Description of problem: VDSM has a dependency on `fence-agents-all` https://github.com/oVirt/vdsm/blob/master/vdsm.spec.in#L278 If other packages, which are not needed by VDSM, needs to be removed, telnet for example, VDSM will be pulled as a dependency and will remove others. [root@rhvh43 ~]# yum remove telnet : : ============================================================================================================================================================================================================================================== Package Arch Version Repository Size ============================================================================================================================================================================================================================================== Removing: telnet x86_64 1:0.17-64.el7 installed 113 k Removing for dependencies: cockpit-ovirt-dashboard noarch 0.13.1-2.el7ev installed 16 M fence-agents-all x86_64 4.2.1-11.el7_6.8 installed 0.0 fence-agents-apc x86_64 4.2.1-11.el7_6.8 installed 9.3 k fence-agents-bladecenter x86_64 4.2.1-11.el7_6.8 installed 4.9 k fence-agents-brocade x86_64 4.2.1-11.el7_6.8 installed 4.4 k fence-agents-drac5 x86_64 4.2.1-11.el7_6.8 installed 6.8 k fence-agents-hpblade x86_64 4.2.1-11.el7_6.8 installed 5.5 k fence-agents-ilo-moonshot x86_64 4.2.1-11.el7_6.8 installed 3.2 k fence-agents-ilo-mp x86_64 4.2.1-11.el7_6.8 installed 2.8 k fence-agents-ilo-ssh x86_64 4.2.1-11.el7_6.8 installed 14 k fence-agents-rsa x86_64 4.2.1-11.el7_6.8 installed 3.4 k fence-agents-rsb x86_64 4.2.1-11.el7_6.8 installed 3.9 k fence-agents-wti x86_64 4.2.1-11.el7_6.8 installed 9.3 k ovirt-host x86_64 4.3.3-1.el7ev installed 11 k ovirt-host-dependencies x86_64 4.3.3-1.el7ev installed 11 k ovirt-hosted-engine-ha noarch 2.3.1-1.el7ev installed 1.8 M ovirt-hosted-engine-setup noarch 2.3.9-1.el7ev installed 1.4 M ovirt-provider-ovn-driver noarch 1.2.22-1.el7ev installed 70 k redhat-release-virtualization-host-content x86_64 4.3-0.8.el7 installed 0.0 vdsm x86_64 4.30.17-1.el7ev installed 185 k vdsm-gluster x86_64 4.30.17-1.el7ev installed 261 k vdsm-hook-ethtool-options noarch 4.30.17-1.el7ev installed 5.6 k vdsm-hook-fcoe noarch 4.30.17-1.el7ev installed 6.5 k vdsm-hook-vmfex-dev noarch 4.30.17-1.el7ev installed 21 k Transaction Summary ============================================================================================================================================================================================================================================== Remove 1 Package (+24 Dependent packages) Installed size: 19 M Is this ok [y/N]: n Version-Release number of selected component (if applicable): 4.3 RHV-H (rhvh-4.3.0.8-0.20190610.0+1) How reproducible: 100% Steps to Reproduce: 1. yum remove telnet 2. vdsm will be pulled as a dependency among others Actual results: Host will not work under RHV Expected results: Removing VDSM unrelated packages shouldn't trigger this behavior. Additional info: As an example, FIPS 140-2 compliance requires telnet service to be disable / removed. Removing telnet from a host will remove fence-agents and vdsm, among others, as dependencies. We should have some sort of lock on vdsm to avoid this scenario
Martin, do you think we can really remove the dependency?
(In reply to Simone Tiraboschi from comment #4) > Martin, do you think we can really remove the dependency? It's not that easy, right now we depend on fence-agents-all so we know that each up-to-date host always has all required and updated fence agents. Currently in RHV 4.3 we support following fence agents: apc apc_snmp bladecenter cisco_ucs drac5 drac7 eps hpblade ilo ilo2 ilo3 ilo4 ilo_ssh ipmilan kdump rsa rsb wti So to maintain current functionality we would need to depend on 14 packages instead of 1: fence-agents-apc fence-agents-apc-snmp fence-agents-bladecenter fence-agents-cisco-ucs fence-agents-drac5 fence-agents-eps fence-agents-hpblade fence-agents-ilo fence-agents-ilo-ssh fence-agents-ipmilan fence-agents-rsa fence-agents-rsb fence-agents-wti That's not such a big problem until we will add new supported agent (which will happen in 4.4, when we introduce support for redfish): because we can't be sure that all hosts in cluster/datacenter are updated into latest version, so new supported agent is installed, fencing operation might not be successful, so host will stay non-responsive. But even with above change we will not get rid of telnet, because apc fence agent depends on it, so we would need to remove support for APC fence agent, which doesn't seem to me as a good idea. Martin, what do you think?
Moving to virt, not really a node team issue. this will affect plain RHEL deployments as well when removing telnet after host is deployed.
Moving to Infra to track fencing
We need to add requirement for fence-agents-4.2.1-53.el8_3.1 into VDSM
# yum list vdsm Updating Subscription Management repositories. Last metadata expiration check: 0:40:19 ago on Mon 02 Nov 2020 12:16:35 PM CET. Installed Packages vdsm.x86_64 4.40.26.3-1.el8ev @rhv-4-mgmt-agent-for-rhel-8-x86_64-rpms Available Packages vdsm.ppc64le 4.40.35.1-1.el8ev rhv-4.4.3 vdsm.x86_64 4.40.35.1-1.el8ev rhv-4.4.3 [root@demo-rhv-host ~]# yum list telnet Updating Subscription Management repositories. Last metadata expiration check: 0:40:36 ago on Mon 02 Nov 2020 12:16:35 PM CET. Available Packages telnet.x86_64 1:0.17-73.el8_1.1 rhel-8-for-x86_64-appstream-rpms telnet.x86_64 1:0.17-73.el8_1.1 rhel-8.2.0-appstream-rpms was able to removed telnet from server and vdsm with fence agent stayed on server
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (RHV RHEL Host (ovirt-host) 4.4.z [ovirt-4.4.3]), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:5213