Bug 1995540 - Playbook verification fails on RHEL 7
Summary: Playbook verification fails on RHEL 7
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: RH Cloud - Cloud Connector
Version: 6.10.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: 6.10.0
Assignee: satellite6-bugs
QA Contact: Lukáš Hellebrandt
URL:
Whiteboard:
Depends On:
Blocks: 1833033 1990864
Reported: 2021-08-19 11:19 UTC by Petr Pochop
Modified: 2021-11-16 14:13 UTC

Fixed In Version:
Doc Type: Known Issue
Doc Text:
Cause: The code used for verification of playbook signatures was meant to be run on RHEL 8 clients, where python 3 is the default python version. On RHEL 7 with python 2.7.5 it fails to verify the signatures, even if they are in fact valid.

Consequence: Remediations triggered from console.redhat.com as part of find-it-fix-it will not work at all. Satellite will not be able to verify signatures of incoming playbooks and will refuse to execute them.

Workaround (if any): Insights engineering recommends making insights-client use python 3.

1. Install python 3
   satellite-maintain packages install rh-python36

2. Modify insights-client to use python 3
   # Make a backup
   cp /usr/bin/insights-client /usr/bin/insights-client.bak
   # Patch insights-client
   cat /usr/bin/insights-client.bak \
     | sed 's|#!/usr/bin/python.*$|#!/usr/bin/python3|' \
     | sed 's|python2\.7|python3.6|' \
     > /usr/bin/insights-client

3. Symlink insights_client library from python2.7 site-packages to python3.6 site-packages
   ln -s /usr/lib/python2.7/site-packages/insights_client /usr/lib/python3.6/site-packages/insights_client

To revert the workaround:

1. Remove site-packages symlink
   rm /usr/lib/python3.6/site-packages/insights_client

2. Restore insights-client backup
   cp /usr/bin/insights-client.bak /usr/bin/insights-client

Result: Insights-client uses python 3 instead of python 2, playbook signatures now can be verified and find-it-fix-it works.
Clone Of:
Environment:
Last Closed: 2021-11-16 14:13:21 UTC
Target Upstream Version:
Embargoed:
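
The workaround in the Doc Text above has two parts that must both be in effect (patched launcher, library symlink). The following is an added example, not part of the bug report or of insights-client, that classifies which state a host is in; the optional root-prefix argument and the state names are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example (not from the bug report): classify the state of the
# python 3 workaround for insights-client described in the Doc Text.
# The optional ROOT argument is a hypothetical addition so the check can be
# pointed at a scratch tree; with no argument it inspects the live system.
check_workaround() {
    root="${1:-}"
    client="$root/usr/bin/insights-client"
    link="$root/usr/lib/python3.6/site-packages/insights_client"
    target="/usr/lib/python2.7/site-packages/insights_client"
    py3=no
    linked=no

    if [ ! -f "$client" ]; then
        echo "missing"            # launcher not present at all
        return 0
    fi
    # Step 2 of the workaround rewrites the shebang to /usr/bin/python3.
    case "$(head -n 1 "$client")" in
        '#!/usr/bin/python3'*) py3=yes ;;
    esac
    # Step 3 creates a symlink whose target is the python2.7 library path.
    if [ -L "$link" ] && [ "$(readlink "$link")" = "$target" ]; then
        linked=yes
    fi

    if [ "$py3" = yes ] && [ "$linked" = yes ]; then
        echo "applied"
    elif [ "$py3" = no ] && [ ! -e "$link" ] && [ ! -L "$link" ]; then
        echo "not-applied"        # never applied, or fully reverted
    else
        echo "inconsistent"       # only one of step 2 / step 3 is in effect
    fi
}

# Constructed scratch tree: launcher patched (step 2), symlink missing (step 3).
demo=$(mktemp -d)
mkdir -p "$demo/usr/bin" "$demo/usr/lib/python3.6/site-packages"
printf '#!/usr/bin/python3\n' > "$demo/usr/bin/insights-client"
check_workaround "$demo"
rm -rf "$demo"
```

Calling `check_workaround` with no argument inspects the real paths named in the workaround.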


Attachments
Insights-client log (23.15 KB, text/plain)
2021-08-19 11:19 UTC, Petr Pochop


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker   RHCLOUD-15742   0        None      None    None     2021-09-02 13:38:01 UTC
Red Hat Product Errata  RHSA-2021:4702  0        None      None    None     2021-11-16 14:13:33 UTC

Description Petr Pochop 2021-08-19 11:19:31 UTC
Created attachment 1815579
Insights-client log

Description of problem:
When applying a remediation, the playbook signature verification fails.

From receptor log:
"""
receptor[1057]: Playbook Verification has started
receptor[1057]: gpg returned a non-zero error code: 1
receptor[1057]: SIGNATURE NOT VALID: Template [name: Block sudoedit with systemtap] has invalid signature', aborting.
"""
Attached also insights-client log.

Version-Release number of selected component (if applicable):
Satellite 6.10.0 snap 14 on RHEL 7.9
insights-client 3.1.5
insights-core 3.0.235-1

How reproducible:
Always

Steps to Reproduce:
1. Configure cloud connector, have a remediable host and inventory uploaded
2. On CRC, create a remediation
3. Attempt to apply that remediation

OR:
1. Download a remediation playbook from CRC
2. insights-client --module insights.client.apps.ansible.playbook_verifier < playbook.yml

Actual results:
Signature validation fails due to an invalid signature

Expected results:
Successful remediation/signature validation

Additional info:
After discussion with Alec Cohan, this seems to be because the verification code is meant for RHEL8+. When I tried to run the signature validation on a RHEL 8.3 system, the validation passed.

Comment 1 Adam Ruzicka 2021-08-19 14:14:06 UTC
Just to make things clear, this is completely dependent on insights-client. Does it make sense to block the beta on something that can't even be updated by us as the update is delivered out of band?

Comment 9 Lukáš Hellebrandt 2021-10-04 14:47:28 UTC
Verified with Sat 6.10.0 snap 20.0. Playbook verification now passes for a remediation with correct certs and the playbook is run on the host.

Comment 13 errata-xmlrpc 2021-11-16 14:13:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702

