Bug 1221444

Summary: [Build 64.2] openQA test fails in zypper_migration - Valid metadata not found at specified URL
Product: [openSUSE] PUBLIC SUSE Linux Enterprise Server 15 SP6 Reporter: Lemon Li <leli>
Component: Media ContentAssignee: Marcus Meissner <meissner>
Status: NEW --- QA Contact: Lemon Li <leli>
Severity: Critical    
Priority: P3 - Medium CC: eugenio.paolantonio, jeriveramoya, meissner, yuwang
Version: unspecifiedFlags: jeriveramoya: needinfo? (meissner)
Target Milestone: ---   
Hardware: Other   
OS: SLES 15   
URL: https://openqa.suse.de/tests/13785004/modules/zypper_migration/steps/7
Whiteboard:
Found By: openQA Services Priority:
Business Priority: Blocker: Yes
Marketing QA Status: --- IT Deployment: ---
Attachments: zypper log
autoinst log
zypper migration journal log

Description Lemon Li 2024-03-15 02:34:29 UTC 
Created attachment 873530 [details]
zypper log

## Observation
This is online migration test, after run zypper migration, it failed for 'Valid metadata not found at specified URL'.

It seems failed for 'Signature verification':
###
2024-03-14 16:02:34 <5> susetest(10118) [zypp-core] Exception.cc(log):186 RepoManager.cc(refreshMetadata):1289 THROW:    [SUSE_Linux_Enterprise_Server_15_SP6_x86_64:SLE-Product-SLES15-SP6-Pool|http://openqa.suse.de/assets/repo/SLE-15-SP6-Product-SLES-POOL-x86_64-Build64.2-Media1/] Valid metadata not found at specified URL
2024-03-14 16:02:34 <5> susetest(10118) [zypp-core] Exception.cc(log):186 History:
2024-03-14 16:02:34 <5> susetest(10118) [zypp-core] Exception.cc(log):186  - Signature verification failed for repomd.xml
2024-03-14 16:02:34 <5> susetest(10118) [zypp-core] Exception.cc(log):186  - Can't provide /repodata/repomd.xml
###


openQA test in scenario sle-15-SP6-Migration-from-SLE15-SPx-x86_64-migr_sles15sp3@64bit fails in
[zypper_migration](https://openqa.suse.de/tests/13785004/modules/zypper_migration/steps/7)

## Test suite description
Online migration from sles 15 sp3 with default addons via zypper migration. Origin system has system role textmode and default patterns. Additionally, lock package feature tested.


## Reproducible

Fails since (at least) Build [64.2](https://openqa.suse.de/tests/13785004) (current job)


## Expected result

Last good: [62.1](https://openqa.suse.de/tests/13713619) (or more recent)


## Further details

Always latest result in this scenario: [latest](https://openqa.suse.de/tests/latest?arch=x86_64&distri=sle&flavor=Migration-from-SLE15-SPx&machine=64bit&test=migr_sles15sp3&version=15-SP6)
Comment 1 Lemon Li 2024-03-15 02:35:05 UTC 
Created attachment 873531 [details]
autoinst log
Comment 2 Lemon Li 2024-03-15 02:35:29 UTC 
Created attachment 873532 [details]
zypper migration journal log
Comment 3 Lemon Li 2024-03-15 02:36:32 UTC 
The same issue:
https://openqa.suse.de/tests/13784986#step/zypper_migration/8
https://openqa.suse.de/tests/13784815#step/zypper_migration/7
####
2024-03-14 16:01:43 <5> susetest(13752) [zypp-core] Exception.cc(log):186 repos.cc(build_cache):458 CAUGHT:   [SUSE_Linux_Enterprise_Server_15_SP6_x86_64:SLE-Product-SLES15-SP6-Updates|http://openqa.suse.de/assets/repo/SLE-15-SP6-Product-SLES-POOL-x86_64-Build64.2-Media1/] Valid metadata not found at specified URL
2024-03-14 16:01:43 <5> susetest(13752) [zypp-core] Exception.cc(log):186 History:
2024-03-14 16:01:43 <5> susetest(13752) [zypp-core] Exception.cc(log):186  - Signature verification failed for repomd.xml
2024-03-14 16:01:43 <5> susetest(13752) [zypp-core] Exception.cc(log):186  - Can't provide /repodata/repomd.xml
###
Comment 4 Lemon Li 2024-03-15 02:38:11 UTC 
I think the Import untrusted gpg key during yast migration is the same issue: https://openqa.suse.de/tests/13784829#step/yast2_migration/6
Comment 5 Radoslav Tzvetkov 2024-03-15 10:12:15 UTC 
Repo key changed
Comment 6 Lemon Li 2024-03-18 03:40:40 UTC 
(In reply to Radoslav Tzvetkov from comment #5)
> Repo key changed

I tried to import the GnuKey manually, it works. I filed a ticket for this https://progress.opensuse.org/issues/157411.
Comment 7 Lemon Li 2024-03-18 07:49:32 UTC 
(In reply to Radoslav Tzvetkov from comment #5)
> Repo key changed

Hi Rado, I have a question about this flow. In fact, we have never been asked to import the unsigned key at the beginning of zypper/yast migration, I'm not sure whether need update test to accept it or signing the package in a way so that we won't have such popup message any more? Or any other thought about it? Thanks.
Comment 8 Marcus Meissner 2024-03-18 08:19:51 UTC 
SLES 15 SP6 has a new signing key.

I tried to get the old products to auto import via suse-build-key updates, but if that did not happen this kind of dialog will popup.

So if SLES 15 SP3 has all updates installed (including LTSS) it should have this key imported.

If you implement the keyimport in openqa, make sure you also match the full fingerprint in the needle.
Comment 9 Lemon Li 2024-03-19 07:20:20 UTC 
(In reply to Marcus Meissner from comment #8)
> SLES 15 SP6 has a new signing key.
> 
> I tried to get the old products to auto import via suse-build-key updates,
> but if that did not happen this kind of dialog will popup.
> 
> So if SLES 15 SP3 has all updates installed (including LTSS) it should have
> this key imported.
> 
> If you implement the keyimport in openqa, make sure you also match the full
> fingerprint in the needle.

Hi Marcus, I used a image(autoyast-SLES-15-SP3-aarch64-GM-ltss-desktop-gnome-updated.qcow2 published in job https://openqa.suse.de/tests/13809889#) with latest update but still have the popup shown. https://openqa.suse.de/tests/13810084#step/yast2_migration/7
Comment 10 JoaquĆ­n Rivera 2024-03-19 13:33:39 UTC 
Increased Severity as too many migrations are failing.
Comment 11 Marcus Meissner 2024-03-21 08:36:44 UTC 
I need to look at this more deep what failed with updates. 

I have however today and tomorrow friday off.
 
the key auto import is a bit delayed on the updates, i need to check why this did not work.
Comment 12 Lemon Li 2024-03-26 06:26:02 UTC 
On RC1 candidate build 71.1, we still have the same issue:
https://openqa.suse.de/tests/13848780#step/zypper_migration/8
https://openqa.suse.de/tests/13848777#step/yast2_migration/7
Comment 13 Lemon Li 2024-03-26 06:34:47 UTC 
On build 71.1, we have 40+ test cases blocked by the bug, so make us lost much test coverage.
Comment 14 yutao wang 2024-03-27 09:35:53 UTC 
I searched some documents. Got the information:
There are rare cases where this update did not refresh the RPM keyring, e.g. if you refresh all repositories all the time.
In this case there was a bug in libzypp which prohibited the automatic refresh of the key. 

manually refresh the new gpg key from suse-build-key as root:

rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-39db7c82-5f68629b.asc

I use this method to manual testing, it can work well at this case.
After update code to debug, it can work:
Refer: https://openqa.suse.de/tests/13888621#
Comment 15 yutao wang 2024-04-03 02:06:30 UTC 
For minimal update. 
After install the base system, then do 'zypper -n patch --with-interactive -l --updatestack-only'
Before migration import the gpg key:
rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-*.asc

It still need import gpg key during migration.
Refer job: https://openqa.suse.de/tests/13915666#step/zypper_migration/6