Update Problem // baseos does not belong to a distupgrade repository

Hi there

I need to ask for my particular problem.

All of the company servers won’t update due to this error:

Error:
 Problem: iptables-libs-1.8.10-4.el9_4.i686 from baseos  does not belong to a distupgrade repository
  - package iptables-services-1.8.10-4.1.el9.noarch from @System requires (iptables-libs = 1.8.10-4.el9 or iptables-libs = 1.8.10-4.el9_4), but none of the providers can be installed
  - cannot install both iptables-libs-1.8.10-11.el9_5.x86_64 from baseos and iptables-libs-1.8.10-4.el9_4.x86_64 from @System
  - cannot install both iptables-libs-1.8.10-4.el9_4.x86_64 from baseos and iptables-libs-1.8.10-11.el9_5.x86_64 from baseos
  - cannot install the best update candidate for package iptables-services-1.8.10-4.1.el9.noarch
  - cannot install the best update candidate for package iptables-libs-1.8.10-4.el9_4.x86_64
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

My home running servers are fine with updates. Both are configured in the same way.

The problem has been occurring since last week. I just waited b/c from other topics I read that a non-updated mirror could be the problem but nothing changed.

I already tried: dnf clean all followed by dnf update but it won’t help.
I commented out the mirrorlist= and changed the baseurl=, trying several mirrors, but the problem still persists.

When I try updating with --nobest option the updater won’t fail but the problem pkg is still in the old version which results in the same error as before on the next update attempt.

Here are my machine details:

Operating System: AlmaLinux 9.5 (Teal Serval)
     CPE OS Name: cpe:/o:almalinux:almalinux:9::baseos
          Kernel: Linux 5.14.0-503.23.1.el9_5.x86_64
    Architecture: x86-64

And here is my baseos.repo:

[baseos]
name=AlmaLinux $releasever - BaseOS
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos
# baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/$basearch/os/
enabled=1
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9
metadata_expire=86400
enabled_metadata=1

Any help or hints are welcome

version 1.8.10-11.el9_5 was built last week by AlmaLinux.

The iptables-services is in EPEL. EPEL has not yet (re)built iptables-services for 1.8.10-11.el9_5.


The iptables is deprecated. I do suggest translating your ruleset and starting to use nftables.service.

You can see the actual ruleset created by iptables.service by looking at:
nft list ruleset

2 Likes

Thanks for the EPEL hint.

Will see if I can manage to switch to nftables.

I mean Firewalld is using nftables as default and I didn’t switch it to iptables.

But it seems that an Ansible module in use requires the iptables-services package, which has iptables-libs as a sub-dependency.

Will mark the thread as solved as far as I get it running again.

The iptables.service is essentially a script, a oneshot executed on boot. The script at least used to call the ‘iptables’ tool. Hence its dependency on what looks like the iptables tool.

Out of curiosity, which Ansible module? I’ve used rhel-system-roles.firewall with FirewallD, and a simple ansible.builtin.copy task with (handwritten) nftables rulesets.

I’ve got the same issue, with 2 out of 9 servers having no issues and already updated to 1.8.10-11.

The actual reason for this seems to be an inconsistent mirror update for the epel repository, with some mirrors still having iptables-services.noarch 1.8.10-4.1.el9, which blocks the update of the baseos packages.

You can wait for the epel mirror sync to finish.

This works for me: force dnf to pick another epel mirror. I did this by simply adding “&country=de” to the metalink in the repository definition /etc/yum.repos.d/epel.repo:

[epel]
…
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-9&arch=$basearch&infra=$infra&content=$contentdir&country=de

That’s no guarantee the new mirror is up to date though, in case that doesn’t work you’ll need to pick a mirror yourself.

2 Likes
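
The version pin discussed in the posts above, as an added example that is not part of the original thread: a small shell parser that reads dnf's solver error and reports which package holds an exact-version requirement and which versions it accepts. The function names are hypothetical helpers; the sample text is the error quoted in the first post.

```shell
#!/bin/sh
# Added example (not from the thread): locate the exact-version pin in a dnf
# solver error. Function names are hypothetical helpers.

# Error text as quoted in the first post of this thread.
SAMPLE_ERROR=' Problem: iptables-libs-1.8.10-4.el9_4.i686 from baseos  does not belong to a distupgrade repository
  - package iptables-services-1.8.10-4.1.el9.noarch from @System requires (iptables-libs = 1.8.10-4.el9 or iptables-libs = 1.8.10-4.el9_4), but none of the providers can be installed
  - cannot install both iptables-libs-1.8.10-11.el9_5.x86_64 from baseos and iptables-libs-1.8.10-4.el9_4.x86_64 from @System
  - cannot install the best update candidate for package iptables-services-1.8.10-4.1.el9.noarch'

# stdin: dnf error text. stdout: "package|repo|requirement" per blocking line.
find_blockers() {
    sed -n 's/^ *- package \([^ ]*\) from \([^ ]*\) requires \(.*\), but none of the providers can be installed.*$/\1|\2|\3/p'
}

# $1: requirement string. stdout: each exact version it accepts, one per line.
pinned_versions() {
    printf '%s\n' "$1" | grep -o '[A-Za-z0-9_.+-]* = [A-Za-z0-9_.:~^+-]*' | awk '{print $3}'
}

# $1: requirement string, $2: version-release. Exit 0 if the pin accepts it.
accepts_version() {
    pinned_versions "$1" | grep -qxF -- "$2"
}

# stdin: dnf error text. Prints one summary line per pinning package.
report() {
    find_blockers | while IFS='|' read -r pkg repo req; do
        printf '%s (from %s) accepts only: %s\n' "$pkg" "$repo" \
            "$(pinned_versions "$req" | paste -sd' ' -)"
    done
}

# Stand-alone run on the sample error.
printf '%s\n' "$SAMPLE_ERROR" | report
```

On a live host the same functions can read real solver output, for example `dnf update --assumeno 2>&1 | report`.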

jlehtone: Out of curiosity, which Ansible module? I’ve used rhel-system-roles.firewall with FirewallD, and a simple ansible.builtin.copy task with (handwritten) nftables rulesets.

I double checked but it seems that since we moved from 8 to 9 that the package iptables-services isn’t required anymore. The Ansible module I mean is ansible.posix.firewalld. But please don’t nail me on that.

mbalzer: This works for me: force dnf to pick another epel mirror. I did this by simply adding “&country=de” to the metalink in the repository definition

Thank you very much. This looks pretty good and could be the reason why some machines are just updating and others won’t.

Fun fact is that the mirror seems to be updated now and I am able to update the servers as usual.

I definitely mark this thread as a bookmark :+1:

1 Like