An Overview of Managing Subscriptions and Content

Community Enterprise Linux and other CentOS products are sold through subscriptions, which make packages available and provide support for a set number of systems. Subscription management clarifies the relationships between local systems and available software resources because it gives a view into where software subscriptions are assigned, apart from installing the packages.

The Purpose of Subscription Management

New government and industry regulations are setting new mandates for businesses to track how their infrastructure assets are used. These changes include legislation like Sarbanes-Oxley in the United States, standards like Payment Card Industry Data Security Standard (PCI-DSS), or accreditation like SAS-70. Software inventory maintenance is increasingly important to meet accounting and governmental standards.

That means that there is increasing pressure on IT administrators to have an accurate, current accounting of the software used on their systems. Generally, this is called software license management; with CentOS's subscription model, this is subscription management.

Figure 14.1. Managing Subscriptions for Software Inventory

Effective subscription management helps organizations achieve four primary goals:

Maintain regulatory compliance. One of the key responsibilities of administrators is software compliance in conformance with legal or industry requirements. Subscription management helps track both subscription assignments and contract expirations, which helps administrators manage both systems and software inventories in accordance to their regulatory requirements.

Simplify IT audits. Having a central and clear inventory of both current subscriptions and current systems, IT administrators can monitor and report on their infrastructure better.
Get better performance by doing better at assigning subscriptions. The subscription service maintains dual inventories of available product subscriptions and registered server systems, with clear associations between subscriptions and systems. This makes it easier for IT administrators to assign relevant subscriptions to systems, because they have a view of what is in the inventory and what the system is currently subscribed to.
Lower costs and streamline procurement. While under-subscribing systems can run afoul of regulations, over- subscribing systems can cause a significant impact on IT budgets. Subscription management helps subscriptions be assigned most efficiently, so costs could actually be lowered.

With CentOS's commitment to free and open software, subscription management is focused on delivering tools that help IT administrators monitor their software/systems inventory for their own benefit. Subscription management does not enforce or restrict access to products.

Most CentOS products are licensed under a GNU General Public License (GPL), which allows free use of the software or code; this a different license than the CentOS license agreement. A CentOS license provides access to CentOS services, like the Customer Portal and Content Delivery Network.

The CentOS subscription requires that, as long as there is any active subscription for a product, then every system which uses the CentOS product must have an active subscription assigned to it. Otherwise, the subscription is violated. See http://www.redhat.com/subscriptions/ and http://www.redhat.com/rhel/renew/faqs/#6 for more information on CentOS's subscription model and terms.

Defining Subscriptions, Entitlements, and Products

The basis of everything is a subscription. A subscription contains both the products that are available, the support levels, and the quantities, or number of servers, that the product can be installed on.

Subscriptions are managed though the Certificate-Based CentOS Network service, which ties into the Subscription and Content Delivery Network (CDN).

The subscription service maintains a complete list of subscriptions for an organization, identified by a unique ID (called a pool ID). A system is registered, or added, to the subscription service to allow it to manage the subscriptions for that system. Like the subscription, the system is also added to the subscription service inventory and is assigned a unique ID within the service. The subscriptions and system entries, together, comprise the inventory.

A system allocates one of the quantities of a product in a subscription to itself. When a subscription is consumed, it is an entitlement. (An entitlement is roughly analogous to a user license, in that it grants all of the rights to that product to that system. Unlike a user license, an entitlement does not grant the right to use the software; with the subscription model, an entitlement grants the ability to download the packages and receive updates.) Because the available quantity in a subscription lowers once a system subscribes to it, the system consumes the subscription.

Figure 14.2. Managing Subscriptions, Illustrated

The repository where the product software is located is organized according to the product. Each product group within the repository may contain the primary software packages and then any required dependencies or associated packages. Altogether, the product and its associated packages are called a content set. (A content set for a product even includes other versions of the product.) When a subscription grants access to a product, it includes access to all of the associated packages in that content set.

A single subscription can have multiple products, and each system can have multiple different subscriptions, depending on how many entitlement certificates are loaded on the machine.

Any number of products, for any number of different architectures, can be contained in a single subscription. The subscription options that are visible to a consumer are filtered, by default, according to whether the architecture for the product matches the architecture of the system. This is compatibility. Depending on compatible subscriptions makes sure that subscriptions are allocated efficiently, only to systems which can actually use the products.

The subscription tools can display even incompatible entitlements. Alternatively, the architecture definition for the system can be overridden by defining custom system facts for the subscription tools to use.

It's important to distinguish between subscribing to a product and installing a product. A subscription is essentially a statement of whatever products an organization has purchased. The act of subscribing to a subscription means that a system is allowed to install the product with a valid certificate, but subscribing doesn't actually perform any installation or updates. In the reverse, a product can also be installed apart from any entitlements for the system; the system is just does not have a valid product certificate. Certificate-Based CentOS Network and the Content Delivery Network harmonize with content delivery and installation by using yum plug-ins that come with the Subscription Manager tools.

Subscription Management Tools

Subscriptions are managed through GUI and CLI tools called CentOS Subscription Manager. The Subscription Manager tracks and displays what entitlements are available to the local system and what entitlements have been consumed by the local system. The Subscription Manager works as a conduit back to the subscription service to synchronize changes like available product quantities or subscription expiration and renewals.

The CentOS Subscription Manager tools are always run as root because of the nature of the changes to the system. However, CentOS Subscription Manager connects to the subscription service as a user account for the Customer Service Portal.

The Subscription Manager handles both registration and subscriptions for a system. The Subscription Manager is part of the firstboot process for configuring content and updates, but the system can be registered at any time through the CentOS Subscription Manager GUI or CLI. New subscriptions, new products, and updates can be viewed and applied to a system through the CentOS Subscription Manager tools.

The different Subscription Manager clients are covered in "Using CentOS Subscription Manager Tools".

Subscription and Content Architecture

Content includes new downloads, ISOs, updates, and errata, anything that can be installed on a system.

Subscription management helps to clarify and to define the relationships between local server infrastructure and the content delivery systems. Subscription management and content delivery are tightly associated. Entitlements (assigned subscriptions) identify what a system is allowed to install and update. In other words, entitlements define access to content. The content delivery system actually provides the software packages.

There are three parties that are involved in subscriptions and content:

The subscription service

The Content Delivery Network
The system which uses the content

Figure 14.3. Relationship Among Systems, the Subscription Service, and Content Delivery Network

The subscription service handles the system registration (verifying that the system is allowed to access the content). It also supplies the system with information on what products are available and handles a central list of entitlements and remaining quantities for the entire organization.

The content delivery network is responsible for delivering the content to the system when requested. The content server is configured in the CentOS Subscription Manager configuration and then tied into the system's yum service through the CentOS Subscription Manager yum plug-in.

Both the subscription service and the content server used by a system's CentOS Subscription Manager tools can be customized. The default settings use the public subscription service and Content Delivery Network, but either one can be changed to use organization-specific services.

Systems have the option of using the older CentOS Network and Satellite 5.x systems to deliver content. These content delivery mechanisms bypass the subscription service in Certificate-Based CentOS Network, so there is no entitlement management. This is allowed for legacy infrastructures, but CentOS strongly recommends registering new systems with the latest Certificate-based CentOS Network.

Advanced Content Management: Extended Update Support

Sometimes software product installations are straightforward - you want to install a Community Enterprise Linux server, so you install Community Enterprise Linux. However, products can have dependencies with each other (product B is only worthwhile if product A is also installed) or products can interact with each other to provide extended functionality. There are two categories of these kinds of product interactions:

Dependencies, where one product requires or relies on another product directly

Modifiers, where a product provides enhanced functionality or services for existing products

Dependencies are common and can be handled directly when processing content through tools like yum.

Modifiers can be more subtle. A modifier subscription extends another entitlement and provides different repository access and support than the product entitlement alone.

If the system is subscribed to that product entitlement or combination of products, then the modifier subscription brings an enhanced content set for that product. The content set can include additional new products, new functionality, or extended service and support, depending on the product being modified.

One simple example of a modifier is extended update support (EUS), which extends support for a minor release of Community Enterprise Linux from six months to 24 months. An EUS subscription provides an enhanced support path, rather than a new product. EUS works only in conjunction with another product, to extend its support profile; it does not stand alone.

Community Enterprise Linux Add-ons and EUS Subscriptions

Community Enterprise Linux add-ons have access to EUS streams as long as the underlying Community Enterprise Linux product has an EUS subscription. For example, if an administrator has a Community Enterprise Linux 2 Socket subscription, a File System subscription, and a Community Enterprise Linux 2 Socket EUS subscription, then the system can access both non-EUS and EUS content for both the Community Enterprise Linux server and the File System product.

RHN Classic v. Certificate-based CentOS Network

During the firstboot process, there are two options given for the content server: (Certificate-based) CentOS Network and RHN Classic. These systems are mutually exclusive, but they both handle software content and updates as well as subscriptions and system inventory.

In 5.7 and later versions, entitlements and subscriptions are defined by available and installed products. However, in older versions of Community Enterprise Linux, subscriptions were defined by channel access. These are two different approaches to content and entitlement access. CentOS Network uses the product-based subscription model, while RHN Classic uses the channel-based model.

Certificate-based CentOS Network is focused on two things:

Subscription management

Content delivery

Certificate-based CentOS Network integrates the Customer Portal, Content Delivery Network, and subscription service (subscription management). It uses simple and streamlined local tools (the CentOS Subscription Manager client) to give greater visibility into how entitlements and subscriptions are used and assigned and to help control software subscriptions as they are added and expire.

Since the client tools for subscription management (the focus of Certificate-based CentOS Network) are only available in Community Enterprise Operating System.7 systems and later, Certificate-based CentOS Network can only be utilized by 5.7 and later systems.

RHN Classic uses the traditional channel entitlement model, which provides a global view of content access but does not provide insight into system-level subscription uses. Along with content and global subscription management, RHN Classic also provides some systems management functions:

Kickstarting systems

Managing configuration files
Running scripts
Taking system snapshots

Satellite 5.x systems use a channel-based model similar to RHN Classic.

While RHN Classic has an expanded systems management feature set, RHN Classic does not provide the system-level view into installed and subscribed products that the enhanced CentOS Network and subscription service do. RHN Classic is provided for older Community Enterprise Linux systems (Community Enterprise Linux 4.x, Community Enterprise Operating System.x, and Satellite 5.x) to migrate systems over to Community Enterprise Operating System.7 and later versions.

The two subscription services are mututally exclusive, with separate inventories and using separate client tools. Both the RHN Classic and CentOS Subscription Manager tools correctly identify which service a system is registered with. When a system is registered with RHN Classic, then the CentOS Subscription Manager shows an error that the system is already registered and cannot be managed by the Subscription Manager tools. Likewise, similar errors are returned in the RHN Classic tools if a system is registered with CentOS Network and the subscription service.

For information on migrating from RHN Classic to Certificate-based CentOS Network, see "Migrating Systems from RHN Classic to Certificate-based CentOS Network".