feat: ensure to disable RHUI in cdn package

The redhat-cloud-client-configuration-cdn binary package will ensure that the system does not get content via RHUI by default, in case it is installed, as that is what the automatic registration of subscription-manager will provide. Because of that: - create /var/lib/rhui/disable-rhui on installation (removing it on removal) to tell RHUI to not enable any repository; this happens during the upgrade of the RHUI packages - create a boot systemd service that runs a script which tries to disable all the non-public RHUI repositories available (typically the RHEL repositories) - both the systemd service and the script should work also when RHUI is not installed - the service will run only once when /etc/rhccc-firstboot-run is available Signed-off-by: Pino Toscano <[email protected]>
RedHatInsights · Jan 7, 2025 · 66a9430 · 66a9430
1 parent 90e8707
commit 66a9430
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 0 deletions.
diff --git a/80-rhccc-disable-rhui-repos.preset b/80-rhccc-disable-rhui-repos.preset
@@ -0,0 +1 @@
+enable rhccc-disable-rhui-repos.service
diff --git a/redhat-cloud-client-configuration.spec b/redhat-cloud-client-configuration.spec
@@ -22,6 +22,9 @@ Source9: rhcd-stop.service.in
 Source10: 80-rhcd-register.preset
 Source11: insights-register-cgroupv1.service.in
 Source12: insights-register.path.in
+Source13: rhccc-disable-rhui-repos.py
+Source14: rhccc-disable-rhui-repos.service.in
+Source15: 80-rhccc-disable-rhui-repos.preset
 
 BuildArch:      noarch
 
@@ -71,6 +74,7 @@ sed -e 's|@sysconfdir@|%{_sysconfdir}|g' %{SOURCE2} > insights-unregister.path
 sed -e 's|@sysconfdir@|%{_sysconfdir}|g' -e 's|@bindir@|%{_bindir}|g' %{SOURCE3} > insights-unregister.service
 sed -e 's|@sysconfdir@|%{_sysconfdir}|g' %{SOURCE5} > insights-unregistered.path
 sed -e 's|@sysconfdir@|%{_sysconfdir}|g' %{SOURCE6} > insights-unregistered.service
+sed -e 's|@libexecdir@|%{_libexecdir}|g' %{SOURCE14} > rhccc-disable-rhui-repos.service
 
 %if 0%{?rhel} >= 8 || 0%{?fedora}
 # rhcd
@@ -88,9 +92,14 @@ install -m644 insights-unregister.path    %{buildroot}%{_unitdir}/
 install -m644 insights-unregister.service %{buildroot}%{_unitdir}/
 install -m644 insights-unregistered.path %{buildroot}%{_unitdir}/
 install -m644 insights-unregistered.service %{buildroot}%{_unitdir}/
+install -m644 rhccc-disable-rhui-repos.service %{buildroot}%{_unitdir}/
 install -d %{buildroot}%{_presetdir}
 install -m644 %{SOURCE4} -t %{buildroot}%{_presetdir}/
 
+install -d %{buildroot}%{_libexecdir}
+install %{SOURCE13} %{buildroot}%{_libexecdir}
+install -m644 %{SOURCE15} -t %{buildroot}%{_presetdir}/
+
 %if 0%{?rhel} >= 8 || 0%{?fedora}
 # rhcd
 install -D -m644 rhcd.path %{buildroot}%{_unitdir}/
@@ -232,6 +241,7 @@ fi
 %systemd_post insights-register.path
 %systemd_post insights-unregister.path
 %systemd_post insights-unregistered.path
+%systemd_post rhccc-disable-rhui-repos.service
 #rhcd
 %if 0%{?rhel} >= 8 || 0%{?fedora}
 %systemd_post rhcd.path
@@ -240,6 +250,10 @@ fi
 
 # Make sure that rhsmcertd.service is enabled and running
 %systemd_post rhsmcertd.service
+# Tell RHUI to disable itself, if possible: at this point RHUI might
+# not be installed yet, so this will fail in that case;
+# the firstboot script will disable RHUI again anyway
+touch /var/lib/rhui/disable-rhui || :
 # Run following block only during installation (not during update)
 if [ $1 -eq 1 ]; then
     # Try to get current value of auto-registration in rhsm.conf
@@ -279,6 +293,7 @@ fi
 %systemd_preun insights-register.path
 %systemd_preun insights-unregister.path
 %systemd_preun insights-unregistered.path
+%systemd_preun rhccc-disable-rhui-repos.service
 
 %if 0%{?rhel} >= 8 || 0%{?fedora}
 %systemd_preun rhcd.path
@@ -289,12 +304,14 @@ fi
 %systemd_postun insights-register.path
 %systemd_postun insights-unregister.path
 %systemd_postun insights-unregistered.path
+%systemd_postun rhccc-disable-rhui-repos.service
 
 %if 0%{?rhel} >= 8 || 0%{?fedora}
 %systemd_postun rhcd.path
 %systemd_postun rhcd-stop.path
 %endif
 
+rm -f /var/lib/rhui/disable-rhui
 
 if [ $1 -eq 0 ]; then
     if [ -f /etc/rhsm/rhsm.conf.cloud_save ]; then
@@ -321,14 +338,17 @@ fi
 
 
 %files cdn
+%{_libexecdir}/rhccc-disable-rhui-repos.py
 %{_presetdir}/80-insights-register.preset
+%{_presetdir}/80-rhccc-disable-rhui-repos.preset
 %{_presetdir}/80-rhcd-register.preset
 %{_unitdir}/insights-register.path
 %{_unitdir}/insights-register.service
 %{_unitdir}/insights-unregister.path
 %{_unitdir}/insights-unregister.service
 %{_unitdir}/insights-unregistered.path
 %{_unitdir}/insights-unregistered.service
+%{_unitdir}/rhccc-disable-rhui-repos.service
 %{_unitdir}/rhcd-stop.path
 %{_unitdir}/rhcd-stop.service
 %{_unitdir}/rhcd.path

diff --git a/rhccc-disable-rhui-repos.py b/rhccc-disable-rhui-repos.py
@@ -0,0 +1,42 @@
+#!/usr/bin/python3
+
+import configparser
+import pathlib
+import sys
+
+
+def process_repo(p):
+    config = configparser.ConfigParser(interpolation=None)
+    try:
+        with p.open() as f:
+            config.read_file(f, str(p))
+        changed = 0
+        for section in config.sections():
+            try:
+                url = config.get(section, "mirrorlist", fallback=None) or config.get(
+                    section, "baseurl"
+                )
+                if "/rhui/" in url and config.getboolean(
+                    section, "enabled", fallback=True
+                ):
+                    config.set(section, "enabled", "0")
+                    changed += 1
+            except configparser.NoOptionError as e:
+                print(f"Warning when processing {p}: {e}", file=sys.stderr)
+        if changed > 0:
+            with p.open("w") as f:
+                config.write(f, space_around_delimiters=False)
+            print(f"Disabled {changed} repositories in {p}")
+    except Exception as e:
+        print(f"Error when processing {p}: {e}", file=sys.stderr)
+
+
+if __name__ == "__main__":
+    for arg in sys.argv[1:]:
+        p = pathlib.Path(arg)
+        if p.is_file():
+            process_repo(p)
+        elif p.is_dir():
+            for child in p.iterdir():
+                if child.suffix == ".repo":
+                    process_repo(child)
diff --git a/rhccc-disable-rhui-repos.service.in b/rhccc-disable-rhui-repos.service.in
@@ -0,0 +1,14 @@
+[Unit]
+Description=Run disable-rhui-repos on first boot
+ConditionPathExists=/etc/rhccc-firstboot-run
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/rm /etc/rhccc-firstboot-run
+ExecStart=-/usr/bin/touch /var/lib/rhui/disable-rhui
+ExecStart=@libexecdir@/rhccc-disable-rhui-repos.py /etc/yum.repos.d/
+
+[Install]
+WantedBy=multi-user.target