Description of problem: When subscribing to a subscription pool and installing the first package from that repo, the product-id plugin will lay down the product cert pem into /etc/pki/product, but then when you yum remove that same package, the product cert should be removed. Currently it is not getting removed. This is important because once all the packages from a product are removed, then the product id should not stay on the client otherwise subscription manager will report the product as "invalid/out-of-compliance". Version-Release number of selected component (if applicable): [root@jsefler-onprem-5server ~]# rpm -qa | grep subscription-manager subscription-manager-firstboot-0.95.5.18-1.el5 subscription-manager-0.95.5.18-1.el5 subscription-manager-gnome-0.95.5.18-1.el5 How reproducible: Steps to Reproduce: # create the following repo: [root@jsefler-onprem-5server ~]# cat /etc/yum.repos.d/rhel57test.repo [rhel57test] name=test $releasever - $basearch baseurl=http://porkchop.devel.redhat.com/rel-eng/RHEL-5.7-Server-Beta-1.2/tree-x86_64/Server/ enabled=1 gpgcheck=0 root@jsefler-onprem-5server ~]# grep hostname /etc/rhsm/rhsm.conf # Server hostname: hostname = subscription.rhn.stage.redhat.com proxy_hostname = [root@jsefler-onprem-5server yum.repos.d]# subscription-manager register --username=stage_test_10 --password=redhat 1be4ad84-5fbe-4e7d-a41b-af08b731fcbd jsefler-onprem-5server.usersys.redhat.com [root@jsefler-onprem-5server yum.repos.d]# subscription-manager list --installed No installed Products to list ^^^^ Notice that no products are installed (nothing in /etc/pki/product) [root@jsefler-onprem-5server ~]# yum list zsh Loaded plugins: product-id, security, subscription-manager Updating Red Hat repositories. Available Packages zsh.x86_64 4.2.6-5.el5 rhel57test [root@jsefler-onprem-5server ~]# [root@jsefler-onprem-5server ~]# yum install zsh Loaded plugins: product-id, security, subscription-manager Updating Red Hat repositories. Setting up Install Process Resolving Dependencies --> Running transaction check ---> Package zsh.x86_64 0:4.2.6-5.el5 set to be updated --> Finished Dependency Resolution Dependencies Resolved ==================================================================================================================================================== Package Arch Version Repository Size ==================================================================================================================================================== Installing: zsh x86_64 4.2.6-5.el5 rhel57test 1.8 M Transaction Summary ==================================================================================================================================================== Install 1 Package(s) Upgrade 0 Package(s) Total download size: 1.8 M Is this ok [y/N]: y Downloading Packages: zsh-4.2.6-5.el5.x86_64.rpm | 1.8 MB 00:01 Running rpm_check_debug Running Transaction Test Finished Transaction Test Transaction Test Succeeded Running Transaction Installing : zsh 1/1 rhel57test/productid | 1.7 kB 00:00 duration: 344(ms) installing: 95.pem Installed products updated. Installed: zsh.x86_64 0:4.2.6-5.el5 Complete! ^^^^ Notice that package zsh was installed from the rhel57test repo and that the 95.pem product cert was installed... [root@jsefler-onprem-5server ~]# ls /etc/pki/product/ 95.pem [root@jsefler-onprem-5server ~]# subscription-manager list --installed +-------------------------------------------+ Installed Product Status +-------------------------------------------+ ProductName: Red Hat Enterprise Linux Server Status: Not Subscribed Expires: Subscription: ContractNumber: AccountNumber: Now, let's remove the package... [root@jsefler-onprem-5server ~]# yum remove zsh Loaded plugins: product-id, security, subscription-manager Updating Red Hat repositories. Setting up Remove Process Resolving Dependencies --> Running transaction check ---> Package zsh.x86_64 0:4.2.6-5.el5 set to be erased --> Finished Dependency Resolution Dependencies Resolved ==================================================================================================================================================== Package Arch Version Repository Size ==================================================================================================================================================== Removing: zsh x86_64 4.2.6-5.el5 installed 3.6 M Transaction Summary ==================================================================================================================================================== Remove 1 Package(s) Reinstall 0 Package(s) Downgrade 0 Package(s) Is this ok [y/N]: y Downloading Packages: Running rpm_check_debug Running Transaction Test Finished Transaction Test Transaction Test Succeeded Running Transaction Erasing : zsh 1/1 duration: 321(ms) Installed products updated. Removed: zsh.x86_64 0:4.2.6-5.el5 Complete! [root@jsefler-onprem-5server ~]# ls /etc/pki/product/ 95.pem [root@jsefler-onprem-5server ~]# subscription-manager list --installed +-------------------------------------------+ Installed Product Status +-------------------------------------------+ ProductName: Red Hat Enterprise Linux Server Status: Not Subscribed Expires: Subscription: ContractNumber: AccountNumber: ^^^ Notice that after removing the zsh package (from the rhel57test repo) the product cert (95.pem) was not uninstalled. [root@jsefler-onprem-5server ~]# subscription-manager facts --list | grep .entitlements_valid system.entitlements_valid: False ^^^ And notice that we are now considered "invalid/uncompliant" Expected results: When all packages from a repo are removed, then the corresponding product cert should be removed. Additional info:
I tested this some more, and the cert gets removed only if the repo is removed or disabled. For example, if you set "enabled=0" in the repo conf file, that will do it. I'm testing now to see if this is the same behavior as 6.
rhel6 is package based, not repo based. "yum install ccs" will lay down the HA cert, and "yum remove ccs" will remove it. The docs also mention that product certs are package based.
*** This bug has been marked as a duplicate of bug 707313 ***