Pulp: Issueshttps://pulp.plan.io/https://pulp.plan.io/favicon.ico2021-07-02T18:07:29ZPulp
Planio Pulp - Task #9005 (NEW): pulp_installer's molecule CI should not always connect as roothttps://pulp.plan.io/issues/90052021-07-02T18:07:29Zmdepaulo@redhat.com
<p>This seems to be a product of, or the default configuration of, the docker plugin for molecule. (molecule uses <code>docker exec</code> to talk to the container, not SSH.)</p>
<p>We should look into performance options as we solve this. Even if it means eliminating/weakening SSH encryption on the CI environment / molecule containers.</p> Pulp - Task #8848 (NEW): pulp_installer to run CI against stable brancheshttps://pulp.plan.io/issues/88482021-06-01T21:20:04Zmdepaulo@redhat.com
<p>Currently, the source molecule tests test the master branch of pulpcore and master branch of plugins, rather than the appropriate branches like pulpcore 3.11 and pulp_rpm 3.11</p>
<p>So effectively we are relying on release jobs on old branches to catch errors, at release time.</p> Pulp - Story #8846 (NEW): As a pulp_installer user, I do not need to use the latest micro release...https://pulp.plan.io/issues/88462021-06-01T21:12:19Zmdepaulo@redhat.com
<p>Basically, this means that pulp_installer 3.14.0 (or possibly 3.13.1 / 3.13.2) will be able to install pulpcore 3.14.z .</p>
<p>The benefit for users is that they will not need to always have the latest micro version of pulp_installer.</p>
<p>And the benefit to the pulp team is that we will not need to do a pulp_installer micro release for every pulpcore micro release.</p>
<p>This is a variation of the 1 year old proposal for versions/branches in pulp_installer, and a variation of the specific micro release policy we implemented originally in <a class="issue tracker-3 status-1 priority-6 priority-default child parent" title="Story: As a user, I can download & run a version of the ansible installer that a specific version of Pulp 3 (NEW)" href="https://pulp.plan.io/issues/5618">#5618</a>.</p>
<p>Reference from <a class="issue tracker-3 status-1 priority-6 priority-default child parent" title="Story: As a user, I can download & run a version of the ansible installer that a specific version of Pulp 3 (NEW)" href="https://pulp.plan.io/issues/5618">#5618</a>:</p>
<pre><code> * Original discussion:
* [mikedep333's proposal](https://github.com/pulp/pulp_installer/pull/203#issue-361269733)
* [bmbouter's couter-proposal to do micro-versioned releases](https://github.com/pulp/pulp_installer/pull/203#issuecomment-577903411)
* [mikedep333's agreement/details for micro-versioned releases](https://github.com/pulp/pulp_installer/pull/203#issuecomment-579450153)
</code></pre> Pulp - Story #8702 (NEW): As a user, the example-use playbook is not cluttered with object storag...https://pulp.plan.io/issues/87022021-05-05T13:31:24Zmdepaulo@redhat.com
<p>We should move the object storage checks from the the example-use playbook to the pulp_common role to solve this.</p>
<p>It will provide a better user experience. (Making the example playbook as small as possible.)</p>
<p>It will also enforce the checks for users that do not use the example-use playbook.</p>
<p><a href="https://github.com/pulp/pulp_installer/blob/master/playbooks/example-use/playbook.yml" class="external">https://github.com/pulp/pulp_installer/blob/master/playbooks/example-use/playbook.yml</a></p>
<p><a href="https://github.com/pulp/pulp_installer/blob/master/roles/pulp_common/tasks/main.yml#L16" class="external">https://github.com/pulp/pulp_installer/blob/master/roles/pulp_common/tasks/main.yml#L16</a></p> Pulp - Story #8701 (NEW): As a pulp_installer user, I can use the full logic to add repos to the ...https://pulp.plan.io/issues/87012021-05-05T12:59:40Zmdepaulo@redhat.com
<p>As mentioned in <a class="issue tracker-1 status-11 priority-6 priority-default closed" title="Issue: pulp_installer fails to install redis due to no EPEL7 (CLOSED - CURRENTRELEASE)" href="https://pulp.plan.io/issues/7773">#7773</a> , we should refactor our logic to add repos to the system (in a robust & configurable manner) into another role like <code>pulp_repos</code>.</p>
<p>I propose the following design:</p>
<ol>
<li>This is a dependency role. pulp_common, pulp_redis, pulp_database, will all depend on it.</li>
<li>When a role like pulp_common depends on it, it passes variables like <code>__pulp_repos_epel: true</code> to denote which repos the role needs. It passes variables via roles/pulp_common/meta/main.yml : <code>dependencies:</code>
</li>
<li>If a user wants to disable the logic to add the repo (if they added it manually), they'll pass a variable like <code>pulp_repos_epel: false</code> to disable it.</li>
<li>Existing variables for configuring how we add the repos to the system, like <code>epel_release_packages</code>, should still used.</li>
</ol>
<p>This logic is found in:</p>
<ul>
<li>roles/pulp_common/tasks/ambiguously-named-repo.yml</li>
<li>roles/pulp_common/tasks/repos.yml</li>
</ul> Pulp - Story #8491 (NEW): As a user I only download needed collections dependencieshttps://pulp.plan.io/issues/84912021-03-31T20:31:18Zfao89
<p>As some modules are leaving ansible core to collections, we need to declare collections as dependencies so ansible-galaxy can install them.</p>
<p>pulp_installer provides a set of roles, and the user may not use all the roles, pulp_database role needs community.postgresql for example.</p>
<p>How can we deal with these "conditional dependencies"?
"if the user gets pulp_dabase role install community.postgresql else don't install it"</p>
<p><a href="https://github.com/pulp/pulp_installer/pull/567" class="external">https://github.com/pulp/pulp_installer/pull/567</a></p> Pulp - Story #8086 (NEW): pulp_installer should use latest version of pip to install packageshttps://pulp.plan.io/issues/80862021-01-13T13:42:45Zdkliban@redhat.com
<p>The newer versions of pip include an improved dependency resolution mechanism. The pulp_installer needs a task added to upgrade pip before installing any pulp packages.</p> Pulp - Story #7689 (NEW): As a user I want my socket to be backed up by a systemd implementationhttps://pulp.plan.io/issues/76892020-10-12T13:25:04Zspredzy
<p>As a user I want my socket to be backed up by a systemd implementation.</p>
<p>Under its current form, the installer allows one to use unix domain socket, but not to configure them with a native systemd implementation. This is a RFE for this.</p> Pulp - Story #7247 (NEW): As a pulp_installer developer-user, the pulp_rpm signing service will b...https://pulp.plan.io/issues/72472020-07-30T19:56:47Zmdepaulo@redhat.com
<p>The current way pulp_rpm's signing service needs to be installed is a temporary.</p>
<p>So let's add the current ansible-based solution I already developed. I developed it as part of the selinux el8 dev env, and it's in the pulp_devel (not meant for end users.)</p> Pulp - Story #7100 (NEW): As an admin I want to be able to ratelimit access to the api endpointshttps://pulp.plan.io/issues/71002020-07-07T14:09:57Zmdellweg
<p>In the most simple way, this can be added solely by adjusting the settings.
We should test this and document it with the installer.</p>
<p><a href="https://www.django-rest-framework.org/api-guide/throttling/" class="external">https://www.django-rest-framework.org/api-guide/throttling/</a></p> Pulp - Story #7007 (NEW): As a user, I do not have to worry about Pulp being accidentally upgrade...https://pulp.plan.io/issues/70072020-06-18T15:40:06Zmdepaulo@redhat.com
<p>We should pursue using dnf versionlock to accomplish this.</p>
<p>This is needed because handlers/tasks "Run database migrations" will not be run if users run <code>dnf update</code>. Pulp would be broken until users re-run the installer.</p> Pulp - Story #6688 (NEW): pulp_installer: preflight check and system-wide packages are incompatiblehttps://pulp.plan.io/issues/66882020-05-08T14:40:15Zmdepaulo@redhat.com
<p>Part of the pre-flight check does not understand system-wide packages, but another part is still affected by them.</p>
<p>This leads to false positives (enforcements) in addition to false negatives in the preflight check.</p>
<p>We no longer need system-wide packages, so we should remove support for it, and migrate user installs off of it, as safely as possible.</p> Pulp - Story #5832 (NEW): As a developer, ansible-pulp will provide me with the cool postgres WebGUIhttps://pulp.plan.io/issues/58322019-12-03T22:35:56Zmdepaulo@redhat.com
<p>The following PoC was done. For implementation, it can be incorporated into the pulp-devel role, and pulplift.</p>
<p>On the host, reconnect to the pulplift VM pulp3-source-fedora31 with a new SSH tunnel (this will be added to pulplift config during implementation):</p>
<pre><code>vagrant ssh pulp3-source-fedora31 -- -L 8443:127.0.0.1:8443
</code></pre>
<p>On the pulplift VM pulp3-source-fedora31:</p>
<p>Modified /var/lib/pgsql/data/pg_hba.conf to replace the 127.0.0.1 line with:</p>
<pre><code>host all all 0.0.0.0/0 md5
</code></pre>
<p>(Because the container has a NAT'd IP address.)</p>
<p>Modified /var/lib/pgsql/data/postgresql.conf to contain</p>
<pre><code>listen_addresses = '*'
</code></pre>
<p>(Because otherwise it's localhost only; see above.)</p>
<pre><code>sudo systemctl restart postgresql.service
sudo dnf install -y podman-docker
docker pull dpage/pgadmin4
# "--restart always" will be ignored for podman-docker. Only real docker/moby-engine will use it. podman will need a systemd unit to survive VM reboots.
docker run --restart always -p 8443:8443 -e 'PGADMIN_DEFAULT_EMAIL=user@domain.com' -e 'PGADMIN_DEFAULT_PASSWORD=SuperSecret' -e 'PGADMIN_LISTEN_PORT=8443' -d dpage/pgadmin4
</code></pre>
<p>Now back on your host:</p>
<p>Open your browser to:<br>
<a href="http://127.0.0.1:8443/" class="external">http://127.0.0.1:8443/</a><br>
And login with the username/email and password listed above.</p>
<p>Then create a new connection to:<br>
The IP address of the pulplift VM<br>
database: pulp<br>
user: pulp<br>
password: pulp<br>
(These settings will later be set via PGADMIN_SERVER_JSON_FILE)</p>
<p>Rererence:<br>
<a href="https://www.pgadmin.org/docs/pgadmin4/latest/container_deployment.html#examples" class="external">https://www.pgadmin.org/docs/pgadmin4/latest/container_deployment.html#examples</a></p> Pulp - Story #5618 (NEW): As a user, I can download & run a version of the ansible installer that...https://pulp.plan.io/issues/56182019-10-25T08:37:28Zmdepaulo@redhat.com
<p>Currently users are encouraged to get the latest ansible-pulp roles via git cloning. Later on, Ansible Galaxy.</p>
<p>The only stable tag ever done was 3.0.0rc1. Presumably we will create them for 3.0.0 and later.<br>
<a href="https://github.com/pulp/ansible-pulp/releases" class="external">https://github.com/pulp/ansible-pulp/releases</a></p>
<p>However, consider the following scenario (hypothetical release dates):<br>
1. They download the roles (either method) on Apr 1. They are versioned as 3.0.3 and install pulp 3.0.3<br>
2. They run them against their test env and it works.<br>
3. Pulp 3.1.0 & ansible-pulp 3.1.0 are released on Apr 15.<br>
4. They run the 3.0.3 roles against their prod env on May 1.<br>
5. The 3.0.3 roles try to install pulp 3.1.0 from pip, but fails due to the lack of new logic.</p>
<p>It would make sense to have a variable for the pulp version to install, that defaults to the same version as the roles, but can be overriden (but doing so is discouraged.)</p>
<p>Plugin versions would also be an issue. Let's discuss how this can be handled.</p>
<p>Also, I am not sure if there is an existing task for publishing the roles (other than pulp_rpm_prerequisites) to Ansible Galaxy (pulp project on it.):<br>
<a href="https://galaxy.ansible.com/pulp" class="external">https://galaxy.ansible.com/pulp</a></p> Pulp - Story #97 (NEW): As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 V...https://pulp.plan.io/issues/972015-01-08T15:50:12Zcduryeecduryee@redhat.com
<p>The real deliverables are in the checklist, but here is some extra info on how to compile it.</p>
<p>To compile and install the Pulp SELinux with Ansible for Vagrant you will need to:</p>
<ul>
<li>Install selinux-policy-devel rpm with ansible</li>
<li>Compile the policy similar to <code>make NAME=celery -f /usr/share/selinux/devel/Makefile DISTRO=fedora24</code> except with ansible</li>
<li>Install the policy using Ansible</li>
<li>Have ansible call the restorecon script or fixfiles (see checklist item) so that all the right restorecon calls occur. Stay DRY with these calls if possible.[0]</li>
<li>If necessary, have the policy use "developer layout" .fc files to cause the .te compiled policies to be compatible with the layout used by Vagrant.</li>
</ul>
<p>Use the <code>ps -awfuxZ | grep celery</code> to verify it is becoming the celery_t security label type. Similarly httpd should get an httpd security type. Then do some testing with Pulp and SELinux enabled.</p>
<p>[0]: <a href="https://github.com/pulp/pulp/blob/master/server/selinux/server/relabel.sh" class="external">https://github.com/pulp/pulp/blob/master/server/selinux/server/relabel.sh</a></p>