centos-infra

#1177 buildlogs.centos.org serving different packages
Closed: Fixed with Explanation by arrfab. Opened by smooge.

Closed: Fixed with Explanation
Reopen Issue

CentOS Automotive noticed that the CI and other components were having problems with unsigned packages coming from some requests to buildlogs.centos.org. With some detective work by the toolchain team it was narrowed down to the fact that requests answered by .nyc.cdn77.com servers would give unsigned packages but .fra.cdn77.com

Steps used to duplicate.
1. determine ip addresses for end nodes

ssmoogen@ssmoogen-rh:~$ host 195.181.170.19
19.170.181.195.in-addr.arpa domain name pointer 610407756.fra.cdn77.com.
ssmoogen@ssmoogen-rh:~$ host 156.146.36.23
23.36.146.156.in-addr.arpa domain name pointer 137173278.nyc.cdn77.com.
  1. use curl to fake out and use a node outside of your 'region'
$ curl -v --resolve 'buildlogs.cdn.centos.org:80:195.181.170.19' --location --output x0.rpm 'http://buildlogs.centos.org/9-stream/automotive/x86_64/packages-main/Packages/o/osbuildtest-ostree-compliance-mode-0.1-1.el9iv.noarch.rpm'
$ curl -v --resolve 'buildlogs.cdn.centos.org:80:156.146.36.23' --location --output x1.rpm 'http://buildlogs.centos.org/9-stream/automotive/x86_64/packages-main/Packages/o/osbuildtest-ostree-compliance-mode-0.1-1.el9iv.noarch.rpm'
  1. check the rpm signatures
$ rpm -qip x0.rpm
Name        : osbuildtest-ostree-compliance-mode
Version     : 0.1
Release     : 1.el9iv
Architecture: noarch
Install Date: (not installed)
Group       : Unspecified
Size        : 2331
License     : GPLv2
Signature   : RSA/SHA256, Mon 29 May 2023 16:10:28 EDT, Key ID 4b411a9068e964ca
Source RPM  : osbuildtest-ostree-compliance-mode-0.1-1.el9iv.src.rpm
Build Date  : Fri 31 Mar 2023 04:54:41 EDT
Build Host  : x86-04.bsys.centos.org
Packager    : CBS <cbs@centos.org>
Vendor      : CentOS Community Build Service
Summary     : Populates the ostree-compliance-mode.conf file with the checksum for the current booted deployment.
Description :
Populates the ostree-compliance-mode.conf file with the checksum for the current booted deployment.
This is required by the ostree-compliance-mode rpm which allows the system to move to a modifiable state,
in compliance with GPLv3
$  rpm -qip x1.rpm                                                                                                                                               
Name        : osbuildtest-ostree-compliance-mode                                                                                                                                              
Version     : 0.1                                                                              
Release     : 1.el9iv       
Architecture: noarch          
Install Date: (not installed)                                                                  
Group       : Unspecified                                                                                                                                                                     
Size        : 2331                                                                             
License     : GPLv2                                                                                                                                                                           
Signature   : (none)                                                                           
Source RPM  : osbuildtest-ostree-compliance-mode-0.1-1.el9iv.src.rpm                       
Build Date  : Fri 31 Mar 2023 04:54:41 EDT                                                     
Build Host  : x86-04.bsys.centos.org                                                           
Packager    : CBS <cbs@centos.org>                                                             
Vendor      : CentOS Community Build Service
Summary     : Populates the ostree-compliance-mode.conf file with the checksum for the current booted deployment.
Description :                                                                                  
Populates the ostree-compliance-mode.conf file with the checksum for the current booted deployment.
This is required by the ostree-compliance-mode rpm which allows the system to move to a modifiable state,
in compliance with GPLv3

Fabian said to open a ticket to track this

Metadata Update from @arrfab:
- Issue assigned to arrfab

Metadata Update from @arrfab:
- Issue tagged with: cbs, centos-build-pipeline, high-gain, medium-trouble

When we enabled signing for all -testing tags, we processed again all these tags, to ensure that signed packages (and so referenced in repodata) would be going out.
As buildlogs.centos.org is also backed by CDN77, we used their API to purge all cached files at all edge locations but it seems that it wasn't done everywhere :/

We don't have a view on all their infra but we just reissued a purge-all api call to see if that would help (it seems that just path/filename is checked at their side and because it's same NEVR from an rpm PoV it doesn't see that as a changed/updated file)

Michael Ho (in a different communication channel) said that it seems to have fixed it .
If that's the case, can you confirm so that we can close this ticket ?

We reused your test case and confirm that returned .rpm packages have identical checksum : 

cf997b74fe24f9a7ce2639a8a97aa07b9996bd1936d1cc9572dc2e9b3a4d11d4  x0.rpm
cf997b74fe24f9a7ce2639a8a97aa07b9996bd1936d1cc9572dc2e9b3a4d11d4  x1.rpm

Metadata Update from @arrfab:
- Issue priority set to: Waiting on Reporter (was: Needs Review)

I can confirm it is working as expected now.

thanks for the feedback

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)

Log in to comment on this ticket.

Metadata

cbs centos-build-pipeline high-gain medium-trouble

None
None
Highest
Powered by Pagure 1.0.0
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.