From da9dfd9aca9fa378670ff03aaba11c80c6a89ce7 Mon Sep 17 00:00:00 2001
From: Pino Toscano
Date: Tue, 5 Nov 2024 11:33:06 +0100
Subject: [PATCH] feat: ensure to disable RHUI in cdn package The redhat-cloud-client-configuration-cdn binary package will ensure that the system does not get content via RHUI by default, in case it is installed, as that is what the automatic registration of subscription-manager will provide. Because of that: - create /var/lib/rhui/disable-rhui on installation (removing it on removal) to tell RHUI to not enable any repository; this happens during the upgrade of the RHUI packages - create a boot systemd service that runs a script which tries to disable all the non-public RHUI repositories available (typically the RHEL repositories) - both the systemd service and the script should work also when RHUI is not installed - the service will run only once when /etc/rhccc-firstboot-run is available
Signed-off-by: Pino Toscano
---
 80-rhccc-disable-rhui-repos.preset | 1 +
 redhat-cloud-client-configuration.spec | 20 ++++++++++++
 rhccc-disable-rhui-repos.py | 42 ++++++++++++++++++++++++++
 rhccc-disable-rhui-repos.service.in | 14 +++++++++
 4 files changed, 77 insertions(+)
 create mode 100644 80-rhccc-disable-rhui-repos.preset
 create mode 100755 rhccc-disable-rhui-repos.py
 create mode 100644 rhccc-disable-rhui-repos.service.in
diff --git a/80-rhccc-disable-rhui-repos.preset b/80-rhccc-disable-rhui-repos.preset
new file mode 100644
index 0000000..d2d02ec
--- /dev/null
+++ b/80-rhccc-disable-rhui-repos.preset
@@ -0,0 +1 @@
+enable rhccc-disable-rhui-repos.service
diff --git a/redhat-cloud-client-configuration.spec b/redhat-cloud-client-configuration.spec
index a12bd00..c4e20b1 100644
--- a/redhat-cloud-client-configuration.spec
+++ b/redhat-cloud-client-configuration.spec
@@ -22,6 +22,9 @@ Source9: rhcd-stop.service.in
 Source10: 80-rhcd-register.preset
 Source11: insights-register-cgroupv1.service.in
 Source12: insights-register.path.in
+Source13: rhccc-disable-rhui-repos.py
+Source14: rhccc-disable-rhui-repos.service.in
+Source15: 80-rhccc-disable-rhui-repos.preset
 BuildArch: noarch
@@ -71,6 +74,7 @@ sed -e 's|@sysconfdir@|%{_sysconfdir}|g' %{SOURCE2} > insights-unregister.path
 sed -e 's|@sysconfdir@|%{_sysconfdir}|g' -e 's|@bindir@|%{_bindir}|g' %{SOURCE3} > insights-unregister.service
 sed -e 's|@sysconfdir@|%{_sysconfdir}|g' %{SOURCE5} > insights-unregistered.path
 sed -e 's|@sysconfdir@|%{_sysconfdir}|g' %{SOURCE6} > insights-unregistered.service
+sed -e 's|@libexecdir@|%{_libexecdir}|g' %{SOURCE14} > rhccc-disable-rhui-repos.service
 %if 0%{?rhel} >= 8 || 0%{?fedora}
 # rhcd
@@ -88,9 +92,14 @@ install -m644 insights-unregister.path %{buildroot}%{_unitdir}/
 install -m644 insights-unregister.service %{buildroot}%{_unitdir}/
 install -m644 insights-unregistered.path %{buildroot}%{_unitdir}/
 install -m644 insights-unregistered.service %{buildroot}%{_unitdir}/
+install -m644 rhccc-disable-rhui-repos.service %{buildroot}%{_unitdir}/
 install -d %{buildroot}%{_presetdir}
 install -m644 %{SOURCE4} -t %{buildroot}%{_presetdir}/
+install -d %{buildroot}%{_libexecdir}
+install %{SOURCE13} %{buildroot}%{_libexecdir}
+install -m644 %{SOURCE15} -t %{buildroot}%{_presetdir}/
+
 %if 0%{?rhel} >= 8 || 0%{?fedora}
 # rhcd
 install -D -m644 rhcd.path %{buildroot}%{_unitdir}/
@@ -236,6 +245,7 @@ fi
 %systemd_post insights-register.path
 %systemd_post insights-unregister.path
 %systemd_post insights-unregistered.path
+%systemd_post rhccc-disable-rhui-repos.service
 #rhcd
 %if 0%{?rhel} >= 8 || 0%{?fedora}
 %systemd_post rhcd.path
@@ -244,6 +254,10 @@ fi
 # Make sure that rhsmcertd.service is enabled and running
 %systemd_post rhsmcertd.service
+# Tell RHUI to disable itself, if possible: at this point RHUI might
+# not be installed yet, so this will fail in that case;
+# the firstboot script will disable RHUI again anyway
+touch /var/lib/rhui/disable-rhui || :
 # Run following block only during installation (not during update)
 if [ $1 -eq 1 ]; then
 # Try to get current value of auto-registration in rhsm.conf
@@ -283,6 +297,7 @@ fi
 %systemd_preun insights-register.path
 %systemd_preun insights-unregister.path
 %systemd_preun insights-unregistered.path
+%systemd_preun rhccc-disable-rhui-repos.service
 %if 0%{?rhel} >= 8 || 0%{?fedora}
 %systemd_preun rhcd.path
@@ -293,12 +308,14 @@ fi
 %systemd_postun insights-register.path
 %systemd_postun insights-unregister.path
 %systemd_postun insights-unregistered.path
+%systemd_postun rhccc-disable-rhui-repos.service
 %if 0%{?rhel} >= 8 || 0%{?fedora}
 %systemd_postun rhcd.path
 %systemd_postun rhcd-stop.path
 %endif
+rm -f /var/lib/rhui/disable-rhui
 if [ $1 -eq 0 ]; then
 if [ -f /etc/rhsm/rhsm.conf.cloud_save ]; then
@@ -325,7 +342,9 @@ fi
 %files cdn
+%{_libexecdir}/rhccc-disable-rhui-repos.py
 %{_presetdir}/80-insights-register.preset
+%{_presetdir}/80-rhccc-disable-rhui-repos.preset
 %if 0%{?rhel} >= 8 || 0%{?fedora}
 %{_presetdir}/80-rhcd-register.preset
 %endif
@@ -335,6 +354,7 @@ fi
 %{_unitdir}/insights-unregister.service
 %{_unitdir}/insights-unregistered.path
 %{_unitdir}/insights-unregistered.service
+%{_unitdir}/rhccc-disable-rhui-repos.service
 %if 0%{?rhel} >= 8 || 0%{?fedora}
 %{_unitdir}/rhcd-stop.path
 %{_unitdir}/rhcd-stop.service
diff --git a/rhccc-disable-rhui-repos.py b/rhccc-disable-rhui-repos.py
new file mode 100755
index 0000000..6dc47d3
--- /dev/null
+++ b/rhccc-disable-rhui-repos.py
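Review bot: The `rm -f /var/lib/rhui/disable-rhui` added in the `-293,12 +308,14` hunk sits above the `if [ $1 -eq 0 ]; then` guard, so in what appears to be the `%postun` scriptlet it runs on package upgrade as well as on removal. RPM runs the outgoing version's `%postun` after the incoming version's `%post`, so on an upgrade between two versions carrying this change the marker that `%post` has just touched is deleted again, and the first-boot unit will not recreate it once /etc/rhccc-firstboot-run has been consumed. Moving the `rm -f` inside the existing `if [ $1 -eq 0 ]; then` block (which continues outside the hunk) limits it to removal, as the commit message describes. In the `-244,6 +254,10` hunk, `touch /var/lib/rhui/disable-rhui || :` will still print an error when /var/lib/rhui is absent; `touch /var/lib/rhui/disable-rhui 2>/dev/null || :` keeps the transaction output clean.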
@@ -0,0 +1,42 @@
+#!/usr/bin/python3
+
+import configparser
+import pathlib
+import sys
+
+
+def process_repo(p):
+ config = configparser.ConfigParser(interpolation=None)
+ try:
+ with p.open() as f:
+ config.read_file(f, str(p))
+ changed = 0
+ for section in config.sections():
+ try:
+ url = config.get(section, "mirrorlist", fallback=None) or config.get(
+ section, "baseurl"
+ )
+ if "/rhui/" in url and config.getboolean(
+ section, "enabled", fallback=True
+ ):
+ config.set(section, "enabled", "0")
+ changed += 1
+ except configparser.NoOptionError as e:
+ print(f"Warning when processing {p}: {e}", file=sys.stderr)
+ if changed > 0:
+ with p.open("w") as f:
+ config.write(f, space_around_delimiters=False)
+ print(f"Disabled {changed} repositories in {p}")
+ except Exception as e:
+ print(f"Error when processing {p}: {e}", file=sys.stderr)
+
+
+if __name__ == "__main__":
+ for arg in sys.argv[1:]:
+ p = pathlib.Path(arg)
+ if p.is_file():
+ process_repo(p)
+ elif p.is_dir():
+ for child in p.iterdir():
+ if child.suffix == ".repo":
+ process_repo(child)
diff --git a/rhccc-disable-rhui-repos.service.in b/rhccc-disable-rhui-repos.service.in
new file mode 100644
index 0000000..ac0e16e
--- /dev/null
+++ b/rhccc-disable-rhui-repos.service.in
@@ -0,0 +1,14 @@
+[Unit]
+Description=Run disable-rhui-repos on first boot
+ConditionPathExists=/etc/rhccc-firstboot-run
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/rm /etc/rhccc-firstboot-run
+ExecStart=-/usr/bin/touch /var/lib/rhui/disable-rhui
+ExecStart=@libexecdir@/rhccc-disable-rhui-repos.py /etc/yum.repos.d/
+
+[Install]
+WantedBy=multi-user.target
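Review bot: In rhccc-disable-rhui-repos.py, `process_repo` reports every failure only on stderr and the script always exits 0, so a .repo file that cannot be parsed or rewritten keeps its RHUI repositories enabled while the first-boot unit still shows success. The inner handler catches only `configparser.NoOptionError`; a `ValueError` from `getboolean` on an unexpected `enabled` value lands in the outer `except Exception` and skips the remaining sections of that file too, which `except (configparser.NoOptionError, ValueError) as e:` would avoid. Returning a status from `process_repo` and exiting non-zero when any file failed makes the outcome visible in the unit state. Separately, `p.open("w")` truncates the repo file in place, so an interrupted write can leave it empty; writing to a temporary file in the same directory and renaming it over the original would avoid that.

```python
    # … unchanged: process_repo body up to the outer handler …
    except Exception as e:
        print(f"Error when processing {p}: {e}", file=sys.stderr)
        return False
    return True


if __name__ == "__main__":
    results = []
    for arg in sys.argv[1:]:
        # … unchanged: p = pathlib.Path(arg) …
        if p.is_file():
            results.append(process_repo(p))
        elif p.is_dir():
            results.extend(
                process_repo(child)
                for child in p.iterdir()
                if child.suffix == ".repo"
            )
    sys.exit(0 if all(results) else 1)
```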
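Review bot: In rhccc-disable-rhui-repos.service.in the first `ExecStart=` removes /etc/rhccc-firstboot-run before the script has run, so if a later step fails or the boot is interrupted the work is never retried, because `ConditionPathExists=/etc/rhccc-firstboot-run` is false on every later boot. If run-once-even-on-failure is the intent, a comment in the unit such as `# Flag is removed first on purpose: never retry, even if the script fails` would record that; otherwise make the `rm` the last `ExecStart=` line. The unit also pulls in and orders itself after network-online.target although the script only edits local files under /etc/yum.repos.d/, which looks unnecessary and can delay the unit on hosts where the network is slow to come up.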