Description of problem:
"Paid" content can't be imported on airgapped (disconnected) satellite

Version-Release number of selected component (if applicable):
-

How reproducible:
always

Steps to Reproduce:
1. Prepare an export of "paid" content (e.g. RHSCL repository)
   - (use valid manifest, sync the repo, set download policy to immediate, do the export)
     hammer content-export complete library --organization-id <id>
2. Prepare airgapped (disconnected) machine
     (hammer settings set --name content_disconnected --value true)
3. Copy the exported content to airgapped (disconnected) machine (scp ...)
4a. Use "invalid" manifest (i.e. does not have rights to access RHSCL repository)
4b. Disable outgoing connection on port 443
     firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=443 -j DROP
     firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -j ACCEPT
5. Try to import
     hammer content-import library --organization-id <id> --path /var/lib/pulp/imports/<path>

Actual results:
Could not import the archive.:
a) Forbidden - server refused to process the request.
b) Request Timeout

Expected results:
The content should be imported in both cases, Satellite should not try to contact RH CDN, when it's in "Disconnected mode"

Additional info:
-
Sounds like disabling the cdn validation on enablement seems to fix it - But further investigation needed diff --git a/app/models/katello/candlepin/repository_mapper.rb b/app/models/katello/candlepin/repository_mapper.rb index 90ddcb3..7009de7 100644 --- a/app/models/katello/candlepin/repository_mapper.rb +++ b/app/models/katello/candlepin/repository_mapper.rb @@ -44,7 +44,7 @@ module Katello end def validate! - return if katello_content_type == Repository::OSTREE_TYPE + return if katello_content_type == Repository::OSTREE_TYPE || Setting[:content_disconnected] substitutor.validate_substitutions(content, substitutions) end
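Review bot: The added `|| Setting[:content_disconnected]` in `validate!` returns before `substitutor.validate_substitutions(content, substitutions)` for every content type and every caller whenever the setting is on, so in disconnected mode substitutions are never checked at all, not only during import. The combined condition also carries no comment explaining why a disconnected server must skip this step. Suggest splitting it into its own guard line, `return if Setting[:content_disconnected]`, with a comment stating the reason, and adding a test that enables a repository with the setting on so the skipped path is covered.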
Radek, There is a check that we enabled to confirm the manifest has the correct access to the repos here, so doing a bad manifest should not let you proceed. https://github.com/Katello/katello/blob/master/app/services/katello/pulp3/content_view_version/import_validator.rb#L126 I tested this the following ways: ## Import with a correct manifest and firewalld off - Worked ## Import with a correct manifest and disconnected mode on - Worked ## With the firewall commands run and disconnected mode on, it does time out as reported. When applying Partha's code change it does work correctly: [root@import ~]# less /var/lib/pulp/imports/metadata.json [root@import ~]# hammer content-import library --organization-id 1 --path /var/lib/pulp/imports/ [.............................................................................................................................................................................................................................................................................................................................................] [100%] We will get a PR opened for this, thanks for catching it Radek.
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/33102 has been resolved.
VERIFIED with Satellite 6.10.0 SNAP 13.0

Importing of "paid" content (tested with RHSCL) in disconnected mode and with port 443 blocked on firewall was successful with valid manifest.

Attempt to import with "invalid" manifest (a manifest that does not include required subscription) returns following message:

# Could not import the archive.:
#   The organization's manifest does not contain the subscriptions required to enable the following repositories.
#
#   * Product = 'Red Hat Software Collections (for RHEL Server)', Repository = 'Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server x86_64 7.9'

Attempt to import without a manifest returns:

# Could not import the archive.:
#   No manifest found. Import a manifest with the appropriate subscriptions before importing content.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:4702