Bug 1201663 - The default multi-user.target configured in rhel7.1 images runs /usr/bin/rhsmcertd
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rhel-server-container
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Václav Pavlín
QA Contact: atomic-bugs@redhat.com
Depends On: 1094932 1209382 1382308
Reported: 2015-03-13 08:46 UTC by Jan Pazdziora
Modified: 2020-12-15 07:33 UTC (History)

Doc Type: Bug Fix
Clone Of:
: 1299908 (view as bug list)
Last Closed: 2020-12-15 07:33:39 UTC



Description Jan Pazdziora 2015-03-13 08:46:27 UTC
Description of problem:

Create minimal image which runs systemd(-container) based on rhel7.1, using Dockerfile

   FROM rhel7.1
   RUN yum install -y /usr/bin/ps
   ENV container docker
   CMD [ "/usr/sbin/init" ]

Run a container and inspect running processes -- /usr/bin/rhsmcertd will be there. It's because

   rhsmcertd.service

service is enabled in

   /etc/systemd/system/multi-user.target.wants/rhsmcertd.service

The man rhsmcertd(1) says

        Periodically scans and updates the entitlement certificates on
        a registered system.

but in a container, entitlement certificates are inherited from the
host. It seems this service should be removed from the target.

Version-Release number of selected component (if applicable):

Image rhel7.1
docker-1.5.0-16.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have Dockerfile as shown above.
2. Build, run a container.
3. Check the processes running in the container using

   docker exec <the-container-id> ps axuwwf

Actual results:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root        70  0.0  0.0  19760  1132 ?        R    04:39   0:00 ps axuwwf
root         1  0.5  0.0  44752  2800 ?        Ss   04:39   0:00 /usr/sbin/init
root        63  0.0  0.0  32144  2640 ?        Ss   04:39   0:00 /usr/lib/systemd/systemd-journald
root        68  0.0  0.0   9740   668 ?        Ss   04:39   0:00 /usr/bin/rhsmcertd
root        69  0.0  0.0   6424   840 ?        Ss   04:39   0:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600


Expected results:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root        70  0.0  0.0  19760  1132 ?        R    04:39   0:00 ps axuwwf
root         1  0.5  0.0  44752  2800 ?        Ss   04:39   0:00 /usr/sbin/init
root        63  0.0  0.0  32144  2640 ?        Ss   04:39   0:00 /usr/lib/systemd/systemd-journald
root        69  0.0  0.0   6424   840 ?        Ss   04:39   0:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600

Additional info:

Comment 2 Jan Pazdziora 2015-03-13 08:51:35 UTC
Adding

   RUN rm -f /etc/systemd/system/multi-user.target.wants/rhsmcertd.service

to my Dockerfile helps but I believe it should be in the base image, unless there is a strong reason to run rhsmcertd by default.

Comment 3 Václav Pavlín 2015-03-13 15:42:56 UTC
Can we change this in systemd-container? I would like to keep kickstart files clean from init process modifications.

Comment 4 Lukáš Nykrýn 2015-03-13 17:36:56 UTC
How can I change this in systemd package? That service is enabled after installation and it seems not to use presets.

Comment 5 Frantisek Kluknavsky 2016-01-19 14:24:08 UTC
Let's rm the symlink for now but leave this bug open waiting for a proper solution. https://bugzilla.redhat.com/show_bug.cgi?id=1299908

Comment 6 Daniel Walsh 2016-10-18 15:48:08 UTC
Any movement on this bug?

Comment 7 Jan Pazdziora 2017-10-18 08:20:44 UTC
It looks like bug 1299908 mentioned waiting for bug 1209382 which was marked as duplicate of bug 1271839 which was resolved in RHEL 7.4.

So the question is, can the "workaround" introduced in bug 1299908 be reverted with proper preset-based approach now available?

Comment 8 Frantisek Kluknavsky 2018-04-17 13:48:14 UTC
As far as I know, we do not have a packaged container-specific preset file. We almost had one two years ago, but the idea was intentionally canceled without explanation. See bug 1382308.
We can try to get a new rpm into rhel7 but that requires an unlikely agreement of a lot of people. Do you have a better suggestion?

Comment 9 Jan Pazdziora 2018-04-17 14:04:57 UTC
Can you verify that the problem is still present with current images?

IIRC, you can make things conditional in the .service, not to run it in containers.

The systemd environment in containers should have sane defaults, so minimize the amount of work that needs to be done to the image by its users.

Comment 10 James Cassell 2020-06-19 07:41:49 UTC
Would be properly solved for all cases by adding to the rhsmcertd.service file:

ConditionPathIsDirectoryNotEmpty=!/etc/pki/entitlement-host

Problem is that `ConditionPathIsDirectoryNotEmpty` is currently broken: https://github.com/systemd/systemd/issues/16220

Comment 11 James Cassell 2020-06-19 16:20:28 UTC
It was very late in the evening when I said "ConditionPathIsDirectoryNotEmpty" was broken... that's because the actual option is called "ConditionDirectoryNotEmpty", and it works just fine.


I see 2 workable solutions to this issue:

1. Set `ConditionDirectoryNotEmpty=!/etc/pki/entitlement-host` in the [Unit] section of rhsmcertd to avoid service activation when host entitlements are available, or

2. Have a separate set of container presets that avoid enabling this service at all.
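
An added example, not part of the bug thread or of any Red Hat package: option 1 from comment 11 written as a systemd drop-in under an image root, with an offline check of which units enabled in multi-user.target.wants would then start. The function names and the drop-in file name `10-container.conf` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): option 1 from comment 11 as a systemd
# drop-in under an image root, plus an offline check of its effect.
# Function names and the drop-in file name are assumptions of this example.

# add_entitlement_condition ROOT UNIT
# Write a drop-in that keeps UNIT from starting when host entitlements exist.
add_entitlement_condition() {
    dropin_dir="$1/etc/systemd/system/$2.d"
    mkdir -p "$dropin_dir" || return 1
    printf '[Unit]\nConditionDirectoryNotEmpty=!/etc/pki/entitlement-host\n' \
        > "$dropin_dir/10-container.conf"
}

# condition_allows_start ROOT UNIT
# Evaluate ConditionDirectoryNotEmpty= lines in UNIT's drop-ins against ROOT.
# Returns 0 if every condition holds (or there is none), 1 otherwise.
condition_allows_start() {
    for conf in "$1/etc/systemd/system/$2.d"/*.conf; do
        [ -f "$conf" ] || continue
        while IFS='=' read -r key value; do
            [ "$key" = "ConditionDirectoryNotEmpty" ] || continue
            negate=0
            case $value in '!'*) negate=1; value=${value#'!'} ;; esac
            if [ -d "$1$value" ] && [ -n "$(ls -A "$1$value")" ]; then
                nonempty=1
            else
                nonempty=0
            fi
            [ "$nonempty" -ne "$negate" ] || return 1   # a leading "!" inverts the test
        done < "$conf"
    done
    return 0
}

# report_multi_user ROOT
# For each unit enabled in multi-user.target.wants, print "<unit> start|skip".
report_multi_user() {
    for link in "$1"/etc/systemd/system/multi-user.target.wants/*; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # keep dangling symlinks too
        unit=${link##*/}
        if condition_allows_start "$1" "$unit"; then
            echo "$unit start"
        else
            echo "$unit skip"
        fi
    done
}

if [ $# -gt 0 ]; then report_multi_user "$1"; fi
```

The check reads only drop-ins under /etc/systemd/system and does not resolve absolute symlinks inside ROOT, so run it against an unpacked image root where /etc/pki/entitlement-host is a real directory.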

Comment 13 RHEL Program Management 2020-12-15 07:33:39 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

