Bug 2214451
| Summary: | Running inside a container where rhsm.conf is missing on RHCOS, repo_ca_cert gets set to a bogus value: /etc/rhsm-host-host/ca/redhat-uep.pem | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | HuijingHei <hhei> |
| Component: | librhsm | Assignee: | Packaging Maintenance Team <packaging-team-maint> |
| Status: | CLOSED MIGRATED | QA Contact: | swm-qe |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 9.2 | CC: | amatej, dornelas, jmracek, mcurlej, ptoscano, walters, weiliu |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-09-02 00:58:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
HuijingHei
2023-06-13 03:01:48 UTC
Additional info: Same issue https://github.com/rpm-software-management/librhsm/issues/9

Simple workaround in https://github.com/rpm-software-management/librhsm/pull/10:
- Print debug log and skip replacing ca certificate dir if config file not found

We do not have the final solution for the issue now, it might be working for the rhcos base image, but I have a concern about whether it will make a regression for BZ#2108549, and whether it works for ubi8?

I built the scratch build https://kojihub.stream.rdu2.redhat.com/kojifiles/work/tasks/7640/2407640/librhsm-0.0.3-8.el9.x86_64.rpm with https://github.com/rpm-software-management/librhsm/pull/10, which works on the rhcos9 image:

```
$ oc logs bc-coreos-rhsm-5-build
...
Storing signatures
Adding transient rw bind mount for /run/secrets/rhsm
STEP 1/5: FROM registry.ci.openshift.org/coreos/hhei-rhcos-test:rhsm
STEP 2/5: RUN ls -la /etc/pki/entitlement/
total 0
drwxrwxrwt. 3 root root 120 Jun 27 12:45 .
drwxr-xr-x. 1 root root  25 Jun 27 12:46 ..
drwxr-xr-x. 2 root root  80 Jun 27 12:45 ..2023_06_27_12_45_51.88737879
lrwxrwxrwx. 1 root root  30 Jun 27 12:45 ..data -> ..2023_06_27_12_45_51.88737879
lrwxrwxrwx. 1 root root  26 Jun 27 12:45 entitlement-key.pem -> ..data/entitlement-key.pem
lrwxrwxrwx. 1 root root  22 Jun 27 12:45 entitlement.pem -> ..data/entitlement.pem
--> cf50b34652f
STEP 3/5: RUN rpm-ostree install libreswan
Enabled rpm-md repositories: rhel-9-for-x86_64-baseos-rpms rhel-9-for-x86_64-appstream-rpms
Updating metadata for 'rhel-9-for-x86_64-baseos-rpms'...done
Updating metadata for 'rhel-9-for-x86_64-appstream-rpms'...done
Importing rpm-md...done
rpm-md repo 'rhel-9-for-x86_64-baseos-rpms'; generated: 2023-06-26T13:51:40Z solvables: 4570
rpm-md repo 'rhel-9-for-x86_64-appstream-rpms'; generated: 2023-06-22T18:53:12Z solvables: 14255
Resolving dependencies...done
Will download: 9 packages (3.8 MB)
Downloading from 'rhel-9-for-x86_64-appstream-rpms'...done
Installing 9 packages:
...
Installing: libreswan-4.9-4.el9_2.x86_64 (rhel-9-for-x86_64-appstream-rpms)
```

I would like to ask you for verification of the issue. The bug is reported for RHEL9, but in #Comment0 it is written that `For latest ubi9 container image, the issue is gone`. It sounds to me like the issue is fixed. Even if we deliver the patch to RHEL9 it will not fix old RHEL9 images and it cannot fix RHEL8 images. I would like to ask you for a detailed clarification of why we need to deliver the patch.

(In reply to Jaroslav Mracek from comment #3)
> I would like to ask you for verification of the issue. The bug is reported for RHEL9, but in #Comment0 there is written that `For latest ubi9 container image, the issue is gone`. It sounds to me like the issue is fixed. Even if we deliver the patch to RHEL9 it will not fix old RHEL9 images and it cannot fix RHEL8 images. I would like to ask you for detailed clarification why we need to deliver the patch?

This is a little complicated: the patch is to fix the coreos image based on RHEL9, which ships subscription-manager-rhsm-certificates (but not subscription-manager), while the ubi9 container image includes the full subscription-manager.

When this bug was created, the ubi9 container worked well (fixed by BZ#2108549), now it does not work well (tracked by BZ#2216079, and dup to BZ#2203096).

In summary, the rhcos9 container image has the issue because there is no rhsm.conf, which is included in subscription-manager (but the rhcos image only includes subscription-manager-rhsm-certificates). But I have no idea about the current problem with the ubi9 container which uses subscription-manager, maybe someone from subscription has more context?

(In reply to HuijingHei from comment #4)
> When this bug was created, the ubi9 container worked well (fixed by BZ#2108549), now it does not work well (tracked by BZ#2216079, and dup to BZ#2203096).

(In reply to HuijingHei from comment #5)
> But I have no idea about the current problem with the ubi9 container which using subscription-manager, maybe someone from subscription has more context?

Not sure what you mean with
- "does not work well"
- "problem with the ubi9 container which using subscription-manager"

Could you please explain in a bit more detail what problematic situation you see with subscription-manager? Please specify what the exact environment is, and what the wanted goal is.

> (In reply to HuijingHei from comment #5)
> > But I have no idea about the current problem with the ubi9 container which using subscription-manager, maybe someone from subscription has more context?
>
> Not sure what do you mean with
> - "does not work well"

Sorry for the confusion, this means that for the ubi9 container image, `running entitled builds using SharedSecret objects` does not work as expected, see BZ#2216079

Could you help to review whether subscription-manager will be affected by https://github.com/rpm-software-management/librhsm/pull/10 ? Just want to make sure the change will not make a regression for entitled builds for ubi9. Thanks!

(In reply to HuijingHei from comment #7)
> Could you help to review whether the subscription-manager will be affected by https://github.com/rpm-software-management/librhsm/pull/10 ? Just want to make sure the change will not make regression for entitled builds for ubi9.

TTBOMK, subscription-manager does not use that code at all.

FYI:
> The issue is for entitlement build on OCP, and the workaround is to remove `/etc/rhsm-host`
In case your goal is to make sure that, no matter whether there are secrets available either when running a container or when doing a container build, it is possible to run subscription-manager (e.g. to register a container), then removing that symlink hopefully will be the official solution for it. This way, subscription-manager will never see the provided secrets.
> subscription-manager does not use that code at all.

Thanks for the confirmation, the patch https://github.com/rpm-software-management/librhsm/pull/10 is to fix the coreos image based on RHEL9 for entitled builds, and will not make any regression (for entitled builds) for the ubi container.

(In reply to Pino Toscano from comment #9)
> FYI:
>
> > The issue is for entitlement build on OCP, and the workaround is to remove `/etc/rhsm-host`
>
> In case your goal is to make sure that, no matter whether there are secrets available either when running a container or when doing a container build, it is possible to run subscription-manager (e.g. to register a container), then removing that symlink hopefully will be the official solution for it. This way, subscription-manager will never see the provided secrets.

Thanks Pino for the info, the problem is the coreos image based on RHEL9/8 which only ships subscription-manager-rhsm-certificates (but not subscription-manager), see https://github.com/rpm-software-management/librhsm/pull/10#discussion_r1223092580

One thing I want to confirm is that, by default the conf path is set to /etc/rhsm-host/rhsm.conf, but it does not exist on the rhcos image; the fix PR just adds a check for whether rhsm.conf exists when replacing the ca cert dir and repo dir: if not, skip; if yes, replace. Maybe it is safer to check whether the ca cert dir (or repo dir) is already under /etc/rhsm-host/ instead of checking whether rhsm.conf exists: if yes, skip; if not, replace.

Before replace: conf=/etc/rhsm-host/rhsm.conf, ca=/etc/rhsm-host/ca, repo=/etc/rhsm-host/ca/redhat-uep.pem
After replace: conf=/etc/rhsm-host/rhsm.conf, ca=/etc/rhsm-host-host/ca, repo=/etc/rhsm-host-host/ca/redhat-uep.pem

> by default the conf path is set to /etc/rhsm-host/rhsm.conf

when running the rhcos container on OCP, by default the conf path is set to /etc/rhsm-host/rhsm.conf,
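The double rewrite discussed above (ca=/etc/rhsm-host/ca turning into /etc/rhsm-host-host/ca), as an added illustration in C that is not librhsm's code: a naive prefix swap beside a guarded one that applies both checks proposed in the thread, skipping when rhsm.conf is absent or when the path already sits under /etc/rhsm-host. The constants RHSM_DIR and RHSM_HOST_DIR and the functions rewrite_naive and rewrite_guarded are names chosen here, and the "Before replace" value in main is constructed from the comment above.

```c
/* Added illustration of the path rewrite discussed in this bug; not librhsm's code. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define RHSM_DIR      "/etc/rhsm"
#define RHSM_HOST_DIR "/etc/rhsm-host"

/* Naive rewrite: swap a leading "/etc/rhsm" for "/etc/rhsm-host".  A path
 * already under /etc/rhsm-host still matches the prefix, so it becomes
 * /etc/rhsm-host-host/... (the bogus value in the summary).  Caller frees. */
char *rewrite_naive(const char *path)
{
    size_t plen = strlen(RHSM_DIR);
    if (strncmp(path, RHSM_DIR, plen) != 0)
        return strdup(path);
    size_t n = strlen(RHSM_HOST_DIR) + strlen(path + plen) + 1;
    char *out = malloc(n);
    if (out != NULL)
        snprintf(out, n, "%s%s", RHSM_HOST_DIR, path + plen);
    return out;
}

/* Guarded rewrite combining both checks proposed in the thread: skip when the
 * config file is absent (conf_exists == 0, defaults in use) or when the path
 * already sits under "/etc/rhsm-host" as a whole component, so the prefix is
 * never rewritten twice. */
char *rewrite_guarded(const char *path, int conf_exists)
{
    size_t hlen = strlen(RHSM_HOST_DIR);
    int already_host = strncmp(path, RHSM_HOST_DIR, hlen) == 0 &&
                       (path[hlen] == '/' || path[hlen] == '\0');
    if (!conf_exists || already_host)
        return strdup(path);
    return rewrite_naive(path);
}

int main(void)
{
    /* Constructed default value matching the "Before replace" line above. */
    const char *repo = RHSM_HOST_DIR "/ca/redhat-uep.pem";
    int conf_exists = access(RHSM_HOST_DIR "/rhsm.conf", F_OK) == 0;
    char *bad = rewrite_naive(repo), *good = rewrite_guarded(repo, conf_exists);
    printf("naive:   %s\nguarded: %s\n", bad, good);
    free(bad); free(good);
    return 0;
}
```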
Hi Jaroslav, are there any updates for this? Thanks!

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to the Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like: "Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days