Bug 1980791 - Can't import "paid" content in disconnected mode
Summary: Can't import "paid" content in disconnected mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Inter Satellite Sync
Version: 6.10.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: 6.10.0
Assignee: Chris Roberts
QA Contact: Radek Mynar
URL: https://projects.theforeman.org/issue...
Whiteboard:
Depends On:
Blocks:
Reported: 2021-07-09 14:31 UTC by Radek Mynar
Modified: 2021-11-16 14:12 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-16 14:12:32 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 33102 0 Normal Assigned Can't import "paid" content in disconnected mode 2021-07-21 16:00:18 UTC
Github Katello katello pull 9484 0 None closed Fixes #33102 - Allow validate to return if disc mode is enabled 2021-07-28 14:22:29 UTC
Red Hat Product Errata RHSA-2021:4702 0 None None None 2021-11-16 14:12:42 UTC

Description Radek Mynar 2021-07-09 14:31:38 UTC
Description of problem:
"Paid" content can't be imported on airgapped (disconnected) satellite

Version-Release number of selected component (if applicable):
-

How reproducible:
always

Steps to Reproduce:
1. Prepare an export of "paid" content (e.g. RHSCL repository) - (use valid manifest, sync the repo, set download policy to immediate, do the export)
hammer content-export complete library --organization-id <id>
2. Prepare airgapped (disconnected) machine (hammer settings set --name content_disconnected --value true)
3. Copy the exported content to airgapped (disconnected) machine (scp ...)
4a. Use "invalid" manifest (i.e. does not have rights to access RHSCL repository)
4b. Disable outgoing connection on port 443
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=443 -j DROP
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -j ACCEPT
5. Try to import
hammer content-import library --organization-id <id> --path /var/lib/pulp/imports/<path>

Actual results:
Could not import the archive.:
a) Forbidden - server refused to process the request.
b) Request Timeout

Expected results:
The content should be imported in both cases; Satellite should not try to contact the RH CDN when it's in "Disconnected mode".

Additional info:
-
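
To check the expected result directly (no attempt to reach the CDN) instead of inferring it from a timeout, the outbound attempts can be logged and summarised. This is an added example, not part of the original report; the `SAT-OUT443` log prefix, the rule priorities and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes the DROP rule from step 4b
# is preceded by a LOG rule using the hypothetical prefix "SAT-OUT443", e.g.
#   firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 \
#     -p tcp -m tcp --dport=443 -j LOG --log-prefix "SAT-OUT443 "
# with the DROP and ACCEPT rules moved to priorities 1 and 2.

# Constructed kernel log lines (documentation IP ranges), in the form
# `journalctl -k` shows them for the time window of the import.
sample_log() {
cat <<'EOF'
Jul 09 14:40:01 sat kernel: SAT-OUT443 IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 09 14:40:02 sat kernel: SAT-OUT443 IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 09 14:40:09 sat kernel: SAT-OUT443 IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4250 DF PROTO=TCP SPT=51240 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 09 14:40:10 sat kernel: SAT-OUT443 IN= OUT=lo SRC=192.0.2.10 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4251 DF PROTO=TCP SPT=51241 DPT=443 WINDOW=43690 RES=0x00 SYN URGP=0
Jul 09 14:40:11 sat kernel: OTHER-RULE IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4252 DF PROTO=TCP SPT=51242 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}

# stdin: kernel log lines; stdout: "<attempts> <destination>" per remote host.
# Loopback traffic (hammer talking to the local API) is ignored.
outbound_443_dests() {
  awk -v prefix="${1:-SAT-OUT443}" '
    index($0, prefix) == 0 { next }          # not produced by our LOG rule
    {
      dst = ""; dpt = ""; lo = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "OUT=lo")  lo = 1
        if ($i ~ /^DST=/)    dst = substr($i, 5)
        if ($i ~ /^DPT=/)    dpt = substr($i, 5)
      }
      if (!lo && dst != "" && dpt == "443") seen[dst]++
    }
    END { for (d in seen) print seen[d], d }
  ' | sort -k2
}

# Exit status 0 only when the log shows no outbound HTTPS attempt at all.
import_is_offline() {
  [ -z "$(outbound_443_dests "$@")" ]
}

sample_log | outbound_443_dests
```

On a fixed system in disconnected mode, feeding the real kernel log for the import window to `import_is_offline` should succeed; any destination listed by `outbound_443_dests` is a host the import still tried to reach.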

Comment 1 Partha Aji 2021-07-09 14:44:46 UTC
Sounds like disabling the cdn validation on enablement seems to fix it, but further investigation is needed.

diff --git a/app/models/katello/candlepin/repository_mapper.rb b/app/models/katello/candlepin/repository_mapper.rb
index 90ddcb3..7009de7 100644
--- a/app/models/katello/candlepin/repository_mapper.rb
+++ b/app/models/katello/candlepin/repository_mapper.rb
@@ -44,7 +44,7 @@ module Katello
       end
 
       def validate!
-        return if katello_content_type == Repository::OSTREE_TYPE
+       return if katello_content_type == Repository::OSTREE_TYPE || Setting[:content_disconnected]
         substitutor.validate_substitutions(content, substitutions)
       end
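
Review bot: the new `|| Setting[:content_disconnected]` clause on the early `return` in `validate!` skips `substitutor.validate_substitutions(content, substitutions)` entirely whenever disconnected mode is on, so `validate!` no longer rejects a bad substitution for any caller, not only for the import path this bug is about. Consider bypassing only the part of the validation that needs to reach the CDN, or add a comment above the `return` explaining why the whole check is safe to skip in disconnected mode, and add a test that exercises `validate!` with the setting enabled. Style: the added line is indented one space less than the line it replaces.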

Comment 2 Chris Roberts 2021-07-20 19:55:33 UTC
Radek, there is a check that we enabled to confirm the manifest has the correct access to the repos here, so doing a bad manifest should not let you proceed.

https://github.com/Katello/katello/blob/master/app/services/katello/pulp3/content_view_version/import_validator.rb#L126

I tested this the following ways:

## Import with a correct manifest and firewalld off - Worked

## Import with a correct manifest and disconnected mode on - Worked

## With the firewall commands run and disconnected mode on, it does time out as reported.

When applying Partha's code change it does work correctly:

[root@import ~]# less /var/lib/pulp/imports/metadata.json 
[root@import ~]# hammer content-import library --organization-id 1 --path /var/lib/pulp/imports/
[.............................................................................................................................................................................................................................................................................................................................................] [100%]

We will get a PR opened for this, thanks for catching it, Radek.

Comment 3 Bryan Kearney 2021-08-19 08:05:26 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/33102 has been resolved.

Comment 4 Radek Mynar 2021-08-20 15:18:52 UTC
VERIFIED with Satellite 6.10.0 SNAP 13.0

Importing of "paid" content (tested with RHSCL) in disconnected mode and with port 443 blocked on firewall was successful with valid manifest.

Attempt to import with "invalid" manifest (a manifest that does not include required subscription) returns the following message:
# Could not import the archive.:
#   The organization's manifest does not contain the subscriptions required to enable the following repositories.
#    
#   * Product = 'Red Hat Software Collections (for RHEL Server)', Repository = 'Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server x86_64 7.9'

Attempt to import without a manifest returns: 
# Could not import the archive.:
#   No manifest found. Import a manifest with the appropriate subscriptions before importing content.

Comment 7 errata-xmlrpc 2021-11-16 14:12:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702

