Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-14224

Stop replacing /etc/rhsm-host/ca to /etc/rhsm-host-host/ca if ca cert dir is already under /etc/rhsm-host

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • rhel-9.4
    • rhel-9.2.0.z
    • librhsm
    • None
    • librhsm-0.0.3-8.el9
    • None
    • Moderate
    • ZStream
    • rhel-sst-cs-software-management
    • ssg_core_services
    • 20
    • None
    • False
    • Hide

      None

      Show
      None
    • Yes
    • None
    • Approved Blocker
    • Hide
      • If empty /etc/rhsm-host directory exists, rhsm_context_get_ca_cert_dir() will return "/etc/rhsm-host/ca".
      • If /etc/rhsm-host/rhsm.conf configuration file specifies "ca_cert_dir" value with "/etc/rhsm/" prefix in "rhsm" section, rhsm_context_get_ca_cert_dir() will return that value with the prefix substituted to "/etc/rhsm-host/".
      • If /etc/rhsm-host/rhsm.conf configuration file specifies "ca_cert_dir" value with a prefix different from "/etc/rhsm/" in "rhsm" section, rhsm_context_get_ca_cert_dir() will return that value intact.
      • rhsm_context_get_repo_ca_cert() call will behave alike.
      Show
      If empty /etc/rhsm-host directory exists, rhsm_context_get_ca_cert_dir() will return "/etc/rhsm-host/ca". If /etc/rhsm-host/rhsm.conf configuration file specifies "ca_cert_dir" value with "/etc/rhsm/" prefix in "rhsm" section, rhsm_context_get_ca_cert_dir() will return that value with the prefix substituted to "/etc/rhsm-host/". If /etc/rhsm-host/rhsm.conf configuration file specifies "ca_cert_dir" value with a prefix different from "/etc/rhsm/" in "rhsm" section, rhsm_context_get_ca_cert_dir() will return that value intact. rhsm_context_get_repo_ca_cert() call will behave alike.
    • Pass
    • Enabled
    • Automated
    • Bug Fix
    • Hide
      .The `librhsm` library now returns the correct `/etc/rhsm-host` prefix if `librhsm` is run in a container

      The `librhsm` library rewrites path prefixes to CA certificates from the `/etc/rhsm` to `/etc/rhsm-host` path if `librhsm` is run in a container. Previously, `librhsm` returned the wrong `/etc/rhsm-host-host` prefix because of a string manipulation mistake. With this update, the issue has been fixed, and the `librhsm` library now returns the correct `/etc/rhsm-host` prefix.
      Show
      .The `librhsm` library now returns the correct `/etc/rhsm-host` prefix if `librhsm` is run in a container The `librhsm` library rewrites path prefixes to CA certificates from the `/etc/rhsm` to `/etc/rhsm-host` path if `librhsm` is run in a container. Previously, `librhsm` returned the wrong `/etc/rhsm-host-host` prefix because of a string manipulation mistake. With this update, the issue has been fixed, and the `librhsm` library now returns the correct `/etc/rhsm-host` prefix.
    • Done
    • All
    • None

      What were you trying to do that didn't work?

      When running entitled builds using SharedSecret objects according to https://docs.openshift.com/container-platform/4.13/cicd/builds/running-entitled-builds.html#builds-running-entitled-builds-with-sharedsecret-objects_running-entitled-builds with rhcos container, rpm-ostree can not access to the repos. The workaround is remove /etc/rhsm-host.

      Please provide the package NVR for which bug is seen:

      librhsm-0.0.3-7.el9.x86_64

      How reproducible:

      100%

      Steps to reproduce

      1. Create 4.13.1 cluster
      2. Enable TechPreviewNoUpgrade FeatureGate featureset refer to doc

      $ oc get FeatureGate cluster -ojson | jq '.spec'
{
  "featureSet": "TechPreviewNoUpgrade"
}

      Check etc-pki-entitlement secret was created

      $ oc get secret --namespace openshift-config-managed
etc-pki-entitlement                       Opaque                                2      6m16s

      3. Create test namespace

      $ oc new-project entitlement-test
$ oc project
Using project "entitlement-test" on server "https://api.ci-ln-v6y7jf2-76ef8.aws-2.ci.openshift.org:6443".

      4. Create SharedSecret

      # cat my-entitlement.yaml 
apiVersion: sharedresource.openshift.io/v1alpha1
kind: SharedSecret
metadata:
  name: my-entitlement
spec:
  secretRef:
    name: etc-pki-entitlement
    namespace: openshift-config-managed

$ oc apply -f my-entitlement.yaml
$ oc get sharedsecret
NAME             AGE
my-entitlement   18s

      5. Create Role and RoleBinding

      # cat my-role-shared.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: shared-resource-my-share
  namespace: entitlement-test
rules:
  - apiGroups:
      - sharedresource.openshift.io
    resources:
      - sharedsecrets
    resourceNames:
      - my-entitlement
    verbs:
      - use
$ oc apply -f my-role-shared.yaml
$ oc create rolebinding shared-resource-my-share --role=shared-resource-my-share --serviceaccount=entitlement-test:builder
rolebinding.rbac.authorization.k8s.io/shared-resource-my-share created

      6. Create BuildConfig

      $ cat my-csi-bc-coreos.yaml 
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: my-csi-bc-coreos
  namespace: entitlement-test
spec:
  runPolicy: Serial
  source:
    dockerfile: |
      # oc adm release info 4.13.1 --image-for=rhel-coreos 
      FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d2aa8899d6ec5cd40bbe7b843027148b768f0a5b8ab091aa46958c4893814306
      RUN ls -la /etc/pki/entitlement/
      RUN sleep infinity
      RUN rpm-ostree install libreswan
  strategy:
    type: Docker
    dockerStrategy:
      volumes:
        - mounts:
            - destinationPath: "/etc/pki/entitlement"
          name: entitlement-pv
          source:
            csi:
              driver: csi.sharedresource.openshift.io
              readOnly: true
              volumeAttributes:
                sharedSecret: my-entitlement
            type: CSI

$ oc apply -f my-csi-bc-coreos.yaml
buildconfig.build.openshift.io/my-csi-bc-coreos created

$ oc start-build my-csi-bc-coreos -F

      Expected results

      Entitled builds can access the repo successfully.

      Actual results

      Entitled builds can not access the repo with error:

      bash-5.1# rpm-ostree install libreswan
...
Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/repodata/repomd.xml [error setting certificate file: /etc/rhsm-host-host/ca/redhat-uep.pem]

        1. test-1.c
          0.5 kB

              rhn-support-ppisar Petr Pisar
              hhei@redhat.com Huijing Hei
              packaging-team-maint packaging-team-maint
              Eva Mrakova Eva Mrakova
              Mariya Pershina Mariya Pershina
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated:
                Resolved: