"Restrict to OS version" does not filter repo



I have a foreman3.3 + katello install here with some RHEL7.9 hosts attached with SCA enabled.
I mirror two repos (docker yum repos) for EL7 and EL8 respectively.

I put both repos in a CV and that (through a CCV) attached to the hosts.
I’m now setting “Restrict to OS version” to rhel-7 / rhel-8 on the repos, and I’d expect the hosts not to see the docker-el8 repo, but they still do.

Publishing & promoting a new version of the CV+CCV did not make a difference.

Expected outcome

“Restrict to OS version” make the repo vanish from subscription-manager repos etc

Foreman and Proxy versions: 3.3.0-1.el7

Foreman and Proxy plugin versions: katello 4.5.0

Distribution and version: CentOS 7.9

Other relevant data:

The “Restrict to OS version” will only work with RHEL, not CentOS. (Explanation in this post.)

However, it seems odd that both machines can see the repos. For an OS-restricted repo, I would expect neither CentOS machine to see them.

Or maybe I’m misunderstanding and they are both actually RHEL machines? If that’s the case, what do you mean by “see them?” You’ll still see both of them in the Repository Sets tab on the host’s details page in the web UI. But on the actual RHEL system, the non-matching restricted repo should be missing from the output of subscription-manager repos.

foreman runs on CentOS7. The managed machines are true RHEL7.

They “see” the repos e.g. in subscription-manager repos output (or yum repolist etc).

The foreman GUI > Content Hosts > $host > Repository Sets lists the repos:

  • Docker_EL7 as “Enabled (overridden)”
  • Docker_EL8 as “Disabled (overridden)”

In /etc/pki/entitlement, what’s in the output of rct cat-cert xxxxx.pem? (replace xxx with whichever file matches your repo)

We’re looking for something like this line:

Required Tags: rhel-8

Then, let’s compare it to the rct cat-cert output from the .pem file in /etc/pki/product-default or /etc/pki/product. You should see something like this:

	ID: 479
	Name: Red Hat Enterprise Linux for x86_64
	Version: 8.5
	Arch: x86_64
	Tags: rhel-8,rhel-8-x86_64
	Brand Type: 
	Brand Name: 

Thanks for these commands! In the output of /etc/pki/product-default I found a Product: of RHEL7.9, but in /etc/pki/entitlement I found the clue: both repos were listed as Content: with Required Tags: rhel-7 which made me look again at the foreman GUI, and indeed I had tagged the Docker_EL8 repo as “Restrict to” rhel-7.

So sorry for the fuzz! Classical layer 8 problem on my part.
Even more thanks for the prompt replies!