redhat_subscription: use D-Bus for registration if possible

[ptoscano]

SUMMARY

subscription-manager currently does not have a way to get credentials (username, password, activation keys, organization ID) in a secure way: the existing command line parameters can be easily spotted when running a process listing while 'subscription-manager register' runs. There is a D-Bus service, which is used by e.g. cockpit and Anaconda to interface with RHSM (at least for registration and common queries).

Try to perform the registration using D-Bus, in a way very similar to the work done in convert2rhel [1] (with my help):

• try to do a simple signal test to check whether the system bus works; inspired by the login in the dconf module
• pass most of the options as registration options; for the few that are not part of the registration, execute 'subscription-manager' manually
• add quirks for differently working (or not) registration options for the D-Bus Register*() methods depending on the version of RHEL
• subscription-manager register is used only in case the signal test is not working; silent fallback in case of D-Bus errors during the registration is not done on purpose to avoid silent fallback to a less secure registration

[1] oamg/convert2rhel#540

ISSUE TYPE

• Feature Pull Request

COMPONENT NAME

redhat_subscription

ADDITIONAL INFORMATION

There should be no behaviour change for the module.

[ansibullbot]

cc @alikins @barnabycourt @kahowell
click here for bot help

[ptoscano]

Opened as draft because I need to test it on more versions of RHEL, in few more scenarios. Regardless, having few more eyes on it wouldn't certainly hurt.

[github-actions]

Docs Build 📝

Thank you for contribution!✨

This PR has been merged and your docs changes will be incorporated when they are next published.

[richm]

lgtm - have you been able to try this with the rhc system role? If not, I can help with that.

[felixfontein]

Thanks for your contribution! Could you please add a changelog fragment? Thanks!

[ptoscano]

OK, after a bit of more in-depth testing, I think it should work fine in (hopefully :) ) all the cases.

Thanks for your contribution! Could you please add a changelog fragment?

Thanks, done; I wasn't sure whether it was needed in this case. If you want to do a more extensive review, please go ahead :)

lgtm - have you been able to try this with the rhc system role? If not, I can help with that.

Not yet, so far I've been testing directly the module itself. I think that, if you have a quick way to spawn all the testing of the rhc system role with this change applied for it, that'd be great!

[richm]

OK, after a bit of more in-depth testing, I think it should work fine in (hopefully :) ) all the cases.

Thanks for your contribution! Could you please add a changelog fragment?

Thanks, done; I wasn't sure whether it was needed in this case. If you want to do a more extensive review, please go ahead :)

lgtm - have you been able to try this with the rhc system role? If not, I can help with that.

Not yet, so far I've been testing directly the module itself. I think that, if you have a quick way to spawn all the testing of the rhc system role with this change applied for it, that'd be great!

Sure.

Copy the module .py file to rhc/library
Rename it to something like local_redhat_subscription.py
Change community.general.redhat_subscription: to local_redhat_subscription: in tasks/subscription-manager.yml

Then you can run locally, submit a PR and use CI testing, etc.

[ptoscano]

So, I gave it more testing (and fixed small bits):

• on its own: works fine with
  • RHEL 7 (7.9+)
  • RHEL 8.8 (nightly)
  • RHEL 9.2 (nightly)
  • CentOS 9 Stream (up-to-date)
• as part of the rhc system role, running the tests tests_register_unregister.yml & tests_release.yml (which exercise a bit registration and release setting on registration): works fine with
  • RHEL 8.7
  • RHEL 8.8 (nightly)
  • RHEL 9.1
  • RHEL 9.2 (nightly)

Hence, at this point I feel more confident that this should work fine. Of course, I can always fix bugs, in case they are noticed/reported.

The only thing I'm not totally sure (and I simply followed what other Python modules do) is the logging using module.debug(): it looks not exactly straightforward to enable, and it gets logged in the managed nodes rather than being outputted on the ansible/ansible-playbook output (even with -v and more). Maybe there's a way, and I'm dumb enough to have not noticed it.

[richm]

So, I gave it more testing (and fixed small bits):

* on its own: works fine with
  
  * RHEL 7 (7.9+)
  * RHEL 8.8 (nightly)
  * RHEL 9.2 (nightly)
  * CentOS 9 Stream (up-to-date)

* as part of the `rhc` system role, running the tests `tests_register_unregister.yml` & `tests_release.yml` (which exercise a bit registration and release setting on registration): works fine with
  
  * RHEL 8.7
  * RHEL 8.8 (nightly)
  * RHEL 9.1
  * RHEL 9.2 (nightly)

Hence, at this point I feel more confident that this should work fine. Of course, I can always fix bugs, in case they are noticed/reported.

+1

The only thing I'm not totally sure (and I simply followed what other Python modules do) is the logging using module.debug(): it looks not exactly straightforward to enable, and it gets logged in the managed nodes rather than being outputted on the ansible/ansible-playbook output (even with -v and more). Maybe there's a way, and I'm dumb enough to have not noticed it.

No, you are correct, this is the way it is done. You use journalctl on the managed node to view the debug log.
Not really related to logging, but if you want to debug the module on the managed node, see https://docs.ansible.com/ansible/latest/dev_guide/debugging.html#debugging-modules

[richm]

This fix lgtm - is it ready to be merged? If so, when can it be merged?

[felixfontein]

It looks OK to me. If you and @ptoscano are happy I can merge this.

[ptoscano]

It looks OK to me. If you and @ptoscano are happy I can merge this.

My last changes (4 days ago) solved all the few issues I still saw, so currently I'm aware of none. Of course, I'm willing to fix any issue that show up after these changes.

[richm]

It looks OK to me. If you and @ptoscano are happy I can merge this.

Thanks!

[patchback]

Backport to stable-6: 💚 backport PR created

✅ Backport PR branch: patchback/backports/stable-6/e939cd07ef335e939e901c3ccc76523eab8d5e4a/pr-6122

Backported as #6188

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

[felixfontein]

@ptoscano thanks for contributing this!
@richm thanks for reviewing/testing!