If an upstream repository in Candlepin (Katello) has a GPG key added *after* a system has registered, subscription-manager will not update the redhat.repo file to note this change. The only way you can get the redhat.repo file to update the gpgcheck field is to wipe out the file or re-register the machine.

Exact steps:
1) create repository in Katello, ensure that NO gpg key is assigned
2) sync content, promote to an environment, e.g. Dev
3) register system to Dev, subscribe to product containing repo from step (1)
4) Note that gpgcheck is 0: gpgcheck = 0
5) Assign a GPG key, re-promote the repo in Katello to Dev.
6) Run 'subscription-manager refresh && yum repolist'
7) Note that gpgcheck is still 0
8) Wipe out redhat.repo with a 0 byte file: "echo '' > /etc/yum.repos.d/redhat.repo"
9) Run 'subscription-manager refresh && yum repolist'
10) Note that gpgcheck is now 1: gpgcheck = 1

You can also just re-register the system instead of step 8; that will also set the correct gpgcheck param.

NOTE: This may be a regression between versions 0.96 -> 0.99 because while testing the following you will note it worked fine for me: https://bugzilla.redhat.com/show_bug.cgi?id=824581#c5
See also: https://bugzilla.redhat.com/show_bug.cgi?id=827943
I filed this bug because of the behavior noticed in the above.
We should check to see if there was _not_ a gpgUrl when we detect one. If the state has changed from no url to a url, turn on checking, else leave as it was.
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
*** Bug 859434 has been marked as a duplicate of this bug. ***
This will get covered in the new Consumer Content Override work. The behavior may be slightly different, but the values will be stored at the CP server and will not be wiped out on refresh.
Confirmed that changes to the gpgkey url at the server will get propagated to the repo file when 'subscription-manager refresh && yum repolist' is called.
[root@jsefler-7 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.9.2-1
subscription-manager: 1.10.11-1.el7
python-rhsm: 1.10.11-1.el7

Not sure whether or not to move this to VERIFIED because (as indicated in comment 6), the new Consumer Content Override feature allows a system consumer to create repo parameter overrides (including gpgcheck) that will persist overriding repo parameters as subscriptions are attached/removed/refreshed on a per consumer basis. The new Consumer Content Override feature puts the power to manage gpgcheck in the hands of the consumer.

Comment 0 is reporting a different issue... changes to the gpgcheck in the repo definitions are being made on the server which are not causing the consumer's already existing entitlements to refresh (or should I say be automatically revoked and re-issued with the altered repo definition).

Setting a NEEDINFO on mmccune and the Katello QE team to decide if the original problem still exists and/or is satisfied by the new Consumer Content Override feature which works like this...

After attaching a subscription, here are my default gpgchecks in redhat.repo....

[root@jsefler-7 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|gpgcheck"
[awesomeos]
gpgcheck = 1
[awesomeos-x86_64]
gpgcheck = 1
[never-enabled-content]
gpgcheck = 1

Now I can create content overrides specific to each repo id...

[root@jsefler-7 ~]# subscription-manager repo-override --repo=awesomeos --repo=awesomeos-x86_64 --repo=never-enabled-content --add=gpgcheck:0
[root@jsefler-7 ~]# subscription-manager repo-override --list
Repository: awesomeos
gpgcheck: 0
Repository: awesomeos-x86_64
gpgcheck: 0
Repository: never-enabled-content
gpgcheck: 0
[root@jsefler-7 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|gpgcheck"
[awesomeos]
gpgcheck = 0
[awesomeos-x86_64]
gpgcheck = 0
[never-enabled-content]
gpgcheck = 0

And I can remove them too...
[root@jsefler-7 ~]# subscription-manager repo-override --remove-all
[root@jsefler-7 ~]# subscription-manager repo-override --list
This system does not have any content overrides applied to it.
[root@jsefler-7 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|gpgcheck"
[awesomeos]
gpgcheck = 1
[awesomeos-x86_64]
gpgcheck = 1
[never-enabled-content]
gpgcheck = 1
Testing Version...

[root@jsefler-7 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.9.3-1
subscription-manager: 1.10.14-2.el7
python-rhsm: 1.10.12-1.el7

Testing with the candlepin TESTDATA deployed...

[root@jsefler-7 ~]# subscription-manager list --consumed
+-------------------------------------------+
   Consumed Subscriptions
+-------------------------------------------+
Subscription Name: Awesome OS Server Basic
Provides: Awesome OS Server Bits
SKU: awesomeos-server-basic
Contract: 5
Account: 12331131231
Serial: 7713088041753855444
Pool ID: 8a9087e3445087800144508852f20606
Active: True
Quantity Used: 1
Service Level: None
Service Type: Self-Support
Status Details:
Subscription Type: Standard
Starts: 02/19/2014
Ends: 02/19/2015
System Type: Physical

[root@jsefler-7 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|^gpg"
[content-label-empty-gpg]
gpgcheck = 0
[never-enabled-content]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/never/gpg
[content-label-no-gpg]
gpgcheck = 0
[content-label]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/gpg/

NOTICE: Above we have a single entitlement that grants us access to four repos. Each repo has a value for gpgcheck as granted by the candlepin server. Two of them are disabled, because there is no gpgkey. Let's issue a candlepin API call to update the presence of a gpgkey which will in turn set gpgcheck values to 1...

First we need to get their ids...
[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request GET https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/ | python -m simplejson/tool | egrep "id|label|gpgUrl" | egrep -B2 "(content-label-empty-gpg|content-label-no-gpg)"
"gpgUrl": "",
"id": "234",
"label": "content-label-no-gpg",
--
"gpgUrl": "",
"id": "235",
"label": "content-label-empty-gpg",

[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request GET https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/234 | python -m simplejson/tool
{
    "arches": null,
    "contentUrl": "/foo/path",
    "created": "2014-02-20T18:21:13.259+0000",
    "gpgUrl": "",
    "id": "234",
    "label": "content-label-no-gpg",
    "metadataExpire": 0,
    "modifiedProductIds": [],
    "name": "content-nogpg",
    "releaseVer": null,
    "requiredTags": null,
    "type": "yum",
    "updated": "2014-02-20T18:21:13.259+0000",
    "vendor": "test-vendor"
}

[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request GET https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/235 | python -m simplejson/tool
{
    "arches": null,
    "contentUrl": "/foo/path",
    "created": "2014-02-20T18:21:13.370+0000",
    "gpgUrl": "",
    "id": "235",
    "label": "content-label-empty-gpg",
    "metadataExpire": 0,
    "modifiedProductIds": [],
    "name": "content-emptygpg",
    "releaseVer": null,
    "requiredTags": null,
    "type": "yum",
    "updated": "2014-02-20T18:21:13.370+0000",
    "vendor": "test-vendor"
}

Now that we know their id's, let's update their gpgkey values (without changing other values) which is done by setting a gpgUrl...
[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request PUT --data '{"gpgUrl": "/test/gpgkey/234", "contentUrl": "/foo/path", "label": "content-label-no-gpg", "name": "content-nogpg", "type": "yum", "vendor": "test-vendor"}' --header 'accept: application/json' --header 'content-type: application/json' https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/234 | python -m simplejson/tool
{
    "arches": null,
    "contentUrl": "/foo/path",
    "gpgUrl": "/test/gpgkey/234",
    "id": "234",
    "label": "content-label-no-gpg",
    "metadataExpire": null,
    "modifiedProductIds": [],
    "name": "content-nogpg",
    "releaseVer": null,
    "requiredTags": null,
    "type": "yum",
    "updated": "2014-02-21T16:00:03.889+0000",
    "vendor": "test-vendor"
}

[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request PUT --data '{"gpgUrl": "/test/gpgkey/235", "contentUrl": "/foo/path", "label": "content-label-empty-gpg", "name": "content-emptygpg", "type": "yum", "vendor": "test-vendor"}' --header 'accept: application/json' --header 'content-type: application/json' https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/235 | python -m simplejson/tool
{
    "arches": null,
    "contentUrl": "/foo/path",
    "gpgUrl": "/test/gpgkey/235",
    "id": "235",
    "label": "content-label-empty-gpg",
    "metadataExpire": null,
    "modifiedProductIds": [],
    "name": "content-emptygpg",
    "releaseVer": null,
    "requiredTags": null,
    "type": "yum",
    "updated": "2014-02-21T16:02:08.306+0000",
    "vendor": "test-vendor"
}

Now that the content has been updated on the candlepin server, let's see it flow to the client. For this to happen, we need the rhsmcertd to trigger. By default this triggers once every 4 hours. I can't wait that long so I will trigger it manually by running rhsmcertd-worker...
[root@jsefler-7 ~]# /usr/libexec/rhsmcertd-worker
Updating entitlement certificates & repositories
5 updates required
done

Now we should see that our entitlement has automatically been updated to reflect gpgcheck=1...

[root@jsefler-7 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|^gpg"
[content-label-empty-gpg]
gpgcheck = 0 <====== FAILED QA
[never-enabled-content]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/never/gpg
[content-label-no-gpg]
gpgcheck = 0 <====== FAILED QA
[content-label]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/gpg/
[root@jsefler-7 ~]#

Nope, did not work. Let's try refreshing to pools for the admin owner and checking again...

[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request PUT https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/owners/admin/subscriptions | python -m simplejson/tool
{
    "created": "2014-02-21T16:54:26.643+0000",
    "finishTime": null,
    "group": "async group",
    "id": "refresh_pools_910be4d9-07a0-4559-a2ee-0fae4184083f",
    "principalName": "admin",
    "result": null,
    "startTime": null,
    "state": "CREATED",
    "statusPath": "/jobs/refresh_pools_910be4d9-07a0-4559-a2ee-0fae4184083f",
    "targetId": "admin",
    "targetType": "owner",
    "updated": "2014-02-21T16:54:26.643+0000"
}

[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request GET https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/jobs/refresh_pools_910be4d9-07a0-4559-a2ee-0fae4184083f | python -m simplejson/tool
{
    "created": "2014-02-21T16:54:26.643+0000",
    "finishTime": "2014-02-21T16:54:27.791+0000",
    "group": "async group",
    "id": "refresh_pools_910be4d9-07a0-4559-a2ee-0fae4184083f",
    "principalName": "admin",
    "result": "Pools refreshed for owner Admin Owner",
    "startTime": "2014-02-21T16:54:26.647+0000",
    "state": "FINISHED",
    "statusPath": "/jobs/refresh_pools_910be4d9-07a0-4559-a2ee-0fae4184083f",
    "targetId": "admin",
    "targetType": "owner",
    "updated": "2014-02-21T16:54:27.809+0000"
}
[root@jsefler-7 ~]# /usr/libexec/rhsmcertd-worker
Updating entitlement certificates & repositories
5 updates required
done

[root@jsefler-7 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|^gpg"
[content-label-empty-gpg]
gpgcheck = 0 <====== STILL FAILED QA
[never-enabled-content]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/never/gpg
[content-label-no-gpg]
gpgcheck = 0 <====== STILL FAILED QA
[content-label]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/gpg/

Still failing. For sanity's sake, let's register from a different client and attach the same pool and verify that the content set has really been updated on the server.

[root@jsefler-6 ~]# subscription-manager register --username testuser1 --org admin --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin --insecure
Password:
The system has been registered with ID: d52ba8b9-b801-4d65-9cfb-77d0b2c2f12a
[root@jsefler-6 ~]# subscription-manager attach --pool 8a9087e3445087800144508852f20606
Successfully attached a subscription for: Awesome OS Server Basic
[root@jsefler-6 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|^gpg"
[content-label-empty-gpg]
gpgcheck = 1 <====== EXPECTED
gpgkey = https://cdn.redhat.com/test/gpgkey/235
[never-enabled-content]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/never/gpg
[content-label-no-gpg]
gpgcheck = 1 <====== EXPECTED
gpgkey = https://cdn.redhat.com/test/gpgkey/234
[content-label]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/gpg/

Yup, the updated content is correctly flowing to a newly registered consumer with a newly granted entitlement. Not sure why the new content is failing to revoke the entitlements that are affected by the content change and giving me a new entitlement.

Moving back to NEW/FailedQA for further investigation.
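The manual comparison in the comment above (server-side gpgUrl versus the client's gpgcheck) can be automated. The following is an added example, not part of the bug thread or of subscription-manager; the function names, status labels and sample data are assumptions made for illustration.

```python
import configparser

# Constructed sample: client repo file as in the failing run quoted above.
CLIENT_REPO = """\
[content-label-empty-gpg]
gpgcheck = 0
[never-enabled-content]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/never/gpg
[content-label-no-gpg]
gpgcheck = 0
[content-label]
gpgcheck = 1
gpgkey = https://cdn.redhat.com/foo/path/gpg/
"""

# Constructed sample: label/gpgUrl pairs in the shape of the content listing
# after the two PUT requests; the last two gpgUrl values are assumed.
SERVER_CONTENT = [
    {"label": "content-label-no-gpg", "gpgUrl": "/test/gpgkey/234"},
    {"label": "content-label-empty-gpg", "gpgUrl": "/test/gpgkey/235"},
    {"label": "never-enabled-content", "gpgUrl": "/foo/path/never/gpg"},
    {"label": "content-label", "gpgUrl": "/foo/path/gpg/"},
]


def parse_repo(text):
    """Return {repo_id: (gpgcheck_enabled, gpgkey_or_None)} from .repo text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    repos = {}
    for section in cp.sections():
        # A missing gpgcheck is reported as disabled (assumption: this audit
        # ignores any default inherited from [main] in yum.conf).
        enabled = cp.getboolean(section, "gpgcheck", fallback=False)
        key = cp.get(section, "gpgkey", fallback="").strip() or None
        repos[section] = (enabled, key)
    return repos


def audit(repo_text, server_content):
    """Classify each client repo against the server's content definitions."""
    wanted = {c["label"]: bool((c.get("gpgUrl") or "").strip())
              for c in server_content}
    report = {}
    for repo_id, (enabled, key) in parse_repo(repo_text).items():
        if repo_id not in wanted:
            report[repo_id] = "unknown"      # not in the server listing
        elif wanted[repo_id] and not enabled:
            report[repo_id] = "stale"        # server has a key, client skips the check
        elif enabled and not key:
            report[repo_id] = "missing-key"  # check enabled but no key configured
        elif not enabled:
            report[repo_id] = "unsigned"     # no key on either side
        else:
            report[repo_id] = "ok"
    return report


if __name__ == "__main__":
    print(audit(CLIENT_REPO, SERVER_CONTENT))
```

A "stale" result is the condition this bug describes: packages from that repo install without signature verification even though the server now advertises a key.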
commit d3134b9c4fe7515d3b85343d604547e368958746
Author: ckozak <ckozak>
Date: Tue Feb 25 14:36:22 2014 -0500

    Add spec tests for content modification causing ent regen

commit d74540cf08a3828e2158c8917c001a4e6f92ceaf
Author: ckozak <ckozak>
Date: Fri Feb 21 15:13:14 2014 -0500

    regenerate ents when content is modified
Verifying Version...

[root@jsefler-7 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.9.4-1
subscription-manager: 1.10.14-3.el7
python-rhsm: 1.10.12-1.el7

[root@jsefler-f14-candlepin candlepin]# git branch
* master
[root@jsefler-f14-candlepin candlepin]# git show-ref | grep master | head -1
d8eebb26598ab81088c6d5ce058e7d42ddac2538 refs/heads/master

Testing with the candlepin TESTDATA deployed...

[root@jsefler-7 ~]# subscription-manager register
Username: testuser1
Password:
Organization: admin
The system has been registered with ID: b8dcdb69-9cf6-4fbb-87f1-a408c5489cc4
[root@jsefler-7 ~]# subscription-manager attach --pool=8a9087e3448960ba0144896183b1048b
Successfully attached a subscription for: Awesome OS Server Basic
[root@jsefler-7 ~]# subscription-manager list --consumed
+-------------------------------------------+
   Consumed Subscriptions
+-------------------------------------------+
Subscription Name: Awesome OS Server Basic
Provides: Awesome OS Server Bits
SKU: awesomeos-server-basic
Contract: 0
Account: 12331131231
Serial: 176808115268088813
Pool ID: 8a9087e3448960ba0144896183b1048b
Active: True
Quantity Used: 1
Service Level: None
Service Type: Self-Support
Status Details:
Subscription Type: Standard
Starts: 03/02/2014
Ends: 03/02/2015
System Type: Physical

[root@jsefler-7 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|^gpg"
[content-label-empty-gpg]
gpgcheck = 0
[never-enabled-content]
gpgcheck = 1
gpgkey = https://cdn.qa.redhat.com/foo/path/never/gpg
[content-label-no-gpg]
gpgcheck = 0
[content-label]
gpgcheck = 1
gpgkey = https://cdn.qa.redhat.com/foo/path/gpg/

NOTICE: Above we have a single entitlement that grants us access to four repos. Each repo has a value for gpgcheck as granted by the candlepin server. Two of them are disabled, because there is no gpgkey. Let's issue a candlepin API call to update the presence of a gpgkey which will in turn set gpgcheck values to 1...
[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request GET https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/ | python -m simplejson/tool | egrep "id|label|gpgUrl" | egrep -B2 "(content-label-empty-gpg|content-label-no-gpg)"
"gpgUrl": "",
"id": "234",
"label": "content-label-no-gpg",
--
"gpgUrl": "",
"id": "235",
"label": "content-label-empty-gpg",

[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request GET https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/234 | python -m simplejson/tool
{
    "arches": null,
    "contentUrl": "/foo/path",
    "created": "2014-03-03T19:17:14.404+0000",
    "gpgUrl": "",
    "id": "234",
    "label": "content-label-no-gpg",
    "metadataExpire": 0,
    "modifiedProductIds": [],
    "name": "content-nogpg",
    "releaseVer": null,
    "requiredTags": null,
    "type": "yum",
    "updated": "2014-03-03T19:17:14.404+0000",
    "vendor": "test-vendor"
}

[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request GET https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/235 | python -m simplejson/tool
{
    "arches": null,
    "contentUrl": "/foo/path",
    "created": "2014-03-03T19:17:14.507+0000",
    "gpgUrl": "",
    "id": "235",
    "label": "content-label-empty-gpg",
    "metadataExpire": 0,
    "modifiedProductIds": [],
    "name": "content-emptygpg",
    "releaseVer": null,
    "requiredTags": null,
    "type": "yum",
    "updated": "2014-03-03T19:17:14.507+0000",
    "vendor": "test-vendor"
}

Now that we know their id's, let's update their gpgkey values (without changing other values) which is done by setting a gpgUrl...
[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request PUT --data '{"gpgUrl": "/test/gpgkey/234", "contentUrl": "/foo/path", "label": "content-label-no-gpg", "name": "content-nogpg", "type": "yum", "vendor": "test-vendor"}' --header 'accept: application/json' --header 'content-type: application/json' https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/234 | python -m simplejson/tool
{
    "arches": null,
    "contentUrl": "/foo/path",
    "gpgUrl": "/test/gpgkey/234",
    "id": "234",
    "label": "content-label-no-gpg",
    "metadataExpire": null,
    "modifiedProductIds": [],
    "name": "content-nogpg",
    "releaseVer": null,
    "requiredTags": null,
    "type": "yum",
    "updated": "2014-03-03T23:11:12.774+0000",
    "vendor": "test-vendor"
}

[root@jsefler-7 ~]# curl --stderr /dev/null --insecure --user admin:admin --request PUT --data '{"gpgUrl": "/test/gpgkey/235", "contentUrl": "/foo/path", "label": "content-label-empty-gpg", "name": "content-emptygpg", "type": "yum", "vendor": "test-vendor"}' --header 'accept: application/json' --header 'content-type: application/json' https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/content/235 | python -m simplejson/tool
{
    "arches": null,
    "contentUrl": "/foo/path",
    "gpgUrl": "/test/gpgkey/235",
    "id": "235",
    "label": "content-label-empty-gpg",
    "metadataExpire": null,
    "modifiedProductIds": [],
    "name": "content-emptygpg",
    "releaseVer": null,
    "requiredTags": null,
    "type": "yum",
    "updated": "2014-03-03T23:12:06.204+0000",
    "vendor": "test-vendor"
}

Now that the content has been updated on the candlepin server, let's see it flow to the client. For this to happen, we need the rhsmcertd to trigger. By default this triggers once every 4 hours. I can't wait that long so I will trigger it manually by running rhsmcertd-worker...

[root@jsefler-7 ~]# /usr/libexec/rhsmcertd-worker
Updating entitlement certificates & repositories
1 local certificate has been deleted.
7 updates required
done

Now we should see that our entitlement has automatically been updated to reflect gpgcheck=1...

[root@jsefler-7 ~]# cat /etc/yum.repos.d/redhat.repo | egrep "^\[|^gpg"
[content-label-empty-gpg]
gpgcheck = 1 <====== VERIFIED
gpgkey = https://cdn.qa.redhat.com/test/gpgkey/235
[never-enabled-content]
gpgcheck = 1
gpgkey = https://cdn.qa.redhat.com/foo/path/never/gpg
[content-label-no-gpg]
gpgcheck = 1 <====== VERIFIED
gpgkey = https://cdn.qa.redhat.com/test/gpgkey/234
[content-label]
gpgcheck = 1
gpgkey = https://cdn.qa.redhat.com/foo/path/gpg/

VERIFIED: Updates to a content set will now trigger regeneration of consumed entitlements that provide the updated content sets which will automatically flow to the consumer at the next rhsmcertd run in the form of a new entitlement.
These bugs were fixed during 7.0 but not moved to CLOSED. They have been delivered