subscription-manager currently detects whether it is running in a container, and disables itself in that case. This is because the business requirements so far are that RHEL containers get the entitlements from the host.

Over the years, more use cases showed up (e.g. UBI running in OCP 4, UBI running on non-RHEL hosts, etc.) that are valid for us and for our customers, and they are not easy to get with the current detection in subscription-manager.

Hence, as a result of internal discussions, we decided to relax/tweak the existing detection; this will mean the following changes:
- subscription-manager will not check anymore whether it is running under docker or podman; the only detection left will be based on whether secrets (config, identity certs, entitlement certs) are available (usually mounted, in case of containers) in the well-known locations
- the messaging "container mode" that is printed by subscription-manager (directly, and by its dnf plugin) will be changed to mention that secrets are provided, rather than anything related to containers
- the supposed-to-be-internal-but-unfortunately-public environment variable SMDEV_CONTAINER_OFF will be dropped, as the above changes will allow to work OOTB in the very vast majority of the use cases in which that envvar was (sadly) needed

Updates to documentation/KBs/etc. will be done separately after this is implemented, and not tracked by this bz.
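A simplified model of the detection change described in this report, as an added example that is not subscription-manager's own code: it compares the old and new decision over three constructed root trees. `SECRET_DIRS` holds placeholder paths (the report does not name the locations), and combining the old checks with OR and treating any non-empty `SMDEV_CONTAINER_OFF` as an override are assumptions.

```python
import os
import tempfile

# Marker files left by podman and docker inside a container's root.
RUNTIME_MARKERS = ("run/.containerenv", ".dockerenv")
# Placeholder paths (assumptions): the report only says "well-known locations".
SECRET_DIRS = ("PLACEHOLDER/host-config", "PLACEHOLDER/host-entitlement")


def secrets_present(root):
    """True when any secrets directory under root holds at least one file."""
    dirs = (os.path.join(root, rel) for rel in SECRET_DIRS)
    return any(os.path.isdir(d) and bool(os.listdir(d)) for d in dirs)


def old_detection(root, env=None):
    """Model of the old check: runtime marker or secrets, unless overridden."""
    if (env or {}).get("SMDEV_CONTAINER_OFF"):
        return False
    in_runtime = any(os.path.exists(os.path.join(root, m)) for m in RUNTIME_MARKERS)
    return in_runtime or secrets_present(root)


def new_detection(root):
    """Model of the new check: only host-provided secrets matter."""
    return secrets_present(root)


def build_root(markers=(), secrets=()):
    """Create a constructed, throwaway root tree with the given files."""
    root = tempfile.mkdtemp()
    for rel in markers:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    for rel in secrets:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        open(os.path.join(root, rel, "constructed.pem"), "w").close()
    return root


def compare():
    """Return {case: (old_result, new_result)}; True means self-disabled."""
    roots = {"host": build_root(), "container": build_root(RUNTIME_MARKERS[:1]),
             "container+secrets": build_root(RUNTIME_MARKERS[:1], SECRET_DIRS)}
    return {name: (old_detection(r), new_detection(r)) for name, r in roots.items()}
```

The `container` case is the one that changes: the old model disables the tool on the runtime marker alone, while the new model leaves it enabled until secrets are actually provided.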
*** Bug 2216079 has been marked as a duplicate of this bug. ***
Reproducing the issues on SM version:

[root@kvm-02-guest05 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.29.35-1.el9

1st scenario - subscription-manager will not check anymore whether it is running under docker or podman, only detection left will be based on whether secrets:

[root@kvm-02-guest05 ~]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Unknown

System Purpose Status: Unknown

[root@kvm-02-guest05 ~]# podman pull registry.access.redhat.com/ubi9/ubi:9.2-696
Trying to pull registry.access.redhat.com/ubi9/ubi:9.2-696...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 7b3dd25bf011 done
Copying config 663a35613b done
Writing manifest to image destination
Storing signatures
663a35613bf10445ee2fd4af90024ccb83aecf3985b7e98c9e9a87f0f3131865

[root@kvm-02-guest05 ~]# podman run -it ubi:9.2-696 /bin/bash
[root@7bfe891bb5ae /]# subscription-manager register
subscription-manager is disabled when running inside a container. Please refer to your host system for subscription management.

^^ I was not able to register the system inside of the container as expected

registering the system:

[root@kvm-02-guest05 ~]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password:
The system has been registered with ID: bcad4504-374d-46c4-99de-ef46b467339a
The registered system name is: kvm-02-guest05.rhts.eng.brq.redhat.com

[root@kvm-02-guest05 product-default]# subscription-manager attach
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status: Subscribed

[root@36d161dd8832 /]# ls /etc/pki/product-default/
479.pem

^^ system is using the host's entitlement as expected

2nd scenario - the messaging "container mode" that is printed by subscription-manager will be changed:

[root@kvm-02-guest05 ~]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Unknown

System Purpose Status: Unknown

[root@7bfe891bb5ae /]# subscription-manager status
subscription-manager is disabled when running inside a container. Please refer to your host system for subscription management.

^^ old message is shown here as expected

3rd scenario - environment variable SMDEV_CONTAINER_OFF will be dropped:

[root@kvm-02-guest05 ~]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Unknown

System Purpose Status: Unknown

[root@7bfe891bb5ae /]# export SMDEV_CONTAINER_OFF=true
[root@7bfe891bb5ae /]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password:
The system has been registered with ID: 88f93e87-7a2e-4ab2-a660-b1f524fe5882
The registered system name is: kvm-02-guest05.rhts.eng.brq.redhat.com

[root@7bfe891bb5ae /]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Unknown

System Purpose Status: Unknown

Pre-verification done on the SM version:

[root@kvm-02-guest05 sm_new]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.29.35-1.git.36.455a011.el9

1st scenario - subscription-manager will not check anymore whether it is running under docker or podman, only detection left will be based on whether secrets:

[root@kvm-02-guest05 sm_new]# podman pull registry.access.redhat.com/ubi9/ubi:9.2-696
Trying to pull registry.access.redhat.com/ubi9/ubi:9.2-696...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 7b3dd25bf011 skipped: already exists
Copying config 663a35613b done
Writing manifest to image destination
Storing signatures
663a35613bf10445ee2fd4af90024ccb83aecf3985b7e98c9e9a87f0f3131865

[root@kvm-02-guest05 sm_new]# podman run -it ubi:9.2-696 /bin/bash

trying to register the system:

[root@7ac5ee675ca9 yum.repos.d]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password:
The system has been registered with ID: 7115f112-3b25-4e23-be52-689426d0030b
The registered system name is: 7ac5ee675ca9

[root@7ac5ee675ca9 yum.repos.d]# subscription-manager attach --auto
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status: Subscribed

^^ I was able to register the system even when secrets were not shared by the host system

registering the host system and checking for entitlements in the container:

[root@kvm-02-guest05 sm_new]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password:
The system has been registered with ID: c3042ea1-7999-48ea-8081-6fe6157b375a
The registered system name is: kvm-02-guest05.rhts.eng.brq.redhat.com

[root@kvm-02-guest05 sm_new]# subscription-manager attach --auto
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status: Subscribed

root@kvm-02-guest05 /]# ll /etc/pki/product-default/
total 4
-rw-r--r--. 1 root root 2172 Jul 31 14:46 479.pem

[root@78d2a7642b7f /]# ls /etc/pki/product-default/
479.pem

^^ inside of the container there is the same file, so secrets are shared with the container as expected

2nd scenario - the messaging "container mode" that is printed by subscription-manager will be changed:

installing zsh:

[root@78d2a7642b7f /]# yum install zsh
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs) 15 MB/s | 23 MB 00:01
Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs) 11 MB/s | 13 MB 00:01
...
Installed:
  zsh-5.8-9.el9.x86_64
Complete!

^^ The system message about containers is present and I was able to download and install zsh package

after sharing secrets with the container and running 'subscription-manager version/register' the following message was shown as expected:

[root@b71353791b23 /]# subscription-manager version
subscription-manager is operating in container mode. Use your host system to manage subscriptions.

[root@b71353791b23 /]# subscription-manager register
subscription-manager is operating in container mode. Use your host system to manage subscriptions.

3rd scenario - environment variable SMDEV_CONTAINER_OFF will be dropped:

there is no need for testing the 3rd scenario as the 'SMDEV_CONTAINER_OFF' variable was dropped and as we saw we are able to do the actions we were used to do with SMDEV_CONTAINER_OFF before

--> PASSED
[root@kvm-02-guest09 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.29.36-1.el9

1st scenario: registering subman in a container while secrets are not shared

[root@kvm-02-guest09 ~]# podman run -it ubi:9.2-696 /bin/bash
[root@335615ca1c26 /]# clear
bash: clear: command not found

[root@335615ca1c26 /]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.29.36-1.el9

[root@335615ca1c26 /]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password:
The system has been registered with ID: 61a1529e-78bd-41f5-ab05-c29b56bb5864
The registered system name is: 335615ca1c26

[root@335615ca1c26 /]# subscription-manager attach --auto
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status: Subscribed

^^ I was able to register subman even without sharing secrets

registering the subman on the host system and checking that container uses shared secrets:

[root@kvm-02-guest09 ~]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password:
The system has been registered with ID: c5fa9a35-a651-4137-89a4-c9f70e30749f
The registered system name is: kvm-02-guest09.rhts.eng.brq.redhat.com

[root@kvm-02-guest09 product-default]# ll /etc/pki/product-default/
total 4
-rw-r--r--. 1 root root 2171 Aug 10 16:27 479.pem

[root@bf420aa46169 /]# ls /etc/pki/product-default/
479.pem

^^ container is using the secrets shared by the host system

2nd scenario: the message "container mode" that is printed will be changed:

root@bf420aa46169 /]# yum install zsh
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode. <-- message as expected
...
Installed:
  zsh-5.8-9.el9.x86_64
Complete!

after running 'subscription-manager version/register' the following message should be also changed

[root@bf420aa46169 /]# subscription-manager version
subscription-manager is operating in container mode. Use your host system to manage subscriptions.

[root@bf420aa46169 /]# subscription-manager status
subscription-manager is operating in container mode. Use your host system to manage subscriptions.

[root@bf420aa46169 /]# subscription-manager register
subscription-manager is operating in container mode. Use your host system to manage subscriptions.

^^ messages shown are as expected

[root@bf420aa46169 /]# ls /etc/pki/product-default/
479.pem

3rd scenario: there is no need for testing the 3rd scenario as the 'SMDEV_CONTAINER_OFF' variable was dropped and as we saw we are able to do the actions we were used to do with SMDEV_CONTAINER_OFF before

--> PASSED