Bug 2095316

Summary: subscription-manager shouldn't override repo list if it thinks it's in a container
Product: Red Hat Enterprise Linux 9 Reporter: Cédric Jeanneret <cjeanner>
Component: subscription-managerAssignee: candlepin-bugs
Status: CLOSED NOTABUG QA Contact: Red Hat subscription-manager QE Team <rhsm-qe>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 9.0CC: bdobreli, drosenfe
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-07-22 13:52:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2075080    

Description Cédric Jeanneret 2022-06-09 14:09:51 UTC 
Description of problem:

While testing osp-17 on a rhel9 host, subscribed to a satellite host, we're facing consistent issue with subscription-manager overriding the /etc/yum.repos.d/redhat.repo because it thinks it's running from within a container.

Some more context is available here:
https://bugzilla.redhat.com/show_bug.cgi?id=2058540
as well as our QE hitting that precise issue here:
https://bugzilla.redhat.com/show_bug.cgi?id=2075080

Basically:
- OSP has a "standard" bind-mount or /run:/run in all containers
- podman (container engine) pushes a /run/.containerenv file
- this file is then visible from the host
- dnf has an enabled plugin, "subscription-manager", running before any command (clean, makecache, install, erase, etc)

So, as soon as we have one container with that mount running on the node, and get any dnf command running, subscription-manager kicks in. It then thinks it's in a container and, instead of keeping the repo list as-is, it will override it.
But ONLY a small part: the equivalent of the rhsm "baseurl" - meaning it will be switched to https://cdn.redhat.com/<all the satellite path set during registration>

You can see such example in 2075080#c0.

IMHO, subcription-manager should NOT touch the repository list at all if it thinks it's in a container, especially when there's a valid /etc/rhsm/rhsm.conf file available (with all the correct settings)

Small thoughts about that:
what would happen if we run this:

podman run -v /etc/dnf:/etc/dnf -v /etc/yum.repos.d:/etc/yum.repos.d ubi9 dnf install httpd

Apparently, following what I've seen, it would at least try to edit the repository list (since running in a container), but SHOULD fail, thanks to SELinux (but would succeed on a permissive system - note that ":z" won't apply to those locations afaik).

Note:
- we can, of course, export the SMDEV_CONTAINER_OFF=True as an /etc/profile.d/ thingy (that's what I'm going to propose as a "sensible workaround" within tripleo/osp)
- we may be able to work in order to stop mounting /run, and expose only subdirectories
- or maybe podman can stop exposing that precise file on the host

But, really, subscription-manager shouldn't touch repository files if thinking it's in a container.

Cheers,

C.
Comment 1 Cédric Jeanneret 2022-07-22 13:52:43 UTC 
After discussions, this is expected behavior, and OSP isn't affected anymore (by exporting the variable, and with a podman patch that is coming through https://bugzilla.redhat.com/show_bug.cgi?id=2097694.