Importing CentOS Errata with Pulp3

Finally I’ve found a problem:
my ContentView had a filter for one rpm (qpid-proton-c); after deleting this filter and publishing a new version of the CV, all errata is visible in the CV version and at the host.

The errata from the repo doesn’t seem to be associated correctly by Foreman. For CESA-2022:0274, polkit-0.112-26.el7_9.1.x86_64.rpm seems to be the solution package which has the vulnerability fixed. So the errata should show all hosts that need to be upgraded to that package. For example, polkit-0.112-11.el7_3.x86_64, which should be shown as a security errata for that package, simply gets registered as a package which needs to be upgraded, and the errata is not shown properly.


I’ve created a separate post regarding that issue but so far no solutions have been provided. I don’t know whether the issue lies in the xml file, the script that processes it, or in how Foreman handles errata from local repos. Errata is shown correctly at least with AlmaLinuxes.

I’m using a locally built CentOS 7 errata repository, attached to a content view, and it seems to be working fine for the CESA mentioned:

As “yum list-sec” shows it:

CESA_2022__0274 Important/Sec. polkit-0.112-26.el7_9.1.x86_64

Well, how do you create that repo? I’m wondering if there is some difference in how we create the local repo and that’s the reason why it doesn’t work properly for me.

Using this script (https://github.com/vmfarms/generate_updateinfo)

This is how I sync the errata. I’m not using content views, but that really shouldn’t affect how errata is handled in the system.


#download latest errata
wget -q https://cefs.steve-meier.de/errata.latest.xml.bz2 -e use_proxy=yes -e https_proxy=http://proxy:3128 -O /var/lib/foreman-errata/errata.latest.xml.bz2
/usr/bin/bzip2 -d -f /var/lib/foreman-errata/errata.latest.xml.bz2
#process the errata
/usr/bin/python /usr/bin/generate_updateinfo.py -s all -t all /var/lib/foreman-errata/errata.latest.xml -d /tmp/ > /dev/null 2>&1
#inject errata to a local repo
modifyrepo /tmp/updateinfo-7/updateinfo.xml /var/www/html/pub/centos7-errata/repodata/ > /dev/null 2>&1
#sync via api


Hi John, can you please explain this to me?

  • I’ve created a folder at /var/www/html/pub/centos-errata/
  • used createrepo /var/www/html/pub/centos-errata/ to create the repodata.
  • Executed the commands as per the git (GitHub - vmfarms/generate_updateinfo)

wget -q -N -P/tmp http://cefs.steve-meier.de/errata.latest.xml.bz2

(cd /tmp/ && sha1sum -c <(wget -qO- http://cefs.steve-meier.de/errata.latest.sha1|grep bz2) )

generate_updateinfo.py <(bzip2 -dc /tmp/errata.latest.xml.bz2)

but it throws the below error. Can you help with what I am missing here?

WARNING:root:Unwanted advisory type: CEEA-2021:4452. Skipping
WARNING:root:Unwanted advisory type: CEEA-2021:4473. Skipping
WARNING:root:Unwanted advisory type: CEEA-2021:4488. Skipping
WARNING:root:Unwanted advisory type: CEEA-2021:4491. Skipping
WARNING:root:Unwanted advisory type: CEEA-2021:4498. Skipping
WARNING:root:Unwanted advisory type: CEEA-2021:4514. Skipping
WARNING:root:Unwanted advisory type: CEEA-2021:4539. Skipping
WARNING:root:Unwanted advisory type: CEEA-2021:5239. Skipping
WARNING:root:Unwanted security advisory severity: CESA-2014:0684. Skipping
WARNING:root:Unwanted security advisory severity: CESA-2014:0687. Skipping
WARNING:root:Unwanted security advisory severity: CESA-2014:0702. Skipping
WARNING:root:Unwanted security advisory severity: CESA-2014:0703. Skipping
WARNING:root:Unwanted security advisory severity: CESA-2014:0790. Skipping
WARNING:root:Unwanted security advisory severity: CESA-2014:0827. Skipping

I’d say you’re not running generate_updateinfo.py appropriately, this is my wrapper script - we’re only interested in CentOS 7 errata:

#!/bin/bash

SCRIPTDIR=$(dirname $0)
TMPDIR="/tmp/generate_updateinfo$$"
REPODIR=/var/www/html/pub/centos-errata

wget -q -N -P$TMPDIR http://cefs.steve-meier.de/errata.latest.xml.bz2

$SCRIPTDIR/generate_updateinfo.py -r 7 -d $TMPDIR -s all -t all <(bzcat $TMPDIR/errata.latest.xml.bz2) &> /dev/null

modifyrepo --remove updateinfo $REPODIR/7/repodata
modifyrepo $TMPDIR/updateinfo-7/updateinfo.xml $REPODIR/7/repodata

rm -fr $TMPDIR

Hi John,

The wrapper was throwing an error for the open ( brace, hence I modified it to a tilde ` and executed the script.

[root@xxxxx tmp]# cat centoswrapper.sh
#!/bin/bash

SCRIPTDIR=$(dirname $0)
TMPDIR="/tmp/generate_updateinfo$$"
REPODIR=/var/www/html/pub/centos-errata

wget -q -N -P$TMPDIR http://cefs.steve-meier.de/errata.latest.xml.bz2

$SCRIPTDIR/generate_updateinfo.py -r 7 -d $TMPDIR -s all -t all < bzcat $TMPDIR/errata.latest.xml.bz2 &> /dev/null
#$SCRIPTDIR/generate_updateinfo.py -r 7 -d $TMPDIR -s all -t all < (bzcat $TMPDIR/errata.latest.xml.bz2}

modifyrepo --remove updateinfo $REPODIR/7/repodata
modifyrepo $TMPDIR/updateinfo-7/updateinfo.xml $REPODIR/7/repodata

rm -fr $TMPDIR
[root@xxxx tmp]#

Output of the script at the bottom:

<packages>expat-static-2.1.0-15.el7_9.i686.rpm</packages>
<packages>expat-static-2.1.0-15.el7_9.x86_64.rpm</packages>
Steve Meier Free for non-commercial use This software is provided AS IS. There are no guarantees. It might kill your cat. Tue Oct 11 07:13:18 UTC 2022 : File name too long
Metadata not found: updateinfo
Could not add metadata from file /tmp/generate_updateinfo15360/updateinfo-7/updateinfo.xml: /tmp/generate_updateinfo15360/updateinfo-7/updateinfo.xml not found
[root@xxxx tmp]#

This one runs in my test box. I’ve already created the repo in the Satellite 6.10 GUI as you suggested above. Can you please help with the error?

Your change to my script completely changes the meaning of the main line of the script. It needs to stay as it is, and be run by bash.

I believe it executed successfully.

From which location do I need to take the “updateinfo.xml” to run the below command? Once we run the below command, do we need to sync from Satellite for that repo?

modifyrepo updateinfo.xml /var/www/html/pub/centos-errata/7/repodata/

[root@xxx tmp]# ./centoswrapper.sh
Removed:
type = updateinfo
location = repodata/7eb148d95ed29c763744fcfef44d567ff4614b703959d199f67e953384af3a93-updateinfo.xml.gz
checksum = 7eb148d95ed29c763744fcfef44d567ff4614b703959d199f67e953384af3a93
timestamp = 1666346209
open-checksum = 2fda6ec5bf85b713be63073ceaf54631267f269a8ad0505e3f8d3c9f522cd075
Wrote: /var/www/html/pub/centos-errata/7/repodata/repomd.xml
Wrote: /var/www/html/pub/centos-errata/7/repodata/updateinfo.xml.gz
type = updateinfo
location = repodata/7eb148d95ed29c763744fcfef44d567ff4614b703959d199f67e953384af3a93-updateinfo.xml.gz
checksum = 7eb148d95ed29c763744fcfef44d567ff4614b703959d199f67e953384af3a93
timestamp = 1666346532
open-checksum = 2fda6ec5bf85b713be63073ceaf54631267f269a8ad0505e3f8d3c9f522cd075
Wrote: /var/www/html/pub/centos-errata/7/repodata/repomd.xml
[root@xxxx tmp]#

For us it’s just a repo in a product, and that gets synced daily. New CVV publications then take in the new errata.

Our team has created a product named “centos” and it has 6 repositories. It syncs every week and we follow the below steps to update errata info, but now that we have upgraded to Satellite 6.10 the script is not working because of errata. I’ve followed your instructions and created one more repo, but I’m missing something: errata info is not syncing in. Attached the images.

This “New CVV publications then take in the new errata.” will come only after we run “modifyrepo updateinfo.xml /var/www/html/pub/centos-errata/7/repodata/”. If so, from which location do I need to get the updateinfo.xml file?


Directory: /root/centos_oel_sync/katello-centos-errata-import
Execute the script in below order once moved into above directory.

  1. sh download-data.sh
  2. bzip2 -d data/com.redhat.rhsa-all.xml
  3. mv com.redhat.rhsa-all.xml.out com.redhat.rhsa-all.xml
  4. ./centos-errata-redis-loader.py
  5. Edit the config.yaml to add one after another repositories
    Finally run this command ./centos-errata-katello-importer.py

Looks like they followed this git “GitHub - nicolas-r/katello-centos-errata-import: Imports CentOS (from http://cefs.steve-meier.de/) errata into Katello”.

It’s in the script

modifyrepo $TMPDIR/updateinfo-7/updateinfo.xml $REPODIR/7/repodata

As in, the updateinfo.xml is generated in a temporary directory, and then inserted into the yum repository.

“modifyrepo ff0894025b701998e85d6081ea06e443bddf2a370c8467ef4e82f9795e75dada-updateinfo.xml.gz /var/www/html/pub/centos-errata/7/repodata/” - it got completed.

Now I synced the repo “CentOS errata 7” and I do not see any errata :(

Anything else we need to do?

Use my script, or at least attempt to understand what it’s doing?

A .xml.gz file is not the same as a .xml file.

It is pretty simple (how I do it):
create repo dir:

mkdir -p /var/www/html/pub/centos-erratas/7/repodata

Generate and add to repo:

generate_updateinfo.py -s all -t all errata.latest.xml
modifyrepo /tmp/updateinfo-7/updateinfo.xml /var/www/html/pub/centos-erratas/7/repodata

Create errata repo in foreman with url to

 https://<foreman FQDN>/pub/centos-erratas/7/

Use hammer to sync it:

hammer --quiet repository synchronize --id <repo id> --organization <your org>

When working, just add it all to a bash script and run whenever…


Thanks for patiently replying to my questions, John. It worked!!

Thanks a lot, pal, for making it very simple. Worked like a charm!! I’m able to see the errata and able to publish the CV.

71 errata looks super low unless you have intentionally filtered out many of them when you generate the updateinfo.xml. Maybe you do not use the “-s all -t all” parameters?
I have 5192 in mine.

I used the arguments as you suggested. When I clicked on the 71 errata I can see that only errata from May 2022 - October 2022 is added.

[root@xxx tmp]# ./generate_updateinfo.py -s all -t all errata.latest.xml
[root@xxx tmp]#

[root@xxx repodata]# modifyrepo /tmp/updateinfo-7/updateinfo.xml /var/www/html/pub/centos-erratas/7/repodata
Wrote: /var/www/html/pub/centos-erratas/7/repodata/updateinfo.xml.gz
type = updateinfo
location = repodata/56bbf19ec024e230299204bf25de353631231a238afc26e25e744c65e69c4e9e-updateinfo.xml.gz
checksum = 56bbf19ec024e230299204bf25de353631231a238afc26e25e744c65e69c4e9e
timestamp = 1666356812
open-checksum = 85a9e67803862930a38e8c5a95a654936896faeead4751ec81708fa36aea8362
Wrote: /var/www/html/pub/centos-erratas/7/repodata/repomd.xml
[root@xxx repodata]#
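
A variant of the wrapper script posted earlier in the thread that fails loudly instead of silently publishing a missing or unexpectedly small updateinfo.xml (the 71 versus 5192 situation above). This is an added example, not any poster's or project's own code. Assumptions: the SHA-1 list is reachable over HTTPS on the same host, `generate_updateinfo.py` is on the PATH, and the `MIN_ADVISORIES` floor is an arbitrary value chosen for illustration.

```shell
#!/bin/bash
# Added example, not a script from the thread. Names and threshold are assumptions.
set -eu

BASE_URL="https://cefs.steve-meier.de"   # host used in the thread; sha1 path over HTTPS is assumed
REPODATA="/var/www/html/pub/centos-errata/7/repodata"
MIN_ADVISORIES=1000                      # assumed floor; the thread reports 5192 with "-s all -t all"

# Check the archive in directory $1 against the sha1sum-format list $2 (absolute path).
# Same-origin checksums catch truncated or corrupted downloads, not a tampered server.
verify_checksum() {
    (cd "$1" && grep -F 'errata.latest.xml.bz2' "$2" | sha1sum -c --status -)
}

# Count <update> elements in a plain updateinfo.xml ($1), even if it is a single line.
count_advisories() {
    { grep -o '<update[ >]' "$1" || true; } | wc -l
}

main() {
    local work xml n
    work=$(mktemp -d)                    # unpredictable, unlike /tmp/generate_updateinfo$$
    trap "rm -rf '$work'" EXIT
    wget -q -P "$work" "$BASE_URL/errata.latest.xml.bz2" "$BASE_URL/errata.latest.sha1"
    verify_checksum "$work" "$work/errata.latest.sha1" ||
        { echo "checksum mismatch, aborting" >&2; exit 1; }
    bzip2 -d "$work/errata.latest.xml.bz2"
    # Errors stay visible: no redirect to /dev/null.
    generate_updateinfo.py -r 7 -s all -t all -d "$work" "$work/errata.latest.xml"
    xml="$work/updateinfo-7/updateinfo.xml"
    [ -s "$xml" ] || { echo "updateinfo.xml was not generated" >&2; exit 1; }
    n=$(count_advisories "$xml")
    [ "$n" -ge "$MIN_ADVISORIES" ] ||
        { echo "only $n advisories, refusing to publish" >&2; exit 1; }
    modifyrepo --remove updateinfo "$REPODATA" || true   # nothing to remove on first run
    modifyrepo "$xml" "$REPODATA"
}

# Run only when asked, so the functions can be sourced and tested on their own.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `./script.sh --run` from cron; a non-zero exit leaves the previously published updateinfo in place, so hosts keep their last known errata instead of losing them.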