Bug 834125 - subscription-manager refresh does not update gpgcheck settings
Status: CLOSED CURRENTRELEASE
Product: Candlepin
Classification: Community
Component: candlepin
Version: 0.5
Platform: Unspecified Unspecified
Priority: medium
Severity: medium
Assigned To: Bryan Kearney
QA Contact: Entitlement Bugs
Duplicates: 859434
Blocks: 814118 827943 rhsm-rhel70
Reported: 2012-06-20 17:58 EDT by Mike McCune
Modified: 2015-05-14 12:04 EDT
Doc Type: Bug Fix
Last Closed: 2014-09-29 15:04:48 EDT
Type: Bug

Description Mike McCune 2012-06-20 17:58:36 EDT
If an upstream repository in Candlepin (Katello) has a GPG key added *after* a system has registered, subscription-manager will not update the redhat.repo file to note this change.

The only way you can get the redhat.repo file to update the gpgcheck field is to wipe out the file or re-register the machine.

Exact steps:

1) create repository in Katello, ensure that NO gpg key is assigned
2) sync content, promote to an environment, eg Dev
3) register system to Dev, subscribe to product containing repo from step (1)
4) Note that gpgcheck is 0:

gpgcheck = 0

5) Assign a GPG key, re-promote the repo in Katello to Dev.
6) Run 'subscription-manager refresh && yum repolist'
7) Note that gpgcheck is still 0
8) Wipe out redhat.repo with a 0 byte file: "echo '' > /etc/yum.repos.d/redhat.repo"
9) Run 'subscription-manager refresh && yum repolist'
10) Note that gpgcheck is now 1:

gpgcheck = 1

You can also just re-register the system instead of step 8, that will also set the correct gpgcheck param.

NOTE: This may be a regression between versions 0.96 -> 0.99 because while testing the following you will note it worked fine for me : https://bugzilla.redhat.com/show_bug.cgi?id=824581#c5
Comment 1 Mike McCune 2012-06-20 17:59:20 EDT
See also:

https://bugzilla.redhat.com/show_bug.cgi?id=827943

I filed this bug because of the behavior noticed in the above
Comment 3 James Bowes 2012-10-09 12:12:35 EDT
We should check to see if there was _not_ a gpgUrl when we detect one. if the state has changed from no url to a url, turn on checking, else leave as it was.
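The one-sentence rule in the comment above, written out as an added example (this is not subscription-manager or Candlepin code, and it is not the approach the project ultimately shipped; later comments move the settings server-side as content overrides). The function reads a constructed redhat.repo, takes a constructed list of content definitions in the shape of the server's /content/{id} JSON, and turns gpgcheck on only for the transition "no gpgUrl before, gpgUrl now", leaving any other local gpgcheck value untouched. The CDN prefix prepended to gpgUrl, the repo file contents and the content list are assumptions.

```python
"""Rule from comment 3: when the server starts reporting a gpgUrl for a content
set that previously had none, switch gpgcheck on; otherwise leave the local
setting as it was."""
import configparser

CDN_BASE = "https://cdn.redhat.com"  # assumed prefix the client puts in front of gpgUrl

# Constructed redhat.repo as written at registration time (not output from the bug).
EXISTING_REPO = """\
[content-label-no-gpg]
name = content-nogpg
baseurl = https://cdn.redhat.com/foo/path
enabled = 1
gpgcheck = 0

[content-label-empty-gpg]
name = content-emptygpg
baseurl = https://cdn.redhat.com/foo/path
enabled = 1
gpgcheck = 0

[content-label]
name = content-label
baseurl = https://cdn.redhat.com/foo/path
enabled = 1
gpgcheck = 0
gpgkey = https://cdn.redhat.com/foo/path/gpg/
"""

# Content definitions as the server reports them now (field names follow the
# /content/{id} JSON seen later in this bug; the values are constructed).
SERVER_CONTENT = [
    {"label": "content-label-no-gpg", "gpgUrl": "/test/gpgkey/234"},      # key added since registration
    {"label": "content-label-empty-gpg", "gpgUrl": ""},                   # still no key
    {"label": "content-label", "gpgUrl": "/foo/path/gpg/"},               # key unchanged, gpgcheck set to 0 locally
    {"label": "never-enabled-content", "gpgUrl": "/foo/path/never/gpg"},  # repo not in the file yet
]


def load_sections(repo_text):
    """Parse a yum .repo file into {repo_id: {option: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    return {name: dict(cp[name]) for name in cp.sections()}


def merge_gpg_settings(repo_text, server_content, cdn_base=CDN_BASE):
    """Return {repo_id: options} after applying the server's gpgUrl state."""
    existing = load_sections(repo_text)
    merged = {}
    for content in server_content:
        label = content["label"]
        new_url = content.get("gpgUrl") or ""
        opts = dict(existing.get(label, {}))
        had_key = bool(opts.get("gpgkey"))
        if label not in existing:
            # brand-new repo: the server's state decides
            opts["gpgcheck"] = "1" if new_url else "0"
        elif new_url and not had_key:
            # transition none -> url: the case this bug is about
            opts["gpgcheck"] = "1"
        # every other state keeps whatever gpgcheck the file already had
        if new_url:
            opts["gpgkey"] = cdn_base + new_url
        merged[label] = opts
    return merged


if __name__ == "__main__":
    for repo_id, opts in merge_gpg_settings(EXISTING_REPO, SERVER_CONTENT).items():
        print("[%s] gpgcheck=%s gpgkey=%s" % (repo_id, opts.get("gpgcheck"), opts.get("gpgkey", "")))
```

Note what the "leave as it was" branch implies: a repo that already had a key and whose gpgcheck was edited to 0 locally (content-label above) stays at 0 after the merge, so this rule preserves local opt-outs as well as the default.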
Comment 4 RHEL Product and Program Management 2012-12-14 02:49:20 EST
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 5 Bryan Kearney 2013-02-22 15:44:56 EST
*** Bug 859434 has been marked as a duplicate of this bug. ***
Comment 6 William Poteat 2013-10-14 12:47:06 EDT
This will get covered in the new Consumer Content Override work. The behavior may be slightly different, but the values will be stored at the CP server and will not be wiped out on refresh.
Comment 10 William Poteat 2013-11-11 15:05:34 EST
Confirmed that changes to the gpgkey url at the server will get propagated to the repo file when 'subscription-manager refresh && yum repolist' is called.
Comment 11 John Sefler 2014-01-24 19:48:31 EST
[root@jsefler-7 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.9.2-1
subscription-manager: 1.10.11-1.el7
python-rhsm: 1.10.11-1.el7


Not sure whether or not to move this to VERIFIED because (as indicated in comment 6), the new Consumer Content Override feature allows a system consumer to create repo parameter overrides (including gpgcheck) that will persist overriding repo parameters as subscriptions are attached/removed/refreshed on a per consumer basis.  The new Consumer Content Override feature puts the power to manage gpgcheck in the hands of the consumer.

Comment 0 is reporting a different issue... changes to the gpgcheck in the repo definitions are being made on the server which are not causing the consumer's already existing entitlements to refresh (or should I say be automatically revoked and re-issued with the altered repo definition).

Setting a NEEDINFO on mmccune and the Katello QE team to decide if the original problem still exists and/or is satisfied by the new Consumer Content Override feature which works like this...


After attaching a subscription, here are my default gpgchecks in redhat.repo....

[root@jsefler-7 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|gpgcheck"
[awesomeos]
gpgcheck = 1
[awesomeos-x86_64]
gpgcheck = 1
[never-enabled-content]
gpgcheck = 1


Now I can create content overrides specific to each repo id...

[root@jsefler-7 ~]# subscription-manager repo-override --repo=awesomeos --repo=awesomeos-x86_64 --repo=never-enabled-content --add=gpgcheck:0 
[root@jsefler-7 ~]# subscription-manager repo-override --list
Repository: awesomeos
  gpgcheck: 0

Repository: awesomeos-x86_64
  gpgcheck: 0

Repository: never-enabled-content
  gpgcheck: 0

[root@jsefler-7 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|gpgcheck"
[awesomeos]
gpgcheck = 0
[awesomeos-x86_64]
gpgcheck = 0
[never-enabled-content]
gpgcheck = 0

And I can remove them too...

[root@jsefler-7 ~]# subscription-manager repo-override --remove-all
[root@jsefler-7 ~]# subscription-manager repo-override --list
This system does not have any content overrides applied to it.
[root@jsefler-7 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|gpgcheck"
[awesomeos]
gpgcheck = 1
[awesomeos-x86_64]
gpgcheck = 1
[never-enabled-content]
gpgcheck = 1
Comment 12 John Sefler 2014-02-21 12:18:57 EST
Testing Version...
[root@jsefler-7 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.9.3-1
subscription-manager: 1.10.14-2.el7
python-rhsm: 1.10.12-1.el7


Testing with the candlepin TESTDATA deployed...


[root@jsefler-7 ~]# subscription-manager list --consumed
+-------------------------------------------+
   Consumed Subscriptions
+-------------------------------------------+
Subscription Name: Awesome OS Server Basic
Provides:          Awesome OS Server Bits
SKU:               awesomeos-server-basic
Contract:          5
Account:           12331131231
Serial:            7713088041753855444
Pool ID:           8a9087e3445087800144508852f20606
Active:            True
Quantity Used:     1
Service Level:     None
Service Type:      Self-Support
Status Details:    
Subscription Type: Standard
Starts:            02/19/2014
Ends:              02/19/2015
System Type:       Physical


[root@jsefler-7 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|^gpg"
[content-label-empty-gpg]
gpgcheck = 0
[never-enabled-content]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/never/gpg
[content-label-no-gpg]
gpgcheck = 0
[content-label]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/gpg/


NOTICE: Above we have a single entitlement that grants us access to four repos.  Each repo has a value for gpgcheck as granted by the candlepin server.  Two of them are disabled, because there is no gpgkey.  Let's issue a candlepin API call to update the presence of a gpgkey which will in turn set gpgcheck values to 1...

First we need to get their ids...
[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request GET  https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/ | python -m simplejson/tool | egrep "id|label|gpgUrl" | egrep -B2 "(content-label-empty-gpg|content-label-no-gpg)"
        "gpgUrl": "",
        "id": "234",
        "label": "content-label-no-gpg",
--
        "gpgUrl": "",
        "id": "235",
        "label": "content-label-empty-gpg",

[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request GET  https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/234 | python -m simplejson/tool
{
    "arches": null,
    "contentUrl": "/foo/path",
    "created": "2014-02-20T18:21:13.259+0000",
    "gpgUrl": "",
    "id": "234",
    "label": "content-label-no-gpg",
    "metadataExpire": 0,
    "modifiedProductIds": [],
    "name": "content-nogpg",
    "releaseVer": null,
    "requiredTags": null,
    "type": "yum",
    "updated": "2014-02-20T18:21:13.259+0000",
    "vendor": "test-vendor"
}
[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request GET  https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/235 | python -m simplejson/tool
{
    "arches": null,
    "contentUrl": "/foo/path",
    "created": "2014-02-20T18:21:13.370+0000",
    "gpgUrl": "",
    "id": "235",
    "label": "content-label-empty-gpg",
    "metadataExpire": 0,
    "modifiedProductIds": [],
    "name": "content-emptygpg",
    "releaseVer": null,
    "requiredTags": null,
    "type": "yum",
    "updated": "2014-02-20T18:21:13.370+0000",
    "vendor": "test-vendor"
}


Now that we know their ids, let's update their gpgkey values (without changing other values) which is done by setting a gpgUrl...


[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request PUT --data '{"gpgUrl": "/test/gpgkey/234", "contentUrl": "/foo/path", "label": "content-label-no-gpg", "name": "content-nogpg", "type": "yum", "vendor": "test-vendor"}' --header 'accept: application/json' --header 'content-type: application/json' https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/234 | python -m simplejson/tool
{
    "arches": null,
    "contentUrl": "/foo/path",
    "gpgUrl": "/test/gpgkey/234",
    "id": "234",
    "label": "content-label-no-gpg",
    "metadataExpire": null,
    "modifiedProductIds": [],
    "name": "content-nogpg",
    "releaseVer": null,
    "requiredTags": null,
    "type": "yum",
    "updated": "2014-02-21T16:00:03.889+0000",
    "vendor": "test-vendor"
}

[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request PUT --data '{"gpgUrl": "/test/gpgkey/235", "contentUrl": "/foo/path", "label": "content-label-empty-gpg", "name": "content-emptygpg", "type": "yum", "vendor": "test-vendor"}' --header 'accept: application/json' --header 'content-type: application/json' https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/235 | python -m simplejson/tool
{
    "arches": null,
    "contentUrl": "/foo/path",
    "gpgUrl": "/test/gpgkey/235",
    "id": "235",
    "label": "content-label-empty-gpg",
    "metadataExpire": null,
    "modifiedProductIds": [],
    "name": "content-emptygpg",
    "releaseVer": null,
    "requiredTags": null,
    "type": "yum",
    "updated": "2014-02-21T16:02:08.306+0000",
    "vendor": "test-vendor"
}


Now that the content has been updated on the candlepin server, let's see it flow to the client.  For this to happen, we need the rhsmcertd to trigger.  By default this triggers once every 4 hours.  I can't wait that long so I will trigger it manually by running rhsmcertd-worker...

[root@jsefler-7 ~]# /usr/libexec/rhsmcertd-worker
Updating entitlement certificates & repositories
5 updates required
done


Now we should see that our entitlement has automatically been updated to reflect gpgcheck=1...

[root@jsefler-7 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|^gpg"
[content-label-empty-gpg]
gpgcheck = 0                   <======  FAILED QA
[never-enabled-content]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/never/gpg
[content-label-no-gpg]
gpgcheck = 0                   <======  FAILED QA
[content-label]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/gpg/
[root@jsefler-7 ~]# 

Nope, did not work.
Let's try refreshing to pools for the admin owner and checking again...

[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request PUT  https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/owners/admin/subscriptions | python -m simplejson/tool
{
    "created": "2014-02-21T16:54:26.643+0000",
    "finishTime": null,
    "group": "async group",
    "id": "refresh_pools_910be4d9-07a0-4559-a2ee-0fae4184083f",
    "principalName": "admin",
    "result": null,
    "startTime": null,
    "state": "CREATED",
    "statusPath": "/jobs/refresh_pools_910be4d9-07a0-4559-a2ee-0fae4184083f",
    "targetId": "admin",
    "targetType": "owner",
    "updated": "2014-02-21T16:54:26.643+0000"
}
[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request GET  https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/jobs/refresh_pools_910be4d9-07a0-4559-a2ee-0fae4184083f | python -m simplejson/tool
{
    "created": "2014-02-21T16:54:26.643+0000",
    "finishTime": "2014-02-21T16:54:27.791+0000",
    "group": "async group",
    "id": "refresh_pools_910be4d9-07a0-4559-a2ee-0fae4184083f",
    "principalName": "admin",
    "result": "Pools refreshed for owner Admin Owner",
    "startTime": "2014-02-21T16:54:26.647+0000",
    "state": "FINISHED",
    "statusPath": "/jobs/refresh_pools_910be4d9-07a0-4559-a2ee-0fae4184083f",
    "targetId": "admin",
    "targetType": "owner",
    "updated": "2014-02-21T16:54:27.809+0000"
}
[root@jsefler-7 ~]# /usr/libexec/rhsmcertd-worker
Updating entitlement certificates & repositories
5 updates required
done
[root@jsefler-7 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|^gpg"
[content-label-empty-gpg]
gpgcheck = 0                  <======  STILL FAILED QA
[never-enabled-content]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/never/gpg
[content-label-no-gpg]
gpgcheck = 0                  <======  STILL FAILED QA
[content-label]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/gpg/

Still failing.



For sanity's sake, let's register from a different client and attach the same pool and verify that the content set has really been updated on the server

[root@jsefler-6 ~]# subscription-manager register --username testuser1 --org admin --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin --insecure
Password: 
The system has been registered with ID: d52ba8b9-b801-4d65-9cfb-77d0b2c2f12a 
[root@jsefler-6 ~]# subscription-manager attach --pool 8a9087e3445087800144508852f20606
Successfully attached a subscription for: Awesome OS Server Basic
[root@jsefler-6 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|^gpg"
[content-label-empty-gpg]
gpgcheck = 1                 <======  EXPECTED
gpgkey = https://cdn.redhat.com/test/gpgkey/235
[never-enabled-content]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/never/gpg
[content-label-no-gpg]
gpgcheck = 1                 <======  EXPECTED
gpgkey = https://cdn.redhat.com/test/gpgkey/234
[content-label]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/gpg/

Yup, the updated content is correctly flowing to a newly registered consumer with a newly granted entitlement.


Not sure why the new content is failing to revoke the entitlements that are affected by the content change and giving me a new entitlement.
Moving back to NEW/FailedQA for further investigation.
Comment 17 Carter Kozak 2014-02-25 15:55:29 EST
commit d3134b9c4fe7515d3b85343d604547e368958746
Author: ckozak <ckozak@redhat.com>
Date:   Tue Feb 25 14:36:22 2014 -0500

    Add spec tests for content modification causing ent regen

commit d74540cf08a3828e2158c8917c001a4e6f92ceaf
Author: ckozak <ckozak@redhat.com>
Date:   Fri Feb 21 15:13:14 2014 -0500

    regenerate ents when content is modified
Comment 18 John Sefler 2014-03-03 18:23:37 EST
Verifying Version...
[root@jsefler-7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.9.4-1
subscription-manager: 1.10.14-3.el7
python-rhsm: 1.10.12-1.el7

[root@jsefler-f14-candlepin candlepin]# git branch 
* master
[root@jsefler-f14-candlepin candlepin]# git show-ref | grep master | head -1
d8eebb26598ab81088c6d5ce058e7d42ddac2538 refs/heads/master


Testing with the candlepin TESTDATA deployed...

[root@jsefler-7 ~]# subscription-manager register
Username: testuser1
Password: 
Organization: admin
The system has been registered with ID: b8dcdb69-9cf6-4fbb-87f1-a408c5489cc4 

[root@jsefler-7 ~]# subscription-manager attach --pool=8a9087e3448960ba0144896183b1048b
Successfully attached a subscription for: Awesome OS Server Basic

[root@jsefler-7 ~]# subscription-manager list --consumed
+-------------------------------------------+
   Consumed Subscriptions
+-------------------------------------------+
Subscription Name: Awesome OS Server Basic
Provides:          Awesome OS Server Bits
SKU:               awesomeos-server-basic
Contract:          0
Account:           12331131231
Serial:            176808115268088813
Pool ID:           8a9087e3448960ba0144896183b1048b
Active:            True
Quantity Used:     1
Service Level:     None
Service Type:      Self-Support
Status Details:    
Subscription Type: Standard
Starts:            03/02/2014
Ends:              03/02/2015
System Type:       Physical

[root@jsefler-7 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|^gpg"
[content-label-empty-gpg]
gpgcheck = 0
[never-enabled-content]
gpgcheck = 1
gpgkey = https://cdn.qa.redhat.com/foo/path/never/gpg
[content-label-no-gpg]
gpgcheck = 0
[content-label]
gpgcheck = 1
gpgkey = https://cdn.qa.redhat.com/foo/path/gpg/

NOTICE: Above we have a single entitlement that grants us access to four repos.  Each repo has a value for gpgcheck as granted by the candlepin server.  Two of them are disabled, because there is no gpgkey.  Let's issue a candlepin API call to update the presence of a gpgkey which will in turn set gpgcheck values to 1...

[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request GET  https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/ | python -m simplejson/tool | egrep "id|label|gpgUrl" | egrep -B2 "(content-label-empty-gpg|content-label-no-gpg)"
        "gpgUrl": "",
        "id": "234",
        "label": "content-label-no-gpg",
--
        "gpgUrl": "",
        "id": "235",
        "label": "content-label-empty-gpg",

[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request GET  https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/234 | python -m simplejson/tool
{
    "arches": null,
    "contentUrl": "/foo/path",
    "created": "2014-03-03T19:17:14.404+0000",
    "gpgUrl": "",
    "id": "234",
    "label": "content-label-no-gpg",
    "metadataExpire": 0,
    "modifiedProductIds": [],
    "name": "content-nogpg",
    "releaseVer": null,
    "requiredTags": null,
    "type": "yum",
    "updated": "2014-03-03T19:17:14.404+0000",
    "vendor": "test-vendor"
}
[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request GET  https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/235 | python -m simplejson/tool
{
    "arches": null,
    "contentUrl": "/foo/path",
    "created": "2014-03-03T19:17:14.507+0000",
    "gpgUrl": "",
    "id": "235",
    "label": "content-label-empty-gpg",
    "metadataExpire": 0,
    "modifiedProductIds": [],
    "name": "content-emptygpg",
    "releaseVer": null,
    "requiredTags": null,
    "type": "yum",
    "updated": "2014-03-03T19:17:14.507+0000",
    "vendor": "test-vendor"
}

Now that we know their ids, let's update their gpgkey values (without changing other values) which is done by setting a gpgUrl...

[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request PUT --data '{"gpgUrl": "/test/gpgkey/234", "contentUrl": "/foo/path", "label": "content-label-no-gpg", "name": "content-nogpg", "type": "yum", "vendor": "test-vendor"}' --header 'accept: application/json' --header 'content-type: application/json' https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/234 | python -m simplejson/tool
{
    "arches": null,
    "contentUrl": "/foo/path",
    "gpgUrl": "/test/gpgkey/234",
    "id": "234",
    "label": "content-label-no-gpg",
    "metadataExpire": null,
    "modifiedProductIds": [],
    "name": "content-nogpg",
    "releaseVer": null,
    "requiredTags": null,
    "type": "yum",
    "updated": "2014-03-03T23:11:12.774+0000",
    "vendor": "test-vendor"
}
[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request PUT --data '{"gpgUrl": "/test/gpgkey/235", "contentUrl": "/foo/path", "label": "content-label-empty-gpg", "name": "content-emptygpg", "type": "yum", "vendor": "test-vendor"}' --header 'accept: application/json' --header 'content-type: application/json' https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/235 | python -m simplejson/tool
{
    "arches": null,
    "contentUrl": "/foo/path",
    "gpgUrl": "/test/gpgkey/235",
    "id": "235",
    "label": "content-label-empty-gpg",
    "metadataExpire": null,
    "modifiedProductIds": [],
    "name": "content-emptygpg",
    "releaseVer": null,
    "requiredTags": null,
    "type": "yum",
    "updated": "2014-03-03T23:12:06.204+0000",
    "vendor": "test-vendor"
}


Now that the content has been updated on the candlepin server, let's see it flow to the client.  For this to happen, we need the rhsmcertd to trigger.  By default this triggers once every 4 hours.  I can't wait that long so I will trigger it manually by running rhsmcertd-worker...

[root@jsefler-7 ~]# /usr/libexec/rhsmcertd-worker
Updating entitlement certificates & repositories
1 local certificate has been deleted.
7 updates required
done

Now we should see that our entitlement has automatically been updated to reflect gpgcheck=1...

[root@jsefler-7 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|^gpg"
[content-label-empty-gpg]
gpgcheck = 1                   <======  VERIFIED
gpgkey = https://cdn.qa.redhat.com/test/gpgkey/235
[never-enabled-content]
gpgcheck = 1
gpgkey = https://cdn.qa.redhat.com/foo/path/never/gpg
[content-label-no-gpg]
gpgcheck = 1                   <======  VERIFIED
gpgkey = https://cdn.qa.redhat.com/test/gpgkey/234
[content-label]
gpgcheck = 1
gpgkey = https://cdn.qa.redhat.com/foo/path/gpg/


VERIFIED: Updates to a content set will now trigger regeneration of consumed entitlements that provide the updated content sets which will automatically flow to the consumer at the next rhsmcertd run in the form of a new entitlement.
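Comments 12 and 18 decide by eye, from grep output, whether the server-side gpgUrl change reached the client. As an added example (not part of this bug, and not subscription-manager or Candlepin code), the script below does that comparison mechanically: given the JSON returned by GET /candlepin/content/ and the client's redhat.repo, it reports every repo whose server content now carries a gpgUrl but whose local stanza still has gpgcheck=0 or a missing or mismatched gpgkey, plus any enabled repo that is left unsigned with no key on the server side either. The two repo files and the content list are constructed to mirror the FAILED QA state of comment 12 and the VERIFIED state of comment 18; the rule that the client's gpgkey is the CDN base followed by gpgUrl is inferred from those transcripts, and the fallback of treating a missing gpgcheck option as 0 is an assumption.

```python
"""Check a client's redhat.repo against Candlepin content definitions."""
import configparser
import json
import sys

# Constructed trimmed copy of GET /candlepin/content/ output after the PUTs above
# (field names as in the bug's JSON; values constructed).
SERVER_CONTENT_JSON = json.dumps([
    {"id": "235", "label": "content-label-empty-gpg", "gpgUrl": "/test/gpgkey/235", "type": "yum"},
    {"id": "3", "label": "never-enabled-content", "gpgUrl": "/foo/path/never/gpg", "type": "yum"},
    {"id": "234", "label": "content-label-no-gpg", "gpgUrl": "/test/gpgkey/234", "type": "yum"},
    {"id": "1", "label": "content-label", "gpgUrl": "/foo/path/gpg/", "type": "yum"},
])

# Constructed redhat.repo in the state comment 12 marked FAILED QA.
STALE_REPO = """\
[content-label-empty-gpg]
enabled = 1
gpgcheck = 0

[never-enabled-content]
enabled = 0
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/never/gpg

[content-label-no-gpg]
enabled = 1
gpgcheck = 0

[content-label]
enabled = 1
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/gpg/
"""

# Constructed redhat.repo in the state comment 18 marked VERIFIED.
FIXED_REPO = STALE_REPO.replace(
    "[content-label-empty-gpg]\nenabled = 1\ngpgcheck = 0\n",
    "[content-label-empty-gpg]\nenabled = 1\ngpgcheck = 1\ngpgkey = https://cdn.redhat.com/test/gpgkey/235\n",
).replace(
    "[content-label-no-gpg]\nenabled = 1\ngpgcheck = 0\n",
    "[content-label-no-gpg]\nenabled = 1\ngpgcheck = 1\ngpgkey = https://cdn.redhat.com/test/gpgkey/234\n",
)


def parse_repo(text):
    """Parse a yum .repo file into {repo_id: {option: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def find_gpg_problems(server_content_json, repo_text):
    """Return a list of (repo_id, problem) for stanzas that do not match the server."""
    server = {c["label"]: c for c in json.loads(server_content_json) if c.get("type") == "yum"}
    problems = []
    for repo_id, opts in parse_repo(repo_text).items():
        gpgcheck = opts.get("gpgcheck", "0").strip()   # assumption: absent means 0
        gpgkey = opts.get("gpgkey", "").strip()
        server_url = (server.get(repo_id) or {}).get("gpgUrl") or ""
        if server_url and gpgcheck != "1":
            problems.append((repo_id, "server has gpgUrl but client gpgcheck=%s" % gpgcheck))
        elif server_url and not gpgkey:
            problems.append((repo_id, "server has gpgUrl but client has no gpgkey"))
        elif server_url and not gpgkey.endswith(server_url):
            problems.append((repo_id, "client gpgkey %s does not end with server gpgUrl %s" % (gpgkey, server_url)))
        elif opts.get("enabled", "1").strip() == "1" and gpgcheck != "1":
            problems.append((repo_id, "enabled repo with gpgcheck=%s and no key on the server" % gpgcheck))
    return problems


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # usage: check_gpg.py content.json [/etc/yum.repos.d/redhat.repo]
        repo_path = sys.argv[2] if len(sys.argv) > 2 else "/etc/yum.repos.d/redhat.repo"
        with open(sys.argv[1]) as cf, open(repo_path) as rf:
            found = find_gpg_problems(cf.read(), rf.read())
    else:
        found = find_gpg_problems(SERVER_CONTENT_JSON, STALE_REPO)
    for repo_id, why in found:
        print("%s: %s" % (repo_id, why))
    sys.exit(1 if found else 0)
```

Run it with a saved copy of the content JSON right after `subscription-manager refresh` or `/usr/libexec/rhsmcertd-worker`; a non-zero exit means the regenerated entitlement has not reached the repo file yet (the comment 12 state), which is quicker to spot than reading the grep output.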
Comment 20 Bryan Kearney 2014-09-29 15:04:48 EDT
These bugs were fixed during 7.0 but not moved to CLOSED. They have been delivered
