ykohut/leapp-repository
1
0
Fork 0
forked from rpms/leapp-repository
Code Pull Requests Activity

import leapp-repository-0.16.0-8.el8

Browse Source
This commit is contained in:
CentOS Sources 2022-06-23 17:24:45 +00:00 committed by Stepan Oksanichenko
parent 90f337e5a7
commit 1203d6cfa5
49 changed files with 19450 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
SOURCES/0001-Update-welcome-message.patch Normal file
View File

@ -0,0 +1,39 @@
From 7c9ea115a68530eb25f5c23d3fcadd60c501bf78 Mon Sep 17 00:00:00 2001
From: Inessa Vasilevskaya <ivasilev@redhat.com>
Date: Wed, 23 Mar 2022 12:23:59 +0100
Subject: [PATCH 01/39] Update welcome message
A necessary change that should finally represent the changes of
the previous quarters: several jobs disablement and new CI
introduction.
No more e2e and internal copr build jobs, /rerun command finally
documented.
OAMG-5822
---
.github/workflows/pr-welcome-msg.yml | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pr-welcome-msg.yml b/.github/workflows/pr-welcome-msg.yml
index 40f8bba6..a259dc55 100644
--- a/.github/workflows/pr-welcome-msg.yml
+++ b/.github/workflows/pr-welcome-msg.yml
@@ -20,9 +20,13 @@ jobs:
body: |
## **Thank you for contributing to the Leapp project!**
Please note that every PR needs to comply with the [Leapp Guidelines](https://leapp.readthedocs.io/en/latest/contributing.html#) and must pass all tests in order to be mergable.
- If you want to re-run tests or request review, you can use following commands as a comment:
- - **leapp-ci build** to run copr build and e2e tests in **OAMG CI**
+ If you want to request a review or rebuild a package in copr, you can use following commands as a comment:
- **review please** to notify leapp developers of review request
+ - **/packit copr-build** to submit a public copr build using packit
+
+ To launch regression testing public members of oamg organization can leave the following comment:
+ - **/rerun** to schedule tests using this pr build and leapp*master* as artifacts
+ - **/rerun 42** to schedule tests using this pr build and leapp*PR42* as artifacts
Please [open ticket](https://url.corp.redhat.com/oamg-ci-issue) in case you experience technical problem with the CI. (RH internal only)
--
2.35.3

116
SOURCES/0002-Fix-linting-violations.patch Normal file
View File

@ -0,0 +1,116 @@
From 44af150b6112cfd4a6d09757e0d7df64f31e8527 Mon Sep 17 00:00:00 2001
From: Inessa Vasilevskaya <ivasilev@redhat.com>
Date: Tue, 29 Mar 2022 15:09:20 +0200
Subject: [PATCH 02/39] Fix linting violations
used-before-assignment is a nice check worth keeping, so let's
fix occurencies in commands.upgrade.util code and vstpdconfigread.
As is the modified-iterating-list, so this patch fixes appropriately
cupsscanner actor's included_directive_check.
---
commands/upgrade/util.py | 2 +-
.../cupsscanner/libraries/cupsscanner.py | 18 +++++++++++++-----
.../libraries/config_parser.py | 10 +++++-----
.../test_config_parser_vsftpdconfigread.py | 8 ++++++--
4 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/commands/upgrade/util.py b/commands/upgrade/util.py
index 75ffa6a6..22466ab7 100644
--- a/commands/upgrade/util.py
+++ b/commands/upgrade/util.py
@@ -20,8 +20,8 @@ def disable_database_sync():
def disable_db_sync_decorator(f):
@functools.wraps(f)
def wrapper(*args, **kwargs):
+ saved = os.environ.get('LEAPP_DEVEL_DATABASE_SYNC_OFF', None)
try:
- saved = os.environ.get('LEAPP_DEVEL_DATABASE_SYNC_OFF', None)
os.environ['LEAPP_DEVEL_DATABASE_SYNC_OFF'] = '1'
return f(*args, **kwargs)
finally:
diff --git a/repos/system_upgrade/el7toel8/actors/cupsscanner/libraries/cupsscanner.py b/repos/system_upgrade/el7toel8/actors/cupsscanner/libraries/cupsscanner.py
index 742d1e44..bc65c458 100644
--- a/repos/system_upgrade/el7toel8/actors/cupsscanner/libraries/cupsscanner.py
+++ b/repos/system_upgrade/el7toel8/actors/cupsscanner/libraries/cupsscanner.py
@@ -93,21 +93,29 @@ def include_directive_check(read_func=_read_file):
included_files = ['/etc/cups/cupsd.conf']
error_list = []
- for included_file in included_files:
+ vetted_included_files = []
+ while included_files:
+ # NOTE(ivasilev) Will be using stack to process last encountered include directives first
+ included_file = included_files.pop(-1)
try:
lines = read_func(included_file)
except IOError:
error_list.append('Error during reading file {}: file not'
' found'.format(included_file))
- included_files.remove(included_file)
continue
-
+ # Append to the resulting list of vetted files if exception wasn't raised
+ vetted_included_files.append(included_file)
+ # Mark any other included file you find as need-to-be-validated
+ includes_to_process = []
for line in lines:
value = get_directive_value('Include', line)
if value:
- included_files.append(value)
+ includes_to_process.append(value)
+ # NOTE(ivasilev) Add discovered Include directives to the stack in reversed order, so that they are processed
+ # in the same order they appeared in the file
+ included_files.extend(reversed(includes_to_process))
- return (included_files, error_list)
+ return (vetted_included_files, error_list)
def digest_directive_check(path, read_func=_read_file):
diff --git a/repos/system_upgrade/el7toel8/actors/vsftpdconfigread/libraries/config_parser.py b/repos/system_upgrade/el7toel8/actors/vsftpdconfigread/libraries/config_parser.py
index 395786f2..a7a6c179 100644
--- a/repos/system_upgrade/el7toel8/actors/vsftpdconfigread/libraries/config_parser.py
+++ b/repos/system_upgrade/el7toel8/actors/vsftpdconfigread/libraries/config_parser.py
@@ -94,9 +94,9 @@ class VsftpdConfigParser(object):
def _parse_config(self, contents):
res = {}
- try:
- for (ix, line) in enumerate(contents.split('\n')):
+ for (ix, line) in enumerate(contents.split('\n')):
+ try:
self._parse_config_line(line, res)
- return res
- except ParsingError as e:
- raise ParsingError("Syntax error on line %d: %s" % (ix + 1, e))
+ except ParsingError as e:
+ raise ParsingError("Syntax error on line %d: %s" % (ix + 1, e))
+ return res
diff --git a/repos/system_upgrade/el7toel8/actors/vsftpdconfigread/tests/test_config_parser_vsftpdconfigread.py b/repos/system_upgrade/el7toel8/actors/vsftpdconfigread/tests/test_config_parser_vsftpdconfigread.py
index 52ee9043..b10ec4c9 100644
--- a/repos/system_upgrade/el7toel8/actors/vsftpdconfigread/tests/test_config_parser_vsftpdconfigread.py
+++ b/repos/system_upgrade/el7toel8/actors/vsftpdconfigread/tests/test_config_parser_vsftpdconfigread.py
@@ -1,7 +1,6 @@
import pytest
-from leapp.libraries.actor.config_parser import ParsingError, VsftpdConfigOptionParser, \
- VsftpdConfigParser
+from leapp.libraries.actor.config_parser import ParsingError, VsftpdConfigOptionParser, VsftpdConfigParser
def test_VsftpdConfigOptionParser_invalid_syntax():
@@ -66,6 +65,11 @@ def test_VsftpdConfigParser_invalid_syntax():
with pytest.raises(ParsingError):
VsftpdConfigParser('anonymous_enable')
+ # Make sure that line num is properly shown
+ with pytest.raises(ParsingError) as err:
+ VsftpdConfigParser('background=0\n#andthislineisalso=fine\nError on line 3')
+ assert "Syntax error on line 3" in str(err.value)
+
def test_VsftpdConfigParser_empty_config():
parser = VsftpdConfigParser('')
--
2.35.3

81
SOURCES/0003-Enable-building-leapp-repository-for-specific-chroot.patch Normal file
View File

@ -0,0 +1,81 @@
From 8c3c946501a50939b91066b772e896ca55dd4084 Mon Sep 17 00:00:00 2001
From: Inessa Vasilevskaya <ivasilev@redhat.com>
Date: Tue, 29 Mar 2022 14:58:25 +0200
Subject: [PATCH 03/39] Enable building leapp-repository for specific chroots
only
Instead of building for all project chroots use -r/--chroot
option to specify chroots.
Tmt-tests workflow and copr-build workflow will be passing proper
chroots now via COPR_CHROOT env var.
Also some refactoring has been done to the workflows to move all
magic constants to env section.
OAMG-6735
---
.github/workflows/copr-build.yml | 3 +--
.github/workflows/tmt-tests.yml | 14 ++++++++++----
2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/copr-build.yml b/.github/workflows/copr-build.yml
index c2c04a26..8252e327 100644
--- a/.github/workflows/copr-build.yml
+++ b/.github/workflows/copr-build.yml
@@ -32,5 +32,4 @@ jobs:
EOF
pip install copr-cli
- make copr_build
-
+ COPR_CONFIG=$COPR_CONFIG COPR_CHROOT=$COPR_CHROOT make copr_build
diff --git a/.github/workflows/tmt-tests.yml b/.github/workflows/tmt-tests.yml
index 93c1dd2f..15e8a488 100644
--- a/.github/workflows/tmt-tests.yml
+++ b/.github/workflows/tmt-tests.yml
@@ -37,8 +37,11 @@ jobs:
- name: Trigger copr build
id: copr_build
+ env:
+ COPR_CONFIG: "copr_fedora.conf"
+ COPR_CHROOT: "epel-7-x86_64,epel-8-x86_64"
run: |
- cat << EOF > copr_fedora.conf
+ cat << EOF > $COPR_CONFIG
[copr-cli]
login = ${{ secrets.FEDORA_COPR_LOGIN }}
username = @oamg
@@ -48,7 +51,7 @@ jobs:
EOF
pip install copr-cli
- PR=${{ steps.pr_nr.outputs.pr_nr }} COPR_CONFIG=copr_fedora.conf make copr_build | tee copr.log
+ PR=${{ steps.pr_nr.outputs.pr_nr }} COPR_CONFIG=$COPR_CONFIG COPR_CHROOT=$COPR_CHROOT make copr_build | tee copr.log
COPR_URL=$(grep -Po 'https://copr.fedorainfracloud.org/coprs/build/\d+' copr.log)
echo "::set-output name=copr_url::${COPR_URL}"
@@ -99,8 +102,11 @@ jobs:
- name: Trigger copr build for leapp
id: copr_build_leapp
if: ${{ steps.leapp_pr_regex_match.outputs.match != '' }}
+ env:
+ COPR_CONFIG: "copr_fedora.conf"
+ COPR_CHROOT: "epel-7-x86_64,epel-8-x86_64"
run: |
- cat << EOF > copr_fedora.conf
+ cat << EOF > $COPR_CONFIG
[copr-cli]
login = ${{ secrets.FEDORA_COPR_LOGIN }}
username = @oamg
@@ -110,7 +116,7 @@ jobs:
EOF
pip install copr-cli
- PR=${{ steps.leapp_pr.outputs.leapp_pr }} COPR_CONFIG=copr_fedora.conf make copr_build | tee copr.log
+ PR=${{ steps.leapp_pr.outputs.leapp_pr }} COPR_CONFIG=$COPR_CONFIG COPR_CHROOT=$COPR_CHROOT make copr_build | tee copr.log
COPR_URL=$(grep -Po 'https://copr.fedorainfracloud.org/coprs/build/\d+' copr.log)
echo "::set-output name=copr_url::${COPR_URL}"
--
2.35.3

23
SOURCES/0004-Enforce-the-removal-of-rubygem-irb-do-not-install-it.patch
View File

@ -1,23 +0,0 @@
From 496abd1775779054377c5e35ae96fa4d390bab42 Mon Sep 17 00:00:00 2001
From: Petr Stodulka <pstodulk@redhat.com>
Date: Tue, 19 Apr 2022 21:51:03 +0200
Subject: [PATCH] Enforce the removal of rubygem-irb (do not install it)
---
etc/leapp/transaction/to_remove | 3 +++
1 file changed, 3 insertions(+)
diff --git a/etc/leapp/transaction/to_remove b/etc/leapp/transaction/to_remove
index 0feb782..07c6864 100644
--- a/etc/leapp/transaction/to_remove
+++ b/etc/leapp/transaction/to_remove
@@ -1,3 +1,6 @@
### List of packages (each on new line) to be removed from the upgrade transaction
# Removing initial-setup package to avoid it asking for EULA acceptance during upgrade - OAMG-1531
initial-setup
+
+# temporary workaround for the file conflict symlink <-> dir (#2030627)
+rubygem-irb
--
2.35.1

99
SOURCES/0004-Switch-to-the-official-composite-action-for-tft.patch Normal file
View File

@ -0,0 +1,99 @@
From 9e95311904fb90615e8473cc8bf96c2d544f8428 Mon Sep 17 00:00:00 2001
From: Inessa Vasilevskaya <ivasilev@redhat.com>
Date: Wed, 30 Mar 2022 11:46:30 +0200
Subject: [PATCH 04/39] Switch to the official composite action for tft
Looks like phracek's github action is mature enough
https://github.com/sclorg/testing-farm-as-github-action to
perform that switch. Status update enablement is not part
of this patch.
In order to enable wait-for-result functionality the single
tmt-tests workflow will have to be split into 2 distinct
7to8 and 8to9 workflows (to be done in following commits).
This will cause massive refactoring, probably
involving moving artifacts preparation into one workflow and
creating a specific repository_dispatch event to trigger
7to8 and 8to9 with test artifacts as inputs.
OAMG-6493
---
.github/workflows/tmt-tests.yml | 46 ++++++++++++++++++++++-----------
1 file changed, 31 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/tmt-tests.yml b/.github/workflows/tmt-tests.yml
index 15e8a488..5cf21e0b 100644
--- a/.github/workflows/tmt-tests.yml
+++ b/.github/workflows/tmt-tests.yml
@@ -140,37 +140,53 @@ jobs:
id: run_test_7to8
env:
ARTIFACTS: ${{ steps.leapp_pr_regex_match.outputs.match != '' && format('{0},{1}', steps.copr_build_leapp.outputs.copr_id, steps.copr_build.outputs.copr_id) || steps.copr_build.outputs.copr_id }}
- uses: oamg/testing-farm-service-action@main
+ uses: sclorg/testing-farm-as-github-action@v1.2.9
with:
# required
- tft_server: ${{ secrets.TF_ENDPOINT }}
- tft_token: ${{ secrets.TF_API_KEY }}
- compose: ${{ secrets.COMPOSE_RHEL79 }}
- artifacts: ${{ env.ARTIFACTS }}
+ api_url: ${{ secrets.TF_ENDPOINT }}
+ api_key: ${{ secrets.TF_API_KEY }}
+ git_url: 'https://gitlab.cee.redhat.com/oamg/tmt-plans'
+ github_token: ${{ secrets.GITHUB_TOKEN }}
# optional
- tests_regex: "^(?!.*c2r)(?!.*sap)(?!.*8to9)"
+ tf_scope: 'private'
+ tmt_plan_regex: "^(?!.*c2r)(?!.*sap)(?!.*8to9)"
+ compose: ${{ secrets.COMPOSE_RHEL79 }}
arch: 'x86_64'
copr: 'epel-7-x86_64'
+ copr_artifacts: ${{ env.ARTIFACTS }}
debug: ${{ secrets.ACTIONS_STEP_DEBUG }}
- test_name: '7to8'
tmt_context: 'distro=rhel-7'
+ pull_request_status_name: '7to8'
+ create_issue_comment: 'true'
+ # NOTE(ivasilev) In order to update pr status this workflow has to be massively refactored with artifacts
+ # preparation moved out to a different workflow and the rest split into 2 workflows - 7to8 and 8to9 that are
+ # triggered on a specific repository dispatch event.
+ update_pull_request_status: 'false'
- name: Schedule regression testing for 8to9
id: run_test_8to9
env:
ARTIFACTS: ${{ steps.leapp_pr_regex_match.outputs.match != '' && format('{0},{1}', steps.copr_build_leapp.outputs.copr_id, steps.copr_build.outputs.copr_id) || steps.copr_build.outputs.copr_id }}
- uses: oamg/testing-farm-service-action@main
+ uses: sclorg/testing-farm-as-github-action@v1.2.9
with:
# required
- tft_server: ${{ secrets.TF_ENDPOINT }}
- tft_token: ${{ secrets.TF_API_KEY }}
- compose: ${{ secrets.COMPOSE_RHEL86 }}
- artifacts: ${{ env.ARTIFACTS }}
+ api_url: ${{ secrets.TF_ENDPOINT }}
+ api_key: ${{ secrets.TF_API_KEY }}
+ git_url: 'https://gitlab.cee.redhat.com/oamg/tmt-plans'
+ github_token: ${{ secrets.GITHUB_TOKEN }}
# optional
- tests_regex: "^(?!.*c2r)(?!.*sap)(?!.*7to8)"
+ tf_scope: 'private'
+ tmt_plan_regex: "^(?!.*c2r)(?!.*sap)(?!.*7to8)"
+ compose: ${{ secrets.COMPOSE_RHEL86 }}
arch: 'x86_64'
copr: 'epel-8-x86_64'
+ copr_artifacts: ${{ env.ARTIFACTS }}
debug: ${{ secrets.ACTIONS_STEP_DEBUG }}
- test_name: '8to9'
- env_vars: 'TARGET_RELEASE=9.0;TARGET_KERNEL=el9;RHSM_SKU=RH00069;RHSM_REPOS=rhel-8-for-x86_64-appstream-beta-rpms,rhel-8-for-x86_64-baseos-beta-rpms;LEAPP_EXEC_ENV_VARS=LEAPP_DEVEL_TARGET_PRODUCT_TYPE=beta'
+ variables: 'TARGET_RELEASE=9.0;TARGET_KERNEL=el9;RHSM_SKU=RH00069;RHSM_REPOS=rhel-8-for-x86_64-appstream-beta-rpms,rhel-8-for-x86_64-baseos-beta-rpms;LEAPP_EXEC_ENV_VARS=LEAPP_DEVEL_TARGET_PRODUCT_TYPE=beta'
tmt_context: 'distro=rhel-8'
+ pull_request_status_name: '8to9'
+ create_issue_comment: 'true'
+ # NOTE(ivasilev) In order to update pr status this workflow has to be massively refactored with artifacts
+ # preparation moved out to a different workflow and the rest split into 2 workflows - 7to8 and 8to9 that are
+ # triggered on a specific repository dispatch event.
+ update_pull_request_status: 'false'
--
2.35.3

36
SOURCES/0005-Switch-to-semicolon-build-separator-in-tmt-tests-873.patch Normal file
View File

@ -0,0 +1,36 @@
From 3862be2a250964e5459eda6538b2fdb8ae1b9c39 Mon Sep 17 00:00:00 2001
From: ina vasilevskaya <ivasilev@redhat.com>
Date: Fri, 1 Apr 2022 14:16:12 +0200
Subject: [PATCH 05/39] Switch to semicolon build separator in tmt-tests (#873)
Official github action separates test artifacts string by ; only,
so in order to test multiple artifacts this has to land.
---
.github/workflows/tmt-tests.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/tmt-tests.yml b/.github/workflows/tmt-tests.yml
index 5cf21e0b..ef68830e 100644
--- a/.github/workflows/tmt-tests.yml
+++ b/.github/workflows/tmt-tests.yml
@@ -139,7 +139,7 @@ jobs:
- name: Schedule regression testing for 7to8
id: run_test_7to8
env:
- ARTIFACTS: ${{ steps.leapp_pr_regex_match.outputs.match != '' && format('{0},{1}', steps.copr_build_leapp.outputs.copr_id, steps.copr_build.outputs.copr_id) || steps.copr_build.outputs.copr_id }}
+ ARTIFACTS: ${{ steps.leapp_pr_regex_match.outputs.match != '' && format('{0};{1}', steps.copr_build_leapp.outputs.copr_id, steps.copr_build.outputs.copr_id) || steps.copr_build.outputs.copr_id }}
uses: sclorg/testing-farm-as-github-action@v1.2.9
with:
# required
@@ -166,7 +166,7 @@ jobs:
- name: Schedule regression testing for 8to9
id: run_test_8to9
env:
- ARTIFACTS: ${{ steps.leapp_pr_regex_match.outputs.match != '' && format('{0},{1}', steps.copr_build_leapp.outputs.copr_id, steps.copr_build.outputs.copr_id) || steps.copr_build.outputs.copr_id }}
+ ARTIFACTS: ${{ steps.leapp_pr_regex_match.outputs.match != '' && format('{0};{1}', steps.copr_build_leapp.outputs.copr_id, steps.copr_build.outputs.copr_id) || steps.copr_build.outputs.copr_id }}
uses: sclorg/testing-farm-as-github-action@v1.2.9
with:
# required
--
2.35.3

6
SOURCES/0001-pcidevicesscanner-Also-match-deprecation-data-agains.patch1 → SOURCES/0006-pcidevicesscanner-Also-match-deprecation-data-agains.patch
View File

@ -1,8 +1,8 @@
From b4fc2e0ae62e68dd246ed2eedda0df2a3ba90633 Mon Sep 17 00:00:00 2001 From b4fc2e0ae62e68dd246ed2eedda0df2a3ba90633 Mon Sep 17 00:00:00 2001
From: Vinzenz Feenstra <vfeenstr@redhat.com> From: Vinzenz Feenstra <vfeenstr@redhat.com>
Date: Fri, 1 Apr 2022 15:13:51 +0200 Date: Fri, 1 Apr 2022 15:13:51 +0200
Subject: [PATCH] pcidevicesscanner: Also match deprecation data against kernel Subject: [PATCH 06/39] pcidevicesscanner: Also match deprecation data against
modules kernel modules
Previously when the deprecation data got introduced the kernel drivers Previously when the deprecation data got introduced the kernel drivers
reported to be used by lspci have not been checked. reported to be used by lspci have not been checked.
@ -66,5 +66,5 @@ index 146f1a33..0f02bd02 100644
+ produce_detected_drivers(devices) + produce_detected_drivers(devices)
produce_pci_devices(producer, devices) produce_pci_devices(producer, devices)
-- --
2.35.1 2.35.3

28
SOURCES/0007-Fix-krb5-config-not-found-error.patch Normal file
View File

@ -0,0 +1,28 @@
From 787c7144850fd4664c31b88ac734ac8bf75f4b1b Mon Sep 17 00:00:00 2001
From: Inessa Vasilevskaya <ivasilev@redhat.com>
Date: Thu, 7 Apr 2022 11:55:53 +0200
Subject: [PATCH 07/39] Fix krb5-config not found error
copr-cli installation started failing on missing this dependency.
---
.github/workflows/tmt-tests.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/tmt-tests.yml b/.github/workflows/tmt-tests.yml
index ef68830e..75768e51 100644
--- a/.github/workflows/tmt-tests.yml
+++ b/.github/workflows/tmt-tests.yml
@@ -15,6 +15,10 @@ jobs:
&& contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)
runs-on: ubuntu-20.04
steps:
+ - name: Install necessary deps
+ id: deps_install
+ run: sudo apt-get install -y libkrb5-dev
+
- name: Get pull request number
id: pr_nr
run: |
--
2.35.3

4
SOURCES/0002-pciscanner-Fix-2-issues-in-regards-to-pci-address-ha.patch → SOURCES/0008-pciscanner-Fix-2-issues-in-regards-to-pci-address-ha.patch
View File

@ -1,7 +1,7 @@
From 53ceded213ae17ca5d27268bc496e736dfea7e64 Mon Sep 17 00:00:00 2001 From 53ceded213ae17ca5d27268bc496e736dfea7e64 Mon Sep 17 00:00:00 2001
From: Vinzenz Feenstra <vfeenstr@redhat.com> From: Vinzenz Feenstra <vfeenstr@redhat.com>
Date: Thu, 14 Apr 2022 14:50:07 +0200 Date: Thu, 14 Apr 2022 14:50:07 +0200
Subject: [PATCH 2/3] pciscanner: Fix 2 issues in regards to pci address Subject: [PATCH 08/39] pciscanner: Fix 2 issues in regards to pci address
handling handling
In a previous patch, the introduction of the new handling of deprecation In a previous patch, the introduction of the new handling of deprecation
@ -40,5 +40,5 @@ index 0f02bd02..eb063abb 100644
drivers = {device.driver for device in devices if device.driver in entry_lookup} drivers = {device.driver for device in devices if device.driver in entry_lookup}
-- --
2.35.1 2.35.3

4
SOURCES/0003-Ensure-the-right-repositories-are-enabled-on-Satelli.patch → SOURCES/0009-Ensure-the-right-repositories-are-enabled-on-Satelli.patch
View File

@ -1,7 +1,7 @@
From a1fdabea9c00a96ffc1504577f12733e1c1830ee Mon Sep 17 00:00:00 2001 From a1fdabea9c00a96ffc1504577f12733e1c1830ee Mon Sep 17 00:00:00 2001
From: Evgeni Golov <evgeni@golov.de> From: Evgeni Golov <evgeni@golov.de>
Date: Thu, 7 Apr 2022 14:56:18 +0200 Date: Thu, 7 Apr 2022 14:56:18 +0200
Subject: [PATCH 3/3] Ensure the right repositories are enabled on Satellite Subject: [PATCH 09/39] Ensure the right repositories are enabled on Satellite
Capsules Capsules
--- ---
@ -74,5 +74,5 @@ index 5c8e79ff..e77b7b58 100644
+ assert 'satellite-6.11-for-rhel-8-x86_64-rpms' not in rpmmessage.to_enable + assert 'satellite-6.11-for-rhel-8-x86_64-rpms' not in rpmmessage.to_enable
+ assert 'satellite-capsule-6.11-for-rhel-8-x86_64-rpms' in rpmmessage.to_enable + assert 'satellite-capsule-6.11-for-rhel-8-x86_64-rpms' in rpmmessage.to_enable
-- --
2.35.1 2.35.3

4
SOURCES/0005-IPU-8-9-Migrate-blacklisted-CAs-hotfix.patch → SOURCES/0010-IPU-8-9-Migrate-blacklisted-CAs-hotfix.patch
View File

@ -1,7 +1,7 @@
From eeb4f99f57c67937ea562fce11fd5607470ae0a6 Mon Sep 17 00:00:00 2001 From eeb4f99f57c67937ea562fce11fd5607470ae0a6 Mon Sep 17 00:00:00 2001
From: Petr Stodulka <pstodulk@redhat.com> From: Petr Stodulka <pstodulk@redhat.com>
Date: Fri, 22 Apr 2022 00:20:15 +0200 Date: Fri, 22 Apr 2022 00:20:15 +0200
Subject: [PATCH] [IPU 8 -> 9] Migrate blacklisted CAs (hotfix) Subject: [PATCH 10/39] [IPU 8 -> 9] Migrate blacklisted CAs (hotfix)
Preserve blacklisted certificates during the IPU 8 -> 9 Preserve blacklisted certificates during the IPU 8 -> 9
@ -205,5 +205,5 @@ index 00000000..970dcb97
+ monkeypatch.setattr(migrateblacklistca, 'run', lambda dummy: dummy) + monkeypatch.setattr(migrateblacklistca, 'run', lambda dummy: dummy)
+ assert not mocked_files.called + assert not mocked_files.called
-- --
2.35.1 2.35.3

4
SOURCES/0006-Skip-comment-lines-when-parsing-grub-configuration-f.patch → SOURCES/0011-Skip-comment-lines-when-parsing-grub-configuration-f.patch
View File

@ -1,7 +1,7 @@
From 32702c7c7d1c445b9ab95e0d1bbdfdf8f06d4303 Mon Sep 17 00:00:00 2001 From 32702c7c7d1c445b9ab95e0d1bbdfdf8f06d4303 Mon Sep 17 00:00:00 2001
From: Petr Stodulka <pstodulk@redhat.com> From: Petr Stodulka <pstodulk@redhat.com>
Date: Wed, 27 Apr 2022 11:25:40 +0200 Date: Wed, 27 Apr 2022 11:25:40 +0200
Subject: [PATCH] Skip comment lines when parsing grub configuration file Subject: [PATCH 11/39] Skip comment lines when parsing grub configuration file
Added simple unit-test for default grub info to see the valid lines Added simple unit-test for default grub info to see the valid lines
can be parsed as expected. can be parsed as expected.
@ -104,5 +104,5 @@ index 00000000..08552771
+ assert mocked_run.called + assert mocked_run.called
+ assert not expected_result + assert not expected_result
-- --
2.35.1 2.35.3

115
SOURCES/0012-Add-actor-that-checks-for-obsolete-.NET-versions.patch Normal file
View File

@ -0,0 +1,115 @@
From 8a3a44457524f56daf0ee4b3db7dd7be9d4237c4 Mon Sep 17 00:00:00 2001
From: Tom Deseyn <tom.deseyn@gmail.com>
Date: Tue, 29 Mar 2022 11:44:28 +0200
Subject: [PATCH 12/39] Add actor that checks for obsolete .NET versions.
The actor checks for versions of .NET that are installed on the system,
and which are no longer available after the upgrade.
The unsupported versions are reported to the user.
This actor does not inhibit the upgrade.
---
.../el8toel9/actors/dotnet/actor.py | 40 +++++++++++++++++
.../actors/dotnet/tests/test_dotnet.py | 43 +++++++++++++++++++
2 files changed, 83 insertions(+)
create mode 100644 repos/system_upgrade/el8toel9/actors/dotnet/actor.py
create mode 100644 repos/system_upgrade/el8toel9/actors/dotnet/tests/test_dotnet.py
diff --git a/repos/system_upgrade/el8toel9/actors/dotnet/actor.py b/repos/system_upgrade/el8toel9/actors/dotnet/actor.py
new file mode 100644
index 00000000..d6e3e465
--- /dev/null
+++ b/repos/system_upgrade/el8toel9/actors/dotnet/actor.py
@@ -0,0 +1,40 @@
+from leapp import reporting
+from leapp.actors import Actor
+from leapp.libraries.common.rpms import has_package
+from leapp.models import InstalledRedHatSignedRPM, Report
+from leapp.tags import ChecksPhaseTag, IPUWorkflowTag
+
+UNSUPPORTED_VERSIONS = ['2.1', '3.0', '3.1', '5.0']
+
+
+class DotnetUnsupportedVersionsCheck(Actor):
+ """
+ Check for installed .NET versions that are no longer supported.
+ """
+
+ name = 'dotnet_unsupported_versions_check'
+ consumes = (InstalledRedHatSignedRPM,)
+ produces = (Report,)
+ tags = (ChecksPhaseTag, IPUWorkflowTag)
+
+ def process(self):
+ unsupported_versions_report_text = ''
+
+ for unsupported_version in UNSUPPORTED_VERSIONS:
+ runtime_package = f'dotnet-runtime-{unsupported_version}'
+ if has_package(InstalledRedHatSignedRPM, runtime_package):
+ unsupported_versions_report_text += '{0}{1}'.format('\n - ', unsupported_version)
+
+ if unsupported_versions_report_text:
+ reporting.create_report([
+ reporting.Title('Unsupported .NET versions installed on the system.'),
+ reporting.Summary(
+ (
+ 'The following versions of .NET are no longer supported :{0}\n'
+ 'Applications that use these runtimes will no longer work\n'
+ 'and must be updated to target a newer version of .NET.'
+ ).format(
+ unsupported_versions_report_text
+ )
+ ),
+ reporting.Severity(reporting.Severity.HIGH)])
diff --git a/repos/system_upgrade/el8toel9/actors/dotnet/tests/test_dotnet.py b/repos/system_upgrade/el8toel9/actors/dotnet/tests/test_dotnet.py
new file mode 100644
index 00000000..744a4e0b
--- /dev/null
+++ b/repos/system_upgrade/el8toel9/actors/dotnet/tests/test_dotnet.py
@@ -0,0 +1,43 @@
+import pytest
+
+from leapp.models import InstalledRedHatSignedRPM, Report, RPM
+
+
+def _generate_rpm_with_name(name):
+ return RPM(name=name,
+ version='0.1',
+ release='1.sm01',
+ epoch='1',
+ pgpsig='RSA/SHA256, Mon 01 Jan 1970 00:00:00 AM -03, Key ID 199e2f91fd431d51',
+ packager='Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>',
+ arch='noarch')
+
+
+@pytest.mark.parametrize('unsupported_versions', [
+ ([]), # No unsupported versions
+ ([2.1]), # Single unsupported version
+ ([3.0]), # Other unsupported version
+ ([2.1, 3.0]), # Multiple unsupported versions
+])
+def test_actor_execution(monkeypatch, current_actor_context, unsupported_versions):
+ """
+ Install one or more dotnet-runtime packages for unsupported versions
+ and verify a report is generated.
+ """
+
+ # Couple of random packages
+ rpms = [_generate_rpm_with_name('sed'),
+ _generate_rpm_with_name('htop')]
+
+ # dotnet-runtime-{version} packages
+ for version in unsupported_versions:
+ rpms += [_generate_rpm_with_name(f'dotnet-runtime-{version}')]
+
+ # Executed actor feeded with fake RPMs
+ current_actor_context.feed(InstalledRedHatSignedRPM(items=rpms))
+ current_actor_context.run()
+
+ if unsupported_versions:
+ assert current_actor_context.consume(Report)
+ else:
+ assert not current_actor_context.consume(Report)
--
2.35.3

36
SOURCES/0013-Move-OpenSSH-server-config-Scanner-and-related-model.patch Normal file
View File

@ -0,0 +1,36 @@
From f41767195b7515c86c6070c0b65db035112c6d17 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 9 Mar 2022 17:10:20 +0100
Subject: [PATCH 13/39] Move OpenSSH server config Scanner and related model to
the common repository
---
.../{el7toel8 => common}/actors/opensshconfigscanner/actor.py | 0
.../actors/opensshconfigscanner/libraries/readopensshconfig.py | 0
.../tests/test_readopensshconfig_opensshconfigscanner.py | 0
repos/system_upgrade/{el7toel8 => common}/models/opensshconfig.py | 0
4 files changed, 0 insertions(+), 0 deletions(-)
rename repos/system_upgrade/{el7toel8 => common}/actors/opensshconfigscanner/actor.py (100%)
rename repos/system_upgrade/{el7toel8 => common}/actors/opensshconfigscanner/libraries/readopensshconfig.py (100%)
rename repos/system_upgrade/{el7toel8 => common}/actors/opensshconfigscanner/tests/test_readopensshconfig_opensshconfigscanner.py (100%)
rename repos/system_upgrade/{el7toel8 => common}/models/opensshconfig.py (100%)
diff --git a/repos/system_upgrade/el7toel8/actors/opensshconfigscanner/actor.py b/repos/system_upgrade/common/actors/opensshconfigscanner/actor.py
similarity index 100%
rename from repos/system_upgrade/el7toel8/actors/opensshconfigscanner/actor.py
rename to repos/system_upgrade/common/actors/opensshconfigscanner/actor.py
diff --git a/repos/system_upgrade/el7toel8/actors/opensshconfigscanner/libraries/readopensshconfig.py b/repos/system_upgrade/common/actors/opensshconfigscanner/libraries/readopensshconfig.py
similarity index 100%
rename from repos/system_upgrade/el7toel8/actors/opensshconfigscanner/libraries/readopensshconfig.py
rename to repos/system_upgrade/common/actors/opensshconfigscanner/libraries/readopensshconfig.py
diff --git a/repos/system_upgrade/el7toel8/actors/opensshconfigscanner/tests/test_readopensshconfig_opensshconfigscanner.py b/repos/system_upgrade/common/actors/opensshconfigscanner/tests/test_readopensshconfig_opensshconfigscanner.py
similarity index 100%
rename from repos/system_upgrade/el7toel8/actors/opensshconfigscanner/tests/test_readopensshconfig_opensshconfigscanner.py
rename to repos/system_upgrade/common/actors/opensshconfigscanner/tests/test_readopensshconfig_opensshconfigscanner.py
diff --git a/repos/system_upgrade/el7toel8/models/opensshconfig.py b/repos/system_upgrade/common/models/opensshconfig.py
similarity index 100%
rename from repos/system_upgrade/el7toel8/models/opensshconfig.py
rename to repos/system_upgrade/common/models/opensshconfig.py
--
2.35.3

175
SOURCES/0014-Add-actor-for-updating-OpenSSH-configuration-to-RHEL.patch Normal file
View File

@ -0,0 +1,175 @@
From ce1b83fafbbf3b323874fbb363e85a2e5abab4e2 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 16 Mar 2022 21:48:04 +0100
Subject: [PATCH 14/39] Add actor for updating OpenSSH configuration to RHEL9
---
.../actors/opensshdropindirectory/actor.py | 29 ++++++++
.../libraries/opensshdropindirectory.py | 67 +++++++++++++++++++
.../test_opensshdropindirectory_prepend.py | 44 ++++++++++++
3 files changed, 140 insertions(+)
create mode 100644 repos/system_upgrade/el8toel9/actors/opensshdropindirectory/actor.py
create mode 100644 repos/system_upgrade/el8toel9/actors/opensshdropindirectory/libraries/opensshdropindirectory.py
create mode 100644 repos/system_upgrade/el8toel9/actors/opensshdropindirectory/tests/test_opensshdropindirectory_prepend.py
diff --git a/repos/system_upgrade/el8toel9/actors/opensshdropindirectory/actor.py b/repos/system_upgrade/el8toel9/actors/opensshdropindirectory/actor.py
new file mode 100644
index 00000000..17a0c01a
--- /dev/null
+++ b/repos/system_upgrade/el8toel9/actors/opensshdropindirectory/actor.py
@@ -0,0 +1,29 @@
+from leapp.actors import Actor
+from leapp.libraries.actor import opensshdropindirectory
+from leapp.models import InstalledRedHatSignedRPM, OpenSshConfig
+from leapp.tags import ApplicationsPhaseTag, IPUWorkflowTag
+
+
+class OpenSshDropInDirectory(Actor):
+ """
+ The RHEL 9 provides default configuration file with an Include directive.
+
+ If the configuration file was modified, it will not be replaced by the update
+ and we need to do couple of tweaks:
+
+ * Insert Include directive as expected by the rest of the OS
+ * Verify the resulting configuration is valid
+ * The only potentially problematic option is "Subsystem", but it is kept in the
+ main sshd_config even in RHEL9 so there is no obvious upgrade path where it
+ could cause issues (unlike the Debian version).
+
+ [1] https://bugzilla.mindrot.org/show_bug.cgi?id=3236
+ """
+
+ name = 'open_ssh_drop_in_directory'
+ consumes = (OpenSshConfig, InstalledRedHatSignedRPM,)
+ produces = ()
+ tags = (IPUWorkflowTag, ApplicationsPhaseTag,)
+
+ def process(self):
+ opensshdropindirectory.process(self.consume(OpenSshConfig))
diff --git a/repos/system_upgrade/el8toel9/actors/opensshdropindirectory/libraries/opensshdropindirectory.py b/repos/system_upgrade/el8toel9/actors/opensshdropindirectory/libraries/opensshdropindirectory.py
new file mode 100644
index 00000000..d55eee1c
--- /dev/null
+++ b/repos/system_upgrade/el8toel9/actors/opensshdropindirectory/libraries/opensshdropindirectory.py
@@ -0,0 +1,67 @@
+from leapp.exceptions import StopActorExecutionError
+from leapp.libraries.common.rpms import has_package
+from leapp.libraries.stdlib import api
+from leapp.models import InstalledRedHatSignedRPM
+
+# The main SSHD configuration file
+SSHD_CONFIG = '/etc/ssh/sshd_config'
+
+# The include directive needed, taken from RHEL9 sshd_config with leapp comment
+INCLUDE = 'Include /etc/ssh/sshd_config.d/*.conf'
+INCLUDE_BLOCK = ''.join(('# Added by leapp during upgrade from RHEL8 to RHEL9\n', INCLUDE, '\n'))
+
+
+def prepend_string_if_not_present(f, content, check_string):
+ """
+ This reads the open file descriptor and checks for presense of the `check_string`.
+ If not present, the `content` is prepended to the original content of the file and
+ result is written.
+ Note, that this requires opened file for both reading and writing, for example with:
+
+ with open(path, r+') as f:
+ """
+ lines = f.readlines()
+ for line in lines:
+ if line.lstrip().startswith(check_string):
+ # The directive is present
+ return
+
+ # prepend it otherwise, also with comment
+ f.seek(0)
+ f.write(''.join((content, ''.join(lines))))
+
+
+def process(openssh_messages):
+ """
+ The main logic of the actor:
+ * read the configuration file message
+ * skip if no action is needed
+ * package not installed
+ * the configuration file was not modified
+ * insert the include directive if it is not present yet
+ """
+ config = next(openssh_messages, None)
+ if list(openssh_messages):
+ api.current_logger().warning('Unexpectedly received more than one OpenSshConfig message.')
+ if not config:
+ raise StopActorExecutionError(
+ 'Could not check openssh configuration', details={'details': 'No OpenSshConfig facts found.'}
+ )
+
+ # If the package is not installed, there is no need to do anything
+ if not has_package(InstalledRedHatSignedRPM, 'openssh-server'):
+ return
+
+ # If the configuration file was not modified, the rpm update will bring the new
+ # changes by itself
+ if not config.modified:
+ return
+
+ # otherwise prepend the Include directive to the main sshd_config
+ api.current_logger().debug('Adding the Include directive to {}.'
+ .format(SSHD_CONFIG))
+ try:
+ with open(SSHD_CONFIG, 'r+') as f:
+ prepend_string_if_not_present(f, INCLUDE_BLOCK, INCLUDE)
+ except (OSError, IOError) as error:
+ api.current_logger().error('Failed to modify the file {}: {} '.format(SSHD_CONFIG, error))
diff --git a/repos/system_upgrade/el8toel9/actors/opensshdropindirectory/tests/test_opensshdropindirectory_prepend.py b/repos/system_upgrade/el8toel9/actors/opensshdropindirectory/tests/test_opensshdropindirectory_prepend.py
new file mode 100644
index 00000000..bccadf4b
--- /dev/null
+++ b/repos/system_upgrade/el8toel9/actors/opensshdropindirectory/tests/test_opensshdropindirectory_prepend.py
@@ -0,0 +1,44 @@
+import pytest
+
+from leapp.libraries.actor.opensshdropindirectory import prepend_string_if_not_present
+
+
+class MockFile(object):
+ def __init__(self, path, content=None):
+ self.path = path
+ self.content = content
+ self.error = False
+
+ def readlines(self):
+ return self.content.splitlines(True)
+
+ def seek(self, n):
+ self.content = ''
+
+ def write(self, content):
+ self.content = content
+
+
+testdata = (
+ ('', 'Prepend', 'Prepend',
+ 'Prepend'), # only prepend
+ ('Text', '', '',
+ 'Text'), # only text
+ ('Text', 'Prepend', 'Prepend',
+ 'PrependText'), # prepended text
+ ('Prepend\nText\n', 'Prepend', 'Prepend',
+ 'Prepend\nText\n'), # already present
+ ('Text\n', '# Comment\nPrepend\n', 'Prepend',
+ '# Comment\nPrepend\nText\n'), # different prepend than check string
+ ('Prepend\nText\n', '# Comment\nPrepend\n', 'Prepend',
+ 'Prepend\nText\n'), # different prepend than check string, already present
+)
+
+
+@pytest.mark.parametrize('file_content,prepend,check_string,expected', testdata)
+def test_prepend_string_if_not_present(file_content, prepend, check_string, expected):
+ f = MockFile('/etc/ssh/sshd_config', file_content)
+
+ prepend_string_if_not_present(f, prepend, check_string)
+
+ assert f.content == expected
--
2.35.3

84
SOURCES/0015-Add-OpenSSH-Drop-in-directory-check-to-emit-info-rep.patch Normal file
View File

@ -0,0 +1,84 @@
From 25eff3169450888e4afa33df2c4a455f58671fe5 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 30 Mar 2022 14:30:07 +0200
Subject: [PATCH 15/39] Add OpenSSH Drop-in directory check to emit info report
about modifying sshd_config
---
.../opensshdropindirectorycheck/actor.py | 64 +++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 repos/system_upgrade/el8toel9/actors/opensshdropindirectorycheck/actor.py
diff --git a/repos/system_upgrade/el8toel9/actors/opensshdropindirectorycheck/actor.py b/repos/system_upgrade/el8toel9/actors/opensshdropindirectorycheck/actor.py
new file mode 100644
index 00000000..e8b0385a
--- /dev/null
+++ b/repos/system_upgrade/el8toel9/actors/opensshdropindirectorycheck/actor.py
@@ -0,0 +1,64 @@
+from leapp import reporting
+from leapp.actors import Actor
+from leapp.exceptions import StopActorExecutionError
+from leapp.libraries.common.rpms import has_package
+from leapp.libraries.stdlib import api
+from leapp.models import InstalledRedHatSignedRPM, OpenSshConfig, Report
+from leapp.tags import ChecksPhaseTag, IPUWorkflowTag
+
+
+class OpenSshDropInDirectoryCheck(Actor):
+ """
+ Trigger a notice that the main sshd_config will be updated to contain
+ the Include directive so the other configuration files dropped by the
+ RHEL9 packages are effective.
+
+ This might change the sshd behavior so it is advised to verify by the
+ customer that the updated system behaves as expected.
+ """
+
+ name = 'open_ssh_drop_in_directory_check'
+ consumes = (OpenSshConfig, InstalledRedHatSignedRPM,)
+ produces = (Report,)
+ tags = (IPUWorkflowTag, ChecksPhaseTag,)
+
+ def process(self):
+ openssh_messages = self.consume(OpenSshConfig)
+ config = next(openssh_messages, None)
+ if list(openssh_messages):
+ api.current_logger().warning('Unexpectedly received more than one OpenSshConfig message.')
+ if not config:
+ raise StopActorExecutionError(
+ 'Could not check openssh configuration', details={'details': 'No OpenSshConfig facts found.'}
+ )
+
+ # If the package is not installed, there is no need to do anything
+ if not has_package(InstalledRedHatSignedRPM, 'openssh-server'):
+ return
+
+ # If the configuration file was not modified, the rpm update will bring the new
+ # changes by itself
+ if not config.modified:
+ return
+
+ # otherwise we will prepend the Include directive to the main sshd_config
+ resources = [
+ reporting.RelatedResource('package', 'openssh-server'),
+ reporting.RelatedResource('file', '/etc/ssh/sshd_config')
+ ]
+ reporting.create_report([
+ reporting.Title('The upgrade will prepend the Incude directive to OpenSSH sshd_config'),
+ reporting.Summary(
+ 'OpenSSH server configuration needs to be modified to contain Include directive '
+ 'for the RHEL9 to work properly and integrate with the other parts of the OS. '
+ 'The following snippet will be added to the /etc/ssh/sshd_config during the '
+ 'ApplicationsPhase: `Include /etc/ssh/sshd_config.d/*.conf`'
+ ),
+ reporting.Severity(reporting.Severity.INFO),
+ reporting.Tags([
+ reporting.Tags.AUTHENTICATION,
+ reporting.Tags.SECURITY,
+ reporting.Tags.NETWORK,
+ reporting.Tags.SERVICES
+ ]),
+ ] + resources)
--
2.35.3

165
SOURCES/0016-OpenSSH-Config-Scanner-Record-the-presence-of-subsys.patch Normal file
View File

@ -0,0 +1,165 @@
From 3217ead5c28a55d8eedc400957e05735e0f94db6 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 9 Mar 2022 20:53:08 +0100
Subject: [PATCH 16/39] OpenSSH Config Scanner: Record the presence of
subsystem option
---
.../common/actors/opensshconfigscanner/actor.py | 1 +
.../libraries/readopensshconfig.py | 6 ++++++
...test_readopensshconfig_opensshconfigscanner.py | 15 +++++++++++++++
.../system_upgrade/common/models/opensshconfig.py | 7 +++++--
4 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/repos/system_upgrade/common/actors/opensshconfigscanner/actor.py b/repos/system_upgrade/common/actors/opensshconfigscanner/actor.py
index df194559..4553f3e8 100644
--- a/repos/system_upgrade/common/actors/opensshconfigscanner/actor.py
+++ b/repos/system_upgrade/common/actors/opensshconfigscanner/actor.py
@@ -15,6 +15,7 @@ class OpenSshConfigScanner(Actor):
* Protocol
* Ciphers
* MACs
+ * Subsystem sftp
"""
diff --git a/repos/system_upgrade/common/actors/opensshconfigscanner/libraries/readopensshconfig.py b/repos/system_upgrade/common/actors/opensshconfigscanner/libraries/readopensshconfig.py
index 3b70486a..4a8df194 100644
--- a/repos/system_upgrade/common/actors/opensshconfigscanner/libraries/readopensshconfig.py
+++ b/repos/system_upgrade/common/actors/opensshconfigscanner/libraries/readopensshconfig.py
@@ -61,6 +61,12 @@ def parse_config(config):
if not ret.macs:
ret.macs = value
+ elif el[0].lower() == 'subsystem':
+ # Record only first occurence, which is effective
+ if el[1].lower() == 'sftp' and len(el) > 2 and not ret.subsystem_sftp:
+ # here we need to record all remaining items as command and arguments
+ ret.subsystem_sftp = ' '.join(el[2:])
+
elif el[0].lower() in DEPRECATED_DIRECTIVES:
# Filter out duplicit occurences of the same deprecated directive
if el[0].lower() not in ret.deprecated_directives:
diff --git a/repos/system_upgrade/common/actors/opensshconfigscanner/tests/test_readopensshconfig_opensshconfigscanner.py b/repos/system_upgrade/common/actors/opensshconfigscanner/tests/test_readopensshconfig_opensshconfigscanner.py
index 8fa5837b..48d24b28 100644
--- a/repos/system_upgrade/common/actors/opensshconfigscanner/tests/test_readopensshconfig_opensshconfigscanner.py
+++ b/repos/system_upgrade/common/actors/opensshconfigscanner/tests/test_readopensshconfig_opensshconfigscanner.py
@@ -24,6 +24,8 @@ def test_parse_config():
"hostkey /etc/ssh/ssh_host_ed25519_key",
"ciphers aes128-ctr",
"macs hmac-md5",
+ "subsystem sftp internal-sftp",
+ "subsystem other internal-other", # this is ignored
]
output = parse_config(config)
@@ -34,6 +36,7 @@ def test_parse_config():
assert output.protocol == "2"
assert output.ciphers == "aes128-ctr"
assert output.macs == "hmac-md5"
+ assert output.subsystem_sftp == "internal-sftp"
def test_parse_config_case():
@@ -41,6 +44,7 @@ def test_parse_config_case():
"PermitRootLogin prohibit-password",
"UsePrivilegeSeparation yes",
"Protocol 1",
+ "SubSystem sftp sftp-server",
]
output = parse_config(config)
@@ -49,6 +53,7 @@ def test_parse_config_case():
assert output.permit_root_login[0].value == "prohibit-password"
assert output.use_privilege_separation == "yes"
assert output.protocol == "1"
+ assert output.subsystem_sftp == "sftp-server"
def test_parse_config_multiple():
@@ -58,6 +63,8 @@ def test_parse_config_multiple():
"PermitRootLogin yes",
"Ciphers aes128-cbc",
"Ciphers aes256-cbc",
+ "subsystem sftp internal-sftp",
+ "subsystem sftp internal-sftp2",
]
output = parse_config(config)
@@ -69,6 +76,7 @@ def test_parse_config_multiple():
assert output.use_privilege_separation is None
assert output.protocol is None
assert output.ciphers == 'aes128-cbc'
+ assert output.subsystem_sftp == 'internal-sftp'
def test_parse_config_commented():
@@ -76,6 +84,7 @@ def test_parse_config_commented():
"#PermitRootLogin no",
"#UsePrivilegeSeparation no",
"#Protocol 12",
+ "#SubSystem sftp internal-sftp",
]
output = parse_config(config)
@@ -83,6 +92,7 @@ def test_parse_config_commented():
assert not output.permit_root_login
assert output.use_privilege_separation is None
assert output.protocol is None
+ assert output.subsystem_sftp is None
def test_parse_config_missing_argument():
@@ -90,6 +100,8 @@ def test_parse_config_missing_argument():
"PermitRootLogin",
"UsePrivilegeSeparation",
"Protocol"
+ "SubSystem"
+ "SubSystem sftp"
]
output = parse_config(config)
@@ -97,6 +109,7 @@ def test_parse_config_missing_argument():
assert not output.permit_root_login
assert output.use_privilege_separation is None
assert output.protocol is None
+ assert output.subsystem_sftp is None
def test_parse_config_match():
@@ -174,6 +187,7 @@ def test_produce_config():
use_privilege_separation="yes",
protocol="1",
deprecated_directives=[],
+ subsystem_sftp="internal-sftp",
)
produce_config(fake_producer, config)
@@ -183,6 +197,7 @@ def test_produce_config():
assert cfg.permit_root_login[0].value == "no"
assert cfg.use_privilege_separation == "yes"
assert cfg.protocol == '1'
+ assert cfg.subsystem_sftp == 'internal-sftp'
def test_actor_execution(current_actor_context):
diff --git a/repos/system_upgrade/common/models/opensshconfig.py b/repos/system_upgrade/common/models/opensshconfig.py
index 934c9da3..e94c6881 100644
--- a/repos/system_upgrade/common/models/opensshconfig.py
+++ b/repos/system_upgrade/common/models/opensshconfig.py
@@ -34,7 +34,10 @@ class OpenSshConfig(Model):
""" Value of the Ciphers directive, if present. Ciphers separated by comma. """
macs = fields.Nullable(fields.String())
""" Value of the MACs directive, if present. """
- modified = fields.Boolean(default=False)
- """ True if the configuration file was modified. """
deprecated_directives = fields.List(fields.String())
""" Configuration directives that were deprecated in the new version of openssh. """
+ subsystem_sftp = fields.Nullable(fields.String())
+ """ The "Subsystem sftp" configuration option, if present """
+
+ modified = fields.Boolean(default=False)
+ """ True if the configuration file was modified. """
--
2.35.3

137
SOURCES/0017-Warn-if-the-SSHD-is-not-configured-to-use-SFTP-serve.patch Normal file
View File

@ -0,0 +1,137 @@
From 85e1bd3c9366c6e15f53097ff0cd846739beb611 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 17 Mar 2022 16:01:12 +0100
Subject: [PATCH 17/39] Warn if the SSHD is not configured to use SFTP server
---
.../actors/opensshsubsystemsftp/actor.py | 22 +++++++++
.../libraries/opensshsubsystemsftp.py | 47 +++++++++++++++++++
.../tests/test_opensshsubsystemsftp.py | 33 +++++++++++++
3 files changed, 102 insertions(+)
create mode 100644 repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/actor.py
create mode 100644 repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py
create mode 100644 repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/tests/test_opensshsubsystemsftp.py
diff --git a/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/actor.py b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/actor.py
new file mode 100644
index 00000000..14d8b882
--- /dev/null
+++ b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/actor.py
@@ -0,0 +1,22 @@
+from leapp.actors import Actor
+from leapp.libraries.actor import opensshsubsystemsftp
+from leapp.models import InstalledRedHatSignedRPM, OpenSshConfig
+from leapp.reporting import Report
+from leapp.tags import ChecksPhaseTag, IPUWorkflowTag
+
+
+class OpenSshSubsystemSftp(Actor):
+ """
+ The RHEL9 changes the SCP to use SFTP protocol internally. The both RHEL8 and RHEL9
+ enable SFTP server by default, but if the user disabled the SFTP for some reason,
+ it might make sense to warn that some previously working SCP operations could stop
+ working.
+ """
+
+ name = 'open_ssh_subsystem_sftp'
+ consumes = (OpenSshConfig, InstalledRedHatSignedRPM,)
+ produces = (Report,)
+ tags = (IPUWorkflowTag, ChecksPhaseTag)
+
+ def process(self):
+ opensshsubsystemsftp.process(self.consume(OpenSshConfig))
diff --git a/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py
new file mode 100644
index 00000000..b60c08ca
--- /dev/null
+++ b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py
@@ -0,0 +1,47 @@
+from leapp import reporting
+from leapp.exceptions import StopActorExecutionError
+from leapp.libraries.stdlib import api
+
+
+def process(openssh_messages):
+ config = next(openssh_messages, None)
+ if list(openssh_messages):
+ api.current_logger().warning('Unexpectedly received more than one OpenSshConfig message.')
+ if not config:
+ raise StopActorExecutionError(
+ 'Could not check openssh configuration', details={'details': 'No OpenSshConfig facts found.'}
+ )
+
+ # not modified configuration will get updated by RPM automatically
+ if not config.modified:
+ return
+
+ if not config.subsystem_sftp:
+ resources = [
+ reporting.RelatedResource('package', 'openssh-server'),
+ reporting.RelatedResource('file', '/etc/ssh/sshd_config'),
+ reporting.ExternalLink(
+ title="SCP support in RHEL",
+ url="https://access.redhat.com/articles/5284081",
+ ),
+ # TODO provide a link to documentation or blog post
+ ]
+ reporting.create_report([
+ reporting.Title('OpenSSH configured without SFTP subsystem'),
+ reporting.Summary(
+ 'The RHEL9 is changing the default SCP behaviour to use SFTP internally '
+ 'so not having SFTP server enabled can prevent interoperability and break existing '
+ 'scripts on other systems updated to RHEL9 to copy files to or from this machine.'
+ ),
+ reporting.Remediation(
+ hint='Add the following line to the /etc/ssh/sshd_config to enable SFTP server: '
+ 'Subsystem sftp /usr/libexec/openssh/sftp-server'
+ ),
+ reporting.Severity(reporting.Severity.MEDIUM),
+ reporting.Tags([
+ reporting.Tags.AUTHENTICATION,
+ reporting.Tags.SECURITY,
+ reporting.Tags.NETWORK,
+ reporting.Tags.SERVICES
+ ]),
+ ] + resources)
diff --git a/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/tests/test_opensshsubsystemsftp.py b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/tests/test_opensshsubsystemsftp.py
new file mode 100644
index 00000000..4e3c2ace
--- /dev/null
+++ b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/tests/test_opensshsubsystemsftp.py
@@ -0,0 +1,33 @@
+import pytest
+
+from leapp.exceptions import StopActorExecutionError
+from leapp.libraries.actor import opensshsubsystemsftp
+from leapp.models import OpenSshConfig, Report
+
+
+def test_no_config(current_actor_context):
+ with pytest.raises(StopActorExecutionError):
+ opensshsubsystemsftp.process(iter([]))
+
+
+@pytest.mark.parametrize('modified,subsystem,expected_report', [
+ (False, None, False), # should not happen
+ (False, '/usr/libexec/openssh/sftp-server', False), # Defaults
+ (True, None, True),
+ (True, 'internal-sftp', False),
+ (True, '/usr/libexec/openssh/sftp-server', False)
+])
+def test_subsystem(current_actor_context, modified, subsystem, expected_report):
+ conf = OpenSshConfig(
+ modified=modified,
+ permit_root_login=[],
+ deprecated_directives=[]
+ )
+ if subsystem is not None:
+ conf.subsystem_sftp = subsystem
+ current_actor_context.feed(conf)
+ current_actor_context.run()
+ if expected_report:
+ assert current_actor_context.consume(Report)
+ else:
+ assert not current_actor_context.consume(Report)
--
2.35.3

41
SOURCES/0018-Fix-actor-tracebacks-for-non-default-lang.patch Normal file
View File

@ -0,0 +1,41 @@
From e4f733297937847522ecf4b306182c2bcb293676 Mon Sep 17 00:00:00 2001
From: Inessa Vasilevskaya <ivasilev@redhat.com>
Date: Wed, 4 May 2022 13:39:41 +0200
Subject: [PATCH 18/39] Fix actor tracebacks for non-default lang
This should fix tracebacks in actors when LANGUAGE
environment variable is set to non utf-8 in test env.
OAMG-6750
---
commands/preupgrade/__init__.py | 1 +
commands/upgrade/__init__.py | 1 +
2 files changed, 2 insertions(+)
diff --git a/commands/preupgrade/__init__.py b/commands/preupgrade/__init__.py
index 92038bb6..46812b36 100644
--- a/commands/preupgrade/__init__.py
+++ b/commands/preupgrade/__init__.py
@@ -62,6 +62,7 @@ def preupgrade(args, breadcrumbs):
logger.info('Executing workflow until phase: %s', until_phase)
# Set the locale, so that the actors parsing command outputs that might be localized will not fail
+ os.environ['LANGUAGE'] = 'en_US.UTF-8'
os.environ['LC_ALL'] = 'en_US.UTF-8'
os.environ['LANG'] = 'en_US.UTF-8'
workflow.run(context=context, until_phase=until_phase, skip_dialogs=True)
diff --git a/commands/upgrade/__init__.py b/commands/upgrade/__init__.py
index c9c2741c..b64e4d77 100644
--- a/commands/upgrade/__init__.py
+++ b/commands/upgrade/__init__.py
@@ -91,6 +91,7 @@ def upgrade(args, breadcrumbs):
workflow.load_answers(answerfile_path, userchoices_path)
# Set the locale, so that the actors parsing command outputs that might be localized will not fail
+ os.environ['LANGUAGE'] = 'en_US.UTF-8'
os.environ['LC_ALL'] = 'en_US.UTF-8'
os.environ['LANG'] = 'en_US.UTF-8'
workflow.run(context=context, skip_phases_until=skip_phases_until, skip_dialogs=True,
--
2.35.3

31
SOURCES/0019-Move-the-OpenSSH-PermitRootLogin-check-to-common-rep.patch Normal file
View File

@ -0,0 +1,31 @@
From 634cf9e3e336779b2300ce4fc09f7e4740005608 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 21 Mar 2022 18:54:56 +0100
Subject: [PATCH 19/39] Move the OpenSSH PermitRootLogin check to common
repository
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
.../actors/opensshpermitrootlogincheck/actor.py | 0
.../libraries/opensshpermitrootlogincheck.py | 0
.../tests/test_library_opensshpermitrootlogincheck.py | 0
3 files changed, 0 insertions(+), 0 deletions(-)
rename repos/system_upgrade/{el7toel8 => common}/actors/opensshpermitrootlogincheck/actor.py (100%)
rename repos/system_upgrade/{el7toel8 => common}/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py (100%)
rename repos/system_upgrade/{el7toel8 => common}/actors/opensshpermitrootlogincheck/tests/test_library_opensshpermitrootlogincheck.py (100%)
diff --git a/repos/system_upgrade/el7toel8/actors/opensshpermitrootlogincheck/actor.py b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
similarity index 100%
rename from repos/system_upgrade/el7toel8/actors/opensshpermitrootlogincheck/actor.py
rename to repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
diff --git a/repos/system_upgrade/el7toel8/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py
similarity index 100%
rename from repos/system_upgrade/el7toel8/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py
rename to repos/system_upgrade/common/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py
diff --git a/repos/system_upgrade/el7toel8/actors/opensshpermitrootlogincheck/tests/test_library_opensshpermitrootlogincheck.py b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/tests/test_library_opensshpermitrootlogincheck.py
similarity index 100%
rename from repos/system_upgrade/el7toel8/actors/opensshpermitrootlogincheck/tests/test_library_opensshpermitrootlogincheck.py
rename to repos/system_upgrade/common/actors/opensshpermitrootlogincheck/tests/test_library_opensshpermitrootlogincheck.py
--
2.35.3

268
SOURCES/0020-PermitRootLogin-check-add-new-use-cases-for-8to9.patch Normal file
View File

@ -0,0 +1,268 @@
From 1052277e4525b139d24065db576f8bd750b8da36 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 21 Mar 2022 20:17:52 +0100
Subject: [PATCH 20/39] PermitRootLogin check: add new use cases for 8to9
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
.../opensshpermitrootlogincheck/actor.py | 79 +++++++++++++++++--
.../libraries/opensshpermitrootlogincheck.py | 8 ++
...est_library_opensshpermitrootlogincheck.py | 26 +++++-
3 files changed, 104 insertions(+), 9 deletions(-)
diff --git a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
index f13a7672..f7ee61da 100644
--- a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
+++ b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
@@ -1,7 +1,8 @@
from leapp import reporting
from leapp.actors import Actor
from leapp.exceptions import StopActorExecutionError
-from leapp.libraries.actor.opensshpermitrootlogincheck import semantics_changes
+from leapp.libraries.actor.opensshpermitrootlogincheck import global_value, semantics_changes
+from leapp.libraries.common.config.version import get_source_major_version
from leapp.libraries.stdlib import api
from leapp.models import OpenSshConfig, Report
from leapp.reporting import create_report
@@ -14,13 +15,21 @@ COMMON_REPORT_TAGS = [
reporting.Tags.SERVICES
]
+COMMON_RESOURCES = [
+ reporting.RelatedResource('package', 'openssh-server'),
+ reporting.RelatedResource('file', '/etc/ssh/sshd_config')
+]
+
class OpenSshPermitRootLoginCheck(Actor):
"""
OpenSSH no longer allows root logins with password.
Check the values of PermitRootLogin in OpenSSH server configuration file
- and warn about potential issues after update.
+ and warn about potential issues after upgrade to the next major version of RHEL.
+
+ The RHEL8 still provided default configuration that allowed root logins,
+ which can lead to possible unwanted changes during the upgrade
"""
name = 'openssh_permit_root_login'
consumes = (OpenSshConfig, )
@@ -37,10 +46,15 @@ class OpenSshPermitRootLoginCheck(Actor):
'Could not check openssh configuration', details={'details': 'No OpenSshConfig facts found.'}
)
- resources = [
- reporting.RelatedResource('package', 'openssh-server'),
- reporting.RelatedResource('file', '/etc/ssh/sshd_config')
- ]
+ if get_source_major_version() == '7':
+ self.process7to8(config)
+ elif get_source_major_version() == '8':
+ self.process8to9(config)
+ else:
+ api.current_logger().warning('Unknown source major version: {} (expecting 7 or 8)'
+ .format(get_source_major_version()))
+
+ def process7to8(self, config):
# When the configuration does not contain the PermitRootLogin directive and
# the configuration file was locally modified, it will not get updated by
# RPM and the user might be locked away from the server. Warn the user here.
@@ -61,7 +75,7 @@ class OpenSshPermitRootLoginCheck(Actor):
'"PermitRootLogin yes" to sshd_config.'
),
reporting.Flags([reporting.Flags.INHIBITOR])
- ] + resources)
+ ] + COMMON_RESOURCES)
# Check if there is at least one PermitRootLogin other than "no"
# in match blocks (other than Match All).
@@ -87,4 +101,53 @@ class OpenSshPermitRootLoginCheck(Actor):
'in global context if desired.'
),
reporting.Flags([reporting.Flags.INHIBITOR])
- ] + resources)
+ ] + COMMON_RESOURCES)
+
+ def process8to9(self, config):
+ # RHEL8 default sshd configuration file is not modified: It will get replaced by rpm and
+ # root will no longer be able to connect through ssh. This will probably result in many
+ # false positives so it will have to be waived a lot
+ if not config.modified:
+ create_report([
+ reporting.Title('Possible problems with remote login using root account'),
+ reporting.Summary(
+ 'OpenSSH configuration file will get updated to RHEL9 '
+ 'version, no longer allowing root login with password. '
+ 'It is a good practice to use non-root administrative '
+ 'user and non-password authentications, but if you rely '
+ 'on the remote root login, this change can lock you out '
+ 'of this system.'
+ ),
+ reporting.Severity(reporting.Severity.HIGH),
+ reporting.Tags(COMMON_REPORT_TAGS),
+ reporting.Remediation(
+ hint='If you depend on remote root logins using passwords, '
+ 'consider setting up a different user for remote '
+ 'administration or adding a comment into the '
+ 'sshd_config next to the "PermitRootLogin yes" directive '
+ 'to prevent rpm replacing it during the upgrade.'
+ ),
+ reporting.Flags([reporting.Flags.INHIBITOR])
+ ] + COMMON_RESOURCES)
+ # If the configuration is modified and contains any directive allowing
+ # root login (which is in default configuration), we are upgrading to
+ # RHEL9 keeping the old "security policy", which might keep the root
+ # login unexpectedly open. This might be just high priority warning
+ if global_value(config, 'prohibit-password') == 'yes':
+ create_report([
+ reporting.Title('Remote root logins globally allowed using password'),
+ reporting.Summary(
+ 'RHEL9 no longer allows remote root logins, but the '
+ 'server configuration explicitly overrides this default. '
+ 'The configuration file will not be updated and root is '
+ 'still going to be allowed to login with password. '
+ 'This is not recommended and considered as a security risk.'
+ ),
+ reporting.Severity(reporting.Severity.HIGH),
+ reporting.Tags(COMMON_REPORT_TAGS),
+ reporting.Remediation(
+ hint='If you depend on remote root logins using passwords, '
+ 'consider setting up a different user for remote '
+ 'administration. Otherwise you can ignore this message.'
+ )
+ ] + COMMON_RESOURCES)
diff --git a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py
index 0cb90819..d247b220 100644
--- a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py
+++ b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py
@@ -1,8 +1,16 @@
+def global_value(config, default):
+ for opt in config.permit_root_login:
+ if (opt.in_match is None or opt.in_match[0].lower() == 'all'):
+ return opt.value
+ return default
def semantics_changes(config):
globally_enabled = False
in_match_disabled = False
+ if not config.permit_root_login:
+ return True
+
for opt in config.permit_root_login:
if opt.value != "yes" and opt.in_match is not None \
and opt.in_match[0].lower() != 'all':
diff --git a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/tests/test_library_opensshpermitrootlogincheck.py b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/tests/test_library_opensshpermitrootlogincheck.py
index 23110839..6ccd5851 100644
--- a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/tests/test_library_opensshpermitrootlogincheck.py
+++ b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/tests/test_library_opensshpermitrootlogincheck.py
@@ -1,7 +1,20 @@
-from leapp.libraries.actor.opensshpermitrootlogincheck import semantics_changes
+from leapp.libraries.actor.opensshpermitrootlogincheck import global_value, semantics_changes
from leapp.models import OpenSshConfig, OpenSshPermitRootLogin
+def test_empty_file():
+ """ Empty file
+ """
+ config = OpenSshConfig(
+ permit_root_login=[
+ ],
+ deprecated_directives=[]
+ )
+
+ assert semantics_changes(config)
+ assert global_value(config, "default") == "default"
+
+
def test_globally_enabled():
""" Configuration file in this format:
@@ -17,6 +30,7 @@ def test_globally_enabled():
)
assert not semantics_changes(config)
+ assert global_value(config, "default") == "yes"
def test_globally_disabled():
@@ -34,6 +48,7 @@ def test_globally_disabled():
)
assert not semantics_changes(config)
+ assert global_value(config, "default") == "no"
def test_globally_disabled_password():
@@ -51,6 +66,7 @@ def test_globally_disabled_password():
)
assert not semantics_changes(config)
+ assert global_value(config, "default") == "prohibit-password"
def test_in_match_disabled():
@@ -70,6 +86,7 @@ def test_in_match_disabled():
)
assert semantics_changes(config)
+ assert global_value(config, "default") == "default"
def test_in_match_disabled_password():
@@ -89,6 +106,7 @@ def test_in_match_disabled_password():
)
assert semantics_changes(config)
+ assert global_value(config, "default") == "default"
def test_in_match_enabled():
@@ -109,6 +127,7 @@ def test_in_match_enabled():
)
assert not semantics_changes(config)
+ assert global_value(config, "default") == "default"
def test_in_match_all_disabled():
@@ -128,6 +147,7 @@ def test_in_match_all_disabled():
)
assert not semantics_changes(config)
+ assert global_value(config, "default") == "no"
def test_in_match_all_disabled_password():
@@ -147,6 +167,7 @@ def test_in_match_all_disabled_password():
)
assert not semantics_changes(config)
+ assert global_value(config, "default") == "prohibit-password"
def test_in_match_all_enabled():
@@ -166,6 +187,7 @@ def test_in_match_all_enabled():
)
assert not semantics_changes(config)
+ assert global_value(config, "default") == "yes"
def test_in_match_enabled_globally_disabled():
@@ -188,6 +210,7 @@ def test_in_match_enabled_globally_disabled():
)
assert not semantics_changes(config)
+ assert global_value(config, "default") == "no"
def test_in_match_disabled_globally_enabled():
@@ -210,3 +233,4 @@ def test_in_match_disabled_globally_enabled():
)
assert not semantics_changes(config)
+ assert global_value(config, "default") == "yes"
--
2.35.3

41
SOURCES/0021-If-the-config-is-not-modified-leave-it-up-to-RPM.patch Normal file
View File

@ -0,0 +1,41 @@
From f6588061b85c5b6862ff424fbdab2dc29266c506 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 5 May 2022 20:06:51 +0200
Subject: [PATCH 21/39] If the config is not modified, leave it up to RPM
Neither of the inhibitor are useful if the configuration file was not
modified and the upgrade of the file will be handled by RPM, keeping the
root logins enabled by pulling the new configuration file from new
package.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
.../actors/opensshpermitrootlogincheck/actor.py | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
index f7ee61da..ae3b4586 100644
--- a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
+++ b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
@@ -55,10 +55,15 @@ class OpenSshPermitRootLoginCheck(Actor):
.format(get_source_major_version()))
def process7to8(self, config):
- # When the configuration does not contain the PermitRootLogin directive and
+ # when the config was not modified, we can pass this check and let the
+ # rpm handle the configuration file update
+ if not config.modified:
+ return
+
+ # When the configuration does not contain *any* PermitRootLogin directive and
# the configuration file was locally modified, it will not get updated by
- # RPM and the user might be locked away from the server. Warn the user here.
- if not config.permit_root_login and config.modified:
+ # RPM and the user might be locked away from the server with new default
+ if not config.permit_root_login:
create_report([
reporting.Title('Possible problems with remote login using root account'),
reporting.Summary(
--
2.35.3

43
SOURCES/0022-Improve-remediation-do-not-trigger-second-inhibitor.patch Normal file
View File

@ -0,0 +1,43 @@
From 32605051864e5e7ba16e7582d1a75459c826ef59 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 5 May 2022 20:08:59 +0200
Subject: [PATCH 22/39] Improve remediation, do not trigger second inhibitor
In the past, both of the inhibitors were triggered when the
configuration file did not contain any PermitRootLogin configuration
option. But this really does not make any sense to report the second
inhibitor if the first one is already raised.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
.../actors/opensshpermitrootlogincheck/actor.py | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
index ae3b4586..4cc4cbc2 100644
--- a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
+++ b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
@@ -74,13 +74,16 @@ class OpenSshPermitRootLoginCheck(Actor):
reporting.Severity(reporting.Severity.HIGH),
reporting.Tags(COMMON_REPORT_TAGS),
reporting.Remediation(
- hint='If you depend on remote root logins using '
- 'passwords, consider setting up a different '
- 'user for remote administration or adding '
- '"PermitRootLogin yes" to sshd_config.'
+ hint='If you depend on remote root logins using passwords, consider '
+ 'setting up a different user for remote administration or adding '
+ '"PermitRootLogin yes" to sshd_config. '
+ 'If this change is ok for you, add explicit '
+ '"PermitRootLogin prohibit-password" to your sshd_config '
+ 'to ignore this inhibitor'
),
reporting.Flags([reporting.Flags.INHIBITOR])
] + COMMON_RESOURCES)
+ return
# Check if there is at least one PermitRootLogin other than "no"
# in match blocks (other than Match All).
--
2.35.3

77
SOURCES/0023-Add-doc-strings-and-improve-code-readability.patch Normal file
View File

@ -0,0 +1,77 @@
From 5862f8b67f02fad30ec6a067318c876b4dba396f Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 5 May 2022 20:09:50 +0200
Subject: [PATCH 23/39] Add doc strings and improve code readability
The original code was quite confusing. This reuses the global_value
function and checks for the only rare corner case we want to consider
allowing without inhibiting the upgrade.
The test coverage is still passing with the new code.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
.../libraries/opensshpermitrootlogincheck.py | 40 ++++++++++++++-----
1 file changed, 30 insertions(+), 10 deletions(-)
diff --git a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py
index d247b220..c2237571 100644
--- a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py
+++ b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py
@@ -1,4 +1,11 @@
def global_value(config, default):
+ """
+ Find the global value for PermitRootLogin option in sshd_config.
+
+ OpenSSH is using the first value found in configuration file, that is not
+ in match block other than "all". If there is no such option, the argument
+ "default" will be returned.
+ """
for opt in config.permit_root_login:
if (opt.in_match is None or opt.in_match[0].lower() == 'all'):
return opt.value
@@ -6,18 +13,31 @@ def global_value(config, default):
def semantics_changes(config):
- globally_enabled = False
- in_match_disabled = False
+ """
+ Check if the current configuration changes semantics if upgraded from RHEL7 to RHEL8
+
+ The case where the configuration does not contain *any* PermitRootLogin option is
+ already covered in the actor and does not need to be handled here.
+
+ This tries to capture the case, where the root login is enabled in at least one
+ match block. The global default changes so the new configurations will not allow
+ all password root logins, but there is at least some chance to access the system as
+ root with password.
+
+ Examples:
+ * If the root login is globally set (enabled or disabled), the semantics stays the same.
+ * If the root login is enabled only in match blocks, the semantics changes, but the
+ machine stays accessible at least for clients matching this block.
+
+ """
+ config_global_value = global_value(config, None)
+ in_match_enabled = False
if not config.permit_root_login:
return True
for opt in config.permit_root_login:
- if opt.value != "yes" and opt.in_match is not None \
- and opt.in_match[0].lower() != 'all':
- in_match_disabled = True
-
- if opt.value == "yes" and (opt.in_match is None or
- opt.in_match[0].lower() == 'all'):
- globally_enabled = True
+ if opt.value == "yes" and opt.in_match is not None and \
+ opt.in_match[0].lower() != 'all':
+ in_match_enabled = True
- return not globally_enabled and in_match_disabled
+ return config_global_value is None and not in_match_enabled
--
2.35.3

33
SOURCES/0024-Pass-enable-root-auth-post-install-script.patch Normal file
View File

@ -0,0 +1,33 @@
From 2bc5a6822b9854eba001df435832a4d240cfe641 Mon Sep 17 00:00:00 2001
From: Inessa Vasilevskaya <ivasilev@redhat.com>
Date: Thu, 28 Apr 2022 11:40:07 +0200
Subject: [PATCH 24/39] Pass enable root auth post-install-script
This should allow root auth on every guest, even those that
don't have it enabled by default.
OAMG-6748
---
.github/workflows/tmt-tests.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/tmt-tests.yml b/.github/workflows/tmt-tests.yml
index 75768e51..2b10571d 100644
--- a/.github/workflows/tmt-tests.yml
+++ b/.github/workflows/tmt-tests.yml
@@ -166,6 +166,7 @@ jobs:
# preparation moved out to a different workflow and the rest split into 2 workflows - 7to8 and 8to9 that are
# triggered on a specific repository dispatch event.
update_pull_request_status: 'false'
+ environment_settings: '{"provisioning": {"post_install_script": "#!/bin/sh\nsudo sed -i s/.*ssh-rsa/ssh-rsa/ /root/.ssh/authorized_keys"}}'
- name: Schedule regression testing for 8to9
id: run_test_8to9
@@ -194,3 +195,4 @@ jobs:
# preparation moved out to a different workflow and the rest split into 2 workflows - 7to8 and 8to9 that are
# triggered on a specific repository dispatch event.
update_pull_request_status: 'false'
+ environment_settings: '{"provisioning": {"post_install_script": "#!/bin/sh\nsudo sed -i s/.*ssh-rsa/ssh-rsa/ /root/.ssh/authorized_keys"}}'
--
2.35.3

36
SOURCES/0025-Pin-version-to-1.2.10.patch Normal file
View File

@ -0,0 +1,36 @@
From 85e0cea9d871be12e29c05dcbb485b051325ff98 Mon Sep 17 00:00:00 2001
From: Inessa Vasilevskaya <ivasilev@redhat.com>
Date: Thu, 28 Apr 2022 14:02:27 +0200
Subject: [PATCH 25/39] Pin version to 1.2.10
This version of tft github action should have the support for
environment_settings parameter.
---
.github/workflows/tmt-tests.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/tmt-tests.yml b/.github/workflows/tmt-tests.yml
index 2b10571d..24334978 100644
--- a/.github/workflows/tmt-tests.yml
+++ b/.github/workflows/tmt-tests.yml
@@ -144,7 +144,7 @@ jobs:
id: run_test_7to8
env:
ARTIFACTS: ${{ steps.leapp_pr_regex_match.outputs.match != '' && format('{0};{1}', steps.copr_build_leapp.outputs.copr_id, steps.copr_build.outputs.copr_id) || steps.copr_build.outputs.copr_id }}
- uses: sclorg/testing-farm-as-github-action@v1.2.9
+ uses: sclorg/testing-farm-as-github-action@v1.2.10
with:
# required
api_url: ${{ secrets.TF_ENDPOINT }}
@@ -172,7 +172,7 @@ jobs:
id: run_test_8to9
env:
ARTIFACTS: ${{ steps.leapp_pr_regex_match.outputs.match != '' && format('{0};{1}', steps.copr_build_leapp.outputs.copr_id, steps.copr_build.outputs.copr_id) || steps.copr_build.outputs.copr_id }}
- uses: sclorg/testing-farm-as-github-action@v1.2.9
+ uses: sclorg/testing-farm-as-github-action@v1.2.10
with:
# required
api_url: ${{ secrets.TF_ENDPOINT }}
--
2.35.3

168
SOURCES/0026-Drop-the-checkcpu-actor-from-the-el8toel9-repo.patch Normal file
View File

@ -0,0 +1,168 @@
From f5adf078b700d60e5863e03cb71401e546789f2f Mon Sep 17 00:00:00 2001
From: Petr Stodulka <pstodulk@redhat.com>
Date: Wed, 18 May 2022 10:34:36 +0200
Subject: [PATCH 26/39] Drop the checkcpu actor from the el8toel9 repo
The actor has been supposed to be removed a time ago already
as this functionality is handled in generic way by
common/actors/checkdetecteddevicesanddrivers
As this actor still exists it breaks the expectation the CPU check
is driven by the `device_driver_deprecation_data.json` file. Regarding
that, we cannot dynamically react to changes around supported CPUs
on s390x (IBM Z) architecture for IPU 8 -> 9.
This relates to BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2087664
The bz is reported for IPU 7 -> 8, however the problem is on IPU 8 -> 9
as well and we cannot handle via data files due to this actor.
So dropping it.
---
.../el8toel9/actors/checkcpu/actor.py | 23 --------
.../el8toel9/actors/checkcpu/libraries/cpu.py | 41 -------------
.../actors/checkcpu/tests/test_checkcpu.py | 57 -------------------
3 files changed, 121 deletions(-)
delete mode 100644 repos/system_upgrade/el8toel9/actors/checkcpu/actor.py
delete mode 100644 repos/system_upgrade/el8toel9/actors/checkcpu/libraries/cpu.py
delete mode 100644 repos/system_upgrade/el8toel9/actors/checkcpu/tests/test_checkcpu.py
diff --git a/repos/system_upgrade/el8toel9/actors/checkcpu/actor.py b/repos/system_upgrade/el8toel9/actors/checkcpu/actor.py
deleted file mode 100644
index 7b61bd34..00000000
--- a/repos/system_upgrade/el8toel9/actors/checkcpu/actor.py
+++ /dev/null
@@ -1,23 +0,0 @@
-from leapp.actors import Actor
-from leapp.libraries.actor import cpu
-from leapp.models import CPUInfo, Report
-from leapp.tags import ChecksPhaseTag, IPUWorkflowTag
-
-
-class CheckCPU(Actor):
- """
- Check whether the CPU is supported by the target system. Inhibit upgrade if not.
-
- Currently we know just about cases with s390x where the set of CPUs supported
- by RHEL 9 is subset of CPUs supported on RHEL 8. We can detect such cases based
- on the machine field inside the /proc/cpuinfo file. expected values of the
- field on supported machines are: 3906, 3907, 8561, 8562.
- """
-
- name = "checkcpu"
- consumes = (CPUInfo,)
- produces = (Report,)
- tags = (ChecksPhaseTag, IPUWorkflowTag,)
-
- def process(self):
- cpu.process()
diff --git a/repos/system_upgrade/el8toel9/actors/checkcpu/libraries/cpu.py b/repos/system_upgrade/el8toel9/actors/checkcpu/libraries/cpu.py
deleted file mode 100644
index 79682247..00000000
--- a/repos/system_upgrade/el8toel9/actors/checkcpu/libraries/cpu.py
+++ /dev/null
@@ -1,41 +0,0 @@
-
-from leapp import reporting
-from leapp.exceptions import StopActorExecutionError
-from leapp.libraries.common.config import architecture
-from leapp.libraries.stdlib import api
-from leapp.models import CPUInfo
-
-SUPPORTED_MACHINE_TYPES = [3906, 3907, 8561, 8562]
-
-
-def process():
- if not architecture.matches_architecture(architecture.ARCH_S390X):
- return
- cpuinfo = next(api.consume(CPUInfo), None)
- if cpuinfo is None:
- raise StopActorExecutionError(message=("Missing information about CPU."))
-
- if not cpuinfo.machine_type:
- # this is not expected to happen, but in case...
- api.current_logger().warning("The machine (CPU) type is empty.")
-
- if cpuinfo.machine_type not in SUPPORTED_MACHINE_TYPES:
- summary = ("The system is not possible to upgrade because of unsupported"
- " type of the processor. Based on the official documentation,"
- " z14 and z15 processors are supported on the Red Hat Enterprise"
- " Linux 9 system for the IBM Z architecture. The supported processors"
- " have machine types {}. The detected machine type of the CPU is '{}'."
- .format(", ".join([str(i) for i in SUPPORTED_MACHINE_TYPES]), cpuinfo.machine_type))
- report = [
- reporting.Title("The processor is not supported by the target system."),
- reporting.Summary(summary),
- reporting.Severity(reporting.Severity.HIGH),
- reporting.Tags([reporting.Tags.SANITY]),
- reporting.Flags([reporting.Flags.INHIBITOR]),
- reporting.ExternalLink(
- title="Considerations in adopting RHEL 8",
- url=("https://access.redhat.com/ecosystem/hardware/#/search?p=1&"
- "c_version=Red%20Hat%20Enterprise%20Linux%208&ch_architecture=s390x"))
- ]
- # FIXME(dhorak): update the URL to the document once it exists
- reporting.create_report(report)
diff --git a/repos/system_upgrade/el8toel9/actors/checkcpu/tests/test_checkcpu.py b/repos/system_upgrade/el8toel9/actors/checkcpu/tests/test_checkcpu.py
deleted file mode 100644
index 9cb11986..00000000
--- a/repos/system_upgrade/el8toel9/actors/checkcpu/tests/test_checkcpu.py
+++ /dev/null
@@ -1,57 +0,0 @@
-import logging
-
-import pytest
-
-from leapp import reporting
-from leapp.exceptions import StopActorExecutionError
-from leapp.libraries.actor import cpu
-from leapp.libraries.common import testutils
-from leapp.libraries.common.config import architecture
-from leapp.libraries.common.testutils import CurrentActorMocked
-from leapp.libraries.stdlib import api
-from leapp.models import CPUInfo
-
-
-def test_non_ibmz_arch(monkeypatch):
- monkeypatch.setattr(api, 'current_actor', CurrentActorMocked(architecture.ARCH_X86_64))
- monkeypatch.setattr(reporting, "create_report", testutils.create_report_mocked())
- cpu.process()
- assert not reporting.create_report.called
-
-
-def test_ibmz_arch_missing_cpuinfo(monkeypatch):
- monkeypatch.setattr(api, 'current_actor', CurrentActorMocked(architecture.ARCH_S390X))
- monkeypatch.setattr(reporting, "create_report", testutils.create_report_mocked())
- monkeypatch.setattr(api, 'consume', lambda x: iter([]))
- with pytest.raises(StopActorExecutionError):
- cpu.process()
- assert not reporting.create_report.called
-
-
-def test_ibmz_cpu_supported(monkeypatch):
- monkeypatch.setattr(api, 'current_actor', CurrentActorMocked(architecture.ARCH_S390X))
- monkeypatch.setattr(reporting, "create_report", testutils.create_report_mocked())
- for sup_arch in cpu.SUPPORTED_MACHINE_TYPES:
- monkeypatch.setattr(api, 'consume', lambda x: iter([CPUInfo(machine_type=sup_arch)]))
- cpu.process()
- assert not reporting.create_report.called
-
-
-def test_ibmz_cpu_unsupported(monkeypatch):
- title_msg = 'The processor is not supported by the target system.'
- monkeypatch.setattr(api, 'current_actor', CurrentActorMocked(architecture.ARCH_S390X))
- monkeypatch.setattr(api, 'consume', lambda x: iter([CPUInfo(machine_type=666)]))
- monkeypatch.setattr(reporting, "create_report", testutils.create_report_mocked())
- cpu.process()
- assert reporting.create_report.called
- assert title_msg == reporting.create_report.report_fields['title']
- assert reporting.Flags.INHIBITOR in reporting.create_report.report_fields['flags']
-
-
-def test_ibmz_cpu_is_empty(monkeypatch, caplog):
- monkeypatch.setattr(api, 'current_actor', CurrentActorMocked(architecture.ARCH_S390X))
- monkeypatch.setattr(reporting, "create_report", testutils.create_report_mocked())
- monkeypatch.setattr(api, 'consume', lambda x: iter([CPUInfo(machine_type=None)]))
- with caplog.at_level(logging.DEBUG):
- cpu.process()
- assert 'The machine (CPU) type is empty.' in caplog.text
--
2.35.3

51
SOURCES/0027-BZ-2087144-do-not-enable-Ansible-repository-when-upg.patch Normal file
View File

@ -0,0 +1,51 @@
From ce02fa83a2f3cff089133ed9bb05dbdd6755132d Mon Sep 17 00:00:00 2001
From: Evgeni Golov <evgeni@golov.de>
Date: Tue, 17 May 2022 15:01:23 +0200
Subject: [PATCH 27/39] BZ#2087144 - do not enable Ansible repository when
upgrading Satellite
Having it enabled, confuses the upgrade as there is now also
ansible-core in RHEL 8.6 and we need to upgrade to that instead of
legacy Ansible from the dedicated repository.
---
.../el7toel8/actors/satellite_upgrade_facts/actor.py | 3 +--
.../tests/unit_test_satellite_upgrade_facts.py | 2 --
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/actor.py b/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/actor.py
index fb83107e..12c0fa53 100644
--- a/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/actor.py
+++ b/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/actor.py
@@ -129,8 +129,7 @@ class SatelliteUpgradeFacts(Actor):
modules_to_enable=modules_to_enable
)
)
- repositories_to_enable = ['ansible-2.9-for-rhel-8-x86_64-rpms',
- 'satellite-maintenance-6.11-for-rhel-8-x86_64-rpms']
+ repositories_to_enable = ['satellite-maintenance-6.11-for-rhel-8-x86_64-rpms']
if has_package(InstalledRPM, 'foreman'):
repositories_to_enable.append('satellite-6.11-for-rhel-8-x86_64-rpms')
else:
diff --git a/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/tests/unit_test_satellite_upgrade_facts.py b/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/tests/unit_test_satellite_upgrade_facts.py
index e77b7b58..28b9f44b 100644
--- a/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/tests/unit_test_satellite_upgrade_facts.py
+++ b/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/tests/unit_test_satellite_upgrade_facts.py
@@ -103,7 +103,6 @@ def test_enables_right_repositories_on_satellite(current_actor_context):
rpmmessage = current_actor_context.consume(RepositoriesSetupTasks)[0]
- assert 'ansible-2.9-for-rhel-8-x86_64-rpms' in rpmmessage.to_enable
assert 'satellite-maintenance-6.11-for-rhel-8-x86_64-rpms' in rpmmessage.to_enable
assert 'satellite-6.11-for-rhel-8-x86_64-rpms' in rpmmessage.to_enable
assert 'satellite-capsule-6.11-for-rhel-8-x86_64-rpms' not in rpmmessage.to_enable
@@ -115,7 +114,6 @@ def test_enables_right_repositories_on_capsule(current_actor_context):
rpmmessage = current_actor_context.consume(RepositoriesSetupTasks)[0]
- assert 'ansible-2.9-for-rhel-8-x86_64-rpms' in rpmmessage.to_enable
assert 'satellite-maintenance-6.11-for-rhel-8-x86_64-rpms' in rpmmessage.to_enable
assert 'satellite-6.11-for-rhel-8-x86_64-rpms' not in rpmmessage.to_enable
assert 'satellite-capsule-6.11-for-rhel-8-x86_64-rpms' in rpmmessage.to_enable
--
2.35.3

135
SOURCES/0028-call-Satellite-installer-with-disable-system-checks-.patch Normal file
View File

@ -0,0 +1,135 @@
From f858a2a87edc602c976342e22538bf44249f9d1e Mon Sep 17 00:00:00 2001
From: Evgeni Golov <evgeni@golov.de>
Date: Mon, 4 Apr 2022 09:10:45 +0200
Subject: [PATCH 28/39] call Satellite installer with --disable-system-checks
if possible
The installer has a set of checks to verify whether the current system
is suitable for running Satellite. The administrator of the system can
choose to ignore those checks with `--disable-system-checks`.
As the installer invocation inside LEAPP is non-interactive, we should
err on the side of not running checks, so that the upgrade doesn't abort
in the case where the administrator has chosen to ignore the warnings.
This is in line with other non-interactive invocations of the installer
that other tools (like foreman-maintain) do.
The "if katello installer" logic is needed, as the checks and the cli
parameter is only present in Katello installations, not plain Foreman.
---
.../actors/satellite_upgrade_facts/actor.py | 3 +++
.../tests/unit_test_satellite_upgrade_facts.py | 15 +++++++++++++++
.../el7toel8/actors/satellite_upgrader/actor.py | 6 +++++-
.../tests/unit_test_satellite_upgrader.py | 11 +++++++++++
repos/system_upgrade/el7toel8/models/satellite.py | 2 ++
5 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/actor.py b/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/actor.py
index 12c0fa53..c837b449 100644
--- a/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/actor.py
+++ b/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/actor.py
@@ -32,6 +32,8 @@ class SatelliteUpgradeFacts(Actor):
if not has_foreman:
return
+ has_katello_installer = has_package(InstalledRPM, 'foreman-installer-katello')
+
local_postgresql = has_package(InstalledRPM, 'rh-postgresql12-postgresql-server')
postgresql_contrib = has_package(InstalledRPM, 'rh-postgresql12-postgresql-contrib')
postgresql_evr = has_package(InstalledRPM, 'rh-postgresql12-postgresql-evr')
@@ -114,6 +116,7 @@ class SatelliteUpgradeFacts(Actor):
self.produce(SatelliteFacts(
has_foreman=has_foreman,
+ has_katello_installer=has_katello_installer,
postgresql=SatellitePostgresqlFacts(
local_postgresql=local_postgresql,
old_var_lib_pgsql_data=old_pgsql_data,
diff --git a/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/tests/unit_test_satellite_upgrade_facts.py b/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/tests/unit_test_satellite_upgrade_facts.py
index 28b9f44b..fceda925 100644
--- a/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/tests/unit_test_satellite_upgrade_facts.py
+++ b/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/tests/unit_test_satellite_upgrade_facts.py
@@ -21,6 +21,7 @@ def fake_package(pkg_name):
FOREMAN_RPM = fake_package('foreman')
FOREMAN_PROXY_RPM = fake_package('foreman-proxy')
+KATELLO_INSTALLER_RPM = fake_package('foreman-installer-katello')
KATELLO_RPM = fake_package('katello')
POSTGRESQL_RPM = fake_package('rh-postgresql12-postgresql-server')
@@ -46,6 +47,20 @@ def test_satellite_capsule_present(current_actor_context):
assert message.has_foreman
+def test_no_katello_installer_present(current_actor_context):
+ current_actor_context.feed(InstalledRPM(items=[FOREMAN_RPM]))
+ current_actor_context.run()
+ message = current_actor_context.consume(SatelliteFacts)[0]
+ assert not message.has_katello_installer
+
+
+def test_katello_installer_present(current_actor_context):
+ current_actor_context.feed(InstalledRPM(items=[FOREMAN_RPM, KATELLO_INSTALLER_RPM]))
+ current_actor_context.run()
+ message = current_actor_context.consume(SatelliteFacts)[0]
+ assert message.has_katello_installer
+
+
def test_enables_ruby_module(current_actor_context):
current_actor_context.feed(InstalledRPM(items=[FOREMAN_RPM]))
current_actor_context.run()
diff --git a/repos/system_upgrade/el7toel8/actors/satellite_upgrader/actor.py b/repos/system_upgrade/el7toel8/actors/satellite_upgrader/actor.py
index 28d5edd9..bd1a5d68 100644
--- a/repos/system_upgrade/el7toel8/actors/satellite_upgrader/actor.py
+++ b/repos/system_upgrade/el7toel8/actors/satellite_upgrader/actor.py
@@ -19,9 +19,13 @@ class SatelliteUpgrader(Actor):
if not facts or not facts.has_foreman:
return
+ installer_cmd = ['foreman-installer']
+ if facts.has_katello_installer:
+ installer_cmd.append('--disable-system-checks')
+
api.current_actor().show_message('Running the installer. This can take a while.')
try:
- run(['foreman-installer'])
+ run(installer_cmd)
except OSError as e:
api.current_logger().error('Failed to run `foreman-installer`: {}'.format(str(e)))
except CalledProcessError:
diff --git a/repos/system_upgrade/el7toel8/actors/satellite_upgrader/tests/unit_test_satellite_upgrader.py b/repos/system_upgrade/el7toel8/actors/satellite_upgrader/tests/unit_test_satellite_upgrader.py
index 886d6879..d62815ca 100644
--- a/repos/system_upgrade/el7toel8/actors/satellite_upgrader/tests/unit_test_satellite_upgrader.py
+++ b/repos/system_upgrade/el7toel8/actors/satellite_upgrader/tests/unit_test_satellite_upgrader.py
@@ -21,4 +21,15 @@ def test_run_installer(monkeypatch, current_actor_context):
current_actor_context.run()
assert mocked_run.commands
assert len(mocked_run.commands) == 1
+ assert mocked_run.commands[0] == ['foreman-installer', '--disable-system-checks']
+
+
+def test_run_installer_without_katello(monkeypatch, current_actor_context):
+ mocked_run = MockedRun()
+ monkeypatch.setattr('leapp.libraries.stdlib.run', mocked_run)
+ current_actor_context.feed(SatelliteFacts(has_foreman=True, has_katello_installer=False,
+ postgresql=SatellitePostgresqlFacts()))
+ current_actor_context.run()
+ assert mocked_run.commands
+ assert len(mocked_run.commands) == 1
assert mocked_run.commands[0] == ['foreman-installer']
diff --git a/repos/system_upgrade/el7toel8/models/satellite.py b/repos/system_upgrade/el7toel8/models/satellite.py
index 9f962c7f..b4282790 100644
--- a/repos/system_upgrade/el7toel8/models/satellite.py
+++ b/repos/system_upgrade/el7toel8/models/satellite.py
@@ -22,5 +22,7 @@ class SatelliteFacts(Model):
has_foreman = fields.Boolean(default=False)
"""Whether or not foreman is installed on this system"""
+ has_katello_installer = fields.Boolean(default=True)
+ """Whether or not the installer supports Katello additions"""
postgresql = fields.Model(SatellitePostgresqlFacts)
""" Foreman related PostgreSQL facts """
--
2.35.3

84
SOURCES/0029-Allow-specifying-report-schema-1.2.0.patch Normal file
View File

@ -0,0 +1,84 @@
From 87048e486fd7b89609907fce9732d525932f0912 Mon Sep 17 00:00:00 2001
From: Inessa Vasilevskaya <ivasilev@redhat.com>
Date: Fri, 1 Apr 2022 12:40:02 +0200
Subject: [PATCH 29/39] Allow specifying --report-schema 1.2.0
This version will display actors' tags and flags as
groups in the final leapp report.
OAMG-1429
---
commands/preupgrade/__init__.py | 7 ++++---
commands/upgrade/__init__.py | 7 ++++---
commands/upgrade/util.py | 8 --------
3 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/commands/preupgrade/__init__.py b/commands/preupgrade/__init__.py
index 46812b36..be2c7be8 100644
--- a/commands/preupgrade/__init__.py
+++ b/commands/preupgrade/__init__.py
@@ -27,8 +27,8 @@ from leapp.utils.output import beautify_actor_exception, report_errors, report_i
@command_opt('target', choices=command_utils.get_supported_target_versions(),
help='Specify RHEL version to upgrade to for {} detected upgrade flavour'.format(
command_utils.get_upgrade_flavour()))
-@command_opt('report-schema', help='Specify report schema version for leapp-report.json', choices=['1.0.0', '1.1.0'],
- default=get_config().get('report', 'schema'))
+@command_opt('report-schema', help='Specify report schema version for leapp-report.json',
+ choices=['1.0.0', '1.1.0', '1.2.0'], default=get_config().get('report', 'schema'))
@breadcrumbs.produces_breadcrumbs
def preupgrade(args, breadcrumbs):
util.disable_database_sync()
@@ -38,7 +38,8 @@ def preupgrade(args, breadcrumbs):
configuration = util.prepare_configuration(args)
answerfile_path = cfg.get('report', 'answerfile')
userchoices_path = cfg.get('report', 'userchoices')
- report_schema = util.process_report_schema(args, cfg)
+ # NOTE(ivasilev) argparse choices and defaults in enough for validation
+ report_schema = args.report_schema
if os.getuid():
raise CommandError('This command has to be run under the root user.')
diff --git a/commands/upgrade/__init__.py b/commands/upgrade/__init__.py
index b64e4d77..39bfd525 100644
--- a/commands/upgrade/__init__.py
+++ b/commands/upgrade/__init__.py
@@ -33,8 +33,8 @@ from leapp.utils.output import beautify_actor_exception, report_errors, report_i
@command_opt('target', choices=command_utils.get_supported_target_versions(),
help='Specify RHEL version to upgrade to for {} detected upgrade flavour'.format(
command_utils.get_upgrade_flavour()))
-@command_opt('report-schema', help='Specify report schema version for leapp-report.json', choices=['1.0.0', '1.1.0'],
- default=get_config().get('report', 'schema'))
+@command_opt('report-schema', help='Specify report schema version for leapp-report.json',
+ choices=['1.0.0', '1.1.0', '1.2.0'], default=get_config().get('report', 'schema'))
@breadcrumbs.produces_breadcrumbs
def upgrade(args, breadcrumbs):
skip_phases_until = None
@@ -49,7 +49,8 @@ def upgrade(args, breadcrumbs):
only_with_tags = args.only_with_tags if 'only_with_tags' in args else None
resume_context = args.resume_context if 'resume_context' in args else None
- report_schema = util.process_report_schema(args, cfg)
+ # NOTE(ivasilev) argparse choices and defaults in enough for validation
+ report_schema = args.report_schema
if os.getuid():
raise CommandError('This command has to be run under the root user.')
diff --git a/commands/upgrade/util.py b/commands/upgrade/util.py
index 22466ab7..ce0b5433 100644
--- a/commands/upgrade/util.py
+++ b/commands/upgrade/util.py
@@ -228,11 +228,3 @@ def process_whitelist_experimental(repositories, workflow, configuration, logger
if logger:
logger.error(msg)
raise CommandError(msg)
-
-
-def process_report_schema(args, configuration):
- default_report_schema = configuration.get('report', 'schema')
- if args.report_schema and args.report_schema > default_report_schema:
- raise CommandError('--report-schema version can not be greater that the '
- 'actual {} one.'.format(default_report_schema))
- return args.report_schema or default_report_schema
--
2.35.3

113
SOURCES/0030-restrict-Satellite-upgrades-to-x86_64.patch Normal file
View File

@ -0,0 +1,113 @@
From d239a9f64462c7af8aa1d4c9e3484ac647054a4c Mon Sep 17 00:00:00 2001
From: Evgeni Golov <evgeni@golov.de>
Date: Fri, 8 Apr 2022 09:15:52 +0200
Subject: [PATCH 30/39] restrict Satellite upgrades to x86_64
---
.../actors/satellite_upgrade_facts/actor.py | 4 ++++
.../unit_test_satellite_upgrade_facts.py | 22 +++++++++++++------
2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/actor.py b/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/actor.py
index c837b449..8b1f5625 100644
--- a/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/actor.py
+++ b/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/actor.py
@@ -1,6 +1,7 @@
import os
from leapp.actors import Actor
+from leapp.libraries.common.config import architecture
from leapp.libraries.common.rpms import has_package
from leapp.libraries.stdlib import run
from leapp.models import (
@@ -28,6 +29,9 @@ class SatelliteUpgradeFacts(Actor):
tags = (IPUWorkflowTag, FactsPhaseTag)
def process(self):
+ if not architecture.matches_architecture(architecture.ARCH_X86_64):
+ return
+
has_foreman = has_package(InstalledRPM, 'foreman') or has_package(InstalledRPM, 'foreman-proxy')
if not has_foreman:
return
diff --git a/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/tests/unit_test_satellite_upgrade_facts.py b/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/tests/unit_test_satellite_upgrade_facts.py
index fceda925..0b6f6c1d 100644
--- a/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/tests/unit_test_satellite_upgrade_facts.py
+++ b/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/tests/unit_test_satellite_upgrade_facts.py
@@ -1,5 +1,6 @@
import os
+from leapp.libraries.common.config import mock_configs
from leapp.models import (
DNFWorkaround,
InstalledRPM,
@@ -28,21 +29,28 @@ POSTGRESQL_RPM = fake_package('rh-postgresql12-postgresql-server')
def test_no_satellite_present(current_actor_context):
current_actor_context.feed(InstalledRPM(items=[]))
- current_actor_context.run()
+ current_actor_context.run(config_model=mock_configs.CONFIG)
message = current_actor_context.consume(SatelliteFacts)
assert not message
def test_satellite_present(current_actor_context):
current_actor_context.feed(InstalledRPM(items=[FOREMAN_RPM]))
- current_actor_context.run()
+ current_actor_context.run(config_model=mock_configs.CONFIG)
message = current_actor_context.consume(SatelliteFacts)[0]
assert message.has_foreman
+def test_wrong_arch(current_actor_context):
+ current_actor_context.feed(InstalledRPM(items=[FOREMAN_RPM]))
+ current_actor_context.run(config_model=mock_configs.CONFIG_S390X)
+ message = current_actor_context.consume(SatelliteFacts)
+ assert not message
+
+
def test_satellite_capsule_present(current_actor_context):
current_actor_context.feed(InstalledRPM(items=[FOREMAN_PROXY_RPM]))
- current_actor_context.run()
+ current_actor_context.run(config_model=mock_configs.CONFIG)
message = current_actor_context.consume(SatelliteFacts)[0]
assert message.has_foreman
@@ -63,14 +71,14 @@ def test_katello_installer_present(current_actor_context):
def test_enables_ruby_module(current_actor_context):
current_actor_context.feed(InstalledRPM(items=[FOREMAN_RPM]))
- current_actor_context.run()
+ current_actor_context.run(config_model=mock_configs.CONFIG)
message = current_actor_context.consume(RpmTransactionTasks)[0]
assert Module(name='ruby', stream='2.7') in message.modules_to_enable
def test_enables_pki_modules(current_actor_context):
current_actor_context.feed(InstalledRPM(items=[FOREMAN_RPM, KATELLO_RPM]))
- current_actor_context.run()
+ current_actor_context.run(config_model=mock_configs.CONFIG)
message = current_actor_context.consume(RpmTransactionTasks)[0]
assert Module(name='pki-core', stream='10.6') in message.modules_to_enable
assert Module(name='pki-deps', stream='10.6') in message.modules_to_enable
@@ -88,7 +96,7 @@ def test_detects_local_postgresql(monkeypatch, current_actor_context):
monkeypatch.setattr("os.stat", mock_stat())
current_actor_context.feed(InstalledRPM(items=[FOREMAN_RPM, POSTGRESQL_RPM]))
- current_actor_context.run()
+ current_actor_context.run(config_model=mock_configs.CONFIG)
rpmmessage = current_actor_context.consume(RpmTransactionTasks)[0]
assert Module(name='postgresql', stream='12') in rpmmessage.modules_to_enable
@@ -101,7 +109,7 @@ def test_detects_local_postgresql(monkeypatch, current_actor_context):
def test_detects_remote_postgresql(current_actor_context):
current_actor_context.feed(InstalledRPM(items=[FOREMAN_RPM]))
- current_actor_context.run()
+ current_actor_context.run(config_model=mock_configs.CONFIG)
rpmmessage = current_actor_context.consume(RpmTransactionTasks)[0]
assert Module(name='postgresql', stream='12') not in rpmmessage.modules_to_enable
--
2.35.3

30
SOURCES/0031-Add-missing-documentation-link-to-the-SFTP-deprecati.patch Normal file
View File

@ -0,0 +1,30 @@
From ef967d029a8d3724d187ca4cd558bf4f52f8a295 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 18 May 2022 12:26:57 +0200
Subject: [PATCH 31/39] Add missing documentation link to the SFTP deprecation
Related: #863
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
.../opensshsubsystemsftp/libraries/opensshsubsystemsftp.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py
index b60c08ca..20af2b39 100644
--- a/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py
+++ b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py
@@ -24,7 +24,10 @@ def process(openssh_messages):
title="SCP support in RHEL",
url="https://access.redhat.com/articles/5284081",
),
- # TODO provide a link to documentation or blog post
+ reporting.ExternalLink(
+ title="OpenSSH SCP deprecation in RHEL 9: What you need to know ",
+ url="https://www.redhat.com/en/blog/openssh-scp-deprecation-rhel-9-what-you-need-know",
+ ),
]
reporting.create_report([
reporting.Title('OpenSSH configured without SFTP subsystem'),
--
2.35.3

53
SOURCES/0032-Fix-satellite-actor-due-to-some-oversight-of-a-missi.patch Normal file
View File

@ -0,0 +1,53 @@
From 2d41d5f9186b642396bbad57ce7e11ebbdf1c52c Mon Sep 17 00:00:00 2001
From: Vinzenz Feenstra <vfeenstr@redhat.com>
Date: Thu, 19 May 2022 13:05:03 +0200
Subject: [PATCH 32/39] Fix satellite actor due to some oversight of a missing
parameter
Signed-off-by: Vinzenz Feenstra <vfeenstr@redhat.com>
---
.../tests/unit_test_satellite_upgrade_facts.py | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/tests/unit_test_satellite_upgrade_facts.py b/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/tests/unit_test_satellite_upgrade_facts.py
index 0b6f6c1d..e70554a4 100644
--- a/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/tests/unit_test_satellite_upgrade_facts.py
+++ b/repos/system_upgrade/el7toel8/actors/satellite_upgrade_facts/tests/unit_test_satellite_upgrade_facts.py
@@ -57,14 +57,14 @@ def test_satellite_capsule_present(current_actor_context):
def test_no_katello_installer_present(current_actor_context):
current_actor_context.feed(InstalledRPM(items=[FOREMAN_RPM]))
- current_actor_context.run()
+ current_actor_context.run(config_model=mock_configs.CONFIG)
message = current_actor_context.consume(SatelliteFacts)[0]
assert not message.has_katello_installer
def test_katello_installer_present(current_actor_context):
current_actor_context.feed(InstalledRPM(items=[FOREMAN_RPM, KATELLO_INSTALLER_RPM]))
- current_actor_context.run()
+ current_actor_context.run(config_model=mock_configs.CONFIG)
message = current_actor_context.consume(SatelliteFacts)[0]
assert message.has_katello_installer
@@ -122,7 +122,7 @@ def test_detects_remote_postgresql(current_actor_context):
def test_enables_right_repositories_on_satellite(current_actor_context):
current_actor_context.feed(InstalledRPM(items=[FOREMAN_RPM]))
- current_actor_context.run()
+ current_actor_context.run(config_model=mock_configs.CONFIG)
rpmmessage = current_actor_context.consume(RepositoriesSetupTasks)[0]
@@ -133,7 +133,7 @@ def test_enables_right_repositories_on_satellite(current_actor_context):
def test_enables_right_repositories_on_capsule(current_actor_context):
current_actor_context.feed(InstalledRPM(items=[FOREMAN_PROXY_RPM]))
- current_actor_context.run()
+ current_actor_context.run(config_model=mock_configs.CONFIG)
rpmmessage = current_actor_context.consume(RepositoriesSetupTasks)[0]
--
2.35.3

59
SOURCES/0033-Drop-the-obsoleted-copr-build-job.patch Normal file
View File

@ -0,0 +1,59 @@
From 9049c65f73524c34f40f4da0a1f07b3d58d09f60 Mon Sep 17 00:00:00 2001
From: Petr Stodulka <pstodulk@redhat.com>
Date: Thu, 28 Apr 2022 14:28:14 +0200
Subject: [PATCH 33/39] Drop the obsoleted copr-build job
This job is already obsoleted as nowadays the builds are delivered
by Packit.
Also this is only failing recent month. So it seems there is no need
for this.
---
.github/workflows/copr-build.yml | 35 --------------------------------
1 file changed, 35 deletions(-)
delete mode 100644 .github/workflows/copr-build.yml
diff --git a/.github/workflows/copr-build.yml b/.github/workflows/copr-build.yml
deleted file mode 100644
index 8252e327..00000000
--- a/.github/workflows/copr-build.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: copr-build
-
-on:
- push:
- branches:
- - master
-
-jobs:
- copr_build:
- name: Create copr build
- runs-on: ubuntu-20.04
- if: github.repository_owner == 'oamg'
- steps:
- - name: Checkout
- id: checkout
- uses: actions/checkout@v2
- with:
- ref: "refs/heads/master"
-
- - name: Trigger fedora copr build
- id: trigger_fedora_build
- env:
- COPR_CONFIG: "copr_fedora.conf"
- COPR_CHROOT: "epel-7-x86_64,epel-8-x86_64"
- run: |
- cat << EOF > $COPR_CONFIG
- [copr-cli]
- login = ${{ secrets.FEDORA_COPR_LOGIN }}
- username = @oamg
- token = ${{ secrets.FEDORA_COPR_TOKEN }}
- copr_url = https://copr.fedorainfracloud.org
- EOF
-
- pip install copr-cli
- COPR_CONFIG=$COPR_CONFIG COPR_CHROOT=$COPR_CHROOT make copr_build
--
2.35.3

701
SOURCES/0034-Add-prod-certs-for-8.7-9.1-Beta-GA.patch Normal file
View File

@ -0,0 +1,701 @@
From 2f747a9baf0ff69e2f1be3809edb2f92e4aba35f Mon Sep 17 00:00:00 2001
From: Petr Stodulka <pstodulk@redhat.com>
Date: Tue, 17 May 2022 16:21:22 +0200
Subject: [PATCH 34/39] Add prod certs for 8.7 & 9.1 (Beta + GA)
---
.../common/files/prod-certs/8.7/279.pem | 35 ++++++++++++++++++
.../common/files/prod-certs/8.7/362.pem | 36 +++++++++++++++++++
.../common/files/prod-certs/8.7/363.pem | 35 ++++++++++++++++++
.../common/files/prod-certs/8.7/419.pem | 35 ++++++++++++++++++
.../common/files/prod-certs/8.7/433.pem | 35 ++++++++++++++++++
.../common/files/prod-certs/8.7/479.pem | 35 ++++++++++++++++++
.../common/files/prod-certs/8.7/486.pem | 35 ++++++++++++++++++
.../common/files/prod-certs/8.7/72.pem | 35 ++++++++++++++++++
.../common/files/prod-certs/9.1/279.pem | 35 ++++++++++++++++++
.../common/files/prod-certs/9.1/362.pem | 36 +++++++++++++++++++
.../common/files/prod-certs/9.1/363.pem | 35 ++++++++++++++++++
.../common/files/prod-certs/9.1/419.pem | 35 ++++++++++++++++++
.../common/files/prod-certs/9.1/433.pem | 35 ++++++++++++++++++
.../common/files/prod-certs/9.1/479.pem | 35 ++++++++++++++++++
.../common/files/prod-certs/9.1/486.pem | 35 ++++++++++++++++++
.../common/files/prod-certs/9.1/72.pem | 35 ++++++++++++++++++
16 files changed, 562 insertions(+)
create mode 100644 repos/system_upgrade/common/files/prod-certs/8.7/279.pem
create mode 100644 repos/system_upgrade/common/files/prod-certs/8.7/362.pem
create mode 100644 repos/system_upgrade/common/files/prod-certs/8.7/363.pem
create mode 100644 repos/system_upgrade/common/files/prod-certs/8.7/419.pem
create mode 100644 repos/system_upgrade/common/files/prod-certs/8.7/433.pem
create mode 100644 repos/system_upgrade/common/files/prod-certs/8.7/479.pem
create mode 100644 repos/system_upgrade/common/files/prod-certs/8.7/486.pem
create mode 100644 repos/system_upgrade/common/files/prod-certs/8.7/72.pem
create mode 100644 repos/system_upgrade/common/files/prod-certs/9.1/279.pem
create mode 100644 repos/system_upgrade/common/files/prod-certs/9.1/362.pem
create mode 100644 repos/system_upgrade/common/files/prod-certs/9.1/363.pem
create mode 100644 repos/system_upgrade/common/files/prod-certs/9.1/419.pem
create mode 100644 repos/system_upgrade/common/files/prod-certs/9.1/433.pem
create mode 100644 repos/system_upgrade/common/files/prod-certs/9.1/479.pem
create mode 100644 repos/system_upgrade/common/files/prod-certs/9.1/486.pem
create mode 100644 repos/system_upgrade/common/files/prod-certs/9.1/72.pem
diff --git a/repos/system_upgrade/common/files/prod-certs/8.7/279.pem b/repos/system_upgrade/common/files/prod-certs/8.7/279.pem
new file mode 100644
index 00000000..c4ce4d7f
--- /dev/null
+++ b/repos/system_upgrade/common/files/prod-certs/8.7/279.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGJTCCBA2gAwIBAgIJALDxRLt/tU7bMA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAUBgNVBAoMDVJlZCBI
+YXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEuMCwGA1UEAwwlUmVk
+IEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJ
+ARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMB4XDTIyMDExMDEwMDI0NVoXDTQyMDEw
+NTEwMDI0NVowRDFCMEAGA1UEAww5UmVkIEhhdCBQcm9kdWN0IElEIFs2ZmYyMjVj
+ZC02YjgwLTRlMzEtODNkOC02ZTM4MzY5MmU4OGNdMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxj9J04z+Ezdyx1U33kFftLv0ntNS1BSeuhoZLDhs18yk
+sepG7hXXtHh2CMFfLZmTjAyL9i1XsxykQpVQdXTGpUF33C2qBQHB5glYs9+d781x
+8p8m8zFxbPcW82TIJXbgW3ErVh8vk5qCbG1cCAAHb+DWMq0EAyy1bl/JgAghYNGB
+RvKJObTdCrdpYh02KUqBLkSPZHvo6DUJFN37MXDpVeQq9VtqRjpKLLwuEfXb0Y7I
+5xEOrR3kYbOaBAWVt3mYZ1t0L/KfY2jVOdU5WFyyB9PhbMdLi1xE801j+GJrwcLa
+xmqvj4UaICRzcPATP86zVM1BBQa+lilkRQes5HyjZzZDiGYudnXhbqmLo/n0cuXo
+QBVVjhzRTMx71Eiiahmiw+U1vGqkHhQNxb13HtN1lcAhUCDrxxeMvrAjYdWpYlpI
+yW3NssPWt1YUHidMBSAJ4KctIf91dyE93aStlxwC/QnyFsZOmcEsBzVCnz9GmWMl
+1/6XzBS1yDUqByklx0TLH+z/sK9A+O2rZAy1mByCYwVxvbOZhnqGxAuToIS+A81v
+5hCjsCiOScVB+cil30YBu0cH85RZ0ILNkHdKdrLLWW4wjphK2nBn2g2i3+ztf+nQ
+ED2pQqZ/rhuW79jcyCZl9kXqe1wOdF0Cwah4N6/3LzIXEEKyEJxNqQwtNc2IVE8C
+AwEAAaOBrjCBqzAJBgNVHRMEAjAAMEMGDCsGAQQBkggJAYIXAQQzDDFSZWQgSGF0
+IEVudGVycHJpc2UgTGludXggZm9yIFBvd2VyLCBsaXR0bGUgZW5kaWFuMBUGDCsG
+AQQBkggJAYIXAgQFDAM4LjcwGQYMKwYBBAGSCAkBghcDBAkMB3BwYzY0bGUwJwYM
+KwYBBAGSCAkBghcEBBcMFXJoZWwtOCxyaGVsLTgtcHBjNjRsZTANBgkqhkiG9w0B
+AQsFAAOCAgEAYvHRG1AeXwUHoGeqzzMz9Oo5a/YlWAsc5JIj72Hjggrs1dpvjO1r
+cs2aMNSYjki6QYLrSrJRbhhVT56JtpBSoBtVeh6SncLLzqe9jJsuFRDTPi99vtFL
+9Bo6BqEUgrO9jKEnUmd6Gdntj74CfCJ/QxqgJ/q6uKVKR5YjjfHa8eNcshq12mr7
+kvjQctWkbUYDkQAwtM7jw62DuOdkHUdvXRr2Uexs98XN41gNrIzMg0yNQpf/rKq5
+w2oqDr45nNrHkmWtEAAqCQ+gDrZBALpbtrd4CDx/65zj3+ABp8oIZP/hMxV9xf86
++npHiCtHj6hIXy4zwFMIKCna7w29OZUcTjOZ94dHe7IjO6HLuPdJvnJBgS4mba+C
+zylck/qLyuhT+tO9rb1WhI29oq8elIVpjte1mGqtcaLnLTEBwZ4n8jhIk0Q705UX
+DUhFV+xiD+asQmdeAWO+xzUXYVrJE2tiYfPtY+apLZlW2W6vTvfGhsI28kl7INC4
+umMiNnRB32bMiIr0wH/zqaqpUUXWlj8zitX2ZUEAaHBhKCpr+etO9oATu/RKz6Io
+OsHXLkBn6l7G3/nPXp3LVJU4D7UgSzY112GFjMibRIHX0L+d7OeP5vxevWaXMnEV
+OnVCsQNu6/haEvADf9IYkPFtS19RCKxkGsGsWrMXeyxF/4CqffjabVA=
+-----END CERTIFICATE-----
diff --git a/repos/system_upgrade/common/files/prod-certs/8.7/362.pem b/repos/system_upgrade/common/files/prod-certs/8.7/362.pem
new file mode 100644
index 00000000..322c85ca
--- /dev/null
+++ b/repos/system_upgrade/common/files/prod-certs/8.7/362.pem
@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGNDCCBBygAwIBAgIJALDxRLt/tU7xMA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAUBgNVBAoMDVJlZCBI
+YXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEuMCwGA1UEAwwlUmVk
+IEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJ
+ARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMB4XDTIyMDExMDEwMDgwNFoXDTQyMDEw
+NTEwMDgwNFowRDFCMEAGA1UEAww5UmVkIEhhdCBQcm9kdWN0IElEIFswYjFjZDBm
+My0xMzEwLTQ0ZGItYTNmNS1jNzY4OWE4ZTQyMTBdMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxj9J04z+Ezdyx1U33kFftLv0ntNS1BSeuhoZLDhs18yk
+sepG7hXXtHh2CMFfLZmTjAyL9i1XsxykQpVQdXTGpUF33C2qBQHB5glYs9+d781x
+8p8m8zFxbPcW82TIJXbgW3ErVh8vk5qCbG1cCAAHb+DWMq0EAyy1bl/JgAghYNGB
+RvKJObTdCrdpYh02KUqBLkSPZHvo6DUJFN37MXDpVeQq9VtqRjpKLLwuEfXb0Y7I
+5xEOrR3kYbOaBAWVt3mYZ1t0L/KfY2jVOdU5WFyyB9PhbMdLi1xE801j+GJrwcLa
+xmqvj4UaICRzcPATP86zVM1BBQa+lilkRQes5HyjZzZDiGYudnXhbqmLo/n0cuXo
+QBVVjhzRTMx71Eiiahmiw+U1vGqkHhQNxb13HtN1lcAhUCDrxxeMvrAjYdWpYlpI
+yW3NssPWt1YUHidMBSAJ4KctIf91dyE93aStlxwC/QnyFsZOmcEsBzVCnz9GmWMl
+1/6XzBS1yDUqByklx0TLH+z/sK9A+O2rZAy1mByCYwVxvbOZhnqGxAuToIS+A81v
+5hCjsCiOScVB+cil30YBu0cH85RZ0ILNkHdKdrLLWW4wjphK2nBn2g2i3+ztf+nQ
+ED2pQqZ/rhuW79jcyCZl9kXqe1wOdF0Cwah4N6/3LzIXEEKyEJxNqQwtNc2IVE8C
+AwEAAaOBvTCBujAJBgNVHRMEAjAAMEgGDCsGAQQBkggJAYJqAQQ4DDZSZWQgSGF0
+IEVudGVycHJpc2UgTGludXggZm9yIFBvd2VyLCBsaXR0bGUgZW5kaWFuIEJldGEw
+GgYMKwYBBAGSCAkBgmoCBAoMCDguNyBCZXRhMBkGDCsGAQQBkggJAYJqAwQJDAdw
+cGM2NGxlMCwGDCsGAQQBkggJAYJqBAQcDBpyaGVsLTgscmhlbC04LWJldGEtcHBj
+NjRsZTANBgkqhkiG9w0BAQsFAAOCAgEAnf5WpzbOMFMIAh05C6hjWdEdF24jdSCZ
+z9tdf1VXgYwjVENO3rQqPSSFNOJi7VcCbWZ9IZQKJI+Zb06hdSn1IIVNabWs8jZT
+R+oAjjPmIulnqlnTh17JlF3cecty+GnbjitAW/AeYlql3Y1Lzy+GaAS2kERvCcCA
+yFfc7h0odQDtIyhSCB2MewDX5pVnY8e4SybIvjTSMUOzPKdUs4o0IifqoL/MvvB6
+3tLt9ezkqoIUWGF/LbEpuvrAa7cx5Fh2JnNQGdsI8071Y8YyL0kjUMtoNf5NBI3l
+1gaFT5U2AzgnoRSlWGF/qCS3NuNZi2j6cvrUEWABrTAQlVi91Oqxhoib+KDFCZkj
+73Xuyg+wFRUiOF+WL0/Jhe3spbynXtHb8PC4E2rRXUioCUZwkqgSo13b/xgcJDML
+FRaUwARNZWfjmc+4Xxt7shzqFheshaHG7WPq8kxE6en4/yoO0imIk03ESSJSx2lB
+CWUHZpFTmIZyjYgXjoeHW0FEeS8E8sQGfoT320McEUN5FS5NX/vYgmFQUOGqniPC
+oiy07G/zdcBPTzxgcAU2CoFfXXYbEebcH14k3YbAeEOva38c+rBUa8siIozrYGyf
+cFXfbyURcRw33M322KfvLesxUhfVaTNMapVR8AbdBYmQXwLZHBmL9dC+CY7kg3W9
+AcQ+oHoM+eE=
+-----END CERTIFICATE-----
diff --git a/repos/system_upgrade/common/files/prod-certs/8.7/363.pem b/repos/system_upgrade/common/files/prod-certs/8.7/363.pem
new file mode 100644
index 00000000..24c23cf8
--- /dev/null
+++ b/repos/system_upgrade/common/files/prod-certs/8.7/363.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGJjCCBA6gAwIBAgIJALDxRLt/tU7wMA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAUBgNVBAoMDVJlZCBI
+YXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEuMCwGA1UEAwwlUmVk
+IEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJ
+ARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMB4XDTIyMDExMDEwMDgwMFoXDTQyMDEw
+NTEwMDgwMFowRDFCMEAGA1UEAww5UmVkIEhhdCBQcm9kdWN0IElEIFswOTVkNzhj
+OS03NTM0LTQ1YWItOGE0NC04NzA0OWZiOWJiNGJdMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxj9J04z+Ezdyx1U33kFftLv0ntNS1BSeuhoZLDhs18yk
+sepG7hXXtHh2CMFfLZmTjAyL9i1XsxykQpVQdXTGpUF33C2qBQHB5glYs9+d781x
+8p8m8zFxbPcW82TIJXbgW3ErVh8vk5qCbG1cCAAHb+DWMq0EAyy1bl/JgAghYNGB
+RvKJObTdCrdpYh02KUqBLkSPZHvo6DUJFN37MXDpVeQq9VtqRjpKLLwuEfXb0Y7I
+5xEOrR3kYbOaBAWVt3mYZ1t0L/KfY2jVOdU5WFyyB9PhbMdLi1xE801j+GJrwcLa
+xmqvj4UaICRzcPATP86zVM1BBQa+lilkRQes5HyjZzZDiGYudnXhbqmLo/n0cuXo
+QBVVjhzRTMx71Eiiahmiw+U1vGqkHhQNxb13HtN1lcAhUCDrxxeMvrAjYdWpYlpI
+yW3NssPWt1YUHidMBSAJ4KctIf91dyE93aStlxwC/QnyFsZOmcEsBzVCnz9GmWMl
+1/6XzBS1yDUqByklx0TLH+z/sK9A+O2rZAy1mByCYwVxvbOZhnqGxAuToIS+A81v
+5hCjsCiOScVB+cil30YBu0cH85RZ0ILNkHdKdrLLWW4wjphK2nBn2g2i3+ztf+nQ
+ED2pQqZ/rhuW79jcyCZl9kXqe1wOdF0Cwah4N6/3LzIXEEKyEJxNqQwtNc2IVE8C
+AwEAAaOBrzCBrDAJBgNVHRMEAjAAMDoGDCsGAQQBkggJAYJrAQQqDChSZWQgSGF0
+IEVudGVycHJpc2UgTGludXggZm9yIEFSTSA2NCBCZXRhMBoGDCsGAQQBkggJAYJr
+AgQKDAg4LjcgQmV0YTAZBgwrBgEEAZIICQGCawMECQwHYWFyY2g2NDAsBgwrBgEE
+AZIICQGCawQEHAwacmhlbC04LHJoZWwtOC1iZXRhLWFhcmNoNjQwDQYJKoZIhvcN
+AQELBQADggIBAB8682pIKA5WtH83Hb8qNnT2URChEilvPcrFpSlJqtc8BWmcUpMq
+MRB4z3biDaWoXpHMT5FeipOuEtOLANrEcjhbd1tQqgHvlDmkbxD9fT4/aSuABikB
+14oF7o57Ys4s3NqQZ4Dl5DH4LcP9Z3WCBBcqH4SNVbeAT49QdxwI9E3Z4+HgvOgQ
+LtKqiwzOyUsYPUpPXOOOEzCbRAnaWeGX/fIH6PTusM2T/SRScHrsKDidrrobrUVq
+Rnim68FZ1bAxv7g6RHDi0S447CX4Gzy0tRFJTKdivUk9cF32AH7Q1v3cEiaImGYS
+VaznFmOdRg/gU9mV/QPy+N1hhNYf888oDprF2OPzc2tdmbBOUdZdkA5J3CXHZ+f9
+Q5WuLsZEBeuetwk9LQA+v0gPYCXJfZAsvhdM0mQpUDW9gp2ucnu45Wm8iDmA59zM
+/uhJLRv2z9UtqEySt6OYJEd0linv0RvEwKwBPCZA3L8FKvosuIwcV+x4XTHb9f0E
+kwqRFboioJaER/K5oX0kkCaVlD/8xpuS3Qc8pN3FXD3ZiK3u2plLZh+7LWd6id+E
+VMIUej+kPAfwiXf8MDR/GZZJeIHI27C84thoq6C0AcseaO5LTUSLMaqGSSvU5yoV
+8TJr9HIJw9bFmHroWKPdtLGFCCYO7GhC25+jZn+dUYOCRCsRCaE/J4d0
+-----END CERTIFICATE-----
diff --git a/repos/system_upgrade/common/files/prod-certs/8.7/419.pem b/repos/system_upgrade/common/files/prod-certs/8.7/419.pem
new file mode 100644
index 00000000..88315387
--- /dev/null
+++ b/repos/system_upgrade/common/files/prod-certs/8.7/419.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGFzCCA/+gAwIBAgIJALDxRLt/tU7aMA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAUBgNVBAoMDVJlZCBI
+YXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEuMCwGA1UEAwwlUmVk
+IEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJ
+ARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMB4XDTIyMDExMDEwMDI0MFoXDTQyMDEw
+NTEwMDI0MFowRDFCMEAGA1UEAww5UmVkIEhhdCBQcm9kdWN0IElEIFs3NDJjODll
+NC0zZjM2LTQ4NTgtOTkxMy04ZTc5OTYxM2Q5NzldMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxj9J04z+Ezdyx1U33kFftLv0ntNS1BSeuhoZLDhs18yk
+sepG7hXXtHh2CMFfLZmTjAyL9i1XsxykQpVQdXTGpUF33C2qBQHB5glYs9+d781x
+8p8m8zFxbPcW82TIJXbgW3ErVh8vk5qCbG1cCAAHb+DWMq0EAyy1bl/JgAghYNGB
+RvKJObTdCrdpYh02KUqBLkSPZHvo6DUJFN37MXDpVeQq9VtqRjpKLLwuEfXb0Y7I
+5xEOrR3kYbOaBAWVt3mYZ1t0L/KfY2jVOdU5WFyyB9PhbMdLi1xE801j+GJrwcLa
+xmqvj4UaICRzcPATP86zVM1BBQa+lilkRQes5HyjZzZDiGYudnXhbqmLo/n0cuXo
+QBVVjhzRTMx71Eiiahmiw+U1vGqkHhQNxb13HtN1lcAhUCDrxxeMvrAjYdWpYlpI
+yW3NssPWt1YUHidMBSAJ4KctIf91dyE93aStlxwC/QnyFsZOmcEsBzVCnz9GmWMl
+1/6XzBS1yDUqByklx0TLH+z/sK9A+O2rZAy1mByCYwVxvbOZhnqGxAuToIS+A81v
+5hCjsCiOScVB+cil30YBu0cH85RZ0ILNkHdKdrLLWW4wjphK2nBn2g2i3+ztf+nQ
+ED2pQqZ/rhuW79jcyCZl9kXqe1wOdF0Cwah4N6/3LzIXEEKyEJxNqQwtNc2IVE8C
+AwEAAaOBoDCBnTAJBgNVHRMEAjAAMDUGDCsGAQQBkggJAYMjAQQlDCNSZWQgSGF0
+IEVudGVycHJpc2UgTGludXggZm9yIEFSTSA2NDAVBgwrBgEEAZIICQGDIwIEBQwD
+OC43MBkGDCsGAQQBkggJAYMjAwQJDAdhYXJjaDY0MCcGDCsGAQQBkggJAYMjBAQX
+DBVyaGVsLTgscmhlbC04LWFhcmNoNjQwDQYJKoZIhvcNAQELBQADggIBANZE6GPc
+I1/WYEDtvEMts3mLO6+NtKzd8Bt3nmMZEYorN3mZ0WjpbNuBcVlbQX87eoMLA9g2
+P54gkuPzpY+ea1ZKYJ7zzG6AnKXNprL1RrHNkdEs79r3AM1t/m1CdlZwsSfRlGdX
+hDZR8Gy5tgX9Q75jMK/JuXuQFJiOpLIK2yeD6/9geGWv1NXbV/gkE7U+K8LwvQRa
+gR0FLzJpJlzFIbJXutldvwDm22zgECfzvfoSCFw5E7Sk+5lprVdlDMfW1t9Bj5lF
+FBDYJBT4iAXVcyRj5QBBMG1xcUxh7XEM3XiD9/2albaeTMkiIip7OCsOdPi9uPcs
+wvjgJ6+Uxd33sLnfl/hywrrKc8gZGX+IhkeNph3GMq0CwijLT6/0jA/dbYyusGDO
+OdEilyP4YIe5nltwO8rgW4AytIrX9xKfF56qjdudUNbrzLrbKF8+URwdjQBSJOdh
+q4NS9gRnaCnn6FlrpYW4aUJAjcWfugUj8dpKBIdOCZo55G3AqAAl7lv2MwibGwuw
+XX8wE5EVnr3Wq3UIiqNoGU/Gkz4sdoTXGPSMQQPWYPhJ/nUtC943d/MDZkZ1HF6L
+CwsmLK9fTstiRdm5DF6q7nAUxgXz0dslLln1WYHXi4k/x5gIZmLbLBwqfsbMg53d
+jlJwRkvUou7uq1C4Cc0oH7es4chgkyShYNyR
+-----END CERTIFICATE-----
diff --git a/repos/system_upgrade/common/files/prod-certs/8.7/433.pem b/repos/system_upgrade/common/files/prod-certs/8.7/433.pem
new file mode 100644
index 00000000..bed65e1c
--- /dev/null
+++ b/repos/system_upgrade/common/files/prod-certs/8.7/433.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGKTCCBBGgAwIBAgIJALDxRLt/tU7yMA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAUBgNVBAoMDVJlZCBI
+YXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEuMCwGA1UEAwwlUmVk
+IEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJ
+ARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMB4XDTIyMDExMDEwMDgwOFoXDTQyMDEw
+NTEwMDgwOFowRDFCMEAGA1UEAww5UmVkIEhhdCBQcm9kdWN0IElEIFtiYjg0YzZl
+MS03NGE3LTRjOTMtYjViNC01MDYzMzQxN2UxMjNdMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxj9J04z+Ezdyx1U33kFftLv0ntNS1BSeuhoZLDhs18yk
+sepG7hXXtHh2CMFfLZmTjAyL9i1XsxykQpVQdXTGpUF33C2qBQHB5glYs9+d781x
+8p8m8zFxbPcW82TIJXbgW3ErVh8vk5qCbG1cCAAHb+DWMq0EAyy1bl/JgAghYNGB
+RvKJObTdCrdpYh02KUqBLkSPZHvo6DUJFN37MXDpVeQq9VtqRjpKLLwuEfXb0Y7I
+5xEOrR3kYbOaBAWVt3mYZ1t0L/KfY2jVOdU5WFyyB9PhbMdLi1xE801j+GJrwcLa
+xmqvj4UaICRzcPATP86zVM1BBQa+lilkRQes5HyjZzZDiGYudnXhbqmLo/n0cuXo
+QBVVjhzRTMx71Eiiahmiw+U1vGqkHhQNxb13HtN1lcAhUCDrxxeMvrAjYdWpYlpI
+yW3NssPWt1YUHidMBSAJ4KctIf91dyE93aStlxwC/QnyFsZOmcEsBzVCnz9GmWMl
+1/6XzBS1yDUqByklx0TLH+z/sK9A+O2rZAy1mByCYwVxvbOZhnqGxAuToIS+A81v
+5hCjsCiOScVB+cil30YBu0cH85RZ0ILNkHdKdrLLWW4wjphK2nBn2g2i3+ztf+nQ
+ED2pQqZ/rhuW79jcyCZl9kXqe1wOdF0Cwah4N6/3LzIXEEKyEJxNqQwtNc2IVE8C
+AwEAAaOBsjCBrzAJBgNVHRMEAjAAMEEGDCsGAQQBkggJAYMxAQQxDC9SZWQgSGF0
+IEVudGVycHJpc2UgTGludXggZm9yIElCTSB6IFN5c3RlbXMgQmV0YTAaBgwrBgEE
+AZIICQGDMQIECgwIOC43IEJldGEwFwYMKwYBBAGSCAkBgzEDBAcMBXMzOTB4MCoG
+DCsGAQQBkggJAYMxBAQaDBhyaGVsLTgscmhlbC04LWJldGEtczM5MHgwDQYJKoZI
+hvcNAQELBQADggIBAFHSGH0JiAad8JnEJQxH7JklzxaTxLFlueLc2Q8P1wV2g+ib
+XsdmP+fq9YR56UN/3rYip6MTEwp2tTCZy9FRraLTunscYB19LwBmiYirDBNyyJms
+hCOzIN6itJrfjD7WOJ9DgEDstnEJrTW76a1TV92etWNvW3bwkktKnfHlbv2tgRSj
+44zIWaF5J9P9R4oOD27ArmR0/AK13194U8iRwJi8Tw/z90QznSYj4QGJZyBm9a/d
+alEktaNkdjNYcGczlepOwZ7pHkDyMihBUVBXLBK68j2d6OdZf9qptM5oouaIKMOp
+DBCjecfQ11q3avAjvGPAOoIuAzVlRZE1pDP2VtFPoCohWytP4QMSfvFWgFx2zWjR
+Gc0LEAHkP9iLnkqvSZfAYXdsaZ564Y1H6zv3PbQPSC540edRbWSufSa46LeR0U6+
+zavOtchYFwZaeTZc4rzxDffMJQhv27C+QOnSth/YR2r9Yg+QfRwfmwR+zPBbbfUP
+t8dL/Es7vi3mMjmshcSvRpka1b8kMemm+xIV7zQPfpcPXGy1+SzC0jbYApE608WG
+kjqttn6qWADc3kpAFGKXf2nozwDhqKXLLVCKPcTRds+IB36wKeH6eTgS/tv6df7x
+U2CVpb5fgHz4TgZaGJPTRkzDRtRnuct6LJ/bokKrGw+9+v4WZvRrWQ4dncS+
+-----END CERTIFICATE-----
diff --git a/repos/system_upgrade/common/files/prod-certs/8.7/479.pem b/repos/system_upgrade/common/files/prod-certs/8.7/479.pem
new file mode 100644
index 00000000..c79cdb7c
--- /dev/null
+++ b/repos/system_upgrade/common/files/prod-certs/8.7/479.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGFTCCA/2gAwIBAgIJALDxRLt/tU7dMA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAUBgNVBAoMDVJlZCBI
+YXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEuMCwGA1UEAwwlUmVk
+IEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJ
+ARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMB4XDTIyMDExMDEwMDI1M1oXDTQyMDEw
+NTEwMDI1M1owRDFCMEAGA1UEAww5UmVkIEhhdCBQcm9kdWN0IElEIFsxN2ZmNWVj
+YS1kM2YyLTQ1NGYtYjliZi01MThiYmM1MDk0NzhdMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxj9J04z+Ezdyx1U33kFftLv0ntNS1BSeuhoZLDhs18yk
+sepG7hXXtHh2CMFfLZmTjAyL9i1XsxykQpVQdXTGpUF33C2qBQHB5glYs9+d781x
+8p8m8zFxbPcW82TIJXbgW3ErVh8vk5qCbG1cCAAHb+DWMq0EAyy1bl/JgAghYNGB
+RvKJObTdCrdpYh02KUqBLkSPZHvo6DUJFN37MXDpVeQq9VtqRjpKLLwuEfXb0Y7I
+5xEOrR3kYbOaBAWVt3mYZ1t0L/KfY2jVOdU5WFyyB9PhbMdLi1xE801j+GJrwcLa
+xmqvj4UaICRzcPATP86zVM1BBQa+lilkRQes5HyjZzZDiGYudnXhbqmLo/n0cuXo
+QBVVjhzRTMx71Eiiahmiw+U1vGqkHhQNxb13HtN1lcAhUCDrxxeMvrAjYdWpYlpI
+yW3NssPWt1YUHidMBSAJ4KctIf91dyE93aStlxwC/QnyFsZOmcEsBzVCnz9GmWMl
+1/6XzBS1yDUqByklx0TLH+z/sK9A+O2rZAy1mByCYwVxvbOZhnqGxAuToIS+A81v
+5hCjsCiOScVB+cil30YBu0cH85RZ0ILNkHdKdrLLWW4wjphK2nBn2g2i3+ztf+nQ
+ED2pQqZ/rhuW79jcyCZl9kXqe1wOdF0Cwah4N6/3LzIXEEKyEJxNqQwtNc2IVE8C
+AwEAAaOBnjCBmzAJBgNVHRMEAjAAMDUGDCsGAQQBkggJAYNfAQQlDCNSZWQgSGF0
+IEVudGVycHJpc2UgTGludXggZm9yIHg4Nl82NDAVBgwrBgEEAZIICQGDXwIEBQwD
+OC43MBgGDCsGAQQBkggJAYNfAwQIDAZ4ODZfNjQwJgYMKwYBBAGSCAkBg18EBBYM
+FHJoZWwtOCxyaGVsLTgteDg2XzY0MA0GCSqGSIb3DQEBCwUAA4ICAQBvy4DLCvm7
+gH40xQ+oGqaQ49X5dshAyIVhQ8cUhnas283F/qWDOLcPgv4qMDV0uk1GNJ89aIkj
+jDgxCXozgKZmo1AAFuWKtSrKcj0q+mV5iKKBqcc6vV6ud0WoKWNACLeDR+GkZAH8
+WcpU/077Sv7o5Km09p2kzHDwuDbeucibrirMJ13hYqvWePnp/G149mYlplnVJnsH
+DMtVOO+NG1Z0hRXGFsq63FUBiDgeRFKNc+7lL3GAlTO47RQDkQ05BFh8Guce4LMv
+xnGrY+X0vEUyYPbOxNH6qdys6NrEg8ZxEj0iPJCqyaWFpum1/9f32CHPJ9i2+5Qm
+Sg7CRHiF6iK86DcanaIwrvuqyy+HI3G1N84SnbJilQHwiJSAyNh/7pctroHgQK0b
+K2O89xHJpG2/s0IO9/GlT1ERtBBYDNYXalkuuqaEbbBpBHTcmBmeIBg+njg9VXAv
+MsOtQad8BFl7g+iXO6xEajgt+DpfKPthtwP5vpse00EhYpoRAmCErfvxOlrRriZe
+5NBFi+VBuGTIboiu31LBHfDeTEjFNvRhoqiEY0DQgMBIXNCimfaK/BwuA/HwgL3b
+mVzOoRYeTLfRr+hovdQFrwVJLMAITS1PQReJ4OTfhG3P6ybk8eDIuK9PxV1KPCGr
+MdOPQcr4cqixZyH0ZM/961cOjvKuabHA6Q==
+-----END CERTIFICATE-----
diff --git a/repos/system_upgrade/common/files/prod-certs/8.7/486.pem b/repos/system_upgrade/common/files/prod-certs/8.7/486.pem
new file mode 100644
index 00000000..fbd26bfe
--- /dev/null
+++ b/repos/system_upgrade/common/files/prod-certs/8.7/486.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGJDCCBAygAwIBAgIJALDxRLt/tU7zMA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAUBgNVBAoMDVJlZCBI
+YXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEuMCwGA1UEAwwlUmVk
+IEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJ
+ARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMB4XDTIyMDExMDEwMDgxM1oXDTQyMDEw
+NTEwMDgxM1owRDFCMEAGA1UEAww5UmVkIEhhdCBQcm9kdWN0IElEIFsyOWY3NGM1
+MC04NzE0LTQyNWYtODg2YS03YjgwYzFkZDJmN2VdMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxj9J04z+Ezdyx1U33kFftLv0ntNS1BSeuhoZLDhs18yk
+sepG7hXXtHh2CMFfLZmTjAyL9i1XsxykQpVQdXTGpUF33C2qBQHB5glYs9+d781x
+8p8m8zFxbPcW82TIJXbgW3ErVh8vk5qCbG1cCAAHb+DWMq0EAyy1bl/JgAghYNGB
+RvKJObTdCrdpYh02KUqBLkSPZHvo6DUJFN37MXDpVeQq9VtqRjpKLLwuEfXb0Y7I
+5xEOrR3kYbOaBAWVt3mYZ1t0L/KfY2jVOdU5WFyyB9PhbMdLi1xE801j+GJrwcLa
+xmqvj4UaICRzcPATP86zVM1BBQa+lilkRQes5HyjZzZDiGYudnXhbqmLo/n0cuXo
+QBVVjhzRTMx71Eiiahmiw+U1vGqkHhQNxb13HtN1lcAhUCDrxxeMvrAjYdWpYlpI
+yW3NssPWt1YUHidMBSAJ4KctIf91dyE93aStlxwC/QnyFsZOmcEsBzVCnz9GmWMl
+1/6XzBS1yDUqByklx0TLH+z/sK9A+O2rZAy1mByCYwVxvbOZhnqGxAuToIS+A81v
+5hCjsCiOScVB+cil30YBu0cH85RZ0ILNkHdKdrLLWW4wjphK2nBn2g2i3+ztf+nQ
+ED2pQqZ/rhuW79jcyCZl9kXqe1wOdF0Cwah4N6/3LzIXEEKyEJxNqQwtNc2IVE8C
+AwEAAaOBrTCBqjAJBgNVHRMEAjAAMDoGDCsGAQQBkggJAYNmAQQqDChSZWQgSGF0
+IEVudGVycHJpc2UgTGludXggZm9yIHg4Nl82NCBCZXRhMBoGDCsGAQQBkggJAYNm
+AgQKDAg4LjcgQmV0YTAYBgwrBgEEAZIICQGDZgMECAwGeDg2XzY0MCsGDCsGAQQB
+kggJAYNmBAQbDBlyaGVsLTgscmhlbC04LWJldGEteDg2XzY0MA0GCSqGSIb3DQEB
+CwUAA4ICAQCqoYGO8Ic681iebYurHHMm4ZszBfsG3dPqXvkYCLGIKs8y3eYWHMGt
+8PG6HdLiFuM0klz3WSfbRDFmQ2Lna4HmJSo+kzHkF27eu/4zU6h+CzHN4hI392KK
+TXcsUoAacyXyhcIHg9lZeHNDWitMyYuoJjHURnicCf3GSWvsemmyRSpZiDDMPORp
+RA7OSlfn9jH8vANX4TStbjn2Ptqd/9oowaZVeFQarpNnJjw6+5eCtm8Yp4krEa7X
+u4smSyQWO9U9/i3ITCIln1fAadrLUEg8T9hR2AptAa6QjlIE4PHy+O7BLyfNSM2k
+qVtg+ws1k7io+yz7bJzVt5MtTEmTWviy96aT8DEZm51fRkDoG0HNxtTc15bcfkw1
+NZQ7Dll1qvn/WTkgoJ32ZR0paI790zqThmouoVRflBC0dmIqjplSzhTOsoSIDeum
+u613P77Xk2km0ll0Aw8BUG5oacoxFGY0C252Y0QMhpI8PSn9d/FUBdLD0SwG0gyd
+1j2O2rwXpoVBYTqJafy6zINGjMMYA3K1UoinL7YE8KdIv0CMewnoNILpCMdeou8g
+DvCVdRMHxlnA8upL1CjjNJeSNMAEaZjWfzdDHSIETAWs4XxFM3flBSqmX2ecspmb
+vTHBwfOYs0iuNCi+sbWCX2lb4XP1r/pvA/T1lH6k7J3ON9XOHOVWRw==
+-----END CERTIFICATE-----
diff --git a/repos/system_upgrade/common/files/prod-certs/8.7/72.pem b/repos/system_upgrade/common/files/prod-certs/8.7/72.pem
new file mode 100644
index 00000000..63bb2f18
--- /dev/null
+++ b/repos/system_upgrade/common/files/prod-certs/8.7/72.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGFjCCA/6gAwIBAgIJALDxRLt/tU7cMA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAUBgNVBAoMDVJlZCBI
+YXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEuMCwGA1UEAwwlUmVk
+IEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJ
+ARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMB4XDTIyMDExMDEwMDI0OVoXDTQyMDEw
+NTEwMDI0OVowRDFCMEAGA1UEAww5UmVkIEhhdCBQcm9kdWN0IElEIFtkNTBkM2Vl
+Zi1iMTI0LTRkNWItYmI1Mi05OTNkNTUzYjU3YTFdMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxj9J04z+Ezdyx1U33kFftLv0ntNS1BSeuhoZLDhs18yk
+sepG7hXXtHh2CMFfLZmTjAyL9i1XsxykQpVQdXTGpUF33C2qBQHB5glYs9+d781x
+8p8m8zFxbPcW82TIJXbgW3ErVh8vk5qCbG1cCAAHb+DWMq0EAyy1bl/JgAghYNGB
+RvKJObTdCrdpYh02KUqBLkSPZHvo6DUJFN37MXDpVeQq9VtqRjpKLLwuEfXb0Y7I
+5xEOrR3kYbOaBAWVt3mYZ1t0L/KfY2jVOdU5WFyyB9PhbMdLi1xE801j+GJrwcLa
+xmqvj4UaICRzcPATP86zVM1BBQa+lilkRQes5HyjZzZDiGYudnXhbqmLo/n0cuXo
+QBVVjhzRTMx71Eiiahmiw+U1vGqkHhQNxb13HtN1lcAhUCDrxxeMvrAjYdWpYlpI
+yW3NssPWt1YUHidMBSAJ4KctIf91dyE93aStlxwC/QnyFsZOmcEsBzVCnz9GmWMl
+1/6XzBS1yDUqByklx0TLH+z/sK9A+O2rZAy1mByCYwVxvbOZhnqGxAuToIS+A81v
+5hCjsCiOScVB+cil30YBu0cH85RZ0ILNkHdKdrLLWW4wjphK2nBn2g2i3+ztf+nQ
+ED2pQqZ/rhuW79jcyCZl9kXqe1wOdF0Cwah4N6/3LzIXEEKyEJxNqQwtNc2IVE8C
+AwEAAaOBnzCBnDAJBgNVHRMEAjAAMDsGCysGAQQBkggJAUgBBCwMKlJlZCBIYXQg
+RW50ZXJwcmlzZSBMaW51eCBmb3IgSUJNIHogU3lzdGVtczAUBgsrBgEEAZIICQFI
+AgQFDAM4LjcwFgYLKwYBBAGSCAkBSAMEBwwFczM5MHgwJAYLKwYBBAGSCAkBSAQE
+FQwTcmhlbC04LHJoZWwtOC1zMzkweDANBgkqhkiG9w0BAQsFAAOCAgEAFrbUKzXJ
+odKPWFSsCO29xwbI2udUSQNphjpumtFDgi/8fteWgb7iJtL4iGTVXjoTbS+lJkML
+1d0a20v0GcMk7oULYTzzbgSaDZ/NQmkblo9nQ3tKVb8pBcJDRZJ6OnyG/nm/dH1p
+TMXKWbLfGySlqyGyDe8F3nEQRRkJsbTkQdzC196/C8fjiTBcsS6KASQTOS9t7H8M
+zLeisuCiozMk34Vf1bbgeLNJp33ZhAbKxTble2UfrA/9VYKe/vLP/i4sUY1VcYoF
+ZEbqh3QFaTZ3mBNkENtmivKwxysWW5pa7GUbnfEO23+9flp+BLoElfMqHxmh8sdx
+7UbvdOpWhzvO+i+By26HjRv4wtjY+Wsm8kHeGT0O+dEEB1vfsRWCwHUYhEfpdoxy
+Ivo5/fi6cCETFhzeneJyOWrUsg1PnYIa6EZ7oBRrrOMpcSvgpM+MIQC/NYgwF5lh
+TWQzrSta34HZdtuwqGQ5I6etjp45OyUOcE1ww4YEHYJCoQXyHdiFDpETWYoR9x6Q
+FZ+JvLuzm61Kn3wT/H+kxFSfT8CmSc0nIGR6Fe4MEG5Ly9DH+PoDf3f7XDdIsFoX
+OU81koyfPHejg7J89hzWQh596sc+pv67l/ThfjZxjuhI2RU4P0PzXtMc/5SnQQb5
+faCsMhoTZWRVvgumW77D0uk7k91BSVYKbkY=
+-----END CERTIFICATE-----
diff --git a/repos/system_upgrade/common/files/prod-certs/9.1/279.pem b/repos/system_upgrade/common/files/prod-certs/9.1/279.pem
new file mode 100644
index 00000000..23e565f8
--- /dev/null
+++ b/repos/system_upgrade/common/files/prod-certs/9.1/279.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGJTCCBA2gAwIBAgIJALDxRLt/tU8gMA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAUBgNVBAoMDVJlZCBI
+YXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEuMCwGA1UEAwwlUmVk
+IEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJ
+ARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMB4XDTIyMDEyNzE2MTQzNloXDTQyMDEy
+MjE2MTQzNlowRDFCMEAGA1UEAww5UmVkIEhhdCBQcm9kdWN0IElEIFswMjA2OWIw
+NC03ODY3LTQ2OTQtOGFlOS01MDFlMmExMDBjMDddMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxj9J04z+Ezdyx1U33kFftLv0ntNS1BSeuhoZLDhs18yk
+sepG7hXXtHh2CMFfLZmTjAyL9i1XsxykQpVQdXTGpUF33C2qBQHB5glYs9+d781x
+8p8m8zFxbPcW82TIJXbgW3ErVh8vk5qCbG1cCAAHb+DWMq0EAyy1bl/JgAghYNGB
+RvKJObTdCrdpYh02KUqBLkSPZHvo6DUJFN37MXDpVeQq9VtqRjpKLLwuEfXb0Y7I
+5xEOrR3kYbOaBAWVt3mYZ1t0L/KfY2jVOdU5WFyyB9PhbMdLi1xE801j+GJrwcLa
+xmqvj4UaICRzcPATP86zVM1BBQa+lilkRQes5HyjZzZDiGYudnXhbqmLo/n0cuXo
+QBVVjhzRTMx71Eiiahmiw+U1vGqkHhQNxb13HtN1lcAhUCDrxxeMvrAjYdWpYlpI
+yW3NssPWt1YUHidMBSAJ4KctIf91dyE93aStlxwC/QnyFsZOmcEsBzVCnz9GmWMl
+1/6XzBS1yDUqByklx0TLH+z/sK9A+O2rZAy1mByCYwVxvbOZhnqGxAuToIS+A81v
+5hCjsCiOScVB+cil30YBu0cH85RZ0ILNkHdKdrLLWW4wjphK2nBn2g2i3+ztf+nQ
+ED2pQqZ/rhuW79jcyCZl9kXqe1wOdF0Cwah4N6/3LzIXEEKyEJxNqQwtNc2IVE8C
+AwEAAaOBrjCBqzAJBgNVHRMEAjAAMEMGDCsGAQQBkggJAYIXAQQzDDFSZWQgSGF0
+IEVudGVycHJpc2UgTGludXggZm9yIFBvd2VyLCBsaXR0bGUgZW5kaWFuMBUGDCsG
+AQQBkggJAYIXAgQFDAM5LjEwGQYMKwYBBAGSCAkBghcDBAkMB3BwYzY0bGUwJwYM
+KwYBBAGSCAkBghcEBBcMFXJoZWwtOSxyaGVsLTktcHBjNjRsZTANBgkqhkiG9w0B
+AQsFAAOCAgEAsR3LlRmkKG8hA9H6RKEJwHxZnTb+fGF0gnYMCQYQ5z+J0LLmeP5R
+KgJP62lauRtQwsVCEyKURV8k8SBCDcQ8xpqhC/GkZRqaELo0NNgJ4KS+mmbsee88
+VW7mU8j91n1h1Dz+7zQVrXyP/uNailjPmDKB/l9LpSTGdHVuEJMBZP9840SjCv/Q
+S2hCN5aLGf8Jg7Vz72LRUINEZW0At36MKX50NenWsD9ME45E8CRzH3Nfg/iQs8wX
+bavUDiHAwTMSHlUZRRtPQf69MIQVfr+EMGBM307GqurNdtrGreOwnRoHmvvXsa0k
+3SRZ+WUwR7ajsCA2nGn4sybYdaB4+DWMWk/ZHvWQazU7Ff0J8F6QdIMfN6g/slBC
+t4YOsmYO46oVcrYAuqIJ2E3IMzZCsz4MODGwbj8brVL5OnZ/DHPzNaKxJ/DN+YqU
+xe3j1ZKts4dRBQIuVrudp2mf8Ergrk8iqAltNpWNEZEPkLH8pNlPV3MmBEtshTWu
+pHskG2WSm+o/qM4aoKwlvROaa9xoHPtck0xYiMujrohnQWgxdlUuiQIl43yAt7m1
+dmfm085Vgn26UrPLYYoFVOCQLiSPnVtqGIBrsC7Qp1wzNYrUfo9WI1AjTJzxwPaU
+tgsDMdfF3yQJuDw+LwL+8LHnuAGQj94+6pXfmG/n2qXhfgQDrA1uK8I=
+-----END CERTIFICATE-----
diff --git a/repos/system_upgrade/common/files/prod-certs/9.1/362.pem b/repos/system_upgrade/common/files/prod-certs/9.1/362.pem
new file mode 100644
index 00000000..1bf886e2
--- /dev/null
+++ b/repos/system_upgrade/common/files/prod-certs/9.1/362.pem
@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGNDCCBBygAwIBAgIJALDxRLt/tU82MA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAUBgNVBAoMDVJlZCBI
+YXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEuMCwGA1UEAwwlUmVk
+IEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJ
+ARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMB4XDTIyMDEyNzE2MTcwM1oXDTQyMDEy
+MjE2MTcwM1owRDFCMEAGA1UEAww5UmVkIEhhdCBQcm9kdWN0IElEIFs4Njc0Yjk5
+OC1iZmU1LTRjY2MtODg4NC0zNDgwMDlhY2EzMGZdMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxj9J04z+Ezdyx1U33kFftLv0ntNS1BSeuhoZLDhs18yk
+sepG7hXXtHh2CMFfLZmTjAyL9i1XsxykQpVQdXTGpUF33C2qBQHB5glYs9+d781x
+8p8m8zFxbPcW82TIJXbgW3ErVh8vk5qCbG1cCAAHb+DWMq0EAyy1bl/JgAghYNGB
+RvKJObTdCrdpYh02KUqBLkSPZHvo6DUJFN37MXDpVeQq9VtqRjpKLLwuEfXb0Y7I
+5xEOrR3kYbOaBAWVt3mYZ1t0L/KfY2jVOdU5WFyyB9PhbMdLi1xE801j+GJrwcLa
+xmqvj4UaICRzcPATP86zVM1BBQa+lilkRQes5HyjZzZDiGYudnXhbqmLo/n0cuXo
+QBVVjhzRTMx71Eiiahmiw+U1vGqkHhQNxb13HtN1lcAhUCDrxxeMvrAjYdWpYlpI
+yW3NssPWt1YUHidMBSAJ4KctIf91dyE93aStlxwC/QnyFsZOmcEsBzVCnz9GmWMl
+1/6XzBS1yDUqByklx0TLH+z/sK9A+O2rZAy1mByCYwVxvbOZhnqGxAuToIS+A81v
+5hCjsCiOScVB+cil30YBu0cH85RZ0ILNkHdKdrLLWW4wjphK2nBn2g2i3+ztf+nQ
+ED2pQqZ/rhuW79jcyCZl9kXqe1wOdF0Cwah4N6/3LzIXEEKyEJxNqQwtNc2IVE8C
+AwEAAaOBvTCBujAJBgNVHRMEAjAAMEgGDCsGAQQBkggJAYJqAQQ4DDZSZWQgSGF0
+IEVudGVycHJpc2UgTGludXggZm9yIFBvd2VyLCBsaXR0bGUgZW5kaWFuIEJldGEw
+GgYMKwYBBAGSCAkBgmoCBAoMCDkuMSBCZXRhMBkGDCsGAQQBkggJAYJqAwQJDAdw
+cGM2NGxlMCwGDCsGAQQBkggJAYJqBAQcDBpyaGVsLTkscmhlbC05LWJldGEtcHBj
+NjRsZTANBgkqhkiG9w0BAQsFAAOCAgEAQyA3WPkt5NdFxpA60uTkhSCqgsuwDwCZ
+D1iFeSClTqT5WvEZxAacmepILXqFEv7DIP82cRXbAVYLvr24Wlc9LuEe0r+gAMI1
+SS/IZ/A2kf8yQ4spaPEZ+S8cmtrErM0CqxabaV4E79CTnhxz9Sv0ktG1nIx3e2q9
+ZbrFfXbrmNzli9xOhIFxLtqxvFIVktW3ak0ugDl7Ah7zlt3gJlf2q3/JeaFYuOAf
+4+93F916ss9skekUwd798FPJN8FMDOm9ClRyHFSitgeDijwYCf+rvWjVYnb0Wpfs
+eCZvTGP8J+VnJxDSUlnFbjTEjuzOXXVTqoPrlvfrqfeSTp1X9bf4r2AvstAswfp2
+f/HGli3ZAgnIyupb2HE85wTM+qjeescIIIhzo8BjjiFLszOwNdn74ZcoWC/mSftd
+fx6MAXZH3Qygd3BmaGQ4oDoMpqeK1s8wXNAt/xQ9VpHe/WVQLBOZwi0AqB6bw5Cj
+K4k8YMsFq3yfgJFk4LqDELZd9RYOR6/A6zAcoHGmjqkRTmeC1xVt9UB1fChHNjZK
+/ZDT4mS1qwY48laIdkTiKNqdRiAXUUktQNCkqQ/C2SLgsGe23vJfaxwLh/dLht2u
+GcSes7HrzhdwxOUFnoXZSAxoWyWL2uU6V+iHMLyP78TqhpsaZ0vYQcYw4vQyB8LQ
+AuQfqagBINQ=
+-----END CERTIFICATE-----
diff --git a/repos/system_upgrade/common/files/prod-certs/9.1/363.pem b/repos/system_upgrade/common/files/prod-certs/9.1/363.pem
new file mode 100644
index 00000000..c30db921
--- /dev/null
+++ b/repos/system_upgrade/common/files/prod-certs/9.1/363.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGJjCCBA6gAwIBAgIJALDxRLt/tU81MA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAUBgNVBAoMDVJlZCBI
+YXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEuMCwGA1UEAwwlUmVk
+IEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJ
+ARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMB4XDTIyMDEyNzE2MTY1OFoXDTQyMDEy
+MjE2MTY1OFowRDFCMEAGA1UEAww5UmVkIEhhdCBQcm9kdWN0IElEIFtlY2JjYTFi
+Zi1kYWY2LTQ0MjctYThlNC0wNTQzMWE0ZjdmNGVdMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxj9J04z+Ezdyx1U33kFftLv0ntNS1BSeuhoZLDhs18yk
+sepG7hXXtHh2CMFfLZmTjAyL9i1XsxykQpVQdXTGpUF33C2qBQHB5glYs9+d781x
+8p8m8zFxbPcW82TIJXbgW3ErVh8vk5qCbG1cCAAHb+DWMq0EAyy1bl/JgAghYNGB
+RvKJObTdCrdpYh02KUqBLkSPZHvo6DUJFN37MXDpVeQq9VtqRjpKLLwuEfXb0Y7I
+5xEOrR3kYbOaBAWVt3mYZ1t0L/KfY2jVOdU5WFyyB9PhbMdLi1xE801j+GJrwcLa
+xmqvj4UaICRzcPATP86zVM1BBQa+lilkRQes5HyjZzZDiGYudnXhbqmLo/n0cuXo
+QBVVjhzRTMx71Eiiahmiw+U1vGqkHhQNxb13HtN1lcAhUCDrxxeMvrAjYdWpYlpI
+yW3NssPWt1YUHidMBSAJ4KctIf91dyE93aStlxwC/QnyFsZOmcEsBzVCnz9GmWMl
+1/6XzBS1yDUqByklx0TLH+z/sK9A+O2rZAy1mByCYwVxvbOZhnqGxAuToIS+A81v
+5hCjsCiOScVB+cil30YBu0cH85RZ0ILNkHdKdrLLWW4wjphK2nBn2g2i3+ztf+nQ
+ED2pQqZ/rhuW79jcyCZl9kXqe1wOdF0Cwah4N6/3LzIXEEKyEJxNqQwtNc2IVE8C
+AwEAAaOBrzCBrDAJBgNVHRMEAjAAMDoGDCsGAQQBkggJAYJrAQQqDChSZWQgSGF0
+IEVudGVycHJpc2UgTGludXggZm9yIEFSTSA2NCBCZXRhMBoGDCsGAQQBkggJAYJr
+AgQKDAg5LjEgQmV0YTAZBgwrBgEEAZIICQGCawMECQwHYWFyY2g2NDAsBgwrBgEE
+AZIICQGCawQEHAwacmhlbC05LHJoZWwtOS1iZXRhLWFhcmNoNjQwDQYJKoZIhvcN
+AQELBQADggIBAJskY+jnlGF7G1NVA16XYdQkSs0n8BPQElSTibN9XBbEqkEsSHsS
+SOuYaMa6lH46YFqLEMXrbJ1mvwu2BfkeOTEqtwax61D+MnwHBD9ouEwVQVJXwdKz
+aqVa3ppLdds1wOv4B9bBhVVBElE1YU6I6NMdetQI++zEfmXseqlb19yCEPuva/1h
+H5BX/2EJgQJYPnS3+x2hcOKl5lcX40ZuM876BkWPyp9gy79sd/DrWGYhCRyNNfL4
+9IaPbrEgSxvuhtdIWq4+g5LHU3sRuNuzYSoh+CJU9a0wDaL+PeKmiiuP2FP9Pmbu
+avMO7uQf9hTZQweHePqxVrBfjQM7kgBi2x3oedLGsr2DG6WfOeIa+1J076eChwDQ
+5rYzybyHZwiCu/UKhacGQgEPk35IGDnxNMpSqZOCC8peiKQyq3aSIhZH0rk6J4pV
+SVyhNWmSfCbNboehTB8Qjpt9BAywMPn0jo1JqNWQ9/qEHK95MKu27tU9IqIQvwO5
+ZF4kuJouuBqoPG/N2edkMp+53wu2LLvdgPYEs6UghDh2Eq33AyCCX27W15taxXeR
+91h0qXibsaAUD7e8bvDy5goSER8bD3UFxLdjCIWkQpp5jgzJyIWjY1Dm4OVPcWoB
+/aIQOe15VyH87eyXMXPiDKRe1cLOsK7MqJs+Iks/QIw0hHaOVNt5MpI5
+-----END CERTIFICATE-----
diff --git a/repos/system_upgrade/common/files/prod-certs/9.1/419.pem b/repos/system_upgrade/common/files/prod-certs/9.1/419.pem
new file mode 100644
index 00000000..6acbc763
--- /dev/null
+++ b/repos/system_upgrade/common/files/prod-certs/9.1/419.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGFzCCA/+gAwIBAgIJALDxRLt/tU8fMA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAUBgNVBAoMDVJlZCBI
+YXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEuMCwGA1UEAwwlUmVk
+IEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJ
+ARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMB4XDTIyMDEyNzE2MTQzMVoXDTQyMDEy
+MjE2MTQzMVowRDFCMEAGA1UEAww5UmVkIEhhdCBQcm9kdWN0IElEIFs2YjI1NDIy
+OC03MjZhLTQxMWMtYWJjZS04NDhhNTY0MjBkZTRdMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxj9J04z+Ezdyx1U33kFftLv0ntNS1BSeuhoZLDhs18yk
+sepG7hXXtHh2CMFfLZmTjAyL9i1XsxykQpVQdXTGpUF33C2qBQHB5glYs9+d781x
+8p8m8zFxbPcW82TIJXbgW3ErVh8vk5qCbG1cCAAHb+DWMq0EAyy1bl/JgAghYNGB
+RvKJObTdCrdpYh02KUqBLkSPZHvo6DUJFN37MXDpVeQq9VtqRjpKLLwuEfXb0Y7I
+5xEOrR3kYbOaBAWVt3mYZ1t0L/KfY2jVOdU5WFyyB9PhbMdLi1xE801j+GJrwcLa
+xmqvj4UaICRzcPATP86zVM1BBQa+lilkRQes5HyjZzZDiGYudnXhbqmLo/n0cuXo
+QBVVjhzRTMx71Eiiahmiw+U1vGqkHhQNxb13HtN1lcAhUCDrxxeMvrAjYdWpYlpI
+yW3NssPWt1YUHidMBSAJ4KctIf91dyE93aStlxwC/QnyFsZOmcEsBzVCnz9GmWMl
+1/6XzBS1yDUqByklx0TLH+z/sK9A+O2rZAy1mByCYwVxvbOZhnqGxAuToIS+A81v
+5hCjsCiOScVB+cil30YBu0cH85RZ0ILNkHdKdrLLWW4wjphK2nBn2g2i3+ztf+nQ
+ED2pQqZ/rhuW79jcyCZl9kXqe1wOdF0Cwah4N6/3LzIXEEKyEJxNqQwtNc2IVE8C
+AwEAAaOBoDCBnTAJBgNVHRMEAjAAMDUGDCsGAQQBkggJAYMjAQQlDCNSZWQgSGF0
+IEVudGVycHJpc2UgTGludXggZm9yIEFSTSA2NDAVBgwrBgEEAZIICQGDIwIEBQwD
+OS4xMBkGDCsGAQQBkggJAYMjAwQJDAdhYXJjaDY0MCcGDCsGAQQBkggJAYMjBAQX
+DBVyaGVsLTkscmhlbC05LWFhcmNoNjQwDQYJKoZIhvcNAQELBQADggIBAErSvVD1
+Rq4PcUUGjVoZxCuNL6gwZmTZyN7KkSHRBXgOcYbxRdUvRHTxBJ2fnA91cMh5wdJf
+TOkYQEekH5iW70jLQUtRW7Ld6d5M6yXGYa54TIZRBFRHn66ltZL8Ub42PkKWb0tu
+icF8gtk2WEx4vm/rLvU1xS2ZEYzX1lyn0fj6UJmqO82EuJOhQW1qeYhTa7sW9SpD
+D58zJiFLovVcNk8Te8A1UVMiajazUMQn7eapyFEqDAOnrhY31oMUuoyon2XLeFQc
+DPtL+NBKh1x9Y1dyHGN0wwYrLzqLbSiGS7van2lzgI4E7niRpJGsTGg9E3A5g7Mu
+FRcp1dWXnP/82/mR4Vln1bLvujNaOdx3VjuJt5GsS7XYZu2AwjpEMwEosWvayzLd
+TqS8MDWilCIVVFScDUYQUaqYDkASweAe/HEpNirKZK01LGsXOeZxVOxUlOXM28eH
+fyVlKT5zM2dhFXnkQR9yRuXvteKXIVFelH5zD7smDmDqwSeSDXqaxETVHyy2igSU
+70l7cx9XsjSbLpgTLBg61PRE9JMKoUrCrA70zphTTAq6cZ0KIkgJMsQH3iAqChL2
+aY2o2FrOovBWmjqOl6sF1VHU43Io9cJPeNwXNR5UI9jxf8wPy/4mBPDPaUGhHpL2
+bwJPlJP/516RMFzGXhR5PuCvw1UGzqN8UCmL
+-----END CERTIFICATE-----
diff --git a/repos/system_upgrade/common/files/prod-certs/9.1/433.pem b/repos/system_upgrade/common/files/prod-certs/9.1/433.pem
new file mode 100644
index 00000000..6bf7a7ce
--- /dev/null
+++ b/repos/system_upgrade/common/files/prod-certs/9.1/433.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGKTCCBBGgAwIBAgIJALDxRLt/tU83MA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAUBgNVBAoMDVJlZCBI
+YXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEuMCwGA1UEAwwlUmVk
+IEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJ
+ARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMB4XDTIyMDEyNzE2MTcwOFoXDTQyMDEy
+MjE2MTcwOFowRDFCMEAGA1UEAww5UmVkIEhhdCBQcm9kdWN0IElEIFtjY2Q5OTA5
+My01OGY2LTQ5YzQtYWQ0YS0zMGViNjQ3MjA2N2VdMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxj9J04z+Ezdyx1U33kFftLv0ntNS1BSeuhoZLDhs18yk
+sepG7hXXtHh2CMFfLZmTjAyL9i1XsxykQpVQdXTGpUF33C2qBQHB5glYs9+d781x
+8p8m8zFxbPcW82TIJXbgW3ErVh8vk5qCbG1cCAAHb+DWMq0EAyy1bl/JgAghYNGB
+RvKJObTdCrdpYh02KUqBLkSPZHvo6DUJFN37MXDpVeQq9VtqRjpKLLwuEfXb0Y7I
+5xEOrR3kYbOaBAWVt3mYZ1t0L/KfY2jVOdU5WFyyB9PhbMdLi1xE801j+GJrwcLa
+xmqvj4UaICRzcPATP86zVM1BBQa+lilkRQes5HyjZzZDiGYudnXhbqmLo/n0cuXo
+QBVVjhzRTMx71Eiiahmiw+U1vGqkHhQNxb13HtN1lcAhUCDrxxeMvrAjYdWpYlpI
+yW3NssPWt1YUHidMBSAJ4KctIf91dyE93aStlxwC/QnyFsZOmcEsBzVCnz9GmWMl
+1/6XzBS1yDUqByklx0TLH+z/sK9A+O2rZAy1mByCYwVxvbOZhnqGxAuToIS+A81v
+5hCjsCiOScVB+cil30YBu0cH85RZ0ILNkHdKdrLLWW4wjphK2nBn2g2i3+ztf+nQ
+ED2pQqZ/rhuW79jcyCZl9kXqe1wOdF0Cwah4N6/3LzIXEEKyEJxNqQwtNc2IVE8C
+AwEAAaOBsjCBrzAJBgNVHRMEAjAAMEEGDCsGAQQBkggJAYMxAQQxDC9SZWQgSGF0
+IEVudGVycHJpc2UgTGludXggZm9yIElCTSB6IFN5c3RlbXMgQmV0YTAaBgwrBgEE
+AZIICQGDMQIECgwIOS4xIEJldGEwFwYMKwYBBAGSCAkBgzEDBAcMBXMzOTB4MCoG
+DCsGAQQBkggJAYMxBAQaDBhyaGVsLTkscmhlbC05LWJldGEtczM5MHgwDQYJKoZI
+hvcNAQELBQADggIBALHMRvdZe+o9Q10SomVtnf2i/AKg+APq60JCwBXim7bpZKrz
+GpH5o6FPlUG9mAvrbf14lXq1wQDM4lbpm7NxXzauxf9SF/L/kp9RzCD9MXXze0rv
+zZBPj2gnGrvtyo3jXp5ZB8/BIMxkzOjUooYSVVGtRwI4PDEWStVzUokVHTIr9Aej
+ErJbtY7qGQpCruqD/66UX/8lffbbaPbh148ZNkz0eDmVU97PEnPpzDV8S+ikTayc
+uzXadOrmPP/oMBRMFhw5lCST0J0mWXxyWfZzU3Et9Lm3w9sDd+r8Ed7dlJImLH5N
+FwWv4Yu3ucX4Ww4/nASE5Ag6n7drNRs/+EfSTFNu33uicVqoVwu2kJosekAnZ/EI
+Pof1TvYiVRp2R3XGJQQ4hcOkHLF40kurfqxTLUTyrSk5e80IR10cT/WBUoze7h5y
+SJ098+9NRbMSoRdZ2y/CEOy1CHJQ1RCuj8zGSadhhO0mJC3Bio63boGidVhDZYJR
+k6oIbU8K/DIbPlcvcQ1iuIvRRDH2lHXzC5s9CVzThq43EHk7DtaHisZkHTjRbZDf
+/3kEFiHmEq84id4AQ+c55U8t+OfMcERDfbVF0+R9U9AsdI2TcSsiUt0byLj5R6HJ
+XLz/rDfj13pv5I3nmb2tcTD2dw+c8rbO8WeodVQ3Au9q4X9ggWkTkJ7UJ/Xu
+-----END CERTIFICATE-----
diff --git a/repos/system_upgrade/common/files/prod-certs/9.1/479.pem b/repos/system_upgrade/common/files/prod-certs/9.1/479.pem
new file mode 100644
index 00000000..daf2a5e5
--- /dev/null
+++ b/repos/system_upgrade/common/files/prod-certs/9.1/479.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGFTCCA/2gAwIBAgIJALDxRLt/tU8iMA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAUBgNVBAoMDVJlZCBI
+YXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEuMCwGA1UEAwwlUmVk
+IEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJ
+ARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMB4XDTIyMDEyNzE2MTQ0NloXDTQyMDEy
+MjE2MTQ0NlowRDFCMEAGA1UEAww5UmVkIEhhdCBQcm9kdWN0IElEIFs4ODA2Yjll
+My00OWRlLTQ4NmQtYTJhYi0wMDk0Mzc0MGRkNDBdMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxj9J04z+Ezdyx1U33kFftLv0ntNS1BSeuhoZLDhs18yk
+sepG7hXXtHh2CMFfLZmTjAyL9i1XsxykQpVQdXTGpUF33C2qBQHB5glYs9+d781x
+8p8m8zFxbPcW82TIJXbgW3ErVh8vk5qCbG1cCAAHb+DWMq0EAyy1bl/JgAghYNGB
+RvKJObTdCrdpYh02KUqBLkSPZHvo6DUJFN37MXDpVeQq9VtqRjpKLLwuEfXb0Y7I
+5xEOrR3kYbOaBAWVt3mYZ1t0L/KfY2jVOdU5WFyyB9PhbMdLi1xE801j+GJrwcLa
+xmqvj4UaICRzcPATP86zVM1BBQa+lilkRQes5HyjZzZDiGYudnXhbqmLo/n0cuXo
+QBVVjhzRTMx71Eiiahmiw+U1vGqkHhQNxb13HtN1lcAhUCDrxxeMvrAjYdWpYlpI
+yW3NssPWt1YUHidMBSAJ4KctIf91dyE93aStlxwC/QnyFsZOmcEsBzVCnz9GmWMl
+1/6XzBS1yDUqByklx0TLH+z/sK9A+O2rZAy1mByCYwVxvbOZhnqGxAuToIS+A81v
+5hCjsCiOScVB+cil30YBu0cH85RZ0ILNkHdKdrLLWW4wjphK2nBn2g2i3+ztf+nQ
+ED2pQqZ/rhuW79jcyCZl9kXqe1wOdF0Cwah4N6/3LzIXEEKyEJxNqQwtNc2IVE8C
+AwEAAaOBnjCBmzAJBgNVHRMEAjAAMDUGDCsGAQQBkggJAYNfAQQlDCNSZWQgSGF0
+IEVudGVycHJpc2UgTGludXggZm9yIHg4Nl82NDAVBgwrBgEEAZIICQGDXwIEBQwD
+OS4xMBgGDCsGAQQBkggJAYNfAwQIDAZ4ODZfNjQwJgYMKwYBBAGSCAkBg18EBBYM
+FHJoZWwtOSxyaGVsLTkteDg2XzY0MA0GCSqGSIb3DQEBCwUAA4ICAQDW03/f7G4a
+DeZ9vW/fmgqk/08PSp0B9eknQJAl4JGSoK6GfIyqlHBlYRd+eiAIJD0CnIAF7mEP
+UBJkdT3OlLtqGzXCHZVU8Cwkuvg/0WVfH6qAr8GRwc8fa5DdC1odkDthz4gCbusm
+Mtkq9rETow1Ub04eEt7mGNE/NaGwUBVnT7jfmrdFMr+SNjQhgH3Tb/ftnQ2vOZn3
+QRAvpbmUX1YNC/uf00k95XX7Ibsqr3awvTad47L5UKtVxlgxPzuerB5EgUt8XJBK
+NRk9Bz7T8UMvu+8j8cMB2Mxp8X/3XV0aF17mGR7JuG1KUfgoVU23GHtGx5fZtk6F
+/bg53ibXtC9ULmoRP9E+RRG1o/66QMV4DvPig43mP139jq3PohRfYqSowFCZu6aS
+F7Tn1Ceu1LPQdq17DXOlaSdrlFpS4Psf/GLOOh8LtJdDfJMeD9NFF8DB78rnNOVN
+AZ2qAZYxMxxjRamHrg6pnnm08bGNI/aNXNyhssFPxqWcXFzwr3ZGoYCTph35xi0R
++43f9T/Wb0aqa1yyOkDVdtxDllX+spYUwb3IwxBnWq2PYeNqVi5Qy4R4aWlOVGRX
+U8WZGLrkK9w76r882b+z9qhJlpvz9weCikpytj1cD3+ExOMsOPcJS3OfX0Gxdjba
+LOwZVjjsa8cCnK1+wd/QIRhh+IHDdJkG2g==
+-----END CERTIFICATE-----
diff --git a/repos/system_upgrade/common/files/prod-certs/9.1/486.pem b/repos/system_upgrade/common/files/prod-certs/9.1/486.pem
new file mode 100644
index 00000000..8ffd13a4
--- /dev/null
+++ b/repos/system_upgrade/common/files/prod-certs/9.1/486.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGJDCCBAygAwIBAgIJALDxRLt/tU84MA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAUBgNVBAoMDVJlZCBI
+YXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEuMCwGA1UEAwwlUmVk
+IEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJ
+ARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMB4XDTIyMDEyNzE2MTcxM1oXDTQyMDEy
+MjE2MTcxM1owRDFCMEAGA1UEAww5UmVkIEhhdCBQcm9kdWN0IElEIFsxYjdlYzQz
+Ny04ODQ2LTQ2ZWMtYjdmZi03MzQ3MzM3NjAwOTRdMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxj9J04z+Ezdyx1U33kFftLv0ntNS1BSeuhoZLDhs18yk
+sepG7hXXtHh2CMFfLZmTjAyL9i1XsxykQpVQdXTGpUF33C2qBQHB5glYs9+d781x
+8p8m8zFxbPcW82TIJXbgW3ErVh8vk5qCbG1cCAAHb+DWMq0EAyy1bl/JgAghYNGB
+RvKJObTdCrdpYh02KUqBLkSPZHvo6DUJFN37MXDpVeQq9VtqRjpKLLwuEfXb0Y7I
+5xEOrR3kYbOaBAWVt3mYZ1t0L/KfY2jVOdU5WFyyB9PhbMdLi1xE801j+GJrwcLa
+xmqvj4UaICRzcPATP86zVM1BBQa+lilkRQes5HyjZzZDiGYudnXhbqmLo/n0cuXo
+QBVVjhzRTMx71Eiiahmiw+U1vGqkHhQNxb13HtN1lcAhUCDrxxeMvrAjYdWpYlpI
+yW3NssPWt1YUHidMBSAJ4KctIf91dyE93aStlxwC/QnyFsZOmcEsBzVCnz9GmWMl
+1/6XzBS1yDUqByklx0TLH+z/sK9A+O2rZAy1mByCYwVxvbOZhnqGxAuToIS+A81v
+5hCjsCiOScVB+cil30YBu0cH85RZ0ILNkHdKdrLLWW4wjphK2nBn2g2i3+ztf+nQ
+ED2pQqZ/rhuW79jcyCZl9kXqe1wOdF0Cwah4N6/3LzIXEEKyEJxNqQwtNc2IVE8C
+AwEAAaOBrTCBqjAJBgNVHRMEAjAAMDoGDCsGAQQBkggJAYNmAQQqDChSZWQgSGF0
+IEVudGVycHJpc2UgTGludXggZm9yIHg4Nl82NCBCZXRhMBoGDCsGAQQBkggJAYNm
+AgQKDAg5LjEgQmV0YTAYBgwrBgEEAZIICQGDZgMECAwGeDg2XzY0MCsGDCsGAQQB
+kggJAYNmBAQbDBlyaGVsLTkscmhlbC05LWJldGEteDg2XzY0MA0GCSqGSIb3DQEB
+CwUAA4ICAQBy2AguldzCVHFa3C02RoPZu9fIakvyQMqtq+xN9fhbPFJdcDWG6nqZ
+w63Oq6bzYYIkeM1KRfnteVwG54OOPlnhfnSt4AQ2HOjffFgMlZKbiCL1mV2UBsN9
+TFivspxb88I82X+31sYdqgd7HZP8e+hmhENLOoEwntCsG2bjtRzYlXLF/7JEWGml
+/Dgfx5e2/wyerIQMQ384WfVpAxJBdJrkUe5W/ap8TnmkN/Ct9jKwIJ3JLSe+tbwI
+KUHFLAHcAm/7zZzzNps4M6MC/XrakvG6HiBODzc2QMgxiGNIm+FNhF3sgJVebSyy
+m9qbk8w/OjSCD2cdeZkuoLdi3f26GiJi3QzT5Bojcf/y2GTJzzzy3BaVlbOdwd+T
+Do4AVv5nmF/0HkquJPCM92avLIOIuqbAU7q92y00l8ephPFo7dNorO1jqBSPEOzb
+Ff9EXIqy12xicbAO4ob1WoTjcGwX8qTB16sfcYd+pSucqQnYaIyFaDrH7yYuWCWO
+qDKyi3REbQNtAi7xYsMNLiS+ZA8XO394ijPFNqQgEcaGx20iY4l23y7D2rx+hUQL
+TVMvxWD0eS1ZC3LuGFqF5A1y/MPxT8n0giItWI5ASlp5fzgxsq4aBdQ/Z2QuvtMu
+gstPN2uvybhokLoNseOgEYz+Y5J8EuO1rrVMfRDLeKVqE9/O9z6aXw==
+-----END CERTIFICATE-----
diff --git a/repos/system_upgrade/common/files/prod-certs/9.1/72.pem b/repos/system_upgrade/common/files/prod-certs/9.1/72.pem
new file mode 100644
index 00000000..2a2e4762
--- /dev/null
+++ b/repos/system_upgrade/common/files/prod-certs/9.1/72.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGFjCCA/6gAwIBAgIJALDxRLt/tU8hMA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExFjAUBgNVBAoMDVJlZCBI
+YXQsIEluYy4xGDAWBgNVBAsMD1JlZCBIYXQgTmV0d29yazEuMCwGA1UEAwwlUmVk
+IEhhdCBFbnRpdGxlbWVudCBQcm9kdWN0IEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJ
+ARYVY2Etc3VwcG9ydEByZWRoYXQuY29tMB4XDTIyMDEyNzE2MTQ0MVoXDTQyMDEy
+MjE2MTQ0MVowRDFCMEAGA1UEAww5UmVkIEhhdCBQcm9kdWN0IElEIFtiMjY4OGFl
+MC0xOWRlLTQ4N2EtYjQ3Zi04OTNhZjA3Zjg5YTBdMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxj9J04z+Ezdyx1U33kFftLv0ntNS1BSeuhoZLDhs18yk
+sepG7hXXtHh2CMFfLZmTjAyL9i1XsxykQpVQdXTGpUF33C2qBQHB5glYs9+d781x
+8p8m8zFxbPcW82TIJXbgW3ErVh8vk5qCbG1cCAAHb+DWMq0EAyy1bl/JgAghYNGB
+RvKJObTdCrdpYh02KUqBLkSPZHvo6DUJFN37MXDpVeQq9VtqRjpKLLwuEfXb0Y7I
+5xEOrR3kYbOaBAWVt3mYZ1t0L/KfY2jVOdU5WFyyB9PhbMdLi1xE801j+GJrwcLa
+xmqvj4UaICRzcPATP86zVM1BBQa+lilkRQes5HyjZzZDiGYudnXhbqmLo/n0cuXo
+QBVVjhzRTMx71Eiiahmiw+U1vGqkHhQNxb13HtN1lcAhUCDrxxeMvrAjYdWpYlpI
+yW3NssPWt1YUHidMBSAJ4KctIf91dyE93aStlxwC/QnyFsZOmcEsBzVCnz9GmWMl
+1/6XzBS1yDUqByklx0TLH+z/sK9A+O2rZAy1mByCYwVxvbOZhnqGxAuToIS+A81v
+5hCjsCiOScVB+cil30YBu0cH85RZ0ILNkHdKdrLLWW4wjphK2nBn2g2i3+ztf+nQ
+ED2pQqZ/rhuW79jcyCZl9kXqe1wOdF0Cwah4N6/3LzIXEEKyEJxNqQwtNc2IVE8C
+AwEAAaOBnzCBnDAJBgNVHRMEAjAAMDsGCysGAQQBkggJAUgBBCwMKlJlZCBIYXQg
+RW50ZXJwcmlzZSBMaW51eCBmb3IgSUJNIHogU3lzdGVtczAUBgsrBgEEAZIICQFI
+AgQFDAM5LjEwFgYLKwYBBAGSCAkBSAMEBwwFczM5MHgwJAYLKwYBBAGSCAkBSAQE
+FQwTcmhlbC05LHJoZWwtOS1zMzkweDANBgkqhkiG9w0BAQsFAAOCAgEAMrD6Jk+a
+rSI/tW1YXvO++Th/x6+kvYmPTFCSG2h3VyC+PUgsn/Oq+szuSlS6alWOFX2UWjyM
+RI+VxCL0nRWHuqOWJXIxJy/qoqQwAikimsLfS7UgB/TnbP4d5J19jwtkVFlAIqWu
+FEWiMgLBQyjaKuqR0puexD8N5QfAx+++7sh27NU2NPFHOKi0gv4omITny0so5gAJ
+/AvgyU9p0czelRmO7cjtHD37fBMnVWRSfCAd2D5puadoQwAMe5a+YDQ95yQmpRi6
+FjQYXfuSVxdac1nLHXpK/KzRYP2YlTK7e6GbVTCR5QpTrXKv83hZS8KTZN1oSJ3H
+Q97Ykyyl6xTUv0nGggtkSWlLY1S+LzV5Bs+Jx7M4Vwb9cKQVtWeKB1tt+caLzhlu
+qMW8fELU8cbS2+9W7+wphRx7MUyEihKCMmEyUg5PNIRUxDiVCYgET3fAo38eWqv0
+By99ZBfzgaSN9N25zVvZd8/iDpNCvz49675nx/o04hbMDFc7b1JE9D6lsnqZc+Po
+voeiQC/AYiyB0cwgEIoJL6VF0crYMOAUdxJlx5pYByrOMxMRkeBhREgtNjZOPMFC
+FUvKuC15Mp6Cnkiu0jtoCRW649R0txxBeKl8oFq4WxAkjYitjk72Mmd6ogFr3BU4
+6dnEcucOH7d7QQUfdt7iMFSvwjQO02ya4Nk=
+-----END CERTIFICATE-----
--
2.35.3

31
SOURCES/0035-Add-upgrade-path-8.7-9.0.patch Normal file
View File

@ -0,0 +1,31 @@
From 5e364e0aedacb93340d7a43ce8b34b84eababa3f Mon Sep 17 00:00:00 2001
From: Petr Stodulka <pstodulk@redhat.com>
Date: Thu, 19 May 2022 10:18:19 +0200
Subject: [PATCH 35/39] Add upgrade path 8.7 -> 9.0
The next supported upgrade path for IPU 8 -> 9 is 8.7 -> 9.0.
As the development and testing are already in progress, enable
8.7 system for the upgrade for non-sap systems.
With that, we expect in future to drop 8.6 -> 9.0, but keeping it
for now as we want to be able to test the functionality with 8.6
as well in this phase.
---
repos/system_upgrade/common/files/upgrade_paths.json | 1 +
1 file changed, 1 insertion(+)
diff --git a/repos/system_upgrade/common/files/upgrade_paths.json b/repos/system_upgrade/common/files/upgrade_paths.json
index 30d25353..224d6563 100644
--- a/repos/system_upgrade/common/files/upgrade_paths.json
+++ b/repos/system_upgrade/common/files/upgrade_paths.json
@@ -3,6 +3,7 @@
"7.6": ["8.4", "8.6"],
"7.9": ["8.4", "8.6"],
"8.6": ["9.0"],
+ "8.7": ["9.0"],
"7": ["8.4", "8.6"],
"8": ["9.0"]
},
--
2.35.3

255
SOURCES/0036-Handle-7-to-8-IPUs-on-Google-Cloud-897.patch Normal file
View File

@ -0,0 +1,255 @@
From 2958dffb2807e1cae01fc22754f6da4314ebf7a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20He=C4=8Dko?= <michal.sk.com@gmail.com>
Date: Thu, 26 May 2022 11:30:23 +0200
Subject: [PATCH 36/39] Handle 7 to 8 IPUs on Google Cloud (#897)
* Handle upgrades on google cloud
* Fix "switch" typo
Co-authored-by: Irina Gulina <alexxa@users.noreply.github.com>
Co-authored-by: Michal Hecko <mhecko@redhat.com>
Co-authored-by: Michal Reznik (mreznik) <mreznik@redhat.com>
Co-authored-by: Irina Gulina <alexxa@users.noreply.github.com>
---
.../common/actors/cloud/checkrhui/actor.py | 28 +++++++++++++++++--
.../libraries/peseventsscanner_repomap.py | 15 +++++-----
.../actors/redhatsignedrpmscanner/actor.py | 19 ++++++-------
.../libraries/setuptargetrepos_repomap.py | 15 +++++-----
repos/system_upgrade/common/libraries/rhui.py | 24 ++++++++++++++++
.../common/models/repositoriesmap.py | 9 +++---
6 files changed, 78 insertions(+), 32 deletions(-)
diff --git a/repos/system_upgrade/common/actors/cloud/checkrhui/actor.py b/repos/system_upgrade/common/actors/cloud/checkrhui/actor.py
index df055f94..552cde54 100644
--- a/repos/system_upgrade/common/actors/cloud/checkrhui/actor.py
+++ b/repos/system_upgrade/common/actors/cloud/checkrhui/actor.py
@@ -1,14 +1,19 @@
+import os
+
from leapp import reporting
from leapp.actors import Actor
from leapp.libraries.common import rhsm, rhui
from leapp.libraries.common.rpms import has_package
+from leapp.libraries.stdlib import api
from leapp.models import (
+ CopyFile,
DNFPluginTask,
InstalledRPM,
KernelCmdlineArg,
RequiredTargetUserspacePackages,
RHUIInfo,
- RpmTransactionTasks
+ RpmTransactionTasks,
+ TargetUserSpacePreupgradeTasks
)
from leapp.reporting import create_report, Report
from leapp.tags import FactsPhaseTag, IPUWorkflowTag
@@ -28,6 +33,8 @@ class CheckRHUI(Actor):
RequiredTargetUserspacePackages,
Report, DNFPluginTask,
RpmTransactionTasks,
+ TargetUserSpacePreupgradeTasks,
+ CopyFile,
)
tags = (FactsPhaseTag, IPUWorkflowTag)
@@ -44,6 +51,16 @@ class CheckRHUI(Actor):
is_azure_sap = True
provider = 'azure-sap'
info = rhui.RHUI_CLOUD_MAP[upg_path]['azure-sap']
+
+ if provider.startswith('google'):
+ rhui_dir = api.get_common_folder_path('rhui')
+ repofile = os.path.join(rhui_dir, provider, 'leapp-{}.repo'.format(provider))
+ api.produce(
+ TargetUserSpacePreupgradeTasks(
+ copy_files=[CopyFile(src=repofile, dst='/etc/yum.repos.d/leapp-google-copied.repo')]
+ )
+ )
+
if not rhsm.skip_rhsm():
create_report([
reporting.Title('Upgrade initiated with RHSM on public cloud with RHUI infrastructure'),
@@ -56,7 +73,9 @@ class CheckRHUI(Actor):
reporting.Tags([reporting.Tags.PUBLIC_CLOUD]),
])
return
- # AWS RHUI package is provided and signed by RH but the Azure one not
+
+ # When upgrading with RHUI we cannot switch certs and let RHSM provide us repos for target OS content.
+ # Instead, Leapp's provider-specific package containing target OS certs and repos has to be installed.
if not has_package(InstalledRPM, info['leapp_pkg']):
create_report([
reporting.Title('Package "{}" is missing'.format(info['leapp_pkg'])),
@@ -71,12 +90,15 @@ class CheckRHUI(Actor):
reporting.Remediation(commands=[['yum', 'install', '-y', info['leapp_pkg']]])
])
return
+
# there are several "variants" related to the *AWS* provider (aws, aws-sap)
if provider.startswith('aws'):
# We have to disable Amazon-id plugin in the initramdisk phase as the network
# is down at the time
self.produce(DNFPluginTask(name='amazon-id', disable_in=['upgrade']))
- # if RHEL7 and RHEL8 packages differ, we cannot rely on simply updating them
+
+ # If source OS and target OS packages differ we must remove the source pkg, and install the target pkg.
+ # If the packages do not differ, it is sufficient to upgrade them during the upgrade
if info['src_pkg'] != info['target_pkg']:
self.produce(RpmTransactionTasks(to_install=[info['target_pkg']]))
self.produce(RpmTransactionTasks(to_remove=[info['src_pkg']]))
diff --git a/repos/system_upgrade/common/actors/peseventsscanner/libraries/peseventsscanner_repomap.py b/repos/system_upgrade/common/actors/peseventsscanner/libraries/peseventsscanner_repomap.py
index 22892e4b..567e8475 100644
--- a/repos/system_upgrade/common/actors/peseventsscanner/libraries/peseventsscanner_repomap.py
+++ b/repos/system_upgrade/common/actors/peseventsscanner/libraries/peseventsscanner_repomap.py
@@ -50,13 +50,14 @@ class RepoMapDataHandler(object):
# will be used instead
self.prio_channel = get_target_product_channel(default=None)
- # Cloud provider might have multiple variants: aws: (aws, aws-sap-es4), azure: (azure, azure-sap)
- if cloud_provider.startswith('aws'):
- self.cloud_provider = 'aws'
- elif cloud_provider.startswith('azure'):
- self.cloud_provider = 'azure'
- else:
- self.cloud_provider = cloud_provider
+ self.cloud_provider = cloud_provider
+
+ # Cloud provider might have multiple variants, e.g, aws: (aws, aws-sap-es4) - normalize it
+ cloud_providers = ('aws', 'azure', 'google')
+ for provider in cloud_providers:
+ if cloud_provider.startswith(provider):
+ self.cloud_provider = provider
+ break
def set_default_channels(self, default_channels):
"""
diff --git a/repos/system_upgrade/common/actors/redhatsignedrpmscanner/actor.py b/repos/system_upgrade/common/actors/redhatsignedrpmscanner/actor.py
index 01f6df38..ce6d9985 100644
--- a/repos/system_upgrade/common/actors/redhatsignedrpmscanner/actor.py
+++ b/repos/system_upgrade/common/actors/redhatsignedrpmscanner/actor.py
@@ -54,15 +54,14 @@ class RedHatSignedRpmScanner(Actor):
"""Whitelist the katello package."""
return pkg.name.startswith('katello-ca-consumer')
- def is_azure_pkg(pkg):
- """Whitelist Azure config package."""
- upg_path = rhui.get_upg_path()
-
- src_pkg = rhui.RHUI_CLOUD_MAP[upg_path].get('azure', {}).get('src_pkg')
- src_pkg_sap = rhui.RHUI_CLOUD_MAP[upg_path].get('azure-sap', {}).get('src_pkg')
- target_pkg = rhui.RHUI_CLOUD_MAP[upg_path].get('azure', {}).get('target_pkg')
- target_pkg_sap = rhui.RHUI_CLOUD_MAP[upg_path].get('azure-sap', {}).get('target_pkg')
- return pkg.name in [src_pkg, src_pkg_sap, target_pkg, target_pkg_sap]
+ upg_path = rhui.get_upg_path()
+ whitelisted_cloud_flavours = ('azure', 'azure-sap', 'google', 'google-sap')
+ whitelisted_cloud_pkgs = {
+ rhui.RHUI_CLOUD_MAP[upg_path].get(flavour, {}).get('src_pkg') for flavour in whitelisted_cloud_flavours
+ }
+ whitelisted_cloud_pkgs.update(
+ rhui.RHUI_CLOUD_MAP[upg_path].get(flavour, {}).get('target_pkg') for flavour in whitelisted_cloud_flavours
+ )
for rpm_pkgs in self.consume(InstalledRPM):
for pkg in rpm_pkgs.items:
@@ -71,7 +70,7 @@ class RedHatSignedRpmScanner(Actor):
has_rhsig(pkg),
is_gpg_pubkey(pkg),
has_katello_prefix(pkg),
- is_azure_pkg(pkg),
+ pkg.name in whitelisted_cloud_pkgs,
]
):
signed_pkgs.items.append(pkg)
diff --git a/repos/system_upgrade/common/actors/setuptargetrepos/libraries/setuptargetrepos_repomap.py b/repos/system_upgrade/common/actors/setuptargetrepos/libraries/setuptargetrepos_repomap.py
index 22892e4b..567e8475 100644
--- a/repos/system_upgrade/common/actors/setuptargetrepos/libraries/setuptargetrepos_repomap.py
+++ b/repos/system_upgrade/common/actors/setuptargetrepos/libraries/setuptargetrepos_repomap.py
@@ -50,13 +50,14 @@ class RepoMapDataHandler(object):
# will be used instead
self.prio_channel = get_target_product_channel(default=None)
- # Cloud provider might have multiple variants: aws: (aws, aws-sap-es4), azure: (azure, azure-sap)
- if cloud_provider.startswith('aws'):
- self.cloud_provider = 'aws'
- elif cloud_provider.startswith('azure'):
- self.cloud_provider = 'azure'
- else:
- self.cloud_provider = cloud_provider
+ self.cloud_provider = cloud_provider
+
+ # Cloud provider might have multiple variants, e.g, aws: (aws, aws-sap-es4) - normalize it
+ cloud_providers = ('aws', 'azure', 'google')
+ for provider in cloud_providers:
+ if cloud_provider.startswith(provider):
+ self.cloud_provider = provider
+ break
def set_default_channels(self, default_channels):
"""
diff --git a/repos/system_upgrade/common/libraries/rhui.py b/repos/system_upgrade/common/libraries/rhui.py
index 3d355ff6..194aad98 100644
--- a/repos/system_upgrade/common/libraries/rhui.py
+++ b/repos/system_upgrade/common/libraries/rhui.py
@@ -78,6 +78,30 @@ RHUI_CLOUD_MAP = {
('leapp-azure-sap.repo', YUM_REPOS_PATH)
],
},
+ 'google': {
+ 'src_pkg': 'google-rhui-client-rhel7',
+ 'target_pkg': 'google-rhui-client-rhel8',
+ 'leapp_pkg': 'leapp-rhui-google',
+ 'leapp_pkg_repo': 'leapp-google.repo',
+ 'files_map': [
+ ('content.crt', RHUI_PKI_PRODUCT_DIR),
+ ('ca.crt', RHUI_PKI_DIR),
+ ('key.pem', RHUI_PKI_DIR),
+ ('leapp-google.repo', YUM_REPOS_PATH)
+ ],
+ },
+ 'google-sap': {
+ 'src_pkg': 'google-rhui-client-rhel79-sap',
+ 'target_pkg': 'google-rhui-client-rhel8-sap',
+ 'leapp_pkg': 'leapp-rhui-google-sap',
+ 'leapp_pkg_repo': 'leapp-google-sap.repo',
+ 'files_map': [
+ ('content.crt', RHUI_PKI_PRODUCT_DIR),
+ ('ca.crt', RHUI_PKI_DIR),
+ ('key.pem', RHUI_PKI_DIR),
+ ('leapp-google-sap.repo', YUM_REPOS_PATH)
+ ],
+ },
},
'8to9': {
'aws': {
diff --git a/repos/system_upgrade/common/models/repositoriesmap.py b/repos/system_upgrade/common/models/repositoriesmap.py
index c1873333..824c4557 100644
--- a/repos/system_upgrade/common/models/repositoriesmap.py
+++ b/repos/system_upgrade/common/models/repositoriesmap.py
@@ -1,4 +1,4 @@
-from leapp.models import Model, fields
+from leapp.models import fields, Model
from leapp.topics import TransactionTopic
@@ -71,12 +71,11 @@ class PESIDRepositoryEntry(Model):
purposes. The other channels indicate premium repositories.
"""
- rhui = fields.StringEnum(['', 'aws', 'azure'])
+ rhui = fields.StringEnum(['', 'aws', 'azure', 'google'])
"""
- Indicate whether the repository is deliver for RHUI and which one.
+ Specifies what cloud provider (RHUI) is the repository specific to.
- For non-rhui systems: empty string
- For AWS or Azure: 'aws' / 'azure'
+ Empty string denotes that the repository is not specific to any cloud provider.
"""
--
2.35.3

92
SOURCES/0037-CheckNFS-actor-should-respect-nfsd-filesystem.patch Normal file
View File

@ -0,0 +1,92 @@
From 184dc7be352e5f23d5f85fadb681ddc839dfffbe Mon Sep 17 00:00:00 2001
From: Inessa Vasilevskaya <ivasilev@redhat.com>
Date: Tue, 10 May 2022 14:41:37 +0200
Subject: [PATCH 37/39] CheckNFS actor should respect nfsd filesystem
Check filesystem type for full match with 'nfs'
otherwise false positive fires like in 'nfsd' may
occur.
OAMG-6355
---
.../system_upgrade/common/actors/checknfs/actor.py | 13 ++++++++-----
.../common/actors/checknfs/tests/test_checknfs.py | 11 +++++++++--
2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/repos/system_upgrade/common/actors/checknfs/actor.py b/repos/system_upgrade/common/actors/checknfs/actor.py
index 2461a83a..cfef3827 100644
--- a/repos/system_upgrade/common/actors/checknfs/actor.py
+++ b/repos/system_upgrade/common/actors/checknfs/actor.py
@@ -1,7 +1,7 @@
+from leapp import reporting
from leapp.actors import Actor
from leapp.models import StorageInfo
-from leapp.reporting import Report, create_report
-from leapp import reporting
+from leapp.reporting import create_report, Report
from leapp.tags import ChecksPhaseTag, IPUWorkflowTag
@@ -22,24 +22,27 @@ class CheckNfs(Actor):
"We have found NFS usage at the following locations:\n"
nfs_found = False
+ def _is_nfs(a_type):
+ return a_type.startswith('nfs') and a_type != 'nfsd'
+
for storage in self.consume(StorageInfo):
# Check fstab
for fstab in storage.fstab:
- if fstab.fs_vfstype.startswith("nfs"):
+ if _is_nfs(fstab.fs_vfstype):
nfs_found = True
details += "- One or more NFS entries in /etc/fstab\n"
break
# Check mount
for mount in storage.mount:
- if mount.tp.startswith("nfs"):
+ if _is_nfs(mount.tp):
nfs_found = True
details += "- Currently mounted NFS shares\n"
break
# Check systemd-mount
for systemdmount in storage.systemdmount:
- if systemdmount.fs_type.startswith("nfs"):
+ if _is_nfs(systemdmount.fs_type):
nfs_found = True
details += "- One or more configured NFS mounts in systemd-mount\n"
break
diff --git a/repos/system_upgrade/common/actors/checknfs/tests/test_checknfs.py b/repos/system_upgrade/common/actors/checknfs/tests/test_checknfs.py
index 4577de46..0d48c491 100644
--- a/repos/system_upgrade/common/actors/checknfs/tests/test_checknfs.py
+++ b/repos/system_upgrade/common/actors/checknfs/tests/test_checknfs.py
@@ -1,8 +1,8 @@
import pytest
-from leapp.snactor.fixture import current_actor_context
-from leapp.models import StorageInfo, SystemdMountEntry, FstabEntry, MountEntry
+from leapp.models import FstabEntry, MountEntry, StorageInfo, SystemdMountEntry
from leapp.reporting import Report
+from leapp.snactor.fixture import current_actor_context
@pytest.mark.parametrize('nfs_fstype', ('nfs', 'nfs4'))
@@ -50,6 +50,13 @@ def test_actor_without_fstab_entry(current_actor_context):
assert not current_actor_context.consume(Report)
+def test_actor_with_nfsd(current_actor_context):
+ with_nfsd = [MountEntry(name="nfsd", mount="/proc/fs/nfsd", tp="nfsd", options="rw,relatime")]
+ current_actor_context.feed(StorageInfo(mount=with_nfsd))
+ current_actor_context.run()
+ assert not current_actor_context.consume(Report)
+
+
@pytest.mark.parametrize('nfs_fstype', ('nfs', 'nfs4'))
def test_actor_with_mount_share(current_actor_context, nfs_fstype):
with_mount_share = [MountEntry(name="nfs", mount="/mnt/data", tp=nfs_fstype,
--
2.35.3

47
SOURCES/0038-Remove-temporary-leapp-directory-in-root.patch Normal file
View File

@ -0,0 +1,47 @@
From 1cc680adf1d63028c0b5f79544b6bd9e501b249e Mon Sep 17 00:00:00 2001
From: Michal Reznik <mreznik@redhat.com>
Date: Fri, 13 May 2022 12:00:15 +0200
Subject: [PATCH 38/39] Remove temporary leapp directory in /root
Leaving the directory behind will cause issues during upgrades to
another major verison. E.g in case of RHEL 7 > RHEL 8 > RHEL 9
upgrade.
---
.../preparepythonworkround/libraries/workaround.py | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/repos/system_upgrade/common/actors/preparepythonworkround/libraries/workaround.py b/repos/system_upgrade/common/actors/preparepythonworkround/libraries/workaround.py
index f61c78cf..de3079ee 100644
--- a/repos/system_upgrade/common/actors/preparepythonworkround/libraries/workaround.py
+++ b/repos/system_upgrade/common/actors/preparepythonworkround/libraries/workaround.py
@@ -1,7 +1,9 @@
import os
+import shutil
import sys
from leapp.libraries.common.utils import makedirs
+from leapp.libraries.stdlib import api
LEAPP_HOME = '/root/tmp_leapp_py3'
@@ -18,10 +20,15 @@ def _get_orig_leapp_path():
def apply_python3_workaround():
py3_leapp = os.path.join(LEAPP_HOME, 'leapp3')
+ if os.path.exists(LEAPP_HOME):
+ try:
+ shutil.rmtree(LEAPP_HOME)
+ except OSError as e:
+ api.current_logger().error('Could not remove {} directory: {}'.format(LEAPP_HOME, str(e)))
+
makedirs(LEAPP_HOME)
leapp_lib_symlink_path = os.path.join(LEAPP_HOME, 'leapp')
- if not os.path.exists(leapp_lib_symlink_path):
- os.symlink(_get_orig_leapp_path(), leapp_lib_symlink_path)
+ os.symlink(_get_orig_leapp_path(), leapp_lib_symlink_path)
with open(py3_leapp, 'w') as f:
f_content = [
'#!/usr/bin/python3',
--
2.35.3

90
SOURCES/0039-Improve-Leapp-resume-service-cleanup-logging.patch Normal file
View File

@ -0,0 +1,90 @@
From ae40cb78af75ff0901280b624e6d633a55023933 Mon Sep 17 00:00:00 2001
From: Michal Reznik <mreznik@redhat.com>
Date: Thu, 26 May 2022 13:02:31 +0200
Subject: [PATCH 39/39] Improve Leapp resume service cleanup + logging
---
.../actors/createresumeservice/actor.py | 15 ++++++++---
.../actors/removeresumeservice/actor.py | 25 +++++++++++--------
2 files changed, 26 insertions(+), 14 deletions(-)
diff --git a/repos/system_upgrade/common/actors/createresumeservice/actor.py b/repos/system_upgrade/common/actors/createresumeservice/actor.py
index 3019c611..eae4aa8f 100644
--- a/repos/system_upgrade/common/actors/createresumeservice/actor.py
+++ b/repos/system_upgrade/common/actors/createresumeservice/actor.py
@@ -1,11 +1,12 @@
-import shutil
import os
+import shutil
-from leapp.exceptions import StopActorExecutionError
+from leapp import reporting
from leapp.actors import Actor
+from leapp.exceptions import StopActorExecutionError
+from leapp.libraries.stdlib import api
+from leapp.reporting import create_report, Report
from leapp.tags import FinalizationPhaseTag, IPUWorkflowTag
-from leapp.reporting import Report, create_report
-from leapp import reporting
class CreateSystemdResumeService(Actor):
@@ -36,6 +37,12 @@ class CreateSystemdResumeService(Actor):
except OSError:
pass
+ if os.path.exists(symlink_path):
+ api.current_logger().debug(
+ 'Symlink {} already exists (from previous upgrade?). Removing... '.format(symlink_path)
+ )
+ os.unlink(symlink_path)
+
try:
os.symlink(service_path, symlink_path)
except OSError as e:
diff --git a/repos/system_upgrade/common/actors/removeresumeservice/actor.py b/repos/system_upgrade/common/actors/removeresumeservice/actor.py
index c69816d5..07e96eae 100644
--- a/repos/system_upgrade/common/actors/removeresumeservice/actor.py
+++ b/repos/system_upgrade/common/actors/removeresumeservice/actor.py
@@ -1,10 +1,10 @@
-import os
import errno
+import os
-from leapp.actors import Actor
-from leapp.libraries.stdlib import run
-from leapp.reporting import Report, create_report
from leapp import reporting
+from leapp.actors import Actor
+from leapp.libraries.stdlib import api, run
+from leapp.reporting import create_report, Report
from leapp.tags import FirstBootPhaseTag, IPUWorkflowTag
@@ -24,12 +24,17 @@ class RemoveSystemdResumeService(Actor):
service_name = 'leapp_resume.service'
if os.path.isfile('/etc/systemd/system/{}'.format(service_name)):
run(['systemctl', 'disable', service_name])
- try:
- os.unlink('/etc/systemd/system/{}'.format(service_name))
- os.unlink('/etc/systemd/system/default.target.wants/{}'.format(service_name))
- except OSError as e:
- if e.errno != errno.ENOENT:
- raise
+ paths_to_unlink = [
+ '/etc/systemd/system/{}'.format(service_name),
+ '/etc/systemd/system/default.target.wants/{}'.format(service_name),
+ ]
+ for path in paths_to_unlink:
+ try:
+ os.unlink(path)
+ except OSError as e:
+ api.current_logger().debug('Failed removing {}: {}'.format(path, str(e)))
+ if e.errno != errno.ENOENT:
+ raise
create_report([
reporting.Title('"{}" service deleted'.format(service_name)),
--
2.35.3

125
SOURCES/0040-Revert-Move-multipathconfread-into-common-repository.patch Normal file
View File

@ -0,0 +1,125 @@
From e80ee7184cd0d01d81418e5f925d1460fc51f0a6 Mon Sep 17 00:00:00 2001
From: Benjamin Marzinski <bmarzins@redhat.com>
Date: Wed, 20 Apr 2022 14:01:43 -0500
Subject: [PATCH 40/47] Revert "Move "multipathconfread" into common
repository"
This reverts commit 1c171ec3a5f9260a3c6f84a9b15cad78a875ac61.
the multipath actors need to do different things in the el8toel9 upgrade
than in the el7toel8 upgrade, so leave the old actors in the el7toel8
repo. After reverting, the code was relinted.
---
.../{common => el7toel8}/actors/multipathconfread/actor.py | 0
.../actors/multipathconfread/libraries/multipathconfread.py | 0
.../actors/multipathconfread/tests/files/all_the_things.conf | 0
.../actors/multipathconfread/tests/files/already_updated.conf | 0
.../actors/multipathconfread/tests/files/conf.d/all_devs.conf | 0
.../actors/multipathconfread/tests/files/conf.d/empty.conf | 0
.../actors/multipathconfread/tests/files/default_rhel7.conf | 0
.../actors/multipathconfread/tests/files/default_rhel8.conf | 0
.../actors/multipathconfread/tests/files/just_all_devs.conf | 0
.../actors/multipathconfread/tests/files/just_checker.conf | 0
.../actors/multipathconfread/tests/files/just_detect.conf | 0
.../actors/multipathconfread/tests/files/just_exists.conf | 0
.../actors/multipathconfread/tests/files/just_reassign.conf | 0
.../actors/multipathconfread/tests/files/ugly1.conf | 0
.../actors/multipathconfread/tests/files/ugly2.conf | 0
.../multipathconfread/tests/test_library_multipathconfread.py | 0
.../{common => el7toel8}/libraries/multipathutil.py | 0
.../{common => el7toel8}/models/multipathconffacts.py | 0
18 files changed, 0 insertions(+), 0 deletions(-)
rename repos/system_upgrade/{common => el7toel8}/actors/multipathconfread/actor.py (100%)
rename repos/system_upgrade/{common => el7toel8}/actors/multipathconfread/libraries/multipathconfread.py (100%)
rename repos/system_upgrade/{common => el7toel8}/actors/multipathconfread/tests/files/all_the_things.conf (100%)
rename repos/system_upgrade/{common => el7toel8}/actors/multipathconfread/tests/files/already_updated.conf (100%)
rename repos/system_upgrade/{common => el7toel8}/actors/multipathconfread/tests/files/conf.d/all_devs.conf (100%)
rename repos/system_upgrade/{common => el7toel8}/actors/multipathconfread/tests/files/conf.d/empty.conf (100%)
rename repos/system_upgrade/{common => el7toel8}/actors/multipathconfread/tests/files/default_rhel7.conf (100%)
rename repos/system_upgrade/{common => el7toel8}/actors/multipathconfread/tests/files/default_rhel8.conf (100%)
rename repos/system_upgrade/{common => el7toel8}/actors/multipathconfread/tests/files/just_all_devs.conf (100%)
rename repos/system_upgrade/{common => el7toel8}/actors/multipathconfread/tests/files/just_checker.conf (100%)
rename repos/system_upgrade/{common => el7toel8}/actors/multipathconfread/tests/files/just_detect.conf (100%)
rename repos/system_upgrade/{common => el7toel8}/actors/multipathconfread/tests/files/just_exists.conf (100%)
rename repos/system_upgrade/{common => el7toel8}/actors/multipathconfread/tests/files/just_reassign.conf (100%)
rename repos/system_upgrade/{common => el7toel8}/actors/multipathconfread/tests/files/ugly1.conf (100%)
rename repos/system_upgrade/{common => el7toel8}/actors/multipathconfread/tests/files/ugly2.conf (100%)
rename repos/system_upgrade/{common => el7toel8}/actors/multipathconfread/tests/test_library_multipathconfread.py (100%)
rename repos/system_upgrade/{common => el7toel8}/libraries/multipathutil.py (100%)
rename repos/system_upgrade/{common => el7toel8}/models/multipathconffacts.py (100%)
diff --git a/repos/system_upgrade/common/actors/multipathconfread/actor.py b/repos/system_upgrade/el7toel8/actors/multipathconfread/actor.py
similarity index 100%
rename from repos/system_upgrade/common/actors/multipathconfread/actor.py
rename to repos/system_upgrade/el7toel8/actors/multipathconfread/actor.py
diff --git a/repos/system_upgrade/common/actors/multipathconfread/libraries/multipathconfread.py b/repos/system_upgrade/el7toel8/actors/multipathconfread/libraries/multipathconfread.py
similarity index 100%
rename from repos/system_upgrade/common/actors/multipathconfread/libraries/multipathconfread.py
rename to repos/system_upgrade/el7toel8/actors/multipathconfread/libraries/multipathconfread.py
diff --git a/repos/system_upgrade/common/actors/multipathconfread/tests/files/all_the_things.conf b/repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/all_the_things.conf
similarity index 100%
rename from repos/system_upgrade/common/actors/multipathconfread/tests/files/all_the_things.conf
rename to repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/all_the_things.conf
diff --git a/repos/system_upgrade/common/actors/multipathconfread/tests/files/already_updated.conf b/repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/already_updated.conf
similarity index 100%
rename from repos/system_upgrade/common/actors/multipathconfread/tests/files/already_updated.conf
rename to repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/already_updated.conf
diff --git a/repos/system_upgrade/common/actors/multipathconfread/tests/files/conf.d/all_devs.conf b/repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/conf.d/all_devs.conf
similarity index 100%
rename from repos/system_upgrade/common/actors/multipathconfread/tests/files/conf.d/all_devs.conf
rename to repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/conf.d/all_devs.conf
diff --git a/repos/system_upgrade/common/actors/multipathconfread/tests/files/conf.d/empty.conf b/repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/conf.d/empty.conf
similarity index 100%
rename from repos/system_upgrade/common/actors/multipathconfread/tests/files/conf.d/empty.conf
rename to repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/conf.d/empty.conf
diff --git a/repos/system_upgrade/common/actors/multipathconfread/tests/files/default_rhel7.conf b/repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/default_rhel7.conf
similarity index 100%
rename from repos/system_upgrade/common/actors/multipathconfread/tests/files/default_rhel7.conf
rename to repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/default_rhel7.conf
diff --git a/repos/system_upgrade/common/actors/multipathconfread/tests/files/default_rhel8.conf b/repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/default_rhel8.conf
similarity index 100%
rename from repos/system_upgrade/common/actors/multipathconfread/tests/files/default_rhel8.conf
rename to repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/default_rhel8.conf
diff --git a/repos/system_upgrade/common/actors/multipathconfread/tests/files/just_all_devs.conf b/repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/just_all_devs.conf
similarity index 100%
rename from repos/system_upgrade/common/actors/multipathconfread/tests/files/just_all_devs.conf
rename to repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/just_all_devs.conf
diff --git a/repos/system_upgrade/common/actors/multipathconfread/tests/files/just_checker.conf b/repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/just_checker.conf
similarity index 100%
rename from repos/system_upgrade/common/actors/multipathconfread/tests/files/just_checker.conf
rename to repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/just_checker.conf
diff --git a/repos/system_upgrade/common/actors/multipathconfread/tests/files/just_detect.conf b/repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/just_detect.conf
similarity index 100%
rename from repos/system_upgrade/common/actors/multipathconfread/tests/files/just_detect.conf
rename to repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/just_detect.conf
diff --git a/repos/system_upgrade/common/actors/multipathconfread/tests/files/just_exists.conf b/repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/just_exists.conf
similarity index 100%
rename from repos/system_upgrade/common/actors/multipathconfread/tests/files/just_exists.conf
rename to repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/just_exists.conf
diff --git a/repos/system_upgrade/common/actors/multipathconfread/tests/files/just_reassign.conf b/repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/just_reassign.conf
similarity index 100%
rename from repos/system_upgrade/common/actors/multipathconfread/tests/files/just_reassign.conf
rename to repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/just_reassign.conf
diff --git a/repos/system_upgrade/common/actors/multipathconfread/tests/files/ugly1.conf b/repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/ugly1.conf
similarity index 100%
rename from repos/system_upgrade/common/actors/multipathconfread/tests/files/ugly1.conf
rename to repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/ugly1.conf
diff --git a/repos/system_upgrade/common/actors/multipathconfread/tests/files/ugly2.conf b/repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/ugly2.conf
similarity index 100%
rename from repos/system_upgrade/common/actors/multipathconfread/tests/files/ugly2.conf
rename to repos/system_upgrade/el7toel8/actors/multipathconfread/tests/files/ugly2.conf
diff --git a/repos/system_upgrade/common/actors/multipathconfread/tests/test_library_multipathconfread.py b/repos/system_upgrade/el7toel8/actors/multipathconfread/tests/test_library_multipathconfread.py
similarity index 100%
rename from repos/system_upgrade/common/actors/multipathconfread/tests/test_library_multipathconfread.py
rename to repos/system_upgrade/el7toel8/actors/multipathconfread/tests/test_library_multipathconfread.py
diff --git a/repos/system_upgrade/common/libraries/multipathutil.py b/repos/system_upgrade/el7toel8/libraries/multipathutil.py
similarity index 100%
rename from repos/system_upgrade/common/libraries/multipathutil.py
rename to repos/system_upgrade/el7toel8/libraries/multipathutil.py
diff --git a/repos/system_upgrade/common/models/multipathconffacts.py b/repos/system_upgrade/el7toel8/models/multipathconffacts.py
similarity index 100%
rename from repos/system_upgrade/common/models/multipathconffacts.py
rename to repos/system_upgrade/el7toel8/models/multipathconffacts.py
--
2.35.3

14955
SOURCES/0041-add-multipathconf-read-check-update-el8toel9-actors.patch Normal file
View File

File diff suppressed because it is too large Load Diff

107
SOURCES/0042-el8toel9-Warn-about-the-NVIDIA-driver-before-upgrade.patch Normal file
View File

@ -0,0 +1,107 @@
From efa3becc424438b3904013310d6a8b7ec675ae6a Mon Sep 17 00:00:00 2001
From: Niels De Graef <ndegraef@redhat.com>
Date: Tue, 12 Apr 2022 13:08:31 +0200
Subject: [PATCH 42/47] el8toel9: Warn about the NVIDIA driver before upgrade
---
.../actors/nvidiaproprietarydriver/actor.py | 47 +++++++++++++++++++
.../tests/test_nvidiadriver.py | 33 +++++++++++++
2 files changed, 80 insertions(+)
create mode 100644 repos/system_upgrade/el8toel9/actors/nvidiaproprietarydriver/actor.py
create mode 100644 repos/system_upgrade/el8toel9/actors/nvidiaproprietarydriver/tests/test_nvidiadriver.py
diff --git a/repos/system_upgrade/el8toel9/actors/nvidiaproprietarydriver/actor.py b/repos/system_upgrade/el8toel9/actors/nvidiaproprietarydriver/actor.py
new file mode 100644
index 00000000..7397f3e2
--- /dev/null
+++ b/repos/system_upgrade/el8toel9/actors/nvidiaproprietarydriver/actor.py
@@ -0,0 +1,47 @@
+from leapp import reporting
+from leapp.actors import Actor
+from leapp.models import ActiveKernelModulesFacts
+from leapp.reporting import create_report, Report
+from leapp.tags import ChecksPhaseTag, IPUWorkflowTag
+
+
+class CheckNvidiaProprietaryDriver(Actor):
+ """
+ Check if NVIDIA proprietary driver is in use. If yes, inhibit the upgrade process.
+
+ Updating bare metal (or VM) with the binary NVIDIA driver will end up with a blacklisted nouveau.
+
+ See also https://bugzilla.redhat.com/show_bug.cgi?id=2057026
+ """
+
+ name = 'check_nvidia_proprietary_driver'
+ consumes = (ActiveKernelModulesFacts,)
+ produces = (Report,)
+ tags = (ChecksPhaseTag, IPUWorkflowTag)
+
+ def process(self):
+
+ for fact in self.consume(ActiveKernelModulesFacts):
+ nvidia_driver_loaded = any('nvidia' in active_mod.filename for active_mod in fact.kernel_modules)
+ if nvidia_driver_loaded:
+ create_report([
+ reporting.Title('Proprietary NVIDIA driver detected'),
+ reporting.Summary(
+ 'Leapp has detected that the NVIDIA proprietary driver has been loaded, which also means '
+ 'the nouveau driver is blacklisted. If you upgrade now, you will end up without a '
+ 'graphical session, as the newer kernel won\'t be able to load the NVIDIA driver module '
+ 'and nouveau will still be blacklisted.'
+ '\n\n'
+ 'Please uninstall the NVIDIA graphics driver before upgrading to make sure you have a '
+ 'graphical session after upgrading.'
+ ),
+ reporting.ExternalLink(
+ title='How to uninstall proprietary NVIDIA graphics driver and switch back to Red Hat '
+ 'shipped nouveau graphics driver?',
+ url='https://access.redhat.com/solutions/421683'
+ ),
+ reporting.Severity(reporting.Severity.HIGH),
+ reporting.Flags([reporting.Flags.INHIBITOR]),
+ reporting.Tags([reporting.Tags.KERNEL, reporting.Tags.DRIVERS]),
+ ])
+ break
diff --git a/repos/system_upgrade/el8toel9/actors/nvidiaproprietarydriver/tests/test_nvidiadriver.py b/repos/system_upgrade/el8toel9/actors/nvidiaproprietarydriver/tests/test_nvidiadriver.py
new file mode 100644
index 00000000..3cd299b0
--- /dev/null
+++ b/repos/system_upgrade/el8toel9/actors/nvidiaproprietarydriver/tests/test_nvidiadriver.py
@@ -0,0 +1,33 @@
+from leapp.models import ActiveKernelModule, ActiveKernelModulesFacts
+from leapp.reporting import Report
+
+
+def test_actor_with_nvidia_driver(current_actor_context):
+ with_nvidia = [
+ ActiveKernelModule(filename='nvidia', parameters=[]),
+ ActiveKernelModule(filename='kvm', parameters=[])]
+
+ current_actor_context.feed(ActiveKernelModulesFacts(kernel_modules=with_nvidia))
+ current_actor_context.run()
+ report_fields = current_actor_context.consume(Report)[0].report
+ assert 'inhibitor' in report_fields['flags']
+
+
+def test_actor_without_nvidia_driver(current_actor_context):
+ without_nvidia = [
+ ActiveKernelModule(filename='i915', parameters=[]),
+ ActiveKernelModule(filename='kvm', parameters=[])]
+
+ current_actor_context.feed(ActiveKernelModulesFacts(kernel_modules=without_nvidia))
+ current_actor_context.run()
+ assert not current_actor_context.consume(Report)
+
+
+def test_actor_with_nouveau_driver(current_actor_context):
+ without_nvidia = [
+ ActiveKernelModule(filename='nouveau', parameters=[]),
+ ActiveKernelModule(filename='kvm', parameters=[])]
+
+ current_actor_context.feed(ActiveKernelModulesFacts(kernel_modules=without_nvidia))
+ current_actor_context.run()
+ assert not current_actor_context.consume(Report)
--
2.35.3

26
SOURCES/0043-Fix-unnecessary-dunder-call-violation.patch Normal file
View File

@ -0,0 +1,26 @@
From 191865db1725dcdf17d8d2d7c5a75d3d1f7b7d80 Mon Sep 17 00:00:00 2001
From: Inessa Vasilevskaya <ivasilev@redhat.com>
Date: Tue, 7 Jun 2022 17:17:02 +0200
Subject: [PATCH 43/47] Fix unnecessary-dunder-call violation
That's an interesting linter check, let's keep it.
---
.../actors/peseventsscanner/libraries/peseventsscanner.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/repos/system_upgrade/common/actors/peseventsscanner/libraries/peseventsscanner.py b/repos/system_upgrade/common/actors/peseventsscanner/libraries/peseventsscanner.py
index 1be2caa1..03d1bde5 100644
--- a/repos/system_upgrade/common/actors/peseventsscanner/libraries/peseventsscanner.py
+++ b/repos/system_upgrade/common/actors/peseventsscanner/libraries/peseventsscanner.py
@@ -470,7 +470,7 @@ def is_event_relevant(event, installed_pkgs, tasks):
def add_packages_to_tasks(tasks, packages, task_type):
if packages:
api.current_logger().debug('{v:7} {p}'.format(
- v=task_type.name, p=', '.join([p.__repr__() for p in packages])))
+ v=task_type.name, p=', '.join([repr(p) for p in packages])))
for p in packages:
tasks[task_type][(p.name, p.modulestream)] = p.repository
--
2.35.3

438
SOURCES/0044-Massive-workflow-refactor-split-into-reusable-parts.patch Normal file
View File

@ -0,0 +1,438 @@
From ef458450bcaf38ee3427eb21a0fd11fef5144fe4 Mon Sep 17 00:00:00 2001
From: Inessa Vasilevskaya <ivasilev@redhat.com>
Date: Mon, 6 Jun 2022 16:16:38 +0200
Subject: [PATCH 44/47] Massive workflow refactor: split into reusable parts
1 separate workflow has been introduced - reuse-copr-build;
2 workflows have been reused from leapp project - reuse-tests-7to8
and reuse-tests-8to9.
This should make adding new tests a bit easier.
Status reporting has been enabled as well.
e2e execution on aws also added as separate test run.
OAMG-6980
---
.github/workflows/reuse-copr-build.yml | 157 ++++++++++++++++
.github/workflows/tmt-tests.yml | 241 ++++++-------------------
2 files changed, 212 insertions(+), 186 deletions(-)
create mode 100644 .github/workflows/reuse-copr-build.yml
diff --git a/.github/workflows/reuse-copr-build.yml b/.github/workflows/reuse-copr-build.yml
new file mode 100644
index 00000000..fd59b073
--- /dev/null
+++ b/.github/workflows/reuse-copr-build.yml
@@ -0,0 +1,157 @@
+name: reuse-copr-build@TF
+
+on:
+ workflow_call:
+ secrets:
+ FEDORA_COPR_LOGIN:
+ required: true
+ FEDORA_COPR_TOKEN:
+ required: true
+ outputs:
+ artifacts:
+ description: "A string with test artifacts to install in tft test env"
+ value: ${{ jobs.reusable_workflow_copr_build_job.outputs.artifacts }}
+
+jobs:
+ reusable_workflow_copr_build_job:
+ # This job only runs for '/rerun' pull request comments by owner, member, or collaborator of the repo/organization.
+ name: Build copr builds for tft tests
+ runs-on: ubuntu-20.04
+ outputs:
+ artifacts: ${{ steps.gen_artifacts.outputs.artifacts }}
+ if: |
+ github.event.issue.pull_request
+ && startsWith(github.event.comment.body, '/rerun')
+ && contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)
+ steps:
+ - name: Install necessary deps
+ id: deps_install
+ run: sudo apt-get install -y libkrb5-dev
+
+ - name: Get pull request number
+ id: pr_nr
+ run: |
+ PR_URL="${{ github.event.comment.issue_url }}"
+ echo "::set-output name=pr_nr::${PR_URL##*/}"
+
+ - name: Checkout
+ # TODO: The correct way to checkout would be to use simmilar approach as in get_commit_by_timestamp function of
+ # the github gluetool module (i.e. do not use HEAD but the last commit before comment).
+ id: checkout
+ uses: actions/checkout@v2
+ with:
+ ref: "refs/pull/${{ steps.pr_nr.outputs.pr_nr }}/head"
+
+ - name: Get ref and sha
+ id: ref_sha
+ run: |
+ echo "::set-output name=sha::$(git rev-parse --short HEAD)"
+ echo "::set-output name=ref::refs/pull/${{ steps.pr_nr.outputs.pr_nr }}/head"
+
+ - name: Trigger copr build
+ id: copr_build
+ env:
+ COPR_CONFIG: "copr_fedora.conf"
+ COPR_CHROOT: "epel-7-x86_64,epel-8-x86_64"
+ run: |
+ cat << EOF > $COPR_CONFIG
+ [copr-cli]
+ login = ${{ secrets.FEDORA_COPR_LOGIN }}
+ username = @oamg
+ token = ${{ secrets.FEDORA_COPR_TOKEN }}
+ copr_url = https://copr.fedorainfracloud.org
+ # expiration date: 2030-07-04
+ EOF
+
+ pip install copr-cli
+ PR=${{ steps.pr_nr.outputs.pr_nr }} COPR_CONFIG=$COPR_CONFIG COPR_CHROOT=$COPR_CHROOT make copr_build | tee copr.log
+
+ COPR_URL=$(grep -Po 'https://copr.fedorainfracloud.org/coprs/build/\d+' copr.log)
+ echo "::set-output name=copr_url::${COPR_URL}"
+ echo "::set-output name=copr_id::${COPR_URL##*/}"
+
+ - name: Add comment with copr build url
+ # TODO: Create comment when copr build fails.
+ id: link_copr
+ uses: actions/github-script@v4
+ with:
+ script: |
+ github.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: 'Copr build succeeded: ${{ steps.copr_build.outputs.copr_url }}'
+ })
+
+ - name: Get dependent leapp pr number from rerun comment
+ uses: actions-ecosystem/action-regex-match@v2
+ id: leapp_pr_regex_match
+ with:
+ text: ${{ github.event.comment.body }}
+ regex: '^/rerun\s+([0-9]+)\s*$'
+
+ - name: If leapp_pr was specified in the comment - trigger copr build
+ # TODO: XXX FIXME This should schedule copr build for leapp but for now it will be just setting an env var
+ id: leapp_pr
+ if: ${{ steps.leapp_pr_regex_match.outputs.match != '' }}
+ run: |
+ echo "::set-output name=leapp_pr::${{ steps.leapp_pr_regex_match.outputs.group1 }}"
+
+ - name: Checkout leapp
+ id: checkout_leapp
+ if: ${{ steps.leapp_pr_regex_match.outputs.match != '' }}
+ uses: actions/checkout@v2
+ with:
+ repository: "oamg/leapp"
+ ref: "refs/pull/${{ steps.leapp_pr.outputs.leapp_pr }}/head"
+
+ - name: Get ref and sha for leapp
+ id: ref_sha_leapp
+ if: ${{ steps.leapp_pr_regex_match.outputs.match != '' }}
+ run: |
+ echo "::set-output name=sha::$(git rev-parse --short HEAD)"
+ echo "::set-output name=ref::refs/pull/${{ steps.leapp_pr.outputs.leapp_pr }}/head"
+
+ - name: Trigger copr build for leapp
+ id: copr_build_leapp
+ if: ${{ steps.leapp_pr_regex_match.outputs.match != '' }}
+ env:
+ COPR_CONFIG: "copr_fedora.conf"
+ COPR_CHROOT: "epel-7-x86_64,epel-8-x86_64"
+ run: |
+ cat << EOF > $COPR_CONFIG
+ [copr-cli]
+ login = ${{ secrets.FEDORA_COPR_LOGIN }}
+ username = @oamg
+ token = ${{ secrets.FEDORA_COPR_TOKEN }}
+ copr_url = https://copr.fedorainfracloud.org
+ # expiration date: 2030-07-04
+ EOF
+
+ pip install copr-cli
+ PR=${{ steps.leapp_pr.outputs.leapp_pr }} COPR_CONFIG=$COPR_CONFIG COPR_CHROOT=$COPR_CHROOT make copr_build | tee copr.log
+
+ COPR_URL=$(grep -Po 'https://copr.fedorainfracloud.org/coprs/build/\d+' copr.log)
+ echo "::set-output name=copr_url::${COPR_URL}"
+ echo "::set-output name=copr_id::${COPR_URL##*/}"
+
+ - name: Add comment with copr build url for leapp
+ # TODO: Create comment when copr build fails.
+ id: link_copr_leapp
+ if: ${{ steps.leapp_pr_regex_match.outputs.match != '' }}
+ uses: actions/github-script@v4
+ with:
+ script: |
+ github.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: 'Copr build succeeded: ${{ steps.copr_build_leapp.outputs.copr_url }}'
+ })
+
+ - name: Generate artifacts output
+ id: gen_artifacts
+ env:
+ ARTIFACTS: ${{ steps.leapp_pr_regex_match.outputs.match != '' && format('{0};{1}', steps.copr_build_leapp.outputs.copr_id, steps.copr_build.outputs.copr_id) || steps.copr_build.outputs.copr_id }}
+ run: |
+ echo "::set-output name=artifacts::${{ env.ARTIFACTS }}"
diff --git a/.github/workflows/tmt-tests.yml b/.github/workflows/tmt-tests.yml
index 24334978..a069bd96 100644
--- a/.github/workflows/tmt-tests.yml
+++ b/.github/workflows/tmt-tests.yml
@@ -6,193 +6,62 @@ on:
- created
jobs:
- pr_commented:
- # This job only runs for '/rerun' pull request comments by owner, member, or collaborator of the repo/organization.
- name: Run tmt tests on Testing Farm service
+ call_workflow_copr_build:
+ uses: ./.github/workflows/reuse-copr-build.yml
+ secrets: inherit
+
+ call_workflow_tests_7to8_integration:
+ needs: call_workflow_copr_build
+ uses: oamg/leapp/.github/workflows/reuse-tests-7to8.yml@master
+ secrets: inherit
+ with:
+ copr_artifacts: ${{ needs.call_workflow_copr_build.outputs.artifacts }}
+ tmt_plan_regex: "^(?!.*c2r)(?!.*sap)(?!.*8to9)(?!.*morf)"
+
+ call_workflow_tests_7to8_sst:
+ needs: call_workflow_copr_build
+ uses: oamg/leapp/.github/workflows/reuse-tests-7to8.yml@master
+ secrets: inherit
+ with:
+ copr_artifacts: ${{ needs.call_workflow_copr_build.outputs.artifacts }}
+ tmt_plan_regex: "^(?!.*c2r)(?!.*sap)(?!.*8to9)(.*morf)"
+ pull_request_status_name: "7to8-sst"
+ update_pull_request_status: 'false'
if: |
github.event.issue.pull_request
- && startsWith(github.event.comment.body, '/rerun')
+ && startsWith(github.event.comment.body, '/rerun-all')
&& contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)
- runs-on: ubuntu-20.04
- steps:
- - name: Install necessary deps
- id: deps_install
- run: sudo apt-get install -y libkrb5-dev
- - name: Get pull request number
- id: pr_nr
- run: |
- PR_URL="${{ github.event.comment.issue_url }}"
- echo "::set-output name=pr_nr::${PR_URL##*/}"
-
- - name: Checkout
- # TODO: The correct way to checkout would be to use simmilar approach as in get_commit_by_timestamp function of
- # the github gluetool module (i.e. do not use HEAD but the last commit before comment).
- id: checkout
- uses: actions/checkout@v2
- with:
- ref: "refs/pull/${{ steps.pr_nr.outputs.pr_nr }}/head"
-
- - name: Get ref and sha
- id: ref_sha
- run: |
- echo "::set-output name=sha::$(git rev-parse --short HEAD)"
- echo "::set-output name=ref::refs/pull/${{ steps.pr_nr.outputs.pr_nr }}/head"
-
- - name: Trigger copr build
- id: copr_build
- env:
- COPR_CONFIG: "copr_fedora.conf"
- COPR_CHROOT: "epel-7-x86_64,epel-8-x86_64"
- run: |
- cat << EOF > $COPR_CONFIG
- [copr-cli]
- login = ${{ secrets.FEDORA_COPR_LOGIN }}
- username = @oamg
- token = ${{ secrets.FEDORA_COPR_TOKEN }}
- copr_url = https://copr.fedorainfracloud.org
- # expiration date: 2030-07-04
- EOF
-
- pip install copr-cli
- PR=${{ steps.pr_nr.outputs.pr_nr }} COPR_CONFIG=$COPR_CONFIG COPR_CHROOT=$COPR_CHROOT make copr_build | tee copr.log
-
- COPR_URL=$(grep -Po 'https://copr.fedorainfracloud.org/coprs/build/\d+' copr.log)
- echo "::set-output name=copr_url::${COPR_URL}"
- echo "::set-output name=copr_id::${COPR_URL##*/}"
-
- - name: Add comment with copr build url
- # TODO: Create comment when copr build fails.
- id: link_copr
- uses: actions/github-script@v4
- with:
- script: |
- github.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: 'Copr build succeeded: ${{ steps.copr_build.outputs.copr_url }}'
- })
-
- - name: Get dependent leapp pr number from rerun comment
- uses: actions-ecosystem/action-regex-match@v2
- id: leapp_pr_regex_match
- with:
- text: ${{ github.event.comment.body }}
- regex: '^/rerun\s+([0-9]+)\s*$'
-
- - name: If leapp_pr was specified in the comment - trigger copr build
- # TODO: XXX FIXME This should schedule copr build for leapp but for now it will be just setting an env var
- id: leapp_pr
- if: ${{ steps.leapp_pr_regex_match.outputs.match != '' }}
- run: |
- echo "::set-output name=leapp_pr::${{ steps.leapp_pr_regex_match.outputs.group1 }}"
-
- - name: Checkout leapp
- id: checkout_leapp
- if: ${{ steps.leapp_pr_regex_match.outputs.match != '' }}
- uses: actions/checkout@v2
- with:
- repository: "oamg/leapp"
- ref: "refs/pull/${{ steps.leapp_pr.outputs.leapp_pr }}/head"
-
- - name: Get ref and sha for leapp
- id: ref_sha_leapp
- if: ${{ steps.leapp_pr_regex_match.outputs.match != '' }}
- run: |
- echo "::set-output name=sha::$(git rev-parse --short HEAD)"
- echo "::set-output name=ref::refs/pull/${{ steps.leapp_pr.outputs.leapp_pr }}/head"
-
- - name: Trigger copr build for leapp
- id: copr_build_leapp
- if: ${{ steps.leapp_pr_regex_match.outputs.match != '' }}
- env:
- COPR_CONFIG: "copr_fedora.conf"
- COPR_CHROOT: "epel-7-x86_64,epel-8-x86_64"
- run: |
- cat << EOF > $COPR_CONFIG
- [copr-cli]
- login = ${{ secrets.FEDORA_COPR_LOGIN }}
- username = @oamg
- token = ${{ secrets.FEDORA_COPR_TOKEN }}
- copr_url = https://copr.fedorainfracloud.org
- # expiration date: 2030-07-04
- EOF
-
- pip install copr-cli
- PR=${{ steps.leapp_pr.outputs.leapp_pr }} COPR_CONFIG=$COPR_CONFIG COPR_CHROOT=$COPR_CHROOT make copr_build | tee copr.log
-
- COPR_URL=$(grep -Po 'https://copr.fedorainfracloud.org/coprs/build/\d+' copr.log)
- echo "::set-output name=copr_url::${COPR_URL}"
- echo "::set-output name=copr_id::${COPR_URL##*/}"
-
- - name: Add comment with copr build url for leapp
- # TODO: Create comment when copr build fails.
- id: link_copr_leapp
- if: ${{ steps.leapp_pr_regex_match.outputs.match != '' }}
- uses: actions/github-script@v4
- with:
- script: |
- github.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: 'Copr build succeeded: ${{ steps.copr_build_leapp.outputs.copr_url }}'
- })
-
- - name: Schedule regression testing for 7to8
- id: run_test_7to8
- env:
- ARTIFACTS: ${{ steps.leapp_pr_regex_match.outputs.match != '' && format('{0};{1}', steps.copr_build_leapp.outputs.copr_id, steps.copr_build.outputs.copr_id) || steps.copr_build.outputs.copr_id }}
- uses: sclorg/testing-farm-as-github-action@v1.2.10
- with:
- # required
- api_url: ${{ secrets.TF_ENDPOINT }}
- api_key: ${{ secrets.TF_API_KEY }}
- git_url: 'https://gitlab.cee.redhat.com/oamg/tmt-plans'
- github_token: ${{ secrets.GITHUB_TOKEN }}
- # optional
- tf_scope: 'private'
- tmt_plan_regex: "^(?!.*c2r)(?!.*sap)(?!.*8to9)"
- compose: ${{ secrets.COMPOSE_RHEL79 }}
- arch: 'x86_64'
- copr: 'epel-7-x86_64'
- copr_artifacts: ${{ env.ARTIFACTS }}
- debug: ${{ secrets.ACTIONS_STEP_DEBUG }}
- tmt_context: 'distro=rhel-7'
- pull_request_status_name: '7to8'
- create_issue_comment: 'true'
- # NOTE(ivasilev) In order to update pr status this workflow has to be massively refactored with artifacts
- # preparation moved out to a different workflow and the rest split into 2 workflows - 7to8 and 8to9 that are
- # triggered on a specific repository dispatch event.
- update_pull_request_status: 'false'
- environment_settings: '{"provisioning": {"post_install_script": "#!/bin/sh\nsudo sed -i s/.*ssh-rsa/ssh-rsa/ /root/.ssh/authorized_keys"}}'
-
- - name: Schedule regression testing for 8to9
- id: run_test_8to9
- env:
- ARTIFACTS: ${{ steps.leapp_pr_regex_match.outputs.match != '' && format('{0};{1}', steps.copr_build_leapp.outputs.copr_id, steps.copr_build.outputs.copr_id) || steps.copr_build.outputs.copr_id }}
- uses: sclorg/testing-farm-as-github-action@v1.2.10
- with:
- # required
- api_url: ${{ secrets.TF_ENDPOINT }}
- api_key: ${{ secrets.TF_API_KEY }}
- git_url: 'https://gitlab.cee.redhat.com/oamg/tmt-plans'
- github_token: ${{ secrets.GITHUB_TOKEN }}
- # optional
- tf_scope: 'private'
- tmt_plan_regex: "^(?!.*c2r)(?!.*sap)(?!.*7to8)"
- compose: ${{ secrets.COMPOSE_RHEL86 }}
- arch: 'x86_64'
- copr: 'epel-8-x86_64'
- copr_artifacts: ${{ env.ARTIFACTS }}
- debug: ${{ secrets.ACTIONS_STEP_DEBUG }}
- variables: 'TARGET_RELEASE=9.0;TARGET_KERNEL=el9;RHSM_SKU=RH00069;RHSM_REPOS=rhel-8-for-x86_64-appstream-beta-rpms,rhel-8-for-x86_64-baseos-beta-rpms;LEAPP_EXEC_ENV_VARS=LEAPP_DEVEL_TARGET_PRODUCT_TYPE=beta'
- tmt_context: 'distro=rhel-8'
- pull_request_status_name: '8to9'
- create_issue_comment: 'true'
- # NOTE(ivasilev) In order to update pr status this workflow has to be massively refactored with artifacts
- # preparation moved out to a different workflow and the rest split into 2 workflows - 7to8 and 8to9 that are
- # triggered on a specific repository dispatch event.
- update_pull_request_status: 'false'
- environment_settings: '{"provisioning": {"post_install_script": "#!/bin/sh\nsudo sed -i s/.*ssh-rsa/ssh-rsa/ /root/.ssh/authorized_keys"}}'
+ call_workflow_tests_7to8_aws:
+ needs: call_workflow_copr_build
+ uses: oamg/leapp/.github/workflows/reuse-tests-7to8.yml@master
+ secrets: inherit
+ with:
+ copr_artifacts: ${{ needs.call_workflow_copr_build.outputs.artifacts }}
+ tmt_plan_regex: "^(?!.*c2r)(?!.*sap)(?!.*8to9)(.*e2e)"
+ compose: "RHEL-7.9-rhui"
+ environment_settings: '{"provisioning": {"post_install_script": "#!/bin/sh\nsudo sed -i s/.*ssh-rsa/ssh-rsa/ /root/.ssh/authorized_keys; echo 42; yum-config-manager --enable rhel-7-server-rhui-optional-rpms"}}'
+ pull_request_status_name: "7to8-aws-e2e"
+ variables: "RHUI=aws"
+
+ call_workflow_tests_8to9_integration:
+ needs: call_workflow_copr_build
+ uses: oamg/leapp/.github/workflows/reuse-tests-8to9.yml@master
+ secrets: inherit
+ with:
+ copr_artifacts: ${{ needs.call_workflow_copr_build.outputs.artifacts }}
+ tmt_plan_regex: "^(?!.*c2r)(?!.*sap)(?!.*7to8)(?!.*morf)"
+
+ call_workflow_tests_8to9_sst:
+ needs: call_workflow_copr_build
+ uses: oamg/leapp/.github/workflows/reuse-tests-8to9.yml@master
+ secrets: inherit
+ with:
+ copr_artifacts: ${{ needs.call_workflow_copr_build.outputs.artifacts }}
+ tmt_plan_regex: "^(?!.*c2r)(?!.*sap)(?!.*7to8)(.*morf)"
+ pull_request_status_name: "8to9-sst"
+ update_pull_request_status: 'false'
+ if: |
+ github.event.issue.pull_request
+ && startsWith(github.event.comment.body, '/rerun-all')
+ && contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)
--
2.35.3

34
SOURCES/0045-Allow-running-all-tests-with-dependent-leapp-pr.patch Normal file
View File

@ -0,0 +1,34 @@
From 92ee19013e02f09ac03bb4f2979fcf4d3d3156cf Mon Sep 17 00:00:00 2001
From: Inessa Vasilevskaya <ivasilev@redhat.com>
Date: Tue, 7 Jun 2022 16:24:29 +0200
Subject: [PATCH 45/47] Allow running all tests with dependent leapp pr
/rerun-all 4242 now would correctly pick leapp pr 4242 instead of master.
---
.github/workflows/reuse-copr-build.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/reuse-copr-build.yml b/.github/workflows/reuse-copr-build.yml
index fd59b073..08d78024 100644
--- a/.github/workflows/reuse-copr-build.yml
+++ b/.github/workflows/reuse-copr-build.yml
@@ -88,14 +88,14 @@ jobs:
id: leapp_pr_regex_match
with:
text: ${{ github.event.comment.body }}
- regex: '^/rerun\s+([0-9]+)\s*$'
+ regex: '^/(rerun|rerun-all)\s+([0-9]+)\s*$'
- name: If leapp_pr was specified in the comment - trigger copr build
# TODO: XXX FIXME This should schedule copr build for leapp but for now it will be just setting an env var
id: leapp_pr
if: ${{ steps.leapp_pr_regex_match.outputs.match != '' }}
run: |
- echo "::set-output name=leapp_pr::${{ steps.leapp_pr_regex_match.outputs.group1 }}"
+ echo "::set-output name=leapp_pr::${{ steps.leapp_pr_regex_match.outputs.group2 }}"
- name: Checkout leapp
id: checkout_leapp
--
2.35.3

32
SOURCES/0046-Update-pr-welcome-msg.patch Normal file
View File

@ -0,0 +1,32 @@
From bb4e242af283c58dc8d4d627cac38ff0474dfea9 Mon Sep 17 00:00:00 2001
From: Inessa Vasilevskaya <ivasilev@redhat.com>
Date: Tue, 7 Jun 2022 17:12:23 +0200
Subject: [PATCH 46/47] Update pr-welcome-msg
Include information about /rerun-all command that will
schedule all regression tests including sst ones.
Also finally fix formatting issue with asterisks in markdown.
---
.github/workflows/pr-welcome-msg.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pr-welcome-msg.yml b/.github/workflows/pr-welcome-msg.yml
index a259dc55..c4435578 100644
--- a/.github/workflows/pr-welcome-msg.yml
+++ b/.github/workflows/pr-welcome-msg.yml
@@ -25,8 +25,10 @@ jobs:
- **/packit copr-build** to submit a public copr build using packit
To launch regression testing public members of oamg organization can leave the following comment:
- - **/rerun** to schedule tests using this pr build and leapp*master* as artifacts
- - **/rerun 42** to schedule tests using this pr build and leapp*PR42* as artifacts
+ - **/rerun** to schedule basic regression tests using this pr build and leapp\*master\* as artifacts
+ - **/rerun 42** to schedule basic regression tests using this pr build and leapp\*PR42\* as artifacts
+ - **/rerun-all** to schedule all tests (including sst) using this pr build and leapp\*master\* as artifacts
+ - **/rerun-all 42** to schedule all tests (including sst) using this pr build and leapp\*PR42\* as artifacts
Please [open ticket](https://url.corp.redhat.com/oamg-ci-issue) in case you experience technical problem with the CI. (RH internal only)
--
2.35.3

33
SOURCES/0047-Fix-set-of-supported-OS-versions-for-IPU-8-9.patch Normal file
View File

@ -0,0 +1,33 @@
From 7aa0ca5f3673257a6f955eebecc2de86eae2c117 Mon Sep 17 00:00:00 2001
From: Petr Stodulka <pstodulk@redhat.com>
Date: Fri, 10 Jun 2022 08:30:01 +0200
Subject: [PATCH 47/47] Fix set of supported OS versions for IPU 8 -> 9
Previously we have updated the upgrade_paths.json file to create
a mapping 8.7 -> 9.0. However, we have not enabled 8.7 for in-place
upgrades. Also, RHEL for SAP HANA has not been enabled for
IPU 8 -> 9.
Enable 8.7 for rhel and 8.6 for saphana for IPU 8 -> 9 via
SUPPORT_VERSIONS in the leapp.libraries.common.config.version
library.
---
repos/system_upgrade/common/libraries/config/version.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/repos/system_upgrade/common/libraries/config/version.py b/repos/system_upgrade/common/libraries/config/version.py
index 03f3cd42..e148932a 100644
--- a/repos/system_upgrade/common/libraries/config/version.py
+++ b/repos/system_upgrade/common/libraries/config/version.py
@@ -14,7 +14,7 @@ OP_MAP = {
_SUPPORTED_VERSIONS = {
# Note: 'rhel-alt' is detected when on 'rhel' with kernel 4.x
'7': {'rhel': ['7.9'], 'rhel-alt': ['7.6'], 'rhel-saphana': ['7.9']},
- '8': {'rhel': ['8.5', '8.6']},
+ '8': {'rhel': ['8.6', '8.7'], 'rhel-saphana': ['8.6']},
}
--
2.35.3

106
SPECS/leapp-repository.spec
View File

@ -42,7 +42,7 @@ py2_byte_compile "%1" "%2"}
Name: leapp-repository Name: leapp-repository
Version: 0.16.0 Version: 0.16.0
Release: 6%{?dist} Release: 8%{?dist}
Summary: Repositories for leapp Summary: Repositories for leapp
License: ASL 2.0 License: ASL 2.0
@ -53,12 +53,54 @@ BuildArch: noarch
### PATCHES HERE ### PATCHES HERE
# Patch0001: filename.patch # Patch0001: filename.patch
Patch0001: 0001-pcidevicesscanner-Also-match-deprecation-data-agains.patch1 Patch0001: 0001-Update-welcome-message.patch
Patch0002: 0002-pciscanner-Fix-2-issues-in-regards-to-pci-address-ha.patch Patch0002: 0002-Fix-linting-violations.patch
Patch0003: 0003-Ensure-the-right-repositories-are-enabled-on-Satelli.patch Patch0003: 0003-Enable-building-leapp-repository-for-specific-chroot.patch
Patch0004: 0004-Enforce-the-removal-of-rubygem-irb-do-not-install-it.patch Patch0004: 0004-Switch-to-the-official-composite-action-for-tft.patch
Patch0005: 0005-IPU-8-9-Migrate-blacklisted-CAs-hotfix.patch Patch0005: 0005-Switch-to-semicolon-build-separator-in-tmt-tests-873.patch
Patch0006: 0006-Skip-comment-lines-when-parsing-grub-configuration-f.patch Patch0006: 0006-pcidevicesscanner-Also-match-deprecation-data-agains.patch
Patch0007: 0007-Fix-krb5-config-not-found-error.patch
Patch0008: 0008-pciscanner-Fix-2-issues-in-regards-to-pci-address-ha.patch
Patch0009: 0009-Ensure-the-right-repositories-are-enabled-on-Satelli.patch
Patch0010: 0010-IPU-8-9-Migrate-blacklisted-CAs-hotfix.patch
Patch0011: 0011-Skip-comment-lines-when-parsing-grub-configuration-f.patch
Patch0012: 0012-Add-actor-that-checks-for-obsolete-.NET-versions.patch
Patch0013: 0013-Move-OpenSSH-server-config-Scanner-and-related-model.patch
Patch0014: 0014-Add-actor-for-updating-OpenSSH-configuration-to-RHEL.patch
Patch0015: 0015-Add-OpenSSH-Drop-in-directory-check-to-emit-info-rep.patch
Patch0016: 0016-OpenSSH-Config-Scanner-Record-the-presence-of-subsys.patch
Patch0017: 0017-Warn-if-the-SSHD-is-not-configured-to-use-SFTP-serve.patch
Patch0018: 0018-Fix-actor-tracebacks-for-non-default-lang.patch
Patch0019: 0019-Move-the-OpenSSH-PermitRootLogin-check-to-common-rep.patch
Patch0020: 0020-PermitRootLogin-check-add-new-use-cases-for-8to9.patch
Patch0021: 0021-If-the-config-is-not-modified-leave-it-up-to-RPM.patch
Patch0022: 0022-Improve-remediation-do-not-trigger-second-inhibitor.patch
Patch0023: 0023-Add-doc-strings-and-improve-code-readability.patch
Patch0024: 0024-Pass-enable-root-auth-post-install-script.patch
Patch0025: 0025-Pin-version-to-1.2.10.patch
Patch0026: 0026-Drop-the-checkcpu-actor-from-the-el8toel9-repo.patch
Patch0027: 0027-BZ-2087144-do-not-enable-Ansible-repository-when-upg.patch
Patch0028: 0028-call-Satellite-installer-with-disable-system-checks-.patch
Patch0029: 0029-Allow-specifying-report-schema-1.2.0.patch
Patch0030: 0030-restrict-Satellite-upgrades-to-x86_64.patch
Patch0031: 0031-Add-missing-documentation-link-to-the-SFTP-deprecati.patch
Patch0032: 0032-Fix-satellite-actor-due-to-some-oversight-of-a-missi.patch
Patch0033: 0033-Drop-the-obsoleted-copr-build-job.patch
Patch0034: 0034-Add-prod-certs-for-8.7-9.1-Beta-GA.patch
Patch0035: 0035-Add-upgrade-path-8.7-9.0.patch
Patch0036: 0036-Handle-7-to-8-IPUs-on-Google-Cloud-897.patch
Patch0037: 0037-CheckNFS-actor-should-respect-nfsd-filesystem.patch
Patch0038: 0038-Remove-temporary-leapp-directory-in-root.patch
Patch0039: 0039-Improve-Leapp-resume-service-cleanup-logging.patch
Patch0040: 0040-Revert-Move-multipathconfread-into-common-repository.patch
Patch0041: 0041-add-multipathconf-read-check-update-el8toel9-actors.patch
Patch0042: 0042-el8toel9-Warn-about-the-NVIDIA-driver-before-upgrade.patch
Patch0043: 0043-Fix-unnecessary-dunder-call-violation.patch
Patch0044: 0044-Massive-workflow-refactor-split-into-reusable-parts.patch
Patch0045: 0045-Allow-running-all-tests-with-dependent-leapp-pr.patch
Patch0046: 0046-Update-pr-welcome-msg.patch
Patch0047: 0047-Fix-set-of-supported-OS-versions-for-IPU-8-9.patch
%description %description
%{summary} %{summary}
@ -182,6 +224,48 @@ Requires: policycoreutils-python-utils
%patch0004 -p1 %patch0004 -p1
%patch0005 -p1 %patch0005 -p1
%patch0006 -p1 %patch0006 -p1
%patch0007 -p1
%patch0008 -p1
%patch0009 -p1
%patch0010 -p1
%patch0011 -p1
%patch0012 -p1
%patch0013 -p1
%patch0014 -p1
%patch0015 -p1
%patch0016 -p1
%patch0017 -p1
%patch0018 -p1
%patch0019 -p1
%patch0020 -p1
%patch0021 -p1
%patch0022 -p1
%patch0023 -p1
%patch0024 -p1
%patch0025 -p1
%patch0026 -p1
%patch0027 -p1
%patch0028 -p1
%patch0029 -p1
%patch0030 -p1
%patch0031 -p1
%patch0032 -p1
%patch0033 -p1
%patch0034 -p1
%patch0035 -p1
%patch0036 -p1
%patch0037 -p1
%patch0038 -p1
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%patch0042 -p1
%patch0043 -p1
%patch0044 -p1
%patch0045 -p1
%patch0046 -p1
%patch0047 -p1
# enforce removal of packages below during the upgrade # enforce removal of packages below during the upgrade
@ -257,6 +341,14 @@ done;
# no files here # no files here
%changelog %changelog
* Mon Jun 13 2022 Petr Stodulka <pstodulk@redhat.com> - 0.16.0-8
- enable RHEL 8.7 for the upgrade
- Resolves: rhbz#2090995
* Wed Apr 27 2022 Petr Stodulka <pstodulk@redhat.com> - 0.16.0-7
- CTC 1 build
- Resolves: rhbz#2090995
* Wed Apr 27 2022 Petr Stodulka <pstodulk@redhat.com> - 0.16.0-6 * Wed Apr 27 2022 Petr Stodulka <pstodulk@redhat.com> - 0.16.0-6
- Skip comments in /etc/default/grub during the parsing - Skip comments in /etc/default/grub during the parsing
- Resolves: #1997076 - Resolves: #1997076