View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0006998Rocky-Linux-9python39public2024-06-03 19:472024-06-04 05:03
Reporterrichard hornsby Assigned To 
PrioritynormalSeveritymajorReproducibilityalways
Status newResolutionopen 
Platformplatform:el9OSRocky .94OS Version9.4
Summary0006998: appstream python3-botocore pkg conflict with @System and epel
DescriptionRocky 9.4, fairly vanilla build with epel repo added during kickstart. We also install python3-boto3 package during kickstart. Been humming along well for quite a long while.

Found today that `yum update` is failing on live boxes because it says that the appstream repo has a conflict with the python3-botocore package in @System and epel:

```
Last metadata expiration check: 0:15:56 ago on Mon 03 Jun 2024 06:47:13 PM UTC.
Error:
 Problem: package python3-boto3-1.22.10-1.el9.noarch from @System requires (python3.9dist(botocore) < 1.26 with python3.9dist(botocore) >= 1.25.10), but none of the providers can be installed
  - cannot install both python3-botocore-1.31.62-1.el9.noarch from appstream and python3-botocore-1.25.10-1.el9.noarch from @System
  - cannot install both python3-botocore-1.31.62-1.el9.noarch from appstream and python3-botocore-1.25.10-1.el9.noarch from epel
  - cannot install the best update candidate for package python3-botocore-1.25.10-1.el9.noarch
  - cannot install the best update candidate for package python3-boto3-1.22.10-1.el9.noarch
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
```

I'm honestly not sure which repo is correct. We don't have any particular reason to use one version of botocore over the other, but it looks like appstream is causing the problem. @System and epel agree on the versions, appstream does not?

appstream has 317 installed packages on our vanilla box, so it doesn't seem like disabling that repo would work or help.

Is EPEL disfavored? It looks like we're grabbing just a few things from it - `python3-boto3, python3-botocore, python3-s3transfer` and `dkms` that we use to build the AWS ENA driver. I don't see dkms in appstream so we can't abandon EPEL entirely.

While the issue appears once the box is live/production, have attached the kickstart file we use to build the image if it matters at all.

`--allowerasing` has no effect
`--nobest` skips the botocore packages and upgrades everything else, but things are still otherwise broken without this flag.
Steps To Reproduce* Build minimal box with repos for minimal, baseos, appstream, extras, and epel.
* Install python3-boto3 during kickstart (? not sure how much this matters to the issue)
* Try to `yum update` a box
TagsNo tags attached.

Activities

richard hornsby

richard hornsby

2024-06-03 19:50

reporter   ~0007329

Sorry, not seeing how I can edit my report. OS field should say "Rocky 9.4", and wasn't sure of the correct "Category" selection.
richard hornsby

richard hornsby

2024-06-03 21:35

reporter   ~0007331

Attaching renamed KS config file. ".cfg" files are not allowed.
ami-rocky-9.ks.txt (4,511 bytes)    
%pre

ARCH=$(uname -p)

KS_REPO_LIST=/tmp/ks-repo-list.cfg
touch $KS_REPO_LIST

release_ver=$(awk -F= '/^VERSION_ID=/ {print $2}' /etc/os-release | tr -d \") # ie "7.3"
major_ver=$(echo "$release_ver" | awk -F. '{print $1}') # "7"

os_id=$(awk -F= '/^ID=/ {print $2}' /etc/os-release | tr -d \")

# @arg name
# @arg url
# @arg type (optional, defaults to 'mirrorlist')
function add_repo() {
  if [ -n "$3" ]; then repo_type=$3; else repo_type="mirrorlist"; fi
  echo "repo --name=$1 --${repo_type}=$2" >> $KS_REPO_LIST
}

add_repo minimal    "file:///run/install/sources/mount-0000-cdrom/minimal" baseurl
add_repo baseos     "http://download.rockylinux.org/pub/rocky/${release_ver}/BaseOS/$ARCH/os" baseurl
add_repo appstream  "http://download.rockylinux.org/pub/rocky/${release_ver}/AppStream/$ARCH/os" baseurl
add_repo extras     "http://download.rockylinux.org/pub/rocky/${release_ver}/extras/$ARCH/os" baseurl
add_repo epel       "https://mirrors.fedoraproject.org/metalink?repo=epel-$major_ver&arch=\$basearch" metalink

%end

%include /tmp/ks-repo-list.cfg

text

# install
cdrom
lang en_US.UTF-8
keyboard us
network --bootproto=dhcp
rootpw vagrant
firewall --disabled
selinux --permissive
timezone UTC
bootloader --location=mbr
text
skipx

zerombr
clearpart --all --initlabel

# hardening requirements:
# os-14: Check mountpoints for noexec mount options
# os-15: Check mountpoints for nosuid mount options
# os-16: Check mountpoints for nodev mount options

part /boot --ondisk=sda --fstype="xfs"  --size=1024 --fsoptions="defaults,noexec,nosuid,nodev"
part pv.00 --ondisk=sda --size=8192 --grow
volgroup vg00 pv.00

# partition layout:
# /boot     1G
# swap      2G
# /tmp      2G
# /var      1G
# /var/log  2G
# /var/log/audit 0.5G
# /opt      3.5G
# /         min 1G, grow to fill remaining

logvol swap --vgname=vg00 --fstype="swap" --size=2048 --name=swap
logvol /tmp --vgname=vg00 --fstype="xfs"  --size=2048 --name=lv_tmp --label=tmp --fsoptions="defaults,nodev,nosuid"

# cloud-init needs exec for the scripts in /var
logvol /var             --vgname=vg00 --fstype="xfs" --size=2048 --name=lv_var      --label=var     --fsoptions="defaults,nodev,nosuid"
logvol /var/log         --vgname=vg00 --fstype="xfs" --size=1024 --name=lv_log      --label=log     --fsoptions="defaults,nodev,noexec,nosuid"
logvol /var/log/audit   --vgname=vg00 --fstype="xfs" --size=512  --name=lv_audit    --label=audit   --fsoptions="defaults,nodev,noexec,nosuid"
logvol /opt             --vgname=vg00 --fstype="xfs" --size=3588 --name=lv_opt      --label=opt     --fsoptions="defaults,nodev,nosuid"

logvol / --vgname=vg00 --fstype="xfs" --size=1024 --name=lv_root --label=root --grow


authselect minimal
firstboot --disabled
eula --agreed
services --enabled=NetworkManager,sshd --disabled=cups
user --name=vagrant --plaintext --password=vagrant --groups=wheel
reboot

%addon com_redhat_kdump --disable
%end

%packages --excludedocs
@^minimal-environment
@Development Tools
epel-release
elfutils-libelf-devel
# redhat-lsb # not available in rhel 9

python3-boto3

cloud-init

openssh-clients
sudo
net-tools
yum-utils
vim
wget
curl
rsync
tar
zsh

# chef needs this to properly inventory the box
dmidecode

# Disable graphical booting
# https://docs.centos.org/en-US/8-docs/advanced-install/assembly_kickstart-commands-and-options-reference/#bootloader-required_kickstart-commands-for-handling-storage
-plymouth*

# unnecessary firmware
-aic94xx-firmware
-atmel-firmware
-b43-openfwwf
-bfa-firmware
-ipw*-firmware
-ivtv-firmware
-iwl*-firmware
-libertas-usb8388-firmware
-ql*-firmware
-rt61pci-firmware
-rt73usb-firmware
-xorg-x11-drv-ati-firmware
-zd1211-firmware
%end

%post
yum update -y

# update root certs
curl https://curl.haxx.se/ca/cacert.pem -o /etc/pki/ca-trust/source/anchors/curl-cacert-updated.pem && update-ca-trust

# Import OS GPG key
rpm --import https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-9

# Allow wheel group (vagrant user) pasword-less sudo
sed -i \
    -e 's/^%wheel/# &/' \
    -e '/^#\s*%wheel.*NOPASSWD:\s*ALL$/s/^#\s*//' \
        /etc/sudoers

# Disable sshd DNS lookups
# https://www.vagrantup.com/docs/boxes/base.html#ssh-tweaks
sed -i '/^#\s*UseDNS no/s/^#\s*//' /etc/ssh/sshd_config

# Disable sudo tty requirement
sed -i 's/^Defaults requiretty/Defaults !requiretty/' /etc/sudoers

yum clean all

# fix the busted lvm configuration ... ?
# see https://bugzilla.redhat.com/show_bug.cgi?id=1965941
sed -i 's/# use_devicesfile = 1/use_devicesfile = 0/' /etc/lvm/lvm.conf

%end
ami-rocky-9.ks.txt (4,511 bytes)   
richard hornsby

richard hornsby

2024-06-04 05:03

reporter   ~0007333

Not sure why I didn't see this before, but appstream only has `python3-botocore`. It does not have `python3-boto3`. So if you do disable epel, you lose access to packages you need.

There's a possibility of using `yum-plugin-priorities` to give epel a higher precedence, but that seems like a hack likely to break things in the long run. The more targeted solution is adding `exclude=python3-botocore*` to the `[appstream]` repo config in /etc/yum.repos.d/rocky.repo. It's maybe less of a hack than repo priorities, but a hack nonetheless.

Issue History

Date Modified Username Field Change
2024-06-03 19:47 richard hornsby New Issue
2024-06-03 19:50 richard hornsby Note Added: 0007329
2024-06-03 21:35 richard hornsby Note Added: 0007331
2024-06-03 21:35 richard hornsby File Added: ami-rocky-9.ks.txt
2024-06-04 05:03 richard hornsby Note Added: 0007333