Bug 2231100

Summary: [RFE] change the container detection to check harder for secrets
Product: Red Hat Enterprise Linux 8
Reporter: Pino Toscano <ptoscano>
Component: subscription-manager
Assignee: mhorky
Status: POST ---
QA Contact: CSI Client Tools Bugs <csi-client-tools-bugs>
Severity: high
Docs Contact:
Priority: unspecified
Version: 8.9
CC: cdonnell, zpetrace
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: 8.9
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Story
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Pino Toscano 2023-08-10 14:53:42 UTC
subscription-manager currently detects whether it is running in a container, and disables itself in that case. This is because the business requirements so far are that RHEL containers get the entitlements from the host. Over the years, more use cases showed up (e.g. UBI running in OCP 4, UBI running on non-RHEL hosts, etc) that are valid for us and for our customers, and they are not easy to get with the current detection in subscription-manager.

Hence, as a result of internal discussions, we decided to relax/tweak the existing detection; this will mean the following changes:
- the detection done for secrets will be improved to also check that /etc/pki/entitlement-host exists and that it contains entitlement certificates; this way, an empty /etc/rhsm-host will not trigger the container mode anymore

Updates to documentation/KBs/etc. will be done separately after this is implemented, and are not tracked by this bz.

Related: bug 2203096 (this is a backport of only the changes relevant in RHEL 8).
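An illustration of the relaxed check described in the bug, added here as an example (not subscription-manager's own code) in Python, the tool's language. It assumes the two paths named in the bug, uses a PEM header check as a stand-in for "contains entitlement certificates", and evaluates both the old and the new rule against constructed directory layouts in temporary directories.

```python
import tempfile
from pathlib import Path

# Paths a container sees when the host's rhsm secrets are mounted in (both named
# in the bug); the real tool's exact checks are not reproduced here.
RHSM_HOST_DIR = "etc/rhsm-host"
ENTITLEMENT_HOST_DIR = "etc/pki/entitlement-host"
PEM_CERT_HEADER = b"-----BEGIN CERTIFICATE-----"

def has_entitlement_certs(ent_dir: Path) -> bool:
    """True if ent_dir holds at least one <id>.pem that is a PEM certificate."""
    if not ent_dir.is_dir():
        return False
    for pem in ent_dir.glob("*.pem"):
        if pem.name.endswith("-key.pem") or not pem.is_file():
            continue  # <id>-key.pem is the private key, not an entitlement cert
        if pem.read_bytes()[:64].lstrip().startswith(PEM_CERT_HEADER):
            return True
    return False

def legacy_container_mode(root: str = "/") -> bool:
    """Old behaviour: the mere presence of /etc/rhsm-host disables the tool."""
    return (Path(root) / RHSM_HOST_DIR).is_dir()

def relaxed_container_mode(root: str = "/") -> bool:
    """New behaviour: /etc/rhsm-host AND a certificate in /etc/pki/entitlement-host."""
    r = Path(root)
    return (r / RHSM_HOST_DIR).is_dir() and has_entitlement_certs(r / ENTITLEMENT_HOST_DIR)

# Constructed layouts (relative path -> file bytes, None = empty directory); not real data.
LAYOUTS = {
    "no_secrets": {}, "empty_rhsm_host": {RHSM_HOST_DIR: None},
    "key_only": {RHSM_HOST_DIR: None,
                 f"{ENTITLEMENT_HOST_DIR}/1-key.pem": b"-----BEGIN RSA PRIVATE KEY-----\nfake\n"},
    "with_cert": {RHSM_HOST_DIR: None,
                  f"{ENTITLEMENT_HOST_DIR}/1.pem": PEM_CERT_HEADER + b"\nfake-body\n"},
}

def demo() -> dict:
    """Return {layout: (legacy, relaxed)} after building each layout in a temp dir."""
    results = {}
    for name, files in LAYOUTS.items():
        with tempfile.TemporaryDirectory() as root:
            for rel, content in files.items():
                p = Path(root) / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.mkdir() if content is None else p.write_bytes(content)
            results[name] = (legacy_container_mode(root), relaxed_container_mode(root))
    return results
```

The "empty_rhsm_host" and "key_only" layouts are the cases the bug targets: the old rule switches the tool off, the relaxed rule lets it register as if on a plain host.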

Comment 2 Zdenek Petracek 2023-08-17 11:46:25 UTC
Pre-verification done on SUBMAN version:
[root@kvm-02-guest03 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.28.38+19.geac279219-1.git.0.5ed9b8d

Checking for shared secrets:
[root@kvm-02-guest03 /]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password: 
The system has been registered with ID: b7e30e89-b6d1-4ebc-9d7e-2afdef3dbe7a
The registered system name is: kvm-02-guest03.rhts.eng.brq.redhat.com

[root@kvm-02-guest03 /]# subscription-manager attach
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status:       Subscribed

[root@kvm-02-guest03 /]# ll /etc/pki/entitlement
total 52
-rw-r--r--. 1 root root  3272 Aug 17 13:27 3460476172276112314-key.pem
-rw-r--r--. 1 root root 31710 Aug 17 13:27 3460476172276112314.pem
-rw-r--r--. 1 root root  3272 Aug 17 13:27 5348984623186667049-key.pem
-rw-r--r--. 1 root root  8757 Aug 17 13:27 5348984623186667049.pem
[root@kvm-02-guest03 /]# ll /etc/rhsm
total 8
drwxr-xr-x. 2 root root   68 Aug 17 13:16 ca
drwxr-xr-x. 2 root root    6 Aug 15 16:47 facts
-rw-r--r--. 1 root root 1662 Aug 15 16:47 logging.conf
drwxr-xr-x. 2 root root    6 Aug 15 16:47 pluginconf.d
-rw-r--r--. 1 root root 3147 Aug 17 13:23 rhsm.conf
drwxr-xr-x. 2 root root   54 Aug 17 13:26 syspurpose

[root@kvm-02-guest03 /]# podman pull registry.access.redhat.com/ubi8/ubi:8.8-1032
Trying to pull registry.access.redhat.com/ubi8/ubi:8.8-1032...
Getting image source signatures
Checking if image destination supports signatures
Copying blob bea2a0b08f4f done  
Copying config 7e569fa199 done  
Writing manifest to image destination
Storing signatures
7e569fa199c00a48fc249200463d903ca157a4e965348a845827871f4ede3714

[root@kvm-02-guest03 /]# podman run -it ubi:8.8-1032
[root@398f901aeb56 /]# ls /run/secrets/rhsm/
ca  logging.conf  rhsm.conf  syspurpose

[root@398f901aeb56 /]# ls /run/secrets/etc-pki-entitlement/
3460476172276112314-key.pem  3460476172276112314.pem  5348984623186667049-key.pem  5348984623186667049.pem

Unregistering the system and trying to register from inside of the container:
[root@kvm-02-guest03 /]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Unknown

System Purpose Status: Unknown

[root@kvm-02-guest03 /]# podman run -it ubi:8.8-1032
[root@eae165b8da40 /]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.28.38+19.geac279219-1.git.0.5ed9b8d

[root@eae165b8da40 /]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password: 
The system has been registered with ID: 1d53ff7f-550a-44d2-a659-91d5b9d8d527
The registered system name is: eae165b8da40
^^ the system was able to register from inside of the container as expected --> PRE-VERIFICATION PASSED