- Bug
- Resolution: Unresolved
- Major
- rhel-8.5.0
- Critical
- rhel-sst-image-builder
- ssg_front_door
Description of problem:
This bug was originally described in:
https://bugzilla.redhat.com/show_bug.cgi?id=1945670
But the customer is still encountering the issue after applying the below errata, fixing rhbz#1896185:
https://access.redhat.com/errata/RHBA-2021:4273
Version-Release number of selected component (if applicable):
osbuild-composer-33.2-1.el8.x86_64
osbuild-35-3.el8.noarch
How reproducible:
Always
Steps to Reproduce:
See the reproducer in the original BZ; multiple custom Satellites are required.
Use the procedure below to set up the overrides:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/composing_a_customized_rhel_system_image/managing-repositories_composing-a-customized-rhel-system-image#overriding-a-system-repository_managing-repositories
In outline, they followed the steps below:
- mkdir -p /etc/osbuild-composer/repositories
- cp /usr/share/osbuild-composer/repositories/rhel-85.json /etc/osbuild-composer/repositories/
- URL=$(dnf repolist -v 2>&1 | awk '/baseurl/ {print $3}' | grep baseos/os | head -n1 | sed 's|dist/.*||')
- sed -i "s|https://cdn.redhat.com/content/|$URL|" /etc/osbuild-composer/repositories/rhel-85.json
- sed -i "s|rhel8/8.5|rhel8/8|" /etc/osbuild-composer/repositories/rhel-85.json ### if needed
- rm -rf /var/cache/osbuild-composer/*
- cd /etc/rhsm/ca
- mv redhat-uep.pem redhat-uep.pem.bak
- ln -s katello-server-ca.pem redhat-uep.pem
- systemctl restart osbuild-composer
Note the Satellite CACert has been symlinked from the CDN one (redhat-uep.pem) because the composer was always looking for this file.
Actual results:
From the journal:
Nov 18 17:02:16 <HOSTNAME> osbuild-composer[27834]: 2021/11/18 17:02:16 GET /api/v1/blueprints/depsolve/MyImage1
Nov 18 17:02:16 <HOSTNAME> osbuild-composer[27834]: Errors during downloading metadata for repository '0':
Nov 18 17:02:16 <HOSTNAME> osbuild-composer[27834]: - Status code: 403 for https://<CUSTOM_SAT_URL>/content/dist/rhel8/8/x86_64/baseos/os/repodata/repomd.xml (IP: <CUSTOM_IP>)
From the strace:
$ grep 'openat(.*pem' 0100-sat-composer.tgz/tmp/composer.strace | grep -v ENOENT
27917 17:02:16.812477 openat(AT_FDCWD, "/etc/pki/entitlement/3665926663619286915.pem", O_RDONLY) = 10</etc/pki/entitlement/3665926663619286915.pem> <0.000065>
27917 17:02:16.813055 openat(AT_FDCWD, "/etc/pki/entitlement/3665926663619286915-key.pem", O_RDONLY) = 10</etc/pki/entitlement/3665926663619286915-key.pem> <0.000029>
27917 17:02:16.813455 openat(AT_FDCWD, "/etc/rhsm/ca/redhat-uep.pem", O_RDONLY) = 10</etc/rhsm/ca/katello-server-ca.pem> <0.000133>
From redhat.repo:
[rhel-8-for-x86_64-baseos-rpms]
name = Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
baseurl = https://<CUSTOM_SAT_URL>/content/dist/rhel8/$releasever/x86_64/baseos/os
:
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
sslclientkey = /etc/pki/entitlement/6874917509862528732-key.pem
sslclientcert = /etc/pki/entitlement/6874917509862528732.pem
Expected results:
The right key/pair corresponding to baseos/appstream is used.
Additional info:
- grep rhsm /etc/osbuild-composer/repositories/rhel-85.json | sort -u
"rhsm": true,
- composer-cli sources info baseos
[baseos]
name = "baseos"
type = "yum-baseurl"
url = "https://<CUSTOM_SAT_URL>/dist/rhel8/8/x86_64/baseos/os"
check_gpg = true
check_ssl = true
system = true
rhsm = false <===
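A diagnostic for the mismatch shown above, as an added example that is not part of the original report or of osbuild-composer: it compares the client certificate and key that redhat.repo configures for a repository with the entitlement files a traced process actually opened. The sample repo text and strace lines are constructed from the excerpts in the report (satellite.example.com is a placeholder hostname, and the failed open is invented for illustration); all function names are hypothetical.

```python
import configparser
import re

# Constructed sample in the shape of the report's redhat.repo excerpt
# (satellite.example.com is a placeholder hostname).
SAMPLE_REPO = """\
[rhel-8-for-x86_64-baseos-rpms]
name = Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
baseurl = https://satellite.example.com/content/dist/rhel8/$releasever/x86_64/baseos/os
sslcacert = /etc/rhsm/ca/katello-server-ca.pem
sslclientkey = /etc/pki/entitlement/6874917509862528732-key.pem
sslclientcert = /etc/pki/entitlement/6874917509862528732.pem
"""

# Constructed strace lines in the shape of the report's output, plus one failed open.
SAMPLE_STRACE = """\
27917 17:02:16.812477 openat(AT_FDCWD, "/etc/pki/entitlement/3665926663619286915.pem", O_RDONLY) = 10
27917 17:02:16.813055 openat(AT_FDCWD, "/etc/pki/entitlement/3665926663619286915-key.pem", O_RDONLY) = 10
27917 17:02:16.813455 openat(AT_FDCWD, "/etc/rhsm/ca/redhat-uep.pem", O_RDONLY) = 10
27917 17:02:16.813900 openat(AT_FDCWD, "/etc/pki/entitlement/absent.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

OPENAT_PEM = re.compile(r'openat\([^,]+, "([^"]+\.pem)"[^)]*\)\s*=\s*(-?\d+)')

def configured_client_files(repo_text, url_fragment):
    """Return the sslclientcert/sslclientkey paths of the repo whose baseurl contains url_fragment."""
    parser = configparser.ConfigParser(interpolation=None)  # keep $releasever literal
    parser.read_string(repo_text)
    for section in parser.sections():
        if url_fragment in parser.get(section, "baseurl", fallback=""):
            return {parser.get(section, opt) for opt in ("sslclientcert", "sslclientkey")
                    if parser.has_option(section, opt)}
    return set()

def opened_entitlement_files(strace_text):
    """Return entitlement .pem paths that were opened successfully (fd >= 0)."""
    return {m.group(1) for m in OPENAT_PEM.finditer(strace_text)
            if int(m.group(2)) >= 0 and m.group(1).startswith("/etc/pki/entitlement/")}

def entitlement_mismatch(repo_text, strace_text, url_fragment):
    """Compare configured client cert/key with what the traced process opened."""
    expected = configured_client_files(repo_text, url_fragment)
    opened = opened_entitlement_files(strace_text)
    return {"not_opened": sorted(expected - opened), "unexpected": sorted(opened - expected)}

if __name__ == "__main__":
    for kind, paths in entitlement_mismatch(SAMPLE_REPO, SAMPLE_STRACE, "baseos/os").items():
        for path in paths:
            print(f"{kind}: {path}")
```

An empty result in both lists means the traced process used exactly the pair that redhat.repo assigns to that repository.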