Openssl and ibmca #1131

Merged
merged 2 commits into from
Jan 12, 2024

pirat89
Member

@pirat89 pirat89 commented Oct 20, 2023

  • The openssl-ibmca needs to be reconfigured manually after the upgrade.
    Report it to the user if the package is installed.

  • The openssl configuration file (/etc/pki/tls/openssl.cnf) is not
    100% compatible between major versions of RHEL due to different
    versions of OpenSSL. Also the configuration is supposed to be
    done via system wide crypto policies instead, so it's expected
    to not modify this file anymore. If the content of the file has
    been modified, report to user what will happen during the upgrade
    and what they should do after it.

  • If the openssl config file is modified (rpm -Vf <file>) and
    *.rpmnew file exists, back up the file with .leappsave suffix
    and replace it by the *.rpmsave one.

Introduce TrackedFilesInfoSource

I see here some pattern, when it's needed to check just whether a file has been changed, etc. Regarding that, I've introduced TrackedFilesInfoSource msg and a generic actor that creates it. So in case someone needs similar information in future, they can add the file path to the input list defined in the actor without the need to create additional extra actor for it.

Tickets

JIRA: OAMG-9960
JIRA: RHEL-11193

Missing unit-tests for scansourcefiles actor. Expecting to deliver them in a followup PR. Tracked by JIRA ticket: OAMG-10367

@pirat89 pirat89 added this to the 8.10/9.4 milestone Oct 20, 2023
@pirat89 pirat89 force-pushed the openssl-and-ibmca branch 4 times, most recently from ae3a2b3 to 8f6a715 Compare October 24, 2023 09:40
@pirat89 pirat89 force-pushed the openssl-and-ibmca branch 2 times, most recently from cbf4195 to 36867e7 Compare January 9, 2024 19:20
@pirat89 pirat89 added the report Any reports have been added / removed / changed in the PR label Jan 10, 2024
@pirat89 pirat89 force-pushed the openssl-and-ibmca branch 2 times, most recently from 631c9b8 to 5ff584d Compare January 10, 2024 19:13
@pirat89 pirat89 marked this pull request as ready for review January 10, 2024 19:17
@pirat89 pirat89 added the bug Something isn't working label Jan 10, 2024
@pirat89 pirat89 changed the title WIP: Openssl and ibmca Openssl and ibmca Jan 10, 2024
@pirat89
Member Author

pirat89 commented Jan 10, 2024

@oamg/developers I will most likely create a housekeeping ticket to create unit-tests for scansourcefiles actor later. The rest of the code is covered now.

@pirat89 pirat89 requested review from a team, abadger and fernflower January 11, 2024 10:29
Member

@fernflower fernflower left a comment

The unit tests for scansourcefiles actor are missing. I am not really comfortable merging the code without them, as standard upstream tests we run (even tier1 ones) might not trigger that actor execution.
Otherwise lgtm

@@ -0,0 +1,4 @@
def test_scansourcefiles():
# TODO(pstodulk): keeping unit tests for later after I check the idea
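Review bot: test_scansourcefiles() has only a TODO comment visible as its body, so as shown it asserts nothing about the scansourcefiles actor and cannot catch a regression there. Until real tests land, mark the test as explicitly skipped with a reason that names a tracking ticket, so the gap appears in the test report instead of counting as a pass, and replace the personal TODO(pstodulk) tag with that ticket reference.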
Member

Since we want this merged today - looks like this has been checked and discussed and deserves proper unit test coverage

Member Author

Added Jira ticket to the comments: OAMG-10367. Regarding the time frame, I expect to deliver tests the next week. But most likely I will not be able to finish them today.

We hit already several times a situation that an actor needed an
information about specific file (whether exists, has been changed,...).
And for that purpose extra scanner actor needed to be created, with
an associated message and Model.

To cover such cases, we are introducing new model
TrackedFilesInfoSource and actor scansourcefiles. So in future, when
any actor needs such a piece of information and do something based
on it, developer can just update lists in the introduced actor's
library, so the information about particular file will be provided.

Another benefit is saving a time on writing new unit tests and code
for the scan, as updating a list of files to be tracked does not
affect the algorithm.

* The openssl-ibmca needs to be reconfigured manually after the upgrade.
  Report it to the user if the package is installed.

* The openssl configuration file (/etc/pki/tls/openssl.cnf) is not
  100% compatible between major versions of RHEL due to different
  versions of OpenSSL. Also the configuration is supposed to be
  done via system wide crypto policies instead, so it's expected
  to not modify this file anymore. If the content of the file has
  been modified, report to user what will happen during the upgrade
  and what they should do after it.

* If the openssl config file is modified (rpm -Vf <file>) and
  *.rpmnew file exists, back up the file with .leappsave suffix
  and replace it by the *.rpmsave one.
@fernflower
Member

Checked manually that scanner doesn't crash.

@pirat89
Member Author

pirat89 commented Jan 12, 2024

Doing some additional manual sanity testing. For systems with changed openssl.cnf config file:

----------------------------------------
Risk Factor: high
Title: The /etc/pki/tls/openssl.cnf file is modified and will be replaced during the upgrade.
Summary: The OpenSSL configuration file (/etc/pki/tls/openssl.cnf) has been modified on the system. RHEL 8 (and newer) systems provide a crypto-policies mechanism ensuring usage of system-wide secure cryptography algorithms. Also the target system uses newer version of OpenSSL that is not fully compatible with the current one. To ensure the upgraded system uses crypto-policies as expected, the new version of the openssl configuration file must be installed during the upgrade. This will be done automatically. The original configuration file will be saved as "/etc/pki/tls/openssl.cnf.leappsave".

Note this can affect the ability to connect to the system after the upgrade if it depends on the current OpenSSL configuration. Such a problem may be caused by using a particular OpenSSL engine, as OpenSSL engines built for the RHEL 7 system are not compatible with RHEL 8.
Related links:
    - Using system-wide cryptographic policies.: https://red.ht/rhel-9-system-wide-crypto-policies
Remediation: [hint] Check that your ability to login to the system does not depend on the OpenSSL configuration. After the upgrade, review the system configuration and configure the system as needed. Please, be aware that it is not recommended to configure the system default {fpath}. Instead, it is recommended to copy the file and use this copy to configure particular applications. The default OpenSSL configuration file should be modified only when it is really necessary.
Key: 20e32da940e6b410dc82fed685233c9033066b74

During the upgrade:

----------------------------------------------------------------------
Actor: migrate_openssl_conf
Executed: True
Phase: Applications
Started: 2024-01-12T11:31:08.737660Z
Produced messages:
    ----
Executed shell commands:
    - ['rpm', '-Vf', '/etc/pki/tls/openssl.cnf']
    - ['mv', '/etc/pki/tls/openssl.cnf', '/etc/pki/tls/openssl.cnf.leappsave']
    - ['mv', '/etc/pki/tls/openssl.cnf.rpmnew', '/etc/pki/tls/openssl.cnf']
Logs:
    2024-01-12 12:31:08.771 DEBUG    PID: 1293 leapp.workflow.Applications.migrate_openssl_conf: External command has started: ['rpm', '-Vf', '/etc/pki/tls/openssl.cnf']
    2024-01-12 12:31:08.794 DEBUG    PID: 1293 leapp.workflow.Applications.migrate_openssl_conf: S.5....T.  c /etc/pki/tls/openssl.cnf
    2024-01-12 12:31:08.803 DEBUG    PID: 1293 leapp.workflow.Applications.migrate_openssl_conf: Command ['rpm', '-Vf', '/etc/pki/tls/openssl.cnf'] failed with exit code 1.
    2024-01-12 12:31:08.807 DEBUG    PID: 1293 leapp.workflow.Applications.migrate_openssl_conf: External command has finished: ['rpm', '-Vf', '/etc/pki/tls/openssl.cnf']
    2024-01-12 12:31:08.809 DEBUG    PID: 1293 leapp.workflow.Applications.migrate_openssl_conf: External command has started: ['mv', '/etc/pki/tls/openssl.cnf', '/etc/pki/tls/openssl.cnf.leappsave']
    2024-01-12 12:31:08.816 DEBUG    PID: 1293 leapp.workflow.Applications.migrate_openssl_conf: External command has finished: ['mv', '/etc/pki/tls/openssl.cnf', '/etc/pki/tls/openssl.cnf.leappsave']
    2024-01-12 12:31:08.817 DEBUG    PID: 1293 leapp.workflow.Applications.migrate_openssl_conf: External command has started: ['mv', '/etc/pki/tls/openssl.cnf.rpmnew', '/etc/pki/tls/openssl.cnf']
    2024-01-12 12:31:08.823 DEBUG    PID: 1293 leapp.workflow.Applications.migrate_openssl_conf: External command has finished: ['mv', '/etc/pki/tls/openssl.cnf.rpmnew', '/etc/pki/tls/openssl.cnf']
----------------------------------------------------------------------

On the upgraded system:

[root@localhost ~]# ls -l /etc/pki/tls/openssl*
-rw-r--r--. 1 root root 11227 Nov 30 14:02 /etc/pki/tls/openssl.cnf
-rw-r--r--. 1 root root 10925 Jan 12 12:07 /etc/pki/tls/openssl.cnf.leappsave
[root@localhost ~]# rpm -V `rpm -qf /etc/pki/tls/openssl.cnf`
[root@localhost ~]# 
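
The check-and-swap sequence shown in the actor log above, as an added example that is not part of the original thread and not the leapp project's code: it parses `rpm -V` output and replaces a content-modified config file with its `.rpmnew` counterpart, keeping the original as `.leappsave`. Treating the `5` (digest) flag as the meaning of "modified" and the names `parse_rpm_verify`, `migrate_config` and `demo` are assumptions of this example; the files are constructed in a temporary directory.

```python
import os
import tempfile

# One-letter markers rpm may print between the attribute string and the path
# ("c" marks a config file, as in the log line above).
FILE_MARKERS = "cdglr"


def parse_rpm_verify(output):
    """Parse `rpm -V` output into {path: (failed_checks, marker)}.

    Each line holds an attribute string such as "S.5....T." (a letter or
    digit where a check failed, "." where it passed, "?" where it could not
    be performed), an optional file marker, and the path.
    """
    result = {}
    for line in output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        attrs, rest = parts
        if attrs == "missing":
            flags = {"missing"}
        else:
            flags = {ch for ch in attrs if ch not in ".?"}
        marker = None
        if len(rest) > 2 and rest[0] in FILE_MARKERS and rest[1] == " ":
            marker, rest = rest[0], rest[2:].lstrip()
        result[rest] = (flags, marker)
    return result


def migrate_config(path, verify_output):
    """Swap in <path>.rpmnew when rpm reports changed content for <path>.

    Returns "unmodified", "no-rpmnew" or "replaced".
    Assumption of this example: only a digest mismatch ("5") counts as a
    modification; a changed mtime ("T") alone does not.
    """
    flags, _marker = parse_rpm_verify(verify_output).get(path, (set(), None))
    if "5" not in flags:
        return "unmodified"
    rpmnew = path + ".rpmnew"
    if not os.path.exists(rpmnew):
        # Nothing to install in its place, so leave the admin's file alone.
        return "no-rpmnew"
    os.rename(path, path + ".leappsave")  # keep the customized file
    os.rename(rpmnew, path)               # activate the packaged default
    return "replaced"


def demo():
    """Run the three cases against constructed files in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "openssl.cnf")
        with open(path, "w") as handle:
            handle.write("customized\n")

        # Constructed rpm -V lines, modelled on the one in the log above.
        touched_only = ".......T.  c " + path
        modified = "S.5....T.  c " + path

        results["touched"] = migrate_config(path, touched_only)
        results["no_rpmnew"] = migrate_config(path, modified)

        with open(path + ".rpmnew", "w") as handle:
            handle.write("vendor default\n")
        results["modified"] = migrate_config(path, modified)

        with open(path) as handle:
            results["active"] = handle.read()
        with open(path + ".leappsave") as handle:
            results["saved"] = handle.read()
        results["rpmnew_left"] = os.path.exists(path + ".rpmnew")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, repr(value))
```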

@pirat89 pirat89 merged commit c8321a9 into oamg:master Jan 12, 2024
22 of 38 checks passed
@pirat89 pirat89 deleted the openssl-and-ibmca branch January 12, 2024 11:39
@pirat89 pirat89 added the changelog-checked The merger/reviewer checked the changelog draft document and updated it when relevant label Jan 12, 2024
pirat89 added a commit to pirat89/leapp-repository that referenced this pull request Feb 13, 2024
## Packaging
- Requires xfsprogs and e2fsprogs (oamg#1154)
- Bump leapp-repository-dependencies to 10 (oamg#1154)

## Upgrade handling
### Fixes
- Detect changes in openssl default configuration file and restore it to the default to the target default during the upgrade to reduce risk of potential issues (oamg#1131)
- Do not try to download data files anymore when missing as the service is obsoleted since the data is part of installed packages (oamg#1120)
- Drop the invalid `tuv` target channel (oamg#1130)
- Fix handling of symlinks under /etc/pki when managing certificates (oamg#1135, oamg#1160, oamg#1166)
- Fix semanage import issue (oamg#1164)
- Fix the issue of going out of bounds in the isccfg parser (oamg#1124)
- Fix traceback when saving the rhsm facts results and the /etc/rhsm/facts directory doesn’t exist yet (oamg#1132)
- Handle the upgrade better when a proxy is configured in YUM/DNF configurations (oamg#1143)
- Load all rpm repository substitutions that dnf knows about, not just releasever since repofiles may use the other substitutions too (oamg#1134)
- Minor updates of generated reports (oamg#1151)
- Print nice error msg when device and driver deprecation data is malformed (oamg#1168)
- Report information about required manual steps after the upgrade when openssl-ibmca is installed (oamg#1131)
- Update error messages and reports when installed upgrade data files are malformed or missing (oamg#1120)
- [IPU 7 -> 8] Fix the upgrade of the RH Satellite server when tomcat is installed (oamg#1150)
- [IPU 8 -> 9] Fix the upgrade from RHEL 8.9+ when the release is locked by subscription-manager (oamg#1136, oamg#1138)

### Enhancements
- Update upgrade paths: (oamg#1146, oamg#1147, oamg#1175)
  - RHEL 7.9  -> 8.10, 8.8 (default: 8.10)
  - RHEL with SAP HANA 7.9  -> 8.10, 8.8 (default: 8.8)
  - RHEL w/o SAP HANA 8.8  -> 9.2
  - RHEL w/o SAP HANA 8.10 -> 9.4
- Added possibility to define DNF configuration for the target system (oamg#1143)
- Code cleaning: drop redundant and invalid NFS checks (oamg#1127)
- Default to NO_RHSM mode when subscription-manager is not found (oamg#1133)
- Detect customized configuration of dynamic linker (oamg#1118)
- Detect possible unexpected RPM GPG keys has been installed during RPM transaction (oamg#1101)
- Drop obsoleted upgrade paths that relates to releases: 8.6, 8.9, 9.0, 9.3 (oamg#1175)
- Ignore Leapp related PES events (oamg#1153)
- Introduce generic transition of systemd services states during the IPU (oamg#1060, oamg#1174)
- Introduce possibility to upgrade with local repositories (oamg#1099)
- Introduced some changes getting us closer to possibility of IPU for Centos (Stream) systems (oamg#1140)
- Report the upgrade customisations and modifications of the upgrade tooling (oamg#1148)
- Simplify handling of upgrades on systems using RHUI, reducing the maintenance burden for cloud providers (oamg#1057)
- Update the leapp upgrade data files - bump data stream to "3.0" (oamg#1163, oamg#1165, oamg#1170)
- [IPU 8 -> 9] Enable upgrades RHEL 8 -> 9 using RHUI on Alibaba cloud (oamg#1137, oamg#1165, oamg#1172)

## Additional changes interesting for devels
- Introduced new functions returning a list of packages related to upgrade - see the rpms library (oamg#1156)
- Make detection of installed signed packages distribution agnostic - covers RHEL & CentOS (oamg#876)
- Model InstalledRedHatSignedRPM is deprecated, replaced by DistributionSignedRPM (oamg#876)
pirat89 added a commit to pirat89/leapp-repository that referenced this pull request Feb 13, 2024
@pirat89 pirat89 mentioned this pull request Feb 13, 2024
pirat89 added a commit to pirat89/leapp-repository that referenced this pull request Feb 13, 2024
## Packaging
- Requires xfsprogs and e2fsprogs (oamg#1154)
- Bump leapp-repository-dependencies to 10 (oamg#1154)

## Upgrade handling
### Fixes
- Detect changes in openssl default configuration file and restore it to the default to the target default during the upgrade to reduce risk of potential issues (oamg#1131)
- Do not try to download data files anymore when missing as the service is obsoleted since the data is part of installed packages (oamg#1120)
- Drop the invalid `tuv` target channel (oamg#1130)
- Fix handling of symlinks under /etc/pki when managing certificates (oamg#1135, oamg#1160, oamg#1166)
- Fix semanage import issue (oamg#1164)
- Fix the issue of going out of bounds in the isccfg parser (oamg#1124)
- Fix traceback when saving the rhsm facts results and the /etc/rhsm/facts directory doesn’t exist yet (oamg#1132)
- Handle the upgrade better when a proxy is configured in YUM/DNF configurations (oamg#1143)
- Load all rpm repository substitutions that dnf knows about, not just releasever since repofiles may use the other substitutions too (oamg#1134)
- Minor updates of generated reports (oamg#1151)
- Print nice error msg when device and driver deprecation data is malformed (oamg#1168)
- Report information about required manual steps after the upgrade when openssl-ibmca is installed (oamg#1131)
- Update error messages and reports when installed upgrade data files are malformed or missing (oamg#1120)
- [IPU 7 -> 8] Fix the upgrade of the RH Satellite server when tomcat is installed (oamg#1150)
- [IPU 8 -> 9] Fix the upgrade from RHEL 8.9+ when the release is locked by subscription-manager (oamg#1136, oamg#1138)

### Enhancements
- Update upgrade paths: (oamg#1146, oamg#1147, oamg#1175)
  - RHEL 7.9  -> 8.10, 8.8 (default: 8.10)
  - RHEL with SAP HANA 7.9  -> 8.10, 8.8 (default: 8.8)
  - RHEL w/o SAP HANA 8.8  -> 9.2
  - RHEL w/o SAP HANA 8.10 -> 9.4
- Added possibility to define DNF configuration for the target system (oamg#1143)
- Code cleaning: drop redundant and invalid NFS checks (oamg#1127)
- Default to NO_RHSM mode when subscription-manager is not found (oamg#1133)
- Detect customized configuration of dynamic linker (oamg#1118)
- Detect possible unexpected RPM GPG keys has been installed during RPM transaction (oamg#1101)
- Drop obsoleted upgrade paths that relates to releases: 8.6, 8.9, 9.0, 9.3 (oamg#1175)
- Ignore Leapp related PES events (oamg#1153)
- Introduce generic transition of systemd services states during the IPU (oamg#1060, oamg#1174)
- Introduce possibility to upgrade with local repositories (oamg#1099)
- Introduced some changes getting us closer to possibility of IPU for Centos (Stream) systems (oamg#1140)
- Report the upgrade customisations and modifications of the upgrade tooling (oamg#1148)
- Simplify handling of upgrades on systems using RHUI, reducing the maintenance burden for cloud providers (oamg#1057)
- Update the leapp upgrade data files - bump data stream to "3.0" (oamg#1163, oamg#1165, oamg#1170)
- [IPU 8 -> 9] Enable upgrades RHEL 8 -> 9 using RHUI on Alibaba cloud (oamg#1137, oamg#1165, oamg#1172)
- Unify breakpoints inside the upgrade initramfs for the easier troubleshooting (oamg#1157)

## Additional changes interesting for devels
- Introduced new functions returning a list of packages related to upgrade - see the rpms library (oamg#1156)
- Make detection of installed signed packages distribution agnostic - covers RHEL & CentOS (oamg#876)
- Model InstalledRedHatSignedRPM is deprecated, replaced by DistributionSignedRPM (oamg#876)
pirat89 added a commit that referenced this pull request Feb 13, 2024
yuravk pushed a commit to yuravk/leapp-repository that referenced this pull request Aug 9, 2024
(cherry picked from commit 6421225)
@pirat89 pirat89 added the shortened-urls PR is introducing new shortened red.ht URLs label Aug 12, 2024