View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0018260||CentOS-7||kernel||public||2021-07-27 18:34||2021-08-04 00:48|
|Status||closed||Resolution||no change required|
|Summary||0018260: Inclusion of kernel-3.10.0-1160.36.2.el7.x86_64.rpm to remediate CVE-2021-33909 causes ISO reboot|
|Description||Inclusion of the latest kernel provided by CentOS as part of https://access.redhat.com/errata/RHSA-2021:2725 advisory on the ISO causes the installation to fail after rpms are installed via kspackages during kickstart's preinstall phase and anaconda-yum is running.|
After we see the following message on console, the system reboots:
Performing post-installation tasks
Further digging into /tmp/program.log and /tmp/anaconda.log reveals that anaconda-yum python tool fails with the following message:
PackageSackError: Rpmdb checksum is invalid: dCDPT(pkg checksums): grubby.x86_64: 0:8.28-26.el7
|Additional Information||This issue does not happen with any of the previous kernels during fresh installation.|
This is also not seen if an existing centos 7.9 system is being upgraded using this kernel rpm.
Only the kernel rpm has been included from the list of rpms released by CentOS to fix the security vulnerability from CVE-2021-33909.
|Tags||centos7, kernel, Linux, security-vulnerability|
|That error rhymes a lot with a corrupted rpm. Are you sure that the file is OK?|
Thanks for your response @ManuelWolfshant.
I have checked the PGP signatures and md5sums for grubby and kernel rpm packages included on our ISO and the ones from the two different CentOS mirrors. They match. So it feels unlikely that the rpm is corrupted, especially since we have been using the same grubby rpm in our previous ISO builds successfully.
In addition, the above error only happens when the kernel rpm is updated to kernel-3.10.0-1160.36.2.el7.x86_64.rpm. The previous two kernels kernel-3.10.0-1160.31.1.el7.x86_64.rpm and kernel-3.10.0-1160.25.1.el7.x86_64.rpm included along with the same grubby rpm (grubby-8.28-26.el7.x86_64.rpm), do not cause such failure in anaconda (version 184.108.40.206-1).
|Wait. You're respinning the isos with a newer kernel? Don't do that. Add a new repo in your kickstart file with just the kernel packages in it. Leave the iso alone. Modifying it renders the entire thing unsupported.|
|Hi @TrevorH. We aren't respinning ISOs by just replacing the kernel (or any other) rpm. We are creating a repo using the corresponding comps.xml and other essential steps in the process. This ISO build approach has worked for as long as I can recall, so I'm curious to know why the inclusion of this specific patched kernel alone runs into this error.|
I am afraid we cannot really help you. We only support what we ship and specifically do not support either cherry picking updates or respinning ISOs.
You could try to raise the problem with Red Hat via bugzilla.redhat.com but I am very much afraid you will receive the same answer.
Normally I'd close the ticket at this point but I find the issue intriguing and I will leave it open in case someone has useful ideas. I for one still believe you have a damaged rpm in there.
Thanks for the help. It appears the problem disappeared when we updated a bunch of other rpms, so we're able to proceed for now & could close this ticket. It does not look like grubby rpm was at fault here, but would have definitely liked to understand the root cause of where the corruption could have happened or if there was some unfulfilled dependency that misled to this error.
For reference, here is the list of new rpms updated along with kernel which resolved the issue:
|2021-07-27 18:34||swagh||New Issue|
|2021-07-27 18:34||swagh||Tag Attached: centos7|
|2021-07-27 18:34||swagh||Tag Attached: kernel|
|2021-07-27 18:34||swagh||Tag Attached: Linux|
|2021-07-27 18:34||swagh||Tag Attached: security-vulnerability|
|2021-07-27 18:34||swagh||File Added: Screen Shot 2021-07-23 at 11.15.54 AM.png|
|2021-08-02 12:03||ManuelWolfshant||Note Added: 0038556|
|2021-08-02 16:46||swagh||Note Added: 0038557|
|2021-08-02 16:48||TrevorH||Note Added: 0038558|
|2021-08-02 17:07||swagh||Note Added: 0038559|
|2021-08-03 08:09||ManuelWolfshant||Note Added: 0038563|
|2021-08-03 08:10||ManuelWolfshant||Note Edited: 0038563|
|2021-08-04 00:43||swagh||Note Added: 0038567|
|2021-08-04 00:48||ManuelWolfshant||Status||new => closed|
|2021-08-04 00:48||ManuelWolfshant||Resolution||open => no change required|