Simple Content Access

Updated -

What is Simple Content Access and Why should I use it?

Simple Content Access (SCA) is a capability in Red Hat’s subscription tools which simplifies the behavior of the entitlement tooling, making it easier to consume the content provided by your Red Hat subscriptions without the complexity of configuring subscription tooling.

By doing so, Simple Content Access removes processes which are

  • Time consuming
  • Overly complex, especially for the systems administration persona.
  • Business impacting. (The penalty for 'getting it wrong' is high)

Simple Content Access simplifies the entitlement experience so that the Linux administrator does not have a complex workflow that needs to be completed when adding, removing, and renewing subscriptions. SCA gives the administrator back valuable time (on average 10 hours a week) to spend doing things other than subscription management. At its core, it does this by removing the need to attach subscriptions at a per system level. Without needing to attach subscriptions, much of the complexity of the subscription tools is reduced or removed:

  • You no longer need to have complex activation key setups to ensure that a system gets the correct subscription (which grants access to the repositories). Simply register and enable the repositories that you need.
  • You no longer need to run virt-who as frequently to support fresh host-guest mappings to support newly provisioned hosts. Run virt-who as needed for reporting.
  • Challenges with auto-attach assigning a subscription that you didn’t intend are eliminated.
  • The requirement to attach a subscription to a new hypervisor (or remove one from an old hypervisor) is removed.
  • Reattaching subscriptions after a renewal is no longer required.

Simple Content Access is an optional feature of Red Hat Subscription Management(RHSM) and Red Hat Satellite 6, and in the case of Satellite 6, can be enabled on a per Subscription Allocation basis by an Organization Administrator.

  • As of 15-Jul-2022, newly created Red Hat accounts default to having Simple Content Access enabled.

When enabling Simple Content Access, you are enabling a new subscription experience that happens to use the existing subscription tools that already exist. As such, these tools will behave very differently than before. The “What Operational Changes do I have to make after enabling Simple Content Access?” section of this document covers exactly what these changes are.

While it is not mandatory to use both (or either), Simple Content Access is best paired with Subscription Watch, as Subscription Watch provides the visibility and governance that is needed to get the most out of SCA. The videos below cover more about why Red Hat built Subscription Watch and Simple Content Access, and how both of the capabilities qualitatively improve your subscription experience.

Modernizing the Registration Experience

Introduction to Subscription Watch

How do I enable Simple Content Access for Red Hat Subscription Management?

Simple Content Access can be enabled or disabled by an Organizational Administrator in Red Hat Subscription Management by setting the Simple content access for Red Hat Subscription Management slider.

SCA RHSM Slide

Once enabled for your account, systems simply need to be registered (via subscription-manager), and additional repositories enabled if necessary.

Example:

To register a system.

subscription-manager register --username <$INSERT_USERNAME_HERE>

OR (if using activation keys)

subscription-manager register --org <$INSERT_ORG_ID_HERE> --activationkey <$INSERT_ACTIVATION_KEY_HERE>

then, (if necessary) enable additional repos

subscription-manager repos --enable rhel-7-server-ansible-2.9-rpms

NOTE commands to attach subscriptions (such as subscription-manager attach --auto and/or subscription-manager attach --pool <$POOLID>) are obsolete and no longer required.

How do I enable Simple Content Access for Red Hat Satellite?

SCA can be enabled per manifest in the Red Hat Cloud Services platform.
NOTE: Newly created Subscription Allocations default to having Simple Content Access enabled.

However, to disable/enable Simple Content Access for any existing allocation, perform the following procedure:
1. In the Satellite web UI, navigate to Administer > Organizations.
2. Click on your organization.
3. On the Primary tab, check or uncheck the Simple Content Access checkbox and click Submit.

Enabling SCA

What Operational Changes do I have to make after enabling Simple Content Access?

When Simple Content Access is enabled, the ‘laws of physics’ in the world of Subscription Management change. Even though the same tools (subscription-manager, virt-who, Satellite) are used, they behave very differently. Fundamentally the switch to Simple Content Access should be treated like a new operating model, which is incompatible with most workflows related to Subscription Management.

First and foremost, when Simple Content Access is enabled, attaching subscriptions is not required, so (as an example), if you had a workflow which checked that a system had a valid subscription as part of a post-provisioning workflow, it would need to change. Listed below are other workflows that drastically change when SCA is enabled.

  • Manifest generation
  • Subscription Status
  • Activation keys
  • auto-attach
  • Virt-who
  • System purpose status.
  • UI changes
  • Reporting and understanding subscription utilization.

Manifest generation

When SCA is disabled:

When SCA is disabled, a subscription manifest needed to contain (at a minimum) enough subscriptions to cover every system registered to the Satellite.

When SCA is enabled:

When SCA is enabled, a subscription manifest only needs to contain enough subscriptions to provide access to repositories needed by your systems. 1 of each subscription is sufficient.

Subscription Status

When SCA is disabled:

System level subscription status (as reported by the subscription-manager tool) was used to understand if a system has a valid subscription, and if a status of insufficient or invalid was reported, it could be addressed by attaching a different (or additional) subscription(s)

subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Current

System Purpose Status: Matched

Subscription status could also be used as an indicator of ‘did this system get properly registered?’.

When SCA is enabled:

System level subscription status (as reported by the subscription-manager tool) is now disabled.

subscription-manager status
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Overall Status: Disabled
Content Access Mode is set to Simple Content Access. This host has access to content, regardless of subscription status.

System Purpose Status: Disabled

As subscriptions are no longer required to be attached to the host, the very concept of ‘does THIS host have a valid subscription’ is obsolete. If you want to confirm ‘did this system get properly registered?’, use the output of subscription-manager identity instead of the output of subscription-manager status.

Note: Subscription Status shows as ‘unknown’ in Satellite versions 6.7 and below

Sub Status 1

This can be safely ignored and is addressed in Satellite 6.8 and will show ‘disabled’ similar to the CLI tools.

Sub Status 2

Activation Keys

When SCA is disabled:

Activation keys, which are used in lieu of username/password as a means to register to a Satellite server, generally contain a number of attributes to configure a host as registration. These include (but are not limited to):

  • Which subscriptions to attach?
  • Which repositories to enable?
  • Which environment & content view to configure the system with?
  • Which host collection to join?

The subscription related aspects of activation keys are where activation keys have generally had their complexity. Previously, it was suggested (such as in Subscription-manager for the former Red Hat Network User: Part 9 - A Case Study with activation keys ) to use 1-3 activation keys to configure a system (1 key to grant a virtual sub, 1 key to configure content [like repositories], and 1 to configure custom or layered subscriptions)

When SCA is enabled:

Activation keys continue to be used to register systems, however, their subscription related aspects are obsolete. As a result, the number of activation keys required to register a system is simplified and should optimally be 1 key per host to configure the content related aspects (repositories and content views).

Additionally it is recommended to set the ‘content host limit’ attribute, which sets the maximum number of times an activation key can be used. This can be used to help limit the number of systems which can be registered.

It is STRONGLY recommended to revisit your activation key design as the number of activation keys required to register a host can likely be simplified.

Auto-attach

When SCA is disabled:

The auto-attach function is generally used to attach appropriate subscriptions to a system, either at registration time or subscription expiry.

When SCA is enabled:

As subscriptions are not required to be attached to hosts when SCA is enabled, workflows related to auto-attach are obsolete. You no longer need to:

  • Run ‘subscription-manager attach --auto’
  • Run ‘hammer host subscription auto-attach’
  • Set activation keys to ‘auto-attach’

Running the above commands will result in either a no-op (no change) or explicitly error.

Virt-who

When SCA is disabled:

Virt-who, the utility which gathers host/guest mappings from hypervisors and reports them to Satellite, was a mandatory tool which was required to be used to consume content provided by subscriptions which support multiple guests (such as RHEL vDC). Virt-who was typically configured to run every 1-4 hours to provide refreshed host/guest mappings.

When SCA is enabled:

Virt-who is no longer in the ‘critical path’ of content access (again, since subscriptions no longer have to be attached to hosts). However, virt-who is an extremely important tool to support Subscription Watch. The host/guest mappings which are gathered by virt-who are critical information used to render accurate charts in Subscription Watch. However, the frequency at which virt-who needs to run can be limited to be less frequent. Without a correctly configured installation of both virt-who and the installation/enablement of the Satellite Inventory Plugin, Satellite users will not have accurate reporting in Subscription Watch

It is recommended when Satellite has SCA enabled, virt-who configurations should be configured to run no more frequently than twice daily.

System Purpose (and System Purpose Status)

When SCA is disabled:

System purpose allows you to set various parameters about how the system is being used, which are persistent and are used by the subscription tooling to better guide a system to a proper subscription. By providing those technical, business, and operational use-cases, the subscription tooling (particularly auto-attach) can make more informed decisions. You provide:

  • ROLE - What is the workload running on the system
    • E.g. ‘Red Hat Enterprise Linux Server’
  • SLA - What is the expected service level for this system?
    • E.g. Self-Support, Standard (business hours), Premium
  • USAGE - What is the scope of support for this system? Exactly what will we help you with.
    • E.g Development (assistance with design), Production (assistance with installation and runtime issues)

When SCA is not in use, System purpose attributes which are provided are used to better guide auto-attach and when auto-attach is able to match the requested attributes with a valid subscription, the system purpose status is updated to MATCHED (and MISMATCHED otherwise).

When SCA is enabled:

System Purpose status is set to DISABLED, as subscriptions are not required to be attached to systems. However, it is strongly recommended to continue to set system purpose attributes as those are also used by Subscription Watch (https://cloud.redhat.com/subscriptions/) to help filter/identify hosts.

UI Changes

On content related pages in the Satellite UI, there are now banners which inform the user that Simple Content Access is enabled. Examples:

  • Manifest import (Satellite 6.8+)

UI 1

  • Host page:

UI 2

  • Activation Key page:

UI 3

No change is required by the user other than importing a manifest with Simple Content Access enabled. These UI changes are intended to inform the user that SCA is enabled and that subscriptions should not be attached to hosts.

Behavior of the 'subscription-manager' CLI tool.

when SCA is enabled

The subscription-manager CLI tool, in versions less than 1.27.9-1 will display spurious messages when SCA is enabled.

When running yum commands, the user will receive output similar to This system is registered with an entitlement server, but is not receiving updates. You can use subscription-manager to assign subscriptions.

This message can be safely ignored in:

  • RHEL8 - subscription-manager versions less than 1.27.9-1 when SCA is enabled, and will be properly suppressed in versions greater than 1.27.9-1. This is being tracked in BZ1815624
  • RHEL7 - subscription-manager versions less than 1.24.26-1 when SCA is enabled, and will be properly suppressed in versions greater than 1.24.26-1. This is being tracked in BZ1831104

Further Reading

There are a number of documents which are worth reading to further your knowledge and understanding of Simple Content Access and Subscription Watch:

Comments