Bug 2040706 - Leapp cannot upgrade with a custom https repo
Summary: Leapp cannot upgrade with a custom https repo
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: leapp-repository
Version: 7.9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Leapp Notifications Bot
QA Contact: upgrades-and-conversions
URL:
Whiteboard:
Duplicates: 1917469
Depends On:
Blocks: 1818088
Reported: 2022-01-14 15:21 UTC by Christophe Besson
Modified: 2023-07-31 07:12 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OAMG-6388 0 None None None 2022-01-14 15:32:20 UTC
Red Hat Issue Tracker RHELPLAN-108196 0 None None None 2022-01-14 15:32:25 UTC

Description Christophe Besson 2022-01-14 15:21:58 UTC
Description of problem:
Customer uses custom repositories hosted behind an HTTPS server.
They use a dedicated certificate which is not copied into the target userspace, leading to an error while trying to retrieve the metadata.

Version-Release number of selected component (if applicable):
leapp-upgrade-el7toel8-0.15.0-6.el7_9

How reproducible:
Always

Steps to Reproduce:
1. Set up an HTTPS server hosting your repositories
2. Specify the certificate in sslcacert in the repo file

Actual results:
[MIRROR] libcgroup-0.41-19.el8.x86_64.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://<HIDDEN_HOSTNAME>/pulp/content/ci-rhel8-baseos2/Packages/l/libcgroup-0.41-19.el8.x86_64.rpm [SSL certificate problem: unable to get local issuer certificate]

Additional info:
- Setting sslverify=0 is a workaround, but this is not what the customer wants.

- The issue was worked around by bind-mounting the /etc/pki/ca-trust directory into the container (by modifying ALWAYS_BIND in mounting.py).

- I think something that allows simply adding files into the target userspace could help. With the patch below, a user can execute the following command to move forward:
# for f in $(find /etc/pki/ca-trust -type f); do echo $f:$f >> /etc/leapp/filesfortargetuserspace.conf; done

--- /usr/share/leapp-repository/repositories/system_upgrade/common/actors/scanfilesfortargetuserspace/libraries/scanfilesfortargetuserspace.py.orig	2022-01-14 15:55:58.698593070 +0100
+++ /usr/share/leapp-repository/repositories/system_upgrade/common/actors/scanfilesfortargetuserspace/libraries/scanfilesfortargetuserspace.py	2022-01-14 16:08:35.738180885 +0100
@@ -8,6 +8,8 @@
     '/etc/hosts': '/etc/hosts'
 }
 
+FILES_FOR_TARGET_USERSPACE_CFG = '/etc/leapp/filesfortargetuserspace.conf'
+
 
 def scan_files_to_copy():
     """
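Review bot: FILES_FOR_TARGET_USERSPACE_CFG is added with no comment describing the file it names; the expected format (one "src:dst" pair per line) can only be inferred from the parsing code in the next hunk. Document the format next to the constant. The hunk also adds no import, so confirm that os is already imported at the top of the module, since the next hunk calls os.path.exists.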
@@ -21,6 +23,17 @@
             dst_path = FILES_TO_COPY_IF_PRESENT[src_path]
             files_to_copy.append(CopyFile(src=src_path, dst=dst_path))
 
+    if os.path.exists(FILES_FOR_TARGET_USERSPACE_CFG):
+        try:
+            with open(FILES_FOR_TARGET_USERSPACE_CFG, "r") as f:
+                additional_files = f.readlines()
+            for line in additional_files:
+                src_path, dst_path = line.split(':')
+                files_to_copy.append(CopyFile(src=src_path, dst=dst_path))
+        except:
+            # silence any error (EACCES, EPERM, bad file format, ...)
+            pass
+
     preupgrade_task = TargetUserSpacePreupgradeTasks(copy_files=files_to_copy)
 
     api.produce(preupgrade_task)
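Review bot: "src_path, dst_path = line.split(':')" runs on raw readlines() output, so every dst_path keeps its trailing newline, and a blank line or a path containing a second colon raises ValueError. The bare "except: pass" then swallows that error after earlier entries have already been appended, so the remaining entries are dropped silently and the user ends up with the same Curl error (60) and no hint why. Strip each line, skip empty ones, use line.split(':', 1), and catch only the expected exceptions (IOError/OSError, ValueError) while logging them. Because every listed file is copied into the target userspace as given, also consider requiring absolute paths and checking that the config file is owned by root and not group- or world-writable before using it.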

Comment 10 Petr Stodulka 2023-07-26 07:56:32 UTC
*** Bug 1917469 has been marked as a duplicate of this bug. ***
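
A pre-upgrade check for the failure reported in the description, as an added example that is not part of the bug report or of leapp: it parses repo file content, lists the TLS files referenced by enabled repos that are absent under a given target root, and flags repos that fall back to sslverify=0. The sample repo content, the hostname and the target_root parameter (the directory holding the target userspace) are assumptions made for illustration.

```python
import configparser
import os

# dnf repo options that point at TLS files on disk
TLS_FILE_OPTIONS = ("sslcacert", "sslclientcert", "sslclientkey")
FALSE_VALUES = {"0", "false", "no", "off"}

# Constructed sample .repo content (hostname and paths are made up)
SAMPLE_REPO = """\
[custom-baseos]
name=Custom BaseOS
baseurl=https://repo.example.com/pulp/content/baseos
enabled=1
sslverify=1
sslcacert=/etc/pki/ca-trust/source/anchors/internal-ca.pem

[custom-appstream]
name=Custom AppStream
baseurl=https://repo.example.com/pulp/content/appstream
enabled=1
sslverify=0
"""


def _is_true(repo, option):
    # Both "enabled" and "sslverify" default to true when absent
    return repo.get(option, "1").strip().lower() not in FALSE_VALUES


def audit_repo_tls(repo_text, target_root):
    """Return (missing, unverified) for the enabled repos in repo_text.

    missing: repo id -> TLS files it references that are absent under target_root
    unverified: repo ids that set sslverify to a false value
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(repo_text)
    missing, unverified = {}, []
    for repo_id in parser.sections():
        repo = parser[repo_id]
        if not _is_true(repo, "enabled"):
            continue
        if not _is_true(repo, "sslverify"):
            unverified.append(repo_id)
        for option in TLS_FILE_OPTIONS:
            path = repo.get(option, "").strip()
            # Map the host path to the same path inside the target root
            if path and not os.path.isfile(os.path.join(target_root, path.lstrip("/"))):
                missing.setdefault(repo_id, []).append(path)
    return missing, unverified
```

A repo that sets no sslcacert relies on the system trust store instead, which is the /etc/pki/ca-trust case mentioned in the description and is not covered by this check.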

