"Repository listed more than once" when also using Spacewalk (RHN)

[wschaft]

Environment: CentOS 6 and 7 servers Lynis version: 2.5.1 Lynis executed daily by cron: /usr/bin/lynis audit system --auditor "automated" --cronjob

We're using Spacewalk for 99% of our packages. On a few servers, there are also some local Yum repository files. And on those servers the Lynis cronjob always give this kind of output:

"Repository XXX is listed more than once in the configuration"

In the past, this was due to a bug in the yum-rhn-plugin package: https://access.redhat.com/articles/15475

But the thing is, none of the yum commands I tried triggered this message...

[mboelen]

That output must come from yum itself. To find the specific test, use: lynis audit system --debug --verbose

With the discovery of the specific test ID, we can look together to find the possible cause.

[wschaft]

The message appears directly after this test: Performing test ID PKGS-7387 (Check for GPG signing in YUM security package)

[mboelen]

Can you run the related Python one-liner and show the output?

[wschaft]

You mean this one?

python -c 'import yum ; yb = yum.YumBase() ; print [(r.id + "=" + str(r.gpgcheck)) for r in yb.repos.listEnabled()]' | grep "^\[" | tr -d '[] ' | tr -d "'" | sed 's/,/ /g'

Repository dell-system-update_independent is listed more than once in the configuration
Repository dell-system-update_dependent is listed more than once in the configuration
Repository dell-omsa-indep is listed more than once in the configuration
Repository dell-omsa-specific is listed more than once in the configuration
centos7=False centos_7-repos=False dell-system-update_dependent=True dell-system-update_independent=True epel_7=False scality-el7=False spacewalk_client-el7=False zabbix-el7=False

[mboelen]

Yes. That a message really coming from YUM itself. Can you show one of those 4 repo files? That might give a hint if this is a configuration issue or something with YUM itself.

[wschaft]

cat dell-system-update.repo
[dell-system-update_independent]
name=dell-system-update_independent
baseurl=http://linux.dell.com/repo/hardware/DSU_16.12.00/os_independent/
gpgcheck=1
gpgkey=http://linux.dell.com/repo/hardware/DSU_16.12.00/public.key
enabled=1
exclude=dell-system-update*.i386

[dell-system-update_dependent]
name=dell-system-update_dependent
mirrorlist=http://linux.dell.com/repo/hardware/DSU_16.12.00/mirrors.cgi?osname=el$releasever&basearch=$basearch&native=1
gpgcheck=1
gpgkey=http://linux.dell.com/repo/hardware/DSU_16.12.00/public.key
enabled=1

[mboelen]

Nothing special with that. Did you try a yum clean all? Does this happen on all servers, or just a few?

[wschaft]

It happens on all our CentOS 6/7 servers which have one or more local repo file(s) in /etc/yum.repos.d (and also receiving updates from Spacewalk).

I've tried yum clean all, but that didn't help either.

yum repolist for example, does correctly show the configured repositories, without complains.

[mboelen]

Possibly the yum command filters the output, while directly accessing it via the yum library might reveal these specifics. What version do you have of the yum-rhn-plugin package?

[wschaft]

yum-rhn-plugin-2.5.5-1 on both CentOS 6 and 7

[mboelen]

After reading several pages, I can only conclude it is related to this particular plugin. Not much Lynis can do about it, besides filtering out this error. If you prefer this option, please create a pull request that filters out this error. As I can't reproduce it at this moment, it needs to be tested on one of your machines to ensure it is the right fix. Are you up for that?

I also suggest creating a ticket at Red Hat related to this issue with specific attention for their rhn plugin, accompanied with the Python one-liner.

[wschaft]

For the moment I can live with the false messages. :) I prefer a solution at the source, which - after your help and investigation - is obviously yum.

I just created this issue: https://github.com/rpm-software-management/yum/issues/50

[mboelen]

Yes, I agree that fixing it at the source is the best location. Will close this issue then. Thanks :)

[wschaft]

Hi,

It appears (https://github.com/rpm-software-management/yum/issues/50) this can be fixed within Lynis by changing the Python one-liner to:

python -c 'import yum ; yb = yum.YumBase() ; yb.conf ; print [(r.id + "=" + str(r.gpgcheck)) for r in yb.repos.listEnabled()]' | grep "^\[" | tr -d '[] ' | tr -d "'" | sed 's/,/ /g'

Thanks to @dmnks