From f1c00a3823751d3fccaba3c98be86eba2b16930c Mon Sep 17 00:00:00 2001
From: Petr Stodulka
Date: Sat, 26 Nov 2022 12:27:46 +0100
Subject: [PATCH 34/37] targetuserspacecreator: improve copy of /etc/pki (rpm-gpg)

The original solution copied /etc/pki from the host into the target userspace container if the upgrade has been performed with RHSM, which causes several negative impacts: a) certificates are missing inside the container when upgrading without RHSM (still issue) - Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2040706 b) the target OS certificates are replaced by the original OS certificates when upgrading with RHSM (partially fixed) This commit partially fixes the case b), so we preserve target certificates inside the container only from the /etc/pki/rpm-gpg directory when upgrading with RHSM. If files or directories with the same name exists inside, prefered are those from the target OS. For the full fix of this case. The full fix should preserve all certificates owned by packages inside the container, and only "new files" from the host should be applied. This is also prerequisite to be able to fix the case a). To be able to fix the case a) we would need to make this behaviour unconditional (not dependent on the use of RHSM). Which most likely should resolve the bug 2040706. Which needs the full fix of the case b) first, as described above. The unconditional copy of /etc/pki currently breaks upgrades on systems using RHUI (at least on Azure for IPU 8 -> 9, other clouds could be affected also). So postponing the sollution to a followup PR.
---
 .../libraries/userspacegen.py | 32 +++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py b/repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py
index 5a6a80f2..0415f0fe 100644
--- a/repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py
+++ b/repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py
@@ -235,6 +235,33 @@ def _get_files_owned_by_rpms(context, dirpath, pkgs=None):
     return files_owned_by_rpms
 
 
+def _copy_certificates(context, target_userspace):
+    """
+    Copy the needed cetificates into the container, but preserve original ones
+
+    Some certificates are already installed in the container and those are
+    default certificates for the target OS. We know we should preserve at
+    least certificates located at rpm-gpg directory. So preserve these for
+    now at least.
+    """
+    target_pki = os.path.join(target_userspace, 'etc', 'pki')
+    backup_pki = os.path.join(target_userspace, 'etc', 'pki.backup')
+
+    # FIXME(pstodulk): search for all files owned by RPMs inside the container
+    # before the mv, and all such files restore
+    # - this is requirement to not break IPU with RHUI when making the copy
+    # of certificates unconditional
+    run(['mv', target_pki, backup_pki])
+    context.copytree_from('/etc/pki', target_pki)
+
+    # TODO(pstodulk): restore the files owned by rpms instead of the code below
+    for fname in os.listdir(os.path.join(backup_pki, 'rpm-gpg')):
+        src_path = os.path.join(backup_pki, 'rpm-gpg', fname)
+        dst_path = os.path.join(target_pki, 'rpm-gpg', fname)
+        run(['rm', '-rf', dst_path])
+        run(['cp', '-a', src_path, dst_path])
+
+
 def _prep_repository_access(context, target_userspace):
     """
     Prepare repository access by copying all relevant certificates and configuration files to the userspace
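Review bot: The restore loop at the end of `_copy_certificates` assumes that both `pki.backup/rpm-gpg` (the target OS keys) and `pki/rpm-gpg` (just copied from the host) exist; `os.listdir` raises an unhandled OSError when the container has no rpm-gpg directory, and `cp -a` fails when the host copy lacked one, so either case aborts the upgrade without an explanatory message. Since the whole point of this step is to keep the target OS signing keys trusted, I would guard it explicitly rather than rely on both trees having the directory: `gpg_backup = os.path.join(backup_pki, 'rpm-gpg')` / `if not os.path.isdir(gpg_backup): return` / `run(['mkdir', '-p', os.path.join(target_pki, 'rpm-gpg')])` before the loop (using `run` keeps the file's existing style and avoids py3-only `exist_ok`). Note also that `etc/pki.backup` is left inside the container and that `mv` onto an existing directory nests instead of replacing, so a second invocation would move `pki` into `pki.backup/pki` and the subsequent `listdir` would fail; this is presumably harmless because the userspace is built fresh each run, but a one-line comment stating that assumption would help. The docstring's first line also has a typo: "cetificates" should read "certificates".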
@@ -243,9 +270,10 @@ def _prep_repository_access(context, target_userspace):
     target_yum_repos_d = os.path.join(target_etc, 'yum.repos.d')
     backup_yum_repos_d = os.path.join(target_etc, 'yum.repos.d.backup')
     if not rhsm.skip_rhsm():
-        run(['rm', '-rf', os.path.join(target_etc, 'pki')])
+        # TODO: make the _copy_certificates unconditional. keeping it conditional
+        # due to issues causing on RHUI
+        _copy_certificates(context, target_userspace)
         run(['rm', '-rf', os.path.join(target_etc, 'rhsm')])
-        context.copytree_from('/etc/pki', os.path.join(target_etc, 'pki'))
         context.copytree_from('/etc/rhsm', os.path.join(target_etc, 'rhsm'))
     # NOTE: we cannot just remove the original target yum.repos.d dir
     # as e.g. in case of RHUI a special RHUI repofiles are installed by a pkg
-- 
2.38.1
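Review bot: The TODO comment added above `_copy_certificates(context, target_userspace)` reads awkwardly ("due to issues causing on RHUI") and gives the next maintainer no pointer to what is actually being tracked, although the commit message names both the RHUI breakage and Bugzilla 2040706. I would reword it to state the precondition and the reference: `# TODO: call _copy_certificates unconditionally once files owned by RPMs inside` / `# the container are preserved; currently it breaks IPU on RHUI (see bz#2040706)`. It is also worth a short comment on the `skip_rhsm()` branch that, when RHSM is skipped, the container keeps its own /etc/pki untouched and no host certificates are imported, since that is the still-open case from the commit message and is not visible from this hunk alone. The enclosing `_prep_repository_access` starts and ends outside the hunk.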