Bug 2203096
Summary: | [RFE] change the container detection to only check for secrets | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 9 | Reporter: | Pino Toscano <ptoscano> |
Component: | subscription-manager | Assignee: | candlepin-bugs |
Status: | CLOSED ERRATA | QA Contact: | Red Hat subscription-manager QE Team <rhsm-qe> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | jpazdziora, redakkan, weiliu, zpetrace |
Target Milestone: | rc | Keywords: | FutureFeature, Triaged |
Target Release: | 9.3 | Flags: | pm-rhel: mirror+ |
Hardware: | All | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | subscription-manager-1.29.36-1.el9 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2023-11-07 08:51:53 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Pino Toscano
2023-05-11 08:57:37 UTC
*** Bug 2216079 has been marked as a duplicate of this bug. ***

Reproducing the issues on SM version:

[root@kvm-02-guest05 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.29.35-1.el9

1st scenario - subscription-manager will not check anymore whether it is running under docker or podman, only detection left will be based on whether secrets:

[root@kvm-02-guest05 ~]# subscription-manager status
+-------------------------------------------+
System Status Details
+-------------------------------------------+
Overall Status: Unknown
System Purpose Status: Unknown

[root@kvm-02-guest05 ~]# podman pull registry.access.redhat.com/ubi9/ubi:9.2-696
Trying to pull registry.access.redhat.com/ubi9/ubi:9.2-696...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 7b3dd25bf011 done
Copying config 663a35613b done
Writing manifest to image destination
Storing signatures
663a35613bf10445ee2fd4af90024ccb83aecf3985b7e98c9e9a87f0f3131865
[root@kvm-02-guest05 ~]# podman run -it ubi:9.2-696 /bin/bash
[root@7bfe891bb5ae /]# subscription-manager register
subscription-manager is disabled when running inside a container. Please refer to your host system for subscription management.
^^ I was not able to register the system inside of the container as expected

registering the system:

[root@kvm-02-guest05 ~]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password:
The system has been registered with ID: bcad4504-374d-46c4-99de-ef46b467339a
The registered system name is: kvm-02-guest05.rhts.eng.brq.redhat.com
[root@kvm-02-guest05 product-default]# subscription-manager attach
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status: Subscribed

[root@36d161dd8832 /]# ls /etc/pki/product-default/
479.pem
^^ system is using the host's entitlement as expected

2nd scenario - the messaging "container mode" that is printed by subscription-manager will be changed:

[root@kvm-02-guest05 ~]# subscription-manager status
+-------------------------------------------+
System Status Details
+-------------------------------------------+
Overall Status: Unknown
System Purpose Status: Unknown

[root@7bfe891bb5ae /]# subscription-manager status
subscription-manager is disabled when running inside a container. Please refer to your host system for subscription management.
^^ old message is shown here as expected

3rd scenario - environment variable SMDEV_CONTAINER_OFF will be dropped:

[root@kvm-02-guest05 ~]# subscription-manager status
+-------------------------------------------+
System Status Details
+-------------------------------------------+
Overall Status: Unknown
System Purpose Status: Unknown

[root@7bfe891bb5ae /]# export SMDEV_CONTAINER_OFF=true
[root@7bfe891bb5ae /]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password:
The system has been registered with ID: 88f93e87-7a2e-4ab2-a660-b1f524fe5882
The registered system name is: kvm-02-guest05.rhts.eng.brq.redhat.com
[root@7bfe891bb5ae /]# subscription-manager status
+-------------------------------------------+
System Status Details
+-------------------------------------------+
Overall Status: Unknown
System Purpose Status: Unknown

Pre-verification done on the SM version:

[root@kvm-02-guest05 sm_new]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.29.35-1.git.36.455a011.el9

1st scenario - subscription-manager will not check anymore whether it is running under docker or podman, only detection left will be based on whether secrets:

[root@kvm-02-guest05 sm_new]# podman pull registry.access.redhat.com/ubi9/ubi:9.2-696
Trying to pull registry.access.redhat.com/ubi9/ubi:9.2-696...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 7b3dd25bf011 skipped: already exists
Copying config 663a35613b done
Writing manifest to image destination
Storing signatures
663a35613bf10445ee2fd4af90024ccb83aecf3985b7e98c9e9a87f0f3131865
[root@kvm-02-guest05 sm_new]# podman run -it ubi:9.2-696 /bin/bash

trying to register the system:

[root@7ac5ee675ca9 yum.repos.d]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password:
The system has been registered with ID: 7115f112-3b25-4e23-be52-689426d0030b
The registered system name is: 7ac5ee675ca9
[root@7ac5ee675ca9 yum.repos.d]# subscription-manager attach --auto
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status: Subscribed
^^ I was able to register the system even when secrets were not shared by the host system

registering the host system and checking for entitlements in the container:

[root@kvm-02-guest05 sm_new]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password:
The system has been registered with ID: c3042ea1-7999-48ea-8081-6fe6157b375a
The registered system name is: kvm-02-guest05.rhts.eng.brq.redhat.com
[root@kvm-02-guest05 sm_new]# subscription-manager attach --auto
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status: Subscribed

root@kvm-02-guest05 /]# ll /etc/pki/product-default/
total 4
-rw-r--r--. 1 root root 2172 Jul 31 14:46 479.pem
[root@78d2a7642b7f /]# ls /etc/pki/product-default/
479.pem
^^ inside of the container there is the same file, so secrets are shared with the container as expected

2nd scenario - the messaging "container mode" that is printed by subscription-manager will be changed:

installing zsh:

[root@78d2a7642b7f /]# yum install zsh
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs) 15 MB/s | 23 MB 00:01
Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs) 11 MB/s | 13 MB 00:01
...
Installed:
zsh-5.8-9.el9.x86_64
Complete!
^^ The system message about containers is present and I was able to download and install zsh package after sharing secrets with the container and running 'subscription-manager version/register' the following message was shown as expected:

[root@b71353791b23 /]# subscription-manager version
subscription-manager is operating in container mode. Use your host system to manage subscriptions.
[root@b71353791b23 /]# subscription-manager register
subscription-manager is operating in container mode. Use your host system to manage subscriptions.

3rd scenario - environment variable SMDEV_CONTAINER_OFF will be dropped:

there is no need for testing the 3rd scenario as the 'SMDEV_CONTAINER_OFF' variable was dropped and as we saw we are able to do the actions we were used to do with SMDEV_CONTAINER_OFF before
--> PASSED

[root@kvm-02-guest09 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.29.36-1.el9

1st scenario: registering subman in a container while secrets are not shared

[root@kvm-02-guest09 ~]# podman run -it ubi:9.2-696 /bin/bash
[root@335615ca1c26 /]# clear
bash: clear: command not found
[root@335615ca1c26 /]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.29.36-1.el9
[root@335615ca1c26 /]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password:
The system has been registered with ID: 61a1529e-78bd-41f5-ab05-c29b56bb5864
The registered system name is: 335615ca1c26
[root@335615ca1c26 /]# subscription-manager attach --auto
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status: Subscribed
^^ I was able to register subman even without sharing secrets

registering the subman on the host system and checking that container uses shared secrets:

[root@kvm-02-guest09 ~]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password:
The system has been registered with ID: c5fa9a35-a651-4137-89a4-c9f70e30749f
The registered system name is: kvm-02-guest09.rhts.eng.brq.redhat.com
[root@kvm-02-guest09 product-default]# ll /etc/pki/product-default/
total 4
-rw-r--r--. 1 root root 2171 Aug 10 16:27 479.pem
[root@bf420aa46169 /]# ls /etc/pki/product-default/
479.pem
^^ container is using the secrets shared by the host system

2nd scenario: the message "container mode" that is printed will be changed:

root@bf420aa46169 /]# yum install zsh
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode. <-- message as expected
...
Installed:
zsh-5.8-9.el9.x86_64
Complete!

after running 'subscription-manager version/register' the following message should be also changed

[root@bf420aa46169 /]# subscription-manager version
subscription-manager is operating in container mode. Use your host system to manage subscriptions.
[root@bf420aa46169 /]# subscription-manager status
subscription-manager is operating in container mode. Use your host system to manage subscriptions.
[root@bf420aa46169 /]# subscription-manager register
subscription-manager is operating in container mode. Use your host system to manage subscriptions.
^^ messages shown are as expected

[root@bf420aa46169 /]# ls /etc/pki/product-default/
479.pem

3rd scenario: there is no need for testing the 3rd scenario as the 'SMDEV_CONTAINER_OFF' variable was dropped and as we saw we are able to do the actions we were used to do with SMDEV_CONTAINER_OFF before
--> PASSED

(In reply to Zdenek Petracek from comment #3)

Regarding comment no. 3 there should be some corrections for better understanding

[root@kvm-02-guest05 ~]# podman pull registry.access.redhat.com/ubi9/ubi:9.2-696
Trying to pull registry.access.redhat.com/ubi9/ubi:9.2-696...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 7b3dd25bf011 done
Copying config 663a35613b done
Writing manifest to image destination
Storing signatures
663a35613bf10445ee2fd4af90024ccb83aecf3985b7e98c9e9a87f0f3131865
[root@kvm-02-guest05 ~]# podman run -it ubi:9.2-696 /bin/bash
[root@7bfe891bb5ae /]# subscription-manager register
subscription-manager is disabled when running inside a container. Please refer to your host system for subscription management.
^^ I was not able to register the system inside of the container as expected

After running the container I pulled the same subscription-manager build to the container system as it is on the host system (steps are not shown) - and that's what was done for every new running container in the pre-verification steps

registering the system:

[root@kvm-02-guest05 ~]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password:
The system has been registered with ID: bcad4504-374d-46c4-99de-ef46b467339a
The registered system name is: kvm-02-guest05.rhts.eng.brq.redhat.com
[root@78d2a7642b7f /]# ls /etc/pki/product-default/
479.pem
^^ this path is incorrect, we should also look for
/etc/rhsm-host/ --> if directory exists, the system IS a container
and
/etc/pki/entitlement/host/ --> if there is an entitlement in the directory, the container will use the entitlement

2nd scenario - the messaging "container mode" that is printed by subscription-manager will be changed:

installing zsh:

[root@78d2a7642b7f /]# yum install zsh
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode. <-- old message was shown before the new sub-man build was pulled
Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs) 15 MB/s | 23 MB 00:01
Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6606
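
The check described in the correction comment above, where an existing /etc/rhsm-host/ directory marks a container and an entitlement under /etc/pki/entitlement/host/ is what the container will use, written out as an added shell example (not part of the bug report and not subscription-manager's own code). The function names, the root argument, the two overridable variables and the sample trees are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not subscription-manager code. It classifies a filesystem
# root using the two paths named in the comment above. The root argument and
# both variables are hypothetical knobs for running it on a constructed tree.

# Paths as written on this page; override them if your image uses others.
RHSM_HOST_DIR="${RHSM_HOST_DIR:-/etc/rhsm-host}"
ENT_HOST_DIR="${ENT_HOST_DIR:-/etc/pki/entitlement/host}"

# Prints one of: standalone | container-no-entitlement | container-entitled
rhsm_container_state() {
    root="${1:-}"
    # -d follows symlinks, so a symlink whose target is missing (secrets
    # not mounted into the container) counts as "directory absent".
    if [ ! -d "${root}${RHSM_HOST_DIR}" ]; then
        echo standalone
        return 0
    fi
    for pem in "${root}${ENT_HOST_DIR}"/*.pem; do
        # An unmatched glob stays literal and fails -f; -s rejects empty files.
        if [ -f "$pem" ] && [ -s "$pem" ]; then
            echo container-entitled
            return 0
        fi
    done
    echo container-no-entitlement
}

# Builds four constructed sample roots (not taken from the bug report)
# and prints the temporary directory that holds them.
build_samples() {
    base=$(mktemp -d)
    mkdir -p "$base/plain" "$base/bare$RHSM_HOST_DIR"
    mkdir -p "$base/shared$RHSM_HOST_DIR" "$base/shared$ENT_HOST_DIR"
    echo "constructed placeholder" > "$base/shared$ENT_HOST_DIR/1234.pem"
    mkdir -p "$(dirname "$base/dangling$RHSM_HOST_DIR")"
    ln -s /nonexistent/secrets/rhsm "$base/dangling$RHSM_HOST_DIR"
    echo "$base"
}

samples=$(build_samples)
for tree in plain bare shared dangling; do
    printf '%-9s %s\n' "$tree" "$(rhsm_container_state "$samples/$tree")"
done
rm -rf "$samples"
```

Calling `rhsm_container_state` with no argument inspects the running system's own root instead of a sample tree.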