Bug 2035051 - removing nfs-utils cause ovirt-engine removal due to cinderlib dep tree
Summary: removing nfs-utils cause ovirt-engine removal due to cinderlib dep tree
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.4.9
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ovirt-4.5.0
: 4.5.0
Assignee: Ales Musil
QA Contact: Petr Kubica
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-12-22 19:45 UTC by schandle
Modified: 2022-08-22 22:34 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
Red Hat Virtualization 4.4 SP1 uses the updated DISA STIG OpenSCAP profile from RHEL 8.6, which does not remove the gssproxy package. As a result, the Red Hat Virtualization host works correctly after applying the DISA STIG profile.
Clone Of:
Environment:
Last Closed: 2022-05-26 16:23:26 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHV-44399 0 None None None 2021-12-22 19:48:37 UTC
Red Hat Knowledge Base (Solution) 6609341 0 None None None 2021-12-22 21:16:05 UTC
Red Hat Product Errata RHSA-2022:4711 0 None None None 2022-05-26 16:23:39 UTC

Description schandle 2021-12-22 19:45:10 UTC 
Description of problem:
When deploying HostedEngine and using OpenScap, when the package 'gssproxy' is removed from HostedEngineLocal it removes:
~~~
Removing:
 gssproxy                                           x86_64  0.8.0-19.el8                                  @anaconda         263 k
Removing dependent packages:
 nfs-utils                                          x86_64  1:2.3.3-46.el8                                @anaconda         1.5 M
 ovirt-engine                                       noarch  4.4.9.5-0.1.el8ev                             @koji-override-0   38 M
 ovirt-engine-setup                                 noarch  4.4.9.5-0.1.el8ev                             @koji-override-0  671  
 ovirt-engine-setup-plugin-ovirt-engine             noarch  4.4.9.5-0.1.el8ev                             @koji-override-0  776 k
~~~



Version-Release number of selected component (if applicable):


How reproducible:
100% Customer is seeing, and has been verified in the lab

Steps to Reproduce:
1. Deploy RHVH with security profile
2. Deploy Self Hosted engine
3. Yes to openscap

Actual results:

The deployment will fail as engine setup is not installed:
~~~
2021-12-21 13:55:18,532-0500 INFO otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:112 TASK [**FILTERED**.rhv.engine_setup : Install oVirt Engine package]
2021-12-21 13:55:22,246-0500 DEBUG otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:106 {'msg': 'Failed to install some of the specified packages', 'failures': ['No package ovirt-engine available.'], 'results': [], 'rc': 1, 'invocation': {'module_args': {'name': ['ovirt-engine'], 'state': 'present', 'allow_downgrade': False, 'autoremove': False, 'bugfix': False, 'disable_gpg_check': False, 'disable_plugin': [], 'disablerepo': [], 'download_only': False, 'enable_plugin': [], 'enablerepo': [], 'exclude': [], 'installroot': '/', 'install_repoquery': True, 'install_weak_deps': True, 'security': False, 'skip_broken': False, 'update_cache': False, 'update_only': False, 'validate_certs': True, 'lock_timeout': 30, 'conf_file': None, 'disable_excludes': None, 'download_dir': None, 'list': None, 'releasever': None}}, '_ansible_no_log': False, 'changed': False, '_ansible_delegated_vars': {'ansible_host': '192.168.222.225', 'ansible_port': None, 'ansible_user': 'root', 'ansible_connection': 'smart'}}
2021-12-21 13:55:22,347-0500 ERROR otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:110 fatal: [localhost -> 192.168.222.225]: FAILED! => {"changed": false, "failures": ["No package ovirt-engine available."], "msg": "Failed to install some of the specified packages", "rc": 1, "results": []}
~~~

While configuring Openscap for bootstrap, it needs to remove several packages that do not meet this security protocol.  The issue is that when removing gssproxy, it removes 'rhvm'

Expected results:
When preparing for openscap, need to prevent the removal of the dependencies.  


Additional info:

The current workaround is to pause the deployment prior to engine-setup, add the engine repos, yum install rhvm, and finally remove the individual rpm package for the deployment to continue.
Comment 1 schandle 2021-12-22 19:47:28 UTC 
This looks like BZ https://bugzilla.redhat.com/show_bug.cgi?id=1867158 that has since been closed in 4.4.3
Comment 2 Sandro Bonazzola 2022-01-07 15:37:59 UTC 
nfs-utils is not required anymore since Tue Oct 13 13:43:39 2020 - ovirt-engine-4.4.3.8 - https://gerrit.ovirt.org/c/ovirt-engine/+/111689

gssproxy is not required at all.

Going to dig into this.
Comment 4 Sandro Bonazzola 2022-01-07 15:53:08 UTC 
nfs-utils is required by python3-os-brick which is required by python3-cinder-common which is required by python3-cinderlib which is needed by ovirt-engine.

Moving to storage team as they need to either:
- fix the dependency chain
- or give up on requiring cinderlib 
- or fix the security profile for not removing gssproxy for RHV
Comment 5 Martin Perina 2022-01-07 18:23:59 UTC 
This is going to be fixed in RHV 4.4 SP1 where we introduce proper support to DISA STIG (BZ2015796 and BZ2015802) and PCI-DSS (BZ2030596 and BZ2030226) openscap profiles, so aligning status with those RFEs.
Comment 6 Ales Musil 2022-03-03 10:13:07 UTC 
This will be fixed with release of RHV SP1.
Comment 10 Petr Kubica 2022-05-09 07:03:04 UTC 
Verified in rhv-release-4.5.0-8-001.noarch

Installed RHEL8, yes to Openscap profile, choosed stig.
Engine was successfully deployed
Comment 15 errata-xmlrpc 2022-05-26 16:23:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4711
Note You need to log in before you can comment on or make changes to this bug.