Bug 1328729 - Docker client doesn't link entitlements certs
Summary: Docker client doesn't link entitlements certs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 7.3
Assignee: vritant
QA Contact: John Sefler
URL:
Whiteboard:
Duplicates: 1328869
Depends On:
Blocks:
 
Reported: 2016-04-20 07:45 UTC by Stanislav Graf
Modified: 2016-11-03 20:28 UTC (History)

Fixed In Version: subscription-manager-plugin-container-1.17.7-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-03 20:28:18 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1328869 None None None Never
Red Hat Bugzilla 1339753 None None None Never
Red Hat Bugzilla 1342776 None None None Never
Red Hat Product Errata RHSA-2016:2592 normal SHIPPED_LIVE Moderate: subscription-manager security, bug fix, and enhancement update 2016-11-03 12:10:42 UTC


Description Stanislav Graf 2016-04-20 07:45:41 UTC
# Description of problem:

To be able to perform entitlement certificate/client certificate based authentication in Crane one needs to have following linked to
/etc/docker/certs.d/${domain.name}/
* CA certificate
* entitlements certificates (from /etc/pki/entitlement/)

Entitlements certificates are not linked which blocks performing entitlement certificate/client certificate based authentication in Crane.

# Version-Release number of selected component (if applicable):
docker-1.9.1-25.el7

# How reproducible:
100%

# Steps to Reproduce:
1. subscription-manager register / attach
2. subscription-manager repos --enable...
3. install docker
4. ls -l /etc/docker/certs.d/${domain.name}/

# Actual results:
Only CA certificate is linked

# Expected results:
Both CA and entitlements certificates are linked

# Additional info:
-

Comment 1 Daniel Walsh 2016-04-20 13:21:29 UTC
Lokesh is this something we do in the docker package install?

Stanislav, how should we handle this if the order is reversed?

Docker installed then you do subscription-manager?

Comment 2 Daniel Walsh 2016-04-20 13:22:21 UTC
Adding subscription-manager guys to this, because I am not sure how we should handle this.

Comment 3 John Sefler 2016-04-20 14:29:43 UTC
I suspect you have not configured /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf to include your ${domain.name}s in the comma separated list of registry_hostnames

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1328869#c2

Comment 4 Adrian Likins 2016-04-20 14:58:35 UTC
> # Steps to Reproduce:
> 1. subscription-manager register / attach
> 2. subscription-manager repos --enable...
> 3. install docker
> 4. ls -l /etc/docker/certs.d/${domain.name}/

Not sure I understand this flow. The subscription-manager docker/container support only runs inside of a container. But the 'install docker' step implies this is not in a container (and at the time of running subman, not even a 'host').

Afaik, the subscription-manager container plugin that sets up /etc/docker/certs.d/${domain.name}/ is only invoked when subman is run from inside a container.

Comment 5 Stanislav Graf 2016-04-20 15:52:35 UTC
(In reply to John Sefler from comment #3)
> I suspect you have not configured
> /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf to
> include your ${domain.name}s in the comma separated list of
> registry_hostnames
> 
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1328869#c2

Thanks for the info, so I've retested:
vvvvv
* install subscription-manager-plugin-container

* check /etc/docker/certs.d/

/etc/docker/certs.d/:
total 0
drwxr-xr-x. 2 root root 45 Apr 20 11:13 cdn.redhat.com

/etc/docker/certs.d/cdn.redhat.com:
total 4
-rw-r--r--. 1 root root 2626 Oct 13  2015 redhat-entitlement-authority.crt

* install docker

* check /etc/docker/certs.d/

/etc/docker/certs.d/:
total 0
drwxr-xr-x. 2 root root 45 Apr 20 11:13 cdn.redhat.com
drwxr-xr-x. 2 root root 26 Apr 20 11:23 redhat.com
drwxr-xr-x. 2 root root 26 Apr 20 11:23 redhat.io

/etc/docker/certs.d/cdn.redhat.com:
total 4
-rw-r--r--. 1 root root 2626 Oct 13  2015 redhat-entitlement-authority.crt

/etc/docker/certs.d/redhat.com:
total 0
lrwxrwxrwx. 1 root root 27 Apr 20 11:23 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/redhat.io:
total 0
lrwxrwxrwx. 1 root root 27 Apr 20 11:23 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

* add ',redhat.com' to /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf

* restart rhsm and docker service
systemctl restart rhsmcertd.service
systemctl docker restart

* list again

# ls -lR /etc/docker/certs.d/
/etc/docker/certs.d/:
total 0
drwxr-xr-x. 2 root root 45 Apr 20 11:13 cdn.redhat.com
drwxr-xr-x. 2 root root 26 Apr 20 11:23 redhat.com
drwxr-xr-x. 2 root root 26 Apr 20 11:23 redhat.io

/etc/docker/certs.d/cdn.redhat.com:
total 4
-rw-r--r--. 1 root root 2626 Oct 13  2015 redhat-entitlement-authority.crt

/etc/docker/certs.d/redhat.com:
total 0
lrwxrwxrwx. 1 root root 27 Apr 20 11:23 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/redhat.io:
total 0
lrwxrwxrwx. 1 root root 27 Apr 20 11:23 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

* check there is containerimage in my entitlement:

rct cat-cert /etc/pki/entitlement/8125772367146128011.pem | grep -i containerimage
	Type: containerimage
	Type: containerimage
^^^^^

1) subscription-manager-plugin-container was not installed by default on my machine, should be added to product specific install guide
2) editing container_content.ContainerContentPlugin.conf does nothing - maybe I missed some step?
3) editing container_content.ContainerContentPlugin.conf should be added also to product specific install guide until it's fixed between docker and subscription-manager

Comment 6 John Sefler 2016-04-20 16:11:37 UTC
The update to the registry_hostnames in /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf should be done *before* you attach the subscription to the system.

Comment 7 Stanislav Graf 2016-04-20 16:22:06 UTC
(In reply to John Sefler from comment #6)
> The update to the registry_hostnames in
> /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf should
> be done *before* you attach the subscription to the system.

Thanks, that works!

4) I need to attach entitlements to install subscription-manager-plugin-container, change config and then detach and attach again to get config applied

5) Linking/copying of CA cert is not consistent

/etc/docker/certs.d/access.redhat.com:
(none)

/etc/docker/certs.d/cdn.redhat.com:
-rw-r--r--. 1 root root  2626 Oct 13  2015 redhat-entitlement-authority.crt

/etc/docker/certs.d/redhat.com:
lrwxrwxrwx. 1 root root    27 Apr 20 11:23 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/redhat.io:
lrwxrwxrwx. 1 root root 27 Apr 20 11:23 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/registry.access.redhat.com:
(none)

Comment 8 John Sefler 2016-04-20 18:39:01 UTC
(In reply to Stanislav Graf from comment #7)
> 4) I need to attach entitlements to install
> subscription-manager-plugin-container, change config and then detach and
> attach again to get config applied

Or you could wait for up to 4 hours for rhsmcertd to automatically run and sync container certificates to /etc/docker/certs.d/<registry_hostnames> from /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf

UGLY: attach (to install subscription-manager-plugin-container), remove, and re-attach (to sync container certificates) is a terrible customer experience.

However, I believe subscription-manager-plugin-container is installed by default on RHEL Atomic which was the intended product for docker delivery.

> 
> 5) Linking/copying of CA cert is not consistent
> 
> /etc/docker/certs.d/access.redhat.com:
> (none)
> 
> /etc/docker/certs.d/cdn.redhat.com:
> -rw-r--r--. 1 root root  2626 Oct 13  2015 redhat-entitlement-authority.crt
> 
> /etc/docker/certs.d/redhat.com:
> lrwxrwxrwx. 1 root root    27 Apr 20 11:23 redhat-ca.crt ->
> /etc/rhsm/ca/redhat-uep.pem
> 
> /etc/docker/certs.d/redhat.io:
> lrwxrwxrwx. 1 root root 27 Apr 20 11:23 redhat-ca.crt ->
> /etc/rhsm/ca/redhat-uep.pem
> 
> /etc/docker/certs.d/registry.access.redhat.com:
> (none)


You are right... they are not consistent because they were all provided by different packages/teams...

[root@jsefler-7 ~]# ls -d1 /etc/docker/certs.d/*
/etc/docker/certs.d/access.redhat.com
/etc/docker/certs.d/cdn.redhat.com
/etc/docker/certs.d/redhat.com
/etc/docker/certs.d/redhat.io
/etc/docker/certs.d/registry.access.redhat.com
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# rpm -q --whatprovides /etc/docker/certs.d/access.redhat.com
file /etc/docker/certs.d/access.redhat.com is not owned by any package
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# rpm -q --whatprovides /etc/docker/certs.d/cdn.redhat.com
subscription-manager-plugin-container-1.15.9-15.el7.x86_64
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# rpm -q --whatprovides /etc/docker/certs.d/redhat.com
docker-1.8.2-2.el7.x86_64
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# rpm -q --whatprovides /etc/docker/certs.d/redhat.io
docker-1.8.2-2.el7.x86_64
[root@jsefler-7 ~]# 
[root@jsefler-7 ~]# rpm -q --whatprovides /etc/docker/certs.d/registry.access.redhat.com
file /etc/docker/certs.d/registry.access.redhat.com is not owned by any package
[root@jsefler-7 ~]# 

The two not owned by any package are because they were included in the default registry_hostnames in container_content.ContainerContentPlugin.conf and will therefore be absent of a CA cert (not sure if that is a problem).

Comment 9 Daniel Walsh 2016-04-21 05:19:49 UTC
Is there anything needed to be done in the docker package to make this work better?

Comment 10 John Sefler 2016-04-21 12:39:08 UTC
(In reply to John Sefler from comment #8)
> (In reply to Stanislav Graf from comment #7)
> > 4) I need to attach entitlements to install
> > subscription-manager-plugin-container, change config and then detach and
> > attach again to get config applied
> 
> UGLY: attach (to install subscription-manager-plugin-container), remove, and
> re-attach (to sync container certificates) is a terrible customer experience.

After a good night's sleep, here are the best two options to avoid the ugly subscription re-attachment steps:

  1. do nothing and wait for up to 4 hours for the rhsmcertd to run automatically which will sync the entitlements to the new redhat.com redhat.io directories, OR...
  2. run /usr/libexec/rhsmcertd-worker as root which will immediately run the container plugin that syncs the entitlements to the new redhat.com redhat.io directories.

Remember that these two options are only relevant if you have already attached a subscription that provides containerimage content without first appending ,redhat.com,redhat.io to registry_hostnames in /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf.

Comment 11 Aaron Weitekamp 2016-04-21 13:14:59 UTC
(In reply to John Sefler from comment #10)
> Remember that these two options are only relevant if you have already
> attached a subscription that provides containerimage content without first
> appending ,redhat.com,redhat.io to registry_hostnames in
> /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf.

Couldn't we pre-populate the redhat.* domains in the file /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf that we ship?

Comment 12 John Sefler 2016-04-21 14:23:15 UTC
(In reply to Aaron Weitekamp from comment #11)
> Couldn't we pre-populate the redhat.* domains in the file
> /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf that we
> ship?

Are you asking the sub-man dev team to build a new subscription-manager package with additional default registry_hostnames (with appropriate CA cert) every time the docker team has new ones?  That does not sound efficient.  That's why it is a configuration.

As sgraf has learned the hard way, there is an order of operations needed to get a RHEL7 system configured to run docker images with access to "containerimage" content.  I'll try to re-cap what I think the order is (without looking at any docs)...

1. Install a bare RHEL7 system (probably from an iso)

2. Entitle the system with a RHEL subscription using subscription-manager

3. enable the rhel-7-server-extras-rpms repo and then yum install docker

4. enable the rhel-7-server-optional-rpms repo and then yum install subscription-manager-plugin-container

5. append ",redhat.com,redhat.io" to registry_hostnames in /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf

6. THE NEXT STEP DEPENDS ON WHETHER OR NOT THE RHEL SUBSCRIPTION ATTACHED IN STEP 2 ALSO PROVIDES "Red Hat Software Collections (for RHEL Server)" WHICH APPEARS TO BE THE SOURCE FOR THE "containerimage" CONTENT YOU WANT ACCESS TO
  If yes - then either wait for up to four hours OR run /usr/libexec/rhsmcertd-worker as root which will immediately run the container plugin that syncs the entitlements to the new redhat.com redhat.io registry_hostname directories.
  If no - then attach another subscription that provides "Red Hat Software Collections (for RHEL Server)"


I assume there is a customer facing document that contains this workflow. Maybe it needs a few tweaks.  I don't think the docker or subscription-manager-plugin-container packages need any changes.

One last thing that could still be an issue is to make sure the correct CA cert is being provided in the registry_hostnames directories.  I noticed that the redhat-ca.crt packaged with docker and the redhat-entitlement-authority.crt packaged with subscription-manager-plugin-container are not the same.

Comment 13 John Sefler 2016-04-21 15:00:09 UTC
cbredesen mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1328869#c5 registry hostnames (registry.access.redhat.com / registry.redhat.io).  Beware... I think subscription-manager-plugin-container requires the configurations to be fully qualified.  That means that in comment 12 you should change redhat.io to registry.redhat.io and redhat.com to registry.access.redhat.com and include CA certs.  This needs to be tested.  I think sgraf can help test this concern.  If true, then some changes to the docker package could be needed.

Comment 14 vritant 2016-04-21 20:38:27 UTC
*** Bug 1328869 has been marked as a duplicate of this bug. ***

Comment 15 Daniel Walsh 2016-04-22 17:34:24 UTC
Tell us what we need to change in the docker package?

Comment 17 Barnaby Court 2016-04-25 20:27:53 UTC
Dan & Aaron,

Is there a reason we would not want to automatically load all the directories under /etc/docker/certs.d/* as registry_hostnames? 

If there is a concern about opening it up entirely we could support wildcard masks *.redhat.com *.redhat.io if that would be helpful. 

If we did either of those two things, then as changes are made on the docker side the content_container plugin would not need to have its configuration updated.

As a short term fix, if you give us the updated list of registry hostname values we can update the list in the default config file.

Comment 18 Aaron Weitekamp 2016-04-28 12:49:57 UTC
(In reply to John Sefler from comment #12)
> (In reply to Aaron Weitekamp from comment #11)
> > Couldn't we pre-populate the redhat.* domains in the file
> > /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf that we
> > ship?
> 
> Are you asking the sub-man dev team to build a new subscription-manager
> package with additional default registry_hostnames (with appropriate CA
> cert) everytime the docker team has new ones?  That does not sound
> efficient.  That's why it is a configuration.
> 

Yes, this is what I am asking. As you know, /etc/rhsm/rhsm.conf ships configured so a new system registers with production.
  hostname = subscription.rhn.redhat.com
  baseurl= https://cdn.redhat.com

I view this as the same thing. The registry hostnames are stable.

> As sgraf has learned the hard way, there is an order of operations needed to
> get a RHEL7 system configured to run docker images with access to
> "containerimage" content.

Remember, our goal is to support an atomic host workflow which must be able to register and start RHEL-based containers to be functional (using cloud-init, for example). There is no waiting 4 hours. There is no special config. A subscribed system can install applications via docker by default.

Comment 19 Chris Bredesen 2016-04-28 12:52:54 UTC
I agree 100% with comment 18. Thanks, Aaron.

Comment 20 John Sefler 2016-04-28 13:09:32 UTC
I agree too.  Then a subscription-manager-plugin-container design change based on comment 17 should be pursued.

Comment 21 Tom Butt 2016-04-28 13:52:10 UTC
I think we should only need registry.redhat.io as that was intended to replace registry.access.redhat.com, we simply kept that in place for backwards compat.  registry.redhat.io is meant to be THE ONE.

Comment 22 Sushma 2016-04-29 12:40:57 UTC
I checked installing AH VM to understand more about the experience with docker entitlement certs. I noticed that, after I register to subscription-manager and attach the required entitlements it still does not reflect the entitlement certs under /etc/docker/certs.d 

@John, does it require 4Hrs even on AH? 
Running /usr/libexec/rhsmcertd-worker helped as you suggested in comment 10

Comment 23 John Sefler 2016-04-29 14:32:33 UTC
(In reply to Sushma from comment #22)

If you configured registry_hostnames in /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf on your Atomic Host with all of the /etc/docker/certs.d/<registry_hostnames> that you will be pulling docker images from *BEFORE* you attached the Atomic subscription, then you should see the entitlement certs/keys appear in the /etc/docker/certs.d/<registry_hostnames>/ directories *immediately* after attaching the Atomic subscription.

If you attached the Atomic subscription *before* you configure container_content.ContainerContentPlugin.conf, then you will need to wait up to 4 hrs OR manually run /usr/libexec/rhsmcertd-worker as root to see the entitlement certs/keys appear in the /etc/docker/certs.d/<registry_hostnames>/ directories.
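The order of operations in comment 12 and the timing rule in comment 23 reduce to a check that can be run before attempting a pull. The following is an added example, not code from subscription-manager or its container plugin: it reads registry_hostnames from the plugin conf, appends the fully qualified hostnames that are missing, and audits /etc/docker/certs.d/<hostname>/ for a synced entitlement cert/key pair with a private (0600) key, as in the verified listings. REQUIRED_HOSTS, the demo() scenario and the placeholder file names are assumptions made for illustration; the sync itself is still performed by rhsmcertd-worker.

```python
"""Check the container-plugin order of operations from this thread (added example)."""
import configparser
import os
import re
import shutil
import stat
import tempfile

# Real paths from the thread; REQUIRED_HOSTS is an assumption for this check.
PLUGIN_CONF = "/etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf"
CERTS_D = "/etc/docker/certs.d"
REQUIRED_HOSTS = ("registry.access.redhat.com", "registry.redhat.io")

def read_registry_hostnames(conf_path):
    """Parse the comma separated registry_hostnames value from [main]."""
    cp = configparser.ConfigParser()
    cp.read(conf_path)
    raw = cp.get("main", "registry_hostnames", fallback="")
    return [h.strip() for h in raw.split(",") if h.strip()]

def add_registry_hostnames(conf_path, hosts):
    """Append missing hosts to the registry_hostnames line; other lines stay as shipped."""
    current = read_registry_hostnames(conf_path)
    wanted = current + [h for h in hosts if h not in current]
    with open(conf_path) as fh:
        lines = fh.readlines()
    new_line = "registry_hostnames = %s\n" % ",".join(wanted)
    out = [new_line if re.match(r"^\s*registry_hostnames\s*=", ln) else ln
           for ln in lines]
    if new_line not in out:
        out.append(new_line)  # assumes [main] is the only section
    with open(conf_path, "w") as fh:
        fh.writelines(out)
    return wanted

def audit_certs_d(certs_d, hosts):
    """Per host: synced <serial>.cert/<serial>.key pair present, and key mode 0600?"""
    report = {}
    for host in hosts:
        d = os.path.join(certs_d, host)
        entry = {"certs": [], "keys": [], "key_mode_ok": True}
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                if name.endswith(".cert"):
                    entry["certs"].append(name)
                elif name.endswith(".key"):
                    entry["keys"].append(name)
                    mode = stat.S_IMODE(os.stat(os.path.join(d, name)).st_mode)
                    entry["key_mode_ok"] &= not (mode & 0o077)
        entry["entitled"] = bool(entry["certs"] and entry["keys"])
        report[host] = entry
    return report

def next_step(conf_path, certs_d, required=REQUIRED_HOSTS):
    """Reduce the thread's rules to one action: configure first, then sync."""
    present = set(read_registry_hostnames(conf_path))
    missing = [h for h in required if h not in present]
    if missing:
        return "configure: add %s before attaching" % ",".join(missing)
    report = audit_certs_d(certs_d, required)
    unsynced = [h for h in required if not report[h]["entitled"]]
    if unsynced:
        return "sync: run /usr/libexec/rhsmcertd-worker for %s" % ",".join(unsynced)
    if any(not report[h]["key_mode_ok"] for h in required):
        return "fix: entitlement .key files must be mode 0600"
    return "ok"

def demo():
    """Constructed scenario: pre-fix default conf, only cdn.redhat.com synced."""
    root = tempfile.mkdtemp()
    conf = os.path.join(root, "container_content.ContainerContentPlugin.conf")
    with open(conf, "w") as fh:
        fh.write("[main]\nenabled = 1\nregistry_hostnames = "
                 "registry.access.redhat.com,cdn.redhat.com,access.redhat.com\n")
    certs_d = os.path.join(root, "certs.d")
    synced = os.path.join(certs_d, "cdn.redhat.com")
    os.makedirs(synced)
    for ext, mode in ((".cert", 0o644), (".key", 0o600)):
        path = os.path.join(synced, "EXAMPLE_SERIAL" + ext)  # placeholder serial
        with open(path, "w") as fh:
            fh.write("placeholder, not a real PEM\n")
        os.chmod(path, mode)
    r = {"step_before": next_step(conf, certs_d)}
    add_registry_hostnames(conf, REQUIRED_HOSTS)
    r["hostnames_after"] = read_registry_hostnames(conf)
    r["step_after"] = next_step(conf, certs_d)
    r["cdn"] = audit_certs_d(certs_d, ["cdn.redhat.com"])["cdn.redhat.com"]
    shutil.rmtree(root)
    return r
```

On a real host, next_step(PLUGIN_CONF, CERTS_D) run as root gives the same verdicts against the live files.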

Comment 24 Sushma 2016-05-02 14:32:49 UTC
Thanks John, the steps and order mentioned above in comment #23 work on the AtomicHost VM
To be clear, this is what I did
* I installed AH (from iso) on VM
* Created /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf with the below details
------
[main]
enabled = 1
registry_hostnames = registry.access.redhat.com,cdn.redhat.com,access.redhat.com
------
* subscription-manager register --auto-attach

I found the entitlement certs created for each registry_hostnames mentioned above under /etc/docker/certs.d/.

Comment 27 Sushma 2016-06-03 14:15:18 UTC
@Chris, John

This is regarding another issue that was noticed for protected repos in live 
+ For the protected repos, we had to update the redirect URLs point to protected CDN https://cdn.redhat.com instead of the default unprotected CDN https://access.redhat.com/webassets/docker/ because entitlement certs expect it to be so
+ Following which docker client does not seem to work fine with cacert:
  - with the CA cert which is found under /etc/docker/certs.d/cdn.redhat.com
  - OR with redhat-uep.pem which is located at /etc/rhsm/ca/ (tried manually linking to this cert) 
  - nor with ca-bundle.crt which is located at /etc/pki/tls/certs (tried manually linking to this cert)

We are getting the error "x509: certificate signed by unknown authority" when we try to "docker pull" the image from registry.access.redhat.com which redirects to cdn.redhat.com to locate the image.

This needs to be investigated. This is a blocker for the RHMAP GA release. 

At this point, the IT Crane team is working on/investigating a patch at the Crane end.

Comment 29 John Sefler 2016-06-21 20:47:56 UTC
Verifying Version....
[root@jsefler-rhel7 ~]# rpm -q subscription-manager subscription-manager-plugin-container
subscription-manager-1.17.7-1.el7.x86_64
subscription-manager-plugin-container-1.17.7-1.el7.x86_64

As indicated in comment 21 and comment 25, the subscription-manager dev team has updated the subscription-manager-plugin-container to include registry.redhat.io in the default registry_hostnames of /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf

[root@jsefler-rhel7 ~]# rpm -q subscription-manager --changelog | grep 1328729
- 1328729: add registry.redhat.io to default registry_hostnames

[root@jsefler-rhel7 ~]# cat /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf 
[main]
enabled = 1
registry_hostnames = registry.access.redhat.com,cdn.redhat.com,access.redhat.com,registry.redhat.io

VERIFIED: THE DEFAULT CONFIG FOR registry_hostnames IN /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf NOW INCLUDES "registry.redhat.io"

Comment 30 John Sefler 2016-06-21 20:50:19 UTC
I'll also demonstrate that when a RHEL7 system is registered and subscribed to a subscription that provides "containerimage" content, the entitlement will land in directory /etc/docker/certs.d/registry.redhat.io/ as desired.

[root@jsefler-rhel7 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 Beta (Maipo)

[root@jsefler-rhel7 ~]# ls -lR /etc/docker/certs.d/
/etc/docker/certs.d/:
total 0
drwxr-xr-x. 2 root root 45 Jun 21 15:09 cdn.redhat.com

/etc/docker/certs.d/cdn.redhat.com:
total 4
-rw-r--r--. 1 root root 2626 Jun  3 19:06 redhat-entitlement-authority.crt

[root@jsefler-rhel7 ~]# subscription-manager register --serverurl subscription.rhsm.stage.redhat.com:443/subscription
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: stage_auto_testuser1
Password: 
The system has been registered with ID: 4df923bc-8fea-4a52-b933-044011352010 

[root@jsefler-rhel7 ~]# subscription-manager list --available --matches "*Container*"
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
Subscription Name:   Red Hat Enterprise Linux Server, Standard (Physical or Virtual Nodes)
Provides:            Red Hat Beta
                     Red Hat Container Images Beta
                     dotNET on RHEL Beta (for RHEL Server)
                     Red Hat Software Collections (for RHEL Server)
                     Oracle Java (for RHEL Server)
                     Red Hat Enterprise Linux Atomic Host Beta
                     Red Hat Container Images
                     Red Hat Enterprise Linux Server
                     dotNET on RHEL (for RHEL Server)
                     Red Hat Enterprise Linux Atomic Host
                     Red Hat Software Collections Beta (for RHEL Server)
                     Red Hat Developer Toolset (for RHEL Server)
SKU:                 RH00004
Contract:            
Pool ID:             8a99f986553a7fbb01553c03870624c3
Provides Management: No
Available:           400
Suggested:           1
Service Level:       Standard
Service Type:        L1-L3
Subscription Type:   Instance Based
Ends:                05/27/2017
System Type:         Physical

[root@jsefler-rhel7 ~]# subscription-manager attach --pool 8a99f986553a7fbb01553c03870624c3
Successfully attached a subscription for: Red Hat Enterprise Linux Server, Standard (Physical or Virtual Nodes)

[root@jsefler-rhel7 ~]# rct cat-cert /etc/pki/entitlement/9015880968579070254.pem | grep "containerimage" -A1
	Type: containerimage
	Name: Red Hat Enterprise Linux 6 Server - Beta (Containers)
--
	Type: containerimage
	Name: Red Hat Enterprise Linux 6 Server (Containers)
--
	Type: containerimage
	Name: Red Hat Enterprise Linux 7 Server - Beta (Containers)
--
	Type: containerimage
	Name: Red Hat Enterprise Linux 7 Server (Containers)
--
	Type: containerimage
	Name: dotNET on RHEL Beta (Containers) for Red Hat Enterprise Linux 7 Server
--
	Type: containerimage
	Name: dotNET on RHEL (Containers) for Red Hat Enterprise Linux 7 Server
--
	Type: containerimage
	Name: Red Hat Software Collections Beta (Containers) for Red Hat Enterprise Linux 7 Server
--
	Type: containerimage
	Name: Red Hat Software Collections (Containers) for Red Hat Enterprise Linux 7 Server

[root@jsefler-rhel7 ~]# ls -lR /etc/docker/certs.d/
/etc/docker/certs.d/:
total 4
drwxr-xr-x. 2 root root   67 Jun 21 15:12 access.redhat.com
drwxr-xr-x. 2 root root 4096 Jun 21 15:12 cdn.redhat.com
drwxr-xr-x. 2 root root   67 Jun 21 15:12 registry.access.redhat.com
drwxr-xr-x. 2 root root   67 Jun 21 15:12 registry.redhat.io

/etc/docker/certs.d/access.redhat.com:
total 20
-rw-r--r--. 1 root root 16362 Jun 21 15:12 9015880968579070254.cert
-rw-------. 1 root root  1679 Jun 21 15:12 9015880968579070254.key

/etc/docker/certs.d/cdn.redhat.com:
total 24
-rw-r--r--. 1 root root 16362 Jun 21 15:12 9015880968579070254.cert
-rw-------. 1 root root  1679 Jun 21 15:12 9015880968579070254.key
-rw-r--r--. 1 root root  2626 Jun  3 19:06 redhat-entitlement-authority.crt

/etc/docker/certs.d/registry.access.redhat.com:
total 20
-rw-r--r--. 1 root root 16362 Jun 21 15:12 9015880968579070254.cert
-rw-------. 1 root root  1679 Jun 21 15:12 9015880968579070254.key

/etc/docker/certs.d/registry.redhat.io:
total 20
-rw-r--r--. 1 root root 16362 Jun 21 15:12 9015880968579070254.cert
-rw-------. 1 root root  1679 Jun 21 15:12 9015880968579070254.key

VERIFIED: THE ENTITLEMENT FROM SUBSCRIPTION SKU RH00004 WHICH PROVIDES "containerimage" CONTENT LANDED IN /etc/docker/certs.d/registry.redhat.io AS WELL AS ALL THE OTHER CONFIGURED registry_hostnames


[root@jsefler-rhel7 ~]# rpm -q docker
package docker is not installed

[root@jsefler-rhel7 ~]# subscription-manager repos | grep extras-rpms -A4
Repo ID:   rhel-7-server-extras-rpms
Repo Name: Red Hat Enterprise Linux 7 Server - Extras (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel/server/7/7Server/$basearch/extras/os
Enabled:   0

[root@jsefler-rhel7 ~]# subscription-manager repos --enable rhel-7-server-extras-rpms
Repository 'rhel-7-server-extras-rpms' is enabled for this system.

[root@jsefler-rhel7 ~]# yum install -q -y docker
This system is not registered with RHN Classic or Red Hat Satellite.
You can use rhn_register to register.
Red Hat Satellite or RHN Classic support will be disabled.
Re-declaration of boolean virt_sandbox_use_fusefs
Failed to create node
Bad boolean declaration at line 147 of /etc/selinux/targeted/tmp/modules/100/virt/cil
/usr/sbin/semodule:  Failed!
libsemanage.semanage_direct_install_info: Overriding docker module at lower priority 100 with module at priority 400.

[root@jsefler-rhel7 ~]# rpm -q docker
docker-1.9.1-40.el7.x86_64

[root@jsefler-rhel7 ~]# systemctl start docker.service 

[root@jsefler-rhel7 ~]# docker pull registry.redhat.io/rhel7:latest
c453594215e4: Download complete 
Status: Downloaded newer image for registry.redhat.io/rhel7:latest
registry.redhat.io/rhel7: this image was pulled from a legacy registry.  Important: This registry version will not be supported in future versions of docker.

[root@jsefler-rhel7 ~]# docker images
REPOSITORY                 TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
registry.redhat.io/rhel7   latest              c453594215e4        6 weeks ago         203.4 MB

[root@jsefler-rhel7 ~]# setenforce 0
[root@jsefler-rhel7 ~]# docker run --rm registry.redhat.io/rhel7:latest yum repolist
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
repo id                           repo name                               status
rhel-7-server-rpms/7Server/x86_64 Red Hat Enterprise Linux 7 Server (RPMs 10871
repolist: 10871


VERIFIED: I successfully registered, subscribed, installed docker, pulled an image from registry.redhat.io and ran a command inside a container that demonstrates the container has yum access through the entitlement on the host.

NOTE: I had to disable selinux (setenforce 0) to workaround current policy issues.

Comment 32 Stanislav Graf 2016-06-23 13:59:29 UTC
Great job!

(1) subscription-manager-plugin-container preinstalled

Take a clean system. I prepared my system with the latest RHEL 7.2 with updates and the following extra packages:
# rpm -qa '*rhsm*' '*subscription*' | sort
python-rhsm-1.17.2-1.el7.x86_64
subscription-manager-1.17.7-1.el7.x86_64
subscription-manager-plugin-container-1.17.7-1.el7.x86_64

I didn't need to edit anything, I didn't need any hacks. I just registered to production with account that can pull protected images, installed docker and I was able to pull images.

(2) subscription-manager-plugin-container installed later

Take a clean system. I prepared my system with RHEL 7.2 and registered to production. Update to latest, update subscription-manager and install container plugin.
# rpm -qa '*rhsm*' '*subscription*' | sort
python-rhsm-1.17.2-1.el7.x86_64
subscription-manager-1.17.7-1.el7.x86_64
subscription-manager-plugin-container-1.17.7-1.el7.x86_64

I didn't need to edit anything, I didn't need any hacks. I was able to pull images.

Note: I did also negative testing - that without proper entitlements I wasn't able to pull images - just to be sure I'm not downloading unprotected images.

Comment 35 errata-xmlrpc 2016-11-03 20:28:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2592.html

