Bug 2091269

Summary: Subscription manager fails when run with rootless Buildah
Product: Red Hat Enterprise Linux 8
Reporter: Daniel Walsh <dwalsh>
Component: subscription-manager
Assignee: Pino Toscano <ptoscano>
Status: CLOSED ERRATA
QA Contact: Red Hat subscription-manager QE Team <rhsm-qe>
Severity: medium
Priority: high
Version: 8.6
CC: cdonnell, jhnidek, nalin, redakkan, zpetrace
Target Milestone: rc
Keywords: Triaged
Target Release: 8.9
Hardware: Unspecified
OS: Unspecified
Fixed In Version: subscription-manager-1.28.39-1.el8
Doc Type: No Doc Update
Clone Of:
: 2093291
Last Closed: 2023-11-14 15:47:57 UTC
Type: Bug
Bug Blocks: 2093291

Description Daniel Walsh 2022-05-28 11:19:59 UTC
Users doing:

$ buildah unshare
# ctr=$(buildah from scratch)
# mnt=$(buildah mount $ctr)
# dnf -y install --installroot=$mnt --releasever=8 httpd

Blows up, because the Red Hat Subscription Manager plugin attempts to
write to paths in /run and /var/lib that are not writable within the
user namespace.

I think we have to work with the subscription manager people to follow
XDG_RUNTIME_DIR and understand that they are running in a rootless user
namespace environment, to make this work.

This works fine with Fedora and CentOS, it only seems to blow up in
RHEL, because of subscription manager.

Comment 5 Daniel Walsh 2022-09-06 19:16:25 UTC
The issue here is the subscription manager realizing that it is running within a rootless environment. The subscription manager is assuming it is running as root, where it should be fully able to run in non-root environments.

Comment 6 Daniel Walsh 2022-09-06 20:56:24 UTC
BTW I am seeing the same symptoms, subscription manager thinks it is running as root in a user namespace and attempts to write to /run as if it was real root.
It should be using XDG_RUNTIME_DIR if it is set, and then the user would be able to write the content.

XDG_RUNTIME_DIR=/run/user/$UID
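
The behaviour asked for in comments 5 and 6, as an added sketch that is not part of the bug report and not subscription-manager's actual fix: uid 0 alone does not mean /run is writable, so the code inspects /proc/self/uid_map and falls back to XDG_RUNTIME_DIR. The function names, the "rhsm" subdirectory under XDG_RUNTIME_DIR and the sample uid_map strings are assumptions made for illustration.

```python
import os
import tempfile

FULL_RANGE = 4294967295  # length of the identity uid mapping on the host
# Constructed samples of /proc/self/uid_map (not taken from the bug report).
HOST_MAP = "         0          0 4294967295\n"
ROOTLESS_MAP = "         0       1000          1\n         1     100000      65536\n"


def in_user_namespace(uid_map_text):
    """Heuristic: anything other than the single identity row is a user namespace."""
    rows = [line.split() for line in uid_map_text.splitlines() if line.strip()]
    if len(rows) != 1 or len(rows[0]) != 3:
        return True
    inside, outside, length = (int(field) for field in rows[0])
    return not (inside == 0 and outside == 0 and length == FULL_RANGE)


def _usable(path):
    """Create the directory if needed and report whether we can write into it."""
    try:
        os.makedirs(path, mode=0o700, exist_ok=True)
    except OSError:
        return False
    return os.access(path, os.W_OK | os.X_OK)


def choose_lock_dir(system_dir, environ, euid, uid_map_text):
    """Return (directory, reason) for a pid/lock file such as cert.pid."""
    rootless = euid != 0 or in_user_namespace(uid_map_text)
    if not rootless and _usable(system_dir):
        return system_dir, "system"
    runtime = environ.get("XDG_RUNTIME_DIR")
    if runtime and os.path.isabs(runtime):
        candidate = os.path.join(runtime, "rhsm")  # hypothetical subdirectory
        if _usable(candidate):
            return candidate, "xdg"
    # Last resort: a private directory created with mode 0700.
    return tempfile.mkdtemp(prefix="rhsm-"), "tmp"


if __name__ == "__main__":
    with open("/proc/self/uid_map") as handle:  # Linux only
        current_map = handle.read()
    print(choose_lock_dir("/run/rhsm", os.environ, os.geteuid(), current_map))
```
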

Comment 8 Zdenek Petracek 2023-06-08 12:04:45 UTC
Reproducing the bug on a SUBMAN version:
[testuser@kvm-01-guest24 ~]$ subscription-manager version
You are attempting to run "subscription-manager" which requires administrative
privileges, but more information is needed in order to do so.
Authenticating as "root"
Password: 
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.28.37-1.el8

Reproducing the bug:
[testuser@kvm-01-guest24 ~]$ buildah unshare
[root@kvm-01-guest24 ~]# ctr=$(buildah from scratch)
[root@kvm-01-guest24 ~]# mnt=$(buildah mount $ctr)

[root@kvm-01-guest24 ~]# dnf -y install --installroot=$mnt --releasever=8 httpd
2023-06-08 13:53:55,900 [ERROR] dnf:19128:MainThread @logutil.py:236 - [Errno 13] Permission denied: '/var/log/rhsm/rhsm.log' - Further logging output will be written to stderr
Updating Subscription Management repositories.
Unable to read consumer identity
2023-06-08 13:53:55,901 [ERROR] dnf:19128:MainThread @lock.py:152 - [Errno 13] Permission denied: '/run/rhsm/cert.pid'
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 132, in acquire
    f.open()
  File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 41, in open
    self.fp = open(self.path, 'w')
PermissionError: [Errno 13] Permission denied: '/run/rhsm/cert.pid'
could not create lock

This system is not registered with an entitlement server. You can use subscription-manager to register.
^^ Errors appeared -> bug reproduced

Pre-verifying on version:
[testuser@kvm-01-guest24 ~]$ subscription-manager version
You are attempting to run "subscription-manager" which requires administrative
privileges, but more information is needed in order to do so.
Authenticating as "root"
Password: 
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.28.38+6.g76d589b9a-1.git.0.e3e938d

Verification process:
[testuser@kvm-01-guest24 ~]$ buildah unshare
[root@kvm-01-guest24 ~]# ctr=$(buildah from scratch)
[root@kvm-01-guest24 ~]# mnt=$(buildah mount $ctr)

[root@kvm-01-guest24 ~]# dnf -y install --installroot=$mnt --releasever=8 httpd
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

beaker-AppStream                                                                                                   50 MB/s | 8.1 MB     00:00    
beaker-AppStream-debuginfo                                                                                         43 MB/s | 6.0 MB     00:00    
beaker-BaseOS                                                                                                      27 MB/s | 2.4 MB     00:00    
beaker-BaseOS-debuginfo                                                                                            22 MB/s | 1.8 MB     00:00    
beaker-CRB                                                                                                         25 MB/s | 2.3 MB     00:00    
beaker-CRB-debuginfo                                                                                               99 kB/s | 529 kB     00:05    
beaker-HighAvailability                                                                                           8.1 MB/s | 600 kB     00:00    
beaker-HighAvailability-debuginfo                                                                                 306 kB/s |  18 kB     00:00    
beaker-NFV                                                                                                         12 MB/s | 886 kB     00:00    
beaker-NFV-debuginfo                                                                                              4.9 MB/s | 329 kB     00:00    
beaker-RT                                                                                                          12 MB/s | 884 kB     00:00    
beaker-RT-debuginfo                                                                                               5.3 MB/s | 329 kB     00:00    
beaker-ResilientStorage                                                                                           8.7 MB/s | 603 kB     00:00    
beaker-ResilientStorage-debuginfo                                                                                 326 kB/s |  18 kB     00:00    
beaker-SAP                                                                                                        136 kB/s | 8.0 kB     00:00    
beaker-SAP-debuginfo                                                                                              244 kB/s |  13 kB     00:00    
beaker-SAPHANA                                                                                                    200 kB/s |  13 kB     00:00    
beaker-SAPHANA-debuginfo                                                                                          203 kB/s |  13 kB     00:00    
beaker-harness                                                                                                    333 kB/s | 524 kB     00:01    
beaker-tasks                                                                                                      432 kB/s | 5.8 MB     00:13    
Dependencies resolved.
==================================================================================================================================================
 Package                                Architecture      Version                                               Repository                   Size
==================================================================================================================================================
Installing:
 httpd                                  x86_64            2.4.37-56.module+el8.8.0+18758+b3a9c8da.6             beaker-AppStream            1.4 M
...
  redhat-release-8.9-0.0.el8.x86_64                                            redhat-release-eula-8.9-0.0.el8.x86_64                                 
  rpm-4.14.3-26.el8.x86_64                                                     rpm-libs-4.14.3-26.el8.x86_64                                          
  sed-4.5-5.el8.x86_64                                                         setup-2.12.2-9.el8.noarch                                              
  shadow-utils-2:4.6-18.el8.x86_64                                             shared-mime-info-1.9-3.el8.x86_64                                      
  sqlite-libs-3.26.0-18.el8_8.x86_64                                           systemd-239-75.el8.x86_64                                              
  systemd-libs-239-75.el8.x86_64                                               systemd-pam-239-75.el8.x86_64                                          
  systemd-udev-239-75.el8.x86_64                                               trousers-0.3.15-1.el8.x86_64                                           
  trousers-lib-0.3.15-1.el8.x86_64                                             tzdata-2023c-1.el8.noarch                                              
  util-linux-2.32.1-42.el8_8.x86_64                                            which-2.21-20.el8.x86_64                                               
  xkeyboard-config-2.28-1.el8.noarch                                           xz-5.2.4-4.el8_6.x86_64                                                
  xz-libs-5.2.4-4.el8_6.x86_64                                                 zlib-1.2.11-25.el8.x86_64                                              

Complete!
^^ pre-verification PASSED

Comment 14 Zdenek Petracek 2023-08-25 19:14:38 UTC
Final verification done on SUBMAN version:
[testuser@kvm-01-guest06 ~]$ rpm -qa | grep subscription-manager
python3-subscription-manager-rhsm-1.28.39-1.el8.x86_64
subscription-manager-1.28.39-1.el8.x86_64
dnf-plugin-subscription-manager-1.28.39-1.el8.x86_64
subscription-manager-rhsm-certificates-20220623-1.el8.noarch

[testuser@kvm-01-guest06 ~]$ buildah unshare
[root@localhost ~]# ctr=$(buildah from scratch)
[root@localhost ~]# mnt=$(buildah mount $ctr)

The system is unregistered:
[root@kvm-01-guest06 ~]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Unknown

System Purpose Status: Unknown


[root@kvm-01-guest06 ~]# dnf -y install --installroot=$mnt --releasever=8 httpd
...
Installed:
  acl-2.2.53-1.el8.x86_64                                           apr-1.6.3-12.el8.x86_64                                     
  apr-util-1.6.1-9.el8.x86_64                                       apr-util-bdb-1.6.1-9.el8.x86_64                             
  apr-util-openssl-1.6.1-9.el8.x86_64                               audit-libs-3.0.7-5.el8.x86_64                               
  basesystem-11-5.el8.noarch                                        bash-4.4.20-4.el8_6.x86_64                                  
  brotli-1.0.6-3.el8.x86_64                                         bzip2-libs-1.0.6-26.el8.x86_64                              
  ca-certificates-2022.2.54-80.2.el8_6.noarch                       chkconfig-1.19.2-1.el8.x86_64                               
                        
...                            
  lua-libs-5.3.4-12.el8.x86_64                                      lz4-libs-1.8.3-3.el8_4.x86_64                               
  mailcap-2.1.48-3.el8.noarch                                       memstrack-0.2.5-2.el8.x86_64                                
  mod_http2-1.15.7-8.module+el8.9.0+19080+567b90f8.3.x86_64         mpfr-3.1.6-1.el8.x86_64                                     
  ncurses-6.1-10.20180224.el8.x86_64                                ncurses-base-6.1-10.20180224.el8.noarch                     
  ncurses-libs-6.1-10.20180224.el8.x86_64                           nettle-3.4.1-7.el8.x86_64                                   
  openldap-2.4.46-18.el8.x86_64                                     openssl-1:1.1.1k-9.el8_7.x86_64                             
  openssl-libs-1:1.1.1k-9.el8_7.x86_64                              openssl-pkcs11-0.4.10-3.el8.x86_64                          
                                  
  xz-libs-5.2.4-4.el8_6.x86_64                                      zlib-1.2.11-25.el8.x86_64                                   

Complete!
^^ Final Verification PASSED

Comment 16 errata-xmlrpc 2023-11-14 15:47:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7092