Bug 2231100 - [RFE] change the container detection to check harder for secrets
Summary: [RFE] change the container detection to check harder for secrets
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: subscription-manager
Version: 8.9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: 8.9
Assignee: mhorky
QA Contact: CSI Client Tools Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-08-10 14:53 UTC by Pino Toscano
Modified: 2023-11-14 17:59 UTC

Fixed In Version: subscription-manager-1.28.39-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-14 15:48:09 UTC
Type: Story
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | candlepin subscription-manager pull 3307 | 0 | None | Merged | [1.28] ENT-5610: Explicitly check for provided entitlement certificates | 2023-08-10 14:53:42 UTC
Red Hat Bugzilla | 2203096 | 0 | high | CLOSED | [RFE] change the container detection to only check for secrets | 2024-05-11 00:30:34 UTC
Red Hat Issue Tracker | RHELPLAN-165522 | 0 | None | None | None | 2023-08-10 14:55:51 UTC
Red Hat Product Errata | RHBA-2023:7092 | 0 | None | None | None | 2023-11-14 15:48:19 UTC

Description Pino Toscano 2023-08-10 14:53:42 UTC
subscription-manager currently detects whether it is running in a container, and disables itself in that case. This is because the business requirements so far are that RHEL containers get the entitlements from the host. Over the years, more use cases showed up (e.g. UBI running in OCP 4, UBI running on non-RHEL hosts, etc) that are valid for us and for our customers, and they are not easy to get with the current detection in subscription-manager.

Hence, as a result of internal discussions, we decided to relax/tweak the existing detection; this will mean the following changes:
- the detection done for secrets will be improved to also check that /etc/pki/entitlement-host exists and it contains entitlement certificates; this way, an empty /etc/rhsm-host will not trigger the container mode anymore

Updates to documentation/KBs/etc will be done separately after this is implemented, and not tracked by this bz.

Related: bug 2203096 (this is a backport of only the changes relevant in RHEL 8).
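
The detection change requested above, sketched as an added example (this is not subscription-manager's own code, and not from the linked pull request). It compares an existence-only check with the stricter check on constructed directory trees. Assumptions: all function names are hypothetical, the "before" behaviour is inferred from the sentence about an empty /etc/rhsm-host, and a certificate is taken to be a `*.pem` file that is not a `*-key.pem` key.

```python
import tempfile
from pathlib import Path

# Paths from the description, relative to a root so an unpacked image can be checked.
HOST_CONFIG_DIR = "etc/rhsm-host"
HOST_ENT_CERT_DIR = "etc/pki/entitlement-host"


def has_entitlement_certs(ent_dir: Path) -> bool:
    # Assumption: a certificate is a *.pem file that is not a *-key.pem
    # private key, as in the directory listings in the comments below.
    if not ent_dir.is_dir():  # missing path or dangling symlink
        return False
    return any(p.is_file() and not p.name.endswith("-key.pem")
               for p in ent_dir.glob("*.pem"))


def container_mode_before(root: Path) -> bool:
    # Inferred from the description: the path existing was enough, even empty.
    return (root / HOST_CONFIG_DIR).exists()


def container_mode_after(root: Path) -> bool:
    # Requested behaviour: config dir AND provided entitlement certificates.
    return ((root / HOST_CONFIG_DIR).is_dir()
            and has_entitlement_certs(root / HOST_ENT_CERT_DIR))


def build_root(certs=(), make_ent_dir=True) -> Path:
    """Constructed sample filesystem root for the demonstration."""
    root = Path(tempfile.mkdtemp())
    (root / HOST_CONFIG_DIR).mkdir(parents=True)
    if make_ent_dir:
        ent = root / HOST_ENT_CERT_DIR
        ent.mkdir(parents=True)
        for name in certs:
            (ent / name).write_text("constructed placeholder\n")
    return root


if __name__ == "__main__":
    for label, kwargs in [
        ("no entitlement-host", {"make_ent_dir": False}),
        ("empty entitlement-host", {}),
        ("key only", {"certs": ["111-key.pem"]}),
        ("cert and key", {"certs": ["111.pem", "111-key.pem"]}),
    ]:
        root = build_root(**kwargs)
        print(label, container_mode_before(root), container_mode_after(root))
```

Only the last case, where a certificate is actually present, keeps container mode on under the stricter check; the other three would let subscription-manager run normally inside the container.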

Comment 2 Zdenek Petracek 2023-08-17 11:46:25 UTC
Pre-verification done on SUBMAN version:
[root@kvm-02-guest03 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.28.38+19.geac279219-1.git.0.5ed9b8d

Checking for shared secrets:
[root@kvm-02-guest03 /]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password: 
The system has been registered with ID: b7e30e89-b6d1-4ebc-9d7e-2afdef3dbe7a
The registered system name is: kvm-02-guest03.rhts.eng.brq.redhat.com

[root@kvm-02-guest03 /]# subscription-manager attach
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status:       Subscribed

[root@kvm-02-guest03 /]# ll /etc/pki/entitlement
total 52
-rw-r--r--. 1 root root  3272 Aug 17 13:27 3460476172276112314-key.pem
-rw-r--r--. 1 root root 31710 Aug 17 13:27 3460476172276112314.pem
-rw-r--r--. 1 root root  3272 Aug 17 13:27 5348984623186667049-key.pem
-rw-r--r--. 1 root root  8757 Aug 17 13:27 5348984623186667049.pem
[root@kvm-02-guest03 /]# ll /etc/rhsm
total 8
drwxr-xr-x. 2 root root   68 Aug 17 13:16 ca
drwxr-xr-x. 2 root root    6 Aug 15 16:47 facts
-rw-r--r--. 1 root root 1662 Aug 15 16:47 logging.conf
drwxr-xr-x. 2 root root    6 Aug 15 16:47 pluginconf.d
-rw-r--r--. 1 root root 3147 Aug 17 13:23 rhsm.conf
drwxr-xr-x. 2 root root   54 Aug 17 13:26 syspurpose

[root@kvm-02-guest03 /]# podman pull registry.access.redhat.com/ubi8/ubi:8.8-1032
Trying to pull registry.access.redhat.com/ubi8/ubi:8.8-1032...
Getting image source signatures
Checking if image destination supports signatures
Copying blob bea2a0b08f4f done  
Copying config 7e569fa199 done  
Writing manifest to image destination
Storing signatures
7e569fa199c00a48fc249200463d903ca157a4e965348a845827871f4ede3714

[root@kvm-02-guest03 /]# podman run -it ubi:8.8-1032
[root@398f901aeb56 /]# ls /run/secrets/rhsm/
ca  logging.conf  rhsm.conf  syspurpose

[root@398f901aeb56 /]# ls /run/secrets/etc-pki-entitlement/
3460476172276112314-key.pem  3460476172276112314.pem  5348984623186667049-key.pem  5348984623186667049.pem

Unregistering the system and trying to register from inside of the container:
[root@kvm-02-guest03 /]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Unknown

System Purpose Status: Unknown

[root@kvm-02-guest03 /]# podman run -it ubi:8.8-1032
[root@eae165b8da40 /]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.28.38+19.geac279219-1.git.0.5ed9b8d

[root@eae165b8da40 /]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password: 
The system has been registered with ID: 1d53ff7f-550a-44d2-a659-91d5b9d8d527
The registered system name is: eae165b8da40
^^ the system was able to register from inside of the container as expected --> PRE-VERIFICATION PASSED

Comment 5 Zdenek Petracek 2023-08-25 19:31:56 UTC
Final verification done on SUBMAN version:
[testuser@kvm-01-guest06 ~]$ rpm -qa | grep subscription-manager
python3-subscription-manager-rhsm-1.28.39-1.el8.x86_64
subscription-manager-1.28.39-1.el8.x86_64
dnf-plugin-subscription-manager-1.28.39-1.el8.x86_64
subscription-manager-rhsm-certificates-20220623-1.el8.noarch

[root@kvm-01-guest06 ~]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password: 
The system has been registered with ID: c9c71c14-9366-434b-afc7-2af095e3d3ac
The registered system name is: kvm-01-guest06.lab.eng.rdu2.redhat.com
[root@kvm-01-guest06 ~]# subscription-manager attach --auto
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64 Beta
Status:       Subscribed

[root@kvm-01-guest06 ~]# ll /etc/pki/entitlement
total 16
-rw-r--r--. 1 root root 3272 Aug 25 15:17 7725869388622276044-key.pem
-rw-r--r--. 1 root root 8757 Aug 25 15:17 7725869388622276044.pem
[root@kvm-01-guest06 ~]# ll /etc/rhsm
total 8
drwxr-xr-x. 2 root root   68 Aug 25 14:51 ca
drwxr-xr-x. 2 root root    6 Aug 23 02:54 facts
-rw-r--r--. 1 root root 1662 Aug 23 02:54 logging.conf
drwxr-xr-x. 2 root root    6 Aug 23 02:54 pluginconf.d
-rw-r--r--. 1 root root 3147 Aug 25 15:17 rhsm.conf
drwxr-xr-x. 2 root root   54 Aug 25 15:11 syspurpose

[root@kvm-01-guest06 ~]# podman pull registry.access.redhat.com/ubi8/ubi:latest
Trying to pull registry.access.redhat.com/ubi8/ubi:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 70de3d8fc2c6 done  
Copying config 62ac1f7ef5 done  
Writing manifest to image destination
Storing signatures
62ac1f7ef5371d1fb6e01abd84f7a6fd80ea1c64a0728fb5f19198b084dea171

[root@kvm-01-guest06 ~]# podman run -it registry.access.redhat.com/ubi8/ubi:latest
[root@db4636dabc6c /]# ls /run/secrets/rhsm/
ca  logging.conf  rhsm.conf  syspurpose
[root@db4636dabc6c /]# ls /run/secrets/etc-pki-entitlement/
7725869388622276044-key.pem  7725869388622276044.pem


Unregistering the system and trying to register from inside of the container:
[root@kvm-01-guest06 ~]# subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Unknown

System Purpose Status: Unknown


[root@kvm-01-guest06 ~]# podman run -it registry.access.redhat.com/ubi8/ubi:latest
[root@9f4be4ba83e0 /]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 4.2.15-1
subscription management rules: 5.43
subscription-manager: 1.28.39-1.el8

Registering from inside of the container:
[root@9f4be4ba83e0 /]# subscription-manager register
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: zpetracek
Password: 
The system has been registered with ID: a3c47104-6628-4ac4-8dde-a7f01838793f
The registered system name is: 9f4be4ba83e0
^^ I was able to register from inside of the container and shared secrets are as expected --> Final verification PASSED

Comment 9 errata-xmlrpc 2023-11-14 15:48:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7092

