Uploaded image for project: 'Satellite'
  1. Satellite
  2. SAT-19265

Impossible to remove md5 from allowed_content_checksums without breaking the satellite-installer execution

XMLWordPrintable

    • 0
    • False
    • Important
    • sat-rocket
    • None
    • None
    • None
    • Manual

      Description of problem:

      Satellite by default configures pulp to have these checksums allowed.

      1. grep CHECKSUM /etc/pulp/settings.py
        ALLOWED_CONTENT_CHECKSUMS = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]

      One must be able to opt md5 out of it as it's only used as a content_checksum for some older repos but doing so, breaks the satellite-installer completely.

      Version-Release number of selected component (if applicable):

      Satellite 6.13.1 ( probably 6.12 as well )

      How reproducible:

      100%

      Steps to Reproduce and Actual Results:

      -----------
      Scenario 1:
      -----------

        1. Break ###

      1. Notice the current values of installer options":

      1. satellite-installer -S satellite --full-help | grep checksum

      --foreman-proxy-content-pulpcore-allowed-content-checksums List of checksums to use for pulpcore content operations (current: ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"])

      --reset-foreman-proxy-content-pulpcore-allowed-content-checksums Reset pulpcore_allowed_content_checksums to the default value (["sha1", "sha224", "sha256", "sha384", "sha512"])

      2. Run "satellite-installer --reset-foreman-proxy-content-pulpcore-allowed-content-checksums" to get rid of md5 from the list.

      3. Installer fails on :
      ~~
      2023-07-14 09:32:44 [NOTICE] [configure] 1250 configuration steps out of 1590 steps complete.
      2023-07-14 09:33:45 [ERROR ] [configure] 'pulpcore-manager reset-admin-password --random' returned 1 instead of one of [0]
      2023-07-14 09:33:45 [ERROR ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]/returns: change from 'notrun' to ['0'] failed: 'pulpcore-manager reset-admin-password --random' returned 1 instead of one of [0]
      2023-07-14 09:33:52 [ERROR ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]: Failed to call refresh: 'pulpcore-manager reset-admin-password --random' returned 1 instead of one of [0]
      2023-07-14 09:33:52 [ERROR ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]: 'pulpcore-manager reset-admin-password --random' returned 1 instead of one of [0]

      ~~

      4. Reason\Traceback:
      ~~
      2023-07-14 09:33:45 [INFO ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]/returns: raise e
      2023-07-14 09:33:45 [INFO ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]/returns: File "/usr/lib/python3.9/site-packages/pulpcore
      /app/settings.py", line 428, in <module>
      2023-07-14 09:33:45 [INFO ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]/returns: raise ImproperlyConfigured(
      2023-07-14 09:33:45 [INFO ] [configure] /Stage[main]/Pulpcore::Database/Pulpcore::Admin[reset-admin-password --random]/Exec[pulpcore-manager reset-admin-password --random]/returns: django.core.exceptions.ImproperlyConfigured: Ther
      e have been identified artifacts with forbidden checksum 'md5'. Run 'pulpcore-manager handle-artifact-checksums' first to unset forbidden checksums.

      ~~

        1. Rollback ##
        • Either use satellite-installer itself or edit /etc/foreman-installer/scenarios.d/satellite-answers.yaml file and add back "md5" in the list of "pulpcore_allowed_content_checksums"
        • Re-run satellite-installer if answer file was modified.
        • Result:
      • Installer successfully completes.
      • We are back to the old value for ALLOWED_CONTENT_CHECKSUMS which includes md5

      -----------
      Scenario 2:
      -----------

        1. Break ###

      A) Repeat Step 1 2 and 3 from Scenario 1.

      B) Run

      1. PULP_SETTINGS=/etc/pulp/settings.py runuser -u pulp – pulpcore-manager handle-artifact-checksums

      C) Re-run satellite-installer and it will fail on the exact same step.

      D) Try to revert back i.e. include back md5 but still it fails on the same step.

        1. Rollback ##
        • Once again run handle-artifact-checksums so that whatever was removed in the first run, would be recalculated and added back in the second run w.r.t md5 checksum of content artifacts
      1. PULP_SETTINGS=/etc/pulp/settings.py runuser -u pulp – pulpcore-manager handle-artifact-checksums
        • Re-run the installer and it will be successfully completed.

      Expected results:

      • No such issues should happen
      • Installer should allow removing md5 from the list of ALLOWED_CONTENT_CHECKSUMS

      Additional info:

      The end-user is afraid that, on their FIPS-enabled Satellite 6.13, since they cannot remove md5 from the ALLOWED_CONTENT_CHECKSUMS list, That is immediately marking the satellite non-compliant to FIPS-140-2 standards.

              Unassigned Unassigned
              rhn-support-saydas Sayan Das
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: