Virtual Instances Guide

Red Hat Subscription Management 1

For Use with Red Hat Subscription Management

Red Hat Subscription Management Documentation Team

Abstract

This guide provides information to help users manage virtual instances with Red Hat Subscription Management.

Chapter 1. Introduction

By default, Red Hat Enterprise Linux instances are registered to and obtain their content from the Customer Portal.

Red Hat Enterprise Linux instances under management with Red Hat Subscription Management are instead registered to a Subscription Management server, and obtain their Product subscriptions from it.

Modern IT infrastructure is a mix of physical and virtual hardware, with virtualization providing a level of flexibility and scalability not easily achieved with physical hardware. Red Hat’s subscription model applies to both physical and virtual servers.

A Red Hat subscription provides:

  • Access to support services
  • Content delivery and hosted repositories
  • Access to knowledgebases, forums, videos, and other resources

The Red Hat subscription model requires that for physical servers, subscriptions must cover the physical attributes of the machine, such as the number of sockets or cores. Subscriptions are always applied in sets of two to cover pairs of sockets or cores, and those subscription pairs must be attached to cover all sockets and cores. Subscriptions for virtual servers can also be purchased and applied according to their virtual CPU attributes, but there is another subscription type that might be more suitable - a Virtual Data Center (VDC) subscription, which is a host-based subscription. A host-based subscription is applied to a hypervisor and entitles the hypervisor to provide subscriptions to its virtual machines. With a host-based subscription, each guest requires one subscription, regardless of its virtual CPU configuration.

1.1. Supported Virtualization Platforms

Supported virtualization platforms to which a Virtual Data Center (VDC) subscription can be applied are:

  • Red Hat Virtualization (RHV)
  • Red Hat OpenStack Platform (RHOSP)
  • Red Hat Enterprise Linux hypervisors
  • VMware vSphere
  • Microsoft Hyper-V

    Note

    The virt-who daemon does not currently support Microsoft System Center 2012 R2 Virtual Machine Manager (SCVMM). There must be a virt-who configuration file for each Microsoft Hyper-V host to which virt-who is to connect.

A VDC subscription applies only to a hypervisor’s guest virtual machines, not the hypervisor itself. For all virtualization platforms which require a Red Hat Enterprise Linux hypervisor, the hypervisor requires its own subscription.

Virtual Instances

1.2. Choosing a Subscription

Red Hat recommends a subscription that allows virtual machines to inherit subscriptions, since this allows for flexibility when provisioning virtual machines. However the choice is yours, and should be made according to your requirements. If you are unsure which subscription best meets your needs, contact your Red Hat account manager for advice. For more details of the Red Hat subscription model, see Subscription Concepts and Workflows.

The following are example Red Hat subscriptions which provide inheritable subscriptions:

  • Red Hat Enterprise Linux for Virtual Datacenters
  • Red Hat Enterprise Linux with Smart Virtualization and Management

This guide uses a Red Hat Enterprise Linux for Virtual Datacenters (VDC) subscription in all examples. The workflow for all inheritable subscriptions is identical.

Confirming if virt-who is Required

To confirm if the virt-who daemon is required, either use the Red Hat Certificate Tool, or contact Red Hat Support. The command line Red Hat Certificate Tool (rct) reads a Subscription Manifest file and displays details of the manifest in plain text. The Red Hat Certificate Tool is available in subscription-manager-1.17.10 (or later) package, in either Red Hat Enterprise Linux 7.3 or Fedora 24.

Examining a Subscription Manifest with the Red Hat Certificate Tool

  1. Download the Subscription Manifest from the Customer Portal.
  2. Run the command line Red Hat Certificate Tool.

    # rct cat-manifest --no-content manifest_file.zip

    The following extract is from an OpenShift Container Platform, Premium (1-2 Sockets) subscription.

    Subscription:
        Name: OpenShift Container Platform, Premium (1-2 Sockets)
        Quantity: 50
        Created: 2017-09-16T01:47:59.000+0000
        Start Date: 2017-07-04T04:00:00.000+0000
        End Date: 2018-07-04T03:59:59.000+0000
        .
        .
        .
        Virt Limit: unlimited
        Requires Virt-who: True

The virt-who daemon is required if the rct output includes Virt Limit: unlimited, Requires Virt-who: True, or both. In this example, both are included, confirming that the virt-who daemon is required.

1.3. Applying Virtual Guest Subscriptions

A Virtual Data Center (VDC) subscription is one type of host-based subscription offered by Red Hat. Host-based subscriptions are applied to a host and inherited by its guests. Host-based subscriptions consist of two parts, a pool attached to the virtualization manager or hypervisor, and a pool from which virtual guests inherit their subscription. It is important to note that the virtualization manager or hypervisor’s subscription does not provide entitlement to product content.

To successfully provision virtual machines, and ensure they inherit host subscriptions, you must do the following:

  1. Ensure that a manifest including a VDC subscription has been uploaded to Satellite Server. See Importing a Subscription Manifest into the Satellite Server in the Content Management Guide.
  2. Install and configure the virt-who service. See Chapter 5, Configuration and Services.
  3. Attach a VDC subscription to the hypervisor. To attach a VDC subscription to a hypervisor using the web UI, click Hosts → Content Hosts, select a host, and click Subscriptions → Subscriptions. Click Add, select the desired subscription, and click Add Selected.
  4. Restart the virt-who service so that the hypervisor and virtual machine mapping information is sent back to Satellite.
  5. Register virtual machines with an activation key that has auto-attach enabled and no subscriptions attached. This way, the virtual machines will inherit the VDC subscription from the hypervisor.

1.4. Registering temporary virtual guests

When a virtual machine is first registered, Satellite does not know with which virtualization manager or hypervisor the virtual machine is associated and so cannot assign a subscription. In this case a temporary subscription is granted, valid for a maximum period of 24 hours.

When the virt-who daemon next runs and identifies the virtual machine’s host, a permanent subscription is applied, provided the host has available subscriptions of the right type. If a permanent subscription is granted, the virtual machine’s subscription status is changed to Subscribed.

A virtual machine that has been granted a temporary subscription might, after the 24-hour period, automatically select a subscription intended for a physical host and so restrict the number of subscriptions available. When the 24-hour period expires, the host’s status is changed to Not subscribed if it has been unable to request a suitable subscription.

When a virtual machine is granted a temporary subscription, you have several options available:

  • Install virt-who and wait
  • If virt-who has not already been installed and configured, do so, then wait for virt-who to identify the virtualization manager or hypervisor hosting the virtual machine, in which case the subscription will be automatically selected from those available.
  • Manually assign a subscription.
  • If you do not want to wait for up to 24 hours to pass, or you want to assign a specific subscription, install and configure virt-who, then manually assign the desired subscription.
  • Do nothing.

This situation should be avoided as it results in more subscriptions being consumed than would otherwise be consumed. A virtual machine assigned a temporary subscription might be assigned subscriptions intended for physical hosts. For example, a virtual machine with 2 CPUs might be granted two subscriptions instead of a single VDC subscription.

1.5. Virtual Machine Subscription Process

The process of registering a virtual machine is as follows:

  1. A virtual machine is provisioned.
  2. The virtual machine requests a subscription from Subscription Manager.
  3. As the subscription manager doesn’t yet know to which host the virtual machine belongs, a temporary subscription is granted, valid for a maximum 24 hours.
  4. The virt-who daemon connects to the virtualization manager or hypervisor and requests details of the guest virtual machines. By default, this request is made every hour, but the interval is configurable. Red Hat recommends this value remain at the default unless requested by Red Hat Support.
  5. The virtualization manager or hypervisor returns to virt-who the list of guest virtual machines, including each UUID.
  6. The virt-who daemon reports to Subscription Manager the list of guest virtual machines.
  7. Subscription Manager then reconciles the subscriptions required by the virtual machines with those available. If the required subscriptions are available, they are assigned to the virtual machine and its subscription is complete.

1.6. Subscription Status

A registered host, virtual or physical, has a subscription status based on its installed Products and attached subscriptions.

Subscription Status Meanings

  • Red

    • The host has Products installed that valid subscriptions do not cover. Hosts in a Red status cannot access content for Products not covered by subscriptions. Manual intervention is required to resolve a subscription with this status.
  • Yellow

    • Either the host has insufficient subscriptions or an incorrect quantity of subscriptions is attached (for example, a 2-socket subscription is attached to a 4-socket host), or Subscription Management does not know which virtualization manager or hypervisor hosts the virtual machine and has assigned a temporary subscription. Insufficient subscriptions must be resolved manually. Temporary subscriptions will be automatically resolved by Subscription Management, providing there are enough subscriptions available.
  • Green

    • The host is correctly subscribed.
Note

Hypervisors always appear in the Subscription Management web UI as correctly subscribed, regardless of their actual status.

1.6.1. Temporary Subscriptions

When a virtual machine is first registered, Subscription Management does not know with which virtualization manager or hypervisor the virtual machine is associated and so cannot assign a subscription. In this case a temporary subscription is granted, valid for a maximum period of 24 hours. When the virt-who daemon next runs and identifies the virtual machine’s host, a permanent subscription is applied, provided the host has available subscriptions of the right type. If a permanent subscription is granted, the virtual machine’s subscription status is changed to Subscribed. A virtual machine that has been granted a temporary subscription might, after the 24-hour period, automatically select a subscription intended for a physical host and so restrict the number of subscriptions available. When the 24-hour period expires, the host’s status is changed to Not subscribed if it has been unable to request a suitable subscription.

When a virtual machine is granted a temporary subscription, you have several options available:

  • Install virt-who and wait

    If virt-who has not already been installed and configured, do so, then wait for virt-who to identify the virtualization manager or hypervisor hosting the virtual machine, in which case the subscription will be automatically selected from those available.

  • Manually assign a subscription

    If you do not want to wait for up to 24 hours to pass, or you want to assign a specific subscription, install and configure virt-who, then manually assign the desired subscription.

  • Do nothing

    This situation should be avoided as it results in more subscriptions being consumed than would otherwise be consumed. A virtual machine assigned a temporary subscription might be assigned subscriptions intended for physical hosts. For example, a virtual machine with 2 CPUs might be granted two subscriptions instead of a single VDC subscription.

1.6.2. Virtual Machine Migration

When a virtual machine is migrated either automatically or manually to another hypervisor that is registered to Red Hat Satellite, one of the following virtual machine subscription behaviors can occur:

  • If the virtual machine has been reported via virt-who, and the hypervisor has a valid VDC subscription, the virtual machine will consume the virtual guest pool that already exists for the hypervisor. Ideally, all hypervisors that could be hosting the virtual machine should have a valid VDC subscription.
  • If the virtual machine has been reported via virt-who, and there are sufficient subscriptions in Red Hat Satellite, but the hypervisor does not yet have a valid VDC subscription attached, a VDC subscription will get automatically attached to the hypervisor and be inherited by the virtual machine.
  • If there are sufficient subscriptions in Red Hat Satellite, but the virtual machine has not been reported via virt-who, the virtual machine will consume a physical subscription.
  • If the hypervisor does not have a valid VDC subscription attached, and there are insufficient subscriptions in Red Hat Satellite, the virtual machine will not have a valid subscription and lose access to content.

Chapter 2. Installation and Configuration Overview

For a virtual Red Hat Enterprise Linux server to request and be granted a VDC subscription, the virt-who daemon must be configured to connect to each virtualization manager or hypervisor and report hosted virtual machines to Red Hat Subscription Management. To establish these connections, complete the following tasks in order:

  1. Decide on a configuration that suits your environment.
  2. Review the virt-who daemon’s prerequisites and ensure that all have been met.
  3. Install an instance of Red Hat Enterprise Linux for the purpose of running virt-who.
  4. Install the virt-who daemon.
  5. Establish connections between the virt-who daemon and your hypervisors.

Chapter 3. Configuration Options

The simplest configuration requiring virt-who consists of one hypervisor or virtualization manager, one organization and one hypervisor technology, with the virt-who instance reporting directly to the Subscription Management Server. Since most organizations are more complex than this, the installation and configuration of virt-who can be adapted to accommodate the following variables:

  • Multiple hypervisors
  • Multiple hypervisor technologies
  • HTTP proxy

3.1. Multiple Hypervisors

A single virt-who instance can connect to multiple hypervisors and report the virtual machines hosted by each. Individual configuration files are recommended for each hypervisor or virtualization manager as it makes troubleshooting easier. For example, if you suspect a hypervisor is causing a problem, you can move that hypervisor’s configuration file to another directory, stopping virt-who from querying it and so eliminating it from the problem’s scope.

If you have multiple hypervisors, virt-who queries each in parallel. This reduces the chance of virt-who’s queries being stopped or delayed because of an unresponsive hypervisor.

3.2. Multiple Hypervisor Technologies

A single virt-who instance can connect to virtualization platforms of multiple supported technologies. Individual configuration files are recommended for each platform.

3.3. HTTP Proxy

If you use HTTP proxy servers in your environment, additional configuration is required to use virt-who with HTTP proxy:

  • If there is an HTTP proxy between Satellite and the Content Delivery Network (CDN), by default, the virt-who traffic will attempt to go through the proxy server as well. This often fails if the HTTP proxy is configured to allow only external traffic and not internal traffic (virt-who traffic). It is also likely to fail if Subscription Management Server is on the same local network as the hypervisors.
  • If you require virt-who to use a different proxy than what Subscription Management Server uses to connect to external networks, see Section 6.5.2, “Configure virt-who to use an internal proxy” for further details.

Chapter 4. Prerequisites

Before proceeding to install virt-who, ensure the following prerequisites are met.

4.1. Authentication Requirements

Create an account on each virtualization manager, such as VMware vCenter and Red Hat Virtualization Manager, or individual hypervisors so the virt-who agent can retrieve the list of guest virtual machines. Each connection is separate, so you can use different accounts for each connection if required. Each account, generally known as a service account, should be dedicated to this purpose, have read-only access, and have a non-expiring password.

4.2. Software Requirements

The virt-who agent must be installed on a instance of Red Hat Enterprise Linux dedicated to the purpose. The underlying server can be either physical or virtual.

4.3. Subscriptions

Subscriptions are specific to organizations. Although you can configure the virt-who daemon to support multiple organizations, you cannot share subscriptions across organizations.

Note

You must have one virtual data center subscription for each organization and for each hypervisor.

4.4. Preparing the virt-who Host

Before installing the virt-who daemon, a Red Hat Enterprise Linux instance must be installed and configured as follows.

  1. Install Red Hat Enterprise Linux, version 7 (recommended) or 6.

    Only a CLI environment is required. For help with this step, see the Red Hat Enterprise Linux 7 Installation Guide or the Red Hat Enterprise Linux 6 Installation Guide.

  2. Register the Red Hat Enterprise Linux server to the Subscription Management Server:

    # subscription-manager register --username=admin --password=p@sswd \
    --org=organization_label --auto-attach
  3. Open a network port for HTTPS:

    To enable virt-who to communicate with the subscription service, TCP port 443 must be opened.

    On Red Hat Enterprise Linux 7:

    # firewall-cmd --add-port="443/tcp"
    # firewall-cmd --add-port="443/tcp" --permanent

    On Red Hat Enterprise Linux 6:

    # iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
    # service iptables save

4.5. Installing virt-who

  1. Install the virt-who package.

    # yum install virt-who

Chapter 5. Configuration and Services

5.1. Virt-who Configuration Files

The virt-who service requires a minimum of two configuration files:

  • a global configuration file, /etc/sysconfig/virt-who, contains settings which apply to all virt-who connections from that host.
  • an individual configuration file for each hypervisor or virtualization manager to which Subscription Management is to be connected. These must be stored in the /etc/virt-who.d/ directory.
Note
  • The individual configuration files, stored in the /etc/virt-who.d/ directory, must have the .conf suffix when the version of virt-who is virt-who-0.19 or higher.
  • If you add or remove virtualization managers or hypervisors you must update the virt-who daemon’s configuration.
  • When a username is added in the virt-who configuration file before the option rhsm_username, the user must have access to log in to Satellite 6. Users of third-party applications such as Active Directory and IDM might not have access that permits them to log in to Satellite 6.

The following is an extract from the example individual configuration file provided with virt-who. The configuration options for each connection are contained in a stanza. The title of each configuration stanza must be unique. It is recommended, but not required, that the individual configuration files are given the same name as the hypervisor.

#[config name]
#type=               ; insert one of libvirt/esx/hyperv/rhevm/vdsm/fake
#server=             ; insert hostname or ip address of the server to connect to
#username=           ; username for server authentication
#password=           ; password for server authentication
#encrypted_password= ; password encrypted using virt-who-password utility
#owner=              ; owner for use with SAM, Customer Portal, or Satellite 6
#env=                ; environment for use with SAM, Customer Portal, or Satellite 6
#hypervisor_id=      ; how will be the hypervisor identified, one of: uuid, hostname, hwuuid
Note

It is possible, and supported, to combine the global configuration and the hypervisor connections' configuration files into a single file: /etc/sysconfig/virt-who. However, this method will be deprecated in the future. Separating the global and individual configuration files allows for easier troubleshooting.

5.1.1. Limiting the Scope of virt-who Access

If you run a hybrid environment, with virtual machines running Red Hat Enterprise Linux and other operating systems, you might want to limit the scope of virt-who’s access to hosts. For example, if some hypervisors host only Microsoft Windows Server instances, there is no benefit in having those hypervisors reported by the virt-who agent.

To limit virt-who’s access to hosts (hypervisors), use one or both of the following methods. Both methods achieve the same objective, but the include or exclude method should be considered the default since it is a native feature of virt-who.

  • List hosts to be included or excluded.
  • Limit access to only a subset of hosts.

5.1.1.1. List Hosts to be Included or Excluded

To either include or exclude hosts being reported by the virt-who daemon, list them in the virt-who configuration file, separated by commas. If a host’s name contains special characters, enclose it in quotation marks. To include hosts, use the filter_hosts parameter. To exclude hosts, use the exclude_hosts parameter. Only one of these methods can be used in each virt-who configuration file.

The method of identifying hosts to be included or excluded must match the method you specified to have them identified in the Satellite web UI. If you specified hypervisor_id=hostname, then you must list the hosts' names. If you specified hypervisor_id=uuid, or hypervisor_id=hwuuid, then you must list the hosts' UUID or HWUUID respectively.

Note

The filtering parameters filter_host_uuids and exclude_host_uuids have been deprecated.

Example of excluding hosts from virt-who

[vcenterhost1]
type=esx
server=_vsphere.example.com_
username=_test_
password=_test_
owner=_default_organization_
env=Library
hypervisor_id=_hostname_
exclude_hosts=host1.redhat.com,host2.redhat.com

5.1.1.2. Limit Access to Specific Hosts

Grant the account used by virt-who read-only access to only those hosts you want to include. With restricted access to hosts, the virt-who daemon will only find and retrieve those hosts accessible to it.

5.1.2. Configuration Sources

In this guide, all examples use configuration files, but virt-who can accept configuration from several sources. They are listed below in order of precedence. For detailed information about virt-who configuration options, see the virt-who-config and virt-who man pages.

Specifying configuration options at the command line can be useful if you are testing a configuration before implementing it in configuration files. Note that any such options will not persist after the virt-who service is restarted, or the Red Hat Enterprise Linux host is rebooted.

  1. command line
  2. environment variables
  3. /etc/sysconfig/virt-who file
  4. /etc/virt-who.d/*.conf files
  5. /etc/virt-who.conf file

5.2. Creating a User for virt-who

  1. Create a Subscription Management user with Administrator access.

    This account is used to allow virt-who to connect to Subscription Management. Red Hat recommends the account be used for only this purpose. If you have previously created a Subscription Management user for this purpose, skip this step.

  2. Encrypt the user’s password.

    Encrypting the virt-who account password provides greater security compared with storing the password in plain text. The root account must encrypt the password because the encryption key is written into a file that is only readable by the root account. For that reason, only the root account can decrypt the password.

    1. Execute the virt-who-password utility.

      # virt-who-password

      Enter the password of the account to connect to the hypervisor. The encrypted form of the password is output to the screen.

      # virt-who-password
      Password: <virt who account's password>
      Use following as value for encrypted_password key in the configuration file:
      837a5d6a34203e805c998ce02bf84c03
    2. Make a note of the encrypted password.

This is used later in the virt-who daemon’s configuration.

5.3. Configuring virt-who to Connect to Red Hat Enterprise Virtualization Hypervisor

Repeat this procedure for each Red Hat Enterprise Virtualization Hypervisor (RHEV-H) host to which this instance of virt-who is to be connected.

  1. Encrypt the password of the account to be used to connect to the Red Hat Enterprise Virtualization Manager instance.

    Use the virt-who-password command to encrypt the password. For an example, see Section 5.2, “Creating a User for virt-who”.

  2. Copy the template configuration file to a new file.

    On the virt-who host:

    # cp /etc/virt-who.d/template.conf /etc/virt-who.d/rhevmhost1.conf

    To make it easy to identify the configuration file for each hypervisor, use the RHEV-H host’s name as the new file’s name. In this example, the host name is rhevmhost1.

  3. Edit the configuration file you just created, changing the example values with those specific to your configuration.

    [rhevmhost1]              1
    type=rhevm                2
    hypervisor_id=hostname    3
    owner=organization_label           4
    env=Library               5
    server=https://rhevmhost1.example.com:443  6
    username=admin@internal   7
    encrypted_password=bd257f93d@482B76e6390cc54aec1a4d  8
    1
    This must be unique for each virt-who instance. Use the Red Hat Virtualization Manager host’s name to make it easy to identify the configuration file for each hypervisor.
    2
    The type=rhevm specifies that this virt-who connection is to a Red Hat Virtualization Manager.
    3
    Specifies that hypervisors will be identified in the Subscription Management web UI by their host name. The default is to use the hypervisor’s UUID, which is less meaningful.
    4
    Organization’s label.
    5
    This specifies the environment in which the host will be placed and must be Library.
    6
    Red Hat Enterprise Virtualization Manager’s fully qualified host name or IP address. The default port number is 8443, but port 443 is used by Red Hat Enterprise Virtualization Manager after version 3.0.
    7
    Account name by which virt-who is to connect to the Red Hat Enterprise Virtualization Manager instance. The username option requires input in the format username@domain. Note that the read-only access is not sufficient to be able to acquire the Red Hat Virtualization Hypervisor host information via virt-who. It is necessary to create a new role in the Red Hat Enterprise Virtualization environment with the Admin account type and Login Permissions enabled only and assign this role to the user.
    8
    Encrypted password for the account specified by username.

5.4. Configuring virt-who to Connect to a Red Hat Enterprise Linux Hypervisor

Complete this procedure on each Red Hat Enterprise Linux hypervisor.

Configure virt-who to connect to the Red Hat Enterprise Linux hypervisor

  1. Configure the Red Hat Enterprise Linux hypervisor to register to the Subscription Asset Manager instance.

    # yum install http://rhsm.example.com/pub/candlepin-cert-consumer.noarch.rpm
  2. Register the Red Hat Enterprise Linux hypervisor to the Subscription Asset Manager.

    # subscription-manager register --org=organization_label
  3. Attach the VDC subscription to the Red Hat Enterprise Linux hypervisor.

    # subscription-manager attach --pool=subscription_pool_ID

    To find the required subscription pool ID, list all available subscriptions.

    # subscription-manager list --available
  4. Copy the template configuration file to a new file.

    To make it easy to identify the configuration file for each hypervisor, use the hypervisor host’s name as the new file’s name. In this example, the host name is rhelhost1.

    cp /etc/virt-who.d/template.conf /etc/virt-who.d/rhelhost1.conf
  5. Edit the configuration file you just created, changing the example values with those specific to your configuration.

    [rhelhost1.example.com]         1
    type=vdsm                       2
    hypervisor_id=hostname          3
    1
    Red Hat Enterprise Linux Hypervisor’s FQDN.
    2
    The type=vdsm parameter specifies that this virt-who connection is to a Red Hat Enterprise Linux hypervisor.
    3
    Specifies that hypervisors will be identified in the Subscription Management web UI by their host name. The default is to use the hypervisor’s UUID, which is less meaningful.

This completes the configuration required for a Red Hat Enterprise Linux hypervisor instance.

Registering Guest Virtual Machines

When registering a virtual machine hosted on this Red Hat Enterprise Linux host, you need to use an activation key that has auto-attach enabled and no subscriptions attached. This way, the virtual machine will inherit the VDC subscription from the hypervisor.

  1. Configure the virtual machine to register with the Subscription Asset Manager.

    # yum install http://__rhsm.example.com__/pub/candlepin-cert-consumer.noarch.rpm
  2. Register the virtual machine. The activation key created for VDC subscription has to be listed first. Add a secondary key for additional product subscription if required.

    # subscription-manager register --activationkey=VDC_Key,secondaryKey --org=organization_label
  3. Disable any auto-activated repositories.

    # subscription-manager repos --disable=*
  4. Enable the desired repositories for the system.

    # subscription-manager repos --enable=example-repo

5.5. Configuring virt-who to Connect to a Red Hat OpenStack Platform Compute Node

Complete this procedure on each Red Hat OpenStack Platform compute node.

Configure virt-who to connect to the Red Hat OpenStack Platform compute node

  1. Configure the Red Hat OpenStack Platform compute node to register to the Subscription Asset Manager instance.

    # yum install http://rhsm.example.com/pub/candlepin-cert-consumer.noarch.rpm
  2. Register the Red Hat OpenStack Platform compute node to the Subscription Asset Manager.

    # subscription-manager register --org="organizational_label"
  3. Attach the VDC subscription to the Red Hat OpenStack Platform compute node.

    # subscription-manager attach --pool=subscription_pool_ID

    To find the required subscription pool ID, list all available subscriptions.

    # subscription-manager list --available
  4. Copy the template configuration file to a new file.

    To make it easy to identify the configuration file for each hypervisor, use the hypervisor host’s name as the new file’s name. In this example, the host name is rhosphost1.

    cp /etc/virt-who.d/template.conf /etc/virt-who.d/rhosphost1.conf
  5. Edit the configuration file you just created, changing the example values with those specific to your configuration.

    [rhosphost1.example.com]    1
    type=libvirt                2
    hypervisor_id=hostname      3
    1
    Red Hat OpenStack Platform compute node’s FQDN.
    2
    The type=libvirt parameter specifies that this virt-who connection is to a Red Hat OpenStack Platform compute node.
    3
    Specifies that hypervisors (compute nodes) will be identified in the Subscription Management web UI by their host name. The default is to use the hypervisor’s UUID, which is less meaningful.

This completes the configuration required for a Red Hat OpenStack Platform compute node.

Registering Guest Virtual Machines

When registering guest virtual machines hosted on this Red Hat OpenStack Platform compute node, it is important that they use the subscription attached to the compute node.

  1. Configure the virtual machine to register with the Subscription Asset Manager.

    # yum install http://_rhsm.example.com_/pub/candlepin-cert-consumer.noarch.rpm
  2. Register the virtual machine.

    # subscription-manager register --org="organization_label"
  3. Obtain a subscription

    # subscription-manager attach --pool=subscription_pool_ID

    Ensure the subscription pool is the same as that used for the compute node. The virtual machine will obtain a subscription from the Subscription Asset Manager. For details of this process, see Section 1.5, “Virtual Machine Subscription Process”.

5.6. Configuring virt-who to Connect to VMware vCenter

Repeat this procedure for each VMware vCenter host to which this instance of virt-who is to be connected.

  1. Encrypt the password of the account to be used to connect to VMware vCenter.

    Use the virt-who-password command to encrypt the password. For an example, see Section 5.2, “Creating a User for virt-who”.

  2. Copy the template configuration file to a new file.

    To make it easy to identify the configuration file for each hypervisor, use the VMware vCenter host’s name as the new file’s name. In this example, the host name is vcenterhost1.

    # cp /etc/virt-who.d/template.conf /etc/virt-who.d/vcenterhost1.conf
  3. Edit the configuration file you just created, changing the example values with those specific to your configuration.

    [vcenterhost1]          1
    type=esx                2
    hypervisor_id=hostname  3
    owner=organization_label            4
    env=Library             5
    server=vcenterhost1.example.com  6
    username=corporate\svc-virt-who 7
    encrypted_password=bd257f93d@482B76e6390cc54aec1a4d  8
    1
    This must be unique for each virt-who instance. Use the VMware vCenter’s host name to make it easy to identify the configuration file for each hypervisor.
    2
    The type=esx parameter specifies that this virt-who connection is to a VMware vCenter.
    3
    Specifies that hypervisors will be identified in the Subscription Management web UI by their host name. The default is to use the hypervisor’s UUID, which is less meaningful.
    4
    Organization’s label.
    5
    This specifies the environment in which the host will be placed and must be Library.
    6
    VMware vCenter server’s fully qualified host name or IP address.
    7
    Account name by which virt-who is to connect to the hypervisor, in the format domain_name\account_name. Note that only a single backslash separates the values for domain_name and account_name. If you are using a domain account, and the global configuration file /etc/sysconfig/virt-who, then two backslashes are required. For further details, see the Red Hat Knowledgebase solution How to use a windows domain account with virt-who.
    8
    Encrypted password for the account specified by username.

5.7. Configuring virt-who to Connect to Microsoft Hyper-V

Note

The virt-who utility does not currently support Microsoft System Center 2012 R2 Virtual Machine Manager (SCVMM). There must be a virt-who configuration file for each Microsoft Hyper-V host to which virt-who is to connect.

Repeat this procedure for each Microsoft Hyper-V host to which this instance of virt-who is to be connected.

  1. Enable Windows Remote Management and either the HTTP or HTTPS listener must be running.

    On the Microsoft Hyper-V server:

    # winrm quickconfig
  2. Enable remote administration on the Microsoft Hyper-V server.

    On the Microsoft Hyper-V server:

    # netsh advfirewall firewall set rule group=Remote Administration new enable=yes
  3. If you are using HTTP, enable the unencrypted connection.

    On the Microsoft Hyper-V server:

    # winrm set winrm/config/service @{AllowUnencrypted="true"}
  4. Verify that the authentication method configured on the Microsoft Hyper-V server is either Basic or NTLM.

    On the Microsoft Hyper-V server:

    # winrm get winrm/config/service/auth
  5. Encrypt the password of the account to be used to connect to the Microsoft Hyper-V server.

    Use the virt-who-password command to encrypt the password. For an example, see Section 5.2, “Creating a User for virt-who”.

  6. Copy the template configuration file to a new file.

    On the virt-who host:

    # cp /etc/virt-who.d/template.conf /etc/virt-who.d/hypervhost1.conf

    To make it easy to identify the configuration file for each hypervisor, use the Microsoft Hyper-V server’s host name as the new file’s name. In this example, the host name is hypervhost1.

  7. Edit the configuration file you just created, changing the example values with those specific to your configuration.

    [hypervhost1]                   1
    type=hyperv                     2
    hypervisor_id=hostname          3
    owner=organization_label                 4
    env=Library                     5
    server=hypervhost1.example.com  6
    username=admin          7
    encrypted_password=bd257f93d@482B76e6390cc54aec1a4d  8
    1
    This must be unique for each virt-who instance. Use the Microsoft Hyper-V host’s name to make it easy to identify the configuration file for each hypervisor.
    2
    The type=hyperv specifies that this virt-who connection is to a Microsoft Hyper-V host.
    3
    Specifies that hypervisors will be identified in the Subscription Management web UI by their host name. The default is to use the hypervisor’s UUID, which is less meaningful.
    4
    Organization’s label.
    5
    This specifies the environment in which the host will be placed and must be Library.
    6
    Microsoft Hyper-V fully qualified host name or IP address.
    7
    Account name by which virt-who is to connect to the hypervisor. By default this is Administrator. To use an alternate account, create a user account and assign that account to the following groups (Windows 2012 Server): Hyper-V Administrators and Remote Management Users.
    8
    Encrypted password for the account specified by username.

5.8. Configuring and Starting virt-who Service

  1. Configure the virt-who service for Subscription Management.

    Edit the global /etc/sysconfig/virt-who configuration file and set the following parameter as shown. This specifies that virt-who is to be communicating with a Subscription Management host.

    VIRTWHO_SAM=1
    Warning

    By default virt-who initiates a scan hourly. The interval is defined by the VIRTWHO_INTERVAL global configuration parameter and measured in seconds. It should ONLY be changed on advice from Red Hat Support.

  2. Allow for an HTTP proxy between virt-who and guest virtual machines.

    If there is an HTTP proxy between the server on which virt-who is running and the hypervisors or virtualization managers, edit the global /etc/sysconfig/virt-who configuration file and set the following parameter as shown.

    http_proxy=http://proxy-ip-or-hostname:port-number
  3. Verify the virt-who configuration.

    Run the command virt-who --one-shot which reads all configuration files, retrieves the list of virtual machines from all sources, then exits immediately. This tests the configuration files, credentials, and connectivity to configured virtualization platforms.

    # virt-who --one-shot

    The output is a list of hypervisors and the hosted guest virtual machines, in JSON format. The following is an extract from virt-who output from a VMware vSphere instance. The output from all hypervisors follows the same structure.

    {
        "guestId": "422f24ed-71f1-8ddf-de53-86da7900df12",
        "state": 5,
        "attributes": {
            "active": 0,
            "virtWhoType": "esx",
            "hypervisorType": "vmware"
        }
    },
  4. Start and enable the virt-who service.

    On Red Hat Enterprise Linux 7:

    # systemctl start virt-who.service
    # systemctl enable virt-who.service

    On Red Hat Enterprise Linux 6:

    # service virt-who start
    # chkconfig virt-who on
  5. Verify that the virt-who service started successfully.

    On Red Hat Enterprise Linux 7:

    # systemctl status virt-who.service

    The output from this command should be similar to the following. The virt-who.service; enabled output confirms it is enabled and Active: active (running) confirms it is started.

    ● virt-who.service - Daemon for reporting virtual guest IDs to subscription-manager
       Loaded: loaded (/usr/lib/systemd/system/virt-who.service; enabled; vendor preset: disabled)
       Active: active (running) since Fri 2016-03-11 14:59:05 AEST; 47s ago

    On Red Hat Enterprise Linux 6:

    # service virt-who status

    The output from this command should be similar to the following.

    virt-who (pid  7474) is running...

5.8.1. Restarting the virt-who Service

If one or more of the virt-who configuration files is changed, or the environment in the Subscription Management configuration changes, the virt-who service must be restarted so the changes can take effect. For example, virt-who must be restarted after changing the virt-who account’s password or moving a hypervisor to a new organization.

On Red Hat Enterprise Linux 7:

# systemctl restart virt-who.service

On Red Hat Enterprise Linux 6:

# service virt-who restart

Chapter 6. Troubleshooting

6.1. Debug Logging

By default, virt-who logs all its activity to the file /var/log/rhsm/rhsm.log. When troubleshooting, check the log file as this might reveal useful information. To enable more detailed logging, change the debugging line in the global configuration file /etc/sysconfig/virt-who to VIRTWHO_DEBUG=1. If virt-who is running as a service, you must restart it for the configuration change to take effect. When you have resolved the underlying issue, disable diagnostic logging by changing the debugging line back to VIRTWHO_DEBUG=0 and restarting the virt-who service.

6.2. Duplicate Configuration Lines

Since there can be multiple configuration files, both global and hypervisor-specific, duplicate configuration lines might result in virt-who behaving differently to what you intend.

To detect duplicate lines in the virt-who configuration files, use the following command. The output of this command is a list of all lines in the specified files, prefixed by the number of times it occurs. Check all instances where the same line is listed as occurring twice or more, remove the duplicate line and restart the virt-who service. For instructions see Section 5.8.1, “Restarting the virt-who Service”.

# cat /etc/sysconfig/virt-who /etc/virt-who.d/* | sort | uniq -c

6.3. Credentials

Incorrect credentials can be a source of virt-who failure. If possible, test the credentials configured for use by virt-who by logging in to the virtualization manager or hypervisor. For example, if you can log in to the VMware vSphere management console and the expected hosts are visible, then credentials are correct.

6.4. Testing Configuration Options

When troubleshooting, a common method of determining the root cause of a problem is to make a change and test the result, repeating as needed. The virt-who agent provides an option to help with this technique.

Run the command virt-who --one-shot which reads all configuration files, retrieves the list of virtual machines from all sources, then exits immediately. This tests the configuration files, credentials and connectivity to configured virtualization platforms.

# virt-who --one-shot

The output you can expect is a list of hypervisors and the hosted guest virtual machines, in JSON format. The following is an extract from virt-who output from a VMware vSphere instance. The output from all hypervisors follows the same structure.

{
    "guestId": "422f24ed-71f1-8ddf-de53-86da7900df12",
    "state": 5,
    "attributes": {
        "active": 0,
        "virtWhoType": "esx",
        "hypervisorType": "vmware"
    }
},

6.5. Example Scenarios

6.5.1. Virt-who fails to connect with the virtualization platform

Check the Red Hat Subscription Manager log file - /var/log/rhsm/rhsm.log - if virt-who fails to connect with the virtualization platform. If you find the message No route to host, one possible reason is that the hypervisor is listening on a port other than what you expect. For example, Red Hat Virtualization Manager defaults to port 8443 for backward compatibility, but virt-who defaults to using port 443. In this case, you would edit the hypervisor’s configuration file in /etc/virt-who.d/ and append :443 to the value for the server line, resulting in the line: server=https://rhevmhost1.example.com:443.

  • You can also consider to configure virt-who to use no proxy by adding NO_PROXY=* to /etc/sysconfig/virt-who. Note that the values in /etc/sysconfig/virt-who are environment variables, and are sourced during daemon runs. If running virt-who in one-shot mode, export the values in /etc/sysconfig/virt-who first. Note that the required package versions are: python-rhsm >= 1.17.9-1 and virt-who >= 0.17-11.

    # set -a
    # source /etc/sysconfig/virt-who
    # virt-who -o

6.5.2. Configure virt-who to use an internal proxy

To configure virt-who to use an internal proxy instead of the external proxy Subscription Management Server uses to connect to the external networks(for example, the CDN), add rhsm_proxy_hostname and rhsm_proxy_port to the virt-who configuration file in /etc/virt-who.d/. Note that the virt-who version must be >= 0.14. For example:

# vi /etc/virt-who.d/fabric-1.conf

rhsm_proxy_hostname = internal-proxy.example.com
rhsm_proxy_port = 3128

Optionally specify rhsm_proxy_user and rhsm_proxy_password in the same configuration file if required.

6.6. Preventing auto-attach from being applied

Complete this procedure to prevent unintended subscriptions from being attached using the auto-attach feature.

  1. Determine if auto-attach is enabled:
# subscription-manager auto-attach --show
  1. Disable auto-attach:
# subscription-manager auto-attach --disable

6.7. Renewing Host Subscriptions

This section covers three methods to reattach subscriptions for multiple hosts. The following use cases apply:

  • When host subscriptions have expired and you need to attach new valid subscriptions.
  • When host subscriptions are still valid but you need to attach additional subscriptions.

If host subscriptions have expired, but you have configured auto-attach and virt-who previously, subscription manager will attempt to reattach a valid subscription that covers the host and its virtual machines based on a set of criteria. No action is required.

6.7.1. Using Web UI

The web UI method allows you to attach multiple subscriptions to multiple hosts at the same time.

  1. Click HostsContent Hosts. If prompted, select the desired organization.
  2. Select the desired hosts. You can use the filter function to narrow down the list of hosts you want to attach subscriptions to. Use the check box at the top to select all hosts listed.
  3. Click Select ActionManage Subscriptions.
  4. Select the desired subscriptions, and click Add Selected.

When all selected subscriptions have been attached, the task result displays success. To confirm, go to HostsContent Hosts and select the desired host. Click SubscriptionsSubscriptions, and verify that the newly attached subscriptions are listed.

6.7.2. Using Hammer CLI

The Hammer CLI method allows you to update the subscriptions iteratively per host, or script and automate the action for multiple hosts.

  1. List available subscriptions in the organization.

    # hammer --output json subscription list --organization example
    
    [
    {
      "ID": 192,
      "UUID": "2c918093561eaa39015630f5cd841d56",
      "Name": "Red Hat Enterprise Linux Server, Premium (Physical or Virtual Nodes)",
       ...
    }]
  2. Search for hosts that do not have a valid subscription.

    # hammer host list --search "subscription_status = invalid"
    
    ---|---------------------------|------------------|---------------
    ID | NAME                      | OPERATING SYSTEM | HOST GROUP
    ---|---------------------------|------------------|---------------
    45 | cloudforms.example.com    | RedHat 7.2       | Infrastructure
    84 | devnode-146.example.com   | RedHat 7.2       | Wordpress
    82 | virt-testing.example.com  | RedHat 7.1       | Development
    ---|---------------------------|------------------|---------------
  3. Attach a subscription to the desired host.

    # hammer host subscription attach --host devnode-146.example.com --quantity 2 --subscription-id 192
    
    Subscription attached to the host successfully
  4. Confirm the subscription has been successfully attached.

    # hammer host list --search "subscription_status = invalid"
    
    ---|---------------------------|------------------|---------------
    ID | NAME                      | OPERATING SYSTEM | HOST GROUP
    ---|---------------------------|------------------|---------------
    45 | cloudforms.example.com    | RedHat 7.2       | Infrastructure
    82 | virt-testing.example.com  | RedHat 7.1       | Development
    ---|---------------------------|------------------|---------------

6.7.3. Using CSV Export and Import

The CSV method also uses the Hammer CLI tool and allows you to back up the mapping information of subscriptions, hosts, and activation keys and import it back to Satellite to ensure that each hosts gets the right subscriptions attached. To use this method for subscription renewal, you need to export the CSV file before the subscriptions expire.

  1. Export the CSV file. It is recommended to add this to a cron job so that the subscription status of all the hosts are always backed up.

    # hammer csv content-hosts --export --file content-hosts-export.csv --itemized-subscriptions --organization example
  2. Edit the CSV file to include new subscription details, for example the new contract numbers.
  3. Import the CSV file back to the host when your hosts' subscriptions expire, and you need to re-attach subscriptions.

    # hammer csv content-hosts --file content-hosts-export.csv --itemized-subscriptions --organization example

Legal Notice

Copyright © 2019 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.