Description of problem:
When installing a new self-hosted RHVM-4.4 as documented in "https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/installing_red_hat_virtualization_as_a_self-hosted_engine_using_the_command_line/index#Deploying_the_Self-Hosted_Engine_Using_the_CLI_install_RHVM", the following command:

# dnf distro-sync --nobest

downgrades some packages:

aopalliance-1.0-17.module+el8+2452+b359bfcd.noarch
apache-commons-codec-1.11-3.module+el8+2452+b359bfcd.noarch
apache-commons-io-1:2.6-3.module+el8+2452+b359bfcd.noarch
apache-commons-logging-1.2-13.module+el8+2452+b359bfcd.noarch
httpcomponents-client-4.5.5-4.module+el8+2452+b359bfcd.noarch
httpcomponents-core-4.4.10-3.module+el8+2452+b359bfcd.noarch
javapackages-filesystem-5.3.0-1.module+el8+2447+6f56d9a6.noarch
javapackages-tools-5.3.0-1.module+el8+2447+6f56d9a6.noarch
nodejs-1:10.21.0-3.module+el8.2.0+7071+d2377ea3.x86_64
ovirt-imageio-common-2.0.10-1.el8ev.x86_64
ovirt-imageio-daemon-2.0.10-1.el8ev.x86_64

It's not clear if this is expected behavior, missing documentation steps, or a problem with appliance build.

Version-Release number of selected component (if applicable):
RHV-M 4.4.x

How reproducible:
100%

Steps to Reproduce:
1. Build new RHV 4.4 hosted engine environment
2. Continue to follow documentation to the end
3. Finish with the recommended 'dnf distro-sync --nobest' command

Actual results:
Downgraded packages

Expected results:
Only Updated packages

Additional info:
From the customer: "For example, for NodeJS, I found that the RHV appliance was built with newer stream, so nodejs-14 was installed by Red Hat builders. But the appliance has stream 10 by default, so nodejs gets downgraded to an older version 10 with security vulnerabilities. I've enabled stream 12, updated NodeJS to v.12, RHVM looks good so far."

Let's flip it back to on_qa and see it live.

Verified in rhvm-appliance-4.5-20220603.1.el8ev

# dnf distro-sync --nobest
Updating Subscription Management repositories.
Last metadata expiration check: 0:00:43 ago on Mon 06 Jun 2022 03:58:37 PM IDT.
Dependencies resolved.
============================================================================================================================
 Package                          Architecture  Version                                  Repository                         Size
============================================================================================================================
Upgrading:
 apache-commons-lang              noarch        2.6-21.module+el8+2468+c564cec5          rhel-8-for-x86_64-appstream-rpms  283 k
 bea-stax-api                     noarch        1.2.0-16.module+el8+2468+c564cec5        rhel-8-for-x86_64-appstream-rpms   37 k
 glassfish-fastinfoset            noarch        1.2.13-9.module+el8+2468+c564cec5        rhel-8-for-x86_64-appstream-rpms  354 k
 glassfish-jaxb-api               noarch        2.2.12-8.module+el8+2468+c564cec5        rhel-8-for-x86_64-appstream-rpms  102 k
 glassfish-jaxb-core              noarch        2.2.11-11.module+el8+2468+c564cec5       rhel-8-for-x86_64-appstream-rpms  158 k
 glassfish-jaxb-runtime           noarch        2.2.11-11.module+el8+2468+c564cec5       rhel-8-for-x86_64-appstream-rpms  936 k
 glassfish-jaxb-txw2              noarch        2.2.11-11.module+el8+2468+c564cec5       rhel-8-for-x86_64-appstream-rpms   90 k
 jackson-module-jaxb-annotations  noarch        2.7.6-4.module+el8+2468+c564cec5         rhel-8-for-x86_64-appstream-rpms   46 k
 relaxngDatatype                  noarch        2011.1-7.module+el8+2468+c564cec5        rhel-8-for-x86_64-appstream-rpms   28 k
 slf4j                            noarch        1.7.25-4.module+el8+2468+c564cec5        rhel-8-for-x86_64-appstream-rpms   77 k
 slf4j-jdk14                      noarch        1.7.25-4.module+el8+2468+c564cec5        rhel-8-for-x86_64-appstream-rpms   25 k
 stax-ex                          noarch        1.7.7-8.module+el8+2468+c564cec5         rhel-8-for-x86_64-appstream-rpms   56 k
 xmlstreambuffer                  noarch        1.5.4-8.module+el8+2468+c564cec5         rhel-8-for-x86_64-appstream-rpms   87 k
 xsom                             noarch        0-19.20110809svn.module+el8+2468+c564cec5  rhel-8-for-x86_64-appstream-rpms  399 k

Transaction Summary
============================================================================================================================
Upgrade  14 Packages

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: RHV Appliance (rhvm-appliance) security update [ovirt-4.5.0]), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:4931
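
A pre-flight check for the downgrade reported in this bug, as an added example that is not part of the bug report or of Red Hat's documentation: it reads the transaction table printed by `dnf distro-sync --nobest --assumeno` and fails when a `Downgrading:` section lists any package. The function names and both sample tables are assumptions; the samples reuse package names and versions from this page with constructed sizes and a placeholder repository name.

```shell
#!/bin/sh
# Print "name version" for every package listed under "Downgrading:" in a
# dnf transaction table read from stdin.
list_downgrades() {
  awk '
    /^[A-Za-z][A-Za-z ]*:$/ { section = $0; next }  # "Upgrading:", "Downgrading:", ...
    /^Transaction Summary/  { section = ""; next }  # summary counts are not packages
    /^=+$/                  { next }
    section == "Downgrading:" && NF >= 4 { print $1, $3 }
  '
}

# Return 1 (and report on stderr) if the table on stdin contains downgrades.
gate_on_downgrades() {
  found=$(list_downgrades)
  if [ -n "$found" ]; then
    printf 'distro-sync would downgrade:\n%s\n' "$found" >&2
    return 1
  fi
  return 0
}

# Constructed sample: the shape of the transaction the reporter describes.
SAMPLE_DOWNGRADE='Dependencies resolved.
================================================================================
 Package  Architecture  Version  Repository  Size
================================================================================
Upgrading:
 slf4j  noarch  1.7.25-4.module+el8+2468+c564cec5  example-repo  77 k
Downgrading:
 nodejs  x86_64  1:10.21.0-3.module+el8.2.0+7071+d2377ea3  example-repo  8.8 M
 ovirt-imageio-daemon  x86_64  2.0.10-1.el8ev  example-repo  25 k

Transaction Summary
================================================================================
Upgrade    1 Package
Downgrade  2 Packages'

# Constructed sample: upgrades only, as in the verification comment.
SAMPLE_CLEAN='Dependencies resolved.
Upgrading:
 slf4j  noarch  1.7.25-4.module+el8+2468+c564cec5  example-repo  77 k

Transaction Summary
Upgrade  1 Package'

# Demo on the constructed sample. On a real engine VM the input would be:
#   LC_ALL=C dnf distro-sync --nobest --assumeno | gate_on_downgrades
# (LC_ALL=C keeps the section headers in English; --assumeno changes nothing.)
printf '%s\n' "$SAMPLE_DOWNGRADE" | list_downgrades
```

The parser expects each package on a single line; dnf wraps long entries on narrow terminals, so run the check non-interactively or on a wide terminal.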