Bug 2091269

Summary: Subscription manager fails when run with rootless Buildah
Product: Red Hat Enterprise Linux 8 Reporter: Daniel Walsh <dwalsh>
Component: subscription-managerAssignee: Pino Toscano <ptoscano>
Status: POST --- QA Contact: Red Hat subscription-manager QE Team <rhsm-qe>
Severity: medium Docs Contact:
Priority: high    
Version: 8.6CC: cdonnell, jhnidek, nalin, redakkan, zpetrace
Target Milestone: rcKeywords: Triaged
Target Release: 8.9   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2093291 (view as bug list) Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2093291    

Description Daniel Walsh 2022-05-28 11:19:59 UTC 
Users doing:

$ buildah unshare
# ctr=$(buildah from scratch)
# mnt=$(buildah mount $ctr)
# dnf -y install --installroot=$mnt --releasever=8 httpd

Blows up, because the RedHat Subcription manager plugin attempts to
write to paths in /run and /var/lib that are not writable within the
user namespace.

I think we have to work with the subscription manager people to follow
XDG_RUNTIME_DIR and understand that they are running in a rootless user
namespace environment, to make this work.

This works fine with Fedora and Centos, it only seems to blow up in
RHEL, because of subscription manager.
Comment 5 Daniel Walsh 2022-09-06 19:16:25 UTC 
The issue here is the subscription manager realizing that it is running within a rootless environment. The subscription manager is assuming it is running as root, where it should be fully able to run in non root environments.
Comment 6 Daniel Walsh 2022-09-06 20:56:24 UTC 
BTW I am seeing the same symptoms, subscription manager thinks it is running as root in a user namespace and attempts to write to /run as if it was real root.
It should be using XDG_RUNTIME_DIR if it is set, and then the user would be able to write the content.

XDG_RUNTIME_DIR=/run/user/$UID
Comment 8 Zdenek Petracek 2023-06-08 12:04:45 UTC 
Reproducing the bug on a SUBMAN version:
[testuser@kvm-01-guest24 ~]$ subscription-manager version
You are attempting to run "subscription-manager" which requires administrative
privileges, but more information is needed in order to do so.
Authenticating as "root"
Password: 
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.28.37-1.el8

Reproducing the bug:
[testuser@kvm-01-guest24 ~]$ buildah unshare
[root@kvm-01-guest24 ~]# ctr=$(buildah from scratch)
[root@kvm-01-guest24 ~]# mnt=$(buildah mount $ctr)

[root@kvm-01-guest24 ~]# dnf -y install --installroot=$mnt --releasever=8 httpd
2023-06-08 13:53:55,900 [ERROR] dnf:19128:MainThread @logutil.py:236 - [Errno 13] Permission denied: '/var/log/rhsm/rhsm.log' - Further logging output will be written to stderr
Updating Subscription Management repositories.
Unable to read consumer identity
2023-06-08 13:53:55,901 [ERROR] dnf:19128:MainThread @lock.py:152 - [Errno 13] Permission denied: '/run/rhsm/cert.pid'
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 132, in acquire
    f.open()
  File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 41, in open
    self.fp = open(self.path, 'w')
PermissionError: [Errno 13] Permission denied: '/run/rhsm/cert.pid'
could not create lock

This system is not registered with an entitlement server. You can use subscription-manager to register.
^^ Errors appeared -> bug reproduced

Pre-verifying on version:
[testuser@kvm-01-guest24 ~]$ subscription-manager version
You are attempting to run "subscription-manager" which requires administrative
privileges, but more information is needed in order to do so.
Authenticating as "root"
Password: 
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.28.38+6.g76d589b9a-1.git.0.e3e938d

Verification process:
[testuser@kvm-01-guest24 ~]$ buildah unshare
[root@kvm-01-guest24 ~]# ctr=$(buildah from scratch)
[root@kvm-01-guest24 ~]# mnt=$(buildah mount $ctr)

[root@kvm-01-guest24 ~]# dnf -y install --installroot=$mnt --releasever=8 httpd
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

beaker-AppStream                                                                                                   50 MB/s | 8.1 MB     00:00    
beaker-AppStream-debuginfo                                                                                         43 MB/s | 6.0 MB     00:00    
beaker-BaseOS                                                                                                      27 MB/s | 2.4 MB     00:00    
beaker-BaseOS-debuginfo                                                                                            22 MB/s | 1.8 MB     00:00    
beaker-CRB                                                                                                         25 MB/s | 2.3 MB     00:00    
beaker-CRB-debuginfo                                                                                               99 kB/s | 529 kB     00:05    
beaker-HighAvailability                                                                                           8.1 MB/s | 600 kB     00:00    
beaker-HighAvailability-debuginfo                                                                                 306 kB/s |  18 kB     00:00    
beaker-NFV                                                                                                         12 MB/s | 886 kB     00:00    
beaker-NFV-debuginfo                                                                                              4.9 MB/s | 329 kB     00:00    
beaker-RT                                                                                                          12 MB/s | 884 kB     00:00    
beaker-RT-debuginfo                                                                                               5.3 MB/s | 329 kB     00:00    
beaker-ResilientStorage                                                                                           8.7 MB/s | 603 kB     00:00    
beaker-ResilientStorage-debuginfo                                                                                 326 kB/s |  18 kB     00:00    
beaker-SAP                                                                                                        136 kB/s | 8.0 kB     00:00    
beaker-SAP-debuginfo                                                                                              244 kB/s |  13 kB     00:00    
beaker-SAPHANA                                                                                                    200 kB/s |  13 kB     00:00    
beaker-SAPHANA-debuginfo                                                                                          203 kB/s |  13 kB     00:00    
beaker-harness                                                                                                    333 kB/s | 524 kB     00:01    
beaker-tasks                                                                                                      432 kB/s | 5.8 MB     00:13    
Dependencies resolved.
==================================================================================================================================================
 Package                                Architecture      Version                                               Repository                   Size
==================================================================================================================================================
Installing:
 httpd                                  x86_64            2.4.37-56.module+el8.8.0+18758+b3a9c8da.6             beaker-AppStream            1.4 M
...
  redhat-release-8.9-0.0.el8.x86_64                                            redhat-release-eula-8.9-0.0.el8.x86_64                                 
  rpm-4.14.3-26.el8.x86_64                                                     rpm-libs-4.14.3-26.el8.x86_64                                          
  sed-4.5-5.el8.x86_64                                                         setup-2.12.2-9.el8.noarch                                              
  shadow-utils-2:4.6-18.el8.x86_64                                             shared-mime-info-1.9-3.el8.x86_64                                      
  sqlite-libs-3.26.0-18.el8_8.x86_64                                           systemd-239-75.el8.x86_64                                              
  systemd-libs-239-75.el8.x86_64                                               systemd-pam-239-75.el8.x86_64                                          
  systemd-udev-239-75.el8.x86_64                                               trousers-0.3.15-1.el8.x86_64                                           
  trousers-lib-0.3.15-1.el8.x86_64                                             tzdata-2023c-1.el8.noarch                                              
  util-linux-2.32.1-42.el8_8.x86_64                                            which-2.21-20.el8.x86_64                                               
  xkeyboard-config-2.28-1.el8.noarch                                           xz-5.2.4-4.el8_6.x86_64                                                
  xz-libs-5.2.4-4.el8_6.x86_64                                                 zlib-1.2.11-25.el8.x86_64                                              

Complete!
^^ pre-verification PASSED