Proxy interferes with repository sync

We are stuck behind a proxy which detects an rpm as a threat (specifically python-impacket). I say one package, but I’m sure there will be more, and it explains some of the issues we’ve been having. The missing package is of no concern to me and won’t cause me any issues; however, pulp seems unable or unwilling to publish the repository omitting the package in question.

Expected outcome:
Mark the repository sync as a warning state and identify the offending package but publish the remaining packages in the repository or allow some level of override.

Foreman and Proxy versions:

foreman.noarch 2.1.3-1.el7 @foreman-local
foreman-cli.noarch 2.1.3-1.el7 @foreman-local
foreman-debug.noarch 2.1.3-1.el7 @foreman-local
foreman-dynflow-sidekiq.noarch 2.1.3-1.el7 @foreman-local
foreman-installer.noarch 1:2.1.3-1.el7 @foreman-local
foreman-installer-katello.noarch 1:2.1.3-1.el7 @foreman-local
foreman-postgresql.noarch 2.1.3-1.el7 @foreman-local
foreman-proxy.noarch 2.1.3-1.el7 @foreman-local
foreman-selinux.noarch 2.1.3-1.el7 @foreman-local
foreman-service.noarch 2.1.3-1.el7 @foreman-local

Foreman and Proxy plugin versions:

katello.noarch 3.16.1-1.el7 @katello-local
katello-certs-tools.noarch 2.7.0-1.el7 @foreman-local
katello-client-bootstrap.noarch 1.7.5-1.el7 @katello-local
katello-common.noarch 3.16.1-1.el7 @katello-local
katello-debug.noarch 3.16.1-1.el7 @katello-local
katello-default-ca.noarch 1.0-1 installed
katello-selinux.noarch 3.4.0-1.el7 @foreman-local
katello-server-ca.noarch 1.0-1 installed

Distribution and version:

CentOS Linux release 7.8.2003 (Core)

Other relevant data:
As advised by @iballou, I have tried to revert to pulp 2 due to problems with sync in the previous discussion “Katello 3.16.1-1 repo sync file validation error”:

--katello-use-pulp-2-for-docker 1 --katello-use-pulp-2-for-file 1 --katello-use-pulp-2-for-yum 1

Hey @andyfry,

Did the pulp2 switch work?

I can’t really think of a way to skip one package for a repository sync at this moment. Maybe an on demand download policy for the repo would help?

Ideally, the proxy would allow the packages to be synced. Any other information we can provide?

Hey @John_Mitsch,

Nope, I’m afraid the pulp 2 switch didn’t help.

My current workaround is to reposync to another server, and createrepo from the packages which get downloaded successfully. The reposync seems quite happy to just not download anything that isn’t regarded as “wholesome”.

It’s a nasty workaround, but it’s working for now.

On-Demand won’t cut it because I need to get the content views exported to another offline server. I’d go for rsync but it’s a restricted network and that’s not going to be allowed.

They seem intent on making this as difficult as possible lol
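
An added example, not written by anyone in this thread: one way to get the report asked for under "Expected outcome" out of the reposync mirror described above, by comparing the upstream primary.xml against the files that actually arrived. The package names, the sample metadata and the assumption that a filtering proxy may deliver a block page in place of a package are all constructed for the demo.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# XML namespace used by yum/dnf primary.xml repodata
NS = {"c": "http://linux.duke.edu/metadata/common"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_mirror(primary_xml, mirror_dir):
    """Map each package href in the metadata to ok / missing / checksum-mismatch."""
    report = {}
    for pkg in ET.fromstring(primary_xml).findall("c:package", NS):
        href = pkg.find("c:location", NS).get("href")
        csum = pkg.find("c:checksum", NS)
        path = Path(mirror_dir) / href
        if not path.is_file():
            report[href] = "missing"            # never downloaded
        elif csum.get("type") == "sha256" and sha256_of(path) != csum.text.strip():
            report[href] = "checksum-mismatch"  # something else arrived under that name
        else:
            report[href] = "ok"
    return report

def demo():
    """Constructed sample: three fake packages, one dropped and one replaced in transit."""
    payload = {n: f"constructed stand-in for {n}".encode() for n in ("pkg-a", "pkg-b", "pkg-c")}
    entries = "".join(
        f'<package type="rpm"><name>{n}</name>'
        f'<checksum type="sha256" pkgid="YES">{hashlib.sha256(data).hexdigest()}</checksum>'
        f'<location href="{n}-1.0-1.noarch.rpm"/></package>'
        for n, data in payload.items())
    primary = f'<metadata xmlns="{NS["c"]}" packages="3">{entries}</metadata>'
    with tempfile.TemporaryDirectory() as d:
        Path(d, "pkg-a-1.0-1.noarch.rpm").write_bytes(payload["pkg-a"])
        # pkg-b is absent; pkg-c holds an HTML block page instead of the package (assumed proxy behaviour)
        Path(d, "pkg-c-1.0-1.noarch.rpm").write_bytes(b"<html>blocked</html>")
        return audit_mirror(primary, d)

if __name__ == "__main__":
    for href, state in demo().items():
        print(f"{state:18} {href}")
```

Against a real mirror, pass the decompressed primary.xml from the upstream repodata and the reposync target directory to `audit_mirror`; anything not reported as `ok` is a package the rebuilt repository will lack.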