Bugzilla – Bug 1221444
[Build 64.2] openQA test fails in zypper_migration - Valid metadata not found at specified URL
Last modified: 2024-06-03 17:02:11 UTC
Created attachment 873530 [details]
zypper log

## Observation

This is an online migration test; after running zypper migration, it failed with 'Valid metadata not found at specified URL'.
It seems to have failed on 'Signature verification':

###
2024-03-14 16:02:34 <5> susetest(10118) [zypp-core] Exception.cc(log):186 RepoManager.cc(refreshMetadata):1289 THROW: [SUSE_Linux_Enterprise_Server_15_SP6_x86_64:SLE-Product-SLES15-SP6-Pool|http://openqa.suse.de/assets/repo/SLE-15-SP6-Product-SLES-POOL-x86_64-Build64.2-Media1/] Valid metadata not found at specified URL
2024-03-14 16:02:34 <5> susetest(10118) [zypp-core] Exception.cc(log):186 History:
2024-03-14 16:02:34 <5> susetest(10118) [zypp-core] Exception.cc(log):186 - Signature verification failed for repomd.xml
2024-03-14 16:02:34 <5> susetest(10118) [zypp-core] Exception.cc(log):186 - Can't provide /repodata/repomd.xml
###

openQA test in scenario sle-15-SP6-Migration-from-SLE15-SPx-x86_64-migr_sles15sp3@64bit fails in
[zypper_migration](https://openqa.suse.de/tests/13785004/modules/zypper_migration/steps/7)

## Test suite description

Online migration from sles 15 sp3 with default addons via zypper migration. Origin system has system role textmode and default patterns. Additionally, lock package feature tested.

## Reproducible

Fails since (at least) Build [64.2](https://openqa.suse.de/tests/13785004) (current job)

## Expected result

Last good: [62.1](https://openqa.suse.de/tests/13713619) (or more recent)

## Further details

Always latest result in this scenario: [latest](https://openqa.suse.de/tests/latest?arch=x86_64&distri=sle&flavor=Migration-from-SLE15-SPx&machine=64bit&test=migr_sles15sp3&version=15-SP6)
Created attachment 873531 [details] autoinst log
Created attachment 873532 [details] zypper migration journal log
The same issue:
https://openqa.suse.de/tests/13784986#step/zypper_migration/8
https://openqa.suse.de/tests/13784815#step/zypper_migration/7

####
2024-03-14 16:01:43 <5> susetest(13752) [zypp-core] Exception.cc(log):186 repos.cc(build_cache):458 CAUGHT: [SUSE_Linux_Enterprise_Server_15_SP6_x86_64:SLE-Product-SLES15-SP6-Updates|http://openqa.suse.de/assets/repo/SLE-15-SP6-Product-SLES-POOL-x86_64-Build64.2-Media1/] Valid metadata not found at specified URL
2024-03-14 16:01:43 <5> susetest(13752) [zypp-core] Exception.cc(log):186 History:
2024-03-14 16:01:43 <5> susetest(13752) [zypp-core] Exception.cc(log):186 - Signature verification failed for repomd.xml
2024-03-14 16:01:43 <5> susetest(13752) [zypp-core] Exception.cc(log):186 - Can't provide /repodata/repomd.xml
###
I think the Import untrusted gpg key during yast migration is the same issue: https://openqa.suse.de/tests/13784829#step/yast2_migration/6
Repo key changed
(In reply to Radoslav Tzvetkov from comment #5)
> Repo key changed

I tried to import the GnuKey manually, it works. I filed a ticket for this: https://progress.opensuse.org/issues/157411.
(In reply to Radoslav Tzvetkov from comment #5)
> Repo key changed

Hi Rado, I have a question about this flow. In fact, we have never been asked to import the unsigned key at the beginning of zypper/yast migration. I'm not sure whether we need to update the test to accept it, or sign the package in a way so that we won't have such a popup message any more? Or any other thoughts about it? Thanks.
SLES 15 SP6 has a new signing key.

I tried to get the old products to auto import via suse-build-key updates, but if that did not happen this kind of dialog will popup.

So if SLES 15 SP3 has all updates installed (including LTSS) it should have this key imported.

If you implement the keyimport in openqa, make sure you also match the full fingerprint in the needle.
(In reply to Marcus Meissner from comment #8)
> SLES 15 SP6 has a new signing key.
>
> I tried to get the old products to auto import via suse-build-key updates,
> but if that did not happen this kind of dialog will popup.
>
> So if SLES 15 SP3 has all updates installed (including LTSS) it should have
> this key imported.
>
> If you implement the keyimport in openqa, make sure you also match the full
> fingerprint in the needle.

Hi Marcus, I used an image (autoyast-SLES-15-SP3-aarch64-GM-ltss-desktop-gnome-updated.qcow2, published in job https://openqa.suse.de/tests/13809889#) with the latest update but still have the popup shown.
https://openqa.suse.de/tests/13810084#step/yast2_migration/7
Increased Severity as too many migrations are failing.
I need to look more deeply at what failed with updates. However, I have today and tomorrow (Friday) off.

The key auto import is a bit delayed on the updates; I need to check why this did not work.
On RC1 candidate build 71.1, we still have the same issue: https://openqa.suse.de/tests/13848780#step/zypper_migration/8 https://openqa.suse.de/tests/13848777#step/yast2_migration/7
On build 71.1, we have 40+ test cases blocked by the bug, so we have lost much test coverage.
I searched some documents and got this information:

There are rare cases where this update did not refresh the RPM keyring, e.g. if you refresh all repositories all the time. In this case there was a bug in libzypp which prohibited the automatic refresh of the key.

Manually refresh the new gpg key from suse-build-key as root:

    rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-39db7c82-5f68629b.asc

I used this method for manual testing, and it works well in this case. After updating the code to debug, it works:
Refer: https://openqa.suse.de/tests/13888621#
For minimal update: after installing the base system, run 'zypper -n patch --with-interactive -l --updatestack-only'.

Before migration, import the gpg key:

    rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-*.asc

It still needs to import the gpg key during migration.
Refer job: https://openqa.suse.de/tests/13915666#step/zypper_migration/6
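
Comment #8's advice to match the full fingerprint, applied to the manual `rpm --import` step from the comments above: an added example, not code from this bug report or from SUSE. The function names are hypothetical, the sample key listings are constructed, and the pinned fingerprint is assumed to come from a trusted source outside the repository being verified.

```shell
# Added example: pin the full OpenPGP fingerprint before "rpm --import".
# Function names are hypothetical; sample listings below are constructed.

# Normalize a fingerprint: drop spaces/colons, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Read "gpg --with-colons" output on stdin; print the primary key's
# fingerprint (field 10 of the first "fpr" record).
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if the listing on stdin carries exactly the pinned fingerprint.
# A v4 fingerprint is 40 hex digits; a shorter key ID is refused (status 2).
fpr_matches() {   # usage: fpr_matches EXPECTED_FPR < colon-listing
    local want got
    want=$(normalize_fpr "$1")
    case "$want" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    got=$(normalize_fpr "$(primary_fpr)")
    [ "$got" = "$want" ]
}

# Import KEYFILE into the RPM keyring (as root) only when it matches the pin.
import_if_pinned() {   # usage: import_if_pinned KEYFILE EXPECTED_FPR
    if gpg --show-keys --with-colons "$1" 2>/dev/null | fpr_matches "$2"; then
        rpm --import "$1"
    else
        echo "refusing to import $1: fingerprint does not match pin" >&2
        return 1
    fi
}

# Constructed sample listings (not real SUSE keys): both end in the same
# 8-digit short key ID, but their full fingerprints differ.
SAMPLE_GOOD='pub:-:4096:1:89ABCDEFDEADBEEF:1600000000:::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFDEADBEEF:
uid:-::::1600000000::X::Constructed Test Key <test@example.invalid>::::::::::0:'
SAMPLE_LOOKALIKE='pub:-:4096:1:7654321FDEADBEEF:1600000000:::-:::scSC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA987654321FDEADBEEF:
uid:-::::1600000000::X::Constructed Test Key <test@example.invalid>::::::::::0:'

# Stand-alone use: script KEYFILE EXPECTED_FPR
if [ "$#" -eq 2 ]; then import_if_pinned "$1" "$2"; fi
```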