I have opened https://github.com/uyuni-project/uyuni/issues/6021 for this issue. -----Original Message----- From: Paul-Andre Panon via Uyuni Users <users@lists.uyuni-project.org> Sent: Tuesday, October 11, 2022 4:56 PM To: General discussion related to the openSUSE Uyuni project <users@lists.uyuni-project.org> Cc: Paul-Andre Panon <ppanon@sierrawireless.com> Subject: RE: CentOS 7 channel selection issue It seems that it's the mgrchannels_repo state (or a common API that it calls) that is breaking the configuration file. We had manually fixed up the yum config file to remove the extra entries and that state broke it again when trying to apply the high state. This is breaking all our CentOS patching. I also tried to see if it might be something wrong with the bootstrap repo that might be loading the wrong rpm package somehow. I tried to use both server.susemanager.bootstrap_repo_flush = 1 and mgr-create-bootstrap-repo -f -c centos-7-x86_64-uyuni to rebuild it with only the latest package versions, but I still see old package versions left in /srv/www/htdocs/pub/repositories/centos/7/bootstrap/x86_64/ ---------- ID: mgrchannels_repo Function: file.managed Name: /etc/yum.repos.d/susemanager:channels.repo Result: True Comment: File /etc/yum.repos.d/susemanager:channels.repo updated Started: 11:30:25.640710 Duration: 85.16 ms Changes: ---------- diff: --- +++ @@ -1,13 +1,12 @@ # Channels managed by SUSE Manager # Do not edit this file, changes will be overwritten -# -##gpgkey=file:///etc/pki/rpm-gpg/uyuni-tools-gpg-pubkey-0d20833e.key # [susemanager:centos7-x86_64] name=CentOS 7 (x86_64) enabled=1 -gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 +file:///etc/pki/rpm-gpg/mgr-gpg-pub.key baseurl=https://<server.fqdn>:443/rhn/manager/download/centos7-x86_64 susemanager_token=<longtokenstring> gpgcheck=1 @@ -18,7 +17,8 @@ [susemanager:epel7-centos7-x86_64] name=EPEL 7 for CentOS 7 (x86_64) enabled=1 -gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key +gpgkey=https://can01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdownload.fe... +file:///etc/pki/rpm-gpg/mgr-gpg-pub.key baseurl=https://<server.fqdn>:443/rhn/manager/download/epel7-centos7-x86_64 susemanager_token=<longtokenstring> gpgcheck=1 @@ -29,7 +29,8 @@ [susemanager:centos7-x86_64-updates] name=CentOS 7 Updates (x86_64) enabled=1 -gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 +file:///etc/pki/rpm-gpg/mgr-gpg-pub.key baseurl=https://<server.fqdn>:443/rhn/manager/download/centos7-x86_64-updates susemanager_token=<longtokenstring>mnYkYefG_LMTe3wjiTuvtc gpgcheck=1 @@ -40,7 +41,8 @@ [susemanager:centos7-uyuni-client-x86_64] name=Uyuni Client Tools for CentOS 7 (x86_64) enabled=1 -gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key +gpgkey=file:///etc/pki/rpm-gpg/uyuni-tools-gpg-pubkey-0d20833e.key +file:///etc/pki/rpm-gpg/mgr-gpg-pub.key baseurl=https://<server.fqdn>:443/rhn/manager/download/centos7-uyuni-client-x86_64 susemanager_token=<longtokenstring>_k gpgcheck=1 ---------- That seems to be based on /usr/share/susemanager/salt/channels/init.sls which appears to regenerate the file with the /usr/share/susemanager/salt/channels/channels.repo jinja template. The relevant lines being {%- if grains['os_family'] == 'Debian' %} <stuff for Debian> {%- else %} [{{ args['alias'] }}] name={{ args['name'] }} enabled={{ args['enabled'] }} {%- if args['gpgkeyurl'] is defined %} gpgkey={{ args['gpgkeyurl'] }} {%- if salt['pillar.get']('mgr_metadata_signing_enabled', false) %} file:///etc/pki/rpm-gpg/mgr-gpg-pub.key {%- endif %} {%- elif salt['pillar.get']('mgr_metadata_signing_enabled', false) %} gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key {%- endif %} {%- if grains['os_family'] == 'RedHat' %} <more template for the other lines we see in the actual file> {%- else %} <non-redhat/centOS stuff> {%- endif %} type={{ args['type'] }} {%- endif %} The problem appears to be that gpgkeyurl is defined and 'mgr_metadata_signing_enabled' is false so we get both those lines. Since that makes it possible to have both those lines and that breaks the config, that would appear to be a bug. I'm not quite sure what it should look like though. Thanks, Paul-Andre Panon From: Paul-Andre Panon via Uyuni Users <users@lists.uyuni-project.org> Sent: Wednesday, September 28, 2022 11:01 AM To: Uyuni Users <users@lists.uyuni-project.org> Cc: Paul-Andre Panon <ppanon@sierrawireless.com> Subject: CentOS 7 channel selection issue Hi, I've been running into an issue with our CentOS 7 clients. We didn't have this problem before but seem to have it with recent client additions. When trying to change the base and child channels for a CentOS 7 system, the change fails and corrupts the client repo config file at /etc/yum.repos.d/susemanager:channels.repo. The gpgkey= lines somehow have the non-Uyuni repo signing keys still in there, with the Uyuni key on a separate line immediately after. For example [susemanager:centos7-x86_64] name=CentOS 7 (x86_64) enabled=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 file:///etc/pki/rpm-gpg/mgr-gpg-pub.key baseurl=https://<server.fqdn>:443/rhn/manager/download/centos7-x86_64 susemanager_token=eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2OTUyNDgzNzEsImlhdCI6MTY2MzcxMjM3MSwibmJmIjoxNjYzNzEyMjUxLCJqdGkiOiI0UkhWYWUzU0VnTngwRk1yaXFsWG13Iiwib3JnIjoxLCJvbmx5Q2hhbm5lbHMiOlsiY2VudG9zNy14ODZfNjQiXX0.EoqL2bHAZ4li3FGsXuatKny5BU0qJ1aDbdJifTD_Gkw gpgcheck=1 repo_gpgcheck=1 type=rpm-md Instead that gpgkey line should just look like gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key It currently only seems to happen with the CentOS 7 clients. Is this a bug in a recent CentOS client update, or a database issue? Cheers, Paul-Andre Panon