How can I prevent the use of non-content view repos when provisioning new hosts?

Problem:
Systems install default public repositories when provisioning, and then update, pulling the latest packages from the internet rather than matching their assigned Content View.
Expected outcome:
Full customization of which repos are created at install, mainly limited to Foreman maintained only repos.
Foreman and Proxy versions:
3.9.1
Foreman and Proxy plugin versions:
3.9.1
Distribution and version:

Other relevant data:
I’ve been able to get OracleLinux 9 provisioned through Foreman using kickstart; however, during the install it seems like the public Oracle repos are added to /etc/yum.repos.d alongside the repositories I have configured and synced within the content view.
Perhaps I’m doing this incorrectly, or at least inefficiently, but I was only able to get the system to install and register by creating a Global Registration key and adding the curl command to %post. I have a repo containing subscription-manager packages built for OL9 hosted in /var/www/html/pub/… and the GR key points to that location so that the host can install subscription-manager and register to Foreman.
After the install is complete, I see the following in /etc/yum.repos.d:
foreman_registration.repo
oracle-linux-ol9.repo
redhat.repo
uek-ol9.repo
virt-ol9.repo

The content view repos are in redhat.repo (can I change this name during install?), and the foreman_registration.repo contains the pub hosted repo I built. The other three are all public repositories for Oracle which I’d like to be excluded.

Can I see the output of subscription-manager repos?

Sure, I removed the foreman fqdn just for security’s sake, but there it be:

[root@foreman-ol9-test02 ~]# subscription-manager repos
+----------------------------------------------------------+
    Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
Repo ID:   Default_Organization_OracleLinux9_OracleLinux_9_AppStream_Latest
Repo Name: OracleLinux_9_AppStream_Latest
Repo URL:  https://foreman-fqdn/pulp/content/Default_Organization/OL9_DEV/OracleLinux9_Base/custom/OracleLinux9/OracleLinux_9_AppStream_Latest
Enabled:   1

Repo ID:   Default_Organization_OracleLinux9_OracleLinux_9_BaseOS_Latest
Repo Name: OracleLinux_9_BaseOS_Latest
Repo URL:  https://foreman-fqdn/pulp/content/Default_Organization/OL9_DEV/OracleLinux9_Base/custom/OracleLinux9/OracleLinux_9_BaseOS_Latest
Enabled:   1

and just for good measure the yum repolist. The last 3 “ol9” repos are the ones I don’t want to be there.

[root@foreman-ol9-test02 ~]# yum repolist
Updating Subscription Management repositories.
repo id                                                                                                         repo name
Default_Organization_OracleLinux9_OracleLinux_9_AppStream_Latest                                                OracleLinux_9_AppStream_Latest
Default_Organization_OracleLinux9_OracleLinux_9_BaseOS_Latest                                                   OracleLinux_9_BaseOS_Latest
foreman_register                                                                                                foreman_register
ol9_UEKR7                                                                                                       Oracle Linux 9 UEK Release 7 (x86_64)
ol9_appstream                                                                                                   Oracle Linux 9 Application Stream Packages (x86_64)
ol9_baseos_latest                                                                                               Oracle Linux 9 BaseOS Latest (x86_64)

Thanks for your reply!

Ok, it’s as I thought; you won’t be able to use content overrides in Katello to control repos outside redhat.repo.

It seems something (perhaps in a provisioning template?) is enabling those ol9 repos. You should be able to disable them with yum config-manager --disablerepo ol9_UEKR7 etc.

Thanks, I noted when doing my initial testing with Rocky (they have a kickstart repo which made provisioning a lot easier) that it also added public repos. I suppose if I’m able to disable the Oracle public repos in %post, that might work? I’ll give it a try, but I will also keep looking through the kickstart and see if I can find where that setting might be (I pretty much just cloned the Kickstart Default template, added some self-hosted repos which might not have been necessary, and added the registration curl command in %post).

We have a snippet that runs the following line to handle this:

find /etc/yum.repos.d -type f -iname "*.repo" -exec rm {} \; -exec touch {} \;

This removes all platform repo files and replaces each one with an empty file.
The point of re-adding an empty version of the upstream repo file is that it prevents future package upgrades from re-populating those repo files.

This approach has generally worked for us.


There is also a setting disable_system_repos for /etc/yum/pluginconf.d/subscription-manager.conf or /etc/dnf/plugins/subscription-manager.conf which would disable all repositories not managed by subscription-manager.

The snippet redhat_register has a parameter only_subscription_manager_repos to manage this.


Interestingly, setting only_subscription_manager_repos to true for the host group seemed to cause the installation of subscription-manager to fail in the general registration bit. Though it did also remove the Oracle Linux public repos.

I ended up adding the following to the %post section right after registering, and it seems to have worked to achieve what I was looking for. The new host came up registered properly to the correct content view and group, ran updates, but only got what was available in the content view. Publishing a new view then showed the host missing updates.

yum config-manager --set-disabled ol9_*
rm -f /etc/yum.repos.d/*-ol9.repo*

As quba42 mentioned, I would recommend recreating the repository configuration as empty files so they are not recreated when updating the packages they come from.
Not sure how the package dependencies are, but if nothing depends on those packages they can also be uninstalled to the same effect.

In my “join host to Foreman” automation I do:

# Disable system repos in subscription-manager (yum and dnf plugin configs)
if [ -f /etc/yum/pluginconf.d/subscription-manager.conf ]
then
        grep -q disable_system_repos /etc/yum/pluginconf.d/subscription-manager.conf || sed -i '/\[main\]/a disable_system_repos=1' /etc/yum/pluginconf.d/subscription-manager.conf
        grep -q "disable_system_repos=0" /etc/yum/pluginconf.d/subscription-manager.conf && sed -i 's/disable_system_repos=0/disable_system_repos=1/g' /etc/yum/pluginconf.d/subscription-manager.conf
fi
if [ -f /etc/dnf/plugins/subscription-manager.conf ]
then
        sed -i 's/disable_system_repos=0/disable_system_repos=1/g' /etc/dnf/plugins/subscription-manager.conf
fi

# Move unwanted repo files from /etc/yum.repos.d to /etc/yum.repos.d/unused,
# leaving an empty file behind so the owning package does not recreate it
mkdir -p /etc/yum.repos.d/unused
for repo in $(find /etc/yum.repos.d -maxdepth 1 -name "*.repo" ! -name redhat.repo ! -size 0)
do
        /usr/bin/cp -f "$repo" /etc/yum.repos.d/unused/
        > "$repo"
done

Then you will end up with something like (for AlmaLinux):

# ls -l
total 72
-rw-r--r--. 1 root root     0 May  3 13:08 almalinux-appstream.repo
-rw-r--r--. 1 root root     0 May  3 13:08 almalinux-baseos.repo
-rw-r--r--. 1 root root     0 May  3 13:08 almalinux-crb.repo
-rw-r--r--. 1 root root     0 May  3 13:08 almalinux-extras.repo
-rw-r--r--. 1 root root     0 May  3 13:08 almalinux-highavailability.repo
-rw-r--r--. 1 root root     0 May  3 13:08 almalinux-nfv.repo
-rw-r--r--. 1 root root     0 May  3 13:08 almalinux-plus.repo
-rw-r--r--. 1 root root     0 May  3 13:08 almalinux-resilientstorage.repo
-rw-r--r--. 1 root root     0 May  3 13:08 almalinux-rt.repo
-rw-r--r--. 1 root root     0 May  3 13:08 almalinux-saphana.repo
-rw-r--r--. 1 root root     0 May  3 13:08 almalinux-sap.repo
-rw-r--r--. 1 root root 66049 May  3 13:08 redhat.repo
drwxr-xr-x. 2 root root  4096 May  3 13:08 unused
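The following is an added example by the editor, not code posted by anyone in this thread. It combines the three ideas above (quba42's empty-file replacement, the disable_system_repos setting, and the move-to-unused script) into functions that take their paths as parameters, so they can be exercised against a scratch directory before going into a %post or registration snippet. It also addresses the wish to leave a comment in each emptied file, and adds an audit that lists every enabled repo whose baseurl is not served by the Foreman host. KEEP_REPOS, the FQDN foreman.example.test and the vendor-mirror URLs are assumptions; the sample /etc/yum.repos.d contents are constructed to mirror the listing earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): neutralise vendor repo files at
# provisioning while keeping the ones registration depends on, force
# disable_system_repos=1 idempotently, and audit what is still enabled.
# KEEP_REPOS and foreman.example.test are assumptions; sample data is constructed.

# redhat.repo is written by subscription-manager; foreman_registration.repo is
# the bootstrap repo the Global Registration command installs from.
KEEP_REPOS="redhat.repo foreman_registration.repo"

# Set disable_system_repos=1 in a subscription-manager plugin conf without
# duplicating the key; appends a [main] section if the file has none.
set_disable_system_repos() {
    conf="$1"
    [ -f "$conf" ] || return 0
    tmp=$(mktemp)
    if grep -q '^disable_system_repos[[:space:]]*=' "$conf"; then
        awk '/^disable_system_repos[[:space:]]*=/ { $0 = "disable_system_repos=1" } { print }' "$conf" > "$tmp"
    elif grep -q '^\[main\]' "$conf"; then
        awk '{ print } /^\[main\]/ { print "disable_system_repos=1" }' "$conf" > "$tmp"
    else
        { cat "$conf"; printf '[main]\ndisable_system_repos=1\n'; } > "$tmp"
    fi
    cat "$tmp" > "$conf" && rm -f "$tmp"   # cat keeps the file's owner and mode
}

# Save each non-kept *.repo file under <dir>/unused and replace it with a
# comment-only placeholder. A file with no [section] defines no repo, and since
# it differs from the packaged copy, an upgrade of a %config(noreplace) file
# leaves it in place and writes the vendor version as .rpmnew instead.
neutralise_vendor_repos() {
    dir="$1"
    mkdir -p "$dir/unused"
    for f in "$dir"/*.repo; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        case " $KEEP_REPOS " in *" $name "*) continue ;; esac
        if [ -s "$f" ]; then cp -f "$f" "$dir/unused/"; fi
        printf '# Emptied at provisioning: packages come from the Foreman content view.\n# Original saved as unused/%s\n' "$name" > "$f"
    done
}

# Print the id of every enabled repo whose baseurl is not on the Foreman host.
# Repos using only mirrorlist/metalink have no baseurl and are reported too.
audit_foreign_repos() {
    dir="$1"; fqdn="$2"
    awk -v fqdn="$fqdn" '
        function flush() {
            if (id != "" && enabled && index(url, "//" fqdn "/") == 0) print id
            id = ""
        }
        FNR == 1 { flush() }
        /^\[/ { flush(); id = substr($0, 2, length($0) - 2); enabled = 1; url = ""; next }
        /^[[:space:]]*enabled[[:space:]]*=/ { split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); enabled = (kv[2] == "1") }
        /^[[:space:]]*baseurl[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); url = $0 }
        END { flush() }
    ' "$dir"/*.repo
}

# Constructed sample of /etc/yum.repos.d after an OL9 kickstart: content-view
# repos, the registration repo and vendor repos (vendor URLs are placeholders).
make_sample_repos_d() {
    dir="$1"; mkdir -p "$dir"
    printf '%s\n' '[Default_Organization_OracleLinux9_OracleLinux_9_BaseOS_Latest]' \
        'baseurl=https://foreman.example.test/pulp/content/Default_Organization/OL9_DEV/OracleLinux9_Base/custom/OracleLinux9/OracleLinux_9_BaseOS_Latest' \
        'enabled=1' > "$dir/redhat.repo"
    printf '%s\n' '[foreman_register]' 'baseurl=https://foreman.example.test/pub/ol9-subman' 'enabled=1' > "$dir/foreman_registration.repo"
    printf '%s\n' '[ol9_baseos_latest]' 'baseurl=https://vendor-mirror.example.test/ol9/baseos/latest/x86_64/' 'enabled=1' \
        '[ol9_appstream]' 'baseurl=https://vendor-mirror.example.test/ol9/appstream/x86_64/' 'enabled=1' \
        '[ol9_codeready_builder]' 'baseurl=https://vendor-mirror.example.test/ol9/codeready/builder/x86_64/' 'enabled=0' > "$dir/oracle-linux-ol9.repo"
    printf '%s\n' '[ol9_UEKR7]' 'baseurl=https://vendor-mirror.example.test/ol9/UEKR7/x86_64/' 'enabled=1' > "$dir/uek-ol9.repo"
}

# Stand-alone demonstration against a scratch copy of the constructed sample.
demo=$(mktemp -d)
make_sample_repos_d "$demo"
echo "enabled repos not served by foreman.example.test, before:"; audit_foreign_repos "$demo" foreman.example.test
neutralise_vendor_repos "$demo"
echo "after:"; audit_foreign_repos "$demo" foreman.example.test
rm -rf "$demo"
```

In a %post or registration snippet the same functions would be called with /etc/yum.repos.d and the two subscription-manager.conf paths from the thread. The audit is worth keeping as a post-install check as well: run against the real directory once registration has written redhat.repo, it should print nothing, and any id it does print is a repo that will pull packages from outside the assigned content view.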

I don’t think the system should be using those repos anyway, and the initial install should be coming from the repo I host on the pub site for Foreman. However just to be sure, I might go ahead with that plan, but additionally add a comment in each file stating why it’s blank.

At what point in the kickstart do you add this in by the way? It seems like it would gather any repo files including the redhat.repo and foreman_register.repo in the find and then remove them and recreate empty repo files. I suppose I could find on “ol9.repo” and it should only select the Oracle Linux files.

We add this right about here:

We add the following lines:

  <%- unless host_param('register_keep_repos') %>
    find /etc/yum.repos.d -type f -iname "*.repo" -exec rm {} \; -exec touch {} \;
  <%- end %>

This means it happens just before the host is registered using subscription-manager (but crucially after subscription-manager was installed). At this point the redhat.repo has not been created yet, so it is not cleared. Any repos that were temporarily added in order to install subscription-manager are also cleared, and then replaced by a repo coming in via the activation key.

The redhat_register.erb snippet is in turn included by various kickstart and other provisioning templates.
