Remove elasticsearch policy and port #6
Conversation
|
DO NOT MERGE upgrade paths do not work, I need to rewrite this totally. |
lzap
force-pushed
the
test
branch
2 times, most recently
from
7925eb2
to
e2fdaf6
Compare
|
@domcleal how about this? I would follow the same startegy in foreman |
|
The only question is now to effectively manage ports for the single port type. When we add docker or openstack, |
|
Maybe it's better to have it per service:
|
|
Yeah, I think you're right that with semanage it's easier to have separate types. Anyway, this style looks better and as long as this is released before the corresponding foreman-selinux change then it gets away from complex upgrade issues. |
|
Oh, simultaneously actually so we don't redefine the same port range as different names. |
|
Ok I have renamed to |
|
@domcleal one question - if we merge this and build into nighlty and katello 2.2, how do we make sure that this is installed before the foreman-selinux update which relies on this? |
|
I mean RC/nightly user can issue just |
|
Why might it fail? Maybe because the current loaded katello policy references the elasticsearch_port_t type that foreman-selinux removes? Maybe it needs more thought and a better solution then. I don't think you can make this ever upgrade before foreman-selinux due to the direction of the dependency, unless you explicitly ask users to upgrade it first. |
|
Ok how about to merge this, release into RC/nightly and then the refactoring in foreman merge later and only into nightly? |
|
How are you going to manage the port conflict? |
|
@domcleal I think I found the solution:
|
| echo "port -a -t elasticsearch_port_t -p tcp 9200-9300" > $TMP | ||
| # Previously elasticsearch_port_t was defined in Foreman - move it | ||
| /usr/sbin/semanage port -E | grep -qE '\s+elasticsearch_port_t\s+' && \ | ||
| semanage port -m -t katello_elasticsearch_port_t -p tcp 9200-9300 |
There was a problem hiding this comment.
Do you need to remove the ports from elasticsearch_port_t here? Maybe echo "port -d -t elasticsearch_port_t" >> $TMP (made up) or similar?
There was a problem hiding this comment.
No, we actually move the port numbers from elasticsearch_port_t to katello_elasticsearch_port_t. Calling -d on elasticsearch_port_t would fail.
Note this is not part of the $TMP transaction as I was not sure if it works in one call. Wanted it outside of it.
There was a problem hiding this comment.
Sorry, what I don't get is that this code doesn't appear to move the ports, it just adds them to katello_*. What removes them from elasticsearch_port_t?
There was a problem hiding this comment.
lzap explained on IRC that semanage will apparently move the port definitions from elasticsearch_port_t to katello_elasticsearch_port_t when running this command. I'm surprised, but haven't tested it.
|
@lzap good idea, I think that makes sense. |
|
I think a change will also be required to foreman-selinux sooner than 1.9. If this works and is active in a Katello 2.1 + Foreman 1.8.0 installation then will a subsequent upgrade of foreman-selinux to 1.8.1 cause foreman-selinux-enable to add elasticsearch_port_t again after this has renamed it? |
lzap
changed the title
|
@lzap what's the status of this PR? Seems it has been sitting for a while |
|
This is still WIP, trying to find a way how to do this. We see issues with upgrades. |
|
@lzap OK, if this is no required for the next set of releases (e.g. 1.9/2.3) then I wouldn't worry to much about it. Katello 2.4 should see the removal of ES from your stack. |
|
Sounds like a plan, unfortunately in 1.9 we will have duplicate elasticsearch policies. |
|
We have removed elasticsearch from our deployments in nightly at this point -- can this be closed in light of? |
|
@lzap ping |
|
Ok can you confirm we no longer start ES or even connect to it in any way? If so, let's close this one and I can go ahead removing this port completely from the codebase. |
|
I can confirm that. |
lzap
changed the title
|
REBASED. This patch now removes the policy completely. |
|
ACK looks good to me. thanks @lzap ! |
Remove elasticsearch policy and port
This patch is needed to be able to actually upgrade via yum, otherwise
elasticsearch_port_t causes issues during yum transaction.
This must be merged ideally in the same time as
theforeman/foreman-selinux#44 otherwise nightly will
not be upgradeable.
EDIT: This patch now removes the policy completely.