How does yum with Red Hat Network Subscription work inside the rhel Docker images?

docker redhat yum rhel7

Red Hat Enterprise Linux 7 includes official support for running Docker containers, and Red Hat offer a set of official rhel Docker images. An interesting feature of these images is that packages can be installed via the host's Red Hat Network Subscription without having to perform any configuration within the container.

To quote https://access.redhat.com/articles/881893#createimage:

"For the current Red Hat Docker release, the default RHEL 7 Docker image you pull from Red Hat will be able to draw on RHEL 7 entitlements available from the host system. So, as long as your Docker host is properly subscribed and the repositories are enabled that you need to get the software you want in your container (and have Internet access from your Docker host), you should be able to install packages from RHEL 7 software repositories."

My concern is that the mechanism by which this is achieved is rather opaque. When starting a new container with the rhel7.1 image, for example, it is possible to run yum install foo without even configuring the http proxy environment variables. Without understanding this mechanism, the system administrator is potentially at the mercy of unknown interactions between the host system, the Docker daemon, and running containers. This also suggests that the normal isolation between the host and container is in some way compromised (albeit in a benign fashion).

To put a point on it: How is this subscription support achieved, and is it dependent on the custom build of the Docker daemon provided by Red Hat via the Subscription Network?


Solution 1:

Red Hat carries a patch to docker called the 'secrets' patch which mounts the entitlement information into containers when they are run.

You can see the a better description of the patch and a link to the upstream PR in the projectatomic/docker repo:

https://github.com/projectatomic/docker/tree/docker-1.13.1-rhel#add-rhel-super-secrets-patchpatch

Note, you'll need to select one of the branches (the link goes to the 'docker-1.3.1-rhel' branch) to see all the carried patch information.

Solution 2:

Knowing how virtual machines managed by Red Hat Satellite are licensed, and going off @Leynos's comment, I would expect that there is something similar to virt-who, which is a service that talks to the virtualization host (vSphere, KVM, etc) and queries it to find details of VMs. It then does the necessary API calls in Satellite to allow the VM to use the host's datacenter license.

I would expect that the Red Hat docker daemon provides something similar, allowing the container to know that it's running from a subscribed Docker host and therefore make use of that subscription.

Also from here:

IMPORTANT: Running containers with the docker command, as described in this topic, does not specifically require you to register the RHEL Atomic Host system and attach a subscription. However, if you want to run yum install commands within a container, the container must get valid subscription information from the RHEL Atomic Host or it will fail.

So, there's something either in the container or the daemon that can query the host to find subscription info (and probably repo info as well).

Related

Why only a single loopback address on IPv6?
Enable error logging on PHP-FPM 7 with Nginx?
How to forcibly completely clear PHP7 opcache?
How to rewrite paths in Amazon Application Load Balancer?
Postfix/postfix-script warning symlink leaves directory: /etc/postfix/./makedefs.out
Backup solution for 10TB of data and 3 servers
Find's -true option: what for?
Should I create a new private ssh key on each system?
Experiences with BIRD for BGP?
Why are my MongoDB queries really, really slow?
How to setup a NNTP server for Usenet?
Too many TIME_WAIT state connections! [duplicate]