768953 - auditd rpm puppet errors

Status: RESOLVED FIXED

(Cloud Services :: Operations: Miscellaneous, task)

Description

[Gene Wood [:gene]]

When doing puppet runs in stage the following errors are being generated (see below)

(10:06:10 AM) atoll: we have to rpm wipe all auditd in all sites
(10:06:25 AM) atoll: it's a giant pain b/c infra's audit puppet module is catastrophically wrong
(10:06:37 AM) atoll: and i missed fixing all of it on my last pass
(10:06:52 AM) atoll: it's fixed in puppet *now*, but we have to remove "rpm -qa | grep ^audit | grep 2.2"
(10:07:06 AM) atoll: and then puppet will (hopefully) install the correct 2.1-x stuff and stop whining


err: /Stage[main]/Audit/Package[audit-libs]/ensure: change from absent to 2.1.3-3.el6.moz8 failed: Could not update: Could not find package audit-libs at /etc/puppet/modules/audit/manifests/init.pp:16
err: /Stage[main]/Audit/Package[audispd-plugins]/ensure: change from 2.2-2.el6 to 2.1.3-3.el6.moz8 failed: Could not update: Execution of '/usr/bin/yum -d 0 -e 0 -y downgrade audispd-plugins-2.1.3-3.el6.moz8' returned 1: Please report this error in https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%206&component=yum
ERROR with rpm_check_debug vs depsolve:
audit conflicts with audit-mozilla-2.1.3-3.el6.moz8.x86_64
 You could try running: rpm -Va --nofiles --nodigest
Your transaction was saved, rerun it with: yum load-transaction /tmp/yum_save_tx-2012-06-27-10-12xDod95.yumtx
 at /etc/puppet/modules/audit/manifests/init.pp:16
err: /Stage[main]/Audit/Package[audit]/ensure: change from 2.2-2.el6 to 2.1.3-3.el6.moz8 failed: Could not update: Execution of '/usr/bin/yum -d 0 -e 0 -y downgrade audit-2.1.3-3.el6.moz8' returned 1: Error: Package: audispd-plugins-2.2-2.el6.x86_64 (@rhel-base)
           Requires: audit = 2.2-2.el6
           Removing: audit-2.2-2.el6.x86_64 (@rhel-base)
               audit = 2.2-2.el6
           Downgraded By: audit-2.1.3-3.el6.moz8.x86_64 (mozilla)
               audit = 2.1.3-3.el6.moz8
           Available: audit-2.1.3-3.el6.moz1.x86_64 (mozilla)
               audit = 2.1.3-3.el6.moz1
           Available: audit-2.1.3-3.el6.moz2.x86_64 (mozilla)
               audit = 2.1.3-3.el6.moz2
           Available: audit-2.1.3-3.el6.moz4.x86_64 (mozilla)
               audit = 2.1.3-3.el6.moz4
           Available: audit-2.1.3-3.el6.moz5.x86_64 (mozilla)
               audit = 2.1.3-3.el6.moz5
           Available: audit-2.1.3-3.el6.moz6.x86_64 (mozilla)
               audit = 2.1.3-3.el6.moz6
           Available: audit-2.1.3-3.el6.moz7.x86_64 (mozilla)
               audit = 2.1.3-3.el6.moz7
           Available: audit-mozilla-2.1.3-3.el6.moz8.x86_64 (mozilla)
               audit
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
 at /etc/puppet/modules/audit/manifests/init.pp:16

Comment 1

[:Atoll]

This stems from the use of "ensure => latest" in modules/audit/ as originally inherited. We altered *some* but not *all* of the latest to a precise version number (2.1.3-3.el6.moz8), but the ones that were on latest automagically broke-updated to 2.2- when upstream redhat pushed that recently.

Our module has been fixed, though I don't know if infra has pulled the fixes yet.

To repair our servers, we'll have to (site wide, on all rhel6/sl6 servers) remove any audit-* 2.2.* that's present and then run puppet to install the correct precise version.

It might be possible to do that repair with a precise set of "rpm -e" commands in a pre-exec section in puppet or something.