971945 – product-id plugin for yum fails to remove /etc/pki/product cert upon deletion of final package from yum repo

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 971945 - product-id plugin for yum fails to remove /etc/pki/product cert upon deletion of final package from yum repo

Summary: product-id plugin for yum fails to remove /etc/pki/product cert upon deletion...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	subscription-manager
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	7.0
Assignee:	Adrian Likins
QA Contact:	IDM QE LIST
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	rhsm-rhel70
TreeView+	depends on / blocked

Reported:	2013-06-07 16:11 UTC by John Sefler
Modified:	2014-02-03 21:50 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-02-03 21:50:35 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description John Sefler 2013-06-07 16:11:54 UTC

Description of problem:
This bug is a continuation of the scenarios detailed in bug 859197.
While the original problem in bug 859197 appears to be working, the final scenario where a product cert (that does not provide rhel* tags) is supposed to be removed from /etc/pki/product upon yum removal of the last package from a repository. 


Version-Release number of selected component (if applicable):
[root@rhsm-compat-rhel64 ~]# rpm -q subscription-manager python-rhsm
subscription-manager-1.8.10-1.el6.x86_64
python-rhsm-1.8.12-1.el6.x86_64

How reproducible:


Steps to Reproduce:
configure /etc/rhsm/rhsm.conf to the stage environment, then...

[root@rhsm-compat-rhel64 ~]# subscription-manager register --username stage_test_47 --force
The system with UUID a19c19ed-286d-4b9f-920d-bb4e28e7dca5 has been unregistered
Password: 
The system has been registered with ID: 9a024bcd-c34d-4a9b-802e-56632af9d70a 
[root@rhsm-compat-rhel64 ~]# subscription-manager list --avail | grep MCT2358 -B1 -A1
Subscription Name: CloudForms (10-pack)
SKU:               MCT2358
Pool ID:           8a99f9843c01ccba013c037f9a22050c
[root@rhsm-compat-rhel64 ~]# subscription-manager subscribe --pool 8a99f9843c01ccba013c037f9a22050c
Successfully attached a subscription for: CloudForms (10-pack)
[root@rhsm-compat-rhel64 ~]# yum list available --enablerepo=rhel-6-server-cf-ce-1-rpms | tail -1
This system is receiving updates from Red Hat Subscription Management.
This system is not registered with RHN Classic or RHN Satellite.
You can use rhn_register to register.
RHN Satellite or RHN Classic support will be disabled.
unittest.x86_64                       0.50-62.6.el6   rhel-6-server-cf-ce-1-rpms
[root@rhsm-compat-rhel64 ~]# ls /etc/pki/product
69.pem  83.pem
[root@rhsm-compat-rhel64 ~]# yum install unittest --enablerepo=rhel-6-server-cf-ce-1-rpms
Loaded plugins: product-id, refresh-packagekit, rhnplugin, security,
              : subscription-manager
This system is receiving updates from Red Hat Subscription Management.
This system is not registered with RHN Classic or RHN Satellite.
You can use rhn_register to register.
RHN Satellite or RHN Classic support will be disabled.
rhel-6-server-cf-ce-1-rpms                               | 3.1 kB     00:00     
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package unittest.x86_64 0:0.50-62.6.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package      Arch       Version           Repository                      Size
================================================================================
Installing:
 unittest     x86_64     0.50-62.6.el6     rhel-6-server-cf-ce-1-rpms      37 k

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 37 k
Installed size: 141 k
Is this ok [y/N]: y
Downloading Packages:
unittest-0.50-62.6.el6.x86_64.rpm                        |  37 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : unittest-0.50-62.6.el6.x86_64                                1/1 
  Verifying  : unittest-0.50-62.6.el6.x86_64                                1/1 

Installed:
  unittest.x86_64 0:0.50-62.6.el6                                               

Complete!
[root@rhsm-compat-rhel64 ~]# ls /etc/pki/product
167.pem  69.pem  83.pem
[root@rhsm-compat-rhel64 ~]# cat /var/lib/rhsm/productid.js
{
  "69": [
    "anaconda-RedHatEnterpriseLinux-201301162040.x86_64", 
    "rhel-6-server-cf-tools-1-rpms", 
    "rhel-6-server-rhev-agent-rpms", 
    "rhel-6-server-rpms"
  ], 
  "167": [
    "rhel-6-server-cf-ce-1-rpms"
  ], 
  "83": [
    "rhel-ha-for-rhel-6-server-rpms"
  ]
}

NOTE THAT PRODUCT CERT 167 IS NEWLY INSTALLED.

[root@rhsm-compat-rhel64 ~]# rct cat-cert /etc/pki/product/167.pem | grep Tags
	Tags: None
[root@rhsm-compat-rhel64 ~]#

NOTE THAT PRODUCT CERT 167 DOES NOT PROVIDE rhel* TAGS.

[root@rhsm-compat-rhel64 ~]# yum list installed | grep rhel-6-server-cf-ce-1-rpms
This system is receiving updates from Red Hat Subscription Management.
This system is not registered with RHN Classic or RHN Satellite.
You can use rhn_register to register.
RHN Satellite or RHN Classic support will be disabled.
unittest.x86_64                       0.50-62.6.el6            @rhel-6-server-cf-ce-1-rpms
[root@rhsm-compat-rhel64 ~]#

NOTE THAT unittest IS THE ONLY PACKAGE INSTALLED FROM rhel-6-server-cf-ce-1-rpms.

[root@rhsm-compat-rhel64 ~]# yum remove unittest
Loaded plugins: product-id, refresh-packagekit, rhnplugin, security,
              : subscription-manager
This system is receiving updates from Red Hat Subscription Management.
This system is not registered with RHN Classic or RHN Satellite.
You can use rhn_register to register.
RHN Satellite or RHN Classic support will be disabled.
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package unittest.x86_64 0:0.50-62.6.el6 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package     Arch      Version             Repository                      Size
================================================================================
Removing:
 unittest    x86_64    0.50-62.6.el6       @rhel-6-server-cf-ce-1-rpms    141 k

Transaction Summary
================================================================================
Remove        1 Package(s)

Installed size: 141 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Erasing    : unittest-0.50-62.6.el6.x86_64                                1/1 
  Verifying  : unittest-0.50-62.6.el6.x86_64                                1/1 

Removed:
  unittest.x86_64 0:0.50-62.6.el6                                               

Complete!
[root@rhsm-compat-rhel64 ~]# cat /var/lib/rhsm/productid.js
{
  "69": [
    "anaconda-RedHatEnterpriseLinux-201301162040.x86_64", 
    "rhel-6-server-cf-tools-1-rpms", 
    "rhel-6-server-rhev-agent-rpms", 
    "rhel-6-server-rpms"
  ], 
  "167": [
    "rhel-6-server-cf-ce-1-rpms"
  ], 
  "83": [
    "rhel-ha-for-rhel-6-server-rpms"
  ]
}
[root@rhsm-compat-rhel64 ~]# ls /etc/pki/product
167.pem  69.pem  83.pem
[root@rhsm-compat-rhel64 ~]# 

BANG! Despite the fact that we removed the only package (unittest) remaining from repo rhel-6-server-cf-ce-1-rpms whose original installation gave us product cert 167 (which does NOT provide "rhel*" tags), product cert 167 remains installed on the system.  I believe this is wrong.  I believe product cert 167 should have been removed.

Comment 1 Adrian Likins 2013-06-10 14:37:45 UTC

This seems to be working for me:

<subscribe to cloud forms steps>
[]$ ls -lart /etc/pki/product/; cat /var/lib/rhsm/productid.js 
total 12
-rw-r--r--.  1 root root 2159 Jun 10 10:04 69.pem
drwxr-xr-x. 13 root root 4096 Jun 10 10:05 ..
drwxr-xr-x.  2 root root 4096 Jun 10 10:28 .
{
  "69": [
    "anaconda-RedHatEnterpriseLinux-201301150237.x86_64", 
    "rhel-6-server-cf-tools-1-rpms", 
    "rhel-6-server-rpms", 
    "rhel-nightly"
  ], 
  "92": [
    "rhel-scalefs-for-rhel-6-server-rpms"
  ]



[]$ sudo yum install unittest --enablerepo=rhel-6-server-cf-ce-1-rpms
Loaded plugins: auto-update-debuginfo, product-id, refresh-packagekit, security, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
rhel-6-server-cf-ce-1-rpms                                                                                 | 3.1 kB     00:00     
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package unittest.x86_64 0:0.50-62.6.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================================================================
 Package                  Arch                   Version                         Repository                                  Size
==================================================================================================================================
Installing:
 unittest                 x86_64                 0.50-62.6.el6                   rhel-6-server-cf-ce-1-rpms                  37 k

Transaction Summary
==================================================================================================================================
Install       1 Package(s)

Total download size: 37 k
Installed size: 141 k
Is this ok [y/N]: y
Downloading Packages:
unittest-0.50-62.6.el6.x86_64.rpm                                                                          |  37 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : unittest-0.50-62.6.el6.x86_64                                                                                  1/1 
  Verifying  : unittest-0.50-62.6.el6.x86_64                                                                                  1/1 

Installed:
  unittest.x86_64 0:0.50-62.6.el6                                                                                                 

Complete!




[]$ ls -lart /etc/pki/product/; cat /var/lib/rhsm/productid.js 
total 16
-rw-r--r--.  1 root root 2159 Jun 10 10:04 69.pem
drwxr-xr-x. 13 root root 4096 Jun 10 10:05 ..
-rw-r--r--.  1 root root 2122 Jun 10 10:31 167.pem
drwxr-xr-x.  2 root root 4096 Jun 10 10:31 .
{
  "69": [
    "anaconda-RedHatEnterpriseLinux-201301150237.x86_64", 
    "rhel-6-server-cf-tools-1-rpms", 
    "rhel-6-server-rpms", 
    "rhel-nightly"
  ], 
  "167": [
    "rhel-6-server-cf-ce-1-rpms"
  ], 
  "92": [
    "rhel-scalefs-for-rhel-6-server-rpms"
  ]



[]$ yum list installed | grep rhel-6-server-cf-ce-1-rpms
unittest.x86_64                    0.50-62.6.el6         @rhel-6-server-cf-ce-1-rpms



[]$ sudo yum remove unittest
Loaded plugins: auto-update-debuginfo, product-id, refresh-packagekit, security, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package unittest.x86_64 0:0.50-62.6.el6 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================================================================
 Package                  Arch                   Version                        Repository                                   Size
==================================================================================================================================
Removing:
 unittest                 x86_64                 0.50-62.6.el6                  @rhel-6-server-cf-ce-1-rpms                 141 k

Transaction Summary
==================================================================================================================================
Remove        1 Package(s)

Installed size: 141 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Erasing    : unittest-0.50-62.6.el6.x86_64                                                                                  1/1 
  Verifying  : unittest-0.50-62.6.el6.x86_64                                                                                  1/1 

Removed:
  unittest.x86_64 0:0.50-62.6.el6                                                                                                 

Complete!


[]$ ls -lart /etc/pki/product/; cat /var/lib/rhsm/productid.js 
total 12
-rw-r--r--.  1 root root 2159 Jun 10 10:04 69.pem
drwxr-xr-x. 13 root root 4096 Jun 10 10:05 ..
drwxr-xr-x.  2 root root 4096 Jun 10 10:34 .
{
  "69": [
    "anaconda-RedHatEnterpriseLinux-201301150237.x86_64", 
    "rhel-6-server-cf-tools-1-rpms", 
    "rhel-6-server-rpms", 
    "rhel-nightly"
  ], 
  "92": [
    "rhel-scalefs-for-rhel-6-server-rpms"
  ]


From /var/log/rhsm/rhsm.log:
2013-06-10 10:34:07,101 [INFO]  @productid.py:407 - product cert 167 for 167 is being deleted
2013-06-10 10:34:07,101 [INFO]  @productid.py:407 - product cert 167 for 167 is being deleted
2013-06

(aside, not the double entries, probably another bug in that...)

Comment 2 John Sefler 2013-09-06 21:28:05 UTC

Restesting on RHEL65 with version...
[root@jsefler-6 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: Unknown
subscription-manager: 1.9.5-1.el6
python-rhsm: 1.9.4-1.el6

The scenario in comment 0 continues to fail for me.

Comment 3 Adrian Likins 2014-01-30 21:56:10 UTC

Just tried this again, and it still works for me.

For a system that this fails on, what repo's are enabled? Wondering if there
is another repo enabled that has 'unittest' in it. (I know epel does, but that
shouldn't matter). What does "yum list available --enablerepo=rhel-6-server-cf-ce-1-rpms | grep unittest" show?

Comment 4 Adrian Likins 2014-01-30 22:04:18 UTC

Actually, what other repos are setup? 

If it tries to get repodata from a repo that fails, that can cause
it to skip deleting the cert.

Any msgs in the logs about repo meta data errors?

Comment 5 Adrian Likins 2014-02-03 14:58:54 UTC

Looking at some of the tests systems...

The '167' product cert isn't being removed because the productid code thinks
the repo associated with it 'rhel-6-server-cf-ce-1-rpms' is still 'active'.

'active' is supposed to mean "there are packages from this repo installed".

What seems to be happening is that the system has a 'rubygems' package installed from the base rhel repo. 'rubygems' (of a different version) is also available in the 'rhel-6-server-cf-ce-1-rpms' repos.

Then it is hitting the code:

# if a pkg is in multiple repo's, this will consider
# all the repo's with the pkg "active".
db_pkg = yb.rpmdb.searchNevra(name=p.name, arch=p.arch)

And since it is finding that a package available from the 'rhel-6-server-cf-ce-1-rpms' repo ('rubygems') is installed, it's counting that repo as active and not
removing the product info.

That seems to be intentional, but I'm not sure it's correct.

Comment 6 Adrian Likins 2014-02-03 15:06:09 UTC

The history of why that change is included is kind of fuzzy, it seems to have gotten included as part of the fix for https://bugzilla.redhat.com/show_bug.cgi?id=709754

But I'm not entirely sure that was intentional or related.

Comment 7 Adrian Likins 2014-02-03 17:41:34 UTC

Been discussing this with dgoodwin, and I think I've decided this is working as designed.

Basically, in the case outlined in comment 1, the system has 'rubygems' installed, originally from a rhel6 repo[1].

The rhel-6-server-cf-ce-1-rpms contains 'unittest', but also a newer version of
'rubygems'.

Since a version of 'rubygems' is installed, and rhel-6-server-cf-ce-1-rpms provides rubygems, rhel-6-server-cf-ce-1-rpms is considered an active repo.
That makes more sense if you think about doing a yum update in that case, in
which the system would get the newer content from rhel-6-server-cf-ce-1-rpms.
So even though that particular installed version isn't from rhel-6-server-cf-ce-1-rpms, the rhel-6-server-cf-ce-1-rpms does provide available and enabled updates.

To count as not active, the system would have to remove all packages that are
also provided by rhel-6-server-cf-ce-1-rpms.


We do know the repoid the installed packaged was installed from, but we
can't particularly trust that. The installed repo is likely to be an 'anaconda-repo', or an RHN channel, or a pulp provided repo, etc. [2]

To avoid deleting certs installed from a different repoid, we don't enforce a matching repoid. This also supports repoids changing.

To keep that working, I think we need to leave this alone and consider it working.




[1] in this case, a repo pointing to dev trees, but it could just as easily be an rhsm repo with the rhel6 product id in it.

[2] A potential improvement for this case would to be consider the product ids associated with repos in the comparison. Instead of just checking if an installed package from repo FOO is also available in some enabled repo (BAR), 
we would follow the productid->repo map, and require the productid is the same.

ie, a package installed from base rhel should have a repoid associated with it of some-base-rhel-server-repo which productid.js would map to product id 69. If the enabled repo that also provides that package also maps to productid 69, we would count that as 'active'. If the available enabled repo maps to a different product id (ie, "167"->"rhel-6-server-cf-ce-1-rpms"), we wouldn't consider that repo as 'active.

Note however, for the case in comment 1, this wouldn't help, since the repoid the 'rubygems' packages has, is not in productid.js, so we couldn't compare product ids.


tl;dr: It's weird, but I think it's doing the right thing. notabug.

Comment 8 Adrian Likins 2014-02-03 18:08:46 UTC

https://bugzilla.redhat.com/show_bug.cgi?id=1060838 
( [RFE] Consider productid->repoid mapping when calculating active repos )
file based on [2] in comment 7

Comment 9 Adrian Likins 2014-02-03 21:50:35 UTC

Moving to NOTABUG

Note You need to log in before you can comment on or make changes to this bug.