Performing # dnf update on Foreman server results in Errors

ericville · September 3, 2023, 4:23pm

Problem:

dnf update on Foreman server results in Errors

Expected outcome:
Successful update
Foreman and Proxy versions:
Foreman 3.6.1 - Katello 4.6 - Proxy 3.6.1
Foreman and Proxy plugin versions:
foreman-tasks - 7.2.1
foreman_ansible -11.2.0
foreman_expire_hosts - 8.1.0
foreman_openscap - 9.1.0
foreman_remote_execution - 9.1.0
foreman_templates - 9.3.3
katello - 4.8.1

Distribution and version:
CentOS Stream 8

Other relevant data:
Result of running # dnf update command -

Problem 1: cannot install the best update candidate for package pki-servlet-engine-1:9.0.30-3.module_el8.5.0+854+e1c92b81.noarch

both package tomcat-el-3.0-api-1:9.0.62-12.el8.noarch and tomcat-lib-1:9.0.62-12.el8.noarch obsolete pki-servlet-engine
package tomcat-jsp-2.3-api-1:9.0.62-12.el8.noarch requires tomcat-servlet-4.0-api = 1:9.0.62-12.el8, but none of the providers can be installed
package tomcat-lib-1:9.0.62-12.el8.noarch requires tomcat-servlet-4.0-api = 1:9.0.62-12.el8, but none of the providers can be installed
package tomcat-servlet-4.0-api-1:9.0.62-12.el8.noarch is filtered out by modular filtering
Problem 2: package rubygem-openscap-0.4.9-8.el8.noarch requires openscap < 1.3.8, but none of the providers can be installed
openscap-1.3.7-1.el8.i686 has inferior architecture
openscap-1.3.4-5.el8.i686 has inferior architecture
openscap-1.3.5-10.el8.i686 has inferior architecture
openscap-1.3.5-2.el8.i686 has inferior architecture
openscap-1.3.5-4.el8.i686 has inferior architecture
openscap-1.3.5-5.el8.i686 has inferior architecture
openscap-1.3.5-6.el8.i686 has inferior architecture
openscap-1.3.5-9.el8.i686 has inferior architecture
openscap-1.3.6-3.el8.i686 has inferior architecture
openscap-1.3.6-4.el8.i686 has inferior architecture
cannot install both openscap-1.3.8-1.el8.x86_64 and openscap-1.3.7-1.el8.x86_64
cannot install both openscap-1.3.8-1.el8.x86_64 and openscap-1.3.4-5.el8.x86_64
cannot install both openscap-1.3.8-1.el8.x86_64 and openscap-1.3.5-10.el8.x86_64
cannot install both openscap-1.3.8-1.el8.x86_64 and openscap-1.3.5-2.el8.x86_64
cannot install both openscap-1.3.8-1.el8.x86_64 and openscap-1.3.5-4.el8.x86_64
cannot install both openscap-1.3.8-1.el8.x86_64 and openscap-1.3.5-5.el8.x86_64
cannot install both openscap-1.3.8-1.el8.x86_64 and openscap-1.3.5-6.el8.x86_64
cannot install both openscap-1.3.8-1.el8.x86_64 and openscap-1.3.5-9.el8.x86_64
cannot install both openscap-1.3.8-1.el8.x86_64 and openscap-1.3.6-3.el8.x86_64
cannot install both openscap-1.3.8-1.el8.x86_64 and openscap-1.3.6-4.el8.x86_64
cannot install the best update candidate for package rubygem-openscap-0.4.9-8.el8.noarch
cannot install the best update candidate for package openscap-1.3.7-1.el8.x86_64
(try to add ‘–allowerasing’ to command line to replace conflicting packages or ‘–skip-broken’ to skip uninstallable packages or ‘–nobest’ to use not only best candidate packages)

tedevil · September 4, 2023, 9:30am

I would suggest removing the i686 version of openscap first of all.
Also seems you have packages I do not have even though we have a similar setup.
Using AlmaLinux 8 Foreman 3.6.1/Katello 4.8.4:

# rpm -qa| egrep -i 'servlet|tomcat|^openscap|rubygem-openscap'
pki-servlet-4.0-api-9.0.50-1.module_el8.7.0+3312+8a7ba00f.noarch
pki-servlet-engine-9.0.50-1.module_el8.7.0+3312+8a7ba00f.noarch
tomcatjss-7.7.1-1.module_el8.6.0+2764+9fc58d50.noarch
openscap-1.3.7-1.el8.alma.x86_64
rubygem-openscap-0.4.9-8.el8.noarch
rubygem-openscap_parser-1.0.2-2.el8.noarch
openscap-scanner-1.3.7-1.el8.alma.x86_64

When issues like this happens I suggest snapshotting the VM and perhaps try the “–allowerasing” or “–nobest” switch?

tedevil · September 4, 2023, 9:37am

My enabled modules:

dnf module list --enabled
Last metadata expiration check: 3:25:56 ago on Mon 04 Sep 2023 06:08:45 AM UTC.
AlmaLinux 8 - AppStream
Name                        Stream              Profiles                         Summary
ant                         1.10 [d][e]         common [d]                       Java build tool
httpd                       2.4 [d][e]          common [d], devel, minimal       Apache HTTP Server
javapackages-runtime        201801 [d][e]       common [d]                       Basic runtime utilities to support Java applications
maven                       3.5 [d][e]          common [d]                       Java project management and project comprehension tool
perl                        5.26 [d][e]         common [d], minimal              Practical Extraction and Report Language
perl-IO-Socket-SSL          2.066 [d][e]        common [d]                       Perl library for transparent TLS
perl-libwww-perl            6.34 [d][e]         common [d]                       A Perl interface to the World-Wide Web
pki-core                    10.6 [e]                                             PKI Core module for PKI 10.6 or later
pki-deps                    10.6 [e]                                             PKI Dependencies module for PKI 10.6 or later
postgresql                  12 [e]              client, server [d]               PostgreSQL server and client module
python36                    3.6 [d][e]          build, common [d]                Python programming language, version 3.6
python38                    3.8 [d][e]          build, common [d]                Python programming language, version 3.8
python39                    3.9 [d][e]          build, common [d]                Python programming language, version 3.9
redis                       6 [e]               common [d]                       Redis persistent key-value database
ruby                        2.7 [e]             common [d]                       An interpreter of object-oriented scripting language
virt                        rhel [d][e]         common [d]                       Virtualization module

Foreman 3.6
Name                        Stream              Profiles                         Summary
foreman                     el8 [e]             installer                        Foreman module

Katello 4.8
Name                        Stream              Profiles                         Summary
katello                     el8 [e]             installer                        Katello module

pulpcore: Fetch, Upload, Organize, and Distribute Software Packages.
Name                        Stream              Profiles                         Summary
pulpcore                    el8 [e]                                              Pulpcore module

ericville · September 4, 2023, 12:36pm

Thanks for the reply Paul!
I have tried the “allowerasing, and nobest” switch with no success. In fact the nobest switch breaks https and am unable to access Foreman after that. I’ll try removing the i686 version and see what happens.

Thanks again,

Eric

tedevil · September 4, 2023, 12:42pm

What does these commands show?

rpm -qa| egrep -i 'servlet|tomcat|^openscap|rubygem-openscap'
dnf module list --enabled

ericville · September 4, 2023, 1:02pm

rpm -qa| egrep -i ‘servlet|tomcat|^openscap|rubygem-openscap’

openscap-1.3.7-1.el8.x86_64
openscap-scanner-1.3.7-1.el8.x86_64
rubygem-openscap_parser-1.0.2-2.el8.noarch
pki-servlet-4.0-api-9.0.30-3.module_el8.5.0+854+e1c92b81.noarch
tomcatjss-7.7.1-1.module_el8.6.0+1038+e795ee4b.noarch
rubygem-openscap-0.4.9-8.el8.noarch
pki-servlet-engine-9.0.30-3.module_el8.5.0+854+e1c92b81.noarch

#dnf module list --enabled
CentOS Stream 8 - AppStream
Name Stream Profiles Summary
ant 1.10 [d][e] common [ Java build tool
d]
container-tools rhel8 [d][e] common [ Most recent (rolling) versions of po
d] dman, buildah, skopeo, runc, conmon,
runc, conmon, CRIU, Udica, etc as w
ell as dependencies such as containe
r-selinux built and tested together,
and updated as frequently as every
12 weeks.
httpd 2.4 [d][e] common [ Apache HTTP Server
d], deve
l, minim
al
javapackages-runtime 201801 [d][e] common [ Basic runtime utilities to support J
d] ava applications
maven 3.5 [d][e] common [ Java project management and project
d] comprehension tool
perl 5.26 [d][e] common [ Practical Extraction and Report Lang
d], mini uage
mal
perl-IO-Socket-SSL 2.066 [d][e] common [ Perl library for transparent TLS
d]
perl-libwww-perl 6.34 [d][e] common [ A Perl interface to the World-Wide W
d] eb
pki-core 10.6 [e] PKI Core module for PKI 10.6 or late
r
pki-deps 10.6 [e] PKI Dependencies module for PKI 10.6
or later
postgresql 12 [e] client, PostgreSQL server and client module
server [
d]
python39 3.9 [d][e] build, c Python programming language, version
ommon [d 3.9
]
redis 6 [e] common [ Redis persistent key-value database
d]
ruby 2.7 [e] common [ An interpreter of object-oriented sc
d] ripting language
virt rhel [d][e] common [ Virtualization module
d]

Foreman 3.6
Name Stream Profiles Summary
foreman el8 [e] installe Foreman module
r

Katello 4.8
Name Stream Profiles Summary
katello el8 [e] installe Katello module
r

pulpcore: Fetch, Upload, Organize, and Distribute Software Packages.
Name Stream Profiles Summary
pulpcore el8 [e] Pulpcore module

evgeni · September 5, 2023, 7:44am

The OpenSCAP part was fixed in Depend on libopenscap.so.25 explicitly by ekohl · Pull Request #9051 · theforeman/foreman-packaging · GitHub

I’ll see that we backport that change to 3.6.

Edit: backported.

ericville · September 5, 2023, 1:06pm

Thank you Evgeni!

ericville · September 5, 2023, 1:51pm

The OpenSCAP error is now gone, thanks again Evgeni. Just need to troubleshoot the other error now.

Eric

ehelms · September 5, 2023, 2:26pm

First, I have reached out to and am working with the Tomcat maintainers to try to fix this. The issue is not as much with the Tomcat packages which are designed to replace pki-servlet-engine but with the challenges of modularity.

The workaround for the Tomcat issue is not “pretty” and please read the steps carefully especially the end. Luckily, if you don’t do the last part, dnf update will bomb out anyway from my testing.

Open the AppStream repository file (/etc/yum.repos.d/CentOS-Stream-AppStream.repo) and add module_hotfixes=1. You MUST remove this at the end.
dnf update tomcat – a full dnf update will not work, it must be a targeted update
Open the AppStream repository file (/etc/yum.repos.d/CentOS-Stream-AppStream.repo) and REMOVE module_hotfixes=1.
dnf update – update the system

jruk · September 5, 2023, 2:52pm

That worked perfectly for me, many thanks Eric

ericville · September 5, 2023, 3:52pm

Fantastic Sir! That fixed my issue. Now I can upgrade to 3.7/4.9

Much appreciated!

Eric

dmgeurts · September 19, 2023, 8:21am

Thank you!

bnerickson · September 20, 2023, 11:09pm

@ehelms

I followed your instructions, but after running dnf update after disabling module_hotfixes I receive the “opposite” error (require pki-servlet-engine instead of tomcat):

# dnf update --allowerasing
...
Error:
 Problem: cannot install the best update candidate for package candlepin-4.3.1-1.el8.noarch
  - problem with installed package candlepin-4.3.1-1.el8.noarch
  - package candlepin-4.3.1-1.el8.noarch from @System requires pki-servlet-engine, but none of the providers can be installed
  - package tomcat-1:9.0.62-14.el8.noarch from ORG_PRODUCT-EL8-X86_64-CENTOS_STREAM_REPO-EL8-X86_64-CENTOS_STREAM_APPSTREAM conflicts with pki-servlet-engine <= 1:9.0.50 provided by tomcat-1:9.0.62-12.el8.noarch from @System
  - cannot install both tomcat-1:9.0.62-14.el8.noarch from ORG_PRODUCT-EL8-X86_64-CENTOS_STREAM_REPO-EL8-X86_64-CENTOS_STREAM_APPSTREAM and tomcat-1:9.0.62-12.el8.noarch from @System
  - package tomcat-1:9.0.62-14.el8.noarch from ORG_PRODUCT-EL8-X86_64-CENTOS_STREAM_REPO-EL8-X86_64-CENTOS_STREAM_APPSTREAM conflicts with pki-servlet-engine <= 1:9.0.50 provided by pki-servlet-engine-1:9.0.30-1.module_el8.4.0+595+e59c9af2.noarch from ORG_PRODUCT-EL8-X86_64-CENTOS_STREAM_REPO-EL8-X86_64-CENTOS_STREAM_APPSTREAM
  - package tomcat-1:9.0.62-14.el8.noarch from ORG_PRODUCT-EL8-X86_64-CENTOS_STREAM_REPO-EL8-X86_64-CENTOS_STREAM_APPSTREAM conflicts with pki-servlet-engine <= 1:9.0.50 provided by pki-servlet-engine-1:9.0.30-3.module_el8.5.0+854+e1c92b81.noarch from ORG_PRODUCT-EL8-X86_64-CENTOS_STREAM_REPO-EL8-X86_64-CENTOS_STREAM_APPSTREAM
  - package tomcat-1:9.0.62-10.el8.noarch from ORG_PRODUCT-EL8-X86_64-CENTOS_STREAM_REPO-EL8-X86_64-CENTOS_STREAM_APPSTREAM is filtered out by modular filtering
  - package tomcat-1:9.0.62-12.el8.noarch from ORG_PRODUCT-EL8-X86_64-CENTOS_STREAM_REPO-EL8-X86_64-CENTOS_STREAM_APPSTREAM is filtered out by modular filtering
  - package tomcat-el-3.0-api-1:9.0.62-10.el8.noarch from ORG_PRODUCT-EL8-X86_64-CENTOS_STREAM_REPO-EL8-X86_64-CENTOS_STREAM_APPSTREAM is filtered out by modular filtering
  - package tomcat-jsp-2.3-api-1:9.0.62-10.el8.noarch from ORG_PRODUCT-EL8-X86_64-CENTOS_STREAM_REPO-EL8-X86_64-CENTOS_STREAM_APPSTREAM is filtered out by modular filtering
  - package tomcat-lib-1:9.0.62-10.el8.noarch from ORG_PRODUCT-EL8-X86_64-CENTOS_STREAM_REPO-EL8-X86_64-CENTOS_STREAM_APPSTREAM is filtered out by modular filtering
  - cannot install the best update candidate for package tomcat-1:9.0.62-12.el8.noarch
  - problem with installed package tomcat-1:9.0.62-12.el8.noarch
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

Am I correct in assuming this will remain an issue until the packaging issue is worked out with the Tomcat package maintainers?

bnerickson · October 25, 2023, 5:11pm

@ehelms , I’m still seeing the issue above. Is there anything I can do to remediate?