[Katello] Updating katello-ca-consumer reverts rhsm.conf to Redhat CDN

Problem:

I recently added a Smart Proxy and noticed the /pub showed an updated katello-ca-consumer rpm. When hosts update to latest, the pre-existing rhsm.conf.kat-backup (the OS original config) from the previous package’s transactions is swapped back to be rhsm.conf.

Hosts then cannot connect to Foreman/Katello.

Running /usr/bin/katello-rhsm-consumer restores the proper config.

Doing a yum remove of the prev version first and then installing the update also succeeds.

This sounds exactly like [Satellite 6] While upgrading katello-ca-consumer package on the client system registered to Satellite or capsule, it reverts rhsm.conf to point to CDN/RHN - Red Hat Customer Portal but I have no RH subscriptions.

Expected outcome:

An update to katello-ca-consumer should not revert the rhsm.conf and break a working host.

Foreman and Proxy versions:

3.1.3

Foreman and Proxy plugin versions:

Distribution and version:

CentOS 7.9

Other relevant data:
Snip of yum output:

Upgrade  1 Package

Total download size: 6.5 k
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
katello-ca-consumer-foreman01.example.net-1.0-5.noarch.rpm                                                                                         | 6.5 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : katello-ca-consumer-foreman01-ops.am-usw02.ttops.net-1.0-5.noarch                                                                                                 1/2

WARNING

The yum/dnf plugins: /etc/yum/pluginconf.d/subscription-manager.conf were automatically enabled for the benefit of Red Hat Subscription Management. If not desired, use "subscription-manager config --rhsm.auto_enable_yum_plugins=0" to block this behavior.

  Cleanup    : katello-ca-consumer-foreman01.example.net-1.0-1.noarch                                                                                                 2/2
  Verifying  : katello-ca-consumer-foreman01.example.net-1.0-5.noarch                                                                                                 1/2
  Verifying  : katello-ca-consumer-foreman01.example.net-1.0-1.noarch                                                                                                 2/2

Updated:
  katello-ca-consumer-foreman01.example.net.noarch 0:1.0-5

Complete!

Update…

If one deletes the rhsm.conf.kat-backup created by the first version before doing the update, there is no file to restore and the problem is mitigated.

It appears to me that the cleanup tasks of the old version are executed AFTER the install tasks of the new version. So if there is a backup file, it is restored.

Were there any errors in the DNF log? We’ve had the same code in the RPM for as long as I can remember around the backup file. Code snippet

      %postun
      if [ $1 -eq 0 ]; then
        test -f /etc/rhsm/rhsm.conf.kat-backup && command cp /etc/rhsm/rhsm.conf.kat-backup /etc/rhsm/rhsm.conf
      fi

Does this only happen on EL7 clients?

I only have CentOS 7 clients to test on so I’m unsure of others.

I didn’t go looking for errors in DNF/YUM logs. Not sure if I can remember the host in questions, but I might be able to reproduce on a yet-upgraded host.

I assumed that, like for me, events causing an update to the katello-ca-consumer package are rare? Maybe so rare that it’s an untested case?

The postrun is doing just what I’m suffering. It all comes down to what conditions cause what order the postrun is executed when old is replaced by new? RPM skill beyond my depth.