Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
DescriptionChristophe Besson
2021-05-05 14:05:45 UTC
Description of problem:
According to the security compliance of its sector, a customer is using locked versions for ~25000 packages thanks to versionlock. However, they are not able to update "puppet-agent" to the version *correctly* defined in versionlock.list, whereas this version is available. Disabling the versionlock plugin allows them to update that 3rd party package.
The problem here is the fact DNF is completely silent about the conflict, it just tells "Nothing to do" while trying to update, making the issue difficult to diagnose.
Version-Release number of selected component (if applicable):
python3-dnf-plugin-versionlock-4.0.17-5.el8.noarch
dnf-plugins-core-4.0.17-5.el8.noarch
How reproducible:
100%
Steps to Reproduce:
1. Install 3rd party repositories. EPEL is also necessary, as it provides the "facter" package which is causing the issue.
# dnf install https://yum.puppet.com/puppet6-release-el-8.noarch.rpm
# dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
2. Install puppet-agent and downgrade to a previous version
# dnf install puppet-agent
# dnf downgrade puppet-agent
3. Setup this minimal versionlock.list which will create a silent conflict.
# cat << EOF > /etc/dnf/plugins/versionlock.list
facter-0:3.14.2-4.el8.*
puppet-agent-0:6.21.1-1.el8.*
EOF
Actual results:
~~~
# dnf update puppet-agent
Last metadata expiration check: 0:00:01 ago on Wed 05 May 2021 08:48:46 AM EDT.
Dependencies resolved.
Nothing to do.
Complete!
~~~
Excluding the "facter" package leads to the upgrade to the version given in versionlock.list:
~~~
# dnf -x facter update puppet-agent
Updating Subscription Management repositories.
Last metadata expiration check: 0:04:52 ago on Wed 05 May 2021 08:48:46 AM EDT.
Dependencies resolved.
=========================================================================================================================
Package Architecture Version Repository Size
=========================================================================================================================
Upgrading:
puppet-agent x86_64 6.21.1-1.el8 puppet6 26 M
~~~
Disabling the versionlock plugin leads to the upgrade of the latest package available:
~~~
# dnf --disableplugin=versionlock update puppet-agent
Updating Subscription Management repositories.
Last metadata expiration check: 0:05:12 ago on Wed 05 May 2021 08:48:46 AM EDT.
Dependencies resolved.
=========================================================================================================================
Package Architecture Version Repository Size
=========================================================================================================================
Upgrading:
puppet-agent x86_64 6.22.1-1.el8 puppet6 26 M
~~~
Expected results:
Something explaining the why.
Additional info:
* The issue is partially visible thanks to the debugsolver (btw, why libsolv-tools isn't shipped???)
~~~
# testsolv -vvv debugdata/rpms/testcase.t | grep -v -e installing -e update | grep -A2 puppet-agent
propagate decision 512: puppet-agent-6.21.0-1.el8.x86_64 [512]I Install.level1
unit Rule #49337:
!facter-3.14.2-4.el8.x86_64 [1863] (w1)
!puppet-agent-6.21.0-1.el8.x86_64 [512]I (w2) Install.level1
next rules: 0 50535
-> decided to conflict facter-3.14.2-4.el8.x86_64
~~~
* The package puppet-agent provides the "facter" capability, package which is available from EPEL 8.
~~~
# rpm -q puppet-agent
puppet-agent-6.21.0-1.el8.x86_64
# rpm -q --requires puppet-agent | uniq
/bin/mkdir
/bin/sh
/bin/touch
findutils
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1
systemd
tar
util-linux
# rpm -q --provides puppet-agent | uniq
cfacter >= 0.5.0
facter >= 1:3.0.0
hiera >= 2.0.0
puppet >= 4.0.0
puppet-agent = 6.21.0-1.el8
puppet-agent(x86-64) = 6.21.0-1.el8
~~~
* I think the bug may ultimately reside in dnf/libdnf itself, feel free to re-assign that bug to another component if needed.
* This bug possibly depends on this one (?)
https://bugzilla.redhat.com/show_bug.cgi?id=1896489
Let me start with short explanation of what the versionlock plugin does. After reading the versionlock.list file it
1. excludes from available packages all versions of packages other than those mentioned
2. excludes also all packages that are obsoleting any the locked packages
These excluded packages are completely unavailable and to the solver. Unfortunately this might lead to the situation described in this issue.
In case that both
- obsoleted package - facter package here (see `rpm -q --obsoletes puppet-agent`)
- and its obsoleter (puppet-agent package)
are part of the versionlock.list file, then due to the rule 2. all puppet-agent package versions are excluded so that the `dnf upgrade` command says 'Nothing to do.'. And it is not only the upgrade command, you are even not able to install the puppet-agent package, it's completely invisible:
# dnf install puppet-agent
All matches were filtered out by exclude filtering for argument: puppet-agent
Error: Unable to find a match: puppet-agent
Here is the patch for versionlock plugin that should fix the issue: https://github.com/rpm-software-management/dnf-plugins-core/pull/429 and here is PR with test https://github.com/rpm-software-management/ci-dnf-stack/pull/990
Meanwhile, to workaround the issue, you can remove facter package from the versionlock.list file.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: dnf security and bug fix update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2021:4464