Bug #15932

capsule-certs-generate failed to increment release number when generating certificate rpm for foreman-proxy

Added by Stephen Benjamin almost 4 years ago. Updated 3 days ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Installer
Target version:
Difficulty: medium
Triaged: No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1300211
Description of problem:
capsule-certs-generate failed to increment release number when generating certificate rpm for foreman-proxy

Version-Release number of selected component (if applicable):
Satellite 6.1.4

How reproducible:
100%

Steps to Reproduce:
1. Execute capsule-certs-generate command for the first time and extract the contents of the
# capsule-certs-generate --capsule-fqdn capsule.example.com --certs-tar /tmp/capsule.tar.gz
# tar -xvzf /tmp/capsule.tar.gz
ssl-build/katello-default-ca-1.0-1.noarch.rpm
ssl-build/katello-server-ca-1.0-1.noarch.rpm
ssl-build/capsule.example.com/capsule.example.com-apache-1.0-1.noarch.rpm
ssl-build/capsule.example.com/capsule.example.com-apache-1.0-2.noarch.rpm
ssl-build/capsule.example.com/capsule.example.com-foreman-client-1.0-1.noarch.rpm
ssl-build/capsule.example.com/capsule.example.com-foreman-proxy-1.0-2.noarch.rpm
ssl-build/capsule.example.com/capsule.example.com-foreman-proxy-client-1.0-1.noarch.rpm
ssl-build/capsule.example.com/capsule.example.com-puppet-client-1.0-1.noarch.rpm
ssl-build/capsule.example.com/capsule.example.com-qpid-broker-1.0-1.noarch.rpm
ssl-build/capsule.example.com/capsule.example.com-qpid-client-cert-1.0-1.noarch.rpm
ssl-build/capsule.example.com/capsule.example.com-qpid-router-client-1.0-1.noarch.rpm
ssl-build/capsule.example.com/capsule.example.com-qpid-router-server-1.0-1.noarch.rpm

2. Re-run the capsule installer with the --certs-update-server option, which would only update the apache package, but not the foreman-proxy

  # capsule-certs-generate --capsule-fqdn capsule.example.com --certs-tar /tmp/capsule.tar.gz --certs-update-server
  # tar -xvzf capsule.tar.gz
    ssl-build/katello-default-ca-1.0-1.noarch.rpm
    ssl-build/katello-server-ca-1.0-1.noarch.rpm
    ssl-build/capsule.example.com/capsule.example.com-apache-1.0-1.noarch.rpm
    ssl-build/capsule.example.com/capsule.example.com-apache-1.0-3.noarch.rpm
    ssl-build/capsule.example.com/capsule.example.com-foreman-client-1.0-1.noarch.rpm
    ssl-build/capsule.example.com/capsule.example.com-foreman-proxy-1.0-2.noarch.rpm
    ssl-build/capsule.example.com/capsule.example.com-foreman-proxy-client-1.0-1.noarch.rpm
    ssl-build/capsule.example.com/capsule.example.com-puppet-client-1.0-1.noarch.rpm
    ssl-build/capsule.example.com/capsule.example.com-qpid-broker-1.0-1.noarch.rpm
    ssl-build/capsule.example.com/capsule.example.com-qpid-client-cert-1.0-1.noarch.rpm
    ssl-build/capsule.example.com/capsule.example.com-qpid-router-client-1.0-1.noarch.rpm
    ssl-build/capsule.example.com/capsule.example.com-qpid-router-server-1.0-1.noarch.rpm

Actual results:
foreman-proxy related RPMs get updated correctly with the new CA, but it fails to update the version that gets appended to the RPM, causing the confusion.

Expected results:
RPMs should be appended with the correct version

Additional info:
Problem seems to be from the code of /bin/katello-ssl-tool
    # find RPMs in the directory as well.
    filenames = glob.glob("%s-*.noarch.rpm" % server_rpm)
    if filenames:
        filename = sortRPMs(filenames)[-1]
        h = get_package_header(filename)
        if hdr is None:
            hdr = h
        else:
            comp = hdrLabelCompare(h, hdr)
            if comp > 0:
                hdr = h

It grabs rpms like this "capsule.example.com-foreman-proxy-*.noarch.rpm" in that dir, sorts them, and reckons the last one is the latest one.

But the satellite also has an rpm called "capsule.example.com-foreman-proxy-client-1.0-*.noarch.rpm" in the same directory!!

glob.glob("%s-*.noarch.rpm" % server_rpm) matches that perfectly as well. Since it always sits at the bottom of the sorted list:

(i.e.)
...
xxx-foreman-proxy-1.xxx
xxx-foreman-proxy-client-1.xxx

the release # the code fetched is always wrong.

As a result, the capsule.example.com-foreman-proxy rpm is generated with the right content, but wrong release number.

Since we have a capsule.example.com-foreman-proxy-client-1.0-1.noarch.rpm in the same folder, the generated capsule.example.com-foreman-proxy rpm will always be 1.0-2.

Associated revisions

Revision 1e855f29 (diff)
Added by Ewoud Kohl van Wijngaarden 4 days ago

Fixes #15932 - Stricter check on file globs

Creating a certificate named foreman-proxy-client and then one for
foreman-proxy meant that the glob would match the client. This meant it
created foreman-proxy-client-1.0-1 and then foreman-proxy-1.0-2 even
though there never was a foreman-proxy-1.0-1.

By matching on a number, this can still happen if the user requested a
certificate where the package name included a number. However, this is
currently not the case in Satellite which is the only known consumer of
this package.

A better version would actually use the name from the RPM.
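
The over-matching glob, a digit-anchored glob and a match on the parsed package name, compared side by side. This is an added example, not the katello-ssl-tool code or the actual change in revision 1e855f29. Assumptions: `fnmatch` on a constructed file list stands in for `glob.glob` on disk, the `[0-9]` pattern is one reading of "matching on a number", and splitting the file name stands in for reading the name from the RPM header.

```python
import fnmatch

# Constructed listing, modelled on the ssl-build directory in the report.
FILES = [
    "capsule.example.com-foreman-proxy-1.0-2.noarch.rpm",
    "capsule.example.com-foreman-proxy-client-1.0-1.noarch.rpm",
    "capsule.example.com-apache-1.0-3.noarch.rpm",
]

SUFFIX = ".noarch.rpm"


def loose_glob(files, name):
    """Pattern from the report: '<name>-*' also matches '<name>-client-...'."""
    return sorted(fnmatch.filter(files, "%s-*.noarch.rpm" % name))


def digit_glob(files, name):
    """Assumed form of 'matching on a number': version must start with a digit."""
    return sorted(fnmatch.filter(files, "%s-[0-9]*.noarch.rpm" % name))


def split_nvr(filename):
    """Split name-version-release from the right; RPM version and release
    cannot contain '-', so the last two hyphens delimit them."""
    name, version, release = filename[: -len(SUFFIX)].rsplit("-", 2)
    return name, version, release


def by_exact_name(files, name):
    """Filter on the parsed package name instead of a prefix glob."""
    return sorted(f for f in files
                  if f.endswith(SUFFIX) and split_nvr(f)[0] == name)


if __name__ == "__main__":
    pkg = "capsule.example.com-foreman-proxy"
    for label, fn in (("loose", loose_glob), ("digit", digit_glob),
                      ("exact", by_exact_name)):
        print(label, fn(FILES, pkg))
    # Caveat from the commit message: a package name that contains a number
    # (hypothetical name, constructed for this example).
    extra = FILES + ["capsule.example.com-foreman-proxy-2fa-1.0-1.noarch.rpm"]
    print("digit, numbered name:", digit_glob(extra, pkg))
    print("exact, numbered name:", by_exact_name(extra, pkg))
```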

History

#1 Updated by Justin Sherrill almost 4 years ago

  • Legacy Backlogs Release (now unused) set to 114
  • Difficulty set to medium

#2 Updated by Ewoud Kohl van Wijngaarden 3 days ago

  • Triaged set to No
  • Target version changed from Katello Backlog to Katello 4.0.0
  • Status changed from New to Closed

Not quite sure why it wasn't closed automatically.
