Bug 1671534

Summary: [WARNING] rhsmcertd-worker:5015:MainThread @container.py:140 - Container cert directory does not exist: /etc/docker/certs.d/
Product: Red Hat Enterprise Linux 8
Reporter: John Sefler <jsefler>
Component: subscription-manager
Assignee: Jiri Hnidek <jhnidek>
Status: CLOSED ERRATA
QA Contact: Red Hat subscription-manager QE Team <rhsm-qe>
Severity: medium
Priority: high
Version: 8.0
CC: csnyder, jhnidek, jsefler, lvrabec, mmalik, redakkan, shughes
Target Milestone: rc
Keywords: Regression, Triaged
Target Release: 8.1
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2019-11-05 22:15:32 UTC
Type: Bug
Bug Depends On: 1682763

Description John Sefler 2019-01-31 20:33:11 UTC
Description of problem:

When the rhsmcertd-worker runs to auto heal a system with a subscription that provides content of type "containerImage", the granted entitlement cert and key are supposed to be copied to all the registry_hostnames directories configured in /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf.

The problem on RHEL8 is that rhsm.log indicates a WARNING that "Container cert directory does not exist: /etc/docker/certs.d" when it does indeed exist. This is blocking the subscription-manager-plugin-container from copying certificates from /etc/pki/entitlement/ to /etc/docker/certs.d/<registry_hostnames>/

Note 1: When manually attaching a subscription that provides "containerImage" content, the subscription-manager-plugin-container successfully copies the entitlement cert&key without any warnings in the rhsm.log.

Note 2: When selinux is running in permissive mode, the rhsmcertd-worker successfully copies the entitlement certs.

Note 3: When selinux is in enforcing mode, rhsmcertd-worker fails to copy entitlement certs, yet I cannot find any denials in the audit log.



Version-Release number of selected component (if applicable):
[root@kvm-01-guest17 ~]# rpm -q subscription-manager-plugin-container selinux-policy
subscription-manager-plugin-container-1.23.8-15.el8.x86_64
selinux-policy-3.14.1-53.el8.noarch


How reproducible:
always


Steps to Reproduce:
This testing is being done against an onpremise candlepin server with the TESTDATA deployed and product certs from the TESTDATA installed.


[root@kvm-01-guest17 ~]# subscription-manager config --rhsmcertd.splay=0 --rhsmcertd.disable=0
[root@kvm-01-guest17 ~]# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service
[root@kvm-01-guest17 ~]# setenforce 1
[root@kvm-01-guest17 ~]# restorecon -Rv /etc /run /var
Relabeled /etc/dnf/modules.d/virt.module from system_u:object_r:root_t:s0 to system_u:object_r:etc_t:s0
Relabeled /run/user/0 from system_u:object_r:tmpfs_t:s0 to system_u:object_r:user_tmp_t:s0
[root@kvm-01-guest17 ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
[root@kvm-01-guest17 ~]# systemctl restart rhsmcertd
[root@kvm-01-guest17 ~]# sleep 120
[root@kvm-01-guest17 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
<no matches>
[root@kvm-01-guest17 ~]# cat /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf
[main]
enabled = 1
registry_hostnames=registry.access.redhat.com,cdn.redhat.com,access.redhat.com,registry.redhat.io,cdn.rhsm-test.redhat.com,rhsm-test.redhat.com
[root@kvm-01-guest17 ~]# ls /etc/docker/certs.d/*
/etc/docker/certs.d/access.redhat.com:

/etc/docker/certs.d/cdn.redhat.com:
redhat-entitlement-authority.crt

/etc/docker/certs.d/cdn.rhsm-test.redhat.com:
redhat-entitlement-authority.crt

/etc/docker/certs.d/registry.access.redhat.com:

/etc/docker/certs.d/registry.redhat.io:

/etc/docker/certs.d/rhsm-test.redhat.com:
[root@kvm-01-guest17 ~]# 
[root@kvm-01-guest17 ~]# subscription-manager list --consumed | grep "Awesome OS Docker" -A16
Subscription Name:   Awesome OS Docker
Provides:            Awesome OS Docker Bits
SKU:                 awesomeos-docker
Contract:            0
Account:             12331131231
Serial:              3336717941861560708
Pool ID:             8a88714e68a53f5d0168a53fb7f901e6
Provides Management: No
Active:              True
Quantity Used:       1
Service Level:       
Service Type:        
Status Details:      Subscription is current
Subscription Type:   Standard
Starts:              01/30/2019
Ends:                01/30/2020
System Type:         Physical

[root@kvm-01-guest17 ~]# rct cat-cert /etc/pki/entitlement/3336717941861560708.pem | grep -i containerImage -A1 -B1
Content:
	Type: containerImage
	Name: awesomeos-docker-images
[root@kvm-01-guest17 ~]# 


FAILED: EXPECTED THE DIRECTORIES DEFINED BY registry_hostnames TO BE POPULATED WITH THE ENTITLEMENT SERIAL FROM Awesome OS Docker BECAUSE IT PROVIDES "containerImage" CONTENT.




Additional info:

[root@kvm-01-guest17 ~]# tail -f /var/log/rhsm/rhsm.log  | grep WARNING
2019-01-31 14:34:49,393 [WARNING] rhsmcertd-worker:4969:MainThread @container.py:140 - Container cert directory does not exist: /etc/docker/certs.d/
2019-01-31 14:34:49,393 [WARNING] rhsmcertd-worker:4969:MainThread @container.py:141 - Exiting plugin



[root@kvm-01-guest17 ~]# tail -f /var/log/rhsm/rhsmcertd.log 
Thu Jan 31 14:32:48 2019 [INFO] rhsmcertd is shutting down...
Thu Jan 31 14:32:48 2019 [INFO] Starting rhsmcertd...
Thu Jan 31 14:32:48 2019 [INFO] Auto-attach interval: 1440.0 minutes [86400 seconds]
Thu Jan 31 14:32:48 2019 [INFO] Cert check interval: 240.0 minutes [14400 seconds]
Thu Jan 31 14:32:48 2019 [INFO] Waiting 2.0 minutes plus 0 splay seconds [120 seconds total] before performing first auto-attach.
Thu Jan 31 14:32:48 2019 [INFO] Waiting 2.0 minutes plus 0 splay seconds [120 seconds total] before performing first cert check.
Thu Jan 31 14:34:49 2019 [INFO] (Cert Check) Certificates updated.
Thu Jan 31 14:34:51 2019 [INFO] (Auto-attach) Certificates updated.
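
A check for the end state the description expects, written here as an added example (it is not code from subscription-manager or its container plugin): it parses the plugin conf in the format shown above and reports which registry_hostnames directories lack the entitlement serial's .cert and .key, which is what the FAILED line above was checking by hand. The demo runs against a constructed temporary certs.d tree rather than a real host.

```python
"""Check the end state subscription-manager-plugin-container should leave
behind: every registry hostname in container_content.ContainerContentPlugin.conf
gets <serial>.cert and <serial>.key under /etc/docker/certs.d/<hostname>/.
Added example for this bug report; it is not the plugin's own code."""
import configparser
import os
import tempfile

CONF_PATH = "/etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf"
CERTS_D = "/etc/docker/certs.d"


def registry_hostnames(conf_text):
    """Parse the [main] section of the plugin conf (format as shown in the bug).
    Returns [] when the plugin is disabled, since it copies nothing then."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    if not cp.getboolean("main", "enabled", fallback=False):
        return []
    raw = cp.get("main", "registry_hostnames", fallback="")
    return [h.strip() for h in raw.split(",") if h.strip()]


def missing_entitlement_files(serial, hostnames, certs_d=CERTS_D):
    """Return (hostname, filename) pairs the plugin should have written but
    that are absent; an empty list means the copy worked for every registry."""
    missing = []
    for host in hostnames:
        for name in (f"{serial}.cert", f"{serial}.key"):
            if not os.path.isfile(os.path.join(certs_d, host, name)):
                missing.append((host, name))
    return missing


def demo():
    """Run the check against a constructed certs.d tree, not a real host:
    one registry directory is populated, the other is left empty."""
    conf = ("[main]\nenabled = 1\n"
            "registry_hostnames = registry.access.redhat.com,cdn.redhat.com\n")
    serial = "549870588193513666"  # serial from the verification comment
    with tempfile.TemporaryDirectory() as tmp:
        populated = os.path.join(tmp, "cdn.redhat.com")
        os.makedirs(populated)
        for name in (f"{serial}.cert", f"{serial}.key"):
            open(os.path.join(populated, name), "w").close()
        os.makedirs(os.path.join(tmp, "registry.access.redhat.com"))
        return missing_entitlement_files(serial, registry_hostnames(conf), tmp)


if __name__ == "__main__":
    # on a real host: registry_hostnames(open(CONF_PATH).read()) against CERTS_D
    for host, name in demo():
        print(f"missing: {host}/{name}")
```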

Comment 1 John Sefler 2019-01-31 20:38:14 UTC
This is a regression from fixed bug 1344500

Comment 2 John Sefler 2019-01-31 20:43:21 UTC
setting a NEEDINFO on mgrepl to help troubleshoot

Comment 11 Rehana 2019-05-30 14:21:36 UTC
Verifying on:
------------

# rpm -qa subscription-manager selinux*
selinux-policy-3.14.3-4.el8.noarch
subscription-manager-1.25.6-1.el8.x86_64
selinux-policy-targeted-3.14.3-4.el8.noarch


[root@dell-r730-001-guest23 ~]# subscription-manager register
Registering to: ansible-candlepin.usersys.redhat.com:8443/candlepin
Username: admin
Password: 
Organization: admin
The system has been registered with ID: 06c96b36-2743-4bb8-ac4d-b3e978487d44
The registered system name is: dell-r730-001-guest23.dsal.lab.eng.rdu2.redhat.com

[root@dell-r730-001-guest23 ~]# subscription-manager config --rhsmcertd.splay=0 --rhsmcertd.disable=0

[root@dell-r730-001-guest23 ~]# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service
[root@dell-r730-001-guest23 ~]# setenforce 1
[root@dell-r730-001-guest23 ~]# restorecon -Rv /etc /run /var
[root@dell-r730-001-guest23 ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
[root@dell-r730-001-guest23 ~]# 
[root@dell-r730-001-guest23 ~]# systemctl restart rhsmcertd

wait for 2 mins for the auto-attach to complete

[root@dell-r730-001-guest23 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i 
<no matches>
[root@dell-r730-001-guest23 ~]# cat /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf
[main]
enabled = 1
registry_hostnames = registry.access.redhat.com,cdn.redhat.com,access.redhat.com,registry.redhat.io

[root@dell-r730-001-guest23 ~]# ls /etc/docker/certs.d/*
/etc/docker/certs.d/access.redhat.com:
549870588193513666.cert  549870588193513666.key

/etc/docker/certs.d/cdn.redhat.com:
549870588193513666.cert  549870588193513666.key  redhat-entitlement-authority.crt

/etc/docker/certs.d/registry.access.redhat.com:
549870588193513666.cert  549870588193513666.key

/etc/docker/certs.d/registry.redhat.io:
549870588193513666.cert  549870588193513666.key

[root@dell-r730-001-guest23 ~]# subscription-manager list --consumed | grep "Awesome OS Docker" -A16
Subscription Name:   Awesome OS Docker
Provides:            Awesome OS Docker Bits
SKU:                 awesomeos-docker
Contract:            1
Account:             12331131231
Serial:              549870588193513666
Pool ID:             8ac6a33e6ad9ab18016ad9afc02d02f0
Provides Management: No
Active:              True
Quantity Used:       1
Service Level:       
Service Type:        
Status Details:      Subscription is current
Subscription Type:   Standard
Starts:              Monday 20 May 2019
Ends:                Tuesday 19 May 2020
System Type:         Physical

[root@dell-r730-001-guest23 ~]# rct cat-cert /etc/pki/entitlement/549870588193513666.pem |  grep -i containerImage -A1 -B1
Content:
	Type: containerImage
	Name: 37090-awesomeos-docker-images

^^ Notice the registry files now have the entitlement cert copied when subscriptions containing "containerImage" content are attached.

Based on the above observation, moving the bug to verified!!

Comment 13 errata-xmlrpc 2019-11-05 22:15:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3561