Bug 1671534 - [WARNING] rhsmcertd-worker:5015:MainThread @container.py:140 - Container cert directory does not exist: /etc/docker/certs.d/
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: subscription-manager
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Target Release: 8.1
Assignee: Jiri Hnidek
QA Contact: Red Hat subscription-manager QE Team
URL:
Whiteboard:
Depends On: 1682763
Blocks:
Reported: 2019-01-31 20:33 UTC by John Sefler
Modified: 2020-11-14 08:53 UTC
CC: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 22:15:32 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+




Links
- GitHub fedora-selinux/selinux-policy-contrib pull 103 (closed): "Deamon rhsmcertd is able to install certs for docker again"; last updated 2019-11-25 01:01:28 UTC
- Red Hat Knowledge Base (Solution) 3901551; last updated 2019-02-11 22:10:43 UTC
- Red Hat Product Errata RHBA-2019:3561; last updated 2019-11-05 22:16:24 UTC

Description John Sefler 2019-01-31 20:33:11 UTC
Description of problem:

When the rhsmcertd-worker runs to auto heal a system with a subscription that provides content of type "containerImage", the granted entitlement cert and key are supposed to be copied to all the registry_hostnames directories configured in /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf.

The problem on RHEL8 is that rhsm.log indicates a WARNING that "Container cert directory does not exist: /etc/docker/certs.d" when it does indeed exist.  This is blocking the subscription-manager-plugin-container from copying certificates from /etc/pki/entitlement/ to /etc/docker/certs.d/<registry_hostnames>/

Note 1: When manually attaching a subscription that provides "containerImage" content, the subscription-manager-plugin-container successfully copies the entitlement cert&key without any warnings in the rhsm.log.

Note 2: When selinux is running in permissive mode, the rhsmcertd-worker successfully copies the entitlement certs.

Note 3: When selinux is in enforcing mode, rhsmcertd-worker fails to copy entitlement certs, yet I cannot find any denials in the audit log.



Version-Release number of selected component (if applicable):
[root@kvm-01-guest17 ~]# rpm -q subscription-manager-plugin-container selinux-policy
subscription-manager-plugin-container-1.23.8-15.el8.x86_64
selinux-policy-3.14.1-53.el8.noarch


How reproducible:
always


Steps to Reproduce:
This testing is being done against an onpremise candlepin server with the TESTDATA deployed and product certs from the TESTDATA installed.


[root@kvm-01-guest17 ~]# subscription-manager config --rhsmcertd.splay=0 --rhsmcertd.disable=0
[root@kvm-01-guest17 ~]# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service
[root@kvm-01-guest17 ~]# setenforce 1
[root@kvm-01-guest17 ~]# restorecon -Rv /etc /run /var
Relabeled /etc/dnf/modules.d/virt.module from system_u:object_r:root_t:s0 to system_u:object_r:etc_t:s0
Relabeled /run/user/0 from system_u:object_r:tmpfs_t:s0 to system_u:object_r:user_tmp_t:s0
[root@kvm-01-guest17 ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
[root@kvm-01-guest17 ~]# systemctl restart rhsmcertd
[root@kvm-01-guest17 ~]# sleep 120
[root@kvm-01-guest17 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
<no matches>
[root@kvm-01-guest17 ~]# cat /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf
[main]
enabled = 1
registry_hostnames=registry.access.redhat.com,cdn.redhat.com,access.redhat.com,registry.redhat.io,cdn.rhsm-test.redhat.com,rhsm-test.redhat.com
[root@kvm-01-guest17 ~]# ls /etc/docker/certs.d/*
/etc/docker/certs.d/access.redhat.com:

/etc/docker/certs.d/cdn.redhat.com:
redhat-entitlement-authority.crt

/etc/docker/certs.d/cdn.rhsm-test.redhat.com:
redhat-entitlement-authority.crt

/etc/docker/certs.d/registry.access.redhat.com:

/etc/docker/certs.d/registry.redhat.io:

/etc/docker/certs.d/rhsm-test.redhat.com:
[root@kvm-01-guest17 ~]# 
[root@kvm-01-guest17 ~]# subscription-manager list --consumed | grep "Awesome OS Docker" -A16
Subscription Name:   Awesome OS Docker
Provides:            Awesome OS Docker Bits
SKU:                 awesomeos-docker
Contract:            0
Account:             12331131231
Serial:              3336717941861560708
Pool ID:             8a88714e68a53f5d0168a53fb7f901e6
Provides Management: No
Active:              True
Quantity Used:       1
Service Level:       
Service Type:        
Status Details:      Subscription is current
Subscription Type:   Standard
Starts:              01/30/2019
Ends:                01/30/2020
System Type:         Physical

[root@kvm-01-guest17 ~]# rct cat-cert /etc/pki/entitlement/3336717941861560708.pem | grep -i containerImage -A1 -B1
Content:
	Type: containerImage
	Name: awesomeos-docker-images
[root@kvm-01-guest17 ~]# 


FAILED: EXPECTED THE DIRECTORIES DEFINED BY registry_hostnames TO BE POPULATED WITH THE ENTITLEMENT SERIAL FROM Awesome OS Docker BECAUSE IT PROVIDES "containerImage" CONTENT.




Additional info:

[root@kvm-01-guest17 ~]# tail -f /var/log/rhsm/rhsm.log  | grep WARNING
2019-01-31 14:34:49,393 [WARNING] rhsmcertd-worker:4969:MainThread @container.py:140 - Container cert directory does not exist: /etc/docker/certs.d/
2019-01-31 14:34:49,393 [WARNING] rhsmcertd-worker:4969:MainThread @container.py:141 - Exiting plugin



[root@kvm-01-guest17 ~]# tail -f /var/log/rhsm/rhsmcertd.log 
Thu Jan 31 14:32:48 2019 [INFO] rhsmcertd is shutting down...
Thu Jan 31 14:32:48 2019 [INFO] Starting rhsmcertd...
Thu Jan 31 14:32:48 2019 [INFO] Auto-attach interval: 1440.0 minutes [86400 seconds]
Thu Jan 31 14:32:48 2019 [INFO] Cert check interval: 240.0 minutes [14400 seconds]
Thu Jan 31 14:32:48 2019 [INFO] Waiting 2.0 minutes plus 0 splay seconds [120 seconds total] before performing first auto-attach.
Thu Jan 31 14:32:48 2019 [INFO] Waiting 2.0 minutes plus 0 splay seconds [120 seconds total] before performing first cert check.
Thu Jan 31 14:34:49 2019 [INFO] (Cert Check) Certificates updated.
Thu Jan 31 14:34:51 2019 [INFO] (Auto-attach) Certificates updated.

Comment 1 John Sefler 2019-01-31 20:38:14 UTC
This is a regression from fixed bug 1344500

Comment 2 John Sefler 2019-01-31 20:43:21 UTC
setting a NEEDINFO on mgrepl to help troubleshoot

Comment 11 Rehana 2019-05-30 14:21:36 UTC
Verifying on :
------------

# rpm -qa subscription-manager selinux*
selinux-policy-3.14.3-4.el8.noarch
subscription-manager-1.25.6-1.el8.x86_64
selinux-policy-targeted-3.14.3-4.el8.noarch


[root@dell-r730-001-guest23 ~]# subscription-manager register
Registering to: ansible-candlepin.usersys.redhat.com:8443/candlepin
Username: admin
Password: 
Organization: admin
The system has been registered with ID: 06c96b36-2743-4bb8-ac4d-b3e978487d44
The registered system name is: dell-r730-001-guest23.dsal.lab.eng.rdu2.redhat.com

[root@dell-r730-001-guest23 ~]# subscription-manager config --rhsmcertd.splay=0 --rhsmcertd.disable=0

[root@dell-r730-001-guest23 ~]# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service
[root@dell-r730-001-guest23 ~]# setenforce 1
[root@dell-r730-001-guest23 ~]# restorecon -Rv /etc /run /var
[root@dell-r730-001-guest23 ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
[root@dell-r730-001-guest23 ~]# 
[root@dell-r730-001-guest23 ~]# systemctl restart rhsmcertd

wait for 2mins for the auto-attach to complete

[root@dell-r730-001-guest23 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i 
<no matches>
[root@dell-r730-001-guest23 ~]# cat /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf
[main]
enabled = 1
registry_hostnames = registry.access.redhat.com,cdn.redhat.com,access.redhat.com,registry.redhat.io

[root@dell-r730-001-guest23 ~]# ls /etc/docker/certs.d/*
/etc/docker/certs.d/access.redhat.com:
549870588193513666.cert  549870588193513666.key

/etc/docker/certs.d/cdn.redhat.com:
549870588193513666.cert  549870588193513666.key  redhat-entitlement-authority.crt

/etc/docker/certs.d/registry.access.redhat.com:
549870588193513666.cert  549870588193513666.key

/etc/docker/certs.d/registry.redhat.io:
549870588193513666.cert  549870588193513666.key

[root@dell-r730-001-guest23 ~]# subscription-manager list --consumed | grep "Awesome OS Docker" -A16
Subscription Name:   Awesome OS Docker
Provides:            Awesome OS Docker Bits
SKU:                 awesomeos-docker
Contract:            1
Account:             12331131231
Serial:              549870588193513666
Pool ID:             8ac6a33e6ad9ab18016ad9afc02d02f0
Provides Management: No
Active:              True
Quantity Used:       1
Service Level:       
Service Type:        
Status Details:      Subscription is current
Subscription Type:   Standard
Starts:              Monday 20 May 2019
Ends:                Tuesday 19 May 2020
System Type:         Physical

[root@dell-r730-001-guest23 ~]# rct cat-cert /etc/pki/entitlement/549870588193513666.pem |  grep -i containerImage -A1 -B1
Content:
	Type: containerImage
	Name: 37090-awesomeos-docker-images

^^ Notice the registry files now have the entitlement cert copied when subscriptions containing "containerImage" content are attached.

Based on the above observation, moving the bug to verified!!

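The reproduction in the description and the verification in comment 11 come down to the same check: after rhsmcertd's auto-attach, every directory named in registry_hostnames must hold <serial>.cert and <serial>.key for each entitlement whose certificate carries containerImage content. The script below is an added example, not code from subscription-manager or from this bug report, that automates that check. It runs against a constructed fixture (placeholder files, not real certificates) reproducing the empty registry directories from the description and the populated ones from comment 11, using the two serials shown on the page; the plugin config path and certs.d root are parameters so the same functions can be pointed at /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf and /etc/docker/certs.d on a real host. The closing comment about dontaudit rules and semodule -DB is a general SELinux troubleshooting step assumed here as the reason an enforcing-mode failure can leave ausearch empty (Note 3 in the description); the bug itself does not state the root cause.

```shell
#!/bin/sh
# Added example, not part of the bug report or subscription-manager.
# Verifies that rhsmcertd-worker's container plugin placed the entitlement
# cert+key for SERIAL into every registry directory named in the plugin
# config (the state comment 11 shows; the description shows them empty).
set -u

# registry_hostnames_from_conf CONF
# Prints each host from the registry_hostnames line, one per line.
# Accepts both "key=value" and "key = value" (both forms appear on this page).
registry_hostnames_from_conf() {
    sed -n 's/^[[:space:]]*registry_hostnames[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr -d '\r' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$'
}

# has_container_image_content FILE
# FILE holds `rct cat-cert <entitlement.pem>` output; returns 0 if any
# content section is of type containerImage (what makes the plugin act).
has_container_image_content() {
    grep -Eq '^[[:space:]]*Type:[[:space:]]*containerImage[[:space:]]*$' "$1"
}

# check_container_certs CONF CERTS_D SERIAL
# Returns 0 when every registry dir has SERIAL.cert and SERIAL.key;
# otherwise lists each missing file and returns 1.
check_container_certs() {
    conf=$1; certs_d=$2; serial=$3
    missing=0
    for host in $(registry_hostnames_from_conf "$conf"); do
        for ext in cert key; do
            f="$certs_d/$host/$serial.$ext"
            if [ ! -s "$f" ]; then
                echo "missing: $f"
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# make_fixture ROOT POPULATE SERIAL
# Constructed fixture (not a real certs.d tree): the plugin config from the
# page plus a registry tree, populated with placeholder cert/key files when
# POPULATE=1 (comment 11 state) or left empty when 0 (description state).
make_fixture() {
    root=$1; populate=$2; serial=$3
    mkdir -p "$root/certs.d"
    cat > "$root/container_content.conf" <<'EOF'
[main]
enabled = 1
registry_hostnames = registry.access.redhat.com,cdn.redhat.com,access.redhat.com,registry.redhat.io
EOF
    for host in $(registry_hostnames_from_conf "$root/container_content.conf"); do
        mkdir -p "$root/certs.d/$host"
        if [ "$populate" -eq 1 ]; then
            echo "placeholder cert" > "$root/certs.d/$host/$serial.cert"
            echo "placeholder key"  > "$root/certs.d/$host/$serial.key"
        fi
    done
    # The CA bundle exists even in the broken listing; it is not what we check.
    echo "placeholder CA" > "$root/certs.d/cdn.redhat.com/redhat-entitlement-authority.crt"
    # Constructed `rct cat-cert` excerpt matching the grep output on the page.
    printf 'Content:\n\tType: containerImage\n\tName: awesomeos-docker-images\n' > "$root/rct.txt"
}

FIXTURE_ROOT=$(mktemp -d)
make_fixture "$FIXTURE_ROOT/broken" 0 3336717941861560708
make_fixture "$FIXTURE_ROOT/fixed"  1 549870588193513666

for pair in broken:3336717941861560708 fixed:549870588193513666; do
    state=${pair%%:*}; serial=${pair#*:}
    d="$FIXTURE_ROOT/$state"
    if has_container_image_content "$d/rct.txt" \
       && check_container_certs "$d/container_content.conf" "$d/certs.d" "$serial"; then
        echo "$state: OK, entitlement $serial installed for every registry"
    else
        echo "$state: FAILED, plugin did not install entitlement $serial"
    fi
done

# On a real RHEL 8 host (not run here), after `systemctl restart rhsmcertd` and
# the 2 minute wait used in the report:
#   check_container_certs /etc/rhsm/pluginconf.d/container_content.ContainerContentPlugin.conf \
#       /etc/docker/certs.d 3336717941861560708
# If that fails while `getenforce` is Enforcing but
# `ausearch -m AVC -m USER_AVC -m SELINUX_ERR` shows no matches (Note 3), the
# assumption here is that a dontaudit rule hides the denial: `semodule -DB`
# rebuilds the policy with dontaudit rules disabled so the denial is logged,
# and `semodule -B` restores the normal policy afterwards.
```

The check deliberately tests for non-empty files with `-s`, not just existence, so a zero-length cert left by an interrupted copy still counts as missing.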
Comment 13 errata-xmlrpc 2019-11-05 22:15:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3561

