Pulp: Issues
https://pulp.plan.io/
2021-03-31T20:31:18Z

Pulp - Story #8491 (NEW): As a user I only download needed collections dependencies
https://pulp.plan.io/issues/8491
2021-03-31T20:31:18Z
fao89
<p>As some modules are leaving ansible core to collections, we need to declare collections as dependencies so ansible-galaxy can install them.</p>
<p>pulp_installer provides a set of roles, and the user may not use all the roles, pulp_database role needs community.postgresql for example.</p>
<p>How can we deal with these "conditional dependencies"?
"if the user gets pulp_database role install community.postgresql else don't install it"</p>
<p><a href="https://github.com/pulp/pulp_installer/pull/567" class="external">https://github.com/pulp/pulp_installer/pull/567</a></p>

Pulp - Task #8469 (NEW): Ensure the docker provider can be used for dev setups
https://pulp.plan.io/issues/8469
2021-03-29T17:38:12Z
daviddavis

Pulp - Story #8086 (NEW): pulp_installer should use latest version of pip to install packages
https://pulp.plan.io/issues/8086
2021-01-13T13:42:45Z
dkliban@redhat.com
<p>The newer versions of pip include an improved dependency resolution mechanism. The pulp_installer needs a task added to upgrade pip before installing any pulp packages.</p>

Pulp - Task #7811 (NEW): pulp_installer cron job runs functional tests for multiple plugins in FI...
https://pulp.plan.io/issues/7811
2020-11-10T14:33:28Z
dkliban@redhat.com
<p>The pulp_installer CI currently tests that it can deploy pulpcore and pulp_file in a FIPS environment. This cron job needs to install all plugins that support FIPS: pulp_file, pulp_rpm, pulp_container, and pulp_ansible.</p>
<p>After pulp is deployed, the functional tests for pulpcore, pulp_file, pulp_rpm, pulp_container, and pulp_ansible need to be run.</p>

Pulp - Task #7724 (NEW): Improve runtime of new installation of Pulp
https://pulp.plan.io/issues/7724
2020-10-20T14:06:47Z
bmbouter (bmbouter@redhat.com)
<p>The request to make the installer go faster</p>
<pre><code>A tower standalone install with automation hub takes about ~40 mins. Which is almost more than double of a normal
Tower install. It seems the most of the time we spent is on pulp-common role. Is there anything we are planning to do
in terms of making it little faster (not running same tasks many time, which pulp common role does) ?
</code></pre>

Pulp - Task #7668 (NEW): remove pid files from the systemd service files
https://pulp.plan.io/issues/7668
2020-10-07T17:05:32Z
dkliban@redhat.com
<p>Systemd does not need explicitly defined pid files to keep track of the services. We should make a change to the systemd service files similar to the change here: <a href="https://github.com/theforeman/puppet-pulpcore/commit/b3b7c133c513dd2c30b00a81e64b2bb33ca92397" class="external">https://github.com/theforeman/puppet-pulpcore/commit/b3b7c133c513dd2c30b00a81e64b2bb33ca92397</a></p>

Pulp - Issue #7443 (ASSIGNED): pulp installer does not set ownership and permissions correctly be...
https://pulp.plan.io/issues/7443
2020-09-02T10:23:03Z
ipanova@redhat.com
<p>Some steps are skipped because user apache cannot be found and added to the pulp group <a href="https://github.com/pulp/pulp_installer/blob/master/roles/pulp_common/tasks/install.yml#L107-L133" class="external">https://github.com/pulp/pulp_installer/blob/master/roles/pulp_common/tasks/install.yml#L107-L133</a></p>
<pre><code>TASK [pulp_common : Find the nologin executable] *******************************
ok: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Make sure pulp group exists] *******************************
ok: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Create user vagrant] ***************************************
skipping: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Add user vagrant to extra groups] **************************
skipping: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Add user vagrant to pulp group] ****************************
changed: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Make sure /var/lib/pulp is world executable, and exists] ***
changed: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Create cache dir for Pulp] *********************************
changed: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Check if we have Pulp 2 installed] *************************
ok: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Add user 'apache' to 'pulp' group if it exists] ************
skipping: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Set permissions on '/var/lib/pulp' if pulp2 is installed] ***
skipping: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Find subdirs without setgid] *******************************
skipping: [pulp2-nightly-pulp3-source-centos7]
TASK [pulp_common : Set setgid on the /var/lib/pulp subdirs] *******************
skipping: [pulp2-nightly-pulp3-source-centos7]
</code></pre>
<p>After install finishes</p>
<pre><code>$ stat /var/lib/pulp
File: ‘/var/lib/pulp’
Size: 184 Blocks: 0 IO Block: 4096 directory
Device: fd01h/64769d Inode: 5121737 Links: 9
Access: (0775/drwxrwxr-x) Uid: ( 1000/ vagrant) Gid: ( 1001/ pulp)
Context: system_u:object_r:httpd_sys_rw_content_t:s0
Access: 2020-09-02 09:59:45.951659170 +0000
Modify: 2020-09-02 09:59:39.995633259 +0000
Change: 2020-09-02 09:59:39.995633259 +0000
Birth: -
$ ll /var/lib/pulp
total 8
-rw-r--r--. 1 apache apache 2 Sep 1 19:18 0005_puppet_module_name_change.txt
drwxrwxr-x. 7 vagrant vagrant 103 Sep 1 19:30 assets
-rw-r--r--. 1 root root 0 Sep 1 19:18 db_initialized.flag
drwxrwxr-x. 7 apache pulp 73 Sep 1 19:18 published
drwxr-xr-x. 3 vagrant pulp 25 Sep 1 19:25 pulpcore_static
drwxrwxr-x. 2 apache pulp 25 Sep 1 19:18 static
drwxrwxr-x. 7 vagrant pulp 4096 Sep 1 19:24 tmp
drwxrwxr-x. 2 apache pulp 6 Jul 13 15:40 uploads
</code></pre>
<p>There is no /var/lib/pulp/content because this is a fresh install. I have created and synced a pulp2 repo.
The directory is created; however, it does not belong to the pulp group. In addition, the setgid is missing and there is no write permission for the group.</p>
<pre><code>
$ ll /var//lib/pulp
total 8
-rw-r--r--. 1 apache apache 2 Sep 1 19:18 0005_puppet_module_name_change.txt
drwxrwxr-x. 7 vagrant vagrant 103 Sep 1 19:30 assets
drwxr-xr-x. 3 apache apache 19 Sep 2 07:32 content
-rw-r--r--. 1 root root 0 Sep 1 19:18 db_initialized.flag
drwxrwxr-x. 7 apache pulp 73 Sep 1 19:18 published
drwxr-xr-x. 3 vagrant pulp 25 Sep 1 19:25 pulpcore_static
drwxrwxr-x. 2 apache pulp 25 Sep 1 19:18 static
drwxrwxr-x. 7 vagrant pulp 4096 Sep 1 19:24 tmp
drwxrwxr-x. 2 apache pulp 6 Jul 13 15:40 uploads
</code></pre>
<p>This makes it impossible to create a hard link during the migration <a href="https://pulp.plan.io/issues/7244" class="external">https://pulp.plan.io/issues/7244</a></p>

Pulp - Task #7281 (NEW): Update docs to state that installer can only install one cluster at a time
https://pulp.plan.io/issues/7281
2020-08-05T14:39:19Z
dkliban@redhat.com
<p>The documentation needs to have a "Known limitations" section. One of the items should state that the installer can only install one Pulp cluster at a time.</p>

Pulp - Story #7043 (ASSIGNED): As a user, I have pulp_installer compile and install the pulpcore-...
https://pulp.plan.io/issues/7043
2020-06-24T15:52:24Z
dkliban@redhat.com
<a name="Overview"></a>
<h2 >Overview<a href="#Overview" class="wiki-anchor">¶</a></h2>
<p>On Red Hat systems, the Pulp installer needs to clone the pulpcore-selinux repository[0], compile the policy inside of it, install the policy, and label all the ports used by pulp services[1].</p>
<p>[0] <a href="https://github.com/pulp/pulpcore-selinux" class="external">https://github.com/pulp/pulpcore-selinux</a>
[1] <a href="https://github.com/pulp/pulpcore-selinux#labeling-pulpcore_port" class="external">https://github.com/pulp/pulpcore-selinux#labeling-pulpcore_port</a></p>
<a name="File-Path-RequirementsDetails"></a>
<h2 >File Path Requirements/Details<a href="#File-Path-RequirementsDetails" class="wiki-anchor">¶</a></h2>
<p>The SELinux policy is built assuming default file paths. For example things like /var/lib/pulp, etc. Those defaults are in the policy's ".fc" file <a href="https://github.com/pulp/pulpcore-selinux/blob/master/pulpcore.fc" class="external">here</a>.</p>
<p>On production systems, when these paths are changed, the compiled policy will need to generate a correct .fc file to use when compiling the policy.</p>
<p>On dev systems, a new .fc file will need to be generated as well for the dev environment.</p>
<p>Alternatively, we can call commands/modules to update the label database with these changed paths.</p>
<a name="install-from-RPM-mode"></a>
<h2 >install-from-RPM mode<a href="#install-from-RPM-mode" class="wiki-anchor">¶</a></h2>
<p>Currently not needed (Dennis & Mike), the policies get installed (pre-compiled) via pulpcore-selinux RPM package, which the installer defaults to installing.</p>
<p>Because /usr/bin/rq and /usr/bin/gunicorn are generic, this mode will require wrapper scripts like Katello creates. If we are to support this mode at all (usually policies are in a separate RPM package.)</p>
<a name="Which-version-of-pulpcore-selinux-gets-installed"></a>
<h2 >Which version of pulpcore-selinux gets installed?<a href="#Which-version-of-pulpcore-selinux-gets-installed" class="wiki-anchor">¶</a></h2>
<p>Currently the "master" branch. Alternatives, like tagged releases, are TBD.</p>
<a name="How-to-test-branches-of-pulpcore-selinux"></a>
<h2 >How to test branches of pulpcore-selinux?<a href="#How-to-test-branches-of-pulpcore-selinux" class="wiki-anchor">¶</a></h2>
<p>The git repo and branch ("master") are configurable via 2 private variables, but there is no "Required PR" support because it is a lot of work and may not pay off. They can be overridden via <code>__pulp_selinux_repo</code> and <code>__pulp_selinux_version</code>. We should set these in molecule vars files for CI when needed.</p>
<a name="Provide-support-for-disabling-SELinux-in-the-installer"></a>
<h2 >Provide support for disabling SELinux in the installer?<a href="#Provide-support-for-disabling-SELinux-in-the-installer" class="wiki-anchor">¶</a></h2>
<p>This is worth considering in case an incompatible plugin will be installed. However, universally disabling SELinux is outside of the scope of the installer now.</p>
<a name="Installing-the-1-package-for-the-ports-should-be-in-pulp_api-amp-pulp_content-roles"></a>
<h2 >Installing the 1 package for the ports should be in pulp_api & pulp_content roles.<a href="#Installing-the-1-package-for-the-ports-should-be-in-pulp_api-amp-pulp_content-roles" class="wiki-anchor">¶</a></h2>
<p>Doing so would be ideal, but our current implementation of installing it in pulp_common is good enough. (Dennis & Mike)</p>
<a name="Also-install-the-policy-for-the-other-selinux-modes-mls-strict-amp-targeted-not-just-the-current-one"></a>
<h2 >Also install the policy for the other selinux modes (mls, strict & targeted), not just the current one.<a href="#Also-install-the-policy-for-the-other-selinux-modes-mls-strict-amp-targeted-not-just-the-current-one" class="wiki-anchor">¶</a></h2>
<p>Current is good enough, we do only targeted for Pulp 2. (Dennis & Mike)</p>
<a name="Support-for-dev-mode-installs-with-pulp-source-installed-in-editable-mode"></a>
<h2 >Support for dev mode installs, with pulp source installed in editable mode?<a href="#Support-for-dev-mode-installs-with-pulp-source-installed-in-editable-mode" class="wiki-anchor">¶</a></h2>
<p>Tracked via: <a href="https://pulp.plan.io/issues/97" class="external">https://pulp.plan.io/issues/97</a></p>

Pulp - Task #6904 (NEW): Document using https://pypi.org/project/pulpcore-releases/ for the insta...
https://pulp.plan.io/issues/6904
2020-06-03T15:25:07Z
bmbouter (bmbouter@redhat.com)
<p>The Pulp Dependency Checker is a great tool to show compatibility between a pulpcore version and various concerns.</p>
<p>We should do three things:</p>
<ol>
<li>
<p>Move the pdc tool to the pulp org.</p>
</li>
<li>
<p>Add a very obvious link to the pulp_installer docs recommending users to use the tool to determine pulpcore and plugin compatibility</p>
</li>
<li>
<p>Update the error message that the installer puts out when the pre-flight check fails. Have that error message point users to specifically check which plugins are compatible with the pulpcore version the installer is trying to install.</p>
</li>
</ol>

Pulp - Task #6747 (NEW): Demo video for pulp_installer
https://pulp.plan.io/issues/6747
2020-05-14T21:48:07Z
fao89
<ul>
<li>Video should not have audio</li>
<li>
<a href="https://asciinema.org/" class="external">https://asciinema.org/</a> - records terminal output and can be embedded in our docs and in the README on github</li>
<li>include RPM and Container plugins</li>
</ul>

Pulp - Task #6625 (NEW): document the OSes the installer supports
https://pulp.plan.io/issues/6625
2020-04-30T16:27:24Z
fao89

Pulp - Task #5889 (NEW): Add upgrade information to the docs
https://pulp.plan.io/issues/5889
2019-12-16T21:06:09Z
bmbouter (bmbouter@redhat.com)
<p>The installer supports upgrading (see <a href="https://pulp.plan.io/issues/5884" class="external">https://pulp.plan.io/issues/5884</a> ) we just need to document it for the user.</p>

Pulp - Task #4969 (NEW): Improve documentation on the nginx and apache deployment offered by the ...
https://pulp.plan.io/issues/4969
2019-06-13T19:07:45Z
bmbouter (bmbouter@redhat.com)
<p>These docs should be in the pulp docs, not the ansible installer docs. It should clarify with a diagram the reverse proxy deployment provided by:</p>
<p><a href="https://pulp.plan.io/issues/4966" class="external">https://pulp.plan.io/issues/4966</a><br>
<a href="https://pulp.plan.io/issues/4967" class="external">https://pulp.plan.io/issues/4967</a></p>

Pulp - Story #97 (NEW): As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 V...
https://pulp.plan.io/issues/97
2015-01-08T15:50:12Z
cduryee (cduryee@redhat.com)
<p>The real deliverables are in the checklist, but here is some extra info on how to compile it.</p>
<p>To compile and install the Pulp SELinux with Ansible for Vagrant you will need to:</p>
<ul>
<li>Install selinux-policy-devel rpm with ansible</li>
<li>Compile the policy similar to <code>make NAME=celery -f /usr/share/selinux/devel/Makefile DISTRO=fedora24</code> except with ansible</li>
<li>Install the policy using Ansible</li>
<li>Have ansible call the restorecon script or fixfiles (see checklist item) so that all the right restorecon calls occur. Stay DRY with these calls if possible.[0]</li>
<li>If necessary, have the policy use "developer layout" .fc files to cause the .te compiled policies to be compatible with the layout used by Vagrant.</li>
</ul>
<p>Use <code>ps -awfuxZ | grep celery</code> to verify it is becoming the celery_t security label type. Similarly httpd should get an httpd security type. Then do some testing with Pulp and SELinux enabled.</p>
<p>[0]: <a href="https://github.com/pulp/pulp/blob/master/server/selinux/server/relabel.sh" class="external">https://github.com/pulp/pulp/blob/master/server/selinux/server/relabel.sh</a></p>