Importing CentOS Errata with Pulp3

Problem:
Hi, now with Pulp3 arriving thanks to the tremendous work from the Foreman / Katello team, I was wondering if anyone has found a way to import CentOS errata into Pulp3?

From my understanding, it’s not possible to do it anymore “natively” as pulp-admin doesn’t work with pulp3.

One workaround that I saw was this one: Not seeing my repos via pulp-admin - #8 by Michael
There you basically manually recreate a local CentOS repository (base / extra etc.), run the script to add the errata to the repository, then point Foreman to it.
It’s however not ideal compared to the “old method” that was way simpler to manage with a script and pulp-admin.

Has anyone faced this issue?

Kind regards,

loitho

1 Like

Hello Everyone,

Please let us know if anyone has been able to upload CentOS errata to repos hosted in a Pulp3 backend through the Pulp3 API.

Except for errata import, all other features of Foreman (2.3.3)/Katello (3.18) are working as expected.

I tried the above Python & Perl scripts to import errata from http://cefs.steve-meier.de/ to Katello/pulp3 repos. These scripts were written for the pulp2 version, where “pulp-admin” does all the uploading, but they are not working on Katello 3.18/pulp3.

I’m having exactly the same issue as described in this link: Errata info is processed and obviously assigned to rpms, but not imported · Issue #13 · nicolas-r/katello-centos-errata-import · GitHub

Thanks in advance!

After a whole lot of pain and agony trying to get the pulp-direct method of errata working long ago, I gave up and do the workaround as you mentioned. I keep a local centos repo, inject the errata into it and that’s where I point foreman. It’s actually pretty simple to use and works, even for centos8-based repos like Rocky Linux and Oracle8.

Hi, sorry for the delayed answer.

So in the end, I just ended up doing the following:

  • create a docker image
  • build it and use this script that basically converts the CEFS XML into a proper yum-readable repository: GitHub - vmfarms/generate_updateinfo
  • upload the created yum repository files to an AWS S3 bucket
  • get Foreman to sync the S3 bucket on a specific repository

That way, I have another repository, yes, but containing only errata, and I don’t have to deal with injecting the errata into an existing CentOS repository.

Can you expand upon this a bit please?

  • How do you generate your yum repository from the updateinfo.xml file?
  • Does it only contain metadata, or does it also need to contain the CentOS RPMs?

So, I appear to have answered my own questions:

  • Create an empty yum repo with “createrepo”, run “modifyrepo updateinfo.xml PATH_TO_REPO/repodata”
  • Just the metadata

1 Like

Yes, exactly!
It works nicely, and it’s less cumbersome than having to deal with the RPM + the metadata for the errata :)

1 Like

That is one of the reasons why I switched to OL and now AlmaLinux some time ago. For people that like to have errata without hacks and are looking for alternatives after CentOS goes EOL.

Oracle Linux 7 and 8 provide errata, but OL8 is missing tracer data about restart/reboot after update.
AlmaLinux 8 provides errata and correctly provides restart/reboot information in tracer.

Sneaky… I think I can work with this. Thanks for the tip-off.

@sjansen FYI Rocky Linux now provides full errata as well, no hacks necessary.

1 Like

Am I understanding this correctly, that the errata can be contained in its own repo and isn’t imported to my existing repos containing packages?

Example:
Existing Config is:
Product = Centos7
Repos = CentOS-7-Base, CentOS-7-Updates, epel

New Config is:
Product = Centos7
Repos = CentOS-7-Base, CentOS-7-Updates, epel, CentOS-7-Errata

where CentOS-7-Errata has no RPMs, only errata once it’s synced?

Thanks

Hi,
That’s correct !
I handle them like that, it’s less of a hassle as you don’t have to merge the errata with an RPM repository.

3 Likes

Can you please show us the commands, or how to do it from the GUI, to create this blank repo for errata? Shall I use the file or yum type for this errata?

I stored the repository on the Katello server, in /var/www/html/pub/centos-errata and then added it as a yum repository.

Hi,
As pointed out by John above, you have to use a “yum” repository, it’s just that you won’t see any package, just errata.

I made my script public, you can check it out here:

It simply uses a docker container to upload a file to an S3, or use an nginx server to hold the yum repository

1 Like

I’m working on converting the perl script to work with pulp 3 here: https://github.com/mattatnersc/pulp_centos_errata_import. I’ve converted the various “pulp” calls to API calls. It worked, then it stopped working and now I’m baffled. If anyone can figure out why a file like this doesn’t upload, then we’ll be in business:

{
  "status": "final",
  "version": "1",
  "release": "2.el8",
  "description": "Not available",
  "pkglist": [
    {
      "packages": [
        {
          "epoch": "0",
          "filename": "watchdog-5.15-2.el8.x86_64.rpm",
          "version": "5.15",
          "arch": "x86_64",
          "name": "watchdog",
          "release": "2.el8"
        }
      ],
      "name": "collection-0",
      "shortname": ""
    }
  ],
  "issued_date": "2021-11-09 00:00:00",
  "summary": "CentOS watchdog Update",
  "references": [
    {
      "href": "https://access.redhat.com/errata/RHBA-2021:4379",
      "type": "Bug Fix Advisory",
      "title": "CentOS watchdog Update",
      "id": "CEBA-2021:4379"
    }
  ],
  "id": "CEBA-2021:4379",
  "updated_date": "2021-11-09 00:00:00",
  "type": "bugfix",
  "title": "CentOS watchdog Update",
  "severity": "",
  "fromstr": "email@steve-meier.de"
}

http \
        --cert ~/.pulp/cert.pem \
        --cert-key ~/.pulp/priv.pem \
        --form POST \
        'https://foreman.example.com/pulp/api/v3/content/rpm/advisories/' \
        file@./"$JSON_FILE" \
        repository='/pulp/api/v3/repositories/rpm/rpm/bba16ffb-1796-4dca-1234-9dd63432c743/'

The resulting task complains of:

{
  "pulp_href": "/pulp/api/v3/tasks/dfd45719-9b8a-497c-a4e6-b7862ebe51f5/",
  "pulp_created": "2021-12-16T23:24:23.950390Z",
  "state": "failed",
  "name": "pulpcore.app.tasks.base.general_create_from_temp_file",
  "logging_cid": "f8a8f7f331bd4ae786d9f5246bb03788",
  "started_at": "2021-12-16T23:24:24.281947Z",
  "finished_at": "2021-12-16T23:24:24.613998Z",
  "error": {
    "traceback": "  File \"/usr/lib/python3.6/site-packages/pulpcore/tasking/pulpcore_worker.py\", line 317, in _perform_task\n    result = func(*args, **kwargs)\n  File \"/usr/lib/python3.6/site-packages/pulpcore/app/tasks/base.py\", line 18, in general_create_from_temp_file\n    general_create(app_label, serializer_name, data=data, *args, **kwargs)\n  File \"/usr/lib/python3.6/site-packages/pulpcore/app/tasks/base.py\", line 35, in general_create\n    serializer.save()\n  File \"/usr/lib/python3.6/site-packages/rest_framework/serializers.py\", line 205, in save\n    self.instance = self.create(validated_data)\n  File \"/usr/lib/python3.6/site-packages/pulp_rpm/app/serializers/advisory.py\", line 135, in create\n    raise serializers.ValidationError(\"Advisory already exists in Pulp.\")\n",
    "description": "[ErrorDetail(string='Advisory already exists in Pulp.', code='invalid')]"
  },
  "worker": "/pulp/api/v3/workers/a5fe8c87-d11a-495b-b60f-b1cb731dcc6d/",
  "parent_task": null,
  "child_tasks": [],
  "task_group": null,
  "progress_reports": [],
  "created_resources": [],
  "reserved_resources_record": [
    "/pulp/api/v3/repositories/rpm/rpm/bba16ffb-1796-4dca-1234-9dd63432c743/"
  ]
}

I used this method to sync the errata to Foreman. However, I think there are some issues with how Foreman processes the errata.

I used this Python script to process the errata.xml file: GitHub - vmfarms/generate_updateinfo
I then proceeded to make a local repository on the host and synced the repo to Foreman. All this works just fine.

The issue however seems to be with how foreman handles that information. CESA_2021__5192 for example. According to foreman there are no hosts that this applies to. While according to spacewalk this errata affects hosts that are registered to foreman.

Package installed currently on the host.
samba-common-4.10.16-15.el7_9.noarch
Package that should contain fix for the security issue.
samba-common-4.10.16-17.el7_9.noarch

So I believe that Foreman does not correctly inform the admin about what needs to be updated. AFAIK the packages where the version is lower than what is listed on the updated packages here https://access.redhat.com/errata/RHSA-2021:5192 are affected.

Foreman does see that the package needs to be updated but doesn’t inform that there is some errata to be applied to the host even though the errata is synced to the host.

I’m curious whether this is an issue with how Foreman handles this specific errata file or something else. ATM I have not updated the package yet, but I’m guessing that when the package matches the package version on the errata updated packages, Foreman might inform that there is errata that needs to be applied. I’m currently using this errata file: https://cefs.steve-meier.de/errata.latest.xml.bz2
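The version comparison the post above reasons about, as an added example (not code from Foreman, Katello or any poster in this thread): it parses updateinfo.xml-style errata and reports the advisories whose fixed package is newer than what a host has installed, which gives a check that does not depend on the Foreman UI. The XML and the host inventory are constructed from package versions quoted in the thread, and `rpmvercmp` here is a simplified reimplementation of RPM's ordering, not the library routine.

```python
import re
import xml.etree.ElementTree as ET
from itertools import zip_longest

_SEG = re.compile(r"\d+|[A-Za-z]+|~")
def rpmvercmp(a, b):
    """Simplified RPM segment comparison (caret '^' not handled): -1, 0 or 1."""
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == y:
            continue
        if x == "~" or y == "~":          # '~' sorts before anything, even end of string
            return -1 if x == "~" else 1
        if x is None or y is None:        # the string with segments left over is newer
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():    # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)         # numeric compare, so 9 < 10 and 01 == 1
        if x != y:
            return 1 if x > y else -1
    return 0

def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples the way rpm orders packages."""
    if int(a[0]) != int(b[0]):
        return 1 if int(a[0]) > int(b[0]) else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def applicable_errata(updateinfo_xml, installed):
    """Map advisory id -> fixed filenames newer than what the host has installed."""
    hits = {}
    for upd in ET.fromstring(updateinfo_xml).iter("update"):
        for pkg in upd.iter("package"):
            have = installed.get((pkg.get("name"), pkg.get("arch")))
            fix = (pkg.get("epoch") or "0", pkg.get("version"), pkg.get("release"))
            if have and evr_cmp(have, fix) < 0:
                hits.setdefault(upd.findtext("id"), []).append(pkg.findtext("filename"))
    return hits

# Constructed sample: two advisories in updateinfo.xml layout, and one host's packages.
SAMPLE = """<updates><update type="security"><id>CESA-2021:5192</id><pkglist><collection>
<package name="samba-common" epoch="0" version="4.10.16" release="17.el7_9" arch="noarch">
<filename>samba-common-4.10.16-17.el7_9.noarch.rpm</filename></package></collection></pkglist>
</update><update type="security"><id>CESA-2022:0274</id><pkglist><collection>
<package name="polkit" epoch="0" version="0.112" release="26.el7_9.1" arch="x86_64">
<filename>polkit-0.112-26.el7_9.1.x86_64.rpm</filename></package></collection></pkglist></update></updates>"""
HOST = {("samba-common", "noarch"): ("0", "4.10.16", "15.el7_9"),
        ("polkit", "x86_64"): ("0", "0.112", "26.el7_9.1")}
print(applicable_errata(SAMPLE, HOST))
```

Feeding it the real updateinfo.xml and the output of `rpm -qa --qf` from a host shows which advisories the content host page would be expected to list.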

Also noticing the same, I have imported errata also from the same steve-meier source into a new repo centos7-errata which is in my Product named Centos7.

I can find the latest polkit errata from centos mailing list [CentOS-announce] CESA-2022:0274 Important CentOS 7 polkit Security Update in the Centos7 → Centos7-errata repo in katello. If I select the errata it shows me I have hosts this is applicable to, and I’m redirected to the content page listing those hosts.

The applicable package is installable on those hosts, but that list of hosts shows no security errata available.

Correction, the following is not accurate:

If I select the errata it shows me I have hosts this is applicable to, and I’m redirected to the content page listing those hosts.

If I click on the errata it shows no hosts are applicable, and no content hosts are listed. If I select packages, click the applicable package, ie polkit from example above, I then see the count of hosts polkit is installed on, and how many are upgradable. Clicking on upgradable redirects to content → with the following query upgradable_rpms=polkit-0.112-26.el7_9.1.x86_64.

So the errata from the centos7-errata repo doesn’t associate with packages in another repo.

Hi @Stevedd
Do you use a content view? In my case, I see the errata in the repo, but it doesn’t present in published versions of ContentView.

On my Foreman server I’ve created a local repo in /var/www/html/pub/centos_errata/7, then using a script I import and inject errata into the local repo:
generate_updateinfo.py -s all -t all -v <(bzip2 -dc /tmp/errata.latest.xml.bz2)
/usr/bin/modifyrepo /tmp/updateinfo-7/updateinfo.xml /var/www/html/pub/centos_errata/7/repodata/

In Foreman I’ve added a new repo, synced it to the local repo https://foreman/pub/centos_errata/7/ (here I see all errata), added this new repo to a CV and published.
There are no errata in the published version.

It appears only if I add an erratum by an incremental update:
hammer content-view version incremental-update --content-view-version-id NNNN --errata-ids NNNN --organization XXXX

I’m on foreman-3.0.1-1, katello-4.2.1-1

Best regards,