Project

Profile

Help

Issue #9205

Updated by pulpbot over 2 years ago

 

 **Ticket moved to GitHub**: "pulp/pulpcore/2036":https://github.com/pulp/pulpcore/issues/2036 




 ---- 


 On Pulp2, if GPG signing of repo metadata is enabled per https://docs.pulpproject.org/en/2.21/plugins/pulp_rpm/tech-reference/yum-plugins.html#gpg-signing-of-repository-metadata , but signing fails for any reason, yum publish incorrectly succeeds. 

 This is wrong - if signing is enabled, it's a mandatory part of the publish process and failures should cause the entire publish to fail. 

 ## Steps to reproduce 

 - Enable repodata signing by setting "gpg_sign_metadata": true for a repo 
 - Ensure configuration is such that signing will fail (e.g. don't set up any secret key) 
 - Publish repo 

 ## Actual behavior 

 Signing fails, but publish task for repo is marked successful, as in example: 

 ~~~ 
 Aug    3 23:32:40 rhsm-pulp04 pulp: pulp.plugins.util.publish_step:ERROR: [4a67d40b] (4703-09344) Finalizing failed 
 Aug    3 23:32:40 rhsm-pulp04 pulp: pulp.plugins.util.publish_step:ERROR: [4a67d40b] (4703-09344) Traceback (most recent call last): 
 Aug    3 23:32:40 rhsm-pulp04 pulp: pulp.plugins.util.publish_step:ERROR: [4a67d40b] (4703-09344)     File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 265, in process 
 Aug    3 23:32:40 rhsm-pulp04 pulp: pulp.plugins.util.publish_step:ERROR: [4a67d40b] (4703-09344)       self.finalize() 
 Aug    3 23:32:40 rhsm-pulp04 pulp: pulp.plugins.util.publish_step:ERROR: [4a67d40b] (4703-09344)     File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/yum/publish.py", line 416, in finalize 
 Aug    3 23:32:40 rhsm-pulp04 pulp: pulp.plugins.util.publish_step:ERROR: [4a67d40b] (4703-09344)       self.parent.repomd_file_context.finalize() 
 Aug    3 23:32:40 rhsm-pulp04 pulp: pulp.plugins.util.publish_step:ERROR: [4a67d40b] (4703-09344)     File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/yum/metadata/repomd.py", line 49, in finalize 
 Aug    3 23:32:40 rhsm-pulp04 pulp: pulp.plugins.util.publish_step:ERROR: [4a67d40b] (4703-09344)       signer.sign(self.metadata_file_path) 
 Aug    3 23:32:40 rhsm-pulp04 pulp: pulp.plugins.util.publish_step:ERROR: [4a67d40b] (4703-09344)     File "/usr/lib/python2.7/site-packages/pulp_rpm/yum_plugin/util.py", line 327, in sign 
 Aug    3 23:32:40 rhsm-pulp04 pulp: pulp.plugins.util.publish_step:ERROR: [4a67d40b] (4703-09344)       stdout=stdout, stderr=stderr) 
 Aug    3 23:32:40 rhsm-pulp04 pulp: pulp.plugins.util.publish_step:ERROR: [4a67d40b] (4703-09344) SignerError: Return code: 2 
 Aug    3 23:32:41 rhsm-pulp04 pulp: celery.app.trace:INFO: [4a67d40b] Task pulp.server.managers.repo.publish.publish[4a67d40b-9a78-4e05-970b-f8851d623d0b] succeeded in 0.957519632997s: {'exception': None, 'repo_id': 'satellite-tools-6_DOT_8-for-rhel-8-x86_64-eus-rpms__8_DOT_1', 'traceback': None, 'started': datetime.datetime(2021, 8, 3, 23, 32, 40, 226116, tzinfo=<isodate.tzinfo.Utc object at 0x7f1edc27a710>), '_ns': 'repo_publish_results', 'completed': datetime.datetime(2021, 8, 3, 23, 32, 41, 155973, tzinfo=<isodate.tzinfo.Utc object at 0x7f1edc27a710>), 'error_message': None, 'distributor_type_id': 'yum_distributor', 'distributor_id': 'yum_distributor', 'summary': {'generate sqlite': 'FINISHED', 'initialize_repo_metadata': 'FINISHED', 'remove_old_repodata': 'FINISHED', 'rpms': 'FINISHED', 'modules': 'SKIPPED', 'close_repo_metadata': 'FINISHED', 'drpms': 'SKIPPED', 'comps': 'FINISHED', 'distribution': 'FINISHED', 'repoview': 'SKIPPED', 'publish_directory': 'FINISHED', 'errata': 'FINISHED', 'metadata': 'FINISHED'}, 'result': 'success', 'id': '6109d219d822f2125ffc3bcf', 'details': [{'num_processed': 1, 'items_total': 1, 'state': 'FINISHED', 'num_success': 1, 'error_details': [...], 'descript...', ...}]} 
 ~~~ 

 ## Expected behavior 

 Signing fails, and publish task for repo fails. 

 ## Additional info 

 There's code here which catches all exceptions from finalize and doesn't re-raise them or mark the task as failed: 
 https://github.com/pulp/pulp/blob/f84198bb4cb9aaf233e8c4d9208ec7ee9df9790c/server/pulp/plugins/util/publish_step.py#L262 

 I've filed this as relating to signing since that's where the issue is relevant to me, but the above code seems like it could cause tasks to be incorrectly marked as successful in many other error cases as well, e.g. an I/O error when trying to close the repomd.xml file normally.

Back