Pulp: Issues https://pulp.plan.io/ https://pulp.plan.io/favicon.ico 2021-08-25T13:26:36Z Pulp
Planio Pulp - Issue #9291 (NEW): [Epic] pulp_installer upcoming issues https://pulp.plan.io/issues/9291 2021-08-25T13:26:36Z mdepaulo@redhat.com
<p>Listing misc issues that have been triaged but unassigned.</p>
<p>Issues are added based on:</p>
<ul>
<li>How important to users?</li>
<li>How easy to implement?</li>
</ul>
Pulp - Issue #9274 (NEW): Pulp reports that python cannot access unix_dgram_socket when installin... https://pulp.plan.io/issues/9274 2021-08-23T14:41:17Z mdepaulo@redhat.com
<p>On CentOS 7, we have errors like the following:</p>
<pre><code>Aug 23 14:24:42 centos7 setroubleshoot: SELinux is preventing /opt/rh/rh-python38/root/usr/bin/python3.8 from connect access on the unix_dgram_socket labeled pulpcore_server_t. For complete SELinux messages run: sealert -l b988b539-f587-486d-85f6-68f9de3a3cbc
Aug 23 14:24:42 centos7 python: SELinux is preventing /opt/rh/rh-python38/root/usr/bin/python3.8 from connect access on the unix_dgram_socket labeled pulpcore_server_t.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that python3.8 should be allowed connect access on unix_dgram_socket labeled pulpcore_server_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn#012# semodule -i my-gunicorn.pp#012
</code></pre>
<p>The installer calls:</p>
<blockquote>
<p>/sbin/fixfiles restore /usr/local/lib/pulp</p>
</blockquote>
<p>But both that command and:</p>
<blockquote>
<p>/sbin/fixfiles restore /usr/local/lib/pulp/bin/gunicorn</p>
</blockquote>
<p>incorrectly set the context. The context is instead set to:</p>
<blockquote>
<p>unconfined_u:object_r:pulpcore_server_exec_t:s0</p>
</blockquote>
<p>However, the command:</p>
<blockquote>
<p>restorecon -F /usr/local/lib/pulp/bin/gunicorn</p>
</blockquote>
<p>correctly sets it to:</p>
<blockquote>
<p>system_u:object_r:pulpcore_server_exec_t:s0</p>
</blockquote>
<p>Which makes the error go away.</p>
Pulp - Task #9005 (NEW): pulp_installer's molecule CI should not always connect as root https://pulp.plan.io/issues/9005 2021-07-02T18:07:29Z mdepaulo@redhat.com
<p>This seems to be a product of, or the default configuration of, the docker plugin for molecule. (molecule uses <code>docker exec</code> to talk to the container, not SSH.)</p>
<p>We should look into performance options as we solve this. Even if it means eliminating/weakening SSH encryption on the CI environment / molecule containers.</p>
Pulp - Issue #8916 (NEW): Pulp installer hanging on "Ensure Pulp is up and healthy" https://pulp.plan.io/issues/8916 2021-06-18T09:42:41Z sli720
<p>I tried to install pulp via the pulp installer v3.13.0 (ansible playbooks) in a fresh vagrant environment running CentOS Stream 8 but the install hangs on:</p>
<p>TASK [pulp_health_check : Ensure Pulp is up and healthy] ****************************************************************************************************************************************************
FAILED - RETRYING: Ensure Pulp is up and healthy (30 retries left).</p>
<p>I checked the service states and found pulpcore-resource-manager.service not starting because of:
pulpcore-worker[105999]: Error 13 connecting to localhost:6379. Permission denied.</p>
<p>It sounded to me like an SELinux issue, so I deactivated SELinux completely and the installer runs through successfully now. Could this be a bug, because in earlier versions the installation also worked with SELinux turned on?</p>
Pulp - Story #8702 (NEW): As a user, the example-use playbook is not cluttered with object storag... https://pulp.plan.io/issues/8702 2021-05-05T13:31:24Z mdepaulo@redhat.com
<p>We should move the object storage checks from the example-use playbook to the pulp_common role to solve this.</p>
<p>It will provide a better user experience. (Making the example playbook as small as possible.)</p>
<p>It will also enforce the checks for users that do not use the example-use playbook.</p>
<p><a href="https://github.com/pulp/pulp_installer/blob/master/playbooks/example-use/playbook.yml" class="external">https://github.com/pulp/pulp_installer/blob/master/playbooks/example-use/playbook.yml</a></p>
<p><a href="https://github.com/pulp/pulp_installer/blob/master/roles/pulp_common/tasks/main.yml#L16" class="external">https://github.com/pulp/pulp_installer/blob/master/roles/pulp_common/tasks/main.yml#L16</a></p>
Pulp - Story #8491 (NEW): As a user I only download needed collections dependencies https://pulp.plan.io/issues/8491 2021-03-31T20:31:18Z fao89
<p>As some modules are leaving ansible core to collections, we need to declare collections as dependencies so ansible-galaxy can install them.</p>
<p>pulp_installer provides a set of roles, and the user may not use all the roles; the pulp_database role needs community.postgresql, for example.</p>
<p>How can we deal with these "conditional dependencies"?
"if the user gets the pulp_database role, install community.postgresql, else don't install it"</p>
<p><a href="https://github.com/pulp/pulp_installer/pull/567" class="external">https://github.com/pulp/pulp_installer/pull/567</a></p>
Pulp - Issue #8379 (NEW): pulp_installer depends on unsupported community collections https://pulp.plan.io/issues/8379 2021-03-10T19:59:42Z ironfroggy
<p>It has come to the attention of the Ansible Platform team that pulp_installer, which we use to install Hub as part of the platform, depends on community.general, but Platform cannot depend on community collections. We can only depend on supported, official ansible-namespace content.</p>
<p>The current blocker is ini_file from community.general. There may be others.</p>
<p>Ideally, we could get these dependencies moved into a supported collection, ansible.utils, and pulp_installer could depend on that, instead.</p>
Pulp - Issue #7993 (NEW): pulp_installer fails to create the database on EL7 when LANG=C.UTF-8 https://pulp.plan.io/issues/7993 2020-12-11T18:14:24Z mdepaulo@redhat.com
<p>If the managed system is EL7 and has LANG=C.UTF-8, it fails.</p>
<p>This includes when the Vagrant host (Github Actions CI) has LANG=C.UTF-8, it bleeds over to the managed guest by Vagrant design:</p>
<pre><code>fatal: [pulp3-source-centos7]: FAILED! => {"changed": true, "cmd": ["/opt/rh/rh-postgresql96/root/bin/initdb", "-D", "/var/opt/rh/rh-postgresql96/lib/pgsql/data"], "delta": "0:00:08.709082", "end": "2020-12-09 03:28:35.519257", "msg": "non-zero return code", "rc": 1, "start": "2020-12-09 03:28:26.810175", "stderr": "FATAL: invalid input syntax for integer: \"NAMEDATALEN\"
child process exited with exit code 1
initdb: removing contents of data directory \"/var/opt/rh/rh-postgresql96/lib/pgsql/data\"", "stderr_lines": ["FATAL: invalid input syntax for integer: \"NAMEDATALEN\"", "child process exited with exit code 1", "initdb: removing contents of data directory \"/var/opt/rh/rh-postgresql96/lib/pgsql/data\""], "stdout": "The files belonging to this database system will be owned by user \"postgres\".
This user must also own the server process.
The database cluster will be initialized with locale \"C\".
The default database encoding has accordingly been set to \"SQL_ASCII\".
The default text search configuration will be set to \"english\".
Data page checksums are disabled.
fixing permissions on existing directory /var/opt/rh/rh-postgresql96/lib/pgsql/data ... ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting dynamic shared memory implementation ... posix
creating configuration files ... ok
running bootstrap script ... ", "stdout_lines": ["The files belonging to this database system will be owned by user \"postgres\".", "This user must also own the server process.", "", "The database cluster will be initialized with locale \"C\".", "The default database encoding has accordingly been set to \"SQL_ASCII\".", "The default text search configuration will be set to \"english\".", "", "Data page checksums are disabled.", "", "fixing permissions on existing directory /var/opt/rh/rh-postgresql96/lib/pgsql/data ... ok", "creating subdirectories ... ok", "selecting default max_connections ... 100", "selecting default shared_buffers ... 128MB", "selecting dynamic shared memory implementation ... posix", "creating configuration files ... ok", "running bootstrap script ... "]}
</code></pre>
<p>I have an incomplete fix here:</p>
<p><a href="https://gist.github.com/mikedep333/c70a1da4230af5da3daec545e304ffa2" class="external">https://gist.github.com/mikedep333/c70a1da4230af5da3daec545e304ffa2</a></p>
<p>(It's not working properly, LANG is still C.UTF-8 in the postgresql role when I added debug statements to said role.)</p>
<p>I will work around this on GitHub Actions CI by changing LANG on the host.</p>
<p>The permanent fix will be to just upgrade CentOS 7 systems to PostgreSQL 10 instead.</p>
Pulp - Issue #7479 (NEW): pulp_installer source-upgrade CI is failing on pkg_resources.Contextual... https://pulp.plan.io/issues/7479 2020-09-09T13:50:14Z mdepaulo@redhat.com
<p>This occurs in debian-10 when running collect static after pulp_devel, not when running it after installing pulp via <code>pulp_all_services</code>.</p>
<p>It started occurring on daily CI and pull requests on 2020-09-8. I re-ran the overnight CI from the prior day (which originally succeeded), and when it did, it failed.</p>
<p>This error stands out as a dependency issue. Sometimes a package other than toml is listed though:</p>
<pre><code>pkg_resources.ContextualVersionConflict: (toml 0.10.1 (/usr/local/lib/pulp/lib/python3.7/site-packages), Requirement.parse('toml<=0.10.0'), {'dynaconf'})
</code></pre>
<p><a href="https://github.com/pulp/pulp_installer/runs/1091080108?check_suite_focus=true#step:7:1467" class="external">https://github.com/pulp/pulp_installer/runs/1091080108?check_suite_focus=true#step:7:1467</a></p>
<p>Full error:</p>
<pre><code> RUNNING HANDLER [pulp_common : Collect static content] *************************
Wednesday 09 September 2020 12:42:43 +0000 (0:00:02.148) 0:08:16.417 ***
fatal: [debian-10]: FAILED! => {
"changed": true,
"cmd": [
"/usr/local/lib/pulp/bin/django-admin",
"collectstatic",
"--noinput",
"--link"
],
"delta": "0:00:00.358256",
"end": "2020-09-09 12:42:43.925665",
"rc": 1,
"start": "2020-09-09 12:42:43.567409"
}
STDERR:
Traceback (most recent call last):
File "/usr/local/lib/pulp/bin/django-admin", line 8, in <module>
sys.exit(execute_from_command_line())
File "/usr/local/lib/pulp/lib/python3.7/site-packages/django/core/management/__init__.py", line 381, in execute_from_command_line
utility.execute()
File "/usr/local/lib/pulp/lib/python3.7/site-packages/django/core/management/__init__.py", line 325, in execute
settings.INSTALLED_APPS
File "/usr/local/lib/pulp/lib/python3.7/site-packages/django/conf/__init__.py", line 79, in __getattr__
self._setup(name)
File "/usr/local/lib/pulp/lib/python3.7/site-packages/django/conf/__init__.py", line 66, in _setup
self._wrapped = Settings(settings_module)
File "/usr/local/lib/pulp/lib/python3.7/site-packages/django/conf/__init__.py", line 157, in __init__
mod = importlib.import_module(self.SETTINGS_MODULE)
File "/usr/lib/python3.7/importlib/__init__.py", line 127, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "<frozen importlib._bootstrap>", line 1006, in _gcd_import
File "<frozen importlib._bootstrap>", line 983, in _find_and_load
File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked
File "<frozen importlib._bootstrap>", line 677, in _load_unlocked
File "<frozen importlib._bootstrap_external>", line 728, in exec_module
File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
File "/usr/local/lib/pulp/lib/python3.7/site-packages/pulpcore/app/settings.py", line 76, in <module>
plugin_app_config = entry_point.load()
File "/usr/local/lib/pulp/lib/python3.7/site-packages/pkg_resources/__init__.py", line 2410, in load
self.require(*args, **kwargs)
File "/usr/local/lib/pulp/lib/python3.7/site-packages/pkg_resources/__init__.py", line 2433, in require
items = working_set.resolve(reqs, env, installer, extras=self.extras)
File "/usr/local/lib/pulp/lib/python3.7/site-packages/pkg_resources/__init__.py", line 791, in resolve
raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (toml 0.10.1 (/usr/local/lib/pulp/lib/python3.7/site-packages), Requirement.parse('toml<=0.10.0'), {'dynaconf'})
MSG:
non-zero return code
changed: [fedora-31]
</code></pre>
Pulp - Issue #7443 (ASSIGNED): pulp installer does not set ownership and permissions correctly be... https://pulp.plan.io/issues/7443 2020-09-02T10:23:03Z ipanova@redhat.com ipanova@redhat.com
<p>Some steps are skipped because user apache cannot be found and added to the pulp group <a href="https://github.com/pulp/pulp_installer/blob/master/roles/pulp_common/tasks/install.yml#L107-L133" class="external">https://github.com/pulp/pulp_installer/blob/master/roles/pulp_common/tasks/install.yml#L107-L133</a></p>
<pre><code>TASK [pulp_common : Find the nologin executable] *******************************
ok: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Make sure pulp group exists] *******************************
ok: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Create user vagrant] ***************************************
skipping: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Add user vagrant to extra groups] **************************
skipping: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Add user vagrant to pulp group] ****************************
changed: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Make sure /var/lib/pulp is world executable, and exists] ***
changed: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Create cache dir for Pulp] *********************************
changed: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Check if we have Pulp 2 installed] *************************
ok: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Add user 'apache' to 'pulp' group if it exists] ************
skipping: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Set permissions on '/var/lib/pulp' if pulp2 is installed] ***
skipping: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Find subdirs without setgid] *******************************
skipping: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Set setgid on the /var/lib/pulp subdirs] *******************
skipping: [pulp2-nightly-pulp3-source-centos7]
</code></pre>
<p>After install finishes</p>
<pre><code>$ stat /var/lib/pulp
File: ‘/var/lib/pulp’
Size: 184 Blocks: 0 IO Block: 4096 directory
Device: fd01h/64769d Inode: 5121737 Links: 9
Access: (0775/drwxrwxr-x) Uid: ( 1000/ vagrant) Gid: ( 1001/ pulp)
Context: system_u:object_r:httpd_sys_rw_content_t:s0
Access: 2020-09-02 09:59:45.951659170 +0000
Modify: 2020-09-02 09:59:39.995633259 +0000
Change: 2020-09-02 09:59:39.995633259 +0000
Birth: -
$ ll /var/lib/pulp
total 8
-rw-r--r--. 1 apache apache 2 Sep 1 19:18 0005_puppet_module_name_change.txt
drwxrwxr-x. 7 vagrant vagrant 103 Sep 1 19:30 assets
-rw-r--r--. 1 root root 0 Sep 1 19:18 db_initialized.flag
drwxrwxr-x. 7 apache pulp 73 Sep 1 19:18 published
drwxr-xr-x. 3 vagrant pulp 25 Sep 1 19:25 pulpcore_static
drwxrwxr-x. 2 apache pulp 25 Sep 1 19:18 static
drwxrwxr-x. 7 vagrant pulp 4096 Sep 1 19:24 tmp
drwxrwxr-x. 2 apache pulp 6 Jul 13 15:40 uploads
</code></pre>
<p>There is no /var/lib/pulp/content because this is a fresh install. I have created and synced a pulp2 repo.
The directory is created; however, it does not belong to the pulp group. In addition, the setgid is missing and there is no write permission for the group.</p>
<pre><code>
$ ll /var//lib/pulp
total 8
-rw-r--r--. 1 apache apache 2 Sep 1 19:18 0005_puppet_module_name_change.txt
drwxrwxr-x. 7 vagrant vagrant 103 Sep 1 19:30 assets
drwxr-xr-x. 3 apache apache 19 Sep 2 07:32 content
-rw-r--r--. 1 root root 0 Sep 1 19:18 db_initialized.flag
drwxrwxr-x. 7 apache pulp 73 Sep 1 19:18 published
drwxr-xr-x. 3 vagrant pulp 25 Sep 1 19:25 pulpcore_static
drwxrwxr-x. 2 apache pulp 25 Sep 1 19:18 static
drwxrwxr-x. 7 vagrant pulp 4096 Sep 1 19:24 tmp
drwxrwxr-x. 2 apache pulp 6 Jul 13 15:40 uploads
</code></pre>
<p>This makes it impossible to create a hard link during the migration <a href="https://pulp.plan.io/issues/7244" class="external">https://pulp.plan.io/issues/7244</a></p>
Pulp - Story #7247 (NEW): As a pulp_installer developer-user, the pulp_rpm signing service will b... https://pulp.plan.io/issues/7247 2020-07-30T19:56:47Z mdepaulo@redhat.com
<p>The current way pulp_rpm's signing service needs to be installed is temporary.</p>
<p>So let's add the current ansible-based solution I already developed. I developed it as part of the selinux el8 dev env, and it's in the pulp_devel (not meant for end users.)</p>
Pulp - Issue #7136 (ASSIGNED): Requirement conflict when running RUNNING HANDLER [pulp.pulp_insta... https://pulp.plan.io/issues/7136 2020-07-14T17:07:05Z zen42@linux.com
<p>Tried to follow the install instructions here: <a href="https://docs.pulpproject.org/installation/instructions.html" class="external">https://docs.pulpproject.org/installation/instructions.html</a></p>
<p>I have done so on 2 different boxes: one was RHEL7.8, the other a vagrant centos7.</p>
<p>On both I hit the below error during the ansible run:</p>
<p>RUNNING HANDLER [pulp.pulp_installer.pulp_common : Collect static content] **********************************************************************************
fatal: [localhost]: FAILED! => {"changed": true, "cmd": ["/usr/local/lib/pulp/bin/django-admin", "collectstatic", "--noinput", "--link"], "delta": "0:00:00.262311", "end": "2020-07-14 16:46:52.375639", "msg": "non-zero return code", "rc": 1, "start": "2020-07-14 16:46:52.113328", "stderr": "Traceback (most recent call last):\n File "/usr/local/lib/pulp/bin/django-admin", line 8, in \n sys.exit(execute_from_command_line())\n File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/core/management/__init__.py", line 381, in execute_from_command_line\n utility.execute()\n File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/core/management/__init__.py", line 325, in execute\n settings.INSTALLED_APPS\n File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/conf/__init__.py", line 79, in __getattr__\n self._setup(name)\n File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/conf/__init__.py", line 66, in _setup\n self._wrapped = Settings(settings_module)\n File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/conf/__init__.py", line 157, in __init__\n mod = importlib.import_module(self.SETTINGS_MODULE)\n File "/usr/lib64/python3.6/importlib/__init__.py", line 126, in import_module\n return _bootstrap._gcd_import(name[level:], package, level)\n File "", line 994, in _gcd_import\n File "", line 971, in _find_and_load\n File "", line 955, in _find_and_load_unlocked\n File "", line 665, in _load_unlocked\n File "", line 678, in exec_module\n File "", line 219, in _call_with_frames_removed\n File "/usr/local/lib/pulp/lib64/python3.6/site-packages/pulpcore/app/settings.py", line 73, in \n plugin_app_config = entry_point.load()\n File "/usr/local/lib/pulp/lib64/python3.6/site-packages/pkg_resources/__init__.py", line 2317, in load\n self.require(*args, **kwargs)\n File 
"/usr/local/lib/pulp/lib64/python3.6/site-packages/pkg_resources/__init__.py", line 2340, in require\n items = working_set.resolve(reqs, env, installer, extras=self.extras)\n File "/usr/local/lib/pulp/lib64/python3.6/site-packages/pkg_resources/__init__.py", line 779, in resolve\n raise VersionConflict(dist, req).with_context(dependent_req)\npkg_resources.VersionConflict: (pulpcore 3.5.0 (/usr/local/lib/pulp/lib/python3.6/site-packages), Requirement.parse('pulpcore<3.5,>=3.4'))", "stderr_lines": ["Traceback (most recent call last):", " File "/usr/local/lib/pulp/bin/django-admin", line 8, in ", " sys.exit(execute_from_command_line())", " File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/core/management/__init__.py", line 381, in execute_from_command_line", " utility.execute()", " File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/core/management/__init__.py", line 325, in execute", " settings.INSTALLED_APPS", " File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/conf/__init__.py", line 79, in __getattr__", " self._setup(name)", " File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/conf/__init__.py", line 66, in _setup", " self._wrapped = Settings(settings_module)", " File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/conf/__init__.py", line 157, in __init__", " mod = importlib.import_module(self.SETTINGS_MODULE)", " File "/usr/lib64/python3.6/importlib/__init__.py", line 126, in import_module", " return _bootstrap._gcd_import(name[level:], package, level)", " File "", line 994, in _gcd_import", " File "", line 971, in _find_and_load", " File "", line 955, in _find_and_load_unlocked", " File "", line 665, in _load_unlocked", " File "", line 678, in exec_module", " File "", line 219, in _call_with_frames_removed", " File 
"/usr/local/lib/pulp/lib64/python3.6/site-packages/pulpcore/app/settings.py", line 73, in ", " plugin_app_config = entry_point.load()", " File "/usr/local/lib/pulp/lib64/python3.6/site-packages/pkg_resources/__init__.py", line 2317, in load", " self.require(*args, **kwargs)", " File "/usr/local/lib/pulp/lib64/python3.6/site-packages/pkg_resources/__init__.py", line 2340, in require", " items = working_set.resolve(reqs, env, installer, extras=self.extras)", " File "/usr/local/lib/pulp/lib64/python3.6/site-packages/pkg_resources/__init__.py", line 779, in resolve", " raise VersionConflict(dist, req).with_context(dependent_req)", "pkg_resources.VersionConflict: (pulpcore 3.5.0 (/usr/local/lib/pulp/lib/python3.6/site-packages), Requirement.parse('pulpcore<3.5,>=3.4'))"], "stdout": "", "stdout_lines": []}</p>
<p>The interesting bit is on the last line: Requirement.parse('pulpcore<3.5,>=3.4'))"]</p>
<p>I have tried and failed to find where this requirement is being stored, but clearly it needs to be updated for 3.5.</p>
Pulp - Story #7043 (ASSIGNED): As a user, I have pulp_installer compile and install the pulpcore-... https://pulp.plan.io/issues/7043 2020-06-24T15:52:24Z dkliban@redhat.com
<a name="Overview"></a>
<h2>Overview</h2>
<p>On Red Hat systems, Pulp installer needs to clone the pulpcore-selinux repository[0], compile the policy inside of it, install the policy, and label all the ports used by pulp services[1].</p>
<p>[0] <a href="https://github.com/pulp/pulpcore-selinux" class="external">https://github.com/pulp/pulpcore-selinux</a>
[1] <a href="https://github.com/pulp/pulpcore-selinux#labeling-pulpcore_port" class="external">https://github.com/pulp/pulpcore-selinux#labeling-pulpcore_port</a></p>
<a name="File-Path-RequirementsDetails"></a>
<h2>File Path Requirements/Details</h2>
<p>The SELinux policy is built assuming default file paths. For example things like /var/lib/pulp, etc. Those defaults are in the policy's ".fc" file <a href="https://github.com/pulp/pulpcore-selinux/blob/master/pulpcore.fc" class="external">here</a>.</p>
<p>On production systems when these paths are changed the compiled policy will need to generate a correct .fc file to use when compiling the policy.</p>
<p>On dev systems, a new .fc file will need to be generated as well for the dev environment.</p>
<p>Alternatively, we can call commands/modules to update the label database with these changed paths.</p>
<a name="install-from-RPM-mode"></a>
<h2>install-from-RPM mode</h2>
<p>Currently not needed (Dennis & Mike), the policies get installed (pre-compiled) via pulpcore-selinux RPM package, which the installer defaults to installing.</p>
<p>Because /usr/bin/rq and /usr/bin/gunicorn are generic, this mode will require wrapper scripts like Katello creates. If we are to support this mode at all (usually policies are in a separate RPM package.)</p>
<a name="Which-version-of-pulpcore-selinux-gets-installed"></a>
<h2>Which version of pulpcore-selinux gets installed?</h2>
<p>Currently the "master" branch. Alternatives, like tagged releases, are TBD.</p>
<a name="How-to-test-branches-of-pulpcore-selinux"></a>
<h2>How to test branches of pulpcore-selinux?</h2>
<p>The git repo and branch ("master") are configurable via 2 private variables, but there is no "Required PR" support because it is a lot of work and may not pay off. They can be overridden via <code>__pulp_selinux_repo</code> and <code>__pulp_selinux_version</code>. We should set these in molecule vars files for CI when needed.</p>
<a name="Provide-support-for-disabling-SELinux-in-the-installer"></a>
<h2>Provide support for disabling SELinux in the installer?</h2>
<p>This is worth considering in case an incompatible plugin will be installed. However, universally disabling SELinux is outside of the scope of the installer now.</p>
<a name="Installing-the-1-package-for-the-ports-should-be-in-pulp_api-amp-pulp_content-roles"></a>
<h2>Installing the 1 package for the ports should be in pulp_api & pulp_content roles.</h2>
<p>Doing so would be ideal, but our current implementation of installing it in pulp_common is good enough. (Dennis & Mike)</p>
<a name="Also-install-the-policy-for-the-other-selinux-modes-mls-strict-amp-targeted-not-just-the-current-one"></a>
<h2>Also install the policy for the other selinux modes (mls, strict & targeted), not just the current one.</h2>
<p>Current is good enough, we do only targeted for Pulp 2. (Dennis & Mike)</p>
<a name="Support-for-dev-mode-installs-with-pulp-source-installed-in-editable-mode"></a>
<h2>Support for dev mode installs, with pulp source installed in editable mode?</h2>
<p>Tracked via: <a href="https://pulp.plan.io/issues/97" class="external">https://pulp.plan.io/issues/97</a></p>
Pulp - Issue #6696 (ASSIGNED): pulp_installer fails to run "Collect static content" task when pul... https://pulp.plan.io/issues/6696 2020-05-08T19:25:22Z ironfroggy
<p>Either needs to be a documented incompatibility and issue an error, or needs to run the correct steps when galaxy_ng is installed and the UI must be part of the installation.</p>
<p>This is not a problem for most uses but will be an issue if we need to test unreleased changes in pulpcore for QA purposes.</p>
<p>Working:</p>
<pre><code class="yaml syntaxhl" data-language="yaml"><span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">all</span>
  <span class="na">vars</span><span class="pi">:</span>
    <span class="na">pulp_settings</span><span class="pi">:</span>
      <span class="na">secret_key</span><span class="pi">:</span> <span class="s">secret</span>
      <span class="na">content_origin</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://{{</span><span class="nv"> </span><span class="s">ansible_fqdn</span><span class="nv"> </span><span class="s">}}"</span>
    <span class="na">pulp_default_admin_password</span><span class="pi">:</span> <span class="s">password</span>
    <span class="na">pulp_install_plugins</span><span class="pi">:</span>
      <span class="na">pulp-ansible</span><span class="pi">:</span> <span class="pi">{}</span>
      <span class="na">galaxy-ng</span><span class="pi">:</span> <span class="pi">{}</span>
      <span class="na">pulp-container</span><span class="pi">:</span> <span class="pi">{}</span>
  <span class="na">roles</span><span class="pi">:</span>
    <span class="pi">-</span> <span class="s">pulp-database</span>
    <span class="pi">-</span> <span class="s">pulp-workers</span>
    <span class="pi">-</span> <span class="s">pulp-resource-manager</span>
    <span class="pi">-</span> <span class="s">pulp-webserver</span>
    <span class="pi">-</span> <span class="s">pulp-content</span>
  <span class="na">environment</span><span class="pi">:</span>
    <span class="na">DJANGO_SETTINGS_MODULE</span><span class="pi">:</span> <span class="s">pulpcore.app.settings</span>
</code></pre>
<p>Not Working:</p>
<pre><code class="yaml syntaxhl" data-language="yaml"><span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">all</span>
  <span class="na">vars</span><span class="pi">:</span>
    <span class="na">pulp_settings</span><span class="pi">:</span>
      <span class="na">secret_key</span><span class="pi">:</span> <span class="s">secret</span>
      <span class="na">content_origin</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://{{</span><span class="nv"> </span><span class="s">ansible_fqdn</span><span class="nv"> </span><span class="s">}}"</span>
    <span class="na">pulp_default_admin_password</span><span class="pi">:</span> <span class="s">password</span>
    <span class="na">pulp_install_plugins</span><span class="pi">:</span>
      <span class="na">pulp-ansible</span><span class="pi">:</span> <span class="pi">{}</span>
      <span class="na">galaxy-ng</span><span class="pi">:</span> <span class="pi">{}</span>
      <span class="na">pulp-container</span><span class="pi">:</span> <span class="pi">{}</span>
    <span class="na">pulp_source_dir</span><span class="pi">:</span> <span class="s2">"</span><span class="s">git+https://github.com/pulp/pulpcore.git@3.3.0#egg=pulpcore"</span>
  <span class="na">roles</span><span class="pi">:</span>
    <span class="pi">-</span> <span class="s">pulp-database</span>
    <span class="pi">-</span> <span class="s">pulp-workers</span>
    <span class="pi">-</span> <span class="s">pulp-resource-manager</span>
    <span class="pi">-</span> <span class="s">pulp-webserver</span>
    <span class="pi">-</span> <span class="s">pulp-content</span>
  <span class="na">environment</span><span class="pi">:</span>
    <span class="na">DJANGO_SETTINGS_MODULE</span><span class="pi">:</span> <span class="s">pulpcore.app.settings</span>
</code></pre>
Pulp - Story #6688 (NEW): pulp_installer: preflight check and system-wide packages are incompatible https://pulp.plan.io/issues/6688 2020-05-08T14:40:15Z mdepaulo@redhat.com
<p>Part of the pre-flight check does not understand system-wide packages, but another part is still affected by them.</p>
<p>This leads to false positives (enforcements) in addition to false negatives in the preflight check.</p>
<p>We no longer need system-wide packages, so we should remove support for it, and migrate user installs off of it, as safely as possible.</p>