Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1697963

Summary: DNF has inconsistent behaviour for kernel-core package
Product: Red Hat Enterprise Linux 8 Reporter: Andrei Stepanov <astepano>
Component: dnfAssignee: Packaging Maintenance Team <packaging-team-maint>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: ---CC: esyr, james.antill
Target Milestone: rc   
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-04-09 15:14:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1698145    
Bug Blocks:    

Comment 1 Andrei Stepanov 2019-04-09 11:25:40 UTC 
Okay, it seems because of hidden logic:

/usr/lib64/python3.6/site-packages/libdnf/conf.py:    def autocheck_running_kernel(self):

Could you please help me ? How can I check that package can be clearly removed without actual removing it?
Comment 2 Andrei Stepanov 2019-04-09 11:34:02 UTC 
# dnf remove --setopt=autocheck_running_kernel=no --allowerasing kernel-core-4.18.0-80.el8.x86_64
Doesn't help.
Comment 3 Andrei Stepanov 2019-04-09 12:50:19 UTC 
# dnf --assumeno remove kernel-core-4.18.0-80.5.el8.x86_64
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repository beaker-client-testing is listed more than once in the configuration
Error:
 Problem: The operation would result in removing the following protected packages: kernel-core
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
# echo $?
1



# dnf --assumeno remove bc
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repository beaker-client-testing is listed more than once in the configuration
Dependencies resolved.
=============================================================================================================================================================================================================
 Package                                      Arch                                             Version                                                 Repository                                       Size
=============================================================================================================================================================================================================
Removing:
 bc                                           x86_64                                           1.07.1-5.el8                                            @rhel                                           234 k
 
Transaction Summary
=============================================================================================================================================================================================================
Remove  1 Package
 
Freed space: 234 k
Operation aborted.
# echo $?
1
Comment 4 Andrei Stepanov 2019-04-09 12:56:38 UTC 
It seems a solution can be:

# dnf --assumeyes --setopt tsflags=test remove kernel-core-4.18.0-80.5.el8.x86_64
Comment 5 Jaroslav Mracek 2019-04-09 15:14:56 UTC 
The protection of a running kernel is a feature of DNF and it is more than recommended to not perform such an action. If you know what you do you can  always run "rpm -e kernel-core". In general users of DNF expects a certain level of security that includes protecting of a running kernel. Please don't hesitate to reopen the bug if you thing that approach with rpm is not suitable for your user case. Then please explain your story in details and why it is essential to implement disablement of basic mechanisms of protection of system integrity and stability.
Comment 6 Eugene Syromiatnikov 2019-04-09 15:45:01 UTC 
(In reply to Jaroslav Mracek from comment #5)
> The protection of a running kernel is a feature of DNF and it is more than recommended to not perform such an action.

Protection of kernel image itself is close to meaningless, the only meaningful protection is protection of kernel modules (as they may be loaded on demand at any time and their absence may lead to severe issues), and DNF doesn't provide that.

Moreover, the protection is meaningless if the action is requested within a mount namespace.