Bug 1303103 - [RFE] Allow ISO repositories to be added to a content view and published/distributed
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Content Views
Version: 6.1.6
Hardware: Unspecified
OS: Unspecified
high vote
Target Milestone: Unspecified
Assignee: Eric Helms
QA Contact: Sachin Ghai
URL: http://projects.theforeman.org/issues...
Duplicates: 1480358
Depends On:
Blocks: 1321771
Reported: 2016-01-29 14:56 UTC by Brad Buckingham
Modified: 2020-09-10 09:31 UTC (History)

Fixed In Version: katello-installer-base-,tfm-rubygem-runcible-,tfm-rubygem-katello-
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2018-02-21 12:33:41 UTC
Target Upstream Version:

Attachments
UI shows 49 files in CV (22.77 KB, image/png), 2017-12-08 12:06 UTC, Sachin Ghai
updated CV with RHEL 7Server iso and it includes 49 files. (36.29 KB, image/png), 2017-12-08 12:07 UTC, Sachin Ghai

System ID Priority Status Summary Last Updated
Foreman Issue Tracker 13661 Normal Closed Allow adding file type repositories to content views 2020-09-07 12:51:12 UTC
Foreman Issue Tracker 22446 Normal Closed ISO repositories not published to correct path 2020-09-07 12:51:12 UTC
Red Hat Knowledge Base (Solution) 3428461 None None None 2018-04-30 16:59:04 UTC
Red Hat Product Errata RHSA-2018:0336 normal SHIPPED_LIVE Important: Satellite 6.3 security, bug fix, and enhancement update 2018-02-21 22:43:42 UTC

Description Brad Buckingham 2016-01-29 14:56:01 UTC
Description of problem:

Today, when an ISO repository is synced to a Satellite 6 server, the content of the repository is not distributed to Capsules that have requested updates for Library.

The lack of this capability causes issues for users with systems that only have access to the capsule, but also need access to ISOs.

Version-Release number of selected component (if applicable):

Satellite 6.1.6

How reproducible:


Steps to Reproduce:
1. Install Satellite and 1 Capsule
2. Configure the Capsule to get content from Library
3. Enable a Red Hat ISO repository (e.g. Red Hat Enterprise Linux 7 Server (ISOs))
4. Sync the repository
5. Create a content view
6. Attempt to add an ISO repository to the content view

Actual results:

ISO repositories are not listed for adding/removing to content views.

Expected results:

ISO repositories should be listed for adding/removing to content views.

Additional info:

As part of this, we need to ensure that those repositories are also published and promoted as part of the content view.  In addition, if there is a capsule associated with the target lifecycle environment, the content should be synced to that capsule.

Comment 2 Michael Hrivnak 2016-01-31 18:29:44 UTC
Nope, I think everything you need is already available. But an early review from someone on katello would be a good idea to make sure they agree.

Comment 6 Bryan Kearney 2016-03-30 16:05:51 UTC
Upstream bug component is Content Views

Comment 10 Bryan Kearney 2016-08-08 02:11:37 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/13661 has been closed

Comment 13 Sachin Ghai 2017-12-08 12:06:21 UTC
Tested with satellite6.3 snap27.

I can add synced RHEL ISOs to CV and publish as well as promote them to next environment. Please see the attached screenshots.

Comment 14 Sachin Ghai 2017-12-08 12:06:55 UTC
Created attachment 1364812
UI shows 49 files in CV

Comment 15 Sachin Ghai 2017-12-08 12:07:47 UTC
Created attachment 1364813
updated CV with RHEL 7Server iso and it includes 49 files.

Comment 16 Sachin Ghai 2017-12-08 13:55:01 UTC
ISO files are not being synced to capsule. Earlier, I selected the on_demand download policy for capsule and later I changed to "Immediate" but still no luck.

There are 49 ISO files that I synced and published. However, none of them was synced to capsule. 

@Eric: Is there anything specific I need to do to sync ISO files to capsule?

Comment 17 Evgeni Golov 2017-12-08 14:17:28 UTC
As Eric is out today, I had a quick look at the setup.

First observation was that Satellite thinks the Capsule never synced, which in a way is true, as each Sync Job has failed.

example of a failed job: https://cloud-qe-14.idmqe.lab.eng.bos.redhat.com/foreman_tasks/tasks/0b399f7c-5395-4288-9665-579f73c14c32
PLP0000: Importer indicated a failed response

looking into dynflow: https://cloud-qe-14.idmqe.lab.eng.bos.redhat.com/foreman_tasks/dynflow/f6a45e70-ac19-44f8-b65e-09bcca24bb7e
"Actions::Pulp::Consumer::SyncCapsule" is skipped as it contains a traceback:

capsule_id: 2
repo_pulp_id: 1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2
  remove_missing: false
remote_user: admin
remote_cp_user: admin

- exception: 
  task_type: pulp.server.managers.repo.sync.sync
  _href: "/pulp/api/v2/tasks/0cbc8638-54d9-435c-a32f-fa8e30ebdfae/"
  task_id: 0cbc8638-54d9-435c-a32f-fa8e30ebdfae
  - pulp:repository:1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2
  - pulp:action:sync
  finish_time: '2017-12-08T12:10:16Z'
  _ns: task_status
  start_time: '2017-12-08T12:10:15Z'
  traceback: |
    Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 240, in trace_task
        R = retval = fun(*args, **kwargs)
      File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 527, in __call__
        return super(Task, self).__call__(*args, **kwargs)
      File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 107, in __call__
        return super(PulpTask, self).__call__(*args, **kwargs)
      File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 438, in __protected_call__
        return self.run(*args, **kwargs)
      File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 827, in sync
        raise pulp_exceptions.PulpExecutionException(_('Importer indicated a failed response'))
    PulpExecutionException: Importer indicated a failed response
  spawned_tasks: []
        response_code: 403
        response_msg: Forbidden
      finished_bytes: 0
      state: manifest_failed
        not_started: '2017-12-08T12:10:15'
        manifest_in_progress: '2017-12-08T12:10:15'
        manifest_failed: '2017-12-08T12:10:15'
      num_isos_finished: 0
      iso_error_messages: []
  queue: reserved_resource_worker-0@cloud-qe-06.idmqe.lab.eng.bos.redhat.com.dq
  state: error
  worker_name: reserved_resource_worker-0@cloud-qe-06.idmqe.lab.eng.bos.redhat.com
    code: PLP0000
    data: {}
    description: Importer indicated a failed response
    sub_errors: []
    "$oid": 5a2a8127266e6d3221798d1c
  id: 5a2a8127266e6d3221798d1c
  total: 1
  failed: 1

the interesting part of that is:
        response_code: 403
        response_msg: Forbidden
      state: manifest_failed

the systemd journal on the capsule contains (as expected):
Dec 08 05:57:39 cloud-qe-06.idmqe.lab.eng.bos.redhat.com pulp[1834]: nectar.downloaders.threaded:INFO: Download failed: Download of https://cloud-qe-14.idmqe.lab.eng.bos.redhat.com/pulp/isos/1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2/PULP_MANIFEST failed with code 403: Forbidden
Dec 08 05:57:39 cloud-qe-06.idmqe.lab.eng.bos.redhat.com pulp[1834]: pulp_rpm.plugins.importers.iso.sync:ERROR: Failed to download https://cloud-qe-14.idmqe.lab.eng.bos.redhat.com/pulp/isos/1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2/PULP_MANIFEST: Forbidden.

and on the satellite the httpd log contains:
[Fri Dec 08 05:57:39.876851 2017] [:error] [pid 29888] [client] Request denied to destination [/pulp/isos/1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2/PULP_MANIFEST]Client certificate failed extension check for destination: /pulp/isos/1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2/PULP_MANIFEST
[Fri Dec 08 05:57:39.876874 2017] [:error] [pid 29888] [client] mod_wsgi (pid=29888): Client denied by server configuration: '/var/www/pub/https/isos/1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2/PULP_MANIFEST'.
[Fri Dec 08 06:27:22.452082 2017] [:error] [pid 10376] [client] Request denied to destination [/pulp/isos/1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2/PULP_MANIFEST]Client certificate failed extension check for destination: /pulp/isos/1-cv_rhel73-Dev-f0a46c4b-9b33-4d2b-a126-eda4a8bb5fd2/PULP_MANIFEST

I am not sure what is happening here, so leaving the NI on Eric. Hope my debugging helps :)
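
Added example, not part of Comment 17 and not Satellite or Pulp code: a small triage script that correlates the capsule journal's failed downloads with the Satellite httpd "extension check" denials, so a 403 caused by client-certificate authorization can be told apart from other download failures. The log lines are constructed samples modelled on the formats quoted above; hostnames and repository ids are made up.

```python
import re

# Constructed capsule journal lines (format as quoted in the comment above).
CAPSULE_JOURNAL = """\
Dec 08 05:57:39 capsule.example.com pulp[1834]: nectar.downloaders.threaded:INFO: Download failed: Download of https://satellite.example.com/pulp/isos/1-cv_demo-Dev-00000000-0000-0000-0000-000000000001/PULP_MANIFEST failed with code 403: Forbidden
Dec 08 05:58:02 capsule.example.com pulp[1834]: nectar.downloaders.threaded:INFO: Download failed: Download of https://satellite.example.com/pulp/isos/1-cv_demo-Dev-00000000-0000-0000-0000-000000000002/PULP_MANIFEST failed with code 404: Not Found
"""

# Constructed Satellite httpd error_log line (format as quoted in the comment above).
SATELLITE_HTTPD = """\
[Fri Dec 08 05:57:39.876851 2017] [:error] [pid 29888] [client] Request denied to destination [/pulp/isos/1-cv_demo-Dev-00000000-0000-0000-0000-000000000001/PULP_MANIFEST]Client certificate failed extension check for destination: /pulp/isos/1-cv_demo-Dev-00000000-0000-0000-0000-000000000001/PULP_MANIFEST
"""

# URL path and HTTP status of each failed download reported by the capsule.
DOWNLOAD_RE = re.compile(
    r"Download of https?://[^/\s]+(?P<path>/\S+) failed with code (?P<code>\d{3})")
# Destination path of each request the Satellite refused on certificate grounds.
DENIED_RE = re.compile(
    r"Client certificate failed extension check for destination: (?P<path>/\S+)")


def triage(capsule_log, httpd_log):
    """Return (path, status, cause) for every failed capsule download."""
    denied = {m.group("path") for m in DENIED_RE.finditer(httpd_log)}
    findings = []
    for m in DOWNLOAD_RE.finditer(capsule_log):
        path, code = m.group("path"), int(m.group("code"))
        if code == 403 and path in denied:
            cause = "client certificate extension check"
        elif code == 403:
            cause = "403 without a matching extension-check denial"
        else:
            cause = "not an authorization failure"
        findings.append((path, code, cause))
    return findings


if __name__ == "__main__":
    for path, code, cause in triage(CAPSULE_JOURNAL, SATELLITE_HTTPD):
        print(code, cause, path)
```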

Comment 18 Eric Helms 2017-12-21 15:32:58 UTC
From my investigation, I tested the certs the importer is configured with and was able to curl that Forbidden file with them just fine. So I am not currently sure what is happening when the actual sync operation occurs and will have to dig further.

Comment 20 Eric Helms 2018-01-25 16:39:45 UTC
*** Bug 1480358 has been marked as a duplicate of this bug. ***

Comment 21 Stephen Benjamin 2018-01-25 17:53:40 UTC
Testing on upstream, but get the same results.  I don't think the certificate the capsule is getting is configured correctly. Using the certificate in the database, I am not able to retrieve a file from the repo:

[root@centos7-foreman-proxy-3-5 ~]# curl --cert /root/cert.crt --key /root/key.crt https://centos7-katello-3-5.zpm.example.com/pulp/isos/901986be-6f88-4903-930a-2b90dc9bea96/PULP_MANIFEST
<title>403 Forbidden</title>
<p>You don't have permission to access /pulp/isos/901986be-6f88-4903-930a-2b90dc9bea96/PULP_MANIFEST
on this server.</p>

HTTP logs show:

[Thu Jan 25 17:43:02.353200 2018] [:error] [pid 11693] [client] Request denied to destination [/pulp/isos/901986be-6f88-4903-930a-2b90dc9bea96/PULP_MANIFEST]Client certificate failed extension check for destination: /pulp/isos/901986be-6f88-4903-930a-2b90dc9bea96/PULP_MANIFEST

Pulp's OID validator seems to be doing some kind of check that determines if the certificate has access to /pulp/isos: /usr/lib/python2.7/site-packages/pulp/oid_validation/oid_validation.py

I'm not sure how to decode the extensions exactly:

[root@centos7-foreman-proxy-3-5 ~]# openssl x509 -in cert.crt -text -noout
        Version: 3 (0x2)
        Serial Number: 2032182190564053392 (0x1c33c2ef73721190)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=centos7-katello-3-5.zpm.example.com
            Not Before: Jan 24 15:32:10 2018 GMT
            Not After : Dec  1 13:00:00 2049 GMT
        Subject: O=Default_Organization
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                SSL Client, S/MIME
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Authority Key Identifier: 
                DirName:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=centos7-katello-3-5.zpm.example.com

            X509v3 Subject Key Identifier: 
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
ueber_content   .
1516807930959   .

But rhsm seems to confirm the certificate has no rights to this file:

>>> from rhsm import certificate
>>> cert = certificate.create_from_file("/root/cert.crt")
>>> cert.check_path("/pulp/isos/901986be-6f88-4903-930a-2b90dc9bea96/PULP_MANIFEST")
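
Added example, not part of Comment 21 and not rhsm's or Pulp's code: a simplified model of the kind of check being probed above, where a request path is authorized only if it falls under a content URL carried in the client certificate, with `$variable` segments matching any single path segment. The entitled URL template, the serving prefixes that get stripped, and the second request path are constructed assumptions; the first request path is the one from the curl command above.

```python
import re

# Assumption: prefixes the web server strips before comparing against the certificate.
SERVING_PREFIXES = ("/pulp/repos", "/pulp/isos")

# Assumption: a constructed entitled content URL for an organization-wide certificate.
ENTITLED_URLS = ["/Default_Organization/$env"]


def template_to_regex(template):
    """Compile an entitled URL into a prefix regex.

    A segment starting with '$' matches exactly one path segment; the trailing
    (/|$) stops 'Default_Organization' from matching 'Default_Organization_x'.
    """
    parts = [r"[^/]+" if seg.startswith("$") else re.escape(seg)
             for seg in template.strip("/").split("/")]
    return re.compile("/".join(parts) + r"(/|$)")


def strip_serving_prefix(request_path):
    """Drop the serving prefix so only the repository-relative path is checked."""
    for prefix in SERVING_PREFIXES:
        if request_path.startswith(prefix + "/"):
            return request_path[len(prefix):]
    return request_path


def check_path(entitled_urls, request_path):
    """True if the request path falls under any entitled URL template."""
    dest = strip_serving_prefix(request_path).strip("/")
    return any(template_to_regex(url).match(dest) for url in entitled_urls)


# Path from the curl command in the comment above: published under a bare repository id.
ID_PATH = "/pulp/isos/901986be-6f88-4903-930a-2b90dc9bea96/PULP_MANIFEST"
# Constructed path under the organization prefix, for contrast (hypothetical layout).
ORG_PATH = "/pulp/isos/Default_Organization/Dev/cv_demo/isos/PULP_MANIFEST"

if __name__ == "__main__":
    for path in (ID_PATH, ORG_PATH):
        print("allowed" if check_path(ENTITLED_URLS, path) else "denied", path)
```

Under this model the id-based path is denied because nothing in it matches the organization-scoped template, while a path published under the organization prefix is allowed.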

Comment 23 pm-sat@redhat.com 2018-01-25 19:28:24 UTC
Upstream bug assigned to ehelms@redhat.com

Comment 24 pm-sat@redhat.com 2018-01-26 01:07:37 UTC
Upstream bug assigned to ehelms@redhat.com

Comment 25 Stephen Benjamin 2018-01-29 15:47:34 UTC
Created redmine issue http://projects.theforeman.org/issues/22446 from this bug

Comment 29 Sachin Ghai 2018-02-04 10:33:56 UTC
Verified with sat6.3 snap35

[root@cloud-qe-17 ~]# hammer -u admin -p changeme capsule content synchronize --id=2
[.......................                                                                                                                                                                                    ] [11%]
[..........................................................................................................................................................................................................] [100%]
[root@cloud-qe-17 ~]# 

I can sync iso repos to capsule by publishing through CV.

synced isos from capsule.


Comment 32 errata-xmlrpc 2018-02-21 12:33:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

