we’ve got a number of Rocky8 clients which are enrolled into Foreman/Katello for content subscriptions. Those clients are locked to a specific kernel version using dnf versionlock. This is unfortunately necessary due to storage client requirements.
When I check these hosts in the foreman gui all of them are reporting some Erratas available. For example there’s a bug fix for package kmod-kvdo which requires a newer kernel-modules version. However due to the dnf versionlock on the kernel-modules package, trying to install/apply the Errata will result in a failure.
Is there a way to tell either the client, subscription manager or foreman/katello to ignore certain packages? I know it’s a long shot but I’d prefer to not have all clients in the foreman gui showing error-statuses.
Well, I guess the short answer is “the feature works as intended” as you do have outstanding errata on those hosts and you really should be yelling at that storage client vendor. But while being technically correct, this answer is not really helpful, so let’s see.
The upload of package lists happens via subscription-manager, and you probably could adjust their code to filter out certain packages:
If a package is not reported as installed, it can’t have errata, right?
But that would require a patch to sub-man on every host, as there is today no way to locally configure an exclude list.
I don’t see a way to achieve the same on the @katello side, but maybe someone knows batter
Thanks @evgeni and @maximilian. I know it’s an edge case and more a cosmetic/reporting thing I’m trying to achieve here. I’ll checkout your both suggestions Thanks!
Another possibility is a content view filter, which could filter out packages and/or errata by date. The errata then would show as applicable, but not installable. And you could set the setting “Generate errata status from directly-installable content” to Yes, which would avoid the negative host status.
That’s a very great idea! Let me try that right now. I might create a separate content view for those hosts and exclude the package group. Thanks @jeremylenz
@jeremylenz I create a seperate content view and applied the below filters. When publishing a new version which includes the filters the task just sits there and doesn’t progress. Looking at the running steps it seems to attempt to poll some data. It’s not failing but attempting over and over again as I can see the counter going up every couple of seconds. Any idea what would cause that?
Looking at the dynflow console its sitting at step 50. I was able to publish a version without filters just fine but as soon as I add a filter its not getting past this step.
Since I see MultiCopyContent there that means you’re using dependency solving – it dramatically slows down content view publishes. We have some warnings in the UI about it, but I would say to use it only if you really must.
Edit: also make sure that you’re using the latest Pulp packages, there was a bug fixed recently that might’ve caused slower than usual Pulp content copying.
@jeremylenz alright I think I got it working. Good old selinux was preventing /usr/bin/rpm from getattr access on /var/lib/rpm/Packages. After running restorecon -v '/var/lib/rpm/Packages' it’s now progressing.
I’m still fairly new to Katello, could you tell me how to check? I’m on foreman: 3.8.0 and katello 4.10.0. On the about page I have following pulp packages installed.
Ah gotcha. I’m on the latest then. I think as you mentioned before the dependency solving I had enabled contributed to the slow publishing. I’ve disabled it as I noticed it does seem to interfere with the content view filters. I’m all good now
When I need to exclude newer kernels (for out-of-tree kmod reasons), I do something like
pattern
arch
version
bpftool
All architectures
Greater than version 4.18.0-425.3.1.el8
kernel*
All architectures
Greater than version 4.18.0-425.3.1.el8
*perf
All architectures
Greater than version 4.18.0-425.3.1.el8
kmod-kvdo
All architectures
Greater than version 6.2.7.17-87.el8
I don’t know if this is relevant to your use case, but if you exclude the package group you may have trouble using the CV to Kickstart.
I would also suggest you make sure you are only applying filters to BaseOS if that’s where all the packages you need to exclude are from, since in my experience that is (a) faster to publish and (b) in the past I’ve lost modulemd_defaults by applying even non-matching filters to AppStream or other repositories.
Right now I have individuals packages excluded just like you in your example. But I didn’t know or see that you can apply it to only a subset of repositories. That’s a very great tip! Thanks a lot