2271398 – keycloak-httpd-client-install doesn't work without python3-lxml but it's not dependency and not documented

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2271398 - keycloak-httpd-client-install doesn't work without python3-lxml but it's not dependency and not documented

Summary: keycloak-httpd-client-install doesn't work without python3-lxml but it's not ...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Authentication
Sub Component:
Version:	6.15.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	Unspecified
Assignee:	Adam Lazik
QA Contact:	Satellite QE Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-03-25 12:42 UTC by Lukáš Hellebrandt
Modified:	2024-04-16 09:53 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2024-04-16 09:53:23 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	theforeman foreman-documentation pull 2918	0	None	open	Add missing required package	2024-03-28 14:31:33 UTC
Red Hat Issue Tracker	SAT-24144	0	None	None	None	2024-03-25 12:43:28 UTC

Description Lukáš Hellebrandt 2024-03-25 12:42:05 UTC

Description of problem:
keycloak-httpd-client-install doesn't work without python3-lxml rpm installed, the error message is:
```
from lxml import etree
ModuleNotFoundError: No module named 'lxml'
```

keycloak-httpd-client-install doesn't have python3-lxml as a requirement.

Our documentation doesn't mention python3-lxml needs to be installed manually:
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.14/html/installing_satellite_server_in_a_connected_network_environment/configuring_external_authentication_satellite#Configuring_Project_with_Keycloak_Authentication_keycloak-general

This KB article shows the solution:
https://access.redhat.com/solutions/7048727

I think this BZ should be flipped either into an RHSSO bug because the package should have a dependency specified, or a Satellite docs bug because we should document the package needs to be installed manually. I will leave it up to triage.

Version-Release number of selected component (if applicable):
All

How reproducible:
Deterministic

Steps to Reproduce:
1. Follow the linked docs

Actual results:
Error, docs can't be followed and the KB article needs to be followed to continue

Expected results:
python3-lxml is either installed automatically as a dependency or the docs mentions its installation

Comment 1 Odilon Sousa 2024-03-25 15:02:56 UTC

Hi @lhellebr 

On Satellite we package python-lxml, but we only package with our supported version of Python, for 6.15 is python3.11, you can run dnf info python3.11-lxml and the package will be present in the list.

For python3-lxml, this is the packaging built with the base python from the RHEL release, it would be necessary to add python3-lxml to the requirements of keycloak-httpd-client-install if that's the package/module requiring lxml, we don't control keycloak-httpd-client-install or mod_auth_openidc at Satellite Packaging.

Comment 2 Adam Ruzicka 2024-03-27 09:09:35 UTC

Filed https://issues.redhat.com/browse/RHEL-30559 against rhel to have the dependency added. In the meantime, let's reuse the bz for resolving this in our docs.

Comment 3 Adam Lazik 2024-03-28 12:01:14 UTC

Hi, created PR to add python3-lxml to the step with installing packages: https://github.com/theforeman/foreman-documentation/pull/2918

Comment 4 Ewoud Kohl van Wijngaarden 2024-04-03 10:12:07 UTC

Which version (In reply to Lukáš Hellebrandt from comment #0)
> Description of problem:
> keycloak-httpd-client-install doesn't work without python3-lxml rpm
> installed, the error message is:
> ```
> from lxml import etree
> ModuleNotFoundError: No module named 'lxml'
> ```
> 
> keycloak-httpd-client-install doesn't have python3-lxml as a requirement.

Which version do you have installed? There's a keycloak-httpd-client-install in RHEL appstream (1.0 for RHEL 8), but we also ship one ourselves (1.2.2) which does contain the dependency.

> Our documentation doesn't mention python3-lxml needs to be installed
> manually:

Because it shouldn't be needed.

> I think this BZ should be flipped either into an RHSSO bug because the
> package should have a dependency specified, or a Satellite docs bug because
> we should document the package needs to be installed manually. I will leave
> it up to triage.

There should be a bug against RHEL for the base version, but our version is correct. At least in upstream.

If you didn't enable the DNF module, then you don't get our version. I also only tested upstream,but it could be an issue in the Satellite repos.

Comment 5 Ewoud Kohl van Wijngaarden 2024-04-03 10:13:55 UTC

(In reply to Odilon Sousa from comment #1)
> For python3-lxml, this is the packaging built with the base python from the
> RHEL release, it would be necessary to add python3-lxml to the requirements
> of keycloak-httpd-client-install if that's the package/module requiring
> lxml, we don't control keycloak-httpd-client-install or mod_auth_openidc at
> Satellite Packaging.

In upstream we do have a newer version of keycloak-httpd-client-install:
https://github.com/theforeman/foreman-packaging/tree/rpm/develop/packages/foreman/keycloak-httpd-client-install

Comment 6 Ewoud Kohl van Wijngaarden 2024-04-03 14:06:51 UTC

Digging deeper we have:

* RHEL 7 ships https://github.com/jdennis/keycloak-httpd-client-install version 0.8
* RHEL 8 ships https://github.com/jdennis/keycloak-httpd-client-install version 1.0
* RHEL 9 ships https://github.com/jdennis/keycloak-httpd-client-install version 1.1
* Fedora also ships https://src.fedoraproject.org/rpms/keycloak-httpd-client-install version 1.1

In upstream we use https://github.com/jdennis/keycloak-httpd-client-install version 1.2

This fork has effectively two patches:

* https://github.com/jdennis/keycloak-httpd-client-install/commit/6dd6b7d9c7241a2d2054a6cabd96b0ff2b77e760 include keycloak-rest as a binary
* https://github.com/jdennis/keycloak-httpd-client-install/commit/d60f325eb85bfdf41cbbcd7209d75cd7cca059e4 Python 2 compatibility

The former is also included in Fedora & RHEL, the latter is irrelevant on RHEL 8+.

That only leaves the difference between RHEL 8 & 9, which is 1.0 vs 1.1:

https://github.com/jdennis/keycloak-httpd-client-install/compare/RELEASE_1_0...RELEASE_1_1 doesn't show anything that looks needed. My suspicion is that in upstream we added keycloak-httpd-client-install for EL7 support (0.8 doesn't support mod-auth_openidc) and then continued building it for newer releases, unaware that we could rely on the base OS.

I see a few follow up actions:
* Open a bug against RHEL 8
* Change the Satellite documentation to install python3-lxml, referencing the above bug to note it was only for RHEL 8
* Either once the bug is resolved or once we drop RHEL 8 we stop installing python3-lxml in the documentation
* Upstream we consider how to move away from our custom package

Comment 7 Ewoud Kohl van Wijngaarden 2024-04-08 16:34:26 UTC

(In reply to Ewoud Kohl van Wijngaarden from comment #6)
> In upstream we use https://github.com/jdennis/keycloak-httpd-client-install
> version 1.2

This should be https://github.com/latchset/keycloak-httpd-client-install

> I see a few follow up actions:
> * Open a bug against RHEL 8

https://issues.redhat.com/browse/RHEL-31496

Comment 9 Adam Lazik 2024-04-16 09:53:23 UTC

The documentation has been updated with the python3-lxml package:
6.14: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.14/html-single/installing_satellite_server_in_a_connected_network_environment/index#registering-satellite-as-a-keycloak-client_keycloak-general
6.13: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.13/html-single/installing_satellite_server_in_a_connected_network_environment/index#registering-satellite-as-a-keycloak-client_keycloak-general
6.12: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.12/html-single/installing_satellite_server_in_a_connected_network_environment/index#registering-satellite-as-a-keycloak-client_keycloak-general

Note You need to log in before you can comment on or make changes to this bug.