06. 10. 2023
Development, DevOps
Recently we had to provision a couple of NetEye machines on Azure for production purposes.
Our procedure essentially creates a RedHat 8.10 VM starting with an official RedHat image, and adds the NetEye repositories to install the required software. This procedure is what we usually follow to create training environments, but these machines are usually not meant to have a long life and we never update them.
During an upgrade of productive machines we spotted an issue related to dnf which found conflicts with grafana and ansible-core. After some investigation we found out that the issue was related to Azure, which was adding its own repository definition because it was exploiting RHUI functionalities.
Red Hat Update Infrastructure is officially supported by Red Hat and allows a Cloud provider to handle updates via its own repositories, both mirroring Red Hat repositories themselves and also adding custom repositories.
In the specific case of Azure those repos are defined in /etc/yum.repos.d/rh-cloud.repo which supersedes Red Hat’s official repos.
For our specific case we need a “recent but not bleeding edge” updated version of some elements of the software (grafana and ansible-core), and so we exclude these software packages from the official Red Hat repos during our setup procedures by using the following command:
subscription-manager repo-override --repo=rhel-8-for-x86_64-appstream-rpms --add=exclude:grafana*,ansible-core*Unfortunately, RHUI repos are supported by Red Hat but not handled by subscription-manager, meaning that this exclude will not work for them.
Possible Solutions
After some investigation and confirmation from Red Hat support, it turned out that we have several options:
- Exclude the unwanted software by adding an exclude in
/etc/dnf/dnf.conf - Uninstall the package rhui-azure-rhel8 which provides repository definitions, alongside other files
- Disable the file
/etc/yum.repos.d/rh-cloud.reporenaming it for example to rh-cloud.repo.disable - Add an exclude in
/etc/yum.repos.d/rh-cloud.repoforrhel-8-for-x86_64-appstream-rhui-rpms
Each solution has its pro and cons, but none of them are perfect for our situation:
- It’s not applicable because it will affect all repos including NetEye ones, and therefore we immediately discarded it
- It means switching to a standard Red Hat edition, but possibly excluding future updates provided by Azure and therefore we decided to keep it as a last resort
- It has same drawbacks as the previous two solutions, and in addition an update of
rhui-azure-rhel8may re-enable repos at any time
We opted for the fourth solution: it still poses the issue related to possible updates of rhui-azure-rhel8 packages but at least it doesn’t disable Azure repos.
The solution is also relatively simple to automate to guarantee that, during upgrades, the exclusion line is present.
Conclusion
In general RHUI repos don’t cause any issues and can be used safely to achieve better performance and provider-side cluster customization. In some specific cases, however, they can interfere with usual operations and unfortunately they cannot be managed via subscription-manager.
In those specific cases you should apply some workarounds like those described above and understand which solution is best for your specific case.
References
- https://access.redhat.com/products/red-hat-update-infrastructure
- https://docs.redhat.com/en/documentation/red_hat_update_infrastructure/3.0/html/system_administrators_guide/about_red_hat_update_infrastructure
- https://learn.microsoft.com/en-us/azure/virtual-machines/workloads/redhat/redhat-rhui?tabs=rhel8
Alessandro Valentini
DevOps Engineer at Wuerth Phoenix
DevOps Engineer at Würth Phoenix
Author
Latest posts by Alessandro Valentini
01. 12. 2023
Development, DevOps
How to Install Matomo on OpenShift