
sap_general_preconfigure: Remove dependency on yum group performance (lsr/sap-preconfigure issue #172)

Open berndfinger opened this issue 3 years ago • 6 comments

Copy of https://github.com/linux-system-roles/sap-preconfigure/issues/172#issue-1079850712 (reported by https://github.com/Klaas-):

Hi, because of the log4j debacle we noticed log4j is installed on all our SAP systems because of the group install of performance (performance includes parfait, which has a dependency on log4j).

https://github.com/linux-system-roles/sap-preconfigure/blob/master/vars/RedHat_7.yml#L22

I am not seeing parfait or log4j from the OS RPMs being used by SAP on our systems so I am guessing this is just installed because SAP was too lazy to properly list their dependencies.

Source of the group install requirement: https://launchpad.support.sap.com/#/notes/2002167

Maybe you could use your Red Hat contacts to get them to drop the requirement from their notes and/or at least remove performance from this role.

Greetings Klaas

berndfinger, Jan 28 '22 13:01

Copy of https://github.com/linux-system-roles/sap-preconfigure/issues/172#issuecomment-994524010 (comment by https://github.com/Klaas-):

SAP has confirmed that parfait is not used by SAP, not sure if they'll update the SAP note any time soon though :)

berndfinger, Jan 28 '22 13:01

log4j is a dependency of various SAP software products, for example:

  • SAP HANA XS Advanced (XSA) [aka. CloudFoundry] > https://launchpad.support.sap.com/#/notes/3130698
  • SAP Netweaver Application Server Java Core Components > https://launchpad.support.sap.com/#/notes/3129883

sean-freeman, Dec 28 '22 12:12

Hi @sean-freeman, so this issue was/is not about the log4j that was packaged inside of SAP, but rather that SAP (on RHEL7) installs parfait (and, as a dependency, log4j from the RHEL repositories) via the include of the yum group @performance. So this was about removing @performance from the required packages so that there is no finding for the old log4j version.

I even got a statement from SAP that they do not use parfait or the OS log4j, but I did not get them to actually list the dependencies that they need instead of just installing everything from @performance :) I was hoping Red Hat could intervene and get them to change this, but that did not work out :)

As for the general issue for me, I am phasing out RHEL7 already, so I didn't force the issue with SAP. This is not an issue with RHEL8+, the dependencies are better selected on the SAP side, they no longer force a lot of package groups :)

Red Hat did fix it in the log4j version that parfait requires later though, https://access.redhat.com/errata/RHSA-2022:0442 , so I don't think this is something that needs fixing anymore; it just means you have way too many packages on a RHEL7 SAP system that are not actually in use :)

Greetings Klaas

Klaas-, Jan 09 '23 14:01

I was just providing the counterpoint evidence to the original text "I am not seeing parfait or log4j from the OS RPMs being used by SAP"; just in case it is believed log4j is unnecessary, the @performance Package Group was removed and log4j Package was not added back as a separate package to be installed by the *preconfigure Ansible Roles, which would lead to broken installations in the future.

sean-freeman, Jan 09 '23 14:01

Yeah, that is what I am saying, the log4j used by those SAP products is not the one from the OS RPM, at least that is my understanding.

Klaas-, Jan 09 '23 15:01

So no need to add the log4j package manually, SAP uses its own version, not the one that is installed via @performance.

Klaas-, Jan 09 '23 15:01

The discussion stopped 2 years ago, so let's close this issue. Customers who do not want or need the package group performance can specify their own list of package groups, using role variable sap_general_preconfigure_packagegroups.

berndfinger, Feb 17 '25 11:02
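The override described in the closing comment, as an added example that is not part of the thread or of the role's own documentation: a playbook that sets sap_general_preconfigure_packagegroups without @performance and then checks that neither parfait nor the OS log4j RPM is present. The inventory group name and the remaining group names in the list are assumptions; start from the role's default list for your release and drop only @performance.

```yaml
# Added example. Assumptions: the inventory group "sap_rhel7_hosts" is
# hypothetical, and the package group list is illustrative; take the real
# list from the role defaults for your RHEL release, minus '@performance'.
- name: Preconfigure RHEL 7 for SAP without the performance package group
  hosts: sap_rhel7_hosts
  become: true
  vars:
    # Role variable named in the closing comment of the issue.
    # '@performance' is deliberately left out, so parfait and its log4j
    # dependency are not pulled in from the RHEL repositories.
    sap_general_preconfigure_packagegroups:
      - '@base'
      - '@compat-libraries'
      - '@large-systems'
      - '@network-file-system-client'
  roles:
    - role: community.sap_install.sap_general_preconfigure
  post_tasks:
    - name: Collect the installed package list
      ansible.builtin.package_facts:
        manager: auto

    - name: Fail if parfait or the OS log4j RPM is still installed
      ansible.builtin.assert:
        that:
          - "'parfait' not in ansible_facts.packages"
          - "'log4j' not in ansible_facts.packages"
        fail_msg: >-
          parfait or log4j is installed from the OS repositories; check
          whether an earlier run with @performance installed it.
        success_msg: No OS-level parfait or log4j package found.
```

Overriding the list does not remove packages that an earlier run with @performance already installed; the assertion surfaces those hosts so the packages can be reviewed and removed separately.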