Warning message

Log in to add comments.

Subscription-manager for the former Red Hat Network User: Part 1

Rich Jerrido published on 2016-02-06T22:31:46+00:00, last updated 2016-02-15T11:48:58+00:00

One of the first major differences between Satellite 5 & Satellite 6 is the client side tooling. Satellite 5 leveraged the various RHN tools (rhn_register, rhnreg_ks, etc). Satellite 6 uses subscription-manager. Over the next few articles, we'll deep-dive into the various subscription management tools (such as subscription-manager, rct, virt-who, and others ), with the goal of providing a better understanding to how these tools work.

Firstly, some background is in order. There is a major difference in the philosophy between how the classic tools (Satellite <= 5.x, RHN Classic & Proxy) operated compared to the new tools. (SAM, RHSM, Satellite 6.x)

  • The classic (Satellite <= 5.x, RHN Classic & Proxy) tools are very content driven.
  • The certificate based (SAM, RHSM, Satellite 6.x) tools are very subscription driven.

That is, with classic tools, all we did was access content. 'Attaching' the subscription was something that happened asynchronously & in the background. With the certificate tools, to get access to content, you must go through a subscription. And without a proper subscription, the system has no access to content.

Introduction to Red Hat Subscriptions

Red Hat Subscriptions are built based upon a simple hierarchy.

  • Subscription Name. (This is the canonical name of the subscription. Example: 'Red Hat Satellite' or 'Red Hat Enterprise Linux Server, Premium (Physical or Virtual Nodes)'). This is the name of the subscription as you see it in the Customer Portal. It has a Stock Keeping Unit (SKU) and a price associated with it.
    • Products. These are the various basic components such as Red Hat Enterprise Linux, Red Hat Software Collections, etc that are part of the Subscription that is purchased.
      • Content Sets. This is where the software comes from. These are usually yum repositories, as we know and love, but there are other types too. Each Product provides 1 or more Content Sets.

This hierarchy is very important, as it is fundamental to understanding how the Subscription Management tools work.

  • 1 Subscription [Name] provides:
    • 1 or more Products, which each provide:
      • 1 or more Content Sets

To build Subscriptions (again, the things that are sold), we bundle various Products into a cohesive unit. This allows the ability to define "RHEL" in one place, and leverage it in any component that needs it. (RHEL, Satellite, Openshift, etc). This also provides the flexibility to add/remove Components without having to change the SKU.

For example, many Red Hat Enterprise Linux Subscriptions with Premium SLA in the 2013 subscription model include Extended Update Support (EUS). We can see this with via subscription-manager:

# subscription-manager list --all --available
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
# Name of the Subscription
Subscription Name:   Red Hat Enterprise Linux Server, Premium (Physical or Virtual Nodes)
# Products that are provided by this subscription. 
Provides:            Red Hat Enterprise Linux Resilient Storage (for RHEL Server) - Extended Update Support
                     Red Hat Software Collections (for RHEL Server)
                     Red Hat Enterprise Linux Atomic Host Beta
                     Red Hat Enterprise Linux High Availability (for RHEL Server) - Extended Update Support
                     Red Hat EUCJP Support (for RHEL Server) - Extended Update Support
                     Red Hat Container Images Beta
                     Red Hat Enterprise Linux Server - Extended Update Support
                     Red Hat Beta
                     Oracle Java (for RHEL Server) - Extended Update Support
                     Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support
                     Red Hat Enterprise Linux Scalable File System (for RHEL Server) - Extended Update Support
                     Oracle Java (for RHEL Server)
                     Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support
                     Red Hat Container Images
                     Red Hat Enterprise Linux Server
                     Red Hat Enterprise Linux Atomic Host
                     Red Hat Software Collections Beta (for RHEL Server)
                     Red Hat S-JIS Support (for RHEL Server) - Extended Update Support
                     Red Hat Developer Toolset (for RHEL Server)
SKU:                 RH00003
Contract:            11223344
Pool ID:             809d1a82-ffb0-4a28-b686-3fcc1f55fd41
Provides Management: No
Available:           2
Suggested:           2
Service Level:       Premium
Service Type:        L1-L3
Subscription Type:   Instance Based
Ends:                10/07/2016
System Type:         Physical

The information above tells me that SKU RH00003 is named
'Red Hat Enterprise Linux Server, Premium (Physical or Virtual Nodes)' and it
provides the following Products:

  • Red Hat Enterprise Linux Server
  • Red Hat Enterprise Linux Server - Extended Update Support

And many others. Note: Content Sets provided by the subscription aren't shown in subscription-manager list output. We'll cover more on this later, but those are the basics.

One of the big advantages of subscription-manager is bringing the ability to see end to end subscription-consumption. In this doc, I'll walk through some tasks that I perform on a day to day basis, whilst drawing an analogue to how things were done in the RHN world.

Registering a System.

This first task is the most basic. I have a system that is not registered. How do I get it registered?

# subscription-manager register
Username: <redacted>
Password:
The system has been registered with ID: 293d8a12-15cd-43fc-be7d-447aa4999bfe

OK, what have I done? Firstly, we've gotten the system registered to Red Hat Subscription Management (RHSM), but we have no access to content. Think of this in the RHN world as having a system registered, but with no base channel assigned. Well that's not very useful. Let's attach a subscription. But I have a problem. Which one do I attach? Let's see what is available.

# subscription-manager list --all --available

Subscription Name:   Red Hat Enterprise Linux Server, Premium (Physical or Virtual Nodes)
Provides:            Red Hat S-JIS Support (for RHEL Server) - Extended Update Support
                     Red Hat EUCJP Support (for RHEL Server) - Extended Update Support
                     Oracle Java (for RHEL Server)
                     Red Hat Enterprise Linux Resilient Storage (for RHEL Server) - Extended Update Support
                     Red Hat Enterprise Linux High Availability (for RHEL Server) - Extended Update Support
                     Oracle Java (for RHEL Server) - Extended Update Support
                     Red Hat Enterprise Linux Atomic Host
                     Red Hat Beta
                     Red Hat Container Images
                     Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support
                     Red Hat Enterprise Linux Scalable File System (for RHEL Server) - Extended Update Support
                     Red Hat Developer Toolset (for RHEL Server)
                     Red Hat Software Collections Beta (for RHEL Server)
                     Red Hat Enterprise Linux Atomic Host Beta
                     Red Hat Software Collections (for RHEL Server)
                     Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support
                     Red Hat Enterprise Linux Server
                     Red Hat Container Images Beta
                     Red Hat Enterprise Linux Server - Extended Update Support
SKU:                 RH00003
Contract:            11223344
Pool ID:             9c675f2bbcd54257a5950047cedfb6ee
Provides Management: No
Available:           92
Suggested:           1
Service Level:       Premium
Service Type:        L1-L3
Subscription Type:   Instance Based
Ends:                08/04/2016
System Type:         Physical


Subscription Name:   Red Hat Satellite
Provides:            Red Hat Satellite Capsule Beta
                     Red Hat Satellite 6 Beta
                     Red Hat Satellite
                     Red Hat Software Collections Beta (for RHEL Server)
                     Red Hat Software Collections (for RHEL Server)
                     Red Hat Enterprise Linux Server
                     Red Hat Satellite Capsule
                     Red Hat Satellite with Embedded Oracle
                     Red Hat Enterprise Linux Load Balancer (for RHEL Server)
                     Red Hat Enterprise Linux High Availability (for RHEL Server)
                     Red Hat Satellite Beta
                     Red Hat Beta
SKU:                 MCT0370
Contract:            11223344
Pool ID:             b9d290725fea4b19b5d611ed7354a450
Provides Management: Yes
Available:           47
Suggested:           1
Service Level:       Premium
Service Type:        L1-L3
Subscription Type:   Standard
Ends:                08/04/2016
System Type:         Physical

What I can see here, is that I have a couple of subscriptions that I can use for this system. There are more, but I've snipped the output for demonstration purposes. Now, what is great about subscription-manager is that these subscriptions that I am seeing here directly map to the subs that I've purchased. This is how the end-to-end visibility of subscription consumption is provided

Now, let's attach one. There are two ways to attach a subscription. Either explicitly, or via auto-attach. For now, I am going to use the 'Pool ID' to attach a specific subscription. I like Premium subs & EUS, so I'll attach Pool ID 9c675f2bbcd54257a5950047cedfb6ee

# subscription-manager attach --pool 9c675f2bbcd54257a5950047cedfb6ee
Successfully attached a subscription for: Red Hat Enterprise Linux Server, Premium (Physical or Virtual Nodes)

Auto-attach.

The example above is the 'long way' of attaching a sub. We could have used auto-attach to properly pick a matching subscription. Instead of explicitly picking a subscription (using the Pool ID), I can have subscription-manager do this for me. First, I'll remove the subscription that I just added.

# subscription-manager remove --all
1 subscription removed at the server.
1 local certificate has been deleted.

And before we proceed, let's ask subscription-manager which products does it think we have installed.

# subscription-manager list

+-------------------------------------------+
        Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux Server
Product ID:     69
Version:        6.5
Arch:           x86_64
Status:         Not Subscribed
Status Details: Not supported by a valid subscription.
Starts:
Ends:

And let's hurry up and tell subscription-manager to attach one automatically.

[root@archer facts]# subscription-manager attach --auto
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status:       Subscribed

Good. The above command tells me that I now have a subscription that adequately covers the product 'Red Hat Enterprise Linux Server'.

Now let's look at what subscription was attached:

# subscription-manager list --consumed
+-------------------------------------------+
          Consumed Subscriptions
+-------------------------------------------+
Subscription Name: Red Hat Satellite
Provides:          Red Hat Satellite
                   Red Hat Enterprise Linux Server
                   Red Hat Beta
                   Red Hat Software Collections (for RHEL Server)
                   Red Hat Satellite Beta
                   Red Hat Satellite 6 Beta
                   Red Hat Software Collections Beta (for RHEL Server)
                   Red Hat Satellite Capsule Beta
                   Red Hat Enterprise Linux Load Balancer (for RHEL Server)
                   Red Hat Satellite Capsule
                   Red Hat Satellite with Embedded Oracle
                   Red Hat Enterprise Linux High Availability (for RHEL Server)
SKU:               MCT0370
Contract:          11223344
Account:           1234567
Serial:            853468513729981513
Pool ID:           b9d290725fea4b19b5d611ed7354a450
Active:            True
Quantity Used:     1
Service Level:     Premium
Service Type:      L1-L3
Status Details:
Starts:            08/05/2013
Ends:              08/04/2016
System Type:       Physical

How did one of my beloved Satellite subscriptions get consumed for this lowly little VM that I haven't (yet) installed Satellite on? Here is how: Auto-attach uses a couple of heuristics to determine which subscription should be attached when the auto-attach process runs. These include:

  • System Facts:
    • Number of sockets / cores.
    • Is the system physical or virtual, etc. I.e., let's try to attach a 2-socket sub to a 2-socket system. These are viewable via subscription-manager facts
    • On which hypervisor does a system run.
  • SLA - Service Level Agreement (which can be specified interactively OR via the subscription management system (Satellite 6.x/SAM/RHSM)
  • Product Certificate - Auto-attach uses the installed Product Certificates (which describe the product you have installed) and will select a subscription that matches.

In our example, my system has the 'Red Hat Enterprise Linux Server' product (based on the subscription-manager list output), and the Satellite sub provides product 'Red Hat Enterprise Linux Server'. Thus, it was an applicable subscription for that system. It may not actually be the sub I want.

Now, I'll remove this sub, and consume the 'Red Hat Enterprise Linux Server, Premium (Physical or Virtual Nodes)' sub that I had before.

# subscription-manager remove --all
1 subscription removed at the server.
1 local certificate has been deleted.

# subscription-manager attach --pool 9c675f2bbcd54257a5950047cedfb6ee
Successfully attached a subscription for: Red Hat Enterprise Linux Server, Premium (Physical or Virtual Nodes)

Product Certs.

In our previous example, we used the output of subscription-manager list to see which product was installed. But where does this information come from? This information is derived from a Product certificate, which is an X.509 certificate that is stored in /etc/pki/product. A product certificate represents (you guessed it) a Product that is installed on the system. Let's look at in /etc/pki/product.

# pwd
/etc/pki/product

# ls
69.pem

Notice how the certificate is named (69.pem)? It matches exactly the output of subscription-manager list that we ran before. Now let's further dig into that product cert, to see what it really says. There are two ways to do this. As it is a pretty standard X.509 certificate, I can use an openssl command to inspect it (openssl x509 -text -noout -in), OR I can use the lovely (and preferable) Red Hat Certificate Tool (rct) command, particularly, its cat-cert subcommand.

# rct cat-cert 69.pem
+-------------------------------------------+
      Product Certificate
+-------------------------------------------+

Certificate:
            Path: 69.pem
            Version: 1.0
            Serial: 12750047592154746048
            Start Date: 2013-04-24 13:18:38+00:00
            End Date: 2033-04-19 13:18:38+00:00

Subject:
            CN: Red Hat Product ID [82d8aa4c-b4ae-4293-8526-06e8bd9df3f0]

Issuer:
            C: US
            CN: Red Hat Entitlement Product Authority
            O: Red Hat, Inc.
            OU: Red Hat Network
            ST: North Carolina
            emailAddress: ca-support@redhat.com

Product:
            ID: 69
            Name: Red Hat Enterprise Linux Server
            Version: 6.5
            Arch: x86_64
            Tags: rhel-6,rhel-6-server
            Brand Type:
            Brand Name:

Note, the Start/End Date listed above are a reflection of when the Product cert expires, NOT when the subscription expires. Product certs are a critical part of how subscription-manager works. If they are missing, corrupt or incorrect, systems will not attach the proper subscription, and can potentially lose access to content. But where do they come from? Product certs come one of two ways:

  • They are on the install media and get installed via Anaconda (the Red Hat
    Enterprise Linux installation program)
  • They get installed after additional subscriptions are attached AND content is consumed from the associated repositories.

Now that we've attached an valid sub, let's actually get some content and install it. But first let's look at what repositories we have enabled:

# yum repolist
Loaded plugins: product-id, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
rhel-6-server-eus-rpms                                                                                                                 | 3.7 kB     00:00
rhel-6-server-rpms                                                                                                                     | 3.7 kB     00:00
rhel-server-dts-6-rpms                                                                                                                 | 2.9 kB     00:00
rhel-server-dts2-6-rpms                                                                                                                | 2.9 kB     00:00
repo id                                             repo name                                                                                           status
rhel-6-server-eus-rpms                              Red Hat Enterprise Linux 6 Server - Extended Update Support (RPMs)                                  12,921
rhel-6-server-rpms                                  Red Hat Enterprise Linux 6 Server (RPMs)                                                            12,919
rhel-server-dts-6-rpms                              Red Hat Developer Toolset RPMs for Red Hat Enterprise Linux 6 Server                                    84
rhel-server-dts2-6-rpms                             Red Hat Developer Toolset 2 RPMs for Red Hat Enterprise Linux 6 Server                                 412
repolist: 26,336

Firstly, I have some repositories that are enabled by default. How did they get enabled? I didn't do them explicitly. Each product has a number of repositories which are enabled by defaults. This is done to provide better
'out of box' experience. I'll cover more on this in a later article.

And let's see what repositories we have available for consumption:

# subscription-manager repos --list

+----------------------------------------------------------+
    Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+

Repo ID:   rhel-6-server-rpms
Repo Name: Red Hat Enterprise Linux 6 Server (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel/server/6/$releasever/$basearch/os
Enabled:   0

Repo ID:   rhel-6-server-optional-rpms
Repo Name: Red Hat Enterprise Linux 6 Server - Optional (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel/server/6/$releasever/$basearch/optional/os
Enabled:   0

The output above has been snipped. And let's enable those two repos

[root@archer ~]# subscription-manager repos --enable rhel-6-server-rpms --enable rhel-6-server-optional-rpms
Repo rhel-6-server-rpms is enabled for this system.
Repo rhel-6-server-optional-rpms is enabled for this system.

Now Let's install something

[root@archer ~]# yum repolist; yum install ksh
Loaded plugins: product-id, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
rhel-6-server-optional-rpms                                                                                                            | 3.5 kB     00:00
rhel-6-server-rpms                                                                                                                     | 3.7 kB     00:00
repo id                                                         repo name                                                                               status
rhel-6-server-optional-rpms                                     Red Hat Enterprise Linux 6 Server - Optional (RPMs)                                      7,277
rhel-6-server-rpms                                              Red Hat Enterprise Linux 6 Server (RPMs)                                                12,919
repolist: 20,196
Loaded plugins: product-id, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
rhel-6-server-optional-rpms                                                                                                            | 3.5 kB     00:00
rhel-6-server-rpms                                                                                                                     | 3.7 kB     00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ksh.x86_64 0:20120801-10.el6_5.11 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================================================
Package                      Arch                            Version                                       Repository                                   Size
==============================================================================================================================================================
Installing:
ksh                          x86_64                          20120801-10.el6_5.11                          rhel-6-server-rpms                          758 k

Transaction Summary
==============================================================================================================================================================
Install       1 Package(s)

Total download size: 758 k
Installed size: 1.7 M
Is this ok [y/N]:

Summary

Now that we've played a bit under the hood, let's put it all together into the summarized version:

Register the system

# subscription-manager register

Attach a subscription.

# subscription-manager attach --auto

OR

# subscription-manager attach --pool <UUID>

Note: the subscription-manager register & subscription-manager attach --auto commands can be combined into a single command:

# subscription-manager register --auto-attach

Disable every repo

# subscription-manager repos --disable '*'

Enable only the ones you want:

# subscription-manager repos --enable rhel-6-server-rpms --enable rhel-6-server-optional-rpms

Install Packages

# yum install foo bar baz

Hopefully, this blog post has provided an introduction to subscription-manager. Future articles will cover more!

About The Author

richjerrido's picture

Rich Jerrido

Rich Jerrido, Red Hat Product Manager, is a “doer-of-all-things Red Hat Satellite,” including training, integration, enablement, documentation, and helping to identify product requirements. He serves as a technology expert, frequently speaking in web seminars and at industry events. With mor...