subscription-manager repo-override --add=protect:1 ...". If that is not sufficient please re-open.

Note You need to log in before you can comment on or make changes to this bug.