Mitigate installing yggdrasil from EPEL #3270
Conversation
|
The PR preview for c0052a4 is available at theforeman-foreman-documentation-preview-pr-3270.surge.sh The following output files are affected by this PR: |
guides/common/modules/proc_configuring-a-host-to-use-the-pull-client.adoc
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Further context: theforeman/foreman_ygg_worker#21 is working on supporting yggdrasil 0.4.
I indeed see it's in EPEL 8 & 9: https://src.fedoraproject.org/rpms/yggdrasil
Probably better to add excludepkgs=yggdrasil in epel.repo. If you have synced content views, you can exclude it there.
Though yggdrasil 0.4.2 is also in CentOS Stream 9 now, so there you have a similar problem. I wonder if we should set a more narrow version dependency in foreman_ygg_worker. Let's have that discussion in theforeman/foreman-packaging#11232.
If you install the pull provider for remote execution from Foreman Clients on hosts running AlmaLinux, Amazon Linux, CentOS, Oracle Linux, Red Hat Enterprise Linux, or Rocky Linux, you install the yggdrasil package. Because EPEL also contains a package called “yggdrasil”, you have to ensure that the package comes from the Foreman Client and not EPEL in case it is enabled on your host.
maximiliankolb
force-pushed
the
rex_pull_epel
branch
from
9e3fc89
to
706c7d8
Compare
guides/common/modules/proc_configuring-a-host-to-use-the-pull-client.adoc
Outdated
Show resolved
Hide resolved
maximiliankolb
added
Needs tech review
maximiliankolb
added
style review done
There was a problem hiding this comment.
I'd prefer a technical solution to it. As you can see in theforeman/foreman-packaging#11232 (comment) it's possible to properly enforce the requirement. Right now that's waiting on final approval and cherry picking.
pr-processor
bot
added
the
Waiting on contributor
|
@ekohl Should I reopen this PR against 3.11 or the newest version that does not receive a backport? I can even make it non-Satellite and/or non-orcharhino for versions that receive backported bugfixes. |
|
I intend to backport it to 3.10 (oldest supported version). I'll check internally about Satellite |
maximiliankolb
removed
the
Waiting on contributor
|
@ekohl Is that PR still needed for Foreman nightly? I saw that theforeman/foreman-packaging#11232 had been merged. |
|
@adamruzicka any thoughts on this? |
What changes are you introducing?
Mitigate issue on hosts with EPEL enabled when installing REX pull client.
Why are you introducing these changes? (Explanation, links to references, issues, etc.)
If you install the pull provider for remote execution from Foreman Clients on hosts running AlmaLinux, Amazon Linux, CentOS, Oracle Linux, Red Hat Enterprise Linux, or Rocky Linux, you install the yggdrasil package. Because EPEL also contains a package called “yggdrasil”, you have to ensure that the package comes from the Foreman Client and not EPEL in case it is enabled on your host.
Anything else to add? (Considerations, potential downsides, alternative solutions you have explored, etc.)
This is a verified solution from ATIX Service Portal.
Another alternative solution is to use
dnf --disablerepo="_My_EPEL_Repository_" install yggdrasil.Checklists
Please cherry-pick my commits into: