Fix and enhance invalid symlink handling when installing certificates to target container #1135
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Thank you for contributing to the Leapp project!Please note that every PR needs to comply with the Leapp Guidelines and must pass all tests in order to be mergeable.
Packit will automatically schedule regression tests for this PR's build and latest upstream leapp build. If you need a different version of leapp from PR#42, use It is possible to schedule specific on-demand tests as well. Currently 2 test sets are supported,
[Deprecated] To launch on-demand regression testing public members of oamg organization can leave the following comment:
Please open ticket in case you experience technical problem with the CI. (RH internal only) Note: In case there are problems with tests not being triggered automatically on new PR/commit or pending for a long time, please contact leapp-infra. |
dkubek
force-pushed
the
cert_symlink_handling
branch
2 times, most recently
from
77609aa to
50e9e24
Compare
|
We need to make sure that this fixes this: #1136 (comment) and that the original issue there doesn't regress with this change. Perhaps a unitest checking that a dangling symlink in /etc/pki is copied over as a dangling symlink to the target container? |
dkubek
force-pushed
the
cert_symlink_handling
branch
from
50e9e24 to
74e739e
Compare
|
Regarding #1136 , it should not be possible to copy any dangling symlink from the source system now. I have also added a unit test for this situation already so it should be handled |
dkubek
force-pushed
the
cert_symlink_handling
branch
from
74e739e to
e4ab44a
Compare
dkubek
changed the title
dkubek
force-pushed
the
cert_symlink_handling
branch
from
e4ab44a to
aa1f96c
Compare
|
Right. I'm not sure if ignoring dangling symlinks or not breaking when we do so is the correct thing to do. But since pstodulka solved that particular issue by not creating a dangling symlink, it's not something we have to decide on now. |
abadger
previously requested changes
Nov 8, 2023
repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py
Outdated
Show resolved
Hide resolved
repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py
Outdated
Show resolved
Hide resolved
repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py
Show resolved
Hide resolved
Comment on lines
+481
to
+494
| # NOTE(dkubek): context.call(['update-ca-trust']) seems to not be working. | ||
| # I am not really sure why. The changes to files are not | ||
| # being written to disk. |
There was a problem hiding this comment.
We should probably look into why, right? Is this something that I can replicate using a failing unittest and replacing the run(chroot....) with context.call([update-ca-trust...)?
There was a problem hiding this comment.
I think this is not suitable for unit-tests (in the way that unit-tests should uncover this problem) as we want to omit unit-tests that are actually somehow messing with the system (it would require an installation of a container somewhere, ....). This is something what should be covered by integration tests.
One difference between the run and context.call is, that the run operation executes chroot, in which the command is performed. Whereas the context.call performs systemd-nspawn. Also env & some sys/run/... files could be different. I am curious what is the real reason behind that difference. We should definitely check that. @Jakuje any thought?
repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py
Outdated
Show resolved
Hide resolved
repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py
Outdated
Show resolved
Hide resolved
repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py
Show resolved
Hide resolved
repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py
Outdated
Show resolved
Hide resolved
| # Assertion: no broken symlinks exist in /etc/pki in the container | ||
| # So any broken symlinks created will be by the installed packages. | ||
|
|
||
| # Recover installed packages as they always get precedence | ||
| for filepath in files_owned_by_rpms: |
There was a problem hiding this comment.
What is the difference in what the following code is attempting to achieve and the code in _copy_decouple? It feels like the link detection and possible dereferencing and copying would be the same and the main difference is just that we're looping over different files? The implementations are a bit different so I'm not sure if I'm understanding it, but if the purpose is the same, we should look at making it a helper function that we call from both places.
There was a problem hiding this comment.
Yes I agree that the implementation is quite similar and I have considered to abstract it to to a common function, however there is a subtle difference in checking whether the symlink is broken. When checking a symlink /etc/pki/A -> /etc/pki/B on the source system, it is easy to dereference it to file /etc/pki/B, however consider a symlink installed in the container $target_container/etc/pki/A -> /etc/pki/B - every time we dereference a link we have to manually update the path to point to a file within the the context of the container. Another small difference is that we have made the decision to respect the files installed by RPMs. So whenever they point to a file outside /etc/pki we keep this symlink there, even though when copying certificates from the source system we would replace this link with the file. I am not sure whether this happens or not or makes a significant difference. With these small differences I felt justified in keeping the two procedures separate (even though very similar). However if you still feel differently I will figure something out.
...ystem_upgrade/common/actors/targetuserspacecreator/tests/unit_test_targetuserspacecreator.py
Show resolved
Hide resolved
abadger
reviewed
Nov 8, 2023
...ystem_upgrade/common/actors/targetuserspacecreator/tests/unit_test_targetuserspacecreator.py
Show resolved
Hide resolved
dkubek
force-pushed
the
cert_symlink_handling
branch
2 times, most recently
from
bcef484 to
45e6cf4
Compare
In response to the identified flaws in the originally delivered fix, for
feature enabling http repositories, this commit addresses the following
issues:
1. Previously, files installed via RPMs that were originally symlinks
were being switched to standard files. This issue has been resolved
by preserving symlinks within the /etc/pki directory. Any symlink
pointing to a file within the /etc/pki directory (whether present in
the source system or installed by a package in the container) will be
present in the container, ensuring changes to certificates are
properly propagated.
2. Lists of trusted CAs were not being updated, as the update-ca-trust
call was missing inside the container. This commit now includes the
necessary update-ca-trust call.
The solution specification has been modified as follows:
- Certificate _files_ in /etc/pki (excluding symlinks) are copied to
the container as in the original solution.
- Files installed by packages within the container are preserved and
given higher priority.
- Handling of symlinks is enhanced, ensuring that symlinks within
the /etc/pki directory are preserved, while any symlink pointing
outside the /etc/pki directory will be copied as a file.
- Certificates are updated using `update-ca-trust`.
dkubek
force-pushed
the
cert_symlink_handling
branch
from
45e6cf4 to
be48f4f
Compare
pirat89
approved these changes
Nov 14, 2023
There was a problem hiding this comment.
lgtm - discovered just one small corner case, that is ok to be merged if not fixed - see my comment.
I've also tested the behaviour when TLS configuration is broken after the update-ca-trust execution (can be reproduced when upgrade RHEL 6 -> 7 and use an older releases)
| # otherwise resolve and copy it as a file it points to | ||
| if pointee is not None and not pointee.startswith(srcdir): | ||
| # Follow the path until we hit a file or get back to /etc/pki | ||
| while not pointee.startswith(srcdir) and os.path.islink(pointee): |
There was a problem hiding this comment.
@dkubek in this case it's not accorate as the srcdir is nowadays /etc/pki instead of /etc/pki/. From this point, if I have symlink to /etc/pki-custom, it will be missleading. From this piont, I suggest to update the call of the function to _copy_decouple('/etc/pki/', target_pki), which will resolve this very corner case. In some other actors, we have this check resolved, but as TBH, I would not go so far in this case to have Py2 & Py3 compatible code (py3 has a nice functions for that in os.path, but py2 doesn't).
it's very corner (I do not expect customers to create own /etc/pki..../ dir) so it's not blocking the merge nor it's required to be applied from my side, but keeping the space for the application if you want to. I want to merge the PR ideally tomorrow (Wed).
|
@dkubek let's continue with the merge, and in case of another changes, let's do them in another iteration, so we unblock the testing for CTC1. @abadger it seems that all required changes have been applied. let us know in case you find something is missing, so it could be addressed in the next iteration. Thank you guys for the good work! |
pirat89
dismissed
abadger’s stale review
seems that all problems have been adressed (see my comments above).
pirat89
added
the
changelog-checked
|
+1. Merging is good with me. I had some thoughts on code structure but I don't know if they'll pan out. Since I'm on PTO and then a US-only holiday, I'll see if I can make any of that work for fun and submit a PR for @dkubek to review if so :-) |
pirat89
added a commit
to pirat89/leapp-repository
that referenced
this pull request
Feb 13, 2024
## Packaging - Requires xfsprogs and e2fsprogs (oamg#1154) - Bump leapp-repository-dependencies to 10 (oamg#1154) ## Upgrade handling ### Fixes - Detect changes in openssl default configuration file and restore it to the default to the target default during the upgrade to reduce risk of potential issues (oamg#1131) - Do not try to download data files anymore when missing as the service is obsoleted since the data is part of installed packages (oamg#1120) - Drop the invalid `tuv` target channel (oamg#1130) - Fix handling of symlinks under /etc/pki when managing certificates (oamg#1135, oamg#1160, oamg#1166) - Fix semanage import issue (oamg#1164) - Fix the issue of going out of bounds in the isccfg parser (oamg#1124) - Fix traceback when saving the rhsm facts results and the /etc/rhsm/facts directory doesn’t exist yet (oamg#1132) - Handle the upgrade better when a proxy is configured in YUM/DNF configutations (oamg#1143) - Load all rpm repository substitutions that dnf knows about, not just releasever since repofiles may use the other substitutions too (oamg#1134) - Minor updates of generated reports (oamg#1151) - Print nice error msg when device and driver deprecation data is malformed (oamg#1168) - Report information about required manual steps after the upgrade when openssl-ibmca is installed (oamg#1131) - Update error messages and reports when installed upgrade data files are malformed or missing (oamg#1120) - [IPU 7 -> 8] Fix the upgrade of the RH Satellite server when tomcat is installed (oamg#1150) - [IPU 8 -> 9] Fix the upgrade from RHEL 8.9+ when the release is locked by subscription-manager (oamg#1136, oamg#1138) ### Enhancements - Update upgrade paths: (oamg#1146, oamg#1147, oamg#1175) - RHEL 7.9 -> 8.10, 8.8 (default: 8.10) - RHEL with SAPAHA 7.9 -> 8.10, 8.8 (default: 8.8) - RHEL w/o SAP HANA 8.8 -> 9.2 - RHEL w/o SAP HANA 8.10 -> 9.4 - Added possibility to define DNF configuration for the target system (oamg#1143) - Code cleaning: drop redundant and invalid NFS checks (oamg#1127) - Default to NO_RHSM mode when subscription-manager is not found (oamg#1133) - Detect customized configuration of dynamic linker (oamg#1118) - Detect possible unexpected RPM GPG keys has been installed during RPM transaction (oamg#1101) - Drop obsoleted upgrade paths that relates to releases: 8.6, 8.9, 9.0, 9.3 (oamg#1175) - Ignore Leapp related PES events (oamg#1153) - Introduce generic transition of systemd services states during the IPU (oamg#1060, oamg#1174) - Introduce possibility to upgrade with local repositories (oamg#1099) - Introduced some changes getting us closer to possibility of IPU for Centos (Stream) systems (oamg#1140) - Report the upgrade customisations and modifications of the upgrade tooling (oamg#1148) - Simplify handling of upgrades on systems using RHUI, reducing the maintenance burden for cloud providers (oamg#1057) - Update the leapp upgrade data files - bump data stream to "3.0" (oamg#1163, oamg#1165, oamg#1170) - [IPU 8 -> 9] Enable upgrades RHEL 8 -> 9 using RHUI on Alibaba cloud (oamg#1137, oamg#1165, oamg#1172) ## Additional changes interesting for devels - Introduced new functions returning a list of packages related to upgrade - see the rpms library (oamg#1156) - Make detection of installed signed packages distribution agnostic - covers RHEL & CentOS (oamg#876) - Model InstalledRedHatSignedRPM is deprecated, replaced by DistributionSignedRPM (oamg#876)
pirat89
added a commit
to pirat89/leapp-repository
that referenced
this pull request
Feb 13, 2024
## Packaging - Requires xfsprogs and e2fsprogs (oamg#1154) - Bump leapp-repository-dependencies to 10 (oamg#1154) ## Upgrade handling ### Fixes - Detect changes in openssl default configuration file and restore it to the default to the target default during the upgrade to reduce risk of potential issues (oamg#1131) - Do not try to download data files anymore when missing as the service is obsoleted since the data is part of installed packages (oamg#1120) - Drop the invalid `tuv` target channel (oamg#1130) - Fix handling of symlinks under /etc/pki when managing certificates (oamg#1135, oamg#1160, oamg#1166) - Fix semanage import issue (oamg#1164) - Fix the issue of going out of bounds in the isccfg parser (oamg#1124) - Fix traceback when saving the rhsm facts results and the /etc/rhsm/facts directory doesn’t exist yet (oamg#1132) - Handle the upgrade better when a proxy is configured in YUM/DNF configutations (oamg#1143) - Load all rpm repository substitutions that dnf knows about, not just releasever since repofiles may use the other substitutions too (oamg#1134) - Minor updates of generated reports (oamg#1151) - Print nice error msg when device and driver deprecation data is malformed (oamg#1168) - Report information about required manual steps after the upgrade when openssl-ibmca is installed (oamg#1131) - Update error messages and reports when installed upgrade data files are malformed or missing (oamg#1120) - [IPU 7 -> 8] Fix the upgrade of the RH Satellite server when tomcat is installed (oamg#1150) - [IPU 8 -> 9] Fix the upgrade from RHEL 8.9+ when the release is locked by subscription-manager (oamg#1136, oamg#1138) ### Enhancements - Update upgrade paths: (oamg#1146, oamg#1147, oamg#1175) - RHEL 7.9 -> 8.10, 8.8 (default: 8.10) - RHEL with SAPAHA 7.9 -> 8.10, 8.8 (default: 8.8) - RHEL w/o SAP HANA 8.8 -> 9.2 - RHEL w/o SAP HANA 8.10 -> 9.4 - Added possibility to define DNF configuration for the target system (oamg#1143) - Code cleaning: drop redundant and invalid NFS checks (oamg#1127) - Default to NO_RHSM mode when subscription-manager is not found (oamg#1133) - Detect customized configuration of dynamic linker (oamg#1118) - Detect possible unexpected RPM GPG keys has been installed during RPM transaction (oamg#1101) - Drop obsoleted upgrade paths that relates to releases: 8.6, 8.9, 9.0, 9.3 (oamg#1175) - Ignore Leapp related PES events (oamg#1153) - Introduce generic transition of systemd services states during the IPU (oamg#1060, oamg#1174) - Introduce possibility to upgrade with local repositories (oamg#1099) - Introduced some changes getting us closer to possibility of IPU for Centos (Stream) systems (oamg#1140) - Report the upgrade customisations and modifications of the upgrade tooling (oamg#1148) - Simplify handling of upgrades on systems using RHUI, reducing the maintenance burden for cloud providers (oamg#1057) - Update the leapp upgrade data files - bump data stream to "3.0" (oamg#1163, oamg#1165, oamg#1170) - [IPU 8 -> 9] Enable upgrades RHEL 8 -> 9 using RHUI on Alibaba cloud (oamg#1137, oamg#1165, oamg#1172) ## Additional changes interesting for devels - Introduced new functions returning a list of packages related to upgrade - see the rpms library (oamg#1156) - Make detection of installed signed packages distribution agnostic - covers RHEL & CentOS (oamg#876) - Model InstalledRedHatSignedRPM is deprecated, replaced by DistributionSignedRPM (oamg#876)
Merged
pirat89
added a commit
to pirat89/leapp-repository
that referenced
this pull request
Feb 13, 2024
## Packaging - Requires xfsprogs and e2fsprogs (oamg#1154) - Bump leapp-repository-dependencies to 10 (oamg#1154) ## Upgrade handling ### Fixes - Detect changes in openssl default configuration file and restore it to the default to the target default during the upgrade to reduce risk of potential issues (oamg#1131) - Do not try to download data files anymore when missing as the service is obsoleted since the data is part of installed packages (oamg#1120) - Drop the invalid `tuv` target channel (oamg#1130) - Fix handling of symlinks under /etc/pki when managing certificates (oamg#1135, oamg#1160, oamg#1166) - Fix semanage import issue (oamg#1164) - Fix the issue of going out of bounds in the isccfg parser (oamg#1124) - Fix traceback when saving the rhsm facts results and the /etc/rhsm/facts directory doesn’t exist yet (oamg#1132) - Handle the upgrade better when a proxy is configured in YUM/DNF configutations (oamg#1143) - Load all rpm repository substitutions that dnf knows about, not just releasever since repofiles may use the other substitutions too (oamg#1134) - Minor updates of generated reports (oamg#1151) - Print nice error msg when device and driver deprecation data is malformed (oamg#1168) - Report information about required manual steps after the upgrade when openssl-ibmca is installed (oamg#1131) - Update error messages and reports when installed upgrade data files are malformed or missing (oamg#1120) - [IPU 7 -> 8] Fix the upgrade of the RH Satellite server when tomcat is installed (oamg#1150) - [IPU 8 -> 9] Fix the upgrade from RHEL 8.9+ when the release is locked by subscription-manager (oamg#1136, oamg#1138) ### Enhancements - Update upgrade paths: (oamg#1146, oamg#1147, oamg#1175) - RHEL 7.9 -> 8.10, 8.8 (default: 8.10) - RHEL with SAPAHA 7.9 -> 8.10, 8.8 (default: 8.8) - RHEL w/o SAP HANA 8.8 -> 9.2 - RHEL w/o SAP HANA 8.10 -> 9.4 - Added possibility to define DNF configuration for the target system (oamg#1143) - Code cleaning: drop redundant and invalid NFS checks (oamg#1127) - Default to NO_RHSM mode when subscription-manager is not found (oamg#1133) - Detect customized configuration of dynamic linker (oamg#1118) - Detect possible unexpected RPM GPG keys has been installed during RPM transaction (oamg#1101) - Drop obsoleted upgrade paths that relates to releases: 8.6, 8.9, 9.0, 9.3 (oamg#1175) - Ignore Leapp related PES events (oamg#1153) - Introduce generic transition of systemd services states during the IPU (oamg#1060, oamg#1174) - Introduce possibility to upgrade with local repositories (oamg#1099) - Introduced some changes getting us closer to possibility of IPU for Centos (Stream) systems (oamg#1140) - Report the upgrade customisations and modifications of the upgrade tooling (oamg#1148) - Simplify handling of upgrades on systems using RHUI, reducing the maintenance burden for cloud providers (oamg#1057) - Update the leapp upgrade data files - bump data stream to "3.0" (oamg#1163, oamg#1165, oamg#1170) - [IPU 8 -> 9] Enable upgrades RHEL 8 -> 9 using RHUI on Alibaba cloud (oamg#1137, oamg#1165, oamg#1172) - Unify breakpoints inside the upgrade initramfs for the easier troubleshooting (oamg#1157) ## Additional changes interesting for devels - Introduced new functions returning a list of packages related to upgrade - see the rpms library (oamg#1156) - Make detection of installed signed packages distribution agnostic - covers RHEL & CentOS (oamg#876) - Model InstalledRedHatSignedRPM is deprecated, replaced by DistributionSignedRPM (oamg#876)
pirat89
added a commit
that referenced
this pull request
Feb 13, 2024
## Packaging - Requires xfsprogs and e2fsprogs (#1154) - Bump leapp-repository-dependencies to 10 (#1154) ## Upgrade handling ### Fixes - Detect changes in openssl default configuration file and restore it to the default to the target default during the upgrade to reduce risk of potential issues (#1131) - Do not try to download data files anymore when missing as the service is obsoleted since the data is part of installed packages (#1120) - Drop the invalid `tuv` target channel (#1130) - Fix handling of symlinks under /etc/pki when managing certificates (#1135, #1160, #1166) - Fix semanage import issue (#1164) - Fix the issue of going out of bounds in the isccfg parser (#1124) - Fix traceback when saving the rhsm facts results and the /etc/rhsm/facts directory doesn’t exist yet (#1132) - Handle the upgrade better when a proxy is configured in YUM/DNF configutations (#1143) - Load all rpm repository substitutions that dnf knows about, not just releasever since repofiles may use the other substitutions too (#1134) - Minor updates of generated reports (#1151) - Print nice error msg when device and driver deprecation data is malformed (#1168) - Report information about required manual steps after the upgrade when openssl-ibmca is installed (#1131) - Update error messages and reports when installed upgrade data files are malformed or missing (#1120) - [IPU 7 -> 8] Fix the upgrade of the RH Satellite server when tomcat is installed (#1150) - [IPU 8 -> 9] Fix the upgrade from RHEL 8.9+ when the release is locked by subscription-manager (#1136, #1138) ### Enhancements - Update upgrade paths: (#1146, #1147, #1175) - RHEL 7.9 -> 8.10, 8.8 (default: 8.10) - RHEL with SAPAHA 7.9 -> 8.10, 8.8 (default: 8.8) - RHEL w/o SAP HANA 8.8 -> 9.2 - RHEL w/o SAP HANA 8.10 -> 9.4 - Added possibility to define DNF configuration for the target system (#1143) - Code cleaning: drop redundant and invalid NFS checks (#1127) - Default to NO_RHSM mode when subscription-manager is not found (#1133) - Detect customized configuration of dynamic linker (#1118) - Detect possible unexpected RPM GPG keys has been installed during RPM transaction (#1101) - Drop obsoleted upgrade paths that relates to releases: 8.6, 8.9, 9.0, 9.3 (#1175) - Ignore Leapp related PES events (#1153) - Introduce generic transition of systemd services states during the IPU (#1060, #1174) - Introduce possibility to upgrade with local repositories (#1099) - Introduced some changes getting us closer to possibility of IPU for Centos (Stream) systems (#1140) - Report the upgrade customisations and modifications of the upgrade tooling (#1148) - Simplify handling of upgrades on systems using RHUI, reducing the maintenance burden for cloud providers (#1057) - Update the leapp upgrade data files - bump data stream to "3.0" (#1163, #1165, #1170) - [IPU 8 -> 9] Enable upgrades RHEL 8 -> 9 using RHUI on Alibaba cloud (#1137, #1165, #1172) - Unify breakpoints inside the upgrade initramfs for the easier troubleshooting (#1157) ## Additional changes interesting for devels - Introduced new functions returning a list of packages related to upgrade - see the rpms library (#1156) - Make detection of installed signed packages distribution agnostic - covers RHEL & CentOS (#876) - Model InstalledRedHatSignedRPM is deprecated, replaced by DistributionSignedRPM (#876)
yuravk
pushed a commit
to yuravk/leapp-repository
that referenced
this pull request
Aug 9, 2024
## Packaging - Requires xfsprogs and e2fsprogs (oamg#1154) - Bump leapp-repository-dependencies to 10 (oamg#1154) ## Upgrade handling ### Fixes - Detect changes in openssl default configuration file and restore it to the default to the target default during the upgrade to reduce risk of potential issues (oamg#1131) - Do not try to download data files anymore when missing as the service is obsoleted since the data is part of installed packages (oamg#1120) - Drop the invalid `tuv` target channel (oamg#1130) - Fix handling of symlinks under /etc/pki when managing certificates (oamg#1135, oamg#1160, oamg#1166) - Fix semanage import issue (oamg#1164) - Fix the issue of going out of bounds in the isccfg parser (oamg#1124) - Fix traceback when saving the rhsm facts results and the /etc/rhsm/facts directory doesn’t exist yet (oamg#1132) - Handle the upgrade better when a proxy is configured in YUM/DNF configutations (oamg#1143) - Load all rpm repository substitutions that dnf knows about, not just releasever since repofiles may use the other substitutions too (oamg#1134) - Minor updates of generated reports (oamg#1151) - Print nice error msg when device and driver deprecation data is malformed (oamg#1168) - Report information about required manual steps after the upgrade when openssl-ibmca is installed (oamg#1131) - Update error messages and reports when installed upgrade data files are malformed or missing (oamg#1120) - [IPU 7 -> 8] Fix the upgrade of the RH Satellite server when tomcat is installed (oamg#1150) - [IPU 8 -> 9] Fix the upgrade from RHEL 8.9+ when the release is locked by subscription-manager (oamg#1136, oamg#1138) ### Enhancements - Update upgrade paths: (oamg#1146, oamg#1147, oamg#1175) - RHEL 7.9 -> 8.10, 8.8 (default: 8.10) - RHEL with SAPAHA 7.9 -> 8.10, 8.8 (default: 8.8) - RHEL w/o SAP HANA 8.8 -> 9.2 - RHEL w/o SAP HANA 8.10 -> 9.4 - Added possibility to define DNF configuration for the target system (oamg#1143) - Code cleaning: drop redundant and invalid NFS checks (oamg#1127) - Default to NO_RHSM mode when subscription-manager is not found (oamg#1133) - Detect customized configuration of dynamic linker (oamg#1118) - Detect possible unexpected RPM GPG keys has been installed during RPM transaction (oamg#1101) - Drop obsoleted upgrade paths that relates to releases: 8.6, 8.9, 9.0, 9.3 (oamg#1175) - Ignore Leapp related PES events (oamg#1153) - Introduce generic transition of systemd services states during the IPU (oamg#1060, oamg#1174) - Introduce possibility to upgrade with local repositories (oamg#1099) - Introduced some changes getting us closer to possibility of IPU for Centos (Stream) systems (oamg#1140) - Report the upgrade customisations and modifications of the upgrade tooling (oamg#1148) - Simplify handling of upgrades on systems using RHUI, reducing the maintenance burden for cloud providers (oamg#1057) - Update the leapp upgrade data files - bump data stream to "3.0" (oamg#1163, oamg#1165, oamg#1170) - [IPU 8 -> 9] Enable upgrades RHEL 8 -> 9 using RHUI on Alibaba cloud (oamg#1137, oamg#1165, oamg#1172) - Unify breakpoints inside the upgrade initramfs for the easier troubleshooting (oamg#1157) ## Additional changes interesting for devels - Introduced new functions returning a list of packages related to upgrade - see the rpms library (oamg#1156) - Make detection of installed signed packages distribution agnostic - covers RHEL & CentOS (oamg#876) - Model InstalledRedHatSignedRPM is deprecated, replaced by DistributionSignedRPM (oamg#876) (cherry picked from commit 6421225)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In response to the identified flaws in the originally delivered fix, for feature enabling http repositories, this commit addresses the following issues:
Previously, files installed via RPMs that were originally symlinks were being switched to standard files. This issue has been resolved by preserving symlinks within the /etc/pki directory. Any symlink pointing to a file within the /etc/pki directory (whether present in the source system or installed by a package in the container) will be present in the container, ensuring changes to certificates are properly propagated.
Lists of trusted CAs were not being updated, as the update-ca-trust call was missing inside the container. This commit now includes the necessary update-ca-trust call.
The solution specification has been modified as follows:
update-ca-trust.JIRA: OAMG-6388
Note: Also fixes OAMG-5073