Hi,

I've been running into an issue with our CentOS 7 clients. We didn't have this problem before but seem to have it with recent client additions. When trying to change the base and child channels for a CentOS 7 system, the change fails and corrupts the client repo config file at /etc/yum.repos.d/susemanager:channels.repo. The gpgkey= lines somehow have the non-Uyuni repo signing keys still in there, with the Uyuni key on a separate line immediately after. For example

[susemanager:centos7-x86_64]
name=CentOS 7 (x86_64)
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
file:///etc/pki/rpm-gpg/mgr-gpg-pub.key
baseurl=https://carmd-nv-uyuni1.sierrawireless.local:443/rhn/manager/download/centos...
susemanager_token=eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2OTUyNDgzNzEsImlhdCI6MTY2MzcxMjM3MSwibmJmIjoxNjYzNzEyMjUxLCJqdGkiOiI0UkhWYWUzU0VnTngwRk1yaXFsWG13Iiwib3JnIjoxLCJvbmx5Q2hhbm5lbHMiOlsiY2VudG9zNy14ODZfNjQiXX0.EoqL2bHAZ4li3FGsXuatKny5BU0qJ1aDbdJifTD_Gkw
gpgcheck=1
repo_gpgcheck=1
type=rpm-md

Instead that gpgkey line should just look like

gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key

It currently only seems to happen with the CentOS 7 clients. Is this a bug in a recent CentOS client update, or a database issue?

Cheers,
Paul-Andre Panon
Hi

On Wednesday, 28 September 2022, 20:01:16 CEST, Paul-Andre Panon via Uyuni Users wrote:
> Hi,
>
> I've been running into an issue with our CentOS 7 clients. We didn't have this problem before but seem to have it with recent client additions. When trying to change the base and child channels for a CentOS 7 system, the change fails and corrupts the client repo config file at /etc/yum.repos.d/susemanager:channels.repo. The gpgkey= lines somehow have the non-Uyuni repo signing keys still in there, with the Uyuni key on a separate line immediately after. For example
>
> [susemanager:centos7-x86_64]
> name=CentOS 7 (x86_64)
> enabled=1
> gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
> file:///etc/pki/rpm-gpg/mgr-gpg-pub.key
> baseurl=https://carmd-nv-uyuni1.sierrawireless.local:443/rhn/manager/download/centos...
> susemanager_token=eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2OTUyNDgzNzEsImlhdCI6MTY2MzcxMjM3MSwibmJmIjoxNjYzNzEyMjUxLCJqdGkiOiI0UkhWYWUzU0VnTngwRk1yaXFsWG13Iiwib3JnIjoxLCJvbmx5Q2hhbm5lbHMiOlsiY2VudG9zNy14ODZfNjQiXX0.EoqL2bHAZ4li3FGsXuatKny5BU0qJ1aDbdJifTD_Gkw
> gpgcheck=1
> repo_gpgcheck=1
> type=rpm-md
>
> Instead that gpgkey line should just look like
>
> gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key
>
> It currently only seems to happen with the CentOS 7 clients. Is this a bug in a recent CentOS client update, or a database issue?
No, I think this is ok and also from the syntax it should work, if the man page is correct

------------------------------------------------------
yum.conf(5) - Linux man page
...
gpgkey
    A URL pointing to the ASCII-armored GPG key file for the repository. This option is used if yum needs a public key to verify a package and the required key hasn't been imported into the RPM database. If this option is set, yum will automatically import the key from the specified URL. You will be prompted before the key is installed unless the assumeyes option is set.

    Multiple URLs may be specified here in the same manner as the baseurl option (above). If a GPG key is required to install a package from a repository, all keys specified for that repository will be installed.
...
baseurl
    Must be a URL to the directory where the yum repository's 'repodata' directory lives. Can be an http://, ftp:// or file:// URL. You can specify multiple URLs in one baseurl statement. The best way to do this is like this:

    [repositoryid]
    name=Some name for this repository
    baseurl=url://server1/path/to/repository/
            url://server2/path/to/repository/
            url://server3/path/to/repository/

    If you list more than one baseurl= statement in a repository you will find yum will ignore the earlier ones and probably act bizarrely. Don't do this, you've been warned.

    You can use HTTP basic auth by prepending "user:password@" to the server name in the baseurl line. For example: "baseurl=http://user:passwd@example.com/".
------------------------------------------------------

I would say, both keys should be used if you refresh and install from this repo.
--
Regards

Michael Calmer

--------------------------------------------------------------------------
Michael Calmer
SUSE Software Solutions Germany GmbH, Frankenstraße 146, D-90461 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575 - e-mail: Michael.Calmer@suse.com
--------------------------------------------------------------------------
SUSE Software Solutions Germany GmbH, GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman (HRB 36809, AG Nürnberg)
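The multi-URL gpgkey syntax from the man page excerpt above, as an added example that is not part of the original thread: a small audit that parses a repo stanza and reports which key URLs the parser actually sees. It uses Python's configparser as a stand-in for yum's own INI parser (an assumption); the stanza, the host name uyuni.example.test and the function names are constructed for illustration.

```python
import configparser

# Options expected in a Uyuni-managed stanza, taken from the file quoted in
# the thread; any other option name is reported as a stray line.
KNOWN = {"name", "enabled", "gpgkey", "baseurl", "susemanager_token",
         "gpgcheck", "repo_gpgcheck", "type"}
MGR_KEY = "file:///etc/pki/rpm-gpg/mgr-gpg-pub.key"
CENTOS_KEY = "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7"
SECTION = "susemanager:centos7-x86_64"


def stanza(first_key, indent):
    """Constructed sample stanza; `indent` prefixes the second key URL."""
    return (
        "[" + SECTION + "]\n"
        "name=CentOS 7 (x86_64)\n"
        "enabled=1\n"
        "gpgkey=" + first_key + "\n"
        + indent + MGR_KEY + "\n"
        "baseurl=https://uyuni.example.test:443/rhn/manager/download/centos7-x86_64\n"
        "gpgcheck=1\n"
        "repo_gpgcheck=1\n"
        "type=rpm-md\n"
    )


def audit(text):
    """Return {section: {"gpgkeys": [...], "findings": [...]}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        opts = dict(cp.items(section))
        keys = opts.get("gpgkey", "").split()
        # An unindented continuation is parsed as its own option ("file").
        findings = ["stray option %r: continuation line not indented?" % o
                    for o in sorted(set(opts) - KNOWN)]
        findings += ["key URL without transport integrity: " + u
                     for u in keys if not u.startswith(("file://", "https://"))]
        # Assumption: signed metadata is verified with the server's own key.
        if opts.get("repo_gpgcheck") == "1" and MGR_KEY not in keys:
            findings.append("repo_gpgcheck=1 but the metadata key is not in gpgkey")
        report[section] = {"gpgkeys": keys, "findings": findings}
    return report


if __name__ == "__main__":
    for label, indent in (("indented", "       "), ("unindented", "")):
        print(label, audit(stanza(CENTOS_KEY, indent))[SECTION])
```

With the second URL indented, both keys end up in the gpgkey value; with the indentation removed, only the first key is seen and the second line is reported as a stray option.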
It seems that it's the mgrchannels_repo state (or a common API that it calls) that is breaking the configuration file. We had manually fixed up the yum config file to remove the extra entries and that state broke it again when trying to apply the high state. This is breaking all our CentOS patching.

I also tried to see if it might be something wrong with the bootstrap repo that might be loading the wrong rpm package somehow. I tried to use both

server.susemanager.bootstrap_repo_flush = 1

and

mgr-create-bootstrap-repo -f -c centos-7-x86_64-uyuni

to rebuild it with only the latest package versions, but I still see old package versions left in /srv/www/htdocs/pub/repositories/centos/7/bootstrap/x86_64/

----------
          ID: mgrchannels_repo
    Function: file.managed
        Name: /etc/yum.repos.d/susemanager:channels.repo
      Result: True
     Comment: File /etc/yum.repos.d/susemanager:channels.repo updated
     Started: 11:30:25.640710
    Duration: 85.16 ms
     Changes:
              ----------
              diff:
--- +++ @@ -1,13 +1,12 @@ # Channels managed by SUSE Manager # Do not edit this file, changes will be overwritten -# -##gpgkey=file:///etc/pki/rpm-gpg/uyuni-tools-gpg-pubkey-0d20833e.key # [susemanager:centos7-x86_64] name=CentOS 7 (x86_64) enabled=1 -gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 +file:///etc/pki/rpm-gpg/mgr-gpg-pub.key baseurl=https://<server.fqdn>:443/rhn/manager/download/centos7-x86_64 susemanager_token=<longtokenstring> gpgcheck=1 @@ -18,7 +17,8 @@ [susemanager:epel7-centos7-x86_64] name=EPEL 7 for CentOS 7 (x86_64) enabled=1 -gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key +gpgkey=http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7 +file:///etc/pki/rpm-gpg/mgr-gpg-pub.key baseurl=https://<server.fqdn>:443/rhn/manager/download/epel7-centos7-x86_64 susemanager_token=<longtokenstring> gpgcheck=1 
@@ -29,7 +29,8 @@ [susemanager:centos7-x86_64-updates] name=CentOS 7 Updates (x86_64) enabled=1 -gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 +file:///etc/pki/rpm-gpg/mgr-gpg-pub.key baseurl=https://<server.fqdn>:443/rhn/manager/download/centos7-x86_64-updates susemanager_token=<longtokenstring>mnYkYefG_LMTe3wjiTuvtc gpgcheck=1 @@ -40,7 +41,8 @@ [susemanager:centos7-uyuni-client-x86_64] name=Uyuni Client Tools for CentOS 7 (x86_64) enabled=1 -gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key +gpgkey=file:///etc/pki/rpm-gpg/uyuni-tools-gpg-pubkey-0d20833e.key +file:///etc/pki/rpm-gpg/mgr-gpg-pub.key baseurl=https://<server.fqdn>:443/rhn/manager/download/centos7-uyuni-client-x86_64 susemanager_token=<longtokenstring>_k gpgcheck=1
----------

That seems to be based on /usr/share/susemanager/salt/channels/init.sls which appears to regenerate the file with the /usr/share/susemanager/salt/channels/channels.repo jinja template. The relevant lines being

{%- if grains['os_family'] == 'Debian' %}
<stuff for Debian>
{%- else %}
[{{ args['alias'] }}]
name={{ args['name'] }}
enabled={{ args['enabled'] }}
{%- if args['gpgkeyurl'] is defined %}
gpgkey={{ args['gpgkeyurl'] }}
{%- if salt['pillar.get']('mgr_metadata_signing_enabled', false) %}
file:///etc/pki/rpm-gpg/mgr-gpg-pub.key
{%- endif %}
{%- elif salt['pillar.get']('mgr_metadata_signing_enabled', false) %}
gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key
{%- endif %}
{%- if grains['os_family'] == 'RedHat' %}
<more template for the other lines we see in the actual file>
{%- else %}
<non-redhat/centOS stuff>
{%- endif %}
type={{ args['type'] }}
{%- endif %}

The problem appears to be that gpgkeyurl is defined and 'mgr_metadata_signing_enabled' is false so we get both those lines. Since that makes it possible to have both those lines and that breaks the config, that would appear to be a bug. I'm not quite sure what it should look like though.

Thanks,
Paul-Andre Panon
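Review bot: In the [susemanager:epel7-centos7-x86_64] hunk the new gpgkey value is http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7, so the key that gpgcheck=1 relies on for this channel would be imported from an external host over plain HTTP, while every other channel in this diff references a local file under file:///etc/pki/rpm-gpg/. Suggest deploying the EPEL key to /etc/pki/rpm-gpg/ on the client and pointing gpgkeyurl for this channel at that file:// path, or at minimum using an https:// URL.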
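Review bot: In the [susemanager:centos7-x86_64] hunk, and with the same pattern in the other three, the added file:///etc/pki/rpm-gpg/mgr-gpg-pub.key line is shown starting in column one. A second URL only becomes part of the gpgkey value when its line begins with whitespace, as in the multi-URL baseurl layout from yum.conf(5); without it the line is read as a separate entry and the Uyuni key is not in the key list. Worth checking the leading whitespace in the rendered file on the client and, if it is missing, indenting that line in the channels.repo template.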
From: Paul-Andre Panon via Uyuni Users <users@lists.uyuni-project.org>
Sent: Wednesday, September 28, 2022 11:01 AM
To: Uyuni Users <users@lists.uyuni-project.org>
Cc: Paul-Andre Panon <ppanon@sierrawireless.com>
Subject: CentOS 7 channel selection issue

Hi,

I've been running into an issue with our CentOS 7 clients. We didn't have this problem before but seem to have it with recent client additions. When trying to change the base and child channels for a CentOS 7 system, the change fails and corrupts the client repo config file at /etc/yum.repos.d/susemanager:channels.repo. The gpgkey= lines somehow have the non-Uyuni repo signing keys still in there, with the Uyuni key on a separate line immediately after. For example

[susemanager:centos7-x86_64]
name=CentOS 7 (x86_64)
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
file:///etc/pki/rpm-gpg/mgr-gpg-pub.key
baseurl=https://<server.fqdn>:443/rhn/manager/download/centos7-x86_64
susemanager_token=eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2OTUyNDgzNzEsImlhdCI6MTY2MzcxMjM3MSwibmJmIjoxNjYzNzEyMjUxLCJqdGkiOiI0UkhWYWUzU0VnTngwRk1yaXFsWG13Iiwib3JnIjoxLCJvbmx5Q2hhbm5lbHMiOlsiY2VudG9zNy14ODZfNjQiXX0.EoqL2bHAZ4li3FGsXuatKny5BU0qJ1aDbdJifTD_Gkw
gpgcheck=1
repo_gpgcheck=1
type=rpm-md

Instead that gpgkey line should just look like

gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key

It currently only seems to happen with the CentOS 7 clients. Is this a bug in a recent CentOS client update, or a database issue?

Cheers,
Paul-Andre Panon
I have opened https://github.com/uyuni-project/uyuni/issues/6021 for this issue.

-----Original Message-----
From: Paul-Andre Panon via Uyuni Users <users@lists.uyuni-project.org>
Sent: Tuesday, October 11, 2022 4:56 PM
To: General discussion related to the openSUSE Uyuni project <users@lists.uyuni-project.org>
Cc: Paul-Andre Panon <ppanon@sierrawireless.com>
Subject: RE: CentOS 7 channel selection issue

It seems that it's the mgrchannels_repo state (or a common API that it calls) that is breaking the configuration file. We had manually fixed up the yum config file to remove the extra entries and that state broke it again when trying to apply the high state. This is breaking all our CentOS patching.

I also tried to see if it might be something wrong with the bootstrap repo that might be loading the wrong rpm package somehow. I tried to use both

server.susemanager.bootstrap_repo_flush = 1

and

mgr-create-bootstrap-repo -f -c centos-7-x86_64-uyuni

to rebuild it with only the latest package versions, but I still see old package versions left in /srv/www/htdocs/pub/repositories/centos/7/bootstrap/x86_64/

----------
          ID: mgrchannels_repo
    Function: file.managed
        Name: /etc/yum.repos.d/susemanager:channels.repo
      Result: True
     Comment: File /etc/yum.repos.d/susemanager:channels.repo updated
     Started: 11:30:25.640710
    Duration: 85.16 ms
     Changes:
              ----------
              diff:
--- +++ @@ -1,13 +1,12 @@ # Channels managed by SUSE Manager # Do not edit this file, changes will be overwritten -# -##gpgkey=file:///etc/pki/rpm-gpg/uyuni-tools-gpg-pubkey-0d20833e.key # [susemanager:centos7-x86_64] name=CentOS 7 (x86_64) enabled=1 -gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 +file:///etc/pki/rpm-gpg/mgr-gpg-pub.key baseurl=https://<server.fqdn>:443/rhn/manager/download/centos7-x86_64 susemanager_token=<longtokenstring> gpgcheck=1 
@@ -18,7 +17,8 @@ [susemanager:epel7-centos7-x86_64] name=EPEL 7 for CentOS 7 (x86_64) enabled=1 -gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key +gpgkey=https://can01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdownload.fe... +file:///etc/pki/rpm-gpg/mgr-gpg-pub.key baseurl=https://<server.fqdn>:443/rhn/manager/download/epel7-centos7-x86_64 susemanager_token=<longtokenstring> gpgcheck=1 @@ -29,7 +29,8 @@ [susemanager:centos7-x86_64-updates] name=CentOS 7 Updates (x86_64) enabled=1 -gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 +file:///etc/pki/rpm-gpg/mgr-gpg-pub.key baseurl=https://<server.fqdn>:443/rhn/manager/download/centos7-x86_64-updates susemanager_token=<longtokenstring>mnYkYefG_LMTe3wjiTuvtc gpgcheck=1 
@@ -40,7 +41,8 @@ [susemanager:centos7-uyuni-client-x86_64] name=Uyuni Client Tools for CentOS 7 (x86_64) enabled=1 -gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key +gpgkey=file:///etc/pki/rpm-gpg/uyuni-tools-gpg-pubkey-0d20833e.key +file:///etc/pki/rpm-gpg/mgr-gpg-pub.key baseurl=https://<server.fqdn>:443/rhn/manager/download/centos7-uyuni-client-x86_64 susemanager_token=<longtokenstring>_k gpgcheck=1
----------

That seems to be based on /usr/share/susemanager/salt/channels/init.sls which appears to regenerate the file with the /usr/share/susemanager/salt/channels/channels.repo jinja template. The relevant lines being

{%- if grains['os_family'] == 'Debian' %}
<stuff for Debian>
{%- else %}
[{{ args['alias'] }}]
name={{ args['name'] }}
enabled={{ args['enabled'] }}
{%- if args['gpgkeyurl'] is defined %}
gpgkey={{ args['gpgkeyurl'] }}
{%- if salt['pillar.get']('mgr_metadata_signing_enabled', false) %}
file:///etc/pki/rpm-gpg/mgr-gpg-pub.key
{%- endif %}
{%- elif salt['pillar.get']('mgr_metadata_signing_enabled', false) %}
gpgkey=file:///etc/pki/rpm-gpg/mgr-gpg-pub.key
{%- endif %}
{%- if grains['os_family'] == 'RedHat' %}
<more template for the other lines we see in the actual file>
{%- else %}
<non-redhat/centOS stuff>
{%- endif %}
type={{ args['type'] }}
{%- endif %}

The problem appears to be that gpgkeyurl is defined and 'mgr_metadata_signing_enabled' is false so we get both those lines. Since that makes it possible to have both those lines and that breaks the config, that would appear to be a bug. I'm not quite sure what it should look like though.

Thanks,
Paul-Andre Panon