Description of problem:

When FreeIPA container image is built, yum installation of pki-server reports

  Installing : pki-server-10.2.5-6.el7.noarch 361/373
Failed to get D-Bus connection: Operation not permitted
warning: %post(pki-server-10.2.5-6.el7.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package pki-server-10.2.5-6.el7.noarch
  Installing : pki-kra-10.2.5-6.el7.noarch 362/373

No such error was shown with RHEL 7.1:

  Installing : pki-server-10.1.2-7.el7.noarch 366/384
  Installing : pki-ca-10.1.2-7.el7.noarch 367/384

Version-Release number of selected component (if applicable):

pki-server-10.2.5-6.el7.noarch

How reproducible:

Deterministic.

Steps to Reproduce:

1. Checkout RHEL (7.2) branch of https://github.com/adelton/docker-freeipa
2. Built container image: docker build -t freeipa-server .

Actual results:

  Installing : pki-server-10.2.5-6.el7.noarch 361/373
Failed to get D-Bus connection: Operation not permitted
warning: %post(pki-server-10.2.5-6.el7.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package pki-server-10.2.5-6.el7.noarch
  Installing : pki-kra-10.2.5-6.el7.noarch 362/373

Expected results:

  Installing : pki-server-10.2.5-6.el7.noarch 361/373
  Installing : pki-kra-10.2.5-6.el7.noarch 362/373

Additional info:

It seems in RHEL 7.2, systemctl daemon-reload was added via https://fedorahosted.org/pki/ticket/1255 / 7b1d897ba4cf9de1459d2aad37e969ce9a93a05a.

In general (already on RHEL 7.1), it seems strange that the post scriptlet which is only meant for upgrade scenarios is not limited to situations when rpm upgrade actually happened. The whole thing probably should be behind an [ $1 == 1 ] if.
Per discussions in the RHEL 7.3 Triage meeting of 01/06/2016: priority medium
Upstream ticket: https://fedorahosted.org/pki/ticket/1722
Christian pointed out that I probably wanted to say [ "$1" == "2" ] in comment 0.
Created attachment 1118549 [details] pki-core.spec
I was not able to test it in Docker so I couldn't reproduce the problem. Could you give it a try? Thanks.
(In reply to Endi Sukma Dewata from comment #7)
> I was not able to test it in Docker so I couldn't reproduce the problem.
> Could you give it a try? Thanks.

How did you try to reproduce it? Even plain

docker run -ti rhel7 yum install -y pki-server

produces

  Installing : velocity-1.7-10.el7.noarch 223/224
  Installing : pki-server-10.2.5-6.el7.noarch 224/224
Failed to get D-Bus connection: Operation not permitted
warning: %post(pki-server-10.2.5-6.el7.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package pki-server-10.2.5-6.el7.noarch
rhel-7-server-rpms/7Server/x86_64/productid | 1.7 kB 00:00:00
  Verifying : libXext-1.3.3-3.el7.x86_64 1/224
  Verifying : perl-HTTP-Tiny-0.033-3.el7.noarch 2/224
  Verifying : systemd-sysv-219-19.el7.x86_64 3/224

so the reproducer was fairly straightforward.
I have not used Docker before, so I'm not sure if this is an environment issue or there is a missing step. I followed this Docker setup instruction:

https://docs.docker.com/engine/installation/rhel/

Then I ran the steps to reproduce in the bug description:

# docker build -t freeipa-server .
Sending build context to Docker daemon 59.39 kB
Step 1 : FROM rhel7
 ---> 6c3a84d798dc
Step 2 : MAINTAINER Jan Pazdziora
 ---> Using cache
 ---> dc8e4818cb3f
Step 3 : RUN mkdir -p /run/lock ; yum install --disablerepo='*' --enablerepo=rhel-7-server-rpms -y ipa-server ipa-server-dns bind bind-dyndb-ldap perl 'perl(Time::HiRes)' && yum clean all
 ---> Running in 263d0e957f01
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Error getting repository data for rhel-7-server-rpms, repository not found
The command '/bin/sh -c mkdir -p /run/lock ; yum install --disablerepo='*' --enablerepo=rhel-7-server-rpms -y ipa-server ipa-server-dns bind bind-dyndb-ldap perl 'perl(Time::HiRes)' && yum clean all' returned a non-zero code: 1

I also tried the command in comment #8:

# docker run -ti rhel7 yum install -y pki-server
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
There are no enabled repos.
 Run "yum repolist all" to see the repos you have.
 You can enable repos with yum-config-manager --enable <repo>

If you have better step-by-step instructions on how to setup Docker properly please let me know. Thanks.
(In reply to Endi Sukma Dewata from comment #9)
> I have not used Docker before, so I'm not sure if this is an environment
>
> # docker run -ti rhel7 yum install -y pki-server
> Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
> This system is not registered to Red Hat Subscription Management. You can
> use subscription-manager to register.
> There are no enabled repos.
> Run "yum repolist all" to see the repos you have.
> You can enable repos with yum-config-manager --enable <repo>
>
> If you have better step-by-step instructions on how to setup Docker properly
> please let me know. Thanks.

You need to run it on RHEL system which is subscribed. The docker containers, both in build time and in run time, then inherit the entitlements.
Thanks for the info, but the system was already subscribed. Even after forcing it to resubscribe I still got the same error. I have tried this on 3 VM's and always got the same error. The hello-world example works though:

$ docker run hello-world
(In reply to Endi Sukma Dewata from comment #12)
> Thanks for the info, but the system was already subscribed. Even after
> forcing it to resubscribe I still got the same error. I have tried this on 3
> VM's and always got the same error. The hello-world example works though:
>
> $ docker run hello-world

Not sure what hello-world is or does but I suspect it does not install new packages so it does not need to be subscribed.

I suggest you contact Red Hat support about subscribed RHEL 7 system not providing the subscriptions to the docker containers (for build purposes) because that is something that really should be working.
Were you able to get the entitlements in docker build/docker run working, inheriting from the RHEL 7 host entitlements?
This will be investigated further in Dogtag 10.4 timeframe (i.e. RHEL 7.4).
Comment on attachment 1118549 [details] pki-core.spec

Can you show the .spec as patch?
Matt,

Please replace the "systemctl daemon-reload" line in the spec file with the following code as suggested in comment #5:

    # Reload systemd daemons on upgrade only
    if [ "$1" == "2" ]
    then
        systemctl daemon-reload
    fi

Thanks.
Checked into 'DOGTAG_10_4_RHEL_BRANCH': * ab164f2bf8b725a331efebdaea4fb8f9767fdc6f
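The scriptlet behaviour discussed in this report, as an added sketch that is not part of the thread or of the pki-core spec file. The `systemctl` function is a constructed stub that fails the way the container build did, the `post_*` function names are hypothetical, `post_tolerant` is an assumption that goes beyond the fix requested above, and `=` is used instead of `==` so the test also works in a plain POSIX sh.

```sh
#!/bin/sh
# Added illustration, not the pki-core spec file.
# rpm passes $1 to %post: 1 on first install, 2 on upgrade.

# Constructed stand-in for systemctl in a container build where no
# systemd/D-Bus is running: print the reported error and fail.
systemctl() {
    echo "Failed to get D-Bus connection: Operation not permitted" >&2
    return 1
}

# Scriptlet reduced to the one line the thread discusses.
post_unguarded() {
    systemctl daemon-reload
}

# Guard requested in the thread: reload on upgrade only.
post_guarded() {
    if [ "$1" = "2" ]; then
        systemctl daemon-reload
    fi
}

# Assumption, not from the thread: also tolerate a failed reload, so an
# upgrade inside a container does not log a scriptlet failure either.
post_tolerant() {
    if [ "$1" = "2" ]; then
        systemctl daemon-reload >/dev/null 2>&1 || :
    fi
}

# Run each body as rpm would for install ($1=1) and upgrade ($1=2).
for arg in 1 2; do
    for body in post_unguarded post_guarded post_tolerant; do
        rc=0
        ( "$body" "$arg" ) 2>/dev/null || rc=$?
        echo "$body \$1=$arg -> exit status $rc"
    done
done
```

With the stub in place, the guarded body succeeds on a fresh install but still fails when `$1` is 2, which is the case an in-container package upgrade would hit.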
Test Steps:
==========

1. Install docker.
2. Run the below mentioned command:

Step1 :
=====

docker run -ti rhel7 yum-config-manager --save --setopt=rhel-7-server-tus-rpms.skip_if_unavailable=true;yum install -y pki-server
Loaded plugins: ovl, product-id
Checksum type 'md5' disabled
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Repository RHDS10 is listed more than once in the configuration
Resolving Dependencies
--> Running transaction check
---> Package pki-server.noarch 0:10.4.1-3.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch          Version              Repository          Size
================================================================================
Installing:
 pki-server       noarch        10.4.1-3.el7         RHEL7.4             2.8 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 2.8 M
Installed size: 4.4 M
Downloading packages:
pki-server-10.4.1-3.el7.noarch.rpm | 2.8 MB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : pki-server-10.4.1-3.el7.noarch 1/1
  Verifying : pki-server-10.4.1-3.el7.noarch 1/1

Installed:
  pki-server.noarch 0:10.4.1-3.el7

Complete!

Step 2:
=======

rpm -qa pki-server
pki-server-10.4.1-3.el7.noarch

Step 3:
======

git clone https://github.com/freeipa/freeipa-container.git

In this step, we try to do docker build -t freeipa-server .
Results are posted in attachment "docker_out.txt"

Note : Jan, please have a look. Do you think any other test case also I need to cover.

Thanks
Geetika
Created attachment 1277544 [details] docker_out.txt
(In reply to Geetika Kapoor from comment #22)
>
> Note : Jan,please have a look.Do you think any other test case also i need
> to cover.

I think this is sufficient.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2110