RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1957280 - DNF with versionlock silences a conflict due to a provide
Summary: DNF with versionlock silences a conflict due to a provide
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: dnf-plugins-core
Version: 8.3
Hardware: All
OS: Linux
high
high
Target Milestone: beta
: ---
Assignee: Marek Blaha
QA Contact: Eva Mrakova
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-05-05 14:05 UTC by Christophe Besson
Modified: 2021-11-10 09:39 UTC (History)
3 users (show)

Fixed In Version: dnf-plugins-core-4.0.21-2.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-09 19:53:20 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4464 0 None None None 2021-11-09 19:53:37 UTC

Description Christophe Besson 2021-05-05 14:05:45 UTC
Description of problem:
According to the security compliance of its sector, a customer is using locked versions for ~25000 packages thanks to versionlock. However, they are not able to update "puppet-agent" to the version *correctly* defined in versionlock.list, whereas this version is available. Disabling the versionlock plugin allows them to update that 3rd party package.

The problem here is the fact DNF is completely silent about the conflict, it just tells "Nothing to do" while trying to update, making the issue difficult to diagnose.

Version-Release number of selected component (if applicable):
python3-dnf-plugin-versionlock-4.0.17-5.el8.noarch
dnf-plugins-core-4.0.17-5.el8.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install 3rd party repositories. EPEL is also necessary, as it provides the "facter" package which is causing the issue.
# dnf install https://yum.puppet.com/puppet6-release-el-8.noarch.rpm
# dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

2. Install puppet-agent and downgrade to a previous version
# dnf install puppet-agent
# dnf downgrade puppet-agent

3. Setup this minimal versionlock.list which will create a silent conflict.
# cat << EOF > /etc/dnf/plugins/versionlock.list
facter-0:3.14.2-4.el8.*
puppet-agent-0:6.21.1-1.el8.*
EOF


Actual results:
~~~
# dnf update puppet-agent 
Last metadata expiration check: 0:00:01 ago on Wed 05 May 2021 08:48:46 AM EDT.
Dependencies resolved.
Nothing to do.
Complete!
~~~

Excluding the "facter" package leads to the upgrade to the version given in versionlock.list:
~~~
# dnf -x facter update puppet-agent
Updating Subscription Management repositories.
Last metadata expiration check: 0:04:52 ago on Wed 05 May 2021 08:48:46 AM EDT.
Dependencies resolved.
=========================================================================================================================
 Package                        Architecture             Version                         Repository                 Size
=========================================================================================================================
Upgrading:
 puppet-agent                   x86_64                   6.21.1-1.el8                    puppet6                    26 M
~~~

Disabling the versionlock plugin leads to the upgrade of the latest package available:
~~~
# dnf --disableplugin=versionlock update puppet-agent
Updating Subscription Management repositories.
Last metadata expiration check: 0:05:12 ago on Wed 05 May 2021 08:48:46 AM EDT.
Dependencies resolved.
=========================================================================================================================
 Package                        Architecture             Version                         Repository                 Size
=========================================================================================================================
Upgrading:
 puppet-agent                   x86_64                   6.22.1-1.el8                    puppet6                    26 M
~~~


Expected results:
Something explaining the why.

Additional info:
* The issue is partially visible thanks to the debugsolver (btw, why libsolv-tools isn't shipped???)
~~~
# testsolv -vvv debugdata/rpms/testcase.t | grep -v -e installing -e update | grep -A2 puppet-agent
propagate decision 512:    puppet-agent-6.21.0-1.el8.x86_64 [512]I Install.level1
  unit Rule #49337:
    !facter-3.14.2-4.el8.x86_64 [1863] (w1)
    !puppet-agent-6.21.0-1.el8.x86_64 [512]I (w2) Install.level1
    next rules: 0 50535
    -> decided to conflict facter-3.14.2-4.el8.x86_64
~~~

* The package puppet-agent provides the "facter" capability, package which is available from EPEL 8.
~~~
# rpm -q puppet-agent
puppet-agent-6.21.0-1.el8.x86_64

# rpm -q --requires puppet-agent | uniq
/bin/mkdir
/bin/sh
/bin/touch
findutils
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1
systemd
tar
util-linux

# rpm -q --provides puppet-agent | uniq
cfacter >= 0.5.0
facter >= 1:3.0.0
hiera >= 2.0.0
puppet >= 4.0.0
puppet-agent = 6.21.0-1.el8
puppet-agent(x86-64) = 6.21.0-1.el8
~~~

* I think the bug may ultimately reside in dnf/libdnf itself, feel free to re-assign that bug to another component if needed.

* This bug possibly depends on this one (?)
https://bugzilla.redhat.com/show_bug.cgi?id=1896489

Comment 1 Marek Blaha 2021-05-11 07:27:48 UTC
Let me start with short explanation of what the versionlock plugin does. After reading the versionlock.list file it

1. excludes from available packages all versions of packages other than those mentioned
2. excludes also all packages that are obsoleting any the locked packages

These excluded packages are completely unavailable and to the solver. Unfortunately this might lead to the situation described in this issue.

In case that both
- obsoleted package - facter package here (see `rpm -q --obsoletes puppet-agent`)
- and its obsoleter (puppet-agent package)
are part of the versionlock.list file, then due to the rule 2. all puppet-agent package versions are excluded so that the `dnf upgrade` command says 'Nothing to do.'. And it is not only the upgrade command, you are even not able to install the puppet-agent package, it's completely invisible:

# dnf install puppet-agent
All matches were filtered out by exclude filtering for argument: puppet-agent
Error: Unable to find a match: puppet-agent

Here is the patch for versionlock plugin that should fix the issue: https://github.com/rpm-software-management/dnf-plugins-core/pull/429 and here is PR with test https://github.com/rpm-software-management/ci-dnf-stack/pull/990

Meanwhile, to workaround the issue, you can remove facter package from the versionlock.list file.

Comment 9 errata-xmlrpc 2021-11-09 19:53:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: dnf security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4464


Note You need to log in before you can comment on or make changes to this bug.