Description of problem: While foreman-protector prevents unintended package install/update/downgrade, it silently allows removal of a package. This is 1) flaw in its consistency, 2) affected several customers who e.g. removed some package from Sat via REX unexpectedly. Please extend foreman-protector also to package removal protection. Version-Release number of selected component (if applicable): Sat 6.7 rubygem-foreman_maintain-0.5.4-1 How reproducible: 100% Steps to Reproduce: 0. yum install sos 1. install - via foreman-maintain - sos-3.9-2.el7.noarch (while older and also newer version exists) 2. yum update sos 3. yum downgrade sos 4. yum remove sos 5. yum remove foreman Actual results: 0. and 2. and 3. will be prohibited by foreman-protector. 4. and 5. will ask user to confirm the packages removal Expected results: Neither 0., 2.-5. to allow a package action. Additional info:
An idea to solve this is to ship a /etc/dnf/protected.d/satellite.conf with a list of packages that should never be removed.
(In reply to Eric Helms from comment #7) > An idea to solve this is to ship a /etc/dnf/protected.d/satellite.conf with > a list of packages that should never be removed. A candidate package would be *pulp-rpm* . We have a customer who accidentally removed that package (due to a dependency when removing something else), and was surprised why most of pulp functionality is gone. We were surprised why katello fix repositories fails with 404 on querying objects that *are* present in DB - these situations are *really* dangerous.