Disable Simple Content Access

Gokusan31 · April 15, 2024, 7:09am

Problem: Unable to disable SCA in GUI

Foreman and Proxy versions: Latest 3.10

Distribution and version: Alma Linux 9

Other relevant data:

Hello, i’m trying to use the latest foreman 3.10 version in the same way i use the 3.3 version but i have a problem with SCA during activation key creation:


fatal: [foreman]: FAILED! => {"changed": false, "error": {"displayMessage": "The specified organization is in Simple Content Access mode. Attaching subscriptions is disabled", "errors": ["The specified organization is in Simple Content Access mode. Attaching subscriptions is disabled"]}, "msg": "Error while performing add_subscriptions on activation_keys: 400 Client Error: Bad Request for url: https://foreman/katello/api/activation_keys/1/add_subscriptions"}

I import the same manifest from redhat on both servers but it’s not working on the 3.10 version (not SCA toggle to disable this function). Works on 3.3 version with SCA toggle disabled.

As i read in the documention, SCA is enabled by default but i can’t find a way to disable it on latest version.

Could you help me please ?

From the nighlty documentation:

Enabling or disabling Simple Content Access from Katello

To turn Simple Content Access on or off, navigate to either of the following places:
Administer > Organizations > (your organization) > Details
    Check or uncheck the Simple Content Access checkbox, then click Submit.
Content > Subscriptions > Manage Manifest
    Toggle the Simple Content Access toggle switch.
If the checkbox is not present, or the toggle switch is disabled, it could be for one of the following reasons:
There is no manifest imported for the organization
The organization administrator has disabled Simple Content Access for the organization

I have also tried with foreman-rake command without success

quba42 · April 15, 2024, 7:16am

Foreman 3.10 pairs with Katello 4.12, checking the release notes:

Simple Content Access (SCA) is now the only content access mode supported. When upgrading Katello, all existing organizations that use entitlement mode will migrate automatically to SCA. This change is not reversible.

Gokusan31 · April 15, 2024, 8:06am

Thanks for your answere !

My actual playbook works like this:

Create AK ALMALINUX 9

name: “Create AK-PRODUCTION-ALMALINUX9 Activation Key”
theforeman.foreman.activation_key:
username: “{{ login }}”
password: “{{ password }}”
server_url: “{{ host_proxy }}”
validate_certs: “{{ certs }}”
organization: “{{ organization }}”
name: “AK-PRODUCTION-ALMALINUX9”
lifecycle_environment: “{{ lifecycle_env }}”
content_view: “CV-ALMALINUX9”
subscriptions:
- name: “AlmaLinux”
- name: “Elrepo”
- name: “RPMFusion”
- name: “EPEL”
override: disabled
state: present

And give me the precedent error.

Is there a documentation to move to the SCA mode for custom repo ?

Thank you

quba42 · April 15, 2024, 8:29am

The only docs I was able to find are for Red Hat Satellite: Simple Content Access - Red Hat Customer Portal

Not sure how useful those are for operating systems/repos other than RHEL.

Gokusan31 · April 15, 2024, 9:14am

I find this documentation to but it seems to not be useful.

It’s strange because SCA seems to be related to Red Hat subscription and for custom repo i read in the documentation i have to use activation key.

My playbook creates the activation key in foreman but it can’t enable the 4 specified subscription. Maybe an other way to to that in the newer version.

When i go to the GUI in activation keys, select my created AK then Repository Sets, i can “enable overide” the listed repo that appears as disabled

gvde · April 15, 2024, 10:04am

There are no subscriptions anymore. Remove the subscriptions part from your playbook and it should work.

SCA is like all hosts have all subscriptions of custom products. Any host can access and enable any repository. Content views filter what hosts can see.

Gokusan31 · April 15, 2024, 12:13pm

No ansible error anymore with the subscription options commented. Thank you man !

If i understand well, my activation key is now useful to only set to which content view attach host. The repository set menu in the activation key is useless now (everything is disabled) ?

Repository are set directly on my content view / repositories menu, correct ? With this part of my playbook:

 #Create AlmaLinux 9 Content View creation
  - name: "Create AlmaLinux 9 content view"
    theforeman.foreman.content_view:
      username: "{{ login }}"
      password: "{{ password }}"
      server_url: "{{ host_proxy }}"
      validate_certs: "{{ certs }}"
      organization: "{{ organization }}"
      name: "CV-ALMALINUX9"
      repositories:
        - name: "almalinux-extras-9-x64"
          product: "AlmaLinux"
        - name: "almalinux-base-9-x64"
          product: "AlmaLinux"
        - name: "almalinux-stream-9-x64"
          product: "AlmaLinux"
        - name: "elrepo-9-x64"
          product: "Elrepo"
        - name: "rpmfusion-el9-x64"
          product: "RPMFusion"
        - name: "epel-9-x64"
          product: "EPEL"

Gokusan31 · April 15, 2024, 2:37pm

Find an other difference while registering host to foreman server.

My previous task was:

  - name: Register content host in Foreman for El9
     redhat_subscription:
       activationkey: "AK-{{ ForemanSubscriptionKeyType }}-ALMALINUX9"
       org_id: "myorg"
       force_register: "{{ ForemanForceSubscriptionRegister }}"
     changed_when: False
     throttle: 1
     ignore_errors: yes

It give me an error:

FAILED! => {“changed”: false, “cmd”: “/sbin/subscription-manager register --force --org myorg --activationkey VALUE_SPECIFIED_IN_NO_LOG_PARAMETER”, “msg”: “Couldn’t find Organization ‘’. (HTTP error code 404: Not Found)”

I update my task to use username password and environment and now registration is working:

 - name: Register content host in Foreman for El9
    redhat_subscription:
      username: admin
      password: changeme
      environment: "LC-PRODUCTION/CV-ALMALINUX9"
      force_register: "{{ ForemanForceSubscriptionRegister }}"
    changed_when: False
    throttle: 1
    ignore_errors: yes

So, activation key is completely useless with these modifications

gvde · April 15, 2024, 2:44pm

An activation key is a used for “activation”, i.e. to connect a new host to the repositories and give it an initial configuration. It defines which content views it uses and the repository set (which repositories are enabled/disabled by default). After activation the activation key doesn’t matter any more to the host. Changes to the activation key won’t affect hosts which used the key before the change.

You can later change the content view and disable or enable repositories for each host as you need in the web frontend or using subscription-manager.

jeremylenz · April 15, 2024, 2:51pm

Activation keys can also assign content overrides (“override to enabled”) for repository sets. There is an option in Ansible to do it when you are creating the activation key: theforeman.foreman.activation_key module – Manage Activation Keys — Ansible Community Documentation

Gokusan31 · April 16, 2024, 7:47am

I don’t want to enable override manually on each host that’s why i’m trying to do it with AK as i did on my actual foreman.

I manage to enable custom repo on my AK with ansible by removing the subscription part of my playbook then switch the content_overrides part to enabling wanted repos instead of disabling unwanted one.

Now when i register new host, custom repos are well enabled by AK

Thank you