1697963 – DNF has inconsistent behaviour for kernel-core package

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1697963 - DNF has inconsistent behaviour for kernel-core package

Summary: DNF has inconsistent behaviour for kernel-core package

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	dnf
Sub Component:
Version:	---
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.0
Assignee:	Packaging Maintenance Team
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:	1698145
Blocks:
TreeView+	depends on / blocked

Reported:	2019-04-09 11:12 UTC by Andrei Stepanov
Modified:	2019-05-22 05:14 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-04-09 15:14:56 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Comment 1 Andrei Stepanov 2019-04-09 11:25:40 UTC

Okay, it seems because of hidden logic:

/usr/lib64/python3.6/site-packages/libdnf/conf.py:    def autocheck_running_kernel(self):

Could you please help me ? How can I check that package can be clearly removed without actual removing it?

Comment 2 Andrei Stepanov 2019-04-09 11:34:02 UTC

# dnf remove --setopt=autocheck_running_kernel=no --allowerasing kernel-core-4.18.0-80.el8.x86_64
Doesn't help.

Comment 3 Andrei Stepanov 2019-04-09 12:50:19 UTC

# dnf --assumeno remove kernel-core-4.18.0-80.5.el8.x86_64
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repository beaker-client-testing is listed more than once in the configuration
Error:
 Problem: The operation would result in removing the following protected packages: kernel-core
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
# echo $?
1



# dnf --assumeno remove bc
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repository beaker-client-testing is listed more than once in the configuration
Dependencies resolved.
=============================================================================================================================================================================================================
 Package                                      Arch                                             Version                                                 Repository                                       Size
=============================================================================================================================================================================================================
Removing:
 bc                                           x86_64                                           1.07.1-5.el8                                            @rhel                                           234 k
 
Transaction Summary
=============================================================================================================================================================================================================
Remove  1 Package
 
Freed space: 234 k
Operation aborted.
# echo $?
1

Comment 4 Andrei Stepanov 2019-04-09 12:56:38 UTC

It seems a solution can be:

# dnf --assumeyes --setopt tsflags=test remove kernel-core-4.18.0-80.5.el8.x86_64

Comment 5 Jaroslav Mracek 2019-04-09 15:14:56 UTC

The protection of a running kernel is a feature of DNF and it is more than recommended to not perform such an action. If you know what you do you can  always run "rpm -e kernel-core". In general users of DNF expects a certain level of security that includes protecting of a running kernel. Please don't hesitate to reopen the bug if you thing that approach with rpm is not suitable for your user case. Then please explain your story in details and why it is essential to implement disablement of basic mechanisms of protection of system integrity and stability.

Comment 6 Eugene Syromiatnikov 2019-04-09 15:45:01 UTC

(In reply to Jaroslav Mracek from comment #5)
> The protection of a running kernel is a feature of DNF and it is more than recommended to not perform such an action.

Protection of kernel image itself is close to meaningless, the only meaningful protection is protection of kernel modules (as they may be loaded on demand at any time and their absence may lead to severe issues), and DNF doesn't provide that.

Moreover, the protection is meaningless if the action is requested within a mount namespace.

Note You need to log in before you can comment on or make changes to this bug.