containerbuildsystem / cachi2

Cachi2 is a CLI tool that pre-fetches your project's dependencies to aid in making your build process network-isolated.
GNU General Public License v3.0

Authenticated access for RPMs #580

Closed brianwcook closed 2 weeks ago

brianwcook commented 3 months ago

This is not ready to merge, but at this point I need a review on the approach to know whether to go any further or not.

I was able to build cachi2 on a UBI image that can be registered with subscription-manager with just one hack - fetching an RPM for createrepo_c from the Rocky repo.

The issue is that the rpm support is using asyncio to download RPMs instead of using dnf. This circumvents the certificate handshake that is normally handled by the dnf subscription-manager plugin. I believe that this image and the prefetch task updates I have would enable authenticated RPM prefetch... if we can switch to using 'dnf download' for fetching RPMs.

Regarding the hack for createrepo_c, the only alternative I could find is to get it from a repo that requires an entitlement which would make this container non-redistributable. I tried to build a createrepo_c rpm from source but the dependencies aren't available either.

Depends on: https://github.com/containerbuildsystem/cachi2/pull/682


eskultety commented 3 months ago

I was able to build cachi2 on a UBI image that can be registered with subscription-manager with just one hack - fetching an RPM for createrepo_c from the Rocky repo.

And ^this was exactly the reason why we chose Rocky over UBI, because we'd ultimately end up with a complete Frankenstein of an image where besides fetching Golang/NodeJS from their official images we'd install individual RPMs from other RPM distros due to UBI being inadequate in terms of repo contents for cachi2 purposes (many package managers support => many potential direct dependencies) which, as a use case, ultimately may not fall exactly into UBI's intended purpose. Speaking in numbers, here's a rough comparison of the number of packages available in both

# UBI9
$ dnf list --all | wc -l
2261
================
# Rocky
$ dnf list --all | wc -l
6825

The issue is that the rpm support is using asyncio to download RPMs instead of using dnf. This circumvents the certificate handshake that is normally handled by the dnf subscription-manager plugin. I believe that this image and the prefetch task updates I have would enable authenticated RPM prefetch... if we can switch to using 'dnf download' for fetching RPMs.

^This is a direct result of the original design which heavily revolved around the idea that a package name wouldn't be enough to identify a package uniquely using PURL which is still a problem to this day and apart from https://redhatproductsecurity.github.io/security-data-guidelines/purl/ we don't have anything in the official PURL upstream guideline (not a blocker, the project looks like it needs more active maintenance anyway). TL;DR We could start recognizing a new field name in the RPM lockfile and use DNF to download a package.

Regarding the hack for createrepo_c, the only alternative I could find is to get it from a repo that requires an entitlement which would make this container non-redistributable. I tried to build a createrepo_c rpm from source but the dependencies aren't available either.

See my response at the top. ...

AFAICT subscription manager scans the underlying platform before enabling repositories, so in general there isn't a single platform that would satisfy all use cases and all builds depending on the intended product against which the build is supposed to run, is there? In other words, not all RH products will always support all its active RHEL platforms, will they? For example, Satellite can be deployed on RHEL-7 and RHEL-8 (but not RHEL-9) depending on the exact Satellite version one is installing, so on UBI-9 the subscription manager would never enable the repositories, see the example below. This all means we'd have to maintain multiple concurrent cachi2 container images to satisfy just Red Hat pipeline build needs - sounds like a downstream candidate IMO rather than upstream. Then again, upstream aside, someone will still have to solve which UBI-based cachi2 image would be used in such a pipeline based on what the intended build is for IIUC.

Another minor issue is multi-arch. With RPM URLs, cachi2 doesn't need to care about non-x86 arches. With subscription manager the consumer has to make sure that all arch repos are enabled using the activation key so that dnf download --arch would work, but admittedly this problem lies outside of this project.

# UBI8
[root@64b60c84e7ef /]# dnf repolist
Updating Subscription Management repositories.
repo id                                        repo name
rhel-8-for-x86_64-appstream-rpms               Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
rhel-8-for-x86_64-baseos-rpms                  Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
satellite-6.15-for-rhel-8-x86_64-rpms          Red Hat Satellite 6.15 for RHEL 8 x86_64 (RPMs)
satellite-6.15-for-rhel-8-x86_64-source-rpms   Red Hat Satellite 6.15 for RHEL 8 x86_64 (Source RPMs)
ubi-8-appstream-rpms                           Red Hat Universal Base Image 8 (RPMs) - AppStream
ubi-8-baseos-rpms                              Red Hat Universal Base Image 8 (RPMs) - BaseOS
ubi-8-codeready-builder-rpms                   Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder
===========================================================
# UBI9
[root@668790fa564c /]# dnf repolist
Updating Subscription Management repositories.
repo id                                  repo name
rhel-9-for-x86_64-appstream-rpms         Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)
rhel-9-for-x86_64-baseos-rpms            Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)
ubi-9-appstream-rpms                     Red Hat Universal Base Image 9 (RPMs) - AppStream
ubi-9-baseos-rpms                        Red Hat Universal Base Image 9 (RPMs) - BaseOS
ubi-9-codeready-builder                  Red Hat Universal Base Image 9 (RPMs) - CodeReady Builder

Goes without saying that both were registered with the same activation key.

brianwcook commented 3 months ago

UBI-9 the subscription manager would never enable the repositories

I think you can enable any repository you want on any platform that has subscription manager installed and is registered, even if it is for a different RHEL version or architecture. The only requirement is that you have rights to the repo. With activation keys you can select any repos you want and then register the system with that activation key. You can also add all the repos you care about across N builds to a single activation key and control which repos are enabled at runtime with --enablerepo or with enabled= in cachi2 repo files referenced by the rpms.in when resolving deps and creating the lock file. Subscription-manager does try to intelligently manage the redhat.repo file though. The repolist command only shows enabled repos by default. I believe you can pass --enablerepo and download dnfs from any repo that exists and that the activation key is enabled for.

dnf [options] repolist [--enabled|--disabled|--all]
Lists all enabled repositories by default.

eskultety commented 3 months ago

Another minor issue is multi-arch. With RPM URLs, cachi2 doesn't need to care about non-x86 arches. With subscription manager the consumer has to make sure that all arch repos are enabled using the activation key so that dnf download --arch would work, but admittedly this problem lies outside of this project.

Correction! I just tried adding alternative arch repos to the activation key and subscription manager didn't enable them in the base system, so pulling alternative arches will be a problem and require multi-UBI + multi-arch cachi2 container image builds.

brianwcook commented 3 months ago

I don't think that is correct. You just need to pass --enablerepo when you run dnf.

eskultety commented 3 months ago

UBI-9 the subscription manager would never enable the repositories

I think you can enable any repository you want on any platform that has subscription manager installed and is registered, even if it is for a different RHEL version or architecture. The only requirement is that you have rights to the repo. With activation keys you can select any repos you want and then register the system with that activation key. You can also add all the repos you care about across N builds to a single activation key and control which repos are enabled at runtime with --enablerepo or with enabled= in cachi2 repo files referenced by the rpms.in when resolving deps and creating the lock file. Subscription-manager does try to intelligently manage the redhat.repo file though. The repolist command only shows enabled repos by default. I believe you can pass --enablerepo and download dnfs from any repo that exists and that the activation key is enabled for.

dnf [options] repolist [--enabled|--disabled|--all]
Lists all enabled repositories by default.

This doesn't seem to be correct:

# UBI9
$ grep "Red Hat Satellite" /etc/yum.repos.d/redhat.repo
name = Red Hat Satellite Client 6 for RHEL 9 x86_64 - Extended Update Support (RPMs)

# UBI8
$ grep "Red Hat Satellite" /etc/yum.repos.d/redhat.repo
name = Red Hat Satellite Utils 6.14 for RHEL 8 x86_64
name = Red Hat Satellite Capsule 6.13 for RHEL 8 x86_64
name = Red Hat Satellite Maintenance 6.12 for RHEL 8 x86_64
... // the list is really long

I don't think that is correct. You just need to pass --enablerepo when you run dnf.

Have you actually tried with arbitrary repos? Because what I'm seeing is that the .repo file that RSM enables doesn't even list those repos, neither for products that don't support the base platform nor for alternative arches.

brianwcook commented 3 months ago

[look at the later example instead of this]

brianwcook commented 3 months ago

[root@c86479bb8ccf yum.repos.d]# cat /etc/rhsm/facts/multiarch.facts 
{"supported_architectures": "x86_64,aarch64"}

[root@c86479bb8ccf facts]# subscription-manager register --org [org] --activationkey [key]
The system has been registered with ID: [id]
The registered system name is: [name]

[root@c86479bb8ccf yum.repos.d]# dnf info kernel-devel
Updating Subscription Management repositories.
Red Hat Enterprise Linux 9 for AMD 64 - AppStream (RPMs)                                                                                                                                     21 MB/s |  38 MB     00:01    
Last metadata expiration check: 0:00:07 ago on Mon Jul 22 17:00:55 2024.
Available Packages
Name         : kernel-devel
Version      : 5.14.0
Release      : 427.26.1.el9_4
Architecture : aarch64
Size         : 24 M
Source       : kernel-5.14.0-427.26.1.el9_4.src.rpm
Repository   : rhel-9-for-aarch64-appstream-rpms
Summary      : Development package for building kernel modules to match the kernel
URL          : https://www.kernel.org/
License      : ((GPL-2.0-only WITH Linux-syscall-note) OR BSD-2-Clause) AND ((GPL-2.0-only WITH Linux-syscall-note) OR BSD-3-Clause) AND ((GPL-2.0-only WITH Linux-syscall-note) OR CDDL-1.0) AND ((GPL-2.0-only WITH
             : Linux-syscall-note) OR Linux-OpenIB) AND ((GPL-2.0-only WITH Linux-syscall-note) OR MIT) AND ((GPL-2.0-or-later WITH Linux-syscall-note) OR BSD-3-Clause) AND ((GPL-2.0-or-later WITH Linux-syscall-note) OR
             : MIT) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSD-3-Clause-Clear AND GFDL-1.1-no-invariants-or-later AND GPL-1.0-or-later AND (GPL-1.0-or-later OR BSD-3-Clause) AND (GPL-1.0-or-later WITH
             : Linux-syscall-note) AND GPL-2.0-only AND (GPL-2.0-only OR Apache-2.0) AND (GPL-2.0-only OR BSD-2-Clause) AND (GPL-2.0-only OR BSD-3-Clause) AND (GPL-2.0-only OR CDDL-1.0) AND (GPL-2.0-only OR
             : GFDL-1.1-no-invariants-or-later) AND (GPL-2.0-only OR GFDL-1.2-no-invariants-only) AND (GPL-2.0-only WITH Linux-syscall-note) AND GPL-2.0-or-later AND (GPL-2.0-or-later OR BSD-2-Clause) AND
             : (GPL-2.0-or-later OR BSD-3-Clause) AND (GPL-2.0-or-later OR CC-BY-4.0) AND (GPL-2.0-or-later WITH GCC-exception-2.0) AND (GPL-2.0-or-later WITH Linux-syscall-note) AND ISC AND LGPL-2.0-or-later AND
             : (LGPL-2.0-or-later OR BSD-2-Clause) AND (LGPL-2.0-or-later WITH Linux-syscall-note) AND LGPL-2.1-only AND (LGPL-2.1-only OR BSD-2-Clause) AND (LGPL-2.1-only WITH Linux-syscall-note) AND LGPL-2.1-or-later
             : AND (LGPL-2.1-or-later WITH Linux-syscall-note) AND (Linux-OpenIB OR GPL-2.0-only) AND (Linux-OpenIB OR GPL-2.0-only OR BSD-2-Clause) AND Linux-man-pages-copyleft AND MIT AND (MIT OR GPL-2.0-only) AND (MIT
             : OR GPL-2.0-or-later) AND (MIT OR LGPL-2.1-only) AND (MPL-1.1 OR GPL-2.0-only) AND (X11 OR GPL-2.0-only) AND (X11 OR GPL-2.0-or-later) AND Zlib
Description  : This package provides kernel headers and makefiles sufficient to build modules
             : against the kernel package.

Name         : kernel-devel
Version      : 5.14.0
Release      : 427.26.1.el9_4
Architecture : x86_64
Size         : 25 M
Source       : kernel-5.14.0-427.26.1.el9_4.src.rpm
Repository   : rhel-9-for-x86_64-appstream-rpms
Summary      : Development package for building kernel modules to match the kernel
URL          : https://www.kernel.org/
License      : ((GPL-2.0-only WITH Linux-syscall-note) OR BSD-2-Clause) AND ((GPL-2.0-only WITH Linux-syscall-note) OR BSD-3-Clause) AND ((GPL-2.0-only WITH Linux-syscall-note) OR CDDL-1.0) AND ((GPL-2.0-only WITH
             : Linux-syscall-note) OR Linux-OpenIB) AND ((GPL-2.0-only WITH Linux-syscall-note) OR MIT) AND ((GPL-2.0-or-later WITH Linux-syscall-note) OR BSD-3-Clause) AND ((GPL-2.0-or-later WITH Linux-syscall-note) OR
             : MIT) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSD-3-Clause-Clear AND GFDL-1.1-no-invariants-or-later AND GPL-1.0-or-later AND (GPL-1.0-or-later OR BSD-3-Clause) AND (GPL-1.0-or-later WITH
             : Linux-syscall-note) AND GPL-2.0-only AND (GPL-2.0-only OR Apache-2.0) AND (GPL-2.0-only OR BSD-2-Clause) AND (GPL-2.0-only OR BSD-3-Clause) AND (GPL-2.0-only OR CDDL-1.0) AND (GPL-2.0-only OR
             : GFDL-1.1-no-invariants-or-later) AND (GPL-2.0-only OR GFDL-1.2-no-invariants-only) AND (GPL-2.0-only WITH Linux-syscall-note) AND GPL-2.0-or-later AND (GPL-2.0-or-later OR BSD-2-Clause) AND
             : (GPL-2.0-or-later OR BSD-3-Clause) AND (GPL-2.0-or-later OR CC-BY-4.0) AND (GPL-2.0-or-later WITH GCC-exception-2.0) AND (GPL-2.0-or-later WITH Linux-syscall-note) AND ISC AND LGPL-2.0-or-later AND
             : (LGPL-2.0-or-later OR BSD-2-Clause) AND (LGPL-2.0-or-later WITH Linux-syscall-note) AND LGPL-2.1-only AND (LGPL-2.1-only OR BSD-2-Clause) AND (LGPL-2.1-only WITH Linux-syscall-note) AND LGPL-2.1-or-later
             : AND (LGPL-2.1-or-later WITH Linux-syscall-note) AND (Linux-OpenIB OR GPL-2.0-only) AND (Linux-OpenIB OR GPL-2.0-only OR BSD-2-Clause) AND Linux-man-pages-copyleft AND MIT AND (MIT OR GPL-2.0-only) AND (MIT
             : OR GPL-2.0-or-later) AND (MIT OR LGPL-2.1-only) AND (MPL-1.1 OR GPL-2.0-only) AND (X11 OR GPL-2.0-only) AND (X11 OR GPL-2.0-or-later) AND Zlib
Description  : This package provides kernel headers and makefiles sufficient to build modules
             : against the kernel package.

then add repo

[rhel-9-for-x86_64-appstream-rpms]
name = Red Hat Enterprise Linux 9 for AMD 64 - AppStream (RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/x86_64/appstream/os
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/1217013518381510732-key.pem
sslclientcert = /etc/pki/entitlement/1217013518381510732.pem
sslverifystatus = 1
metadata_expire = 86400
enabled_metadata = 1

and then:


[root@c86479bb8ccf yum.repos.d]# dnf info kernel-devel
Updating Subscription Management repositories.
Last metadata expiration check: 0:22:48 ago on Mon Jul 22 17:00:55 2024.
Available Packages
Name         : kernel-devel
Version      : 5.14.0
Release      : 427.26.1.el9_4
Architecture : aarch64
Size         : 24 M
Source       : kernel-5.14.0-427.26.1.el9_4.src.rpm
Repository   : rhel-9-for-aarch64-appstream-rpms
Summary      : Development package for building kernel modules to match the kernel
URL          : https://www.kernel.org/
License      : ((GPL-2.0-only WITH Linux-syscall-note) OR BSD-2-Clause) AND ((GPL-2.0-only WITH Linux-syscall-note) OR BSD-3-Clause) AND ((GPL-2.0-only WITH Linux-syscall-note) OR CDDL-1.0) AND ((GPL-2.0-only WITH
             : Linux-syscall-note) OR Linux-OpenIB) AND ((GPL-2.0-only WITH Linux-syscall-note) OR MIT) AND ((GPL-2.0-or-later WITH Linux-syscall-note) OR BSD-3-Clause) AND ((GPL-2.0-or-later WITH Linux-syscall-note) OR
             : MIT) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSD-3-Clause-Clear AND GFDL-1.1-no-invariants-or-later AND GPL-1.0-or-later AND (GPL-1.0-or-later OR BSD-3-Clause) AND (GPL-1.0-or-later WITH
             : Linux-syscall-note) AND GPL-2.0-only AND (GPL-2.0-only OR Apache-2.0) AND (GPL-2.0-only OR BSD-2-Clause) AND (GPL-2.0-only OR BSD-3-Clause) AND (GPL-2.0-only OR CDDL-1.0) AND (GPL-2.0-only OR
             : GFDL-1.1-no-invariants-or-later) AND (GPL-2.0-only OR GFDL-1.2-no-invariants-only) AND (GPL-2.0-only WITH Linux-syscall-note) AND GPL-2.0-or-later AND (GPL-2.0-or-later OR BSD-2-Clause) AND
             : (GPL-2.0-or-later OR BSD-3-Clause) AND (GPL-2.0-or-later OR CC-BY-4.0) AND (GPL-2.0-or-later WITH GCC-exception-2.0) AND (GPL-2.0-or-later WITH Linux-syscall-note) AND ISC AND LGPL-2.0-or-later AND
             : (LGPL-2.0-or-later OR BSD-2-Clause) AND (LGPL-2.0-or-later WITH Linux-syscall-note) AND LGPL-2.1-only AND (LGPL-2.1-only OR BSD-2-Clause) AND (LGPL-2.1-only WITH Linux-syscall-note) AND LGPL-2.1-or-later
             : AND (LGPL-2.1-or-later WITH Linux-syscall-note) AND (Linux-OpenIB OR GPL-2.0-only) AND (Linux-OpenIB OR GPL-2.0-only OR BSD-2-Clause) AND Linux-man-pages-copyleft AND MIT AND (MIT OR GPL-2.0-only) AND (MIT
             : OR GPL-2.0-or-later) AND (MIT OR LGPL-2.1-only) AND (MPL-1.1 OR GPL-2.0-only) AND (X11 OR GPL-2.0-only) AND (X11 OR GPL-2.0-or-later) AND Zlib
Description  : This package provides kernel headers and makefiles sufficient to build modules
             : against the kernel package.

Name         : kernel-devel
Version      : 5.14.0
Release      : 427.26.1.el9_4
Architecture : x86_64
Size         : 25 M
Source       : kernel-5.14.0-427.26.1.el9_4.src.rpm
Repository   : rhel-9-for-x86_64-appstream-rpms
Summary      : Development package for building kernel modules to match the kernel
URL          : https://www.kernel.org/
License      : ((GPL-2.0-only WITH Linux-syscall-note) OR BSD-2-Clause) AND ((GPL-2.0-only WITH Linux-syscall-note) OR BSD-3-Clause) AND ((GPL-2.0-only WITH Linux-syscall-note) OR CDDL-1.0) AND ((GPL-2.0-only WITH
             : Linux-syscall-note) OR Linux-OpenIB) AND ((GPL-2.0-only WITH Linux-syscall-note) OR MIT) AND ((GPL-2.0-or-later WITH Linux-syscall-note) OR BSD-3-Clause) AND ((GPL-2.0-or-later WITH Linux-syscall-note) OR
             : MIT) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSD-3-Clause-Clear AND GFDL-1.1-no-invariants-or-later AND GPL-1.0-or-later AND (GPL-1.0-or-later OR BSD-3-Clause) AND (GPL-1.0-or-later WITH
             : Linux-syscall-note) AND GPL-2.0-only AND (GPL-2.0-only OR Apache-2.0) AND (GPL-2.0-only OR BSD-2-Clause) AND (GPL-2.0-only OR BSD-3-Clause) AND (GPL-2.0-only OR CDDL-1.0) AND (GPL-2.0-only OR
             : GFDL-1.1-no-invariants-or-later) AND (GPL-2.0-only OR GFDL-1.2-no-invariants-only) AND (GPL-2.0-only WITH Linux-syscall-note) AND GPL-2.0-or-later AND (GPL-2.0-or-later OR BSD-2-Clause) AND
             : (GPL-2.0-or-later OR BSD-3-Clause) AND (GPL-2.0-or-later OR CC-BY-4.0) AND (GPL-2.0-or-later WITH GCC-exception-2.0) AND (GPL-2.0-or-later WITH Linux-syscall-note) AND ISC AND LGPL-2.0-or-later AND
             : (LGPL-2.0-or-later OR BSD-2-Clause) AND (LGPL-2.0-or-later WITH Linux-syscall-note) AND LGPL-2.1-only AND (LGPL-2.1-only OR BSD-2-Clause) AND (LGPL-2.1-only WITH Linux-syscall-note) AND LGPL-2.1-or-later
             : AND (LGPL-2.1-or-later WITH Linux-syscall-note) AND (Linux-OpenIB OR GPL-2.0-only) AND (Linux-OpenIB OR GPL-2.0-only OR BSD-2-Clause) AND Linux-man-pages-copyleft AND MIT AND (MIT OR GPL-2.0-only) AND (MIT
             : OR GPL-2.0-or-later) AND (MIT OR LGPL-2.1-only) AND (MPL-1.1 OR GPL-2.0-only) AND (X11 OR GPL-2.0-only) AND (X11 OR GPL-2.0-or-later) AND Zlib
Description  : This package provides kernel headers and makefiles sufficient to build modules
             : against the kernel package.
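The repo stanza above shows the pieces that matter for authenticated access: `sslcacert`, `sslclientcert` and `sslclientkey` are the entitlement material that dnf's subscription-manager plugin presents during the TLS handshake, which a downloader that bypasses dnf has to present itself. The following is an added example, not code from cachi2 or from this PR: a stdlib-only Python parser that reads those options out of a dnf `.repo` file, validates them (certificate and key must be given together, paths must be absolute) and turns them into the `verify`/`cert` keyword arguments a requests-style HTTP client takes. The embedded repo file is constructed from the stanza above with the entitlement serial replaced by a placeholder; the `$releasever` value and the second, disabled stanza are assumptions for illustration.

```python
"""Added example (not cachi2's own code): extract dnf .repo TLS client-auth
options so a non-dnf downloader can still authenticate with the entitlement
certificate that the subscription-manager plugin would normally supply."""
from __future__ import annotations

import configparser
import os
import string
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the stanza posted in the comment above, with the
# entitlement certificate serial replaced by a placeholder, plus a
# constructed disabled repo to show that sslverify=0 is honoured.
SAMPLE_REPO_FILE = """
[rhel-9-for-x86_64-appstream-rpms]
name = Red Hat Enterprise Linux 9 for AMD 64 - AppStream (RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel9/$releasever/x86_64/appstream/os
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/ENTITLEMENT_SERIAL-key.pem
sslclientcert = /etc/pki/entitlement/ENTITLEMENT_SERIAL.pem
sslverifystatus = 1
metadata_expire = 86400
enabled_metadata = 1

[constructed-disabled-repo]
name = constructed disabled repo
baseurl = https://example.invalid/os
enabled = 0
sslverify = 0
"""


@dataclass(frozen=True)
class SslOptions:
    """The subset of dnf repo options that drive the TLS handshake."""

    verify: bool = True
    ca_cert: Optional[str] = None
    client_cert: Optional[str] = None
    client_key: Optional[str] = None

    def validate(self) -> None:
        """Reject half-configured client auth and relative certificate paths."""
        if (self.client_cert is None) != (self.client_key is None):
            raise ValueError("sslclientcert and sslclientkey must be set together")
        for path in (self.ca_cert, self.client_cert, self.client_key):
            if path is not None and not os.path.isabs(path):
                raise ValueError(f"certificate path must be absolute: {path}")

    def as_requests_kwargs(self) -> dict:
        """Keyword arguments for a requests-style client: verify=<CA bundle or
        bool>, cert=(client_cert, client_key). The CA bundle is only used when
        verification is on; a mutual-TLS pair is added only when configured."""
        kwargs = {"verify": self.ca_cert if (self.verify and self.ca_cert) else self.verify}
        if self.client_cert:
            kwargs["cert"] = (self.client_cert, self.client_key)
        return kwargs


@dataclass(frozen=True)
class Repo:
    repo_id: str
    baseurl: str
    enabled: bool
    ssl: SslOptions


def _flag(section: configparser.SectionProxy, key: str, default: bool) -> bool:
    """dnf accepts 1/0, true/false, yes/no for boolean options."""
    return section.get(key, "1" if default else "0").strip().lower() in ("1", "true", "yes")


def parse_repo_file(text: str, releasever: str = "9") -> dict[str, Repo]:
    """Parse every [repo] stanza; $releasever is substituted the way dnf would."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    repos: dict[str, Repo] = {}
    for repo_id in parser.sections():
        sec = parser[repo_id]
        ssl = SslOptions(
            verify=_flag(sec, "sslverify", True),
            ca_cert=sec.get("sslcacert"),
            client_cert=sec.get("sslclientcert"),
            client_key=sec.get("sslclientkey"),
        )
        ssl.validate()
        baseurl = string.Template(sec["baseurl"]).safe_substitute(releasever=releasever)
        repos[repo_id] = Repo(repo_id, baseurl, _flag(sec, "enabled", True), ssl)
    return repos


def fetch_args(repo: Repo, relative_path: str) -> tuple[str, dict]:
    """URL plus client kwargs for one RPM; the caller hands these to its HTTP
    client instead of relying on dnf to perform the client-cert handshake."""
    url = f"{repo.baseurl.rstrip('/')}/{relative_path.lstrip('/')}"
    return url, repo.ssl.as_requests_kwargs()


if __name__ == "__main__":
    for repo in parse_repo_file(SAMPLE_REPO_FILE).values():
        if repo.enabled:
            print(fetch_args(repo, "Packages/k/kernel-devel-5.14.0-427.26.1.el9_4.x86_64.rpm"))
```

The validation step is the part worth keeping in a real implementation: a stanza with a certificate but no key, or with `sslverify = 0` left over from debugging, is exactly the kind of configuration that silently downgrades the download to unauthenticated or unverified TLS.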

ben-alkov commented 3 months ago

@brianwcook; Please do not put references to RH internals in public GitHub.

ben-alkov commented 3 months ago

@brianwcook; Please mark this as a draft PR

ben-alkov commented 3 months ago

@brianwcook; Your Dockerfile doesn't seem to build a usable image https://github.com/containerbuildsystem/cachi2/actions/runs/10040853225/job/27804698612?pr=580

ben-alkov commented 3 months ago

@brianwcook; Please ensure that all commits have a DCO https://github.com/containerbuildsystem/cachi2/pull/580/checks?check_run_id=27747719569

brianwcook commented 3 months ago

Latest commit enables prefetch for content from dnf repositories that require client certificate authorization. Together with this task the authenticated content can be fetched with cachi2 in a Konflux pipeline.

chmeliik commented 3 months ago

@brianwcook would you mind splitting this into two PRs? I don't think anyone understood where you were going with the changes, so most of the comments here are about subscription-manager and UBI x Rocky whereas the change that actually matters for Authenticated access for RPMs is just using the client certificates coming from outside cachi2.

Switching the base image to UBI and enabling certificate-auth support for RPMs are unrelated changes, it would be much easier for us to review them as such

chmeliik commented 3 months ago

@brianwcook would you mind splitting this into two PRs?

Or, before that, we should get confirmation from the DNF folk that their lockfile support will be able to support subscription-manager for multi-arch lockfiles. We are treating the RPM support as tech-preview, but still I wouldn't like to pull this feature from under users' feet when the DNF lockfile support lands and we switch to it.

eskultety commented 3 months ago

@brianwcook would you mind splitting this into two PRs?

Or, before that, we should get confirmation from the DNF folk that their lockfile support will be able to support subscription-manager for multi-arch lockfiles.

Firstly, I don't think ^this work has been officially announced anywhere, has it? Secondly, how are subman and DNF related in particular? The repos subscription-manager enables are (in simple terms) based on the platform product tags (e.g. rhel-8-server) and the base architecture which can be tweaked with the means of facts files under /etc/rhsm/facts where one can "enable" for more arches for which corresponding entries in the resulting .repo file are generated. That should be pretty much the connection between the subscription manager and DNF as far as lockfile goes, since lockfiles can already host multiple architectures.

The problems I see are:

brianwcook commented 3 months ago

since content specifically targeting RHEL-8 won't be enabled on UBI-9 I think this is possible as well, but honestly the direct download method seems much more straightforward to me and is likely more performant as it appears dnf serializes content downloads.

messing with /etc/rhsm does require a privileged user. For UBI9 we can export SMDEV_CONTAINER_OFF=1 instead, but it does not work on UBI8.

subscription-manager register and even dnf install also require user 0. If you want to register and install RPMs you just need user 0, but the way I separated it you don't need to run cachi2 as root.

brunoapimentel commented 1 month ago

/ok-to-test

brianwcook commented 1 month ago

@eskultety Thanks for your review. I believe I have addressed all of your comments, however somehow your interim commit dropping _DNFOptions has become linked to my PR in a way that I can't seem to undo. I've tried to rebase as many ways as I know how to no avail... advice welcome.

eskultety commented 1 month ago

@eskultety Thanks for your review. I believe I have addressed all of your comments, however somehow your interim commit dropping _DNFOptions has become linked to my PR in a way that I can't seem to undo. I've tried to rebase as many ways as I know how to no avail... advice welcome.

It was merged to main in the meantime. You need to pull your main branch, then run an interactive rebase on this branch against main, it should pick up the right commits, since it's interactive you can adjust the list of commits if needed before you hit a potential merge conflict.

brianwcook commented 1 month ago

I ended up having to clone repo over again and apply a patch to get it to look right. The integration test is being blocked by Dockerhub rate limiting now though.

eskultety commented 1 month ago

Please split the changes into multiple commits in your next revision, it's extremely exhausting to review this in a single commit, we wouldn't accept this as a single patch anyway, I just didn't want to push that hard since you've struggled with rebasing, but I'm finding it difficult to keep context of all files changed in my head as I'm scrolling through the changes. The fact you're proposing scripts which aren't used anywhere doesn't help either. I'll expect that in the next round of reviews.

I forgot to be more specific on how this should be split:

  1. SSL options model introduction + unit test
  2. package_managers/rpm changes + unit test
  3. integration test changes

eskultety commented 1 month ago

@brianwcook sorry, getting back to this one after PTO. I don't see any update on the comments I made during the last round of review. In any case, have a look at https://github.com/containerbuildsystem/cachi2/compare/main...eskultety:cachi2:rpm-ssl-opts where I applied (hopefully) all things I have raised including splitting the work to more commits to give you an idea what I had in mind.

brianwcook commented 3 weeks ago

@brianwcook sorry, getting back to this one after PTO.

No problem, I have been occupied with other work too. Thanks for the branch! I just pushed it.

eskultety commented 3 weeks ago

/ok-to-test

eskultety commented 3 weeks ago

Fixed the merge conflict, rebased on top of main and force pushed to @brianwcook's branch.

eskultety commented 2 weeks ago

Since last revision:

Note some commit references for the CI changes will have to be tweaked once #682 is merged and the target test RPM repo has to be created (merged with an existing one), but other than that this is ready to review, these final touches will be done in the final revision.

eskultety commented 2 weeks ago

Note some commit references for the CI changes will have to be tweaked once https://github.com/containerbuildsystem/cachi2/pull/682 is merged and the target test RPM repo has to be created (merged with an existing one), but other than that this is ready to review, these final touches will be done in the final revision.

Merging.