No option to enable repositories by subscription-manager

[michelmeeuwissen]

General information

• OS: Windows
• Hypervisor: Hyper-V
• Start with crc start -n 8.8.8.8

CRC version

crc version: 1.3.0+918756b
OpenShift version: 4.2.10 (embedded in binary)

CRC status

CRC VM:          Running
OpenShift:       Running (v4.2.10)
Disk Usage:      16.06GB of 32.2GB (Inside the CRC VM)
Cache Usage:     14.78GB
Cache Directory: C:\Users\*****\.crc\cache

CRC config

<empty>

---

How to enable repositories (e.g. rhel-7-server-ansible-2.8-rpms) when run CRC? It seems not an option to run below: (because there is no real host):

subscription-manager repos --enable rhel-7-server-ansible-VERSION-rpms

or use the entitlements method because there is no subscription in https://cloud.redhat.com/openshift/subscriptions :

https://docs.openshift.com/container-platform/4.2/builds/running-entitled-builds.html#builds-strategy-docker-entitled-subman_running-entitled-builds

Just try to install Ansible to a base Jenkins slave with a DockerFile:

FROM registry.redhat.io/openshift4/ose-jenkins-agent-base:latest
RUN yum install -y yum-utils && \
    yum-config-manager --enable rhel-server-rhscl-7-rpms && \
    yum-config-manager --enable rhel-7-server-extras-rpms && \
    yum-config-manager --enable rhel-7-server-rpms && \
    yum-config-manager --enable rhel-7-server-ansible-2.8-rpms && \
    yum-config-manager --enable rhel-7-server-ose-4.2-rpms && \
    yum update -y && \
    yum install -y ansible && \
    yum install -y python-openshift && \
    yum clean all -y

This results in a :

No package ansible available.
Error: Not tolerating missing names on install, stopping.

[gbraad]

What steps did you perform before this? You must have access to Red Hat entitlements through your subscription.

[michelmeeuwissen]

You must have access to Red Hat entitlements through your subscription.

Maybe I miss something? But how or where can I have access? When I look at https://cloud.redhat.com/openshift/subscriptions nothing is listed.

[praveenkumar]

@michelmeeuwissen Have a look to https://docs.openshift.com/container-platform/4.2/builds/running-entitled-builds.html

[michelmeeuwissen]

@michelmeeuwissen Have a look to https://docs.openshift.com/container-platform/4.2/builds/running-entitled-builds.html

Thanks. But this is exactly the URL I posted in the original issue.

The problem is that I don't have / or don't understand the following prerequisites:

You must have access to Red Hat entitlements through your subscription, and the entitlements must have separate public and private key files.

edit not working see next post

[praveenkumar]

But this is exactly the URL I posted in the original issue.

@michelmeeuwissen My mistake, didn't read the issue throughly.

Maybe an option to add a small note in the CRC documentation?

I think, this shouldn't be part of CRC document but handled it in openshift documentation side. Can you please file an issue on openshift doc side https://github.com/openshift/openshift-docs

[praveenkumar]

I found my CRC virtual system under https://access.redhat.com/management/systems

@michelmeeuwissen when you say you found it under systems, does it auto appear there for you or you need to perform any action?

[michelmeeuwissen]

I found my CRC virtual system under https://access.redhat.com/management/systems

@michelmeeuwissen when you say you found it under systems, does it auto appear there for you or you need to perform any action?

Yes it appears as Virtual System . When you click on it will get the option to download the Identity Certificates with private and public keys.

Note: I didn't test it yet if it works in combination with the https://docs.openshift.com/container-platform/4.2/builds/running-entitled-builds.html#builds-strategy-docker-entitled-subman_running-entitled-builds method. Will try to do it later today.

[michelmeeuwissen]

The system I talked earlier about is a different virtual system, unfortunately.

I tried to test some more, but unfortunately, I didn't get it to work. I got some pem files from the Customer Portal, by creating a dummy System and attached my Developer subscription. But none of them seems to fit the needs described in the https://docs.openshift.com/container-platform/4.2/builds/running-entitled-builds.html documentation.

As a developer, I'm currently lost in the whole Subscription Management world. I had hoped these things were already set up or well documented. Am I still missing some online documentation or is what I want simply not possible?

Maybe SSH into the CRC VM is an option? if so... How to do this?

[gbraad]

You are able to SSH into the VM, but this is not the proper OpenShift 4.x way. This is why we suggest to report this against the openshift repo. Understand that this scenario is not something we usually test, but I will also bring this up, as it is a gap in our development story/stories

On Fri, Jan 3, 2020 at 4:03 AM Michel Meeuwissen notifications@github.com wrote:

The system I talked about earlier about is a different virtual system, unfortunately.

I tried to test it, but unfortunately, I didn't get it to work. I got some pem files from the Customer Portal, by creating a dummy System and attached my Develop subscription. But none of them seems to fit the needs described in the https://docs.openshift.com/container-platform/4.2/builds/running-entitled-builds.html documentation.

As a developer, I'm currently lost in the whole Subscription Management world. I had hoped these things were already set up or well documented. Am I still missing some online documentation or is what I want simply not possible?

Maybe SSH into the CRC VM is an option? if so... How to do this?

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/code-ready/crc/issues/914?email_source=notifications&email_token=AAAAOZTRJPG7Z43WPL47RT3Q3ZCB3A5CNFSM4KBURNC2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEH7H45I#issuecomment-570326645, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAAAOZW45XUZYSOLOUJP45TQ3ZCB3ANCNFSM4KBURNCQ .

--

Gerard Braad | http://gbraad.nl [ Doing Open Source Matters ]

[michelmeeuwissen]

I understand. thanks.

I don't think this is a problem with the Openshift repo. Because normally (what we did with the Openshift 3.11 system) you can register the subscription with the subscription manager on the host system of the Openshift cluster and enable the needed Ansible repositories with the same subscription manager tool with the commando:

subscription-manager repos --enable rhel-7-server-ansible-VERSION-rpms

But with the CRC environment, you are not able to access the host system and enable repositories out of the box. And to make the migration from 3 to 4 easier I want to test some of our pipelines (with Ansible playbooks) on CRC .

But thanks in advance for bringing this up. Please let me know if I can help you with information or reproduction steps.

[gbraad]

But with the CRC environment, you are not able to access the host system and enable repositories out of the box.

This is actually not CRC specific, but how things have changed for OpenShift 4.x. The host runs RHCOS (CoreOS) which is maintained by the operators from the cluster.

@code-ready/crc-devel who best to ask about this?

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[michelmeeuwissen]

The problem still occurs. See following example

crc version: 1.6.0+8ef676f OpenShift version: 4.3.0 (embedded in binary)

Dockerfile

FROM registry.redhat.io/openshift4/ose-jenkins-agent-base
USER root
RUN yum-config-manager --enable rhel-7-server-ansible-2.8-rpms && \
    yum install -y ansible && \
USER 1001

Commando's

$ oc login -u kubeadmin -p *****-qmTth-oxaoD-p3xQF https://api.crc.testing:6443
$ oc new-project sandbox
$ oc new-build --name ansible-slave --binary --strategy docker
$ docker login registry.redhat.io -u <RH_LOGIN> -p <RH_PASSWORD>
$ oc create secret generic redhat-registry --from-file=.dockerconfigjson=/home/<USERNAME>/.docker/config.json --$ type=kubernetes.io/dockerconfigjson
$ oc secrets link builder redhat-registry
$ oc set build-secret --pull bc/ansible-slave redhat-registry
$ oc start-build ansible-slave --from-dir=. --follow

Result

Uploading directory "." as binary input for the build .....
Uploading finished
build.build.openshift.io/ansible-slave-1 started
Receiving source from STDIN as archive ...
Caching blobs under "/var/cache/blobs".

Pulling image registry.redhat.io/openshift4/ose-jenkins-agent-base ...
Getting image source signatures
Copying blob sha256:edf561fefe181b648d6502acfd17fd6a6bb8d378057dae272f36ffc850f65bf8
Copying blob sha256:bb13d92caffa705f32b8a7f9f661e07ddede310c6ccfa78fb53a49539740e29b
Copying blob sha256:e1f7ef81f6300ddeb927955e07d9dfd51b768729fb1630a881bc0bd9418a4f9b
Copying blob sha256:13be0effd90b69b59a7109cbb6133186be48c386dfb5a69e99965ad383451789
Copying blob sha256:455ea8ab06218495bbbcb14b750a0d644897b24f8c5dcf9e8698e27882583412
Copying blob sha256:2a69f56e08208bf952d5307e8b47f8aa4642ff1e5102675330909c99f033827d
Copying config sha256:01a612ddb4ba8fa10b4914cd1c276c6c9e29824264936c66e90d7f240075651f
Writing manifest to image destination
Storing signatures
STEP 1: FROM registry.redhat.io/openshift4/ose-jenkins-agent-base
STEP 2: USER root
d1afe43b1a71f7c2534cdb00758fb0769901b783e422a592f3b1ad2347c278d3
STEP 3: RUN yum-config-manager --enable rhel-7-server-ansible-2.8-rpms &&     yum install -y ansible && USER 1001
Loaded plugins: ovl, product-id, subscription-manager
This system is not receiving updates. You can use subscription-manager on the host to register and assign subscriptions.
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
This system is not receiving updates. You can use subscription-manager on the host to register and assign subscriptions.
No package ansible available.
Error: Not tolerating missing names on install, stopping.
subprocess exited with status 1
subprocess exited with status 1
error: build error: error building at STEP "RUN yum-config-manager --enable rhel-7-server-ansible-2.8-rpms &&     yum install -y ansible && USER 1001": exit status 1

See No package ansible available.

This wouldn't happen if I'm able to run a command like this on the CRC host: $ subscription-manager repos --enable rhel-7-server-ansible-VERSION-rpms

Running subscription-manager register on the RHCOS 4.3 results in subscription-manager: command not found

See: https://access.redhat.com/articles/3174981

[cfergeau]

This wouldn't happen if I'm able to run a command like this on the CRC host: $ subscription-manager repos --enable rhel-7-server-ansible-VERSION-rpms

Running subscription-manager register on the RHCOS 4.3 results in subscription-manager: command not found

As indicated by Gerard https://github.com/code-ready/crc/issues/914#issuecomment-571064763 I don't think running subscription-manager on the crc VM is the correct way of configuring additional repositories. Looking again at https://docs.openshift.com/container-platform/4.2/builds/running-entitled-builds.html#builds-strategy-docker-entitled-subman_running-entitled-builds , for the COPY parameters, I'd use /etc/pki/entitlement , /etc/rhsm/rhsm.conf and /etc/rhsm/ca from a machine already configured to access the ansible channel that you need (I checked that they exist on my devel machine which uses subscription manager)

Your Dockerfile would become:

FROM registry.redhat.io/openshift4/ose-jenkins-agent-base
USER root
# Copy entitlements
COPY ./etc-pki-entitlement /etc/pki/entitlement
# Copy subscription manager configurations
COPY ./rhsm-conf /etc/rhsm
COPY ./rhsm-ca /etc/rhsm/ca
# Delete /etc/rhsm-host to use entitlements from the build container
RUN rm /etc/rhsm-host && \
    # Initialize /etc/yum.repos.d/redhat.repo
    # See https://access.redhat.com/solutions/1443553
    yum repolist --disablerepo=* && \
    subscription-manager repos --enable rhel-7-server-ansible-2.8-rpms && \
    yum -y update && \
    yum -y install ansible && \
    # Remove entitlements and Subscription Manager configs
    rm -rf /etc/pki/entitlement && \
    rm -rf /etc/rhsm
# OpenShift requires images to run as non-root by default
USER 1001
ENTRYPOINT ["/bin/bash"]

[michelmeeuwissen]

Great! Got it working with a, in my opinion, workaround:

To get some entitlement certificates you need of course a RedHat Subscription and a RHEL system to run the subscription-manager.

• Downloaded DVD ISO RHEL 7.7 from https://developers.redhat.com/products/rhel/download

• Install RHEL 7.7 in Hyper-V and start the VM and login with the root user setup during installation (maybe you need to setup a new virtual external network switch to make an external connection)

• Run: $ subscription-manager register --username <rh-username> --password <rh-password> --auto-attach

• Setup Samba share on the RHEL 7.7 Virtual Machine

• Copy the two pem files (create by the RHSM command from above) from /etc/pki/entitlement to the Samba share directory

• Pick the two files from the Samba share. Called them ent.pem and ent-key.pem

• Create directory with the following structure:

  ├── Dockerfile
  └── etc-pki-entitlement
  ├── ent-key.pem
  └── ent.pem

• Dockerfile contains:

  
  FROM registry.redhat.io/openshift4/ose-jenkins-agent-base

USER root

COPY ./etc-pki-entitlement /etc/pki/entitlement

RUN rm /etc/rhsm-host && \ yum repolist --disablerepo=* && \ subscription-manager repos --enable rhel-7-server-ansible-2.9-rpms && \ yum -y update && \ yum -y install ansible && \ rm -rf /etc/pki/entitlement

USER 1001 ENTRYPOINT ["/bin/bash"]

- Start CRC:
- Run commands:

$ oc login -u kubeadmin -p *****-qmTth-oxaoD-p3xQF https://api.crc.testing:6443 $ oc new-project sandbox $ oc new-build --name ansible-slave --binary --strategy docker $ docker login registry.redhat.io -u -p $ oc create secret generic redhat-registry --from-file=.dockerconfigjson=/home//.docker/config.json --type=kubernetes.io/dockerconfigjson $ oc secrets link builder redhat-registry $ oc set build-secret --pull bc/ansible-slave redhat-registry $ oc start-build ansible-slave --from-dir=. --follow

Which results in the following result:

`Push successful` 🍀

It would be great to get the entitlement files from the [RedHat Portal](https://cloud.redhat.com/openshift/install/crc/installer-provisioned). Just like the Pull-Secret

[cfergeau]

Improvements to this are being discussed in https://github.com/openshift/enhancements/pull/214 See also https://blog.openshift.com/how-to-use-entitled-image-builds-to-build-drivercontainers-with-ubi-on-openshift/ for a slightly different way of setting up these entitlements. There is nothing which is CRC-specific though, so I'll close this issue.

[michelmeeuwissen]

Related:

https://bugzilla.redhat.com/show_bug.cgi?id=1823710