Bug 1525238 - yum plugin for productid neglects to remove HTB product cert from /etc/pki/product/ because it is tagged as a provider of "rhel-7"
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Assignee: Jiri Hnidek
QA Contact: Red Hat subscription-manager QE Team
Reported: 2017-12-12 20:58 UTC by John Sefler
Modified: 2020-04-15 10:51 UTC (History)


Links
System ID Priority Status Summary Last Updated
Github candlepin subscription-manager pull 1768 'None' closed 1525238: Do not protect rhel prod. cert with special case 2020-04-15 10:24:55 UTC
Red Hat Bugzilla 1526622 'medium' 'CLOSED' 'the productid plugin should never delete a /etc/pki/product-default/<ID>.pem cert provided by the redhat-release-<VARIA... 2019-11-21 07:10:03 UTC

Internal Links: 1526622

Description John Sefler 2017-12-12 20:58:50 UTC
Description of problem:
Currently, there is logic in subscription-manager/productid.py that prevents the deletion of a product cert from /etc/pki/product/ whose tags identify it as a base os "rhel-\d+" product.  This was important to prevent the accidental deletion of the base product cert (as discussed in Bug 859197).  If the base os rhel product cert was programmatically removed, the system would no longer have access to entitled content from the CDN, which is bad.  However... with the introduction of a default RHEL product cert under /etc/pki/product-default/ (introduced by RFE Bug 1123029), the programmatic restriction to prevent the deletion of a base product cert from /etc/pki/product/ is no longer important.  In fact, today the High Touch Beta product cert 230 provides tags "rhel-7,rhel-7-server", which means that once a package from an enabled htb repo is installed, thereby installing cert 230 to /etc/pki/product/, subsequent removal of the same package would leave the system dirty with the HTB product cert.  As a result, the system will have both a /etc/pki/product-default/ cert and a /etc/pki/product/ cert that provide a "rhel-7" tag.  This will cause problems if the user has effectively removed all the HTB packages and wants to continue using RHEL functions like "subscription-manager release --list" and pin the system's CDN content access to a specific $releasever.


This bug is a proposal to augment these lines of code from subscription_manager/productid.py
2d23e49004 src/subscription_manager/productid.py (Adrian Likins      2014-01-31 12:25:28 -0500 662)             if rhel_matcher.is_rhel():
21450434fe src/subscription_manager/productid.py (Adrian Likins      2013-03-21 12:06:37 -0400 663)                 delete_product_cert = False

to add an AND condition to also check if no rhel product exists in /etc/pki/product-default/



Version-Release number of selected component (if applicable):
[root@hp-dl380pgen8-02-vm-15 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.0.43-1
subscription management rules: 5.26
subscription-manager: 1.20.7-1.el7


How reproducible:

Steps to Reproduce:
[root@hp-dl380pgen8-02-vm-15 ~]# ls /etc/pki/product*
/etc/pki/product:

/etc/pki/product-default:
69.pem
[root@hp-dl380pgen8-02-vm-15 ~]# 
[root@hp-dl380pgen8-02-vm-15 ~]# subscription-manager list --installed
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux Server
Product ID:     69
Version:        7.5 Beta
Arch:           x86_64
Status:         Unknown
Status Details: 
Starts:         
Ends:           

[root@hp-dl380pgen8-02-vm-15 ~]# 
[root@hp-dl380pgen8-02-vm-15 ~]# subscription-manager register --serverurl=subscription.rhsm.stage.redhat.com
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: qa@redhat.com
Password: 
The system has been registered with ID: 05aea383-7420-468c-95ae-acdf05c2c03a
The registered system name is: hp-dl380pgen8-02-vm-15.lab.bos.redhat.com
[root@hp-dl380pgen8-02-vm-15 ~]# 
[root@hp-dl380pgen8-02-vm-15 ~]# subscription-manager list --available --matches="*Server High Touch Beta*" --pool-only
8a85f9823e3d5e43013e3ddd4e2a0977
8a85f9823e3d5e43013e3ddd4e9509c4
[root@hp-dl380pgen8-02-vm-15 ~]# 
[root@hp-dl380pgen8-02-vm-15 ~]# subscription-manager attach --pool=8a85f9823e3d5e43013e3ddd4e2a0977
Successfully attached a subscription for: Employee SKU
[root@hp-dl380pgen8-02-vm-15 ~]# 
[root@hp-dl380pgen8-02-vm-15 ~]# subscription-manager release --list
+-------------------------------------------+
          Available Releases
+-------------------------------------------+
7.0
7.1
7.2
7.3
7.4
7Server
[root@hp-dl380pgen8-02-vm-15 ~]# 
[root@hp-dl380pgen8-02-vm-15 ~]# subscription-manager repos --list-enabled | grep htb
Repo ID:   rhel-7-server-htb-rpms
Repo URL:  https://cdn.redhat.com/content/htb/rhel/server/7/$basearch/os
Repo ID:   rhel-7-server-rt-htb-rpms
Repo URL:  https://cdn.redhat.com/content/htb/rhel/server/7/$basearch/rt/os
[root@hp-dl380pgen8-02-vm-15 ~]# 
[root@hp-dl380pgen8-02-vm-15 ~]# yum list available --disablerepo=* --enablerepo=rhel-7-server-htb-rpms | tail -1
zziplib.x86_64                    0.13.62-5.el7           rhel-7-server-htb-rpms
[root@hp-dl380pgen8-02-vm-15 ~]# 
[root@hp-dl380pgen8-02-vm-15 ~]# yum install -y --disablerepo=* --enablerepo=rhel-7-server-htb-rpms zziplib.x86_64
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package zziplib.x86_64 0:0.13.62-5.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================================
 Package       Arch         Version                Repository                    Size
======================================================================================
Installing:
 zziplib       x86_64       0.13.62-5.el7          rhel-7-server-htb-rpms        81 k

Transaction Summary
======================================================================================
Install  1 Package

Total download size: 81 k
Installed size: 211 k
Downloading packages:
zziplib-0.13.62-5.el7.x86_64.rpm                               |  81 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : zziplib-0.13.62-5.el7.x86_64                                       1/1 
  Verifying  : zziplib-0.13.62-5.el7.x86_64                                       1/1 

Installed:
  zziplib.x86_64 0:0.13.62-5.el7                                                      

Complete!
[root@hp-dl380pgen8-02-vm-15 ~]# 
[root@hp-dl380pgen8-02-vm-15 ~]# ls /etc/pki/product*
/etc/pki/product:
230.pem

/etc/pki/product-default:
69.pem
[root@hp-dl380pgen8-02-vm-15 ~]# 
[root@hp-dl380pgen8-02-vm-15 ~]# subscription-manager list --installed
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux Server
Product ID:     69
Version:        7.5 Beta
Arch:           x86_64
Status:         Subscribed
Status Details: 
Starts:         04/24/2013
Ends:           12/31/2021

Product Name:   Red Hat Enterprise Linux 7 Server High Touch Beta
Product ID:     230
Version:        7.4 HTB
Arch:           x86_64
Status:         Subscribed
Status Details: 
Starts:         04/24/2013
Ends:           12/31/2021

[root@hp-dl380pgen8-02-vm-15 ~]# 
[root@hp-dl380pgen8-02-vm-15 ~]# subscription-manager release --list
Error: More than one release product certificate installed. Certificate paths: /etc/pki/product/230.pem, /etc/pki/product-default/69.pem
[root@hp-dl380pgen8-02-vm-15 ~]# 


AT THIS POINT WE HAVE SUCCESSFULLY INSTALLED A NEW PACKAGE FROM A HTB REPO WHICH CAUSED THE INSTALLATION OF HTB PRODUCT CERT 230 TO /etc/pki/product/.  AS A CONSEQUENCE, WE NOW HAVE TWO "rhel" PRODUCT CERTS INSTALLED WHICH BLOCKS THE ABILITY TO LIST/SET A RHEL RELEASE.  THIS MAY BE ACCEPTABLE.  HOWEVER....

[root@hp-dl380pgen8-02-vm-15 ~]# yum remove -y --disablerepo=* --enablerepo=rhel-7-server-htb-rpms zziplib.x86_64
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package zziplib.x86_64 0:0.13.62-5.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================================
 Package       Arch         Version               Repository                     Size
======================================================================================
Removing:
 zziplib       x86_64       0.13.62-5.el7         @rhel-7-server-htb-rpms       211 k

Transaction Summary
======================================================================================
Remove  1 Package

Installed size: 211 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : zziplib-0.13.62-5.el7.x86_64                                       1/1 
  Verifying  : zziplib-0.13.62-5.el7.x86_64                                       1/1 

Removed:
  zziplib.x86_64 0:0.13.62-5.el7                                                      

Complete!
[root@hp-dl380pgen8-02-vm-15 ~]# 
[root@hp-dl380pgen8-02-vm-15 ~]# subscription-manager list --installed
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux Server
Product ID:     69
Version:        7.5 Beta
Arch:           x86_64
Status:         Subscribed
Status Details: 
Starts:         04/24/2013
Ends:           12/31/2021

Product Name:   Red Hat Enterprise Linux 7 Server High Touch Beta
Product ID:     230
Version:        7.4 HTB
Arch:           x86_64
Status:         Subscribed
Status Details: 
Starts:         04/24/2013
Ends:           12/31/2021

[root@hp-dl380pgen8-02-vm-15 ~]# 
[root@hp-dl380pgen8-02-vm-15 ~]# subscription-manager release --list
Error: More than one release product certificate installed. Certificate paths: /etc/pki/product/230.pem, /etc/pki/product-default/69.pem
[root@hp-dl380pgen8-02-vm-15 ~]# 

AFTER SUCCESSFULLY REMOVING THE ONLY PACKAGE ON THE SYSTEM FROM rhel-7-server-htb-rpms, THE PRODUCTID 230 REMAINS ON THE SYSTEM.  NORMALLY WE WOULD EXPECT THE PRODUCT CERT TO BE REMOVED WHEN THERE ARE NO LONGER ANY PACKAGES INSTALLED FROM THAT REPO.

/var/log/rhsm/rhsm.log shows...
2017-12-12 15:48:44,514 [DEBUG] yum:617:MainThread @productid.py:640 - Checking for product certs to remove. Active include: set(['rhel-7-server-htb-rpms'])
2017-12-12 15:48:44,517 [DEBUG] yum:617:MainThread @productid.py:686 - rhel-7-server-htb-rpms is an active repo. Not deleting product cert 230
2017-12-12 15:48:44,517 [WARNING] yum:617:MainThread @productid.py:692 - rhel-7-server-rpms is disabled via yum cmdline. Not deleting product cert 69

Additional Info:
[root@hp-dl380pgen8-02-vm-15 ~]# rct cat-cert /etc/pki/product/230.pem | grep -A5 Product:
Product:
	ID: 230
	Name: Red Hat Enterprise Linux 7 Server High Touch Beta
	Version: 7.4 HTB
	Arch: x86_64
	Tags: rhel-7,rhel-7-server

Comment 8 Shwetha Kallesh 2020-04-15 10:51:32 UTC
Verification:

[root@hpe-dl380pgen8-02-vm-4 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.9.21-1
subscription management rules: 5.37
subscription-manager: 1.24.32


[root@hpe-dl380pgen8-02-vm-4 ~]# subscription-manager register --serverurl subscription.rhsm.stage.redhat.com --username qa@redhat.com --password redhatqa --auto-attach --force
Unregistering from: subscription.rhsm.stage.redhat.com:443/subscription
The system with UUID 8526093d-4cf0-4f35-85d4-6255886a4bb6 has been unregistered
All local data removed
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
The system has been registered with ID: 1634f5cc-1f30-4668-aa3d-c2ca25345717
The registered system name is: hpe-dl380pgen8-02-vm-4.hpe2.lab.eng.bos.redhat.com
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status:       Subscribed

[root@hpe-dl380pgen8-02-vm-4 ~]# subscription-manager list --available --matches="*Server High Touch Beta*" --pool-only
[root@hpe-dl380pgen8-02-vm-4 ~]# subscription-manager list --available --matches="*High Touch Beta*" --pool-only
8a85f99a6cbfea02016d20db58cd16e0
[root@hpe-dl380pgen8-02-vm-4 ~]# subscription-manager attach --pool=8a85f99a6cbfea02016d20db58cd16e0
Successfully attached a subscription for: Red Hat Enterprise Linux High Touch Beta
[root@hpe-dl380pgen8-02-vm-4 ~]# subscription-manager release --list
+-------------------------------------------+
          Available Releases
+-------------------------------------------+
7.0
7.1
7.2
7.3
7.4
7.5
7.6
7.7
7.8
7Server
[root@hpe-dl380pgen8-02-vm-4 ~]# subscription-manager repos --list-enabled | grep htb
Repo ID:   rhel-7-server-htb-rpms
Repo URL:  https://cdn.redhat.com/content/htb/rhel/server/7/$basearch/os


[root@hpe-dl380pgen8-02-vm-4 ~]# yum list available --disablerepo=* --enablerepo=rhel-7-server-htb-rpms | tail -1
zziplib.x86_64                    0.13.62-5.el7           rhel-7-server-htb-rpms
[root@hpe-dl380pgen8-02-vm-4 ~]# yum install -y --disablerepo=* --enablerepo=rhel-7-server-htb-rpms zziplib.x86_64
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package zziplib.x86_64 0:0.13.62-5.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================================================================================================================================
 Package                                             Arch                                               Version                                                      Repository                                                          Size
==============================================================================================================================================================================================================================================
Installing:
 zziplib                                             x86_64                                             0.13.62-5.el7                                                rhel-7-server-htb-rpms                                              81 k

Transaction Summary
==============================================================================================================================================================================================================================================
Install  1 Package

Total download size: 81 k
Installed size: 211 k
Downloading packages:
warning: /var/cache/yum/x86_64/7Server/rhel-7-server-htb-rpms/packages/zziplib-0.13.62-5.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY                                             ]  0.0 B/s |    0 B  --:--:-- ETA 
Public key for zziplib-0.13.62-5.el7.x86_64.rpm is not installed
zziplib-0.13.62-5.el7.x86_64.rpm                                                                                                                                                                                       |  81 kB  00:00:01     
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta
Importing GPG key 0xF21541EB:
 Userid     : "Red Hat, Inc. (beta key 2) <security@redhat.com>"
 Fingerprint: b08b 659e e86a f623 bc90 e8db 938a 80ca f215 41eb
 Package    : redhat-release-server-7.9-0.el7.x86_64 (@beaker-Server/7.9)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta
Importing GPG key 0x897DA07A:
 Userid     : "Red Hat, Inc. (Beta Test Software) <rawhide@redhat.com>"
 Fingerprint: 17e8 543d 1d4a a5fa a96a 7e9f fd37 2689 897d a07a
 Package    : redhat-release-server-7.9-0.el7.x86_64 (@beaker-Server/7.9)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0xFD431D51:
 Userid     : "Red Hat, Inc. (release key 2) <security@redhat.com>"
 Fingerprint: 567e 347a d004 4ade 55ba 8a5f 199e 2f91 fd43 1d51
 Package    : redhat-release-server-7.9-0.el7.x86_64 (@beaker-Server/7.9)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0x2FA658E0:
 Userid     : "Red Hat, Inc. (auxiliary key) <security@redhat.com>"
 Fingerprint: 43a6 e49c 4a38 f4be 9abf 2a53 4568 9c88 2fa6 58e0
 Package    : redhat-release-server-7.9-0.el7.x86_64 (@beaker-Server/7.9)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : zziplib-0.13.62-5.el7.x86_64                                                                                                                                                                                               1/1 
  Verifying  : zziplib-0.13.62-5.el7.x86_64                                                                                                                                                                                               1/1 
rhel-7-server-htb-rpms/x86_64/productid                                                                                                                                                                                | 2.1 kB  00:00:00     

Installed:
  zziplib.x86_64 0:0.13.62-5.el7                                                                                                                                                                                                              

Complete!
[root@hpe-dl380pgen8-02-vm-4 ~]# ls /etc/pki/product*
/etc/pki/product:
230.pem

/etc/pki/product-default:
69.pem

[root@hpe-dl380pgen8-02-vm-4 ~]# rct cc /etc/pki/product/230.pem 

+-------------------------------------------+
	Product Certificate
+-------------------------------------------+

Certificate:
	Path: /etc/pki/product/230.pem
	Version: 1.0
	Serial: 12750047592154751154
	Start Date: 2018-02-07 19:16:01+00:00
	End Date: 2038-02-02 19:16:01+00:00

Subject:
	CN: Red Hat Product ID [609b7e0d-2c57-4030-be19-9a50e52564dd]

Issuer:
	C: US
	CN: Red Hat Entitlement Product Authority
	O: Red Hat, Inc.
	OU: Red Hat Network
	ST: North Carolina
	emailAddress: ca-support@redhat.com

Product:
	ID: 230
	Name: Red Hat Enterprise Linux 7 Server High Touch Beta
	Version: 7.5 HTB
	Arch: x86_64
	Tags: rhel-7-htb,rhel-7-server
              ^^ tagged as a provider of "rhel-7-htb" now
	Brand Type: 
	Brand Name: 


[root@hpe-dl380pgen8-02-vm-4 ~]# subscription-manager list --installed
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux 7 Server High Touch Beta
Product ID:     230
Version:        7.5 HTB
Arch:           x86_64
Status:         Subscribed
Status Details: 
Starts:         04/24/2013
Ends:           12/31/2021

Product Name:   Red Hat Enterprise Linux Server
Product ID:     69
Version:        7.9 Beta
Arch:           x86_64
Status:         Subscribed
Status Details: 
Starts:         04/24/2013
Ends:           12/31/2021

[root@hpe-dl380pgen8-02-vm-4 ~]# yum remove -y --disablerepo=* --enablerepo=rhel-7-server-htb-rpms zziplib.x86_64
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package zziplib.x86_64 0:0.13.62-5.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================================================================================================================================
 Package                                             Arch                                               Version                                                     Repository                                                           Size
==============================================================================================================================================================================================================================================
Removing:
 zziplib                                             x86_64                                             0.13.62-5.el7                                               @rhel-7-server-htb-rpms                                             211 k

Transaction Summary
==============================================================================================================================================================================================================================================
Remove  1 Package

Installed size: 211 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : zziplib-0.13.62-5.el7.x86_64                                                                                                                                                                                               1/1 
  Verifying  : zziplib-0.13.62-5.el7.x86_64                                                                                                                                                                                               1/1 

Removed:
  zziplib.x86_64 0:0.13.62-5.el7                                                                                                                                                                                                              

Complete!
[root@hpe-dl380pgen8-02-vm-4 ~]# ls /etc/pki/product*
/etc/pki/product:

^^ 230.pem got removed

/etc/pki/product-default:
69.pem
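
The guard discussed in the description and the retagged cert shown in Comment 8, modelled as an added example (not part of the original report, and not subscription-manager's own code). It assumes a tag counts as a base-OS provider only when the whole tag matches "rhel-\d+"; the function names are hypothetical and the tag set for 69.pem is constructed from the description's statement that it provides "rhel-7".

```python
import re

# Assumption: a tag counts as a base-OS provider only when the whole tag
# matches "rhel-\d+" (the pattern quoted in the report).
RHEL_TAG = re.compile(r"rhel-\d+")


def parse_tags(rct_output):
    """Extract the tag set from the 'Tags:' line of `rct cat-cert` output."""
    for line in rct_output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "Tags":
            return {t.strip() for t in value.split(",") if t.strip()}
    return set()


def is_rhel(tags):
    """True when any tag in the set is a base-OS tag such as 'rhel-7'."""
    return any(RHEL_TAG.fullmatch(tag) for tag in tags)


def protected_current(cert_tags):
    """Guard as described: any rhel-tagged cert in /etc/pki/product is kept."""
    return is_rhel(cert_tags)


def protected_proposed(cert_tags, default_certs):
    """Proposed guard: keep the cert only if product-default has no rhel cert."""
    default_has_rhel = any(is_rhel(t) for t in default_certs.values())
    return is_rhel(cert_tags) and not default_has_rhel


def release_providers(*cert_dirs):
    """Paths of all certs providing a rhel-N tag. More than one is the
    condition that `subscription-manager release --list` rejects above."""
    return sorted(p for d in cert_dirs for p, tags in d.items() if is_rhel(tags))


# Tags lines as printed on this page for cert 230, before and after retagging.
OLD_230 = "Product:\n\tID: 230\n\tTags: rhel-7,rhel-7-server\n"
NEW_230 = "Product:\n\tID: 230\n\tTags: rhel-7-htb,rhel-7-server\n"
# Constructed: the page says 69.pem provides "rhel-7" but never prints its tags.
DEFAULT = {"/etc/pki/product-default/69.pem": {"rhel-7"}}

if __name__ == "__main__":
    for label, text in (("old tags", OLD_230), ("new tags", NEW_230)):
        tags = parse_tags(text)
        product = {"/etc/pki/product/230.pem": tags}
        print(label, sorted(tags))
        print("  current guard keeps cert: ", protected_current(tags))
        print("  proposed guard keeps cert:", protected_proposed(tags, DEFAULT))
        print("  release providers:", release_providers(product, DEFAULT))
```
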

