Bug 2231100 - [RFE] change the container detection to check harder for secrets
Summary: [RFE] change the container detection to check harder for secrets
Keywords:
Status: POST
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: subscription-manager
Version: 8.9
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: 8.9
Assignee: mhorky
QA Contact: CSI Client Tools Bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-08-10 14:53 UTC by Pino Toscano
Modified: 2023-08-17 11:46 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Story
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github candlepin subscription-manager pull 3307 0 None Merged [1.28] ENT-5610: Explicitly check for provided entitlement certificates 2023-08-10 14:53:42 UTC
Red Hat Bugzilla 2203096 0 high VERIFIED [RFE] change the container detection to only check for secrets 2023-08-10 14:53:42 UTC
Red Hat Issue Tracker RHELPLAN-165522 0 None None None 2023-08-10 14:55:51 UTC

Description Pino Toscano 2023-08-10 14:53:42 UTC 
subscription-manager currently detects whether it is running in a container, and disables itself in that case. This is because the business requirements so far are that RHEL containers get the entitlements from the host. Over the years, more use cases showed up (e.g. UBI running in OCP 4, UBI running on non-RHEL hosts, etc) that are valid for us and for our customers, and they are not easy to get with the current detection in subscription-manager.

Hence, as result of internal discussions, we decided to relax/tweak the existing detection; this will mean the following changes:
- the detection done for secrets will be improved to also check that /etc/pki/entitlement-host exists and it contains entitlement certificates; this way, an empty /etc/rhsm-host will not trigger the container mode anymore

Updates to documentations/KBs/etc will be done separately after this is implemented, and not tracked by this bz.

Related: bug 2203096 (this is a backport of only the changes relevant in RHEL 8).
Comment 2 Zdenek Petracek 2023-08-17 11:46:25 UTC 
Pre-verification done on SUBMAN version:
[root@kvm-02-guest03 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.28.38+19.geac279219-1.git.0.5ed9b8d

Checking for shared secrets:
[root@kvm-02-guest03 /]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password: 
The system has been registered with ID: b7e30e89-b6d1-4ebc-9d7e-2afdef3dbe7a
The registered system name is: kvm-02-guest03.rhts.eng.brq.redhat.com

[root@kvm-02-guest03 /]# subscription-manager attach
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status:       Subscribed

[root@kvm-02-guest03 /]# ll /etc/pki/entitlement
total 52
-rw-r--r--. 1 root root  3272 Aug 17 13:27 3460476172276112314-key.pem
-rw-r--r--. 1 root root 31710 Aug 17 13:27 3460476172276112314.pem
-rw-r--r--. 1 root root  3272 Aug 17 13:27 5348984623186667049-key.pem
-rw-r--r--. 1 root root  8757 Aug 17 13:27 5348984623186667049.pem
[root@kvm-02-guest03 /]# ll /etc/rhsm
total 8
drwxr-xr-x. 2 root root   68 Aug 17 13:16 ca
drwxr-xr-x. 2 root root    6 Aug 15 16:47 facts
-rw-r--r--. 1 root root 1662 Aug 15 16:47 logging.conf
drwxr-xr-x. 2 root root    6 Aug 15 16:47 pluginconf.d
-rw-r--r--. 1 root root 3147 Aug 17 13:23 rhsm.conf
drwxr-xr-x. 2 root root   54 Aug 17 13:26 syspurpose

[root@kvm-02-guest03 /]# podman pull registry.access.redhat.com/ubi8/ubi:8.8-1032
Trying to pull registry.access.redhat.com/ubi8/ubi:8.8-1032...
Getting image source signatures
Checking if image destination supports signatures
Copying blob bea2a0b08f4f done  
Copying config 7e569fa199 done  
Writing manifest to image destination
Storing signatures
7e569fa199c00a48fc249200463d903ca157a4e965348a845827871f4ede3714

[root@kvm-02-guest03 /]# podman run -it ubi:8.8-1032
[root@398f901aeb56 /]# ls /run/secrets/rhsm/
ca  logging.conf  rhsm.conf  syspurpose

[root@398f901aeb56 /]# ls /run/secrets/etc-pki-entitlement/
3460476172276112314-key.pem  3460476172276112314.pem  5348984623186667049-key.pem  5348984623186667049.pem

Unregistering the system and trying to register from inside of the container:
[root@kvm-02-guest03 /]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Unknown

System Purpose Status: Unknown

[root@kvm-02-guest03 /]# podman run -it ubi:8.8-1032
[root@eae165b8da40 /]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.28.38+19.geac279219-1.git.0.5ed9b8d

[root@eae165b8da40 /]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password: 
The system has been registered with ID: 1d53ff7f-550a-44d2-a659-91d5b9d8d527
The registered system name is: eae165b8da40
^^ the system was able to register from inside of the container as expected --> PRE-VERIFICATION PASSED
Note You need to log in before you can comment on or make changes to this bug.