Bug 479439
Summary: | Satellite cert activation needs to handle case where entitlements has been discontinued/removed: ideally warn user to cancel and purchase subscriptions, or proceed and force-unentitle | |||
---|---|---|---|---|
Product: | Red Hat Satellite 5 | Reporter: | Travis Kepley <tkepley> | |
Component: | Registration | Assignee: | Justin Sherrill <jsherril> | |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Corey Welton <cwelton> | |
Severity: | high | Docs Contact: | ||
Priority: | high | |||
Version: | 520 | CC: | bperkins, cperry, mdavis, tao, xdmoon | |
Target Milestone: | --- | Keywords: | Reopened | |
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | sat530 | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 489584 (view as bug list) | Environment: | ||
Last Closed: | 2009-09-10 20:31:48 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 456985, 487993 |
Description
Travis Kepley
2009-01-09 16:30:46 UTC
Closed. This was already implemented in Satellite 5.1.0. Please follow the instructions below: 1. In the /etc/rhn/rhn.conf file, set web.force_unentitlement=1 2. Restart Satellite (needed one time only) You should then be able to active your new Satellite certificate. Note that modifying the web.force_unentitlement variable is only necessary to decrement an organization's allocated entitlemetns below what they are using. If an organization has more entitlements than are being actively used, you do not need to set this variable to remove them. You can read more about it at: http://www.redhat.com/f/pdf/rhn/Multiorg-whitepaper_final.pdf Specifically look at the "Certificate Has Less Entitlements Than I Am Using" section. I know in this situation its not Multi-Org related, but the solution above should work for this situation. Please reopen if this does not cover your particular situation. It still seems to be a bug--it still fails: [root@XXXXX ~]# cat /etc/rhn/rhn.conf|grep -i web.force_ web.force_unentitlement=1 [root@XXXXX ~]# rhn-satellite-activate --rhn-cert=break.cert RHN_PARENT: satellite.rhn.redhat.com ERROR:: You do not have enough entitlements in the base org. And, of course, the satellite was restarted. This is a big deal that a lot of our customers are hitting. If they let their old cert expire, we have to issue them a temporary cert with enough entitlements to login just to unentitle enough machines to use their new, permanent certificate. This is after the time wasted trying the new cert that fails. Thus resulting in a lengthy time without a Satellite. Let me know if I can be of any other help. The whitepaper is completely wrong. web.force_unentitlement doesn't affect rhn-satellite-activate at all. It will always fail if there are not enough entitlements in the base org. Actually i missread the whitepaper after reading brandon's comment. The whitepaper is correct. Leaving on -triage - following up to comment #2 by emailing Matt Davis asking for specifics to be gathered. If we have no bug in our code, but our code is not flexible enough - we need to understand so we can look to make improvements in 530 if needed. Cliff Still waiting for data. For now - leaving on -triage Xixi, It appears that monitoring is the source of the problem. All of the old certs had monitoring, and had systems using monitoring, while none of the new certs have Monitoring Entitlements. I think we have 2 issues here: 1. Should the satellite code be robust enough to forcibly unentitle machines that lose appropriate entitlements? I know that there is that new tunable in rhn.conf, but it does not appear to work. 2. Why did we stop giving customer's the 20 complementary Monitoring entitlements? I remember vaguely this happening a few months ago, but as it may lead to many issues being created, should this be re-addressed? Thanks for finding the culprit : ) Now to find out the appropriate way to proceed. -- Brian Internal Status set to 'Waiting on SEG' This event sent from IssueTracker by bhamrick issue 264584 (In reply to comment #13) > I think we have 2 issues here: > 1. Should the satellite code be robust enough to forcibly unentitle > machines that lose appropriate entitlements? I know that there is that > new tunable in rhn.conf, but it does not appear to work. > Per Engineering, the rhn.conf configuration works, this is just an edge case it needs to handle, so that's the main issue with this BZ right now. I.e., if you don't have an entitlement anymore for some reason, we shouldn't block you from activating but instead activate while unentitling the existing ones being used if they're no longer entitled. Satellite Engineering: Would it be possible to either add an option to satellite-activate - telling user what's about to be unentitled, and giving them an option to choose not to activate for the time being and to purchase the entitlements instead? B/c it's alot harder if at all possible to track down what had been unentitled and to restore entitlements. It's also possible that occasionally certificates have wrong slots by mistake, in which case, this will alert the user and prevent unnecessary pain. > 2. Why did we stop giving customer's the 20 complementary Monitoring > entitlements? I remember vaguely this happening a few months ago, but as > it may lead to many issues being created, should this be re-addressed? > As discussed on IRC earlier, we're no longer giving away the 20 complementary each of Monitoring and Provisioning entitlements. Looking into official/public-facing statements. Thanks, Xixi So after speaking with Todd Sanders, for the short term we're just going to add a message to rhn-satellite-activate to tell the user what entitlement is the problem. Here's some example text: ERROR: You do not have enough unused 'monitoring_entitled' entitlements in the base org. Please un-entitle systems from this entitlement until there are at most 0 used. Long term, we need to add logic to actually un-entitle systems after some warning. I'm going to clone this bz to another for the long term fix. commit 36328970c7b054675ed733585cb7ea5e610430f6 tree a92fee1dbc3a64feaff18f16483305d0da3f8c83 tree | snapshot parent 9a6c890561f61c47b9de774524fe2f5dd74a203a commit | diff To reproduce issue: 1. activate certificate with monitoring 2. Register a system and add a monitoring entitlement 3. Activate a new certificate without monitoring QA Verified this particular fix. There's a lot else going on with this message right now, but it's all out of scope of this bz. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-1434.html |