How to use local-only repositories?

Hi, again!

Still struggling to create a functional katello/foreman, CentOS installation-server …
Right now, I’m on foreman 2.1.4 & katello 3.16.1

Is there a preferred way to limit the newly born server to only use the repositories provided by katello/foreman?

I have no internet access in my deployment network and because of this, I have many places in the installation procedure that have to wait for dnf to time out for the default CentOS* repositories.

Is the setting “only_subscription_manager_repos” doing anything in this regard? If so, I cannot get it to work.

If the answer is to create a pre-script to disable all repositories in all the repo files … so be it, but it feels a bit artificial. Is the pre-script executed so it sees both /etc/yum.repos.d & /mnt/sysimage/etc/yum.repos.d, and do I need to disable the repos in both places?

//Br Christian

Hi,

I am facing a similar situation as you. May I know if you have any progress?

No, no real progress. Just ugly workarounds.
I didn’t succeed in disabling the default repositories in a %pre script, so I took an alternate, even uglier, route:
You have to find everything that wants to use the default repositories and unset/comment it out. This also means that you have to take care of needed packages during %install rather than any later stage.

For me, I believe it was:

[settings]
package_upgrade=false
enable-epel=false

[templates]
create "<my_provisioning_template> custom repositories"
- add repositories: my_epel_repo, my_puppet_repo
create "<my_provisioning_template> custom packages"
- add packages: subscription-manager, puppet-agent
edit: redhat_registration - remove yum/dnf install
edit: puppet_setup - remove yum/dnf install
edit: "<my_provisioning_template>" - update the inclusion of the above snippets.

Up until now I had my whole setup scripted with hammer, just to be able to easily remake it completely. It also proves to be good documentation, but cloning and editing the templates this way feels tricky. Maybe using ‘patch’ could simplify it to some extent …

I really hope that someone knows an easier way.

//Br Christian

Hi @Bugenhagen,

only_subscription_manager_repos is the host parameter that you want for this scenario. It should be setting the disable_system_repos flag in your /etc/yum/pluginconf.d/subscription-manager.conf or /etc/dnf/plugins/subscription-manager.conf

Do you see this flag being set on your clients?

Hi!

After looking in all the wrong places I finally found that ‘only_subscription_manager_repos’ is committed in: 3e693b0713fa43db600bc55fbf3476b9fa9f780a (Fixes #30415) from Aug 25 2020

But that isn’t in foreman-2.1.4-1.el7 - built on 15 Oct 2020 …
Maybe it’s not in the stable edition yet?

How can I get this function without breaking everything else?
Would it work to download just the register_redhat.erb and put it in the correct place?

//Br Christian

1 Like

Hi @Bugenhagen, @iballou,

You can take a look at the code in my role on https://github.com/thulium-drake/ansible-role-foreman

What I did was 2 things:

  1. Set the host-parameters enable-epel to False
  2. Create a new snippet named Kickstart default custom packages and make it contain at least subscription-manager

This will ‘force’ the Kickstart installation to not contact EPEL and more importantly, install subscription-manager in the initial package installation step.

As mentioned, the Ansible role I mentioned can save you a lot of work! (Also check out my blog at Foreman :: Foreman Config as Code!)

2 Likes

@Bugenhagen ah good find, you’re right about only_subscription_manager_repos being in the latest foreman. To fix, I suppose you could just clone the redhat_register provisioning template from within the UI and edit in the change here: https://github.com/theforeman/foreman/pull/7823

1 Like

I have a CentOS 8 VM with no access to the Internet, so I set disable_system_repos=1 in /etc/dnf/plugins/subscription-manager.conf and then added the VM with:
subscription-manager register --org="XXX" --activationkey="key-dummy"

I noticed the system registration took a long time so looking in /var/log/rhsm/rhsm.log I see:

2020-10-26 12:27:18,090 [ERROR] subscription-manager:39922:MainThread @profile.py:81 - Unable to create sack object: Failed to download metadata for repo ‘AppStream’: Cannot prepare internal mirrorlist: Curl error (28): Timeout was reached for http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=AppStream&infra=$infra [Connection timed out after 30000 milliseconds]

So it seems subscription-manager ignores the disable_system_repos=1 setting when you register a new host and tries to reach out to http://mirrorlist.centos.org coming from /etc/yum.repos.d/CentOS-AppStream.repo.

Is this to be expected?

I actually noticed that when performing a yum update with “disable_system_repos=1” I see:

# yum update
Updating Subscription Management repositories.
subscription-manager plugin disabled 6 system repositories with respect of configuration in /etc/dnf/plugins/subscription-manager.conf

The update works fine, but right when it has finished (after “Installed products updated” is printed) the update hangs and after a while it times out again with:
2020-10-26 13:08:09,901 [ERROR] yum:40232:MainThread @profile.py:81 - Unable to create sack object: Failed to download metadata for repo ‘AppStream’: Cannot prepare internal mirrorlist: Curl error (28): Timeout was reached for http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=AppStream&infra=$infra [Connection timed out after 30001 milliseconds]

@tedevil,

I wonder if this BZ is related: https://bugzilla.redhat.com/show_bug.cgi?id=1713626

What is your version of subscription-manager?

After provisioning a new server (even with a working “only_subscription_manager_repos”, I still need to add ‘subscription-manager’ to %packages; otherwise the “dnf -y install subscription-manager” high up in redhat-register.erb will time out on “CentOS-8 AppStream”), there is still a problem with the default repo files.

I’m on:
# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 3.16.1.2-Unknown
subscription management rules: 5.40
subscription-manager: 1.26.20-1.el8_2

but it seems that the only command that adheres to disable_system_repos=1 is “dnf repolist”. “subscription-manager repos” just hangs. Installing packages works … but just before completion they hang. Interrupting the command dumps

"Errors during downloading metadata for repository ‘AppStream’:
- Curl error (28): Timeout was reached for http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=AppStream&infra=$infra [Connection timed out after 30001 milliseconds]"
to the console.

Deleting all the /etc/yum.repos.d/CentOS* files and cleaning the cache solves the problem.
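
A check for the two things this thread keeps returning to, added here as an example that is not part of the original thread: whether disable_system_repos=1 is set in the plugin configuration, and which repository sections outside redhat.repo are still enabled. The function names and sample files are constructed; it assumes redhat.repo is the file subscription-manager manages and that a section without an enabled key counts as enabled.

```shell
#!/bin/sh
# Added example. Functions and sample files are constructed for illustration.
# On a client: flag_is_set /etc/dnf/plugins/subscription-manager.conf
#              enabled_system_repos /etc/yum.repos.d

flag_is_set() {  # $1 = plugin conf; succeeds only if disable_system_repos=1
    [ -r "$1" ] && grep -Eq \
        '^[[:space:]]*disable_system_repos[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

enabled_system_repos() {  # $1 = repo dir; prints file:section for enabled repos
    for f in "$1"/*.repo; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        # Assumption: redhat.repo is the file subscription-manager manages.
        if [ "$name" = "redhat.repo" ]; then continue; fi
        awk -v file="$name" '
            function emit() { if (sec != "" && on) print file ":" sec }
            /^[ \t]*\[.*\][ \t]*$/ {
                emit(); sec = $0
                gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
                on = 1   # assumption: no "enabled" key means enabled
                next
            }
            /^[ \t]*enabled[ \t]*=/ {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
                on = (v == "1" || tolower(v) == "true" || tolower(v) == "yes")
            }
            END { emit() }
        ' "$f"
    done
}

make_sample() {  # $1 = empty dir; writes constructed sample files
    printf '[AppStream]\nmirrorlist=http://mirrorlist.centos.org/\nenabled=1\n' \
        > "$1/CentOS-AppStream.repo"
    printf '[extras]\nenabled = 0\n[extras-source]\nname=no enabled key\n' \
        > "$1/CentOS-Extras.repo"
    printf '[my_epel_repo]\nenabled=1\n' > "$1/redhat.repo"
    printf '[main]\nenabled=1\ndisable_system_repos=1\n' \
        > "$1/subscription-manager.conf"
}

demo=$(mktemp -d)
make_sample "$demo"
flag_is_set "$demo/subscription-manager.conf" && echo "disable_system_repos=1 is set"
enabled_system_repos "$demo"   # AppStream and extras-source are still enabled
rm -rf "$demo"
```
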

Indeed related to https://bugzilla.redhat.com/show_bug.cgi?id=1713626. Running this version:

subscription-manager version

server type: Red Hat Subscription Management
subscription management server: 3.16.1.2-Unknown
subscription management rules: 5.40
subscription-manager: 1.27.16-1.el8

Looking at https://bugzilla.redhat.com/show_bug.cgi?id=1713626 closer, it seems the tester actually never used a machine with no access to the Internet, so he never saw the connection attempts to the outside after the packages are installed. I can replicate his exact results if I use a machine with internet access from a proxy, for example.

Would you mind filing a Bugzilla under RHEL 8 -> subscription-manager? It does look like we’ve uncovered a new bug here.

https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%208