Bug 1889979 - repos valitation fails when CDN repositories are used
Summary: repos valitation fails when CDN repositories are used
Keywords:
Status: CLOSED DUPLICATE of bug 1882826
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-validations
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: David Peacock
QA Contact: nlevinki
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-10-21 06:55 UTC by Takashi Kajinami
Modified: 2020-11-04 16:05 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 16:05:27 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Takashi Kajinami 2020-10-21 06:55:18 UTC
Description of problem:

While running pre-upgrade validation[1], it was observed that repos validation fails with the following error.
~~~
=== Running validation: "repos" ===

Task 'Call repository URLs' failed:
Host: undercloud
Message: Failed to validate the SSL certificate for cdn.redhat.com:443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618).
~~~

Even after installing CA cert for Red Hat CDN into trusted CA certs, the validation again fails because of 403 .
~~~
=== Running validation: "repos" ===

Task 'Call repository URLs' failed:
Host: undercloud
Message: Status code was 403 and not [200]: HTTP Error 403: Forbidden
~~~

[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.1/html/framework_for_upgrades_13_to_16.1/planning-and-preparation-for-an-in-place-openstack-platform-upgrade#validating-red-hat-openstack-platform-oldvernum-before-the-upgrade

I checked the current implenmentation of repos validation, but it seems that this validation tries direct url access to the repository URLs which appear in "yum repolist".

https://github.com/openstack/tripleo-validations/blob/5d9383059e49e774502f191727303acc5e2950c4/validations/repos.yaml#L29-L32

However this doesn't work for CDN repository because
 - CA cert for CDN is not installed in systemwide CA certs
 - CDN repos doesn't accept HTTP request without authentication.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Deploy RHOSP13 with CDN repository
2. Run validation as described in the documentation[1]

Actual results:
repos validation always fails

Expected results:
repos validation doesn't fail

Additional info:

Comment 1 David Peacock 2020-11-04 16:05:27 UTC

*** This bug has been marked as a duplicate of bug 1882826 ***


Note You need to log in before you can comment on or make changes to this bug.