Bug 1272148 - Attaching a subscription with a pool-id auto enabled auto-attach aka auto-healing
Attaching a subscription with a pool-id auto enabled auto-attach aka auto-hea...
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager (Show other bugs)
7.1
Unspecified Unspecified
unspecified Severity medium
: rc
: ---
Assigned To: candlepin-bugs
John Sefler
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-15 10:56 EDT by Kathryn Dixon
Modified: 2016-12-28 13:19 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-04 15:21:56 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kathryn Dixon 2015-10-15 10:56:19 EDT
Description of problem:

When registering, then subscribing a system with a pool id, the system is automatically defaulted to "auto-attach"

This can be an issue due to customers with virutal data center licenses because when a random system because unsubscribed it will "auto-attach" itself to any subscription, including ones that will not work on the system.

This also hurts because random systems will "auto-heal" and steal any subscription available ie Satellite subscription.

This will then cause issues when a customer is trying to register a satellite, and they get an error saying " no entitlement for satellite available"

Then you have to search through 100s of systems on the customer portal and find which system "auto-healed" itself with a Satellite entitlement and then remove it.

Version-Release number of selected component (if applicable):

How reproducible:

100%

Steps to Reproduce:
1. subscription-manager register
2. subscription-manager attach --pool= pool.id.here
3. subscription-manager auto-attach --show
subscription-manager auto-attach enabled
4. subscription-manager auto-attach --disable
this will disable the "auto-healing"

Actual results:

subscription-manager auto-attach --show
subscription-manager auto-attach enabled

Expected results:

subscription-manager auto-attach --show
subscription-manager auto-attach disabled

Additional info:

Myself and the customer believe this should not be enabled by default. When a system is registered with a pool id that is us saying, no I CHOSE what subscription I wanted, please do not take a random sub if anything ever happens.

Why this is important, the auto-healing can "eat" up almost anything, satellite skus, capsules, virtual data center physical skus.
Comment 2 John Sefler 2015-10-16 14:52:56 EDT
Adding some info for historical reference...
  Bug 710172 - [RFE] Provide automated healing of expiring subscriptions
  Bug 726411 - [RFE] Support for certificate healing
  ^^^
  These are the two RFE bugs from the pm Mike Khusid that introduced the desire for default auto healing

  Bug 976867 - subscription-manager autoheal needs feedback and a review of options
  ^^^
  This is the bug where the term auto-heal was replaced by auto-attach after a review with UXD Matt Reid.
Comment 3 John Sefler 2015-10-16 15:20:19 EDT
Currently the auto-attach preference is enabled by default which means that when the rhsmcertd runs (defaults to once every 4 hours - see autoAttachInterval=1440) the candlepin server will check the installed products to see that they are fully Subscribed.  If the system is not fully covered by valid subscriptions, then candlepin will do it's best with the subscriptions available to satisfy coverage of the installed products in need of coverage.  If multiple subscriptions are available (e.g. Subscription A provides coverage for product X and Y, and Subscription B provides coverage for X, while the system only needs additional coverage for product X), it is possible that candlepin will grant an entitlement from the heavier subscription (Subscription A which provides for product X (which is needed) and product Y (which is effectively wasted).   Maybe this is what is being observed in the problem description.


Some more info is need to understand exactly what is happing in the following two statements from the problem description.  As written, something feels wrong because the "auto-attach" feature will not consume a subscription unless it provides coverage for at least one installed product.  I have a feeling that your only available subscription provides content for both RHEL and Satellite and your RHEL system is auto-attaching to it.

> This can be an issue due to customers with virutal data center licenses because when a random system because unsubscribed it will "auto-attach" itself to any subscription, including ones that will not work on the system.

> This also hurts because random systems will "auto-heal" and steal any subscription available ie Satellite subscription.

Please show a list --available so we can seen exactly what is provided by your virutal data center subscription.
Comment 4 John Sefler 2015-10-16 15:33:05 EDT
Regardless of comment 3, it sounds like this RFE is to effectively issue an automatic call to "subscription-manager auto-attach --disable" whenever a call is made to "subscription-manager attach --pool=<POOLID>"

IMHO, this request will cause future problems down the road when the subscription expires leaving the system with installed products that are not covered by a valid subscription.

However if the user consciously wants to turn off the healing daemon, then they can manually call "subscription-manager auto-attach --disable".

I'm curious what the developers think.
Comment 7 Kathryn Dixon 2015-10-22 12:54:41 EDT
Just a side note "auto-heal" is causing 


example..

customer has 50 systems registered in the customer portal RHSM. 

They all become registered but not subscribed, within minutes they begin to grab subscriptions.

Customer is now on the phone with us.. 

Our phone specialists are trying to help through c-service to detach subscriptions, so that the customer can add the correct subscription to the correct system.

"RHEL for virtual datacenters"

As soon as the customer or RH was detaching the subscription from a host, it would immediately come back.. They then had to disable autoattach on all the registered but not subscribed systems to force them to stop, so they could att the RHEL for virtual datacenter onto the hypervisor.

I'm not saying with should end auto-heal.. it is good in some situations. I'm more so saying, virtual systems shouldn't "eat" or auto-heal themselves with PHYSICAL entitlements. They can heal all day with normal subs, but they are healing with subs that specifically go on very specific systems ( satellite, capsule, vdc, rhel for unlimited guests) ect.

I'll respond to the need info stuff soon. I just happen to catch this situation yesterday.
Comment 9 Barnaby Court 2016-01-04 15:21:56 EST
Closed in favor of RFEs referenced in Comment 8
Comment 10 Jenny Galipeau 2016-07-11 12:02:21 EDT
@Barnaby and @John ... how are the two RFE's mentioned addressing the obvious issues with auto-attach referenced in Comment 1 and Comment 7 ?  I am not sure this bug should be closed.  It seems to me that 'auto-attach' is, many times, grabbing incorrect subscriptions that cause the customers to have to painfully - manually correct things.

With expiring subscriptions, rhsm should easily be able find a matching subscription to 'auto-heal'.
Comment 11 Kathryn Dixon 2016-12-28 13:19:25 EST
closing this in favor of 
https://bugzilla.redhat.com/show_bug.cgi?id=1400655

Note You need to log in before you can comment on or make changes to this bug.