Bug 1784341 - disable CertificateRevocationListTask job in candlepin.conf by default
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installer
Version: 6.6.0
Hardware: Unspecified
OS: Unspecified
medium vote
Target Milestone: 6.8.0
Assignee: Eric Helms
QA Contact: Devendra Singh
Duplicates: 1783481
Depends On:
Blocks: 1806626
Reported: 2019-12-17 09:43 UTC by Pavel Moravec
Modified: 2021-06-26 13:06 UTC (History)

Fixed In Version: foreman-installer-2.1.0-0
Doc Text:
Clone Of:
Last Closed: 2020-10-27 12:59:35 UTC
Target Upstream Version:


System | ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 29220 | 0 | High | Closed | disable CertificateRevocationListTask job in candlepin.conf by default | 2021-01-27 06:01:28 UTC
Red Hat Knowledge Base (Solution) | 3888591 | 0 | None | None | None | 2019-12-17 09:43:01 UTC
Red Hat Product Errata | RHSA-2020:4366 | 0 | None | None | None | 2020-10-27 12:59:51 UTC

Description Pavel Moravec 2019-12-17 09:43:02 UTC
Description of problem:
CertificateRevocationListTask is a candlepin job to populate the CRL. The CRL is not used in Satellite (at least neither katello nor RHSM queries the "crl" URI against candlepin/rhsm). So this job is being performed redundantly on a Satellite6.

- there were 5+ cases where CRL had impacted Satellite performance
- the only workaround is in modifying /etc/candlepin/candlepin.conf
- .. and this workaround does not survive an upgrade or even satellite-installer run

I am requesting to disable the Job via installer directly & by default.

Fix is very trivial, just add anywhere to


a line like:

pinsetter.org.candlepin.pinsetter.tasks.CertificateRevocationListTask.schedule=0 0 0 1 1 ?

(see KCS 3888591 linked)

Version-Release number of selected component (if applicable):
Sat6.6 (any version)

How reproducible:

Steps to Reproduce:
1. Install Satellite6 (or just run satellite-installer on already installed Sat6)
2. Check if CertificateRevocationListTask schedule is changed in /etc/candlepin/candlepin.conf
3. Wait for noon and check "Starting job: org.candlepin.pinsetter.tasks.CertificateRevocationListTask" log in candlepin.log

Actual results:
2. no such entry in candlepin.conf
3. such a task/job is fired every noon (by default, it finishes soon, but not in various scaled environments)

Expected results:
2. have the schedule practically disabled via candlepin.conf
3. no such job invoked at noon

Additional info:
There are customers where CRLT took hours to finish, negatively affecting candlepin (and hence whole Sat6) performance. If not disabled, the impact to CPU grows over time.

Comment 3 Eric Helms 2020-02-28 01:18:40 UTC
Created redmine issue https://projects.theforeman.org/issues/29220 from this bug

Comment 4 Bryan Kearney 2020-02-28 03:05:56 UTC
Upstream bug assigned to ehelms

Comment 5 Bryan Kearney 2020-02-28 03:05:58 UTC
Upstream bug assigned to ehelms

Comment 6 Bryan Kearney 2020-02-28 19:06:00 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/29220 has been resolved.

Comment 7 Devendra Singh 2020-07-14 15:11:01 UTC
Verification steps:

* Build Version: 6.8 Snap8

* foreman-installer version:

# rpm -q foreman-installer

* Entries are proper, as mentioned in PR https://github.com/theforeman/puppet-candlepin/pull/145

# less /etc/candlepin/candlepin.conf|grep "pinsetter.org.candlepin.pinsetter.tasks.CertificateRevocationListTask.schedule=0"
pinsetter.org.candlepin.pinsetter.tasks.CertificateRevocationListTask.schedule=0 0 0 1 1 ?

* Didn't see any entry related to "Starting job: org.candlepin.pinsetter.tasks.CertificateRevocationListTask" log in the candlepin.log
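
The two checks from the reproduction steps and Comment 7, combined into an added script (not part of the bug report or of foreman-installer): it reads the effective CertificateRevocationListTask schedule from a candlepin.conf and counts "Starting job" lines in a candlepin.log. The function names, exit codes and sample files are assumptions made for this example; the log path is an argument because the report does not give it.

```shell
#!/bin/sh
# Added example: audit the CRL job override requested in this bug.
KEY='pinsetter.org.candlepin.pinsetter.tasks.CertificateRevocationListTask.schedule'
WANT='0 0 0 1 1 ?'   # schedule value quoted in the bug
JOB_MSG='Starting job: org.candlepin.pinsetter.tasks.CertificateRevocationListTask'

# Print the value of the last uncommented KEY assignment; status 1 if there is none.
crl_schedule() {
    awk -v key="$KEY" '
        /^[ \t]*#/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            rest = substr(line, length(key) + 1)
            if (index(line, key) == 1 && rest ~ /^[ \t]*=/) {
                sub(/^[ \t]*=[ \t]*/, "", rest)
                sub(/[ \t]+$/, "", rest)
                val = rest; found = 1
            }
        }
        END { if (!found) exit 1; print val }
    ' "$1"
}

# audit_crl_job CONF LOG -> 0 ok, 1 override missing/wrong, 2 unreadable, 3 job still logged
audit_crl_job() {
    conf=$1; log=$2
    [ -r "$conf" ] && [ -r "$log" ] || { echo "ERROR: cannot read $conf or $log"; return 2; }
    if ! sched=$(crl_schedule "$conf"); then
        echo "FAIL: no uncommented $KEY line in $conf"; return 1
    fi
    if [ "$sched" != "$WANT" ]; then
        echo "FAIL: schedule is '$sched', expected '$WANT'"; return 1
    fi
    runs=$(grep -cF -- "$JOB_MSG" "$log" || true)
    if [ "$runs" -gt 0 ]; then
        echo "WARN: override set, but $runs job start(s) are logged in $log"; return 3
    fi
    echo "OK: override set and no job start logged"
}

# Constructed sample files (not taken from a real Satellite) for an offline run.
make_samples() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# candlepin.conf (constructed)' "$KEY=$WANT" > "$d/fixed.conf"
    printf '%s\n' "#$KEY=$WANT" 'example.placeholder.key=1' > "$d/unfixed.conf"
    printf '%s\n' '2020-07-14 12:00:00 INFO (constructed) other job' > "$d/quiet.log"
    printf '%s\n' "2020-07-13 12:00:00 INFO (constructed) $JOB_MSG" > "$d/noisy.log"
    echo "$d"
}
```

Log lines written before the installer run also count toward the WARN result, so run it against a log that starts after the change.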

Comment 8 Eric Helms 2020-08-20 20:51:25 UTC
*** Bug 1783481 has been marked as a duplicate of this bug. ***

Comment 11 errata-xmlrpc 2020-10-27 12:59:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

