RHEL 8.4 On-Demand License - Connector configuration error


Post by cautoasato » Fri Mar 04, 2022 9:51 pm

Hi guys, I'm new to the community so bear with me a little, please. :)

I've my OpenVPN Cloud configured and fully functional with a Network (in Azure) receiving network requests according to the DNS that I've set in its configurations. So far so good. I've deployed an RHEL 8.4 as the connector in Azure with NAT forwarding enabled and all necessary steps to make it functional.

As I only have one connector in this Network we have decided to deploy a second connector for HA. Yet I'm stuck on the installation of the connector. The script provided by OpenVPN for RHEL 8 considers that you have an active subscription with Red Hat, which is not the case when you have a PAYG (On-Demand) license with Azure.

Whenever you have an instance in PAYG mode, customers should not register these images with Red Hat Subscription Management (RHSM). On-demand clients receive updates from the cloud provider via the Red Hat Update Infrastructure (RHUI) and not Red Hat directly, which makes the script misbehave.

Before I add the script provided by OpenVPN, allow me to provide information on my repos and system.

Code:

Linux VMLinuxToolsHA 4.18.0-305.17.1.el8_4.x86_64
NAME="Red Hat Enterprise Linux"
VERSION="8.4 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.4"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.4 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.4:GA"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/8/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.4
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.4"
Red Hat Enterprise Linux release 8.4 (Ootpa)
Red Hat Enterprise Linux release 8.4 (Ootpa)
RHEL 8.4 (PAYG) in Azure
Repositories configured:
copr:copr.fedorainfracloud.org:dsommers:openvpn3 Copr repo for openvpn3 owned by dsommers
epel Extra Packages for Enterprise Linux 8 - x86_64
epel-modular Extra Packages for Enterprise Linux Modular 8 - x86_64
microsoft-azure-rhel8-eus Microsoft Azure RPMs for RHEL8 Extended Update Support
packages-microsoft-com-prod packages-microsoft-com-prod
rhel-8-for-x86_64-appstream-eus-rhui-rpms Red Hat Enterprise Linux 8 for x86_64 - AppStream - Extended Update Support from RHUI (RPMs)
rhel-8-for-x86_64-baseos-eus-rhui-rpms Red Hat Enterprise Linux 8 for x86_64 - BaseOS - Extended Update Support from RHUI (RPMs)


As we can see, the script follows basically the same steps as this procedure: https://openvpn.net/cloud-docs/openvpn- ... for-linux/

Code:

#!/bin/bash

# Install dependencies
sudo yum localinstall https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
sudo yum install yum-plugin-copr

# Add the OpenVPN repository
sudo yum copr enable dsommers/openvpn3

# Install OpenVPN Connector setup tool
sudo yum install python3-openvpn-connector-setup

# Enable IP forwarding
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# Configure NAT
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -j MASQUERADE
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -j ACCEPT
sudo firewall-cmd --permanent --direct --add-rule ipv6 nat POSTROUTING 0 -j MASQUERADE
sudo firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 -j ACCEPT
sudo systemctl restart firewalld

# Run openvpn-connector-setup to install ovpn profile and connect to VPN.
# You will be asked to enter setup token. You can get setup token from Linux
# Connector configuration page in OpenVPN Cloud Portal
sudo openvpn-connector-setup

All configurations of NAT forwarding, firewall, etc., run well. But I noticed when the script tries to enable the codeready-builder repository, it gets blocked and therefore it fails to install "openvpn3" later in the process.

As mentioned earlier, this is a Pay-as-you-go (aka On-Demand) RHEL license and those shouldn't register these images with Red Hat Subscription Management (RHSM). Therefore, the command snippet in the script to add the repository via the subscription manager doesn't work. Whenever I input this command the following output comes out:

Code:

sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms

This system has no repositories available through subscriptions.

I wonder if there is any way to work around that. Whenever I try to manually install openvpn3-client, here is what happens:

Code:

sudo yum install openvpn3-client

Last metadata expiration check: 3:21:21 ago on Fri 04 Mar 2022 06:03:48 PM UTC.
Error:
 Problem: package openvpn3-client-17-2.beta1.el8.x86_64 requires openvpn3(x86-64) = 17-2.beta1.el8, but none of the providers can be installed
  - package openvpn3-17-2.beta1.el8.x86_64 requires openvpn3-selinux >= 17-2.beta1.el8, but none of the providers can be installed
  - conflicting requests
  - nothing provides selinux-policy >= 3.14.3-80.el8 needed by openvpn3-selinux-17-2.beta1.el8.noarch
  - nothing provides selinux-policy-base >= 3.14.3-80.el8 needed by openvpn3-selinux-17-2.beta1.el8.noarch
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

My system is up to date and selinux-policy is installed at its latest version:

Code:

Last metadata expiration check: 3:24:34 ago on Fri 04 Mar 2022 06:03:48 PM UTC.
Installed Packages
selinux-policy.noarch                            3.14.3-67.el8_4.4                            @rhel-8-for-x86_64-baseos-eus-rhui-rpms

I would appreciate your help.

I have also tried to add the codeready for RHUI found at this Amazon link, but it has yet to work out for me.
https://aws.amazon.com/premiumsupport/k ... able-epel/

Best,

cautoasato

Re: RHEL 8.4 On-Demand License - Connector configuration error

Post by cautoasato » Wed Mar 16, 2022 3:02 pm

Hi guys, I ended up figuring it out.

I've contacted Azure Support to give a little light on this.

It seems by default all PAYG (aka On-demand) images from Azure are version-locked. When we have a version-locked image, we have EUS repos. EUS repos get their specific minor release and codeready is a non-eus repo.

On the mirrors of EPEL and codeready they don't have a specific minor directory for it. This is the "standard" non-eus repos config.

So when we look for the codeready mirrors (listed below) we will see the variable $releasever that is set to 8.X when you have a version-locked RHEL. Removing the version lock will allow adding the codeready repo and proceeding with the installation of the connector, as the variable $releasever is now set to 8.

[rhui-codeready-builder-for-rhel-8-x86_64-rhui-rpms]
name=Red Hat CodeReady Linux Builder for RHEL 8 x86_64 (RPMs) from RHUI
baseurl=https://rhui-1.microsoft.com/pulp/repos ... builder/os
        https://rhui-2.microsoft.com/pulp/repos ... builder/os
        https://rhui-3.microsoft.com/pulp/repos ... builder/os
enabled=1

Once I removed the version-lock from my Azure instance, with a simple "yum update" codeready repo was added and I was able to install the connector.

If someone wants to know how to remove a version-lock in Azure VMs: https://docs.microsoft.com/en-us/azure/ ... rsion-lock
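A preflight check for the situation described in this thread, as an added example that is not part of the original posts and is not OpenVPN's or Microsoft's code: it reports whether CodeReady Builder can be enabled via RHSM, is blocked by a version lock, or is already available from RHUI. It assumes the lock is a `releasever` vars file under `/etc/yum/vars` or `/etc/dnf/vars` and that an RHSM-registered host has `/etc/pki/consumer/cert.pem`; the ROOT argument is a hypothetical test hook.

```shell
#!/bin/bash
# Added example, not OpenVPN's or Microsoft's code. Decides how (or whether)
# CodeReady Builder can be enabled before the connector script runs.
# The optional ROOT argument is a hypothetical test hook: a directory tree
# that stands in for "/" so the check can run against constructed files.

# Print the pinned $releasever if a vars file sets one; return 1 otherwise.
pinned_releasever() {
    local root="${1:-}" f
    # Assumption: dnf reads variable files from both of these directories.
    for f in "$root/etc/dnf/vars/releasever" "$root/etc/yum/vars/releasever"; do
        if [ -s "$f" ]; then
            tr -d '[:space:]' < "$f"
            return 0
        fi
    done
    return 1
}

# Print one of: rhsm | version-locked:<ver> | codeready-missing | ready
connector_preflight() {
    local root="${1:-}" ver
    # Assumption: an RHSM identity certificate means the host is registered,
    # so "subscription-manager repos --enable ..." is the right path.
    if [ -s "$root/etc/pki/consumer/cert.pem" ]; then
        echo "rhsm"
        return 0
    fi
    # PAYG image: a minor release such as 8.4 in $releasever means the image
    # is version-locked to EUS repos, where CodeReady has no matching path.
    if ver=$(pinned_releasever "$root"); then
        case "$ver" in
            *.*) echo "version-locked:$ver"; return 0 ;;
        esac
    fi
    # Unlocked: look for the RHUI CodeReady section id quoted in the thread.
    if grep -qsE '^\[rhui-codeready-builder-for-rhel-8-x86_64-rhui-rpms\]' \
            "$root"/etc/yum.repos.d/*.repo; then
        echo "ready"
    else
        echo "codeready-missing"
    fi
    return 0
}

connector_preflight "${1:-}"
```

A result of `version-locked:8.4` matches the first post's failure; `ready` matches the state after the lock was removed and `yum update` had run.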
