Remote execution - update/reboot succeeded - security errata still shown as applicable

Hi,

“Security errata applicable” is still shown after all available updates were installed. Executing “recalculate” doesn’t change anything.
Only “foreman-rake katello:import_applicability” seems to refresh the errata status.

Is this a limitation of “remote execution”?

I’m using Katello 3.16.1.2/Foreman 2.1.4. The client is based on RHEL8.2, katello-host-tools and katello-host-tools-tracer are installed.

Regards,
Toni

@tonido thank you for posting about this.

As far as I know, this is not a limitation of the remote execution.
Can you check in the foreman-console for “Katello::Event.count” ?

Additionally, can you check the output of “hammer ping”?
Thanks!

Thanks for looking into this.

hammer ping returns “ok”, nothing has failed.
Katello::Event.count returns “0” before and after applying installable errata.

@tonido btw, was this a fresh install or an upgrade?

Hi,
it is a fresh installation.

Also, are you using pulp2 or pulp3 for your content?

pulp2. The version which was automatically installed

It’s pulp3 not pulp2.
It seems to be related to the client’s OS. The “Installable Updates” info gets refreshed for RHEL7.8 hosts but it doesn’t change for RHEL8.2 hosts.

@tonido ok - ty for the update, still throwing this around here with other team members.

@tonido can you check the version of subscription-manager on each of the RHEL8.2 hosts?

subscription-manager version

Sorry for my late reply.
It’s not working with subscription-manager 1.26.20-1.el8_2

I haven’t been able to reproduce this using pulp3 and the same version of subscription-manager, etc.
$ sudo subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 3.16.1.2-Unknown
subscription management rules: 5.40
subscription-manager: 1.26.20-1.el8_2

Your situation is confusing because the “import_applicability” should only affect pulp2.

I’ll present this scenario again today to another team member, and we may open an issue.

A fresh setup of Katello 3.16 installs pulp3, doesn’t it? I’m asking because a package named “pulp-server-2.21.3-1.el7.noarch” is also installed. How can I verify the pulp version?

@tonido until a later Katello release, right now version 4.0.0, both pulp2 and pulp3 are installed in parallel. Eventually all content will be supported by pulp3, and pulp2 will be removed/unsupported.

You can check to see which pulp service is hosting which content types by looking at the Infrastructure->Smart Proxies-> (your katello host) → Services tab.

You can see in this screen shot that both versions of pulp are installed. “Pulpcore” here means pulp3. The version is the proxy version, IIRC.

Looking at the “supported content types” we see that pulp3 is handling file, ansible collections, and yum content. Pulp2 is handling all other types (debian, puppet, etc).

New details:
- registered an older RHEL version to katello
- updated all available packages using remote execution (+reboot)
- number of applicable errata reduced but 4 advisories (rhsa) are still listed as applicable:
RHSA-2020:4286
RHBA-2020:3652
RHSA-2020:3218
RHSA-2020:3010

But these advisories were also installed (“yum update” returns “Nothing to do.”).
Any ideas why they are still listed?

It looks like you are hitting this bug: Bug #30964: Katello Pulp 3 Applicability is incorrect when multiple versions of a package exist - Katello - Foreman

You could work around it by deleting old kernel versions on the client systems, but we’ll work on getting it fixed.