Hide Forgot
Description of problem: In the scenario demonstrated below, you will see that the product cert provided by the redhat-release package for a RHEL-ALT beta compose is actually deleted by the productid yum plugin. In the scenario you will see that the beta eng product 363 for RHEL-ALT-7.5 is deleted while eng product 419 from the current released content for RHEL-ALT-7.4 is added as a result of yum installing a single package from the CDN. This behavior is not desirable... We should NOT be deleting the /etc/pki/product-default/363.pem cert. This bug is a proposal to alter the productid plugin logic to protect the removal of any product cert that has been provided by a package. For example: since /etc/pki/product-default/363.pem is provided by redhat-release-server-7.5-1.el7a.aarch64, it should never be deleted. In the offending scenario below, the proper behavior would be for both eng products 363 and 419 to be installed following the yum install of a sample package. It is also worth noting that the beta eng product 363 lacks a tag matching regex "rhel-\d+" that currently makes it susceptible from deletion. One could suggest that RCM add an additional tag to the beta product cert to protect it from deletion by the productid plugin. However this is a bad idea in light of the proposal in Bug 1525238 which suggests to relinquish the protection of "rhel-#" tagged product certs from deletion. The smarter logic for the productid plugin would be to protect product certs that are provided by an installed package (e.g. the one(s) in /etc/pki/product-default/ provided by redhat-release). Version-Release number of selected component (if applicable): [root@hp-moonshot-03-c08 ~]# rpm -q subscription-manager subscription-manager-1.20.8-1.el7.aarch64 How reproducible: Steps to Reproduce: Starting with a RHEL-ALT-7.5 aarch64 compose registered to an account with access to SKU RH00783... [root@hp-moonshot-03-c08 ~]# subscription-manager list --available --matches=RH00783 --pool-only 8a99f9835f8d43be015f92861a997437 [root@hp-moonshot-03-c08 ~]# subscription-manager attach --pool=8a99f9835f8d43be015f92861a997437 Successfully attached a subscription for: Red Hat Enterprise Linux Server for ARM, Standard (Physical Node, L3 Only) [root@hp-moonshot-03-c08 ~]# subscription-manager list --installed +-------------------------------------------+ Installed Product Status +-------------------------------------------+ Product Name: Red Hat Enterprise Linux for ARM 64 Beta Product ID: 363 Version: 7.5 Beta Arch: aarch64 Status: Subscribed Status Details: Starts: 09/20/2017 Ends: 09/19/2018 [root@hp-moonshot-03-c08 ~]# ls /etc/pki/product* /etc/pki/product: /etc/pki/product-default: 363.pem [root@hp-moonshot-03-c08 ~]# cat /var/lib/rhsm/productid.js { "363": [ "beaker-Server" ] } [root@hp-moonshot-03-c08 ~]# rpm -q --whatprovides /etc/pki/product-default/363.pem redhat-release-server-7.5-1.el7a.aarch64 [root@hp-moonshot-03-c08 ~]# yum repolist --disablerepo=beaker* Loaded plugins: product-id, search-disabled-repos, subscription-manager repo id repo name status rhel-7-for-arm-64-beta-rpms/aarch64 Red Hat Enterprise Linux 7 for ARM Beta (RPMs) 0 rhel-7-for-arm-64-rpms/7Server/aarch64 Red Hat Enterprise Linux 7 for ARM (RPMs) 3,767 repolist: 3,767 [root@hp-moonshot-03-c08 ~]# yum list available --disablerepo=beaker* | tail -1 zziplib.aarch64 0.13.62-5.el7 rhel-7-for-arm-64-rpms [root@hp-moonshot-03-c08 ~]# yum install zziplib.aarch64 --disablerepo=beaker* --quiet ================================================================================================ Package Arch Version Repository Size ================================================================================================ Installing: zziplib aarch64 0.13.62-5.el7 rhel-7-for-arm-64-rpms 81 k Transaction Summary ================================================================================================ Install 1 Package Is this ok [y/d/N]: y [root@hp-moonshot-03-c08 ~]# ls /etc/pki/product* /etc/pki/product: 419.pem /etc/pki/product-default: [root@hp-moonshot-03-c08 ~]# cat /var/lib/rhsm/productid.js { "419": [ "rhel-7-for-arm-64-rpms" ] } [root@hp-moonshot-03-c08 ~]# subscription-manager list --installed +-------------------------------------------+ Installed Product Status +-------------------------------------------+ Product Name: Red Hat Enterprise Linux for ARM 64 Product ID: 419 Version: 7.4 Arch: aarch64 Status: Subscribed Status Details: Starts: 11/06/2017 Ends: 11/05/2018 Actual results: BANG! All traces of the prior installed beta product 363 are now gone. As a result of installing one package from the current CDN repo rhel-7-for-arm-64-rpms, eng product 419 was installed and the default eng id 363 was removed. Expected results: Both the default product cert 363 should be installed together with the new product cert 419 from the entitled repo. Additional info: [root@hp-moonshot-03-c08 ~]# tail -f /var/log/rhsm/rhsm.log 2017-12-15 16:11:57,743 [WARNING] yum:16910:MainThread @logutil.py:141 - logging already initialized 2017-12-15 16:11:57,751 [DEBUG] yum:16910:MainThread @plugins.py:569 - loaded plugin modules: [<module 'container_content' from '/usr/share/rhsm-plugins/container_content.pyc'>, <module 'ostree_content' from '/usr/share/rhsm-plugins/ostree_content.pyc'>] 2017-12-15 16:11:57,751 [DEBUG] yum:16910:MainThread @plugins.py:570 - loaded plugins: {'container_content.ContainerContentPlugin': <container_content.ContainerContentPlugin object at 0xffffa35ccf90>, 'ostree_content.OstreeContentPlugin': <ostree_content.OstreeContentPlugin object at 0xffffa35d6590>} 2017-12-15 16:11:58,465 [DEBUG] yum:16910:MainThread @productid.py:640 - Checking for product certs to remove. Active include: set(['rhel-7-for-arm-64-rpms']) 2017-12-15 16:11:58,469 [INFO] yum:16910:MainThread @productid.py:707 - None of the repos for 363 are active: [u'beaker-Server'] 2017-12-15 16:11:58,469 [INFO] yum:16910:MainThread @productid.py:708 - product cert 363 for 363 is being deleted 2017-12-15 16:11:58,470 [DEBUG] yum:16910:MainThread @productid.py:420 - Checking for product id certs to install or update. 2017-12-15 16:11:58,470 [DEBUG] yum:16910:MainThread @productid.py:425 - active set(['rhel-7-for-arm-64-rpms']) 2017-12-15 16:11:58,471 [DEBUG] yum:16910:MainThread @productid.py:426 - enabled [(<rhsm.certificate2.ProductCertificate object at 0xffffa35d6a50>, 'rhel-7-for-arm-64-beta-rpms'), (<rhsm.certificate2.ProductCertificate object at 0xffffa35d6d10>, 'rhel-7-for-arm-64-rpms')] 2017-12-15 16:11:58,471 [DEBUG] yum:16910:MainThread @productid.py:442 - product cert: 363 repo: rhel-7-for-arm-64-beta-rpms 2017-12-15 16:11:58,471 [DEBUG] yum:16910:MainThread @productid.py:442 - product cert: 419 repo: rhel-7-for-arm-64-rpms 2017-12-15 16:11:58,472 [INFO] yum:16910:MainThread @productid.py:530 - Updating product db with 419 -> rhel-7-for-arm-64-rpms 2017-12-15 16:11:58,473 [INFO] yum:16910:MainThread @productid.py:581 - Installed product cert 419: Red Hat Enterprise Linux for ARM 64 /etc/pki/product/419.pem 2017-12-15 16:11:58,473 [DEBUG] yum:16910:MainThread @productid.py:558 - about to run post_product_id_install 2017-12-15 16:11:58,473 [DEBUG] yum:16910:MainThread @productid.py:569 - about to run post_product_id_update
I added link to PR with quite complicated implementation of bug fix (all product certificates provided by RPM are protected). Another and not so complicated implementation will be provided soon (all prod. certs in /etc/pki/product-default will be protected).
I'm attaching link to Github PR with simple implementation as I promised.
Moving bug to verified as product cert 363.pem is not removed from /etc/pki/product-default and 419.pem is installed as well [root@hp-moonshot-03-c13 ~]# subscription-manager version server type: Red Hat Subscription Management subscription management server: 2.0.43-1 subscription management rules: 5.26 subscription-manager: 1.20.10-1.el7 [root@hp-moonshot-03-c13 ~]# subscription-manager list --available --matches=RH00783 --pool-only 8a99f984614aa73001614c13ba821f7e [root@hp-moonshot-03-c13 ~]# subscription-manager attach --pool 8a99f984614aa73001614c13ba821f7e Successfully attached a subscription for: Red Hat Enterprise Linux Server for ARM, Standard (Physical Node, L3 Only) [root@hp-moonshot-03-c13 ~]# subscription-manager list --installed +-------------------------------------------+ Installed Product Status +-------------------------------------------+ Product Name: Red Hat Enterprise Linux for ARM 64 Beta Product ID: 363 Version: 7.5 Beta Arch: aarch64 Status: Subscribed Status Details: Starts: 01/31/2018 Ends: 01/30/2019 [root@hp-moonshot-03-c13 ~]# ls /etc/pki/product* /etc/pki/product: /etc/pki/product-default: 363.pem [root@hp-moonshot-03-c13 ~]# cat /var/lib/rhsm/productid.js { "363": [ "beaker-Server" ] }[root@hp-moonshot-03-c13 ~]# rpm -q --whatprovides /etc/pki/product-default/363.pem redhat-release-server-7.5-1.el7a.aarch64 [root@hp-moonshot-03-c13 ~]# yum repolist --disablerepo=beaker* Loaded plugins: product-id, search-disabled-repos, subscription-manager rhel-7-for-arm-64-rpms | 4.0 kB 00:00:00 (1/3): rhel-7-for-arm-64-rpms/7Server/aarch64/updateinfo | 69 kB 00:00:00 (2/3): rhel-7-for-arm-64-rpms/7Server/aarch64/primary_db | 4.6 MB 00:00:00 (3/3): rhel-7-for-arm-64-rpms/7Server/aarch64/group | 660 kB 00:00:01 repo id repo name status rhel-7-for-arm-64-rpms/7Server/aarch64 Red Hat Enterprise Linux 7 for ARM (RPMs) 3,888 repolist: 3,888 [root@hp-moonshot-03-c13 ~]# yum list available --disablerepo=beaker* | tail -1 zziplib.aarch64 0.13.62-5.el7 rhel-7-for-arm-64-rpms [root@hp-moonshot-03-c13 ~]# yum install zziplib.aarch64 --disablerepo=beaker* Loaded plugins: product-id, search-disabled-repos, subscription-manager Resolving Dependencies --> Running transaction check ---> Package zziplib.aarch64 0:0.13.62-5.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ============================================================================================================================================================================================================================================= Package Arch Version Repository Size ============================================================================================================================================================================================================================================= Installing: zziplib aarch64 0.13.62-5.el7 rhel-7-for-arm-64-rpms 81 k Transaction Summary ============================================================================================================================================================================================================================================= Install 1 Package Total download size: 81 k Installed size: 403 k Is this ok [y/d/N]: y Downloading packages: warning: /var/cache/yum/aarch64/7Server/rhel-7-for-arm-64-rpms/packages/zziplib-0.13.62-5.el7.aarch64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY ] 0.0 B/s | 0 B --:--:-- ETA Public key for zziplib-0.13.62-5.el7.aarch64.rpm is not installed zziplib-0.13.62-5.el7.aarch64.rpm | 81 kB 00:00:00 Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release Importing GPG key 0xFD431D51: Userid : "Red Hat, Inc. (release key 2) <security>" Fingerprint: 567e 347a d004 4ade 55ba 8a5f 199e 2f91 fd43 1d51 Package : redhat-release-server-7.5-1.el7a.aarch64 (@beaker-Server/7.5) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release Is this ok [y/N]: y Importing GPG key 0x2FA658E0: Userid : "Red Hat, Inc. (auxiliary key) <security>" Fingerprint: 43a6 e49c 4a38 f4be 9abf 2a53 4568 9c88 2fa6 58e0 Package : redhat-release-server-7.5-1.el7a.aarch64 (@beaker-Server/7.5) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release Is this ok [y/N]: y Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : zziplib-0.13.62-5.el7.aarch64 1/1 rhel-7-for-arm-64-rpms/7Server/aarch64/productid | 2.1 kB 00:00:00 Verifying : zziplib-0.13.62-5.el7.aarch64 1/1 Installed: zziplib.aarch64 0:0.13.62-5.el7 Complete! [root@hp-moonshot-03-c13 ~]# ls /etc/pki/product* /etc/pki/product: 419.pem /etc/pki/product-default: 363.pem [root@hp-moonshot-03-c13 ~]# cat /var/lib/rhsm/productid.js { "363": [ "beaker-Server" ], "419": [ "rhel-7-for-arm-64-rpms" ] }[root@hp-moonshot-03-c13 ~]# subscription-manager list --installed +-------------------------------------------+ Installed Product Status +-------------------------------------------+ Product Name: Red Hat Enterprise Linux for ARM 64 Product ID: 419 Version: 7.4 Arch: aarch64 Status: Subscribed Status Details: Starts: 01/31/2018 Ends: 01/30/2019 Product Name: Red Hat Enterprise Linux for ARM 64 Beta Product ID: 363 Version: 7.5 Beta Arch: aarch64 Status: Subscribed Status Details: Starts: 01/31/2018 Ends: 01/30/2019
*** Bug 1539928 has been marked as a duplicate of this bug. ***
*** Bug 1539922 has been marked as a duplicate of this bug. ***
*** Bug 1537997 has been marked as a duplicate of this bug. ***
*** Bug 1540596 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0681