Bug 2093291 - Subscription manager fails when run with rootless Buildah
Summary: Subscription manager fails when run with rootless Buildah
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: subscription-manager
Version: 9.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: rc
: 9.3
Assignee: Jiri Hnidek
QA Contact: Red Hat subscription-manager QE Team
URL:
Whiteboard:
Depends On: 2091269
Blocks:
Reported: 2022-06-03 12:59 UTC by Rehana
Modified: 2023-11-07 11:20 UTC (History)

Fixed In Version: subscription-manager-1.29.34-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2091269
Environment:
Last Closed: 2023-11-07 08:51:53 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github candlepin subscription-manager pull 3134 0 None Merged 2093291: Make locking more reliable 2023-03-24 10:07:14 UTC
Red Hat Issue Tracker RHELPLAN-124199 0 None None None 2022-06-03 13:07:46 UTC
Red Hat Product Errata RHBA-2023:6606 0 None None None 2023-11-07 08:52:11 UTC

Description Rehana 2022-06-03 12:59:32 UTC
+++ This bug was initially created as a clone of Bug #2091269 +++

Users doing:

$ buildah unshare
# ctr=$(buildah from scratch)
# mnt=$(buildah mount $ctr)
# dnf -y install --installroot=$mnt --releasever=8 httpd

Blows up, because the Red Hat Subscription manager plugin attempts to
write to paths in /run and /var/lib that are not writable within the
user namespace.

I think we have to work with the subscription manager people to follow
XDG_RUNTIME_DIR and understand that they are running in a rootless user
namespace environment, to make this work.

This works fine with Fedora and CentOS; it only seems to blow up in
RHEL, because of subscription manager.

Comment 3 Jan Stavel 2023-04-11 11:34:41 UTC
[test@sweetpig-10 ~]$ buildah unshare
[root@sweetpig-10 ~]# ctr=$(buildah from scratch)
[root@sweetpig-10 ~]# mnt=$(buildah mount $ctr)
[root@sweetpig-10 ~]# dnf -y install --installroot=$mnt --releasever=8 httpd
2023-04-11 07:21:44,414 [ERROR] dnf:21088:MainThread @logutil.py:241 - [Errno 13] Permission denied: '/var/log/rhsm/rhsm.log' - Further logging output will be written to stderr
Updating Subscription Management repositories.
Unable to read consumer identity
2023-04-11 07:21:44,415 [INFO] dnf:21088:MainThread @lock.py:155 - Unable to create lock/write to directory /run/rhsm: [Errno 13] Permission denied: '/run/rhsm/tmp4ksomy3i'
2023-04-11 07:21:44,415 [INFO] dnf:21088:MainThread @lock.py:308 - Trying to use user lock directory: /run/user/1000/rhsm/cert.pid (influenced by $XDG_RUNTIME_DIR)

This system is not registered with an entitlement server. You can use subscription-manager to register.

  Verifying        : systemd-pam-252-13.el9_2.x86_64                                                                                                                                                                                    85/91 
  Verifying        : systemd-rpm-macros-252-13.el9_2.noarch                                                                                                                                                                             86/91 
  Verifying        : tzdata-2022g-2.el9.noarch                                                                                                                                                                                          87/91 
  Verifying        : util-linux-2.37.4-10.el9.x86_64                                                                                                                                                                                    88/91 
  Verifying        : util-linux-core-2.37.4-10.el9.x86_64                                                                                                                                                                               89/91 
  Verifying        : xz-libs-5.2.5-8.el9_0.x86_64                                                                                                                                                                                       90/91 
  Verifying        : zlib-1.2.11-39.el9.x86_64                                                                                                                                                                                          91/91 
2023-04-11 07:22:15,275 [WARNING] dnf:21088:MainThread @logutil.py:175 - logging already initialized
2023-04-11 07:22:15,277 [ERROR] dnf:21088:MainThread @product-id.py:192 - Unable to read cache: /var/lib/rhsm/cache/productid_repo_mapping.json
2023-04-11 07:22:15,277 [ERROR] dnf:21088:MainThread @product-id.py:193 - [Errno 13] Permission denied: '/var/lib/rhsm/cache/productid_repo_mapping.json'
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/dnf-plugins/product-id.py", line 185, in __read_cache_file
    with open(file_name) as file:
PermissionError: [Errno 13] Permission denied: '/var/lib/rhsm/cache/productid_repo_mapping.json'
2023-04-11 07:22:15,292 [ERROR] dnf:21088:MainThread @product-id.py:179 - Unable to write cache: /var/lib/rhsm/cache/productid_repo_mapping.json
2023-04-11 07:22:15,292 [ERROR] dnf:21088:MainThread @product-id.py:180 - [Errno 13] Permission denied: '/var/lib/rhsm/cache'
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/dnf-plugins/product-id.py", line 174, in __write_cache_file
    os.makedirs(dir_name)
  File "/usr/lib64/python3.9/os.py", line 225, in makedirs
    mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/var/lib/rhsm/cache'
2023-04-11 07:22:15,322 [INFO] dnf:21088:MainThread @productid.py:556 - Updating product db with 486 -> beaker-AppStream
2023-04-11 07:22:15,322 [INFO] dnf:21088:MainThread @productid.py:556 - Updating product db with 486 -> beaker-BaseOS
Installed products updated.

Installed:
  acl-2.3.1-3.el9.x86_64                                 alternatives-1.20-2.el9.x86_64               apr-1.7.0-11.el9.x86_64                   apr-util-1.6.1-20.el9.x86_64                 apr-util-bdb-1.6.1-20.el9.x86_64               
  apr-util-openssl-1.6.1-20.el9.x86_64                   audit-libs-3.0.7-103.el9.x86_64              basesystem-11-13.el9.noarch               bash-5.1.8-6.el9_1.x86_64                    bzip2-libs-1.0.8-8.el9.x86_64                





[root@sweetpig-10 ~]# rpm -qa | grep subscription
subscription-manager-rhsm-certificates-20220623-1.el9.noarch
python3-subscription-manager-rhsm-1.29.33+34.gcbc3efc7e-1.git.0.b1abf6c.x86_64
libdnf-plugin-subscription-manager-1.29.33+34.gcbc3efc7e-1.git.0.b1abf6c.x86_64
subscription-manager-1.29.33+34.gcbc3efc7e-1.git.0.b1abf6c.x86_64
subscription-manager-cockpit-6^25.g7c697ca-1.el9.noarch
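
The log above shows the lock falling back from /run/rhsm to a directory under $XDG_RUNTIME_DIR. The sketch below is an added example, not subscription-manager's lock.py: it shows one way to do that fallback while treating the environment variable as untrusted input. The helper names `pick_lock_dir`, `acquire` and `_private_dir` are hypothetical, and the ownership and mode checks are an assumption of this example; only the paths /run/rhsm and rhsm/cert.pid come from the log.

```python
import fcntl
import os
import stat
import tempfile

SYSTEM_LOCK_DIR = "/run/rhsm"  # system lock directory named in the log above


def _private_dir(path):
    """True if path is a real directory owned by us with no group/other access."""
    st = os.lstat(path)  # lstat: a symlink planted at this path is not followed
    return (stat.S_ISDIR(st.st_mode) and st.st_uid == os.geteuid()
            and (stat.S_IMODE(st.st_mode) & 0o077) == 0)


def pick_lock_dir(system_dir=SYSTEM_LOCK_DIR, environ=os.environ):
    """Hypothetical helper: prefer system_dir, else $XDG_RUNTIME_DIR/rhsm."""
    try:
        # Probe writability by creating and removing a temporary file.
        with tempfile.NamedTemporaryFile(dir=system_dir):
            return system_dir
    except OSError:
        pass  # missing, or EACCES as in the rootless buildah session
    runtime = environ.get("XDG_RUNTIME_DIR", "")
    # The variable is untrusted input: require an absolute, private
    # directory before creating anything beneath it.
    if not os.path.isabs(runtime) or not _private_dir(runtime):
        raise RuntimeError("XDG_RUNTIME_DIR is unset or not a private directory")
    user_dir = os.path.join(runtime, "rhsm")
    os.makedirs(user_dir, mode=0o700, exist_ok=True)
    if not _private_dir(user_dir):
        raise RuntimeError(f"{user_dir} is not a private directory")
    return user_dir


def acquire(lock_dir, name="cert.pid"):
    """Take an exclusive, non-blocking lock; return the open descriptor."""
    path = os.path.join(lock_dir, name)
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError:
        os.close(fd)  # another holder exists; leave its PID in the file
        raise
    os.ftruncate(fd, 0)
    os.write(fd, str(os.getpid()).encode())
    return fd
```

Inside `buildah unshare` the effective UID is 0 and the caller's runtime directory is mapped to UID 0 as well, so the ownership comparison holds in the rootless case.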

Comment 6 Zdenek Petracek 2023-04-27 17:46:42 UTC
Final verification done on SUBMAN version:
[root@kvm-01-guest13 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.29.34-1.el9

Verification process:
[root@kvm-01-guest13 ~]# buildah unshare
[root@kvm-01-guest13 ~]# ctr=$(buildah from scratch)
[root@kvm-01-guest13 ~]# mnt=$(buildah mount $ctr)

[root@kvm-01-guest13 ~]# dnf -y install --installroot=$mnt --releasever=8 httpd
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

beaker-AppStream                                          62 MB/s | 6.3 MB     00:00    
beaker-AppStream-debuginfo                                66 MB/s | 5.3 MB     00:00    
beaker-BaseOS                                             42 MB/s | 1.7 MB     00:00    
beaker-BaseOS-debuginfo                                   40 MB/s | 1.5 MB     00:00    
beaker-CRB                                                55 MB/s | 2.0 MB     00:00    
beaker-CRB-debuginfo                                      23 MB/s | 354 kB     00:00    
beaker-HighAvailability                                   16 MB/s | 235 kB     00:00    
beaker-HighAvailability-debuginfo                        2.2 MB/s |  24 kB     00:00    
...
  p11-kit-trust-0.24.1-2.el9.x86_64             pam-1.5.1-14.el9.x86_64                           
  pcre-8.44-3.el9.3.x86_64                      pcre2-10.40-2.el9.x86_64                          
  pcre2-syntax-10.40-2.el9.noarch               readline-8.1-4.el9.x86_64                         
  redhat-logos-httpd-90.4-1.el9.noarch          redhat-release-9.3-0.0.el9.x86_64                 
  redhat-release-eula-9.3-0.0.el9.x86_64        sed-4.8-9.el9.x86_64                              
  setup-2.13.7-9.el9.noarch                     shadow-utils-2:4.9-6.el9.x86_64                   
  systemd-252-13.el9_2.x86_64                   systemd-libs-252-13.el9_2.x86_64                  
  systemd-pam-252-13.el9_2.x86_64               systemd-rpm-macros-252-13.el9_2.noarch            
  tzdata-2023c-1.el9.noarch                     util-linux-2.37.4-10.el9.x86_64                   
  util-linux-core-2.37.4-10.el9.x86_64          xz-libs-5.2.5-8.el9_0.x86_64                      
  zlib-1.2.11-39.el9.x86_64                    

Complete!

^^ Final verification PASSED

Comment 8 errata-xmlrpc 2023-11-07 08:51:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6606

