Bug 1729222 - VDSM should depend on fence-agents-all which doesn't require telnet package
Summary: VDSM should depend on fence-agents-all which doesn't require telnet package
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: vdsm
Version: 4.3.4
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ovirt-4.4.3
: ---
Assignee: Eli Mesika
QA Contact: Pavol Brilla
URL:
Whiteboard:
Depends On: 1883420
Blocks: 1835650
TreeView+ depends on / blocked
 
Reported: 2019-07-11 15:52 UTC by Javier Coscia
Modified: 2020-11-24 13:11 UTC (History)
22 users (show)

Fixed In Version: vdsm-4.40.35
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-24 13:11:27 UTC
oVirt Team: Infra
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 5265441 None None None 2020-07-29 09:06:03 UTC
Red Hat Product Errata RHBA-2020:5213 None None None 2020-11-24 13:11:48 UTC
oVirt gerrit 111680 master MERGED use fence agents without telnet dependency on RHEL 2020-12-04 20:18:47 UTC

Description Javier Coscia 2019-07-11 15:52:21 UTC
Description of problem:

VDSM has a dependency on `fence-agents-all`

https://github.com/oVirt/vdsm/blob/master/vdsm.spec.in#L278

If other packages, which are not needed by VDSM, needs to be removed, 
telnet for example, VDSM will be pulled as a dependency and will remove 
others.


[root@rhvh43 ~]# yum remove telnet
:
:
==============================================================================================================================================================================================================================================
 Package                                                                          Arch                                         Version                                                  Repository                                       Size
==============================================================================================================================================================================================================================================
Removing:
 telnet                                                                           x86_64                                       1:0.17-64.el7                                            installed                                       113 k
Removing for dependencies:
 cockpit-ovirt-dashboard                                                          noarch                                       0.13.1-2.el7ev                                           installed                                        16 M
 fence-agents-all                                                                 x86_64                                       4.2.1-11.el7_6.8                                         installed                                       0.0  
 fence-agents-apc                                                                 x86_64                                       4.2.1-11.el7_6.8                                         installed                                       9.3 k
 fence-agents-bladecenter                                                         x86_64                                       4.2.1-11.el7_6.8                                         installed                                       4.9 k
 fence-agents-brocade                                                             x86_64                                       4.2.1-11.el7_6.8                                         installed                                       4.4 k
 fence-agents-drac5                                                               x86_64                                       4.2.1-11.el7_6.8                                         installed                                       6.8 k
 fence-agents-hpblade                                                             x86_64                                       4.2.1-11.el7_6.8                                         installed                                       5.5 k
 fence-agents-ilo-moonshot                                                        x86_64                                       4.2.1-11.el7_6.8                                         installed                                       3.2 k
 fence-agents-ilo-mp                                                              x86_64                                       4.2.1-11.el7_6.8                                         installed                                       2.8 k
 fence-agents-ilo-ssh                                                             x86_64                                       4.2.1-11.el7_6.8                                         installed                                        14 k
 fence-agents-rsa                                                                 x86_64                                       4.2.1-11.el7_6.8                                         installed                                       3.4 k
 fence-agents-rsb                                                                 x86_64                                       4.2.1-11.el7_6.8                                         installed                                       3.9 k
 fence-agents-wti                                                                 x86_64                                       4.2.1-11.el7_6.8                                         installed                                       9.3 k
 ovirt-host                                                                       x86_64                                       4.3.3-1.el7ev                                            installed                                        11 k
 ovirt-host-dependencies                                                          x86_64                                       4.3.3-1.el7ev                                            installed                                        11 k
 ovirt-hosted-engine-ha                                                           noarch                                       2.3.1-1.el7ev                                            installed                                       1.8 M
 ovirt-hosted-engine-setup                                                        noarch                                       2.3.9-1.el7ev                                            installed                                       1.4 M
 ovirt-provider-ovn-driver                                                        noarch                                       1.2.22-1.el7ev                                           installed                                        70 k
 redhat-release-virtualization-host-content                                       x86_64                                       4.3-0.8.el7                                              installed                                       0.0  
 vdsm                                                                             x86_64                                       4.30.17-1.el7ev                                          installed                                       185 k
 vdsm-gluster                                                                     x86_64                                       4.30.17-1.el7ev                                          installed                                       261 k
 vdsm-hook-ethtool-options                                                        noarch                                       4.30.17-1.el7ev                                          installed                                       5.6 k
 vdsm-hook-fcoe                                                                   noarch                                       4.30.17-1.el7ev                                          installed                                       6.5 k
 vdsm-hook-vmfex-dev                                                              noarch                                       4.30.17-1.el7ev                                          installed                                        21 k

Transaction Summary
==============================================================================================================================================================================================================================================
Remove  1 Package (+24 Dependent packages)

Installed size: 19 M
Is this ok [y/N]: n



Version-Release number of selected component (if applicable):

4.3 RHV-H (rhvh-4.3.0.8-0.20190610.0+1)

How reproducible:

100%

Steps to Reproduce:
1. yum remove telnet
2. vdsm will be pulled as a dependency among others


Actual results:

Host will not work under RHV

Expected results:

Removing VDSM unrelated packages shouldn't trigger this behavior.

Additional info:

As an example, FIPS 140-2 compliance requires telnet service to be disable 
/ removed. Removing telnet from a host will remove fence-agents and vdsm, 
among others, as dependencies.

We should have some sort of lock on vdsm to avoid this scenario

Comment 4 Simone Tiraboschi 2019-07-17 07:15:18 UTC
Martin, do you think we can really remove the dependency?

Comment 6 Martin Perina 2019-07-22 07:39:41 UTC
(In reply to Simone Tiraboschi from comment #4)
> Martin, do you think we can really remove the dependency?

It's not that easy, right now we depend on fence-agents-all so we know that each up-to-date host always has all required and updated fence agents. Currently in RHV 4.3 we support following fence agents:

  apc
  apc_snmp
  bladecenter
  cisco_ucs
  drac5
  drac7
  eps
  hpblade
  ilo
  ilo2
  ilo3
  ilo4
  ilo_ssh
  ipmilan
  kdump
  rsa
  rsb
  wti

So to maintain current functionality we would need to depend on 14 packages instead of 1:

  fence-agents-apc
  fence-agents-apc-snmp
  fence-agents-bladecenter
  fence-agents-cisco-ucs
  fence-agents-drac5
  fence-agents-eps
  fence-agents-hpblade
  fence-agents-ilo
  fence-agents-ilo-ssh
  fence-agents-ipmilan
  fence-agents-rsa
  fence-agents-rsb
  fence-agents-wti

That's not such a big problem until we will add new supported agent (which will happen in 4.4, when we introduce support for redfish): because we can't be sure that all hosts in cluster/datacenter are updated into latest version, so new supported agent is installed, fencing operation might not be successful, so host will stay non-responsive.

But even with above change we will not get rid of telnet, because apc fence agent depends on it, so we would need to remove support for APC fence agent, which doesn't seem to me as a good idea.
Martin, what do you think?

Comment 7 Sandro Bonazzola 2019-07-22 08:50:53 UTC
Moving to virt, not really a node team issue. this will affect plain RHEL deployments as well when removing telnet after host is deployed.

Comment 8 Ryan Barry 2019-07-29 10:31:50 UTC
Moving to Infra to track fencing

Comment 26 Martin Perina 2020-10-12 09:13:16 UTC
We need to add requirement for fence-agents-4.2.1-53.el8_3.1 into VDSM

Comment 29 Pavol Brilla 2020-11-02 11:58:57 UTC
# yum list vdsm
Updating Subscription Management repositories.
Last metadata expiration check: 0:40:19 ago on Mon 02 Nov 2020 12:16:35 PM CET.
Installed Packages
vdsm.x86_64                                                                              4.40.26.3-1.el8ev                                                                              @rhv-4-mgmt-agent-for-rhel-8-x86_64-rpms
Available Packages
vdsm.ppc64le                                                                             4.40.35.1-1.el8ev                                                                              rhv-4.4.3                               
vdsm.x86_64                                                                              4.40.35.1-1.el8ev                                                                              rhv-4.4.3                               
[root@demo-rhv-host ~]# yum list telnet
Updating Subscription Management repositories.
Last metadata expiration check: 0:40:36 ago on Mon 02 Nov 2020 12:16:35 PM CET.
Available Packages
telnet.x86_64                                                                                 1:0.17-73.el8_1.1                                                                                 rhel-8-for-x86_64-appstream-rpms
telnet.x86_64                                                                                 1:0.17-73.el8_1.1                                                                                 rhel-8.2.0-appstream-rpms  


was able to removed telnet from server and vdsm with fence agent stayed on server

Comment 33 errata-xmlrpc 2020-11-24 13:11:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (RHV RHEL Host (ovirt-host) 4.4.z [ovirt-4.4.3]), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5213


Note You need to log in before you can comment on or make changes to this bug.