Bug 2203096 - [RFE] change the container detection to only check for secrets
Summary: [RFE] change the container detection to only check for secrets
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: subscription-manager
Version: unspecified
Hardware: All
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 9.3
Assignee: candlepin-bugs
QA Contact: Red Hat subscription-manager QE Team
URL:
Whiteboard:
Duplicates: 2216079
Depends On:
Blocks:
 
Reported: 2023-05-11 08:57 UTC by Pino Toscano
Modified: 2023-11-07 11:21 UTC (History)
CC List: 4 users

Fixed In Version: subscription-manager-1.29.36-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-07 08:51:53 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+




Links
- Github candlepin/subscription-manager pull 3270 (Merged): ENT-5580: Disable the proper container detection, last updated 2023-10-24 04:37:42 UTC
- Github candlepin/subscription-manager pull 3292 (Merged): ENT-5603: Explicitly check for provided entitlement certificates, last updated 2023-08-01 10:24:13 UTC
- Github candlepin/subscription-manager pull 3293 (Merged): ENT-5582: Remove container detection envvar overwrite, last updated 2023-08-01 10:24:13 UTC
- Github candlepin/subscription-manager pull 3294 (Merged): ENT-5581: Update messaging around the "container mode", last updated 2023-10-24 04:47:06 UTC
- Red Hat Issue Tracker ENT-5548, last updated 2023-05-11 08:57:36 UTC
- Red Hat Issue Tracker RHELPLAN-156936, last updated 2023-05-11 09:00:58 UTC
- Red Hat Product Errata RHBA-2023:6606, last updated 2023-11-07 08:52:11 UTC

Internal Links: 2231100

Description Pino Toscano 2023-05-11 08:57:37 UTC
subscription-manager currently detects whether it is running in a container, and disables itself in that case. This is because the business requirements so far are that RHEL containers get the entitlements from the host. Over the years, more use cases showed up (e.g. UBI running in OCP 4, UBI running on non-RHEL hosts, etc) that are valid for us and for our customers, and they are not easy to get with the current detection in subscription-manager.

Hence, as a result of internal discussions, we decided to relax/tweak the existing detection; this will mean the following changes:
- subscription-manager will no longer check whether it is running under docker or podman; the only detection left will be based on whether secrets (config, identity certs, entitlement certs) are available (usually mounted, in the case of containers) in the well-known locations
- the "container mode" messaging that is printed by subscription-manager (directly, and by its dnf plugin) will be changed to mention that secrets are provided, rather than anything related to containers
- the supposed-to-be-internal-but-unfortunately-public environment variable SMDEV_CONTAINER_OFF will be dropped, as the above changes will allow it to work OOTB in the very vast majority of the use cases in which that envvar was (sadly) needed

Updates to documentation/KBs/etc. will be done separately after this is implemented, and are not tracked by this bz.

Comment 2 Pino Toscano 2023-06-29 07:37:08 UTC
*** Bug 2216079 has been marked as a duplicate of this bug. ***

Comment 3 Zdenek Petracek 2023-08-01 10:05:21 UTC
Reproducing the issues on SM version:
[root@kvm-02-guest05 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.29.35-1.el9

1st scenario - subscription-manager will no longer check whether it is running under docker or podman; the only detection left will be based on whether secrets are available:
[root@kvm-02-guest05 ~]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Unknown

System Purpose Status: Unknown

[root@kvm-02-guest05 ~]# podman pull registry.access.redhat.com/ubi9/ubi:9.2-696
Trying to pull registry.access.redhat.com/ubi9/ubi:9.2-696...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 7b3dd25bf011 done  
Copying config 663a35613b done  
Writing manifest to image destination
Storing signatures
663a35613bf10445ee2fd4af90024ccb83aecf3985b7e98c9e9a87f0f3131865

[root@kvm-02-guest05 ~]# podman run -it ubi:9.2-696 /bin/bash
[root@7bfe891bb5ae /]# subscription-manager register
subscription-manager is disabled when running inside a container. Please refer to your host system for subscription management.
^^ I was not able to register the system inside of the container as expected 

registering the system:
[root@kvm-02-guest05 ~]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password: 
The system has been registered with ID: bcad4504-374d-46c4-99de-ef46b467339a
The registered system name is: kvm-02-guest05.rhts.eng.brq.redhat.com

[root@kvm-02-guest05 product-default]# subscription-manager attach
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status:       Subscribed

[root@36d161dd8832 /]# ls /etc/pki/product-default/
479.pem
^^ system is using the host's entitlement as expected


2nd scenario - the messaging "container mode" that is printed by subscription-manager will be changed:
[root@kvm-02-guest05 ~]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Unknown

System Purpose Status: Unknown

[root@7bfe891bb5ae /]# subscription-manager status
subscription-manager is disabled when running inside a container. Please refer to your host system for subscription management.
^^ old message is shown here as expected


3rd scenario - environment variable SMDEV_CONTAINER_OFF will be dropped:
[root@kvm-02-guest05 ~]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Unknown

System Purpose Status: Unknown

[root@7bfe891bb5ae /]# export SMDEV_CONTAINER_OFF=true
[root@7bfe891bb5ae /]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password: 
The system has been registered with ID: 88f93e87-7a2e-4ab2-a660-b1f524fe5882
The registered system name is: kvm-02-guest05.rhts.eng.brq.redhat.com

[root@7bfe891bb5ae /]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Unknown

System Purpose Status: Unknown


Pre-verification done on the SM version:
[root@kvm-02-guest05 sm_new]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.29.35-1.git.36.455a011.el9

1st scenario - subscription-manager will no longer check whether it is running under docker or podman; the only detection left will be based on whether secrets are available:
[root@kvm-02-guest05 sm_new]# podman pull registry.access.redhat.com/ubi9/ubi:9.2-696
Trying to pull registry.access.redhat.com/ubi9/ubi:9.2-696...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 7b3dd25bf011 skipped: already exists  
Copying config 663a35613b done  
Writing manifest to image destination
Storing signatures
663a35613bf10445ee2fd4af90024ccb83aecf3985b7e98c9e9a87f0f3131865
[root@kvm-02-guest05 sm_new]# podman run -it ubi:9.2-696 /bin/bash

trying to register the system:
[root@7ac5ee675ca9 yum.repos.d]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password: 
The system has been registered with ID: 7115f112-3b25-4e23-be52-689426d0030b
The registered system name is: 7ac5ee675ca9
[root@7ac5ee675ca9 yum.repos.d]# subscription-manager attach --auto
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status:       Subscribed
^^ I was able to register the system even when secrets were not shared by the host system

registering the host system and checking for entitlements in the container:
[root@kvm-02-guest05 sm_new]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password: 
The system has been registered with ID: c3042ea1-7999-48ea-8081-6fe6157b375a
The registered system name is: kvm-02-guest05.rhts.eng.brq.redhat.com
[root@kvm-02-guest05 sm_new]# subscription-manager attach --auto
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status:       Subscribed

[root@kvm-02-guest05 /]# ll /etc/pki/product-default/
total 4
-rw-r--r--. 1 root root 2172 Jul 31 14:46 479.pem

[root@78d2a7642b7f /]# ls /etc/pki/product-default/
479.pem
^^ inside of the container there is the same file, so secrets are shared with the container as expected


2nd scenario - the messaging "container mode" that is printed by subscription-manager will be changed:
installing zsh:
[root@78d2a7642b7f /]# yum install zsh
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)                                                                                         15 MB/s |  23 MB     00:01    
Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)                                                                                            11 MB/s |  13 MB     00:01 
...
Installed:
  zsh-5.8-9.el9.x86_64                                                                                                                                                          

Complete!
^^ The system message about containers is present and I was able to download and install the zsh package


after sharing secrets with the container and running 'subscription-manager version/register' the following message was shown as expected:
[root@b71353791b23 /]# subscription-manager version
subscription-manager is operating in container mode. Use your host system to manage subscriptions.

[root@b71353791b23 /]# subscription-manager register
subscription-manager is operating in container mode. Use your host system to manage subscriptions.


3rd scenario - environment variable SMDEV_CONTAINER_OFF will be dropped:
There is no need to test the 3rd scenario, as the 'SMDEV_CONTAINER_OFF' variable was dropped and, as we saw, we are able to do the actions we previously needed SMDEV_CONTAINER_OFF for --> PASSED

Comment 6 Zdenek Petracek 2023-08-10 14:37:59 UTC
[root@kvm-02-guest09 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.29.36-1.el9

1st scenario:
registering subman in a container while secrets are not shared
[root@kvm-02-guest09 ~]# podman run -it ubi:9.2-696 /bin/bash

[root@335615ca1c26 /]# clear
bash: clear: command not found
[root@335615ca1c26 /]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.29.36-1.el9

[root@335615ca1c26 /]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password: 
The system has been registered with ID: 61a1529e-78bd-41f5-ab05-c29b56bb5864
The registered system name is: 335615ca1c26

[root@335615ca1c26 /]# subscription-manager attach --auto
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status:       Subscribed
^^ I was able to register subman even without sharing secrets

registering the subman on the host system and checking that container uses shared secrets:
[root@kvm-02-guest09 ~]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password: 
The system has been registered with ID: c5fa9a35-a651-4137-89a4-c9f70e30749f
The registered system name is: kvm-02-guest09.rhts.eng.brq.redhat.com

[root@kvm-02-guest09 product-default]# ll /etc/pki/product-default/
total 4
-rw-r--r--. 1 root root 2171 Aug 10 16:27 479.pem

[root@bf420aa46169 /]# ls /etc/pki/product-default/
479.pem
^^ container is using the secrets shared by the host system


2nd scenario:
the message "container mode" that is printed will be changed:
[root@bf420aa46169 /]# yum install zsh
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode. <-- message as expected
...
Installed:
  zsh-5.8-9.el9.x86_64                                                                                            

Complete!

after running 'subscription-manager version/register', the following messages should also be changed
[root@bf420aa46169 /]# subscription-manager version
subscription-manager is operating in container mode. Use your host system to manage subscriptions.

[root@bf420aa46169 /]# subscription-manager status
subscription-manager is operating in container mode. Use your host system to manage subscriptions.

[root@bf420aa46169 /]# subscription-manager register
subscription-manager is operating in container mode. Use your host system to manage subscriptions.
^^ messages shown are as expected

[root@bf420aa46169 /]# ls /etc/pki/product-default/
479.pem

3rd scenario:
There is no need to test the 3rd scenario, as the 'SMDEV_CONTAINER_OFF' variable was dropped and, as we saw, we are able to do the actions we previously needed SMDEV_CONTAINER_OFF for --> PASSED

Comment 7 Zdenek Petracek 2023-08-21 16:12:35 UTC
(In reply to Zdenek Petracek from comment #3)

Regarding comment no. 3, there should be some corrections for better understanding

[root@kvm-02-guest05 ~]# podman pull registry.access.redhat.com/ubi9/ubi:9.2-696
Trying to pull registry.access.redhat.com/ubi9/ubi:9.2-696...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 7b3dd25bf011 done  
Copying config 663a35613b done  
Writing manifest to image destination
Storing signatures
663a35613bf10445ee2fd4af90024ccb83aecf3985b7e98c9e9a87f0f3131865

[root@kvm-02-guest05 ~]# podman run -it ubi:9.2-696 /bin/bash
[root@7bfe891bb5ae /]# subscription-manager register
subscription-manager is disabled when running inside a container. Please refer to your host system for subscription management.
^^ I was not able to register the system inside of the container as expected 

After running the container I pulled the same subscription-manager build into the container as is on the host system (steps are not shown) - and that is what was done for every newly running container in the pre-verification steps

registering the system:
[root@kvm-02-guest05 ~]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password: 
The system has been registered with ID: bcad4504-374d-46c4-99de-ef46b467339a
The registered system name is: kvm-02-guest05.rhts.eng.brq.redhat.com

[root@78d2a7642b7f /]# ls /etc/pki/product-default/
479.pem
^^ this path is incorrect; we should also look for /etc/rhsm-host/ --> if the directory exists, the system IS a container, and /etc/pki/entitlement/host/ --> if there is an entitlement in that directory, the container will use the entitlement

2nd scenario - the messaging "container mode" that is printed by subscription-manager will be changed:
installing zsh:
[root@78d2a7642b7f /]# yum install zsh
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode. <-- old message was shown before the new sub-man build was pulled 
Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)                                                                                         15 MB/s |  23 MB     00:01    
Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)
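
The description above and comment 7 together pin down the new rule: "container mode" is decided by what is mounted at the well-known paths (/etc/rhsm-host/ for the host's rhsm configuration, /etc/pki/entitlement/host/ for the host's entitlement certificates), not by docker/podman runtime markers and not by an environment variable. The Python below is an added example of that rule written for this page; it is not subscription-manager's own code, and the page does not show the project's implementation. Assumptions not taken from the page: the `root` parameter (so the check can be pointed at a scratch directory), the `SecretsStatus` result type, the `make_fake_rootfs` helper that builds constructed test data, and the rule that a certificate only counts when its `<serial>-key.pem` companion sits beside it, which is the file layout subscription-manager uses under /etc/pki/entitlement.

```python
"""Secrets-based "container mode" detection, modelled on the behaviour
described in bug 2203096 (added example; not subscription-manager's code).

Assumptions (not from the bug page): the ``root`` argument, the result type,
the scratch-rootfs helper, and the <serial>.pem / <serial>-key.pem pairing.
"""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Well-known locations named in comment 7. A container runtime bind-mounts the
# host's rhsm config at the first path; entitlement certs land under the second.
RHSM_HOST_DIR = "etc/rhsm-host"
ENTITLEMENT_HOST_DIR = "etc/pki/entitlement/host"


@dataclass
class SecretsStatus:
    container_mode: bool                                      # /etc/rhsm-host exists
    entitlement_serials: list = field(default_factory=list)   # certs with a key beside them

    @property
    def entitled(self) -> bool:
        return bool(self.entitlement_serials)


def detect_provided_secrets(root: str = "/") -> SecretsStatus:
    """Decide "container mode" purely from mounted secrets.

    Neither runtime markers (/.dockerenv, cgroup names) nor any environment
    variable is consulted, so a stale or injected value such as the dropped
    SMDEV_CONTAINER_OFF cannot flip the decision.
    """
    base = Path(root)
    if not (base / RHSM_HOST_DIR).is_dir():
        return SecretsStatus(container_mode=False)

    serials = []
    ent_dir = base / ENTITLEMENT_HOST_DIR
    if ent_dir.is_dir():
        for cert in sorted(ent_dir.glob("*.pem")):
            if cert.name.endswith("-key.pem"):
                continue                      # keys are picked up via their cert
            key = ent_dir / f"{cert.stem}-key.pem"
            # A cert without a readable private key cannot authenticate to the
            # CDN, so it is not counted as a usable entitlement.
            if key.is_file() and os.access(key, os.R_OK):
                serials.append(cert.stem)
    return SecretsStatus(container_mode=True, entitlement_serials=serials)


def make_fake_rootfs(with_host_dir: bool, serials=(), orphan_certs=()) -> str:
    """Build a scratch root mimicking what podman mounts (constructed data only)."""
    root = tempfile.mkdtemp(prefix="rhsm-demo-")
    if with_host_dir:
        (Path(root) / RHSM_HOST_DIR).mkdir(parents=True)
        ent = Path(root) / ENTITLEMENT_HOST_DIR
        ent.mkdir(parents=True)
        for serial in serials:
            (ent / f"{serial}.pem").write_text("-----BEGIN CERTIFICATE-----\n(constructed)\n")
            (ent / f"{serial}-key.pem").write_text("-----BEGIN PRIVATE KEY-----\n(constructed)\n")
        for serial in orphan_certs:           # cert present, key missing
            (ent / f"{serial}.pem").write_text("-----BEGIN CERTIFICATE-----\n(constructed)\n")
    return root


if __name__ == "__main__":
    cases = (
        ("plain host", make_fake_rootfs(False)),
        ("container, secrets mounted", make_fake_rootfs(True, ["2271103636138621811"])),
        ("container, host dir but no certs", make_fake_rootfs(True)),
        ("container, cert without key", make_fake_rootfs(True, orphan_certs=["999"])),
    )
    for label, root in cases:
        st = detect_provided_secrets(root)
        print(f"{label:36} container_mode={st.container_mode} entitled={st.entitled}")
```

Because the decision rests only on files the container runtime mounted, the check behaves the same whether the process is under docker, podman, OCP or a non-RHEL host, which is exactly the set of cases the description says the old runtime detection handled poorly. Run against a real container, call `detect_provided_secrets()` with the default root; the scratch-rootfs helper exists only so the logic can be exercised without a registered host.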

Comment 9 errata-xmlrpc 2023-11-07 08:51:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6606

