Managing Special Deployment Scenarios

There are different types of consumers and different ways of organizing consumers. The simplest environment has physical machines grouped together in one single, homogeneous group, connecting to CentOS's hosted content and subscription services. While this is an easy arrangement to maintain, it does not accurately describe many enterprise environments, which have a lively mix of physical and virtual machines, divided across disparate organizational units and even subunits within those organizations and accessing locally-controlled content and subscription services.

The first change is the ability to group systems into divisions and subdivisions. This is called multi-tenancy, the ability to create unrelated groups beneath the primary umbrella account. Multi-tenant (or multi-org) structures are for infrastructures which may have multiple content repositories or subscription services, where systems within the organization need to be grouped according to their access to those repositories and services.

The other part of heterogeneous environments is recognizing consumers other than physical machines. Two special consumer types are common: virtual guests and server domains. The difference between these consumer types and physical, single-machine consumers is only in the type of information that the CentOS Subscription Service uses and stores - not in any special configuration or management tasks.

Local Subscription Services, Local Content Providers, and Multi-Tenant Organizations

As outlined, the subscription service, content repository, and client tools and inventory all work together to define the entitlements structure for a customer. The way that these elements are organized depends on a lot of factors, like who is maintaining the individual services, how systems in the inventory are grouped, and how user access to the different services is controlled.

The most simplistic structure is the hosted structure. The content and subscription services are hosted by CentOS, and all systems within the inventory are contained in one monolithic group. User access is defined only by CentOS Customer Portal account access.

Figure 14.8. Hosted Structure

The next step allows a customer to have its own, local subscription service (Subscription Asset Manager), while still using CentOS's hosted content delivery network. At this point, user access can be defined locally, within the Subscription Asset Manager configuration. Subscription Asset Manager can define independent groups, called organizations. Systems belong to those organizations, and users are granted access to those organizations. Systems and users in one organization are essentially invisible to systems and users in other organizations.

Figure 14.9. Hosted Content/Local Subscriptions Structure

The last style of infrastructure is almost entirely local, with a Subscription Asset Manager that provides locally-hosted content providers and an integrated local subscription service.

Figure 14.10. Local Subscriptions and Local Content Provider Structure

This allows the most control over how systems are grouped within the subscriptions and content. A customer's main account can be divided into separate and independent organizations. These organizations can use different content providers, can have different subscriptions allocated to them, and can have different users assigned to them, with levels of access set per organization. Access control in this scenario is handled entirely locally: the local Subscription Asset Manager, not the remote CentOS Customer Portal, processes user authentication requests and applies local access control policies.

A system is assigned to one organization. Within an organization, there can be different environments which define access to product versions and content sets. There can be overlap between environments, with a system belonging to multiple environments.

Figure 14.11. Multi-Org

When there is only one organization - such as a hosted environment (where the single organization is implicit) - then all systems default to using that one organization. When there are multiple organizations, then the organization for a system to use must be defined for that system. This affects register operations, where the system is registered to the subscription service and then joined to the organization. It also affects other operations tangentially. It may affect subscribe operations, because the organization determines repository availability and subscription allocations, and it affects redeem operations (activation of existing subscriptions), because subscriptions must be redeemed from the organization which issued the subscription.

For more information on configuring and managing organizations, environments, and content repositories, see the Subscription Asset Manager documentation.

Virtual Guests and Hosts

When the CentOS Subscription Manager process checks the system facts, it attempts to identify whether the system is a physical machine or a virtual guest. The Subscription Manager can detect guests for several different virtualization services, including:

Subscription Manager records a unique identifier called a guest ID as one of the system facts for a virtual guest. A special process, libvirt-rhsm, checks VMWare, KVM, and Xen processes and then relays that information to Subscription Manager and any configured subscription service (Certificate-based CentOS Network or a local Subscription Asset Manager). Each guest machine on a host is assigned a guest ID, and that guest ID is both associated with the host and used to generate the identity certificate for the guest when it is registered.

Some Community Enterprise Linux variants are specifically planned for virtual hosts and guests. The corresponding subscriptions are divided into a certain quantity of physical hosts and then a quantity of allowed guests. Community Enterprise Linux add-ons may even be inherited, so that when a host machine is subscribed to that entitlement, all of its guests are automatically included in that subscription. (CentOS layered products usually do not draw any distinction between virtual and physical systems; the same type of subscription is used for both.) If the system is a guest, then virtual entitlements are listed with the available subscriptions. If no more virtual entitlements are available, then the subscription service will apply physical entitlements.

Virtual and physical subscriptions are identified in the Type column.

Figure 14.12. Virtual and Physical Subscription

The distinction of being a physical machine versus virtual machine matters only in the priority of how entitlements are consumed. Virtual machines are recorded in the subscription service inventory as a regular system type of consumer.

Virtual guests are registered to the subscription service inventory as regular systems and subscribe to entitlements just like any other consumer.

Virtual entitlements can only be used by virtual machines. Physical entitlements can be used by both physical and virtual machines. When ascertaining what subscriptions are available for autosubscription, preference is given first to virtual entitlements (which are more restrictive in the type of consumer which can use them), and then to physical entitlements.
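The preference order described above (virtual entitlements restricted to guests and tried first; physical entitlements usable by both and tried second, including when the virtual pool is exhausted), written as an added illustration. This is not code from the original page or from Subscription Manager; `Pool`, `Consumer` and `autosubscribe` are assumed names, and the pools are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """One subscription pool as the subscription service lists it."""
    pool_id: str
    type: str       # "virtual" or "physical", the Type column in the page's figure
    quantity: int   # entitlements still available in this pool


@dataclass
class Consumer:
    name: str
    is_guest: bool  # derived from the system facts (a guest ID is recorded)


def available_pools(consumer, pools):
    """Pools this consumer may draw from.

    Virtual entitlements can only be used by virtual machines;
    physical entitlements can be used by both physical and virtual machines.
    """
    usable = [p for p in pools if p.quantity > 0]
    if not consumer.is_guest:
        usable = [p for p in usable if p.type == "physical"]
    return usable


def autosubscribe(consumer, pools):
    """Pick one pool for the consumer, virtual first, then physical.

    Decrements the chosen pool's quantity. Returns the pool id, or None
    when nothing suitable is left.
    """
    usable = available_pools(consumer, pools)
    # Virtual pools are more restrictive, so they are consumed before physical ones.
    usable.sort(key=lambda p: 0 if p.type == "virtual" else 1)
    if not usable:
        return None
    chosen = usable[0]
    chosen.quantity -= 1
    return chosen.pool_id


def demo():
    # Constructed sample: one virtual pool with 1 left, one physical pool with 2 left.
    pools = [Pool("phys-1", "physical", 2), Pool("virt-1", "virtual", 1)]
    guest_a, guest_b, host = Consumer("guest-a", True), Consumer("guest-b", True), Consumer("host-1", False)
    # First guest gets the virtual entitlement; the second falls back to physical;
    # the host uses the last physical one; a second host attempt finds nothing.
    return [autosubscribe(c, pools) for c in (guest_a, guest_b, host, host)]
```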

Domains

Consumers in the subscription service inventory are identified by type. Most consumers have a type of system, meaning that each individual server subscribes to its own entitlements for its own use. There is another type of consumer, though, which is available for server groups: the domain type. Domain-based entitlements are not allocated to a single system; they are distributed across the group of servers to govern the behavior of that group of servers. (That server group is called a domain.)

There are two things to keep in mind about domain entitlements:

The domain entitlement simply governs the behavior of the domain. A domain entitlement is not limited to a specific type of behavior. Domain entitlements can describe a variety of types of behavior, such as storage quotas or the maximum number of messages to process per day.

The entire domain is bound to the subscriptions when one of the domain servers subscribes to the domain entitlements using the CentOS Subscription Manager tools, and the entitlement certificate is replicated between the domain servers.