Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2091269

Summary: Subscription manager fails when run with rootless Buildah
Product: Red Hat Enterprise Linux 8 Reporter: Daniel Walsh <dwalsh>
Component: subscription-managerAssignee: Pino Toscano <ptoscano>
Status: CLOSED ERRATA QA Contact: Red Hat subscription-manager QE Team <rhsm-qe>
Severity: medium Docs Contact:
Priority: high    
Version: 8.6CC: cdonnell, jhnidek, nalin, redakkan, zpetrace
Target Milestone: rcKeywords: Triaged
Target Release: 8.9Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: subscription-manager-1.28.39-1.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2093291 (view as bug list) Environment:
Last Closed: 2023-11-14 15:47:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2093291    

Description Daniel Walsh 2022-05-28 11:19:59 UTC 
Users doing:

$ buildah unshare
# ctr=$(buildah from scratch)
# mnt=$(buildah mount $ctr)
# dnf -y install --installroot=$mnt --releasever=8 httpd

Blows up, because the RedHat Subcription manager plugin attempts to
write to paths in /run and /var/lib that are not writable within the
user namespace.

I think we have to work with the subscription manager people to follow
XDG_RUNTIME_DIR and understand that they are running in a rootless user
namespace environment, to make this work.

This works fine with Fedora and Centos, it only seems to blow up in
RHEL, because of subscription manager.
Comment 5 Daniel Walsh 2022-09-06 19:16:25 UTC 
The issue here is the subscription manager realizing that it is running within a rootless environment. The subscription manager is assuming it is running as root, where it should be fully able to run in non root environments.
Comment 6 Daniel Walsh 2022-09-06 20:56:24 UTC 
BTW I am seeing the same symptoms, subscription manager thinks it is running as root in a user namespace and attempts to write to /run as if it was real root.
It should be using XDG_RUNTIME_DIR if it is set, and then the user would be able to write the content.

XDG_RUNTIME_DIR=/run/user/$UID
Comment 8 Zdenek Petracek 2023-06-08 12:04:45 UTC 
Reproducing the bug on a SUBMAN version:
[testuser@kvm-01-guest24 ~]$ subscription-manager version
You are attempting to run "subscription-manager" which requires administrative
privileges, but more information is needed in order to do so.
Authenticating as "root"
Password: 
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.28.37-1.el8

Reproducing the bug:
[testuser@kvm-01-guest24 ~]$ buildah unshare
[root@kvm-01-guest24 ~]# ctr=$(buildah from scratch)
[root@kvm-01-guest24 ~]# mnt=$(buildah mount $ctr)

[root@kvm-01-guest24 ~]# dnf -y install --installroot=$mnt --releasever=8 httpd
2023-06-08 13:53:55,900 [ERROR] dnf:19128:MainThread @logutil.py:236 - [Errno 13] Permission denied: '/var/log/rhsm/rhsm.log' - Further logging output will be written to stderr
Updating Subscription Management repositories.
Unable to read consumer identity
2023-06-08 13:53:55,901 [ERROR] dnf:19128:MainThread @lock.py:152 - [Errno 13] Permission denied: '/run/rhsm/cert.pid'
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 132, in acquire
    f.open()
  File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 41, in open
    self.fp = open(self.path, 'w')
PermissionError: [Errno 13] Permission denied: '/run/rhsm/cert.pid'
could not create lock

This system is not registered with an entitlement server. You can use subscription-manager to register.
^^ Errors appeared -> bug reproduced

Pre-verifying on version:
[testuser@kvm-01-guest24 ~]$ subscription-manager version
You are attempting to run "subscription-manager" which requires administrative
privileges, but more information is needed in order to do so.
Authenticating as "root"
Password: 
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.28.38+6.g76d589b9a-1.git.0.e3e938d

Verification process:
[testuser@kvm-01-guest24 ~]$ buildah unshare
[root@kvm-01-guest24 ~]# ctr=$(buildah from scratch)
[root@kvm-01-guest24 ~]# mnt=$(buildah mount $ctr)

[root@kvm-01-guest24 ~]# dnf -y install --installroot=$mnt --releasever=8 httpd
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

beaker-AppStream                                                                                                   50 MB/s | 8.1 MB     00:00    
beaker-AppStream-debuginfo                                                                                         43 MB/s | 6.0 MB     00:00    
beaker-BaseOS                                                                                                      27 MB/s | 2.4 MB     00:00    
beaker-BaseOS-debuginfo                                                                                            22 MB/s | 1.8 MB     00:00    
beaker-CRB                                                                                                         25 MB/s | 2.3 MB     00:00    
beaker-CRB-debuginfo                                                                                               99 kB/s | 529 kB     00:05    
beaker-HighAvailability                                                                                           8.1 MB/s | 600 kB     00:00    
beaker-HighAvailability-debuginfo                                                                                 306 kB/s |  18 kB     00:00    
beaker-NFV                                                                                                         12 MB/s | 886 kB     00:00    
beaker-NFV-debuginfo                                                                                              4.9 MB/s | 329 kB     00:00    
beaker-RT                                                                                                          12 MB/s | 884 kB     00:00    
beaker-RT-debuginfo                                                                                               5.3 MB/s | 329 kB     00:00    
beaker-ResilientStorage                                                                                           8.7 MB/s | 603 kB     00:00    
beaker-ResilientStorage-debuginfo                                                                                 326 kB/s |  18 kB     00:00    
beaker-SAP                                                                                                        136 kB/s | 8.0 kB     00:00    
beaker-SAP-debuginfo                                                                                              244 kB/s |  13 kB     00:00    
beaker-SAPHANA                                                                                                    200 kB/s |  13 kB     00:00    
beaker-SAPHANA-debuginfo                                                                                          203 kB/s |  13 kB     00:00    
beaker-harness                                                                                                    333 kB/s | 524 kB     00:01    
beaker-tasks                                                                                                      432 kB/s | 5.8 MB     00:13    
Dependencies resolved.
==================================================================================================================================================
 Package                                Architecture      Version                                               Repository                   Size
==================================================================================================================================================
Installing:
 httpd                                  x86_64            2.4.37-56.module+el8.8.0+18758+b3a9c8da.6             beaker-AppStream            1.4 M
...
  redhat-release-8.9-0.0.el8.x86_64                                            redhat-release-eula-8.9-0.0.el8.x86_64                                 
  rpm-4.14.3-26.el8.x86_64                                                     rpm-libs-4.14.3-26.el8.x86_64                                          
  sed-4.5-5.el8.x86_64                                                         setup-2.12.2-9.el8.noarch                                              
  shadow-utils-2:4.6-18.el8.x86_64                                             shared-mime-info-1.9-3.el8.x86_64                                      
  sqlite-libs-3.26.0-18.el8_8.x86_64                                           systemd-239-75.el8.x86_64                                              
  systemd-libs-239-75.el8.x86_64                                               systemd-pam-239-75.el8.x86_64                                          
  systemd-udev-239-75.el8.x86_64                                               trousers-0.3.15-1.el8.x86_64                                           
  trousers-lib-0.3.15-1.el8.x86_64                                             tzdata-2023c-1.el8.noarch                                              
  util-linux-2.32.1-42.el8_8.x86_64                                            which-2.21-20.el8.x86_64                                               
  xkeyboard-config-2.28-1.el8.noarch                                           xz-5.2.4-4.el8_6.x86_64                                                
  xz-libs-5.2.4-4.el8_6.x86_64                                                 zlib-1.2.11-25.el8.x86_64                                              

Complete!
^^ pre-verification PASSED
Comment 14 Zdenek Petracek 2023-08-25 19:14:38 UTC 
Final verification done on SUBMAN version:
[testuser@kvm-01-guest06 ~]$ rpm -qa | grep subscription-manager
python3-subscription-manager-rhsm-1.28.39-1.el8.x86_64
subscription-manager-1.28.39-1.el8.x86_64
dnf-plugin-subscription-manager-1.28.39-1.el8.x86_64
subscription-manager-rhsm-certificates-20220623-1.el8.noarch

[testuser@kvm-01-guest06 ~]$ buildah unshare
[root@localhost ~]# ctr=$(buildah from scratch)
[root@localhost ~]# mnt=$(buildah mount $ctr)

The system is unregistered:
[root@kvm-01-guest06 ~]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Unknown

System Purpose Status: Unknown


[root@kvm-01-guest06 ~]# dnf -y install --installroot=$mnt --releasever=8 httpd
...
Installed:
  acl-2.2.53-1.el8.x86_64                                           apr-1.6.3-12.el8.x86_64                                     
  apr-util-1.6.1-9.el8.x86_64                                       apr-util-bdb-1.6.1-9.el8.x86_64                             
  apr-util-openssl-1.6.1-9.el8.x86_64                               audit-libs-3.0.7-5.el8.x86_64                               
  basesystem-11-5.el8.noarch                                        bash-4.4.20-4.el8_6.x86_64                                  
  brotli-1.0.6-3.el8.x86_64                                         bzip2-libs-1.0.6-26.el8.x86_64                              
  ca-certificates-2022.2.54-80.2.el8_6.noarch                       chkconfig-1.19.2-1.el8.x86_64                               
                        
...                            
  lua-libs-5.3.4-12.el8.x86_64                                      lz4-libs-1.8.3-3.el8_4.x86_64                               
  mailcap-2.1.48-3.el8.noarch                                       memstrack-0.2.5-2.el8.x86_64                                
  mod_http2-1.15.7-8.module+el8.9.0+19080+567b90f8.3.x86_64         mpfr-3.1.6-1.el8.x86_64                                     
  ncurses-6.1-10.20180224.el8.x86_64                                ncurses-base-6.1-10.20180224.el8.noarch                     
  ncurses-libs-6.1-10.20180224.el8.x86_64                           nettle-3.4.1-7.el8.x86_64                                   
  openldap-2.4.46-18.el8.x86_64                                     openssl-1:1.1.1k-9.el8_7.x86_64                             
  openssl-libs-1:1.1.1k-9.el8_7.x86_64                              openssl-pkcs11-0.4.10-3.el8.x86_64                          
                                  
  xz-libs-5.2.4-4.el8_6.x86_64                                      zlib-1.2.11-25.el8.x86_64                                   

Complete!
^^ Final Verification PASSED
Comment 16 errata-xmlrpc 2023-11-14 15:47:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7092