canonical
subscription-manager attach and attach-auto deprecated on RHEL
Bug report
At least with subscription-manager version 1.30.10, attach and attach-auto dissapear
$ sudo subscription-manager version
server type: Red Hat Subscription Management
subscription management server: Unknown
subscription management rules: Unknown
subscription-manager: 1.30.10-1.el10
$ sudo subscription-manager --help
Usage: subscription-manager MODULE-NAME [MODULE-OPTIONS] [--help]
Primary Modules:
list List subscription and product information for this system
refresh Pull the latest subscription data from the server
register Register this system to the Customer Portal or another subscription management service
release Configure which operating system release to use
status Show status information for this system
unregister Unregister this system from the Customer Portal or another subscription management service
Other Modules:
clean Remove all local system and subscription data without affecting the server
config List, set, or remove the configuration parameters in use by this system
environments Display the environments available for a user
facts View or update the detected system information
identity Display the identity certificate for this system or request a new one
orgs Display the organizations against which a user can register a system
plugins View and configure with 'subscription-manager plugins'
repo-override Manage custom content repository settings
repos List the repositories which this system is entitled to use
syspurpose Convenient module for managing all system purpose settings
version Print version information
Red Hat has moved all the customer to use Simple Content Access (SCA) henceforth you don't have to attach any subscription to any system, just register the system and enable the required repositories.
Steps to reproduce the problem
Using auto-attach = true fails, but I'm unsure how to register repos, just with attach-auto = false (or not setting at all)
running instance has repos configured, but GPG failed
$ sudo yum install -y tree
Updating Subscription Management repositories.
Last metadata expiration check: 0:08:24 ago on Sat Sep 20 22:27:54 2025.
Dependencies resolved.
===============================================================================================================================================================================================================================================
Package Architecture Version Repository Size
===============================================================================================================================================================================================================================================
Installing:
tree x86_64 2.1.0-8.el10 baseos 56 k
Transaction Summary
===============================================================================================================================================================================================================================================
Install 1 Package
Total download size: 56 k
Installed size: 108 k
Downloading Packages:
tree-2.1.0-8.el10.x86_64.rpm 1.8 MB/s | 56 kB 00:00
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 1.8 MB/s | 56 kB 00:00
Package tree-2.1.0-8.el10.x86_64.rpm is not signed
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: GPG check FAILED
Environment details
- Cloud-init version: 24.4
- Operating System Distribution: RHEL 10.1
- Cloud provider, platform or installer type: openstack
cloud-init logs
The yum/dnf plugins: /etc/dnf/plugins/subscription-manager.conf, /etc/dnf/plugins/product-id.conf were automatically enabled for the benefit of Red Hat Subscription Management. If not desired, use "subscription-manager config --rhsm.auto_enable_yum_plugins=0" to block this behavior.
2025-09-18 12:51:23,312 - subp.py[DEBUG]: Running command ['subscription-manager', 'attach', '--auto'] with allowed return codes [0] (shell=False, capture=True)
2025-09-18 12:51:23,743 - performance.py[DEBUG]: Running ['subscription-manager', 'attach', '--auto'] took 0.431 seconds
2025-09-18 12:51:23,744 - cc_rh_subscription.py[WARNING]: Auto-attach failed with: Unexpected error while running command.
Command: ['subscription-manager', 'attach', '--auto']
Exit code: 1
Reason: -
Stdout: Usage: subscription-manager MODULE-NAME [MODULE-OPTIONS] [--help]
Primary Modules:
list List subscription and product information for this system
refresh Pull the latest subscription data from the server
register Register this system to the Customer Portal or another subscription management service
release Configure which operating system release to use
status Show status information for this system
unregister Unregister this system from the Customer Portal or another subscription management service
Other Modules:
clean Remove all local system and subscription data without affecting the server
config List, set, or remove the configuration parameters in use by this system
environments Display the environments available for a user
facts View or update the detected system information
identity Display the identity certificate for this system or request a new one
orgs Display the organizations against which a user can register a system
plugins View and configure with 'subscription-manager plugins'
repo-override Manage custom content repository settings
repos List the repositories which this system is entitled to use
syspurpose Convenient module for managing all system purpose settings
version Print version information
Stderr:
2025-09-18 12:51:23,744 - cc_rh_subscription.py[WARNING]: Setting auto-attach failed
2025-09-18 12:51:23,744 - cc_rh_subscription.py[WARNING]: rh_subscription plugin did not complete successfully
2025-09-18 12:51:23,744 - handlers.py[DEBUG]: finish: modules-config/config-rh_subscription: SUCCESS: config-rh_subscription ran successfully and took 4.346 seconds
Hi @albfan , can you share the user-data you used?
Fwiw, I was recently able to successfully register my rh subscription on a 10.0 RHEL image and cloud-init 25.2 .The user-data I used is here
Try removing the auto-attach service-level add_pool auto_attach service_level add_pool properties from your user-data and I think you will be able to bypass this failure.
Looking at the cc_rh_subscription.py module in the main branch (disclosure: I made some recent changes to this file but they will only appear in 25.3 and they did not touch the auto_attach behavior) , I can see that this module tries to execute the attach subcommand of subscription-manager only when you pass one/many of the following 6 keys add-pool add_pool auto-attach auto_attach service_level service-level in the user-data config
My 2 cents is to remove these keys from your user-data if you do not need (when you are using the new subscription-manager) the functionalities that cloud-init was providing with these keys.
Tbh I have yet to look at the cli changes but given that we have a recent example (rhel 10.0) registering fine.... it could be that cloud-init does not need to make any changes and users just need to remove these keys from their user-data. However, if users no longer using these keys will remove functionality that can be done "natively" with the new subscription-manager cli but no longer via cloud-init. Then there will be changes needed in cloud-init to conditionalize the runtime cloudinit behavior based based on the subcription-manager version in the rhel image (or even just the rhel version) based on the cutoff version of when this cli breaking change was introduced so that cloud-init accomodates both old and new subscription-manager.
2025-09-18 12:51:23,744 - cc_rh_subscription.py[WARNING]: Auto-attach failed with: Unexpected error while running command.
Command: ['subscription-manager', 'attach', '--auto']
This part of the logs is interesting. If I am not missing something obvisous in the logic of the cloud-init module, this exact command should run only when the key auto-attach (or auto_attach) is defined in user-data and should not run if the key is not passed to to user-data.
See the set_auto_attach method and when it is alled (I am on my phone so unable to get line-specific permalinks so here is the file permalink)
EDIT: I also chrcked the same file in the cloud-init 24.4 version and the logic of this part is the same: this command can run only when the key auto-attach is defined in user-data
Thanks a lot @mostafaCamel for the triage here. I can confirm that subscription-manager attach --auto ... is only run in either the condition where user-data contains rh_subscription:auto-attach= true and optionally if rh_subscription:service_level is defined with it. In the absence of auto-attach: true the operation and breaking command is not performed.
I'm curious if we have docs on what RH is recommending nowadays for automatically selecting the right service level for a machine. I see manpages pointing to subscription-manager register --auto, but I'm not entirely sure if that's the correct 'new' functional replacement of the subscription-manager attach --auto. Do we have visibility to RedHat release docs that describe this CLI deprecation in release notes somewhere?
I'm seeing the following for RHEL10 release notes which talks about that deprecation
- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/10.0_release_notes/removed-features#removed-features-subscription-management
It also appears that in the redhat support docs about removal of subscription-manager attach that Redhat sub-mgr may now prefer the use of subscription-manager syspurpose service-level Set Standard instead of trying to provide that in a subscription-manager attach --service-level subcommand. It looks like there are a couple of fixes necessary to adapt to RHEL 10's subscription-manager approach.
I want to CC:@jeremycline and @otubo just for visibility as I think this affects newer RedHat images and we'd probably want some eyes more familiar with the RedHat subscription approaches to ascertain the best supported path forward for RHEL.
It looks like RedHat is telling customers to register via username/password or via activation keys. There does not seem to be a direct cli replacement of attach --auto and tehyare moving towarda an account-centric approach (managed via the ui) rather than system-centric approach. At least that's what I understand.
The same page also talks about the subscription-manager attach and subscription-manager auto-attach removal starting from rhel10
EDIT: never mind and discard this comment. Chad also found the same page in an earlier comment with more relevant points.
We are setting up RHEL using terraform: Is a template but you can figure out data I guess: https://github.com/albfan/tstenvs/blob/main/infrastructure/openstack/compute/guests/rhel/cloud-config.j2
From all your feedback I think just removing auto-attach (or set to false) is enough, so probably my GPG problem comes from different issue, thanks for looking into this.
I just download package from our repo and from some other distro:
$ git diff --word-diff --no-index <(rpm -qpi ~/Descargas/tree-2.1.0-8.el10.x86_64.rpm) <(rpm -qpi ~/Descargas/tree-2.1.0-8.el10.x86_64\ \(2\).rpm)
diff --git 1/dev/fd/63 2/dev/fd/62
--- 1/dev/fd/63
+++ 2/dev/fd/62
...
Signature : [-(none)-]{+RSA/SHA256, jue 30 ene 2025 14:08:41, Key ID dee5c11cc2a1e572+}
...
Vendor : [-Red Hat, Inc.-]{+AlmaLinux+}
URL : https://mama.indstate.edu/users/ice/tree/
Summary : File system tree viewer
Description :
I think I can close the issue, but let me know if you need any extra feedack
Thank you for reporting the issue and all the logs by the way. I think we should keep the issue open as it seems we may need code changes in cloud-init (we are still trying to figure out the details/ official rhel guidance) for rhel users who want to setup service level during the registration.
In your case, a config change should bee enough. Given that your user-data is produced via a templater, you can either remove auto-attach: true or put it behind some condition. I doubt %{ if rhel_major < "10" } will work as it is a string comparison. You would need to check your templater api to see how to convert rhel_major to a number before comparing to the number (not the string) 10.