From f1c00a3823751d3fccaba3c98be86eba2b16930c Mon Sep 17 00:00:00 2001
|
|
From: Petr Stodulka <xstodu05@gmail.com>
|
|
Date: Sat, 26 Nov 2022 12:27:46 +0100
|
|
Subject: [PATCH 34/37] targetuserspacecreator: improve copy of /etc/pki
|
|
(rpm-gpg)
|
|
|
|
The original solution copied /etc/pki from the host into the
|
|
target userspace container if the upgrade has been performed with
|
|
RHSM, which causes several negative impacts:
|
|
|
|
a) certificates are missing inside the container when upgrading
|
|
without RHSM (still issue)
|
|
- Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2040706
|
|
b) the target OS certificates are replaced by the original OS
|
|
certificates when upgrading with RHSM (partially fixed)
|
|
|
|
This commit partially fixes the case b), so we preserve target
|
|
certificates inside the container only from the /etc/pki/rpm-gpg
|
|
directory when upgrading with RHSM. If files or directories with
|
|
the same name exist inside, those from the target OS are preferred.
|
|
|
|
For the full fix of this case. The full fix should preserve
|
|
all certificates owned by packages inside the container, and only
|
|
"new files" from the host should be applied. This is also prerequisite
|
|
to be able to fix the case a).
|
|
|
|
To be able to fix the case a) we would need to make this behaviour
|
|
unconditional (not dependent on the use of RHSM). Which most likely
|
|
should resolve the bug 2040706. Which needs the full fix of the case
|
|
b) first, as described above. The unconditional copy of /etc/pki
|
|
currently breaks upgrades on systems using RHUI (at least on
|
|
Azure for IPU 8 -> 9, other clouds could be affected also).
|
|
So postponing the sollution to a followup PR.
|
|
---
|
|
.../libraries/userspacegen.py | 32 +++++++++++++++++--
|
|
1 file changed, 30 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py b/repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py
|
|
index 5a6a80f2..0415f0fe 100644
|
|
--- a/repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py
|
|
+++ b/repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py
|
|
@@ -235,6 +235,33 @@ def _get_files_owned_by_rpms(context, dirpath, pkgs=None):
|
|
return files_owned_by_rpms
|
|
|
|
|
|
+def _copy_certificates(context, target_userspace):
|
|
+ """
|
|
+ Copy the needed cetificates into the container, but preserve original ones
|
|
+
|
|
+ Some certificates are already installed in the container and those are
|
|
+ default certificates for the target OS. We know we should preserve at
|
|
+ least certificates located at rpm-gpg directory. So preserve these for
|
|
+ now at least.
|
|
+ """
|
|
+ target_pki = os.path.join(target_userspace, 'etc', 'pki')
|
|
+ backup_pki = os.path.join(target_userspace, 'etc', 'pki.backup')
|
|
+
|
|
+ # FIXME(pstodulk): search for all files owned by RPMs inside the container
|
|
+ # before the mv, and all such files restore
|
|
+ # - this is requirement to not break IPU with RHUI when making the copy
|
|
+ # of certificates unconditional
|
|
+ run(['mv', target_pki, backup_pki])
|
|
+ context.copytree_from('/etc/pki', target_pki)
|
|
+
|
|
+ # TODO(pstodulk): restore the files owned by rpms instead of the code below
|
|
+ for fname in os.listdir(os.path.join(backup_pki, 'rpm-gpg')):
|
|
+ src_path = os.path.join(backup_pki, 'rpm-gpg', fname)
|
|
+ dst_path = os.path.join(target_pki, 'rpm-gpg', fname)
|
|
+ run(['rm', '-rf', dst_path])
|
|
+ run(['cp', '-a', src_path, dst_path])
|
|
+
|
|
+
|
|
def _prep_repository_access(context, target_userspace):
|
|
"""
|
|
Prepare repository access by copying all relevant certificates and configuration files to the userspace
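Review bot: The restore loop in `_copy_certificates` calls `os.listdir(os.path.join(backup_pki, 'rpm-gpg'))` with no existence check, so a target userspace without `etc/pki/rpm-gpg` raises only after `mv` and `copytree_from` have already replaced the target's `/etc/pki` with the host's. The `cp -a` likewise assumes that the host copy contains an `rpm-gpg` directory. Guard the restore on the backup directory and create the destination before copying, as sketched below. Only same-named entries are overwritten, so host key files that the target OS does not ship remain in the container's `rpm-gpg`; the docstring should say the result is a merge rather than the target's own key set, and its `cetificates` typo can be fixed at the same time.

```python
def _copy_certificates(context, target_userspace):
    # … unchanged: docstring, target_pki/backup_pki setup, mv and copytree_from …
    backup_gpg = os.path.join(backup_pki, 'rpm-gpg')
    target_gpg = os.path.join(target_pki, 'rpm-gpg')
    if not os.path.isdir(backup_gpg):
        # the target OS shipped no rpm-gpg keys, nothing to restore
        return
    # the host's /etc/pki may not contain rpm-gpg at all
    run(['mkdir', '-p', target_gpg])
    for fname in os.listdir(backup_gpg):
        src_path = os.path.join(backup_gpg, fname)
        dst_path = os.path.join(target_gpg, fname)
        # … unchanged: rm -rf dst_path, cp -a src_path dst_path …
```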
|
|
@@ -243,9 +270,10 @@ def _prep_repository_access(context, target_userspace):
|
|
target_yum_repos_d = os.path.join(target_etc, 'yum.repos.d')
|
|
backup_yum_repos_d = os.path.join(target_etc, 'yum.repos.d.backup')
|
|
if not rhsm.skip_rhsm():
|
|
- run(['rm', '-rf', os.path.join(target_etc, 'pki')])
|
|
+ # TODO: make the _copy_certificates unconditional. keeping it conditional
|
|
+ # due to issues causing on RHUI
|
|
+ _copy_certificates(context, target_userspace)
|
|
run(['rm', '-rf', os.path.join(target_etc, 'rhsm')])
|
|
- context.copytree_from('/etc/pki', os.path.join(target_etc, 'pki'))
|
|
context.copytree_from('/etc/rhsm', os.path.join(target_etc, 'rhsm'))
|
|
# NOTE: we cannot just remove the original target yum.repos.d dir
|
|
# as e.g. in case of RHUI a special RHUI repofiles are installed by a pkg
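Review bot: Replacing `rm -rf` on the target's `etc/pki` with the `_copy_certificates` call changes the failure mode at this call site, because `rm -rf` succeeded on a missing directory or on leftovers from an earlier attempt. The helper instead starts with `mv target_pki backup_pki`, which fails on a missing source and, when `etc/pki.backup` already exists, moves the directory inside it, so the later restore reads a stale `rpm-gpg`. If this function can run more than once against the same userspace (not visible here), clear the backup first with `run(['rm', '-rf', backup_pki])` before the `mv` in the helper. The TODO would be easier to act on with its reason spelled out, for example `# TODO: call _copy_certificates unconditionally once it no longer breaks RHUI upgrades (rhbz#2040706)`. `_prep_repository_access` continues past the end of the hunk.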
|
|
--
|
|
2.38.1
|
|
|