Disable Simple Content Access

Support
1

Problem: Unable to disable SCA in GUI

Foreman and Proxy versions: Latest 3.10

Distribution and version: Alma Linux 9

Other relevant data:

Hello, i’m trying to use the latest foreman 3.10 version in the same way i use the 3.3 version but i have a problem with SCA during activation key creation:


fatal: [foreman]: FAILED! => {"changed": false, "error": {"displayMessage": "The specified organization is in Simple Content Access mode. Attaching subscriptions is disabled", "errors": ["The specified organization is in Simple Content Access mode. Attaching subscriptions is disabled"]}, "msg": "Error while performing add_subscriptions on activation_keys: 400 Client Error: Bad Request for url: https://foreman/katello/api/activation_keys/1/add_subscriptions"}

I import the same manifest from redhat on both servers but it’s not working on the 3.10 version (not SCA toggle to disable this function). Works on 3.3 version with SCA toggle disabled.

As i read in the documention, SCA is enabled by default but i can’t find a way to disable it on latest version.

Could you help me please ?

From the nighlty documentation:

Enabling or disabling Simple Content Access from Katello

To turn Simple Content Access on or off, navigate to either of the following places:

Administer > Organizations > (your organization) > Details
    Check or uncheck the Simple Content Access checkbox, then click Submit.
Content > Subscriptions > Manage Manifest
    Toggle the Simple Content Access toggle switch.

If the checkbox is not present, or the toggle switch is disabled, it could be for one of the following reasons:

There is no manifest imported for the organization
The organization administrator has disabled Simple Content Access for the organization

I have also tried with foreman-rake command without success

2

Foreman 3.10 pairs with Katello 4.12, checking the release notes:

Simple Content Access (SCA) is now the only content access mode supported. When upgrading Katello, all existing organizations that use entitlement mode will migrate automatically to SCA. This change is not reversible.

1 Like
3

Thanks for your answere !

My actual playbook works like this:

Create AK ALMALINUX 9

  • name: “Create AK-PRODUCTION-ALMALINUX9 Activation Key”
    theforeman.foreman.activation_key:
    username: “{{ login }}”
    password: “{{ password }}”
    server_url: “{{ host_proxy }}”
    validate_certs: “{{ certs }}”
    organization: “{{ organization }}”
    name: “AK-PRODUCTION-ALMALINUX9”
    lifecycle_environment: “{{ lifecycle_env }}”
    content_view: “CV-ALMALINUX9”
    subscriptions:
    - name: “AlmaLinux”
    - name: “Elrepo”
    - name: “RPMFusion”
    - name: “EPEL”
    override: disabled
    state: present

And give me the precedent error.

Is there a documentation to move to the SCA mode for custom repo ?

Thank you

4

The only docs I was able to find are for Red Hat Satellite: Simple Content Access - Red Hat Customer Portal

Not sure how useful those are for operating systems/repos other than RHEL.

5

I find this documentation to but it seems to not be useful.

It’s strange because SCA seems to be related to Red Hat subscription and for custom repo i read in the documentation i have to use activation key.

My playbook creates the activation key in foreman but it can’t enable the 4 specified subscription. Maybe an other way to to that in the newer version.

When i go to the GUI in activation keys, select my created AK then Repository Sets, i can “enable overide” the listed repo that appears as disabled

6

There are no subscriptions anymore. Remove the subscriptions part from your playbook and it should work.

SCA is like all hosts have all subscriptions of custom products. Any host can access and enable any repository. Content views filter what hosts can see.

2 Likes
7

No ansible error anymore with the subscription options commented. Thank you man !

If i understand well, my activation key is now useful to only set to which content view attach host. The repository set menu in the activation key is useless now (everything is disabled) ?

Repository are set directly on my content view / repositories menu, correct ? With this part of my playbook:

 #Create AlmaLinux 9 Content View creation
  - name: "Create AlmaLinux 9 content view"
    theforeman.foreman.content_view:
      username: "{{ login }}"
      password: "{{ password }}"
      server_url: "{{ host_proxy }}"
      validate_certs: "{{ certs }}"
      organization: "{{ organization }}"
      name: "CV-ALMALINUX9"
      repositories:
        - name: "almalinux-extras-9-x64"
          product: "AlmaLinux"
        - name: "almalinux-base-9-x64"
          product: "AlmaLinux"
        - name: "almalinux-stream-9-x64"
          product: "AlmaLinux"
        - name: "elrepo-9-x64"
          product: "Elrepo"
        - name: "rpmfusion-el9-x64"
          product: "RPMFusion"
        - name: "epel-9-x64"
          product: "EPEL"
8

Find an other difference while registering host to foreman server.

My previous task was:

  - name: Register content host in Foreman for El9
     redhat_subscription:
       activationkey: "AK-{{ ForemanSubscriptionKeyType }}-ALMALINUX9"
       org_id: "myorg"
       force_register: "{{ ForemanForceSubscriptionRegister }}"
     changed_when: False
     throttle: 1
     ignore_errors: yes

It give me an error:

FAILED! => {“changed”: false, “cmd”: “/sbin/subscription-manager register --force --org myorg --activationkey VALUE_SPECIFIED_IN_NO_LOG_PARAMETER”, “msg”: “Couldn’t find Organization ‘’. (HTTP error code 404: Not Found)”

I update my task to use username password and environment and now registration is working:

 - name: Register content host in Foreman for El9
    redhat_subscription:
      username: admin
      password: changeme
      environment: "LC-PRODUCTION/CV-ALMALINUX9"
      force_register: "{{ ForemanForceSubscriptionRegister }}"
    changed_when: False
    throttle: 1
    ignore_errors: yes

So, activation key is completely useless with these modifications

9

An activation key is a used for “activation”, i.e. to connect a new host to the repositories and give it an initial configuration. It defines which content views it uses and the repository set (which repositories are enabled/disabled by default). After activation the activation key doesn’t matter any more to the host. Changes to the activation key won’t affect hosts which used the key before the change.

You can later change the content view and disable or enable repositories for each host as you need in the web frontend or using subscription-manager.

1 Like
10

Activation keys can also assign content overrides (“override to enabled”) for repository sets. There is an option in Ansible to do it when you are creating the activation key: theforeman.foreman.activation_key module – Manage Activation Keys — Ansible Community Documentation

12

I don’t want to enable override manually on each host that’s why i’m trying to do it with AK as i did on my actual foreman.

I manage to enable custom repo on my AK with ansible by removing the subscription part of my playbook then switch the content_overrides part to enabling wanted repos instead of disabling unwanted one.

Now when i register new host, custom repos are well enabled by AK

Thank you

1 Like
13

Update to share my playbook with community:


  # Create AK ALMALINUX 9
  - name: "Create AK-PRODUCTION-ALMALINUX9 Activation Key"
    theforeman.foreman.activation_key:
      username: "{{ login }}"
      password: "{{ password }}"
      server_url: "{{ host_proxy }}"
      validate_certs: "{{ certs }}"
      organization: "{{ organization }}"
      name: "AK-ALMALINUX9"
      #auto_attach: "off"
      lifecycle_environment: "{{ lifecycle_env }}"
      content_view: "CV-ALMALINUX9"
      content_overrides:
          - label: "AlmaLinux_almalinux-base-9-x64"
            override: enabled
          - label: "AlmaLinux_almalinux-extras-9-x64"
            override: enabled  
          - label: "AlmaLinux_almalinux-stream-9-x64"
            override: enabled  
          - label: "Elrepo_elrepo-9-x64"
            override: enabled  
          - label: "RPMFusion_rpmfusion-el9-x64"
            override: enabled 
          - label: "EPEL_epel-9-x64"
            override: enabled   
      state: present
1 Like
14

Hello,

Some updates about my problem which is not solved i think

When i register an host which was previously registered to my old foreman. My AK works and i get the specified repositories.
But when a i register a fresh new host, i don’t have the redhat.repo file in /etc/yum.repo.d and no repo available via yum repolist command. In the foreman GUI i see them enabled on the host details.

Any idea ?

Thank you

15

What command are you using to register the host? Are you using global registration or another method? Are you using the same activation key for the hosts that work and the hosts that don’t work?

Check your /etc/rhsm/rhsm.conf or subscription-manager config. Does the server configuration point to the correct Foreman server? Are any values changed from the defaults?

16

Hello Jeremy,

I use both method:

  • ansible with redhat_subscription module
  • command line subscription-manager register --org=“MYORG” --activationkey=“AK-PRODUCTION-ALMALINUX9”

The AK has two parameters: my alma9 content view + somes alma9 repositories set to override enabled.

Yes i use the same command for both new host and migrated hosts from old foreman but without the same result.

No difference between the two subscription-manager config and yes they point to the same server. :

diff config1 config2
27d26
<    progress_messages = [1]
17

I can’t edit my message.

I find something strange. When i register the host, no redhat.repo file is created in /etc/yum.repo.d. But many hours later the file appears with the overrided repositories set is the AK.

Is there a paramater somewhere to force synchronization ?

18

Sorry for this new message !

I found why the redhat.repo wasn’t created when joining foreman. My fresh machine had a bad time configuration. I set ntp before joigning foreman and yes redhat.repo is created.

I’m now investigating on why the repositories set by the AK are set to disabled by default on the fresh new host and not to enabled as i config it in the AK :slight_smile:

19

edit: problem solved with this registration method with ansible. Use activationkey value:

  - name: Register content host in Foreman for El9
    redhat_subscription:
      activationkey: "AK-{{ ForemanSubscriptionKeyType }}-ALMALINUX9"
      org_id: "MYORG"
      force_register: "{{ ForemanForceSubscriptionRegister }}"
    changed_when: False
    throttle: 1
    ignore_errors: yes

Thank you for your help.

My main problem was the NTP unconfigured on my fresh new host. Don’t forget to configure it before foreman registration.

1 Like
20

Keep in mind the redhat_subscription module is for registering to RHSM, not Katello, and will not configure your sub-man with Katello’s certificates or correct config. To do that with Ansible, generate a registration command to use for global registration using theforeman.foreman.registration_command: theforeman.foreman.registration_command module – Manage Registration Command — Ansible Community Documentation

1 Like