Remove elasticsearch policy and port #6
Conversation
DO NOT MERGE upgrade paths do not work, I need to rewrite this totally.
7925eb2 to e2fdaf6
@domcleal how about this? I would follow the same strategy in foreman.
The only question now is how to effectively manage ports for the single port type. When we add docker or openstack,
Maybe it's better to have it per service:
Yeah, I think you're right that with semanage it's easier to have separate types. Anyway, this style looks better and as long as this is released before the corresponding foreman-selinux change then it gets away from complex upgrade issues.
Oh, simultaneously actually, so we don't redefine the same port range as different names.
Ok I have renamed to
@domcleal one question - if we merge this and build into nightly and katello 2.2, how do we make sure that this is installed before the foreman-selinux update which relies on this?
I mean RC/nightly user can issue just
Why might it fail? Maybe because the current loaded katello policy references the elasticsearch_port_t type that foreman-selinux removes? Maybe it needs more thought and a better solution, then. I don't think you can make this ever upgrade before foreman-selinux due to the direction of the dependency, unless you explicitly ask users to upgrade it first.
Ok, how about merging this, releasing into RC/nightly, and then merging the refactoring in foreman later and only into nightly?
How are you going to manage the port conflict?
@domcleal I think I found the solution:
echo "port -a -t elasticsearch_port_t -p tcp 9200-9300" > $TMP | ||
# Previously elasticsearch_port_t was defined in Foreman - move it | ||
/usr/sbin/semanage port -E | grep -qE '\s+elasticsearch_port_t\s+' && \ | ||
semanage port -m -t katello_elasticsearch_port_t -p tcp 9200-9300 |
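Review bot: the two semanage calls in this hunk disagree on the path (`/usr/sbin/semanage port -E` on the grep line, bare `semanage port -m` on the next), and because the `-m` is chained with `&&` outside the `$TMP` transaction, a failure of the `-m` (for example when the locally defined range is not exactly `9200-9300`, which `-m` needs to find the record, or when the module defining `katello_elasticsearch_port_t` is not loaded yet) leaves the range typed `elasticsearch_port_t` with no message from the scriptlet. Suggest using `/usr/sbin/semanage` in both places and checking the exit status of the `-m` call, or reading the range from the `-E` output instead of hard-coding it.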
Do you need to remove the ports from elasticsearch_port_t here? Maybe echo "port -d -t elasticsearch_port_t" >> $TMP (made up) or similar?
No, we actually move the port numbers from elasticsearch_port_t to katello_elasticsearch_port_t. Calling -d on elasticsearch_port_t would fail.
Note this is not part of the $TMP transaction as I was not sure if it works in one call. Wanted it outside of it.
Sorry, what I don't get is that this code doesn't appear to move the ports, it just adds them to katello_*. What removes them from elasticsearch_port_t?
lzap explained on IRC that semanage will apparently move the port definitions from elasticsearch_port_t to katello_elasticsearch_port_t when running this command. I'm surprised, but haven't tested it.
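The migration step debated in the thread above, as an added example that is not part of this PR or of the katello-selinux / foreman-selinux code: a small sh script that parses the local customizations `semanage port -E` prints, decides whether tcp 9200-9300 is still typed `elasticsearch_port_t`, and emits the semanage transaction that re-types it to `katello_elasticsearch_port_t`. It also covers the case the hunk does not, a local record with a different range, where `-m` would not find the record and the old one has to be dropped and re-added. The function names and the `SEMANAGE_DRY_RUN` variable are assumptions made here; the sample export text is constructed, and semanage is only executed when the variable is unset.

```shell
#!/bin/sh
# Added example, not code from this PR or from the katello-selinux /
# foreman-selinux projects. Reads the local port customizations that
# `semanage port -E` prints and, if tcp 9200-9300 is still typed
# elasticsearch_port_t, emits the transaction lines that re-type it to
# katello_elasticsearch_port_t. Function names and the SEMANAGE_DRY_RUN
# hook are assumptions for this example; semanage runs only when it is unset.

OLD_TYPE=elasticsearch_port_t
NEW_TYPE=katello_elasticsearch_port_t
PROTO=tcp
RANGE=9200-9300

# Current local customizations: real `semanage port -E` output, or the
# constructed text supplied in SEMANAGE_DRY_RUN when testing offline.
port_customizations() {
    if [ -n "${SEMANAGE_DRY_RUN:-}" ]; then
        printf '%s\n' "$SEMANAGE_DRY_RUN"
    else
        /usr/sbin/semanage port -E
    fi
}

# Read export text on stdin and print the semanage commands needed.
# Exit status 1 means no local record is typed $OLD_TYPE: nothing to do.
plan_port_migration() {
    awk -v old="$OLD_TYPE" -v new="$NEW_TYPE" -v proto="$PROTO" -v range="$RANGE" '
        # export lines look like: port -a -t elasticsearch_port_t -p tcp 9200-9300
        $1 == "port" && $2 == "-a" && $4 == old && $6 == proto {
            if ($7 == range) {
                # exact range: -m re-types the existing record in place
                print "port -m -t " new " -p " proto " " range
            } else {
                # -m is keyed on the exact range, so a differing local
                # record is dropped and re-added under the new type
                print "port -d -t " old " -p " proto " " $7
                print "port -a -t " new " -p " proto " " $7
            }
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Build the transaction file and apply it in a single `semanage -i` call,
# or print it instead when SEMANAGE_DRY_RUN is set. Returns the status of
# that step, or 0 when there was nothing to migrate.
migrate_port_type() {
    tmp=$(mktemp) || return 1
    if port_customizations | plan_port_migration > "$tmp"; then
        if [ -n "${SEMANAGE_DRY_RUN:-}" ]; then
            cat "$tmp"
        else
            /usr/sbin/semanage -i "$tmp"
        fi
    fi
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Run `SEMANAGE_DRY_RUN="$(cat sample-export.txt)" sh -c '. ./migrate.sh; migrate_port_type'` to see the planned transaction without touching the policy; unset the variable to apply it. Keeping the plan and the apply step separate is what makes the upgrade path testable in a package scriptlet before it runs on a real host.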
@lzap good idea, I think that makes sense.
I think a change will also be required to foreman-selinux sooner than 1.9. If this works and is active in a Katello 2.1 + Foreman 1.8.0 installation then will a subsequent upgrade of foreman-selinux to 1.8.1 cause foreman-selinux-enable to add elasticsearch_port_t again after this has renamed it?
@lzap what's the status of this PR? Seems it has been sitting for a while |
This is still WIP, trying to find a way to do this. We see issues with upgrades.
@lzap OK, if this is not required for the next set of releases (e.g. 1.9/2.3) then I wouldn't worry too much about it. Katello 2.4 should see the removal of ES from your stack.
Sounds like a plan, unfortunately in 1.9 we will have duplicate elasticsearch policies. |
We have removed elasticsearch from our deployments in nightly at this point -- can this be closed in light of that?
@lzap ping |
Ok can you confirm we no longer start ES or even connect to it in any way? If so, let's close this one and I can go ahead removing this port completely from the codebase. |
I can confirm that. |
REBASED. This patch now removes the policy completely. |
ACK looks good to me. thanks @lzap ! |
Remove elasticsearch policy and port
This patch is needed to be able to actually upgrade via yum, otherwise
elasticsearch_port_t causes issues during yum transaction.
This must be merged ideally at the same time as
theforeman/foreman-selinux#44 otherwise nightly will
not be upgradeable.
EDIT: This patch now removes the policy completely.