RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1697963 - DNF has inconsistent behaviour for kernel-core package
Summary: DNF has inconsistent behaviour for kernel-core package
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: dnf
Version: ---
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: Packaging Maintenance Team
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 1698145
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-04-09 11:12 UTC by Andrei Stepanov
Modified: 2019-05-22 05:14 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-09 15:14:56 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Comment 1 Andrei Stepanov 2019-04-09 11:25:40 UTC 
Okay, it seems because of hidden logic:

/usr/lib64/python3.6/site-packages/libdnf/conf.py:    def autocheck_running_kernel(self):

Could you please help me ? How can I check that package can be clearly removed without actual removing it?
Comment 2 Andrei Stepanov 2019-04-09 11:34:02 UTC 
# dnf remove --setopt=autocheck_running_kernel=no --allowerasing kernel-core-4.18.0-80.el8.x86_64
Doesn't help.
Comment 3 Andrei Stepanov 2019-04-09 12:50:19 UTC 
# dnf --assumeno remove kernel-core-4.18.0-80.5.el8.x86_64
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repository beaker-client-testing is listed more than once in the configuration
Error:
 Problem: The operation would result in removing the following protected packages: kernel-core
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
# echo $?
1



# dnf --assumeno remove bc
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repository beaker-client-testing is listed more than once in the configuration
Dependencies resolved.
=============================================================================================================================================================================================================
 Package                                      Arch                                             Version                                                 Repository                                       Size
=============================================================================================================================================================================================================
Removing:
 bc                                           x86_64                                           1.07.1-5.el8                                            @rhel                                           234 k
 
Transaction Summary
=============================================================================================================================================================================================================
Remove  1 Package
 
Freed space: 234 k
Operation aborted.
# echo $?
1
Comment 4 Andrei Stepanov 2019-04-09 12:56:38 UTC 
It seems a solution can be:

# dnf --assumeyes --setopt tsflags=test remove kernel-core-4.18.0-80.5.el8.x86_64
Comment 5 Jaroslav Mracek 2019-04-09 15:14:56 UTC 
The protection of a running kernel is a feature of DNF and it is more than recommended to not perform such an action. If you know what you do you can  always run "rpm -e kernel-core". In general users of DNF expects a certain level of security that includes protecting of a running kernel. Please don't hesitate to reopen the bug if you thing that approach with rpm is not suitable for your user case. Then please explain your story in details and why it is essential to implement disablement of basic mechanisms of protection of system integrity and stability.
Comment 6 Eugene Syromiatnikov 2019-04-09 15:45:01 UTC 
(In reply to Jaroslav Mracek from comment #5)
> The protection of a running kernel is a feature of DNF and it is more than recommended to not perform such an action.

Protection of kernel image itself is close to meaningless, the only meaningful protection is protection of kernel modules (as they may be loaded on demand at any time and their absence may lead to severe issues), and DNF doesn't provide that.

Moreover, the protection is meaningless if the action is requested within a mount namespace.
Note You need to log in before you can comment on or make changes to this bug.