Pulp: Issues https://pulp.plan.io/ 2021-11-20T07:34:35Z Pulp Planio
Pulp - Issue #9577 (NEW): Add ability to provide list of headers for pulp_webserver nginx template https://pulp.plan.io/issues/9577 2021-11-20T07:34:35Z jamesmarshall24
<p>Add the ability to specify a list of nginx headers so users can define the headers needed to use the UI installed by pulp_installer.</p>
<p>Example variable structure:</p>
<pre><code class="yaml syntaxhl" data-language="yaml">pulp_nginx_user_headers:
  - "X-Content-Type-Options: nosniff"
  - "X-XSS-Protection: 1; mode=block"
</code></pre>
<p>Example templating for <code>/roles/pulp_webserver/templates/nginx.conf.j2</code>:</p>
<pre><code class="yaml syntaxhl" data-language="yaml">    # headers added with pulp_nginx_user_headers variable
{% for header in pulp_nginx_user_headers %}
    {# split "Name: value" into the name and quoted value that add_header expects #}
    add_header {{ header.split(':', 1)[0] | trim }} "{{ header.split(':', 1)[1] | trim }}";
{% endfor %}
    # end of headers added with pulp_nginx_user_headers variable
</code></pre>
Pulp - Issue #9291 (NEW): [Epic] pulp_installer upcoming issues https://pulp.plan.io/issues/9291 2021-08-25T13:26:36Z mdepaulo@redhat.com
<p>Listing misc issues that have been triaged but unassigned.</p>
<p>Issues are added based on:</p>
<ul>
<li>How important to users?</li>
<li>How easy to implement?</li>
</ul>
Pulp - Issue #9286 (NEW): Check failed during installation when using vault encrypted variable https://pulp.plan.io/issues/9286 2021-08-24T09:46:13Z beenje
<p>I tried installing pulp using the Pulp 3 Ansible Installer playbook:</p>
<pre><code class="yaml syntaxhl" data-language="yaml">---
collections:
  - name: pulp.pulp_installer
    version: 3.14.4
</code></pre>
<p>I encrypted the pulp_default_admin_password and secret_key in my inventory (using ansible-vault encrypt_string -n pulp_default_admin_password xxxxxx).
When running the playbook, 2 tasks failed:</p>
<pre><code class="yaml syntaxhl" data-language="yaml">ASK [pulp.pulp_installer.pulp_common : Check if required variables are set] ************************************************************************************
ok: [w-v-pulp-0] => (item=pulp_settings.content_origin) => {
    "__pulp_common_req_var": "pulp_settings.content_origin",
    "ansible_loop_var": "__pulp_common_req_var",
    "changed": false,
    "msg": "All assertions passed"
}
fatal: [w-v-pulp-0]: FAILED! => {"msg": "The conditional check 'pulp_settings.secret_key | default('', true) | length > 0' failed. The error was: Unexpected templating type error occurred on ({% if pulp_settings.secret_key | default('', true) | length > 0 %} True {% else %} False {% endif %}): object of type 'AnsibleVaultEncryptedUnicode' has no len()"}
TASK [pulp.pulp_installer.pulp_database_config : Check if required variables are set] ***************************************************************************
fatal: [w-v-pulp-0]: FAILED! => {"msg": "The conditional check 'pulp_default_admin_password | default('', true) | length > 0' failed. The error was: Unexpected templating type error occurred on ({% if pulp_default_admin_password | default('', true) | length > 0 %} True {% else %} False {% endif %}): object of type 'AnsibleVaultEncryptedUnicode' has no len()"}
</code></pre>
<p>I had to use plain strings to run the playbook.
It should be possible to use encrypted strings.</p>
Pulp - Issue #9274 (NEW): Pulp reports that python cannot access unix_dgram_socket when installin... https://pulp.plan.io/issues/9274 2021-08-23T14:41:17Z mdepaulo@redhat.com
<p>On CentOS 7, we have errors like the following:</p>
<pre><code>Aug 23 14:24:42 centos7 setroubleshoot: SELinux is preventing /opt/rh/rh-python38/root/usr/bin/python3.8 from connect access on the unix_dgram_socket labeled pulpcore_server_t. For complete SELinux messages run: sealert -l b988b539-f587-486d-85f6-68f9de3a3cbc
Aug 23 14:24:42 centos7 python: SELinux is preventing /opt/rh/rh-python38/root/usr/bin/python3.8 from connect access on the unix_dgram_socket labeled pulpcore_server_t.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that python3.8 should be allowed connect access on unix_dgram_socket labeled pulpcore_server_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn#012# semodule -i my-gunicorn.pp#012
</code></pre>
<p>The installer calls:</p>
<blockquote>
<p>/sbin/fixfiles restore /usr/local/lib/pulp</p>
</blockquote>
<p>But both that command and:</p>
<blockquote>
<p>/sbin/fixfiles restore /usr/local/lib/pulp/bin/gunicorn</p>
</blockquote>
<p>incorrectly set the context. The context is instead set to:</p>
<blockquote>
<p>unconfined_u:object_r:pulpcore_server_exec_t:s0</p>
</blockquote>
<p>However, the command:</p>
<blockquote>
<p>restorecon -F /usr/local/lib/pulp/bin/gunicorn</p>
</blockquote>
<p>correctly sets it to:</p>
<blockquote>
<p>system_u:object_r:pulpcore_server_exec_t:s0</p>
</blockquote>
<p>Which makes the error go away.</p>
Pulp - Issue #9211 (NEW): Vagrant devel installs have SELinux errors https://pulp.plan.io/issues/9211 2021-08-04T14:14:02Z mdepaulo@redhat.com
<p>Because SELinux installs are in editable mode, the .pyc files produce SELinux errors.</p>
<p>Other SELinux errors may exist too due to the devel installs.</p>
<pre><code class="text syntaxhl" data-language="text">TASK [pulp_devel : SELinux status] *********************************************
ok: [pulp3-source-fedora34] => {
"selinux_analyze.stdout_lines": [
"SELinux is preventing gunicorn from search access on the directory vagrant.",
"SELinux is preventing gunicorn from search access on the directory /.",
"SELinux is preventing gunicorn from getattr access on the directory /home/vagrant/devel/pulpcore.",
"SELinux is preventing gunicorn from read access on the directory models.",
"SELinux is preventing gunicorn from open access on the directory /home/vagrant/devel/pulpcore/pulpcore/app/models.",
"SELinux is preventing gunicorn from getattr access on the directory /home/vagrant.",
"SELinux is preventing gunicorn from getattr access on the file /home/vagrant/devel/pulp_ansible/pulp_ansible/app/settings.py.",
"SELinux is preventing gunicorn from read access on the file settings.py.",
"SELinux is preventing gunicorn from open access on the file /home/vagrant/devel/pulpcore/pulpcore/app/settings.py.",
"SELinux is preventing gunicorn from ioctl access on the file /home/vagrant/devel/pulp_ansible/pulp_ansible/app/settings.py.",
"SELinux is preventing pulpcore-worker from read access on the file __init__.cpython-39.pyc.",
"SELinux is preventing pulpcore-worker from open access on the file /home/vagrant/devel/pulp_ansible/pulp_ansible/__pycache__/__init__.cpython-39.pyc.",
"SELinux is preventing pulpcore-worker from ioctl access on the file /home/vagrant/devel/pulp_ansible/pulp_ansible/__pycache__/__init__.cpython-39.pyc.",
"SELinux is preventing pulpcore-worker from name_connect access on the tcp_socket port 5432.",
"SELinux is preventing pulpcore-worker from add_name access on the directory 21847@pulp3-source-fedora34.localhost.example.com.",
"SELinux is preventing pulpcore-worker from remove_name access on the directory 21235@pulp3-source-fedora34.localhost.example.com.",
"SELinux is preventing pulpcore-worker from rmdir access on the directory 21235@pulp3-source-fedora34.localhost.example.com.",
"SELinux is preventing nginx from read access on the file nginx.conf.",
"SELinux is preventing nginx from open access on the file /home/vagrant/devel/pulp_ansible/pulp_ansible/app/webserver_snippets/nginx.conf.",
"SELinux is preventing nginx from getattr access on the file /home/vagrant/devel/pulp_ansible/pulp_ansible/app/webserver_snippets/nginx.conf."
]
}
</code></pre>
Pulp - Task #9005 (NEW): pulp_installer's molecule CI should not always connect as root https://pulp.plan.io/issues/9005 2021-07-02T18:07:29Z mdepaulo@redhat.com
<p>This seems to be a product of, or the default configuration of, the docker plugin for molecule. (molecule uses <code>docker exec</code> to talk to the container, not SSH.)</p>
<p>We should look into performance options as we solve this. Even if it means eliminating/weakening SSH encryption on the CI environment / molecule containers.</p>
Pulp - Issue #8993 (NEW): SELinux: avc: denied pulpcore-worker on Fedora 34 https://pulp.plan.io/issues/8993 2021-06-30T14:02:12Z StephenW
<p>Hello</p>
<p>I installed Pulp3 on Fedora 34 using "ansible-galaxy collection install pulp.pulp_installer"</p>
<p>at the end of the Ansible run:
TASK [pulp.pulp_installer.pulp_health_check : Checking Pulp services]
msg: 'pulpcore-resource-manager.service state: stopped'</p>
<p>On the managed node, I see lots of avc: denied :</p>
<p>fedoraserver ~]# ausearch -m AVC,USER_AVC -ts recent</p>
<p>time->Tue Jun 29 15:59:06 2021
type=AVC msg=audit(1624975146.441:668194): avc: denied { name_connect } for pid=1129665 comm="pulpcore-worker" dest=6379 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket permissive=0</p>
<p>fedoraserver ~]# sepolgen-ifgen
fedoraserver ~]# audit2allow -Ral</p>
<p>require {
type init_t;
}</p>
<p>#============= init_t ==============
corenet_tcp_connect_postgresql_port(init_t)
corenet_tcp_connect_redis_port(init_t)</p>
<p>Thank you</p>
Pulp - Issue #8916 (NEW): Pulp installer hanging on "Ensure Pulp is up and healthy" https://pulp.plan.io/issues/8916 2021-06-18T09:42:41Z sli720
<p>I tried to install pulp via the pulp installer v3.13.0 (ansible playbooks) in a fresh vagrant environment running CentOS Stream 8 but the install hangs on:</p>
<p>TASK [pulp_health_check : Ensure Pulp is up and healthy] ****************************************************************************************************************************************************
FAILED - RETRYING: Ensure Pulp is up and healthy (30 retries left).</p>
<p>I checked the service states and found pulpcore-resource-manager.service not starting because of:
pulpcore-worker[105999]: Error 13 connecting to localhost:6379. Permission denied.</p>
<p>It sounded to me like an SELinux issue, so I deactivated SELinux completely, and the installer now runs through successfully. Could this be a bug, because in earlier versions the installation also worked with SELinux turned on?</p>
Pulp - Task #8848 (NEW): pulp_installer to run CI against stable branches https://pulp.plan.io/issues/8848 2021-06-01T21:20:04Z mdepaulo@redhat.com
<p>Currently, the source molecule tests test the master branch of pulpcore and master branch of plugins, rather than the appropriate branches like pulpcore 3.11 and pulp_rpm 3.11</p>
<p>So effectively we are relying on release jobs on old branches to catch errors, at release time.</p>
Pulp - Story #8846 (NEW): As a pulp_installer user, I do not need to use the latest micro release... https://pulp.plan.io/issues/8846 2021-06-01T21:12:19Z mdepaulo@redhat.com
<p>Basically, this means that pulp_installer 3.14.0 (or possibly 3.13.1 / 3.13.2) will be able to install pulpcore 3.14.z .</p>
<p>The benefit for users is that they will not need to always have the latest micro version of pulp_installer.</p>
<p>And the benefit to the pulp team is that we will not need to do a pulp_installer micro release for every pulpcore micro release.</p>
<p>This is a variation of the 1 year old proposal for versions/branches in pulp_installer, and a variation of the specific micro release policy we implemented originally in <a class="issue tracker-3 status-1 priority-6 priority-default child parent" title="Story: As a user, I can download & run a version of the ansible installer that a specific version of Pulp 3 (NEW)" href="https://pulp.plan.io/issues/5618">#5618</a>.</p>
<p>Reference from <a class="issue tracker-3 status-1 priority-6 priority-default child parent" title="Story: As a user, I can download & run a version of the ansible installer that a specific version of Pulp 3 (NEW)" href="https://pulp.plan.io/issues/5618">#5618</a>:</p>
<pre><code> * Original discussion:
* [mikedep333's proposal](https://github.com/pulp/pulp_installer/pull/203#issue-361269733)
* [bmbouter's counter-proposal to do micro-versioned releases](https://github.com/pulp/pulp_installer/pull/203#issuecomment-577903411)
* [mikedep333's agreement/details for micro-versioned releases](https://github.com/pulp/pulp_installer/pull/203#issuecomment-579450153)
</code></pre>
Pulp - Backport #8835 (NEW): Backport pulp_installer FIPS fix to 3.11 https://pulp.plan.io/issues/8835 2021-05-27T18:42:39Z ironfroggy
<p>Current open ticket for FIPS issue: <a href="https://pulp.plan.io/issues/8834" class="external">https://pulp.plan.io/issues/8834</a></p>
Pulp - Story #8702 (NEW): As a user, the example-use playbook is not cluttered with object storag... https://pulp.plan.io/issues/8702 2021-05-05T13:31:24Z mdepaulo@redhat.com
<p>We should move the object storage checks from the example-use playbook to the pulp_common role to solve this.</p>
<p>It will provide a better user experience. (Making the example playbook as small as possible.)</p>
<p>It will also enforce the checks for users that do not use the example-use playbook.</p>
<p><a href="https://github.com/pulp/pulp_installer/blob/master/playbooks/example-use/playbook.yml" class="external">https://github.com/pulp/pulp_installer/blob/master/playbooks/example-use/playbook.yml</a></p>
<p><a href="https://github.com/pulp/pulp_installer/blob/master/roles/pulp_common/tasks/main.yml#L16" class="external">https://github.com/pulp/pulp_installer/blob/master/roles/pulp_common/tasks/main.yml#L16</a></p>
Pulp - Story #8701 (NEW): As a pulp_installer user, I can use the full logic to add repos to the ... https://pulp.plan.io/issues/8701 2021-05-05T12:59:40Z mdepaulo@redhat.com
<p>As mentioned in <a class="issue tracker-1 status-11 priority-6 priority-default closed" title="Issue: pulp_installer fails to install redis due to no EPEL7 (CLOSED - CURRENTRELEASE)" href="https://pulp.plan.io/issues/7773">#7773</a> , we should refactor our logic to add repos to the system (in a robust & configurable manner) into another role like <code>pulp_repos</code>.</p>
<p>I propose the following design:</p>
<ol>
<li>This is a dependency role. pulp_common, pulp_redis, pulp_database, will all depend on it.</li>
<li>When a role like pulp_common depends on it, it passes variables like <code>__pulp_repos_epel: true</code> to denote which repos the role needs. It passes variables via roles/pulp_common/meta/main.yml : <code>dependencies:</code>
</li>
<li>If a user wants to disable the logic to add the repo (if they added it manually), they'll pass a variable like <code>pulp_repos_epel: false</code> to disable it.</li>
<li>Existing variables for configuring how we add the repos to the system, like <code>epel_release_packages</code>, should still be used.</li>
</ol>
<p>This logic is found in:</p>
<ul>
<li>roles/pulp_common/tasks/ambiguously-named-repo.yml</li>
<li>roles/pulp_common/tasks/repos.yml</li>
</ul>
Pulp - Story #8491 (NEW): As a user I only download needed collections dependencies https://pulp.plan.io/issues/8491 2021-03-31T20:31:18Z fao89
<p>As some modules are leaving ansible core to collections, we need to declare collections as dependencies so ansible-galaxy can install them.</p>
<p>pulp_installer provides a set of roles, and the user may not use all the roles; the pulp_database role needs community.postgresql, for example.</p>
<p>How can we deal with these "conditional dependencies"?
"if the user gets pulp_database role install community.postgresql else don't install it"</p>
<p><a href="https://github.com/pulp/pulp_installer/pull/567" class="external">https://github.com/pulp/pulp_installer/pull/567</a></p>
Pulp - Task #8469 (NEW): Ensure the docker provider can be used for dev setups https://pulp.plan.io/issues/8469 2021-03-29T17:38:12Z daviddavis