Bug 1328729
| Field | Value |
|---|---|
| Summary | Docker client doesn't link entitlements certs |
| Product | Red Hat Enterprise Linux 7 |
| Component | subscription-manager |
| Version | 7.2 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Reporter | Stanislav Graf <sgraf> |
| Assignee | vritant <vrjain> |
| QA Contact | John Sefler <jsefler> |
| CC | alikins, aweiteka, bcourt, cbredesen, dwalsh, lsm5, randalap, redakkan, rrajasek, sgajanur, sgraf, tbutt, vrjain |
| Target Milestone | rc |
| Target Release | 7.3 |
| Keywords | Extras, Triaged |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | subscription-manager-plugin-container-1.17.7-1 |
| Doc Type | Bug Fix |
| Last Closed | 2016-11-03 20:28:18 UTC |
| Type | Bug |

Description
Stanislav Graf
2016-04-20 07:45:41 UTC
Lokesh is this something we do in the docker package install? Stanislav, how should we handle this if the order is reversed? Docker installed then you do subscription-manager?

Adding subscription-manager guys to this, because I am not sure how we should handle this.

I suspect you have not configured /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf to include your ${domain.name}s in the comma separated list of registry_hostnames

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1328869#c2

> # Steps to Reproduce:
> 1. subscription-manager register / attach
> 2. subscription-manager repos --enable...
> 3. install docker
> 4. ls -l /etc/docker/certs.d/${domain.name}/

Not sure I understand this flow. The subscription-manager docker/container support only runs inside of a container. But the 'install docker' step implies this is not in a container (and at the time of running subman, not even a 'host').

Afaik, the subscription-manager container plugin that sets up /etc/docker/certs.d/${domain.name}/ is only invoked when subman is run from inside a container.

(In reply to John Sefler from comment #3)
> I suspect you have not configured
> /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf to
> include your ${domain.name}s in the comma separated list of
> registry_hostnames
>
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1328869#c2

Thanks for the info, so I've retested:

vvvvv

* install subscription-manager-plugin-container
* check /etc/docker/certs.d/

/etc/docker/certs.d/:
total 0
drwxr-xr-x. 2 root root 45 Apr 20 11:13 cdn.redhat.com

/etc/docker/certs.d/cdn.redhat.com:
total 4
-rw-r--r--. 1 root root 2626 Oct 13 2015 redhat-entitlement-authority.crt

* install docker
* check /etc/docker/certs.d/

/etc/docker/certs.d/:
total 0
drwxr-xr-x. 2 root root 45 Apr 20 11:13 cdn.redhat.com
drwxr-xr-x. 2 root root 26 Apr 20 11:23 redhat.com
drwxr-xr-x. 2 root root 26 Apr 20 11:23 redhat.io

/etc/docker/certs.d/cdn.redhat.com:
total 4
-rw-r--r--. 1 root root 2626 Oct 13 2015 redhat-entitlement-authority.crt

/etc/docker/certs.d/redhat.com:
total 0
lrwxrwxrwx. 1 root root 27 Apr 20 11:23 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/redhat.io:
total 0
lrwxrwxrwx. 1 root root 27 Apr 20 11:23 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

* add ',redhat.com' to /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf
* restart rhsm and docker service

systemctl restart rhsmcertd.service
systemctl docker restart

* list again

# ls -lR /etc/docker/certs.d/
/etc/docker/certs.d/:
total 0
drwxr-xr-x. 2 root root 45 Apr 20 11:13 cdn.redhat.com
drwxr-xr-x. 2 root root 26 Apr 20 11:23 redhat.com
drwxr-xr-x. 2 root root 26 Apr 20 11:23 redhat.io

/etc/docker/certs.d/cdn.redhat.com:
total 4
-rw-r--r--. 1 root root 2626 Oct 13 2015 redhat-entitlement-authority.crt

/etc/docker/certs.d/redhat.com:
total 0
lrwxrwxrwx. 1 root root 27 Apr 20 11:23 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/redhat.io:
total 0
lrwxrwxrwx. 1 root root 27 Apr 20 11:23 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

* check there is containerimage in my entitlement:

rct cat-cert /etc/pki/entitlement/8125772367146128011.pem | grep -i containerimage
Type: containerimage
Type: containerimage

^^^^^

1) subscription-manager-plugin-container was not installed by default on my machine, should be added to product specific install guide

2) editing container_content.ContainerContentPlugin.conf does nothing - maybe I missed some step?

3) editing container_content.ContainerContentPlugin.conf should be added also to product specific install guide until it's fixed between docker and subscription-manager

The update to the registry_hostnames in /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf should be done *before* you attach the subscription to the system.

(In reply to John Sefler from comment #6)
> The update to the registry_hostnames in
> /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf should
> be done *before* you attach the subscription to the system.

Thanks, that works!

4) I need to attach entitlements to install subscription-manager-plugin-container, change config and then detach and attach again to get config applied

5) Linking/copying of CA cert is not consistent

/etc/docker/certs.d/access.redhat.com:
(none)

/etc/docker/certs.d/cdn.redhat.com:
-rw-r--r--. 1 root root 2626 Oct 13 2015 redhat-entitlement-authority.crt

/etc/docker/certs.d/redhat.com:
lrwxrwxrwx. 1 root root 27 Apr 20 11:23 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/redhat.io:
lrwxrwxrwx. 1 root root 27 Apr 20 11:23 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/registry.access.redhat.com:
(none)

(In reply to Stanislav Graf from comment #7)
> 4) I need to attach entitlements to install
> subscription-manager-plugin-container, change config and then detach and
> attach again to get config applied

Or you could wait for up to 4 hours for rhsmcertd to automatically run and sync container certificates to /etc/docker/certs.d/<registry_hostnames> from /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf

UGLY: attach (to install subscription-manager-plugin-container), remove, and re-attach (to sync container certificates) is a terrible customer experience. However, I believe subscription-manager-plugin-container is installed by default on RHEL Atomic which was the intended product for docker delivery.

> 5) Linking/copying of CA cert is not consistent
>
> /etc/docker/certs.d/access.redhat.com:
> (none)
>
> /etc/docker/certs.d/cdn.redhat.com:
> -rw-r--r--. 1 root root 2626 Oct 13 2015 redhat-entitlement-authority.crt
>
> /etc/docker/certs.d/redhat.com:
> lrwxrwxrwx. 1 root root 27 Apr 20 11:23 redhat-ca.crt ->
> /etc/rhsm/ca/redhat-uep.pem
>
> /etc/docker/certs.d/redhat.io:
> lrwxrwxrwx. 1 root root 27 Apr 20 11:23 redhat-ca.crt ->
> /etc/rhsm/ca/redhat-uep.pem
>
> /etc/docker/certs.d/registry.access.redhat.com:
> (none)

You are right... they are not consistent because they were all provided by different packages/teams...

[root@jsefler-7 ~]# ls -d1 /etc/docker/certs.d/*
/etc/docker/certs.d/access.redhat.com
/etc/docker/certs.d/cdn.redhat.com
/etc/docker/certs.d/redhat.com
/etc/docker/certs.d/redhat.io
/etc/docker/certs.d/registry.access.redhat.com
[root@jsefler-7 ~]#
[root@jsefler-7 ~]# rpm -q --whatprovides /etc/docker/certs.d/access.redhat.com
file /etc/docker/certs.d/access.redhat.com is not owned by any package
[root@jsefler-7 ~]#
[root@jsefler-7 ~]# rpm -q --whatprovides /etc/docker/certs.d/cdn.redhat.com
subscription-manager-plugin-container-1.15.9-15.el7.x86_64
[root@jsefler-7 ~]#
[root@jsefler-7 ~]# rpm -q --whatprovides /etc/docker/certs.d/redhat.com
docker-1.8.2-2.el7.x86_64
[root@jsefler-7 ~]#
[root@jsefler-7 ~]# rpm -q --whatprovides /etc/docker/certs.d/redhat.io
docker-1.8.2-2.el7.x86_64
[root@jsefler-7 ~]#
[root@jsefler-7 ~]# rpm -q --whatprovides /etc/docker/certs.d/registry.access.redhat.com
file /etc/docker/certs.d/registry.access.redhat.com is not owned by any package
[root@jsefler-7 ~]#

The two not owned by any package are because they were included in the default registry_hostnames in container_content.ContainerContentPlugin.conf and will therefore be absent of a CA cert (not sure if that is a problem).

Is there anything needed to be done in the docker package to make this work better?

(In reply to John Sefler from comment #8)
> (In reply to Stanislav Graf from comment #7)
> > 4) I need to attach entitlements to install
> > subscription-manager-plugin-container, change config and then detach and
> > attach again to get config applied
>
> UGLY: attach (to install subscription-manager-plugin-container), remove, and
> re-attach (to sync container certificates) is a terrible customer experience.

After a good night's sleep, here are the best two options to avoid the ugly subscription re-attachment steps:

1. do nothing and wait for up to 4 hours for the rhsmcertd to run automatically which will sync the entitlements to the new redhat.com redhat.io directories, OR...
2. run /usr/libexec/rhsmcertd-worker as root which will immediately run the container plugin that syncs the entitlements to the new redhat.com redhat.io directories.

Remember that these two options are only relevant if you have already attached a subscription that provides containerimage content without first appending ,redhat.com,redhat.io to registry_hostnames in /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf.

(In reply to John Sefler from comment #10)
> Remember that these two options are only relevant if you have already
> attached a subscription that provides containerimage content without first
> appending ,redhat.com,redhat.io to registry_hostnames in
> /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf.

Couldn't we pre-populate the redhat.* domains in the file /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf that we ship?

(In reply to Aaron Weitekamp from comment #11)
> Couldn't we pre-populate the redhat.* domains in the file
> /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf that we
> ship?

Are you asking the sub-man dev team to build a new subscription-manager package with additional default registry_hostnames (with appropriate CA cert) every time the docker team has new ones? That does not sound efficient. That's why it is a configuration.

As sgraf has learned the hard way, there is an order of operations needed to get a RHEL7 system configured to run docker images with access to "containerimage" content. I'll try to re-cap what I think the order is (without looking at any docs)...

1. Install a bare RHEL7 system (probably from an iso)
2. Entitle the system with a RHEL subscription using subscription-manager
3. enable the rhel-7-server-extras-rpms repo and then yum install docker
4. enable the rhel-7-server-optional-rpms repo and then yum install subscription-manager-plugin-container
5. append ",redhat.com,redhat.io" to registry_hostnames in /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf
6. THE NEXT STEP DEPENDS ON WHETHER OR NOT THE RHEL SUBSCRIPTION ATTACHED IN STEP 2 ALSO PROVIDES "Red Hat Software Collections (for RHEL Server)" WHICH APPEARS TO BE THE SOURCE FOR THE "containerimage" CONTENT YOU WANT ACCESS TO
   If yes - then either wait for up to four hours OR run /usr/libexec/rhsmcertd-worker as root which will immediately run the container plugin that syncs the entitlements to the new redhat.com redhat.io registry_hostname directories.
   If no - then attach another subscription that provides "Red Hat Software Collections (for RHEL Server)"

I assume there is a customer facing document that contains this workflow. Maybe it needs a few tweaks. I don't think the docker or subscription-manager-plugin-container packages need any changes.

One last thing that could still be an issue is to make sure the correct CA cert is being provided in the registry_hostnames directories. I noticed that the redhat-ca.crt packaged with docker and the redhat-entitlement-authority.crt packaged with subscription-manager-plugin-container are not the same.

cbredesen mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1328869#c5 registry hostnames (registry.access.redhat.com / registry.redhat.io). Beware... I think subscription-manager-plugin-container requires the configurations to be fully qualified. That means that in comment 12 you should change redhat.io to registry.redhat.io and redhat.com to registry.access.redhat.com and include CA certs. This needs to be tested. I think sgraf can help test this concern. If true, then some changes to the docker package could be needed.

*** Bug 1328869 has been marked as a duplicate of this bug. ***

Tell us what we need to change in the docker package?

Dan & Aaron, Is there a reason we would not want to automatically load all the directories under /etc/docker/certs.d/* as registry_hostnames?
If there is a concern about opening it up entirely we could support wildcard masks *.redhat.com *.redhat.io if that would be helpful. If we did either of those two things then as changes are made from docker side the content_container plugin would not need to have its configuration updated. As a short term fix, if you give us the updated list of registry hostname values we can update the list in the default config file.

(In reply to John Sefler from comment #12)
> (In reply to Aaron Weitekamp from comment #11)
> > Couldn't we pre-populate the redhat.* domains in the file
> > /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf that we
> > ship?
>
> Are you asking the sub-man dev team to build a new subscription-manager
> package with additional default registry_hostnames (with appropriate CA
> cert) every time the docker team has new ones? That does not sound
> efficient. That's why it is a configuration.
>

Yes, this is what I am asking. As you know, /etc/rhsm/rhsm.conf ships configured so a new system registers with production.

hostname = subscription.rhn.redhat.com
baseurl= https://cdn.redhat.com

I view this as the same thing. The registry hostnames are stable.

> As sgraf has learned the hard way, there is an order of operations needed to
> get a RHEL7 system configured to run docker images with access to
> "containerimage" content.

Remember, our goal is to support an atomic host workflow which must be able to register and start RHEL-based containers to be functional (using cloud-init, for example). There is no waiting 4 hours. There is no special config. A subscribed system can install applications via docker by default.

I agree 100% with comment 18.

Thanks, Aaron. I agree too.

Then a subscription-manager-plugin-container design changed based on comment 17 should be pursued.

I think we should only need registry.redhat.io as that was intended to replace registry.access.redhat.com, we simply kept that in place for backwards compat.
registry.redhat.io is meant to be THE ONE.

I checked installing AH VM to understand more about the experience with docker entitlement certs. I noticed that, after I register to subscription-manager and attach the required entitlements it still does not reflect the entitlement certs under /etc/docker/certs.d

@John, does it require 4Hrs even on AH? Running /usr/libexec/rhsmcerts-worker helped as you suggested in comment 10

(In reply to Sushma from comment #22)

If you configured registry_hostnames in /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf on your Atomic Host with all of the /etc/docker/certs.d/<registry_hostnames> that you will be pulling docker images from *BEFORE* you attached the Atomic subscription, then you should see the entitlement certs/keys appear in the /etc/docker/certs.d/<registry_hostnames>/ directories *immediately* after attaching the Atomic subscription.

If you attached the Atomic subscription *before* you configure container_content.ContainerContentPlugin.conf, then you will need to wait up to 4 hrs OR manually run /usr/libexec/rhsmcertd-worker as root to see the entitlement certs/keys appear in the /etc/docker/certs.d/<registry_hostnames>/ directories

Thanks John, the steps and order mentioned above in comment #23 works on AtomicHost VM

To be clear, this is what I did

> I installed AH (from iso) on VM
> Created /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf with the below details

------
[main]
enabled = 1
registry_hostnames = registry.access.redhat.com,cdn.redhat.com,access.redhat.com
------

> subscription-manager register --auto-attach

I found the entitlement certs created for each registry_hostnames mentioned above under /etc/docker/certs.d/.

@Chris, John

This is regarding another issue that was noticed for protected repos in live

+ For the protected repos, we had to update the redirect URLs point to protected CDN https://cdn.redhat.com instead of the default unprotected CDN https://access.redhat.com/webassets/docker/ because entitlement certs expect it to be so
+ Following which docker client does not seem to work fine with cacert:
  - with the CA cert which is found under /etc/docker/certs.d/cdn.redhat.com
  - OR with redhat-uep.pem which is located at /etc/rhsm/ca/ (tried manually linking to this cert)
  - neither with ca-bundle.crt which is located at /etc/pki/tls/certs (tried manually linking to this cert)

We are getting the error "x509: certificate signed by unknown authority" when we try to "docker pull" the image from registry.access.redhat.com which redirects to cdn.redhat.com to locate the image.

This needs to be investigated. This is blocker for RHMAP GA release. At this point, IT Crane team is working/investigating on a patch at crane end.

Verifying Version....
[root@jsefler-rhel7 ~]# rpm -q subscription-manager subscription-manager-plugin-container
subscription-manager-1.17.7-1.el7.x86_64
subscription-manager-plugin-container-1.17.7-1.el7.x86_64

As indicated in comment 21 and comment 25, the subscription-manager dev team has updated the subscription-manager-plugin-container to include registry.redhat.io in the default registry_hostnames of /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf

[root@jsefler-rhel7 ~]# rpm -q subscription-manager --changelog | grep 1328729
- 1328729: add registry.redhat.io to default registry_hostnames
[root@jsefler-rhel7 ~]# cat /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf
[main]
enabled = 1
registry_hostnames = registry.access.redhat.com,cdn.redhat.com,access.redhat.com,registry.redhat.io

VERIFIED: THE DEFAULT CONFIG FOR registry_hostnames IN /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf NOW INCLUDES "registry.redhat.io"

I'll also demonstrate that when a RHEL7 system is registered and subscribed to a subscription that provides "containerimage" content, the entitlement will land in directory /etc/docker/certs.d/registry.redhat.io/ as desired.

[root@jsefler-rhel7 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 Beta (Maipo)
[root@jsefler-rhel7 ~]# ls -lR /etc/docker/certs.d/
/etc/docker/certs.d/:
total 0
drwxr-xr-x. 2 root root 45 Jun 21 15:09 cdn.redhat.com

/etc/docker/certs.d/cdn.redhat.com:
total 4
-rw-r--r--. 1 root root 2626 Jun 3 19:06 redhat-entitlement-authority.crt
[root@jsefler-rhel7 ~]# subscription-manager register --serverurl subscription.rhsm.stage.redhat.com:443/subscription
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: stage_auto_testuser1
Password:
The system has been registered with ID: 4df923bc-8fea-4a52-b933-044011352010
[root@jsefler-rhel7 ~]# subscription-manager list --available --matches "*Container*"
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
Subscription Name:   Red Hat Enterprise Linux Server, Standard (Physical or Virtual Nodes)
Provides:            Red Hat Beta
                     Red Hat Container Images Beta
                     dotNET on RHEL Beta (for RHEL Server)
                     Red Hat Software Collections (for RHEL Server)
                     Oracle Java (for RHEL Server)
                     Red Hat Enterprise Linux Atomic Host Beta
                     Red Hat Container Images
                     Red Hat Enterprise Linux Server
                     dotNET on RHEL (for RHEL Server)
                     Red Hat Enterprise Linux Atomic Host
                     Red Hat Software Collections Beta (for RHEL Server)
                     Red Hat Developer Toolset (for RHEL Server)
SKU:                 RH00004
Contract:
Pool ID:             8a99f986553a7fbb01553c03870624c3
Provides Management: No
Available:           400
Suggested:           1
Service Level:       Standard
Service Type:        L1-L3
Subscription Type:   Instance Based
Ends:                05/27/2017
System Type:         Physical

[root@jsefler-rhel7 ~]# subscription-manager attach --pool 8a99f986553a7fbb01553c03870624c3
Successfully attached a subscription for: Red Hat Enterprise Linux Server, Standard (Physical or Virtual Nodes)
[root@jsefler-rhel7 ~]# rct cat-cert /etc/pki/entitlement/9015880968579070254.pem | grep "containerimage" -A1
Type: containerimage
Name: Red Hat Enterprise Linux 6 Server - Beta (Containers)
--
Type: containerimage
Name: Red Hat Enterprise Linux 6 Server (Containers)
--
Type: containerimage
Name: Red Hat Enterprise Linux 7 Server - Beta (Containers)
--
Type: containerimage
Name: Red Hat Enterprise Linux 7 Server (Containers)
--
Type: containerimage
Name: dotNET on RHEL Beta (Containers) for Red Hat Enterprise Linux 7 Server
--
Type: containerimage
Name: dotNET on RHEL (Containers) for Red Hat Enterprise Linux 7 Server
--
Type: containerimage
Name: Red Hat Software Collections Beta (Containers) for Red Hat Enterprise Linux 7 Server
--
Type: containerimage
Name: Red Hat Software Collections (Containers) for Red Hat Enterprise Linux 7 Server
[root@jsefler-rhel7 ~]# ls -lR /etc/docker/certs.d/
/etc/docker/certs.d/:
total 4
drwxr-xr-x. 2 root root 67 Jun 21 15:12 access.redhat.com
drwxr-xr-x. 2 root root 4096 Jun 21 15:12 cdn.redhat.com
drwxr-xr-x. 2 root root 67 Jun 21 15:12 registry.access.redhat.com
drwxr-xr-x. 2 root root 67 Jun 21 15:12 registry.redhat.io

/etc/docker/certs.d/access.redhat.com:
total 20
-rw-r--r--. 1 root root 16362 Jun 21 15:12 9015880968579070254.cert
-rw-------. 1 root root 1679 Jun 21 15:12 9015880968579070254.key

/etc/docker/certs.d/cdn.redhat.com:
total 24
-rw-r--r--. 1 root root 16362 Jun 21 15:12 9015880968579070254.cert
-rw-------. 1 root root 1679 Jun 21 15:12 9015880968579070254.key
-rw-r--r--. 1 root root 2626 Jun 3 19:06 redhat-entitlement-authority.crt

/etc/docker/certs.d/registry.access.redhat.com:
total 20
-rw-r--r--. 1 root root 16362 Jun 21 15:12 9015880968579070254.cert
-rw-------. 1 root root 1679 Jun 21 15:12 9015880968579070254.key

/etc/docker/certs.d/registry.redhat.io:
total 20
-rw-r--r--. 1 root root 16362 Jun 21 15:12 9015880968579070254.cert
-rw-------. 1 root root 1679 Jun 21 15:12 9015880968579070254.key

VERIFIED: THE ENTITLEMENT FROM SUBSCRIPTION SKU RH00004 WHICH PROVIDES "containerimage" CONTENT LANDED IN /etc/docker/certs.d/registry.redhat.io AS WELL AS ALL THE OTHER CONFIGURED registry_hostnames

[root@jsefler-rhel7 ~]# rpm -q docker
package docker is not installed
[root@jsefler-rhel7 ~]# subscription-manager repos | grep extras-rpms -A4
Repo ID: rhel-7-server-extras-rpms
Repo Name: Red Hat Enterprise Linux 7 Server - Extras (RPMs)
Repo URL: https://cdn.redhat.com/content/dist/rhel/server/7/7Server/$basearch/extras/os
Enabled: 0

[root@jsefler-rhel7 ~]# subscription-manager repos --enable rhel-7-server-extras-rpms
Repository 'rhel-7-server-extras-rpms' is enabled for this system.
[root@jsefler-rhel7 ~]# yum install -q -y docker
This system is not registered with RHN Classic or Red Hat Satellite.
You can use rhn_register to register.
Red Hat Satellite or RHN Classic support will be disabled.
Re-declaration of boolean virt_sandbox_use_fusefs
Failed to create node
Bad boolean declaration at line 147 of /etc/selinux/targeted/tmp/modules/100/virt/cil
/usr/sbin/semodule: Failed!
libsemanage.semanage_direct_install_info: Overriding docker module at lower priority 100 with module at priority 400.
[root@jsefler-rhel7 ~]# rpm -q docker
docker-1.9.1-40.el7.x86_64
[root@jsefler-rhel7 ~]# systemctl start docker.service
[root@jsefler-rhel7 ~]# docker pull registry.redhat.io/rhel7:latest
c453594215e4: Download complete
Status: Downloaded newer image for registry.redhat.io/rhel7:latest
registry.redhat.io/rhel7: this image was pulled from a legacy registry. Important: This registry version will not be supported in future versions of docker.
[root@jsefler-rhel7 ~]# docker images
REPOSITORY                 TAG      IMAGE ID       CREATED       VIRTUAL SIZE
registry.redhat.io/rhel7   latest   c453594215e4   6 weeks ago   203.4 MB
[root@jsefler-rhel7 ~]# setenforce 0
[root@jsefler-rhel7 ~]# docker run --rm registry.redhat.io/rhel7:latest yum repolist
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
repo id repo name status
rhel-7-server-rpms/7Server/x86_64 Red Hat Enterprise Linux 7 Server (RPMs 10871
repolist: 10871

VERIFIED: I successfully registered, subscribed, installed docker, pulled an image from registry.redhat.io and ran a command inside a container that demonstrates the container has yum access through the entitlement on the host.

NOTE: I had to disable selinux (setenforce 0) to workaround current policy issues.

Great job!

(1) subscription-manager-plugin-container preinstalled

Take a clean system. I prepared my system with latest RHEL 7.2 with updates and following extra packages:

# rpm -qa '*rhsm*' '*subscription*' | sort
python-rhsm-1.17.2-1.el7.x86_64
subscription-manager-1.17.7-1.el7.x86_64
subscription-manager-plugin-container-1.17.7-1.el7.x86_64

I didn't need to edit anything, I didn't need any hacks. I just registered to production with account that can pull protected images, installed docker and I was able to pull images.

(2) subscription-manager-plugin-container installed later

Take a clean system. I prepared my system with RHEL 7.2 and registered to production. Update to latest, update subscription-manager and install container plugin.

# rpm -qa '*rhsm*' '*subscription*' | sort
python-rhsm-1.17.2-1.el7.x86_64
subscription-manager-1.17.7-1.el7.x86_64
subscription-manager-plugin-container-1.17.7-1.el7.x86_64

I didn't need to edit anything, I didn't need any hacks. I was able to pull images.

Note: I did also negative testing - that without proper entitlements I wasn't able to pull images - just to be sure I'm not downloading unprotected images.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2592.html
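
The following check is an added example, not part of this bug report or of subscription-manager. It reads registry_hostnames from the plugin config and reports, for each hostname, whether /etc/docker/certs.d/<hostname>/ holds an entitlement .cert/.key pair with an owner-only key and whether a CA .crt is present, which are the two things the comments above inspect by hand. The function names, the sample tree and the serial 1234 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit entitlement material under the Docker certs.d tree
# for every hostname listed in registry_hostnames.

# Print each registry_hostnames entry from the plugin config, one per line.
registry_hostnames() {
    sed -n 's/^[[:space:]]*registry_hostnames[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Classify one registry directory:
#   missing-dir     the directory does not exist
#   no-entitlement  no <serial>.cert with a matching <serial>.key
#   key-exposed     a private key is accessible to group or others
#   ok              at least one cert/key pair, all keys owner-only
host_status() {
    hs_pairs=0
    [ -d "$1" ] || { echo missing-dir; return 0; }
    for hs_cert in "$1"/*.cert; do
        hs_key="${hs_cert%.cert}.key"
        if [ -f "$hs_cert" ] && [ -f "$hs_key" ]; then
            hs_pairs=$((hs_pairs + 1))
            # Characters 5-10 of the mode string are the group/other bits.
            if [ "$(ls -ldL "$hs_key" | cut -c5-10)" != "------" ]; then
                echo key-exposed; return 0
            fi
        fi
    done
    if [ "$hs_pairs" -gt 0 ]; then echo ok; else echo no-entitlement; fi
}

# Report "<hostname> <status> ca=<yes|no>" per configured hostname.
# Returns non-zero if any hostname is not "ok".
audit_registry_certs() {
    ar_conf=${1:-/etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf}
    ar_certs=${2:-/etc/docker/certs.d}
    ar_rc=0
    for ar_host in $(registry_hostnames "$ar_conf"); do
        ar_status=$(host_status "$ar_certs/$ar_host")
        ar_ca=no
        for ar_f in "$ar_certs/$ar_host"/*.crt; do
            if [ -f "$ar_f" ]; then ar_ca=yes; fi
        done
        echo "$ar_host $ar_status ca=$ar_ca"
        [ "$ar_status" = ok ] || ar_rc=1
    done
    return "$ar_rc"
}

# Constructed sample: config with the four default hostnames, but only two
# directories populated and one directory absent. Prints the temp root.
make_sample_tree() {
    st_root=$(mktemp -d)
    mkdir -p "$st_root/certs.d/cdn.redhat.com" \
             "$st_root/certs.d/registry.redhat.io" \
             "$st_root/certs.d/access.redhat.com"
    printf '[main]\nenabled = 1\nregistry_hostnames = %s\n' \
        'registry.access.redhat.com,cdn.redhat.com,access.redhat.com,registry.redhat.io' \
        > "$st_root/plugin.conf"
    for st_d in cdn.redhat.com registry.redhat.io; do
        : > "$st_root/certs.d/$st_d/1234.cert"
        : > "$st_root/certs.d/$st_d/1234.key"
        chmod 600 "$st_root/certs.d/$st_d/1234.key"
    done
    : > "$st_root/certs.d/cdn.redhat.com/redhat-entitlement-authority.crt"
    echo "$st_root"
}

# Demo on the constructed tree; pass real paths as arguments to audit a host.
if [ "$#" -gt 0 ]; then
    audit_registry_certs "$@"
else
    demo_root=$(make_sample_tree)
    audit_registry_certs "$demo_root/plugin.conf" "$demo_root/certs.d" || true
    rm -rf "$demo_root"
fi
```
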