1272148 – Attaching a subscription with a pool-id auto enabled auto-attach aka auto-healing

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1272148 - Attaching a subscription with a pool-id auto enabled auto-attach aka auto-healing

Summary: Attaching a subscription with a pool-id auto enabled auto-attach aka auto-hea...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	subscription-manager
Sub Component:
Version:	7.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	candlepin-bugs
QA Contact:	John Sefler
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-10-15 14:56 UTC by Kathryn Dixon
Modified:	2019-09-12 09:06 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-01-04 20:21:56 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1282617	0	medium	CLOSED	[RFE] deprecate the "auto-attach" module in favor of "healing" to improve the customer's experience	2023-09-14 03:13:08 UTC
Red Hat Bugzilla	1282630	0	medium	CLOSED	[RFE] add a new register option "--no-healing" to disable the automatic healing functionality	2021-02-22 00:41:40 UTC

Internal Links: 1282617 1282630

Description Kathryn Dixon 2015-10-15 14:56:19 UTC

Description of problem:

When registering, then subscribing a system with a pool id, the system is automatically defaulted to "auto-attach"

This can be an issue due to customers with virutal data center licenses because when a random system because unsubscribed it will "auto-attach" itself to any subscription, including ones that will not work on the system.

This also hurts because random systems will "auto-heal" and steal any subscription available ie Satellite subscription.

This will then cause issues when a customer is trying to register a satellite, and they get an error saying " no entitlement for satellite available"

Then you have to search through 100s of systems on the customer portal and find which system "auto-healed" itself with a Satellite entitlement and then remove it.

Version-Release number of selected component (if applicable):

How reproducible:

100%

Steps to Reproduce:
1. subscription-manager register
2. subscription-manager attach --pool= pool.id.here
3. subscription-manager auto-attach --show
subscription-manager auto-attach enabled
4. subscription-manager auto-attach --disable
this will disable the "auto-healing"

Actual results:

subscription-manager auto-attach --show
subscription-manager auto-attach enabled

Expected results:

subscription-manager auto-attach --show
subscription-manager auto-attach disabled

Additional info:

Myself and the customer believe this should not be enabled by default. When a system is registered with a pool id that is us saying, no I CHOSE what subscription I wanted, please do not take a random sub if anything ever happens.

Why this is important, the auto-healing can "eat" up almost anything, satellite skus, capsules, virtual data center physical skus.

Comment 2 John Sefler 2015-10-16 18:52:56 UTC

Adding some info for historical reference...
  Bug 710172 - [RFE] Provide automated healing of expiring subscriptions
  Bug 726411 - [RFE] Support for certificate healing
  ^^^
  These are the two RFE bugs from the pm Mike Khusid that introduced the desire for default auto healing

  Bug 976867 - subscription-manager autoheal needs feedback and a review of options
  ^^^
  This is the bug where the term auto-heal was replaced by auto-attach after a review with UXD Matt Reid.

Comment 3 John Sefler 2015-10-16 19:20:19 UTC

Currently the auto-attach preference is enabled by default which means that when the rhsmcertd runs (defaults to once every 4 hours - see autoAttachInterval=1440) the candlepin server will check the installed products to see that they are fully Subscribed.  If the system is not fully covered by valid subscriptions, then candlepin will do it's best with the subscriptions available to satisfy coverage of the installed products in need of coverage.  If multiple subscriptions are available (e.g. Subscription A provides coverage for product X and Y, and Subscription B provides coverage for X, while the system only needs additional coverage for product X), it is possible that candlepin will grant an entitlement from the heavier subscription (Subscription A which provides for product X (which is needed) and product Y (which is effectively wasted).   Maybe this is what is being observed in the problem description.


Some more info is need to understand exactly what is happing in the following two statements from the problem description.  As written, something feels wrong because the "auto-attach" feature will not consume a subscription unless it provides coverage for at least one installed product.  I have a feeling that your only available subscription provides content for both RHEL and Satellite and your RHEL system is auto-attaching to it.

> This can be an issue due to customers with virutal data center licenses because when a random system because unsubscribed it will "auto-attach" itself to any subscription, including ones that will not work on the system.

> This also hurts because random systems will "auto-heal" and steal any subscription available ie Satellite subscription.

Please show a list --available so we can seen exactly what is provided by your virutal data center subscription.

Comment 4 John Sefler 2015-10-16 19:33:05 UTC

Regardless of comment 3, it sounds like this RFE is to effectively issue an automatic call to "subscription-manager auto-attach --disable" whenever a call is made to "subscription-manager attach --pool=<POOLID>"

IMHO, this request will cause future problems down the road when the subscription expires leaving the system with installed products that are not covered by a valid subscription.

However if the user consciously wants to turn off the healing daemon, then they can manually call "subscription-manager auto-attach --disable".

I'm curious what the developers think.

Comment 7 Kathryn Dixon 2015-10-22 16:54:41 UTC

Just a side note "auto-heal" is causing 


example..

customer has 50 systems registered in the customer portal RHSM. 

They all become registered but not subscribed, within minutes they begin to grab subscriptions.

Customer is now on the phone with us.. 

Our phone specialists are trying to help through c-service to detach subscriptions, so that the customer can add the correct subscription to the correct system.

"RHEL for virtual datacenters"

As soon as the customer or RH was detaching the subscription from a host, it would immediately come back.. They then had to disable autoattach on all the registered but not subscribed systems to force them to stop, so they could att the RHEL for virtual datacenter onto the hypervisor.

I'm not saying with should end auto-heal.. it is good in some situations. I'm more so saying, virtual systems shouldn't "eat" or auto-heal themselves with PHYSICAL entitlements. They can heal all day with normal subs, but they are healing with subs that specifically go on very specific systems ( satellite, capsule, vdc, rhel for unlimited guests) ect.

I'll respond to the need info stuff soon. I just happen to catch this situation yesterday.

Comment 9 Barnaby Court 2016-01-04 20:21:56 UTC

Closed in favor of RFEs referenced in Comment 8

Comment 10 Jenny Severance 2016-07-11 16:02:21 UTC

@Barnaby and @John ... how are the two RFE's mentioned addressing the obvious issues with auto-attach referenced in Comment 1 and Comment 7 ?  I am not sure this bug should be closed.  It seems to me that 'auto-attach' is, many times, grabbing incorrect subscriptions that cause the customers to have to painfully - manually correct things.

With expiring subscriptions, rhsm should easily be able find a matching subscription to 'auto-heal'.

Comment 11 Kathryn Dixon 2016-12-28 18:19:25 UTC

closing this in favor of 
https://bugzilla.redhat.com/show_bug.cgi?id=1400655

Note You need to log in before you can comment on or make changes to this bug.