Red Hat Bugzilla – Bug 803357
erratas of filtered packages should not be promoted
Last modified: 2015-01-04 16:59:15 EST
Description of problem:
Right now Katello promotes the errata of a package that is filtered out to the next environment. Thus having errata but no package there.
Version-Release number of selected component (if applicable):
Recent CFSE build
Steps to Reproduce:
* client remember an org
* provider create --name pulp
* product create --name pulp --provider pulp
* repo create --name pulp-64bit --product pulp --url http://inecas.fedorapeople.org/fakerepos/zoo3/
* repo sync --name pulp-64bit --product pulp
* filter create --name no_bear --packages bear
* repo add_filter --name pulp-64bit --filter no_bear --product pulp
* environment create --name Dev --prior Library
* changeset create --name cs_Dev --environment Dev
* changeset update --from_product pulp --add_repo pulp-64bit --name cs_Dev --environment Dev
* changeset promote --name cs_Dev --environment Dev
errata list --repo pulp-64bit --product pulp --environment Dev
(shows RHEA-2012:0001 Bear_Erratum)
RHEA-2012:0001 should not be promoted (as the promoted repo does not contain the errata package: bear)
please consider also the case when just one package of errata (that might contain >1 packages there) is blacklisted.
Though we have to check this during promotion and it could be done on Pulp's side it would be good to also notify user in advance before the actual promotion starts.
e7e2ab8 803357 - errata with packages affected by filters are not promoted
I added validation for changeset errata that looks if contained packages are restricted by filters. If so, the erratum can't be added to changeset. User is notified in advance before the promotion starts.
The second part of the problem is promotion of a whole repo with errata. This must be solved in Pulp. It should not promote any of errata with filtered packages. I'm switching component of the bug to pulp and leaving the rest for Pulp specialists.
This bug brought me an idea:
If some errata are going to be skipped automatically users should know about it. We may consider adding some promotion status reports that would sum up what happened during the promotion. Eg. 20 packages updated, 10 packages filtered out, 1 errata filtered out. I expect more information that is worth reporting after we introduce demotion.
Not sure this is that simple. Errata's can contain references to multiple packages. Not sure the correct behavior would be to prevent an errata from being promoted if one of the packages is missing from the environment (or a specific nvrea is missing)....all of them....maybe.
Also, with regards to the validation you added....what if I promoted foo.0.rpm into production, and then added a filter for foo.rpm so that I could stay on version 0 regardless of what was sync'd into the Library. This validation would prevent me from seeing any RHSA (security) errata for foo. This seems bad to me; and something we should reconsider.
With regards to this bug, I would *not* consider this a blocker for 1.0.0; and would suggest that we move to 1.1 while we determine how to address. Regardless, the Pulp and the Katello-agent will only attempt to update the packages for an errata that *are* installed on the system
This does not meet the severity criteria for a beta blocker at this stage of the Cloudforms release cycle. Pushing to 1.1.
I agree with ToddS (his first part):
If I filter a package, say "emacs" and a security erratum comes down that updates both "emacs" and say "vim", I *think* the right default behavior should be to promote the erratum, but not that one package. And issue a warning that this happened. Maybe even a warning and a confirmation.
This is about "expected behavior". I want that erratum applied, but don't want a specific package.
What we might think about doing is to make this behavior configurable. I.e., I set it so that "if an erratum contains an RPM I have filtered, block the promotion of the erratum".
I believe that most folks want the erratum to promote through, but missing the filtered package.
ToddS's second part: if a customer wants to block foo.rpm > v22.214.171.124, we need to work towards filters that allow a range of versions. That requires more discussion.
This was resolved in the Beta release of Sat6. Feel free to re-open if this occurs again.