Pulp: Issues
https://pulp.plan.io/ 2021-08-23T14:41:17Z
Pulp - Issue #9274 (NEW): Pulp reports that python cannot access unix_dgram_socket when installin...
https://pulp.plan.io/issues/9274 2021-08-23T14:41:17Z mdepaulo@redhat.com
<p>On CentOS 7, we have errors like the following:</p>
<pre><code>Aug 23 14:24:42 centos7 setroubleshoot: SELinux is preventing /opt/rh/rh-python38/root/usr/bin/python3.8 from connect access on the unix_dgram_socket labeled pulpcore_server_t. For complete SELinux messages run: sealert -l b988b539-f587-486d-85f6-68f9de3a3cbc
Aug 23 14:24:42 centos7 python: SELinux is preventing /opt/rh/rh-python38/root/usr/bin/python3.8 from connect access on the unix_dgram_socket labeled pulpcore_server_t.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that python3.8 should be allowed connect access on unix_dgram_socket labeled pulpcore_server_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn#012# semodule -i my-gunicorn.pp#012
</code></pre>
<p>The installer calls:</p>
<blockquote>
<p>/sbin/fixfiles restore /usr/local/lib/pulp</p>
</blockquote>
<p>But both that command and:</p>
<blockquote>
<p>/sbin/fixfiles restore /usr/local/lib/pulp/bin/gunicorn</p>
</blockquote>
<p>incorrectly set the context. The context is instead set to:</p>
<blockquote>
<p>unconfined_u:object_r:pulpcore_server_exec_t:s0</p>
</blockquote>
<p>However, the command:</p>
<blockquote>
<p>restorecon -F /usr/local/lib/pulp/bin/gunicorn</p>
</blockquote>
<p>correctly sets it to:</p>
<blockquote>
<p>system_u:object_r:pulpcore_server_exec_t:s0</p>
</blockquote>
<p>Which makes the error go away.</p>
Pulp - Issue #8993 (NEW): SELinux: avc: denied pulpcore-worker on Fedora 34
https://pulp.plan.io/issues/8993 2021-06-30T14:02:12Z StephenW
<p>Hello</p>
<p>I installed Pulp3 on Fedora 34 using "ansible-galaxy collection install pulp.pulp_installer"</p>
<p>at the end of the Ansible run:</p>
<pre><code>TASK [pulp.pulp_installer.pulp_health_check : Checking Pulp services]
msg: 'pulpcore-resource-manager.service state: stopped'
</code></pre>
<p>On the managed node, I see lots of avc: denied :</p>
<pre><code>fedoraserver ~]# ausearch -m AVC,USER_AVC -ts recent

time->Tue Jun 29 15:59:06 2021
type=AVC msg=audit(1624975146.441:668194): avc: denied { name_connect } for pid=1129665 comm="pulpcore-worker" dest=6379 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket permissive=0

fedoraserver ~]# sepolgen-ifgen
fedoraserver ~]# audit2allow -Ral

require {
type init_t;
}

#============= init_t ==============
corenet_tcp_connect_postgresql_port(init_t)
corenet_tcp_connect_redis_port(init_t)
</code></pre>
<p>Thank you</p>
Pulp - Issue #8916 (NEW): Pulp installer hanging on "Ensure Pulp is up and healthy"
https://pulp.plan.io/issues/8916 2021-06-18T09:42:41Z sli720
<p>I tried to install pulp via the pulp installer v3.13.0 (ansible playbooks) in a fresh vagrant environment running CentOS Stream 8 but the install hangs on:</p>
<pre><code>TASK [pulp_health_check : Ensure Pulp is up and healthy] ****************************************************************************************************************************************************
FAILED - RETRYING: Ensure Pulp is up and healthy (30 retries left).
</code></pre>
<p>I checked the service states and found pulpcore-resource-manager.service not starting because of:</p>
<pre><code>pulpcore-worker[105999]: Error 13 connecting to localhost:6379. Permission denied.
</code></pre>
<p>It sounded to me like an SELinux issue, so I deactivated SELinux completely and the installer runs through successfully now. Could this be a bug, because in earlier versions the installation also worked with SELinux turned on?</p>
Pulp - Story #8702 (NEW): As a user, the example-use playbook is not cluttered with object storag...
https://pulp.plan.io/issues/8702 2021-05-05T13:31:24Z mdepaulo@redhat.com
<p>We should move the object storage checks from the example-use playbook to the pulp_common role to solve this.</p>
<p>It will provide a better user experience. (Making the example playbook as small as possible.)</p>
<p>It will also enforce the checks for users that do not use the example-use playbook.</p>
<p><a href="https://github.com/pulp/pulp_installer/blob/master/playbooks/example-use/playbook.yml" class="external">https://github.com/pulp/pulp_installer/blob/master/playbooks/example-use/playbook.yml</a></p>
<p><a href="https://github.com/pulp/pulp_installer/blob/master/roles/pulp_common/tasks/main.yml#L16" class="external">https://github.com/pulp/pulp_installer/blob/master/roles/pulp_common/tasks/main.yml#L16</a></p>
Pulp - Issue #8379 (NEW): pulp_installer depends on unsupported community collections
https://pulp.plan.io/issues/8379 2021-03-10T19:59:42Z ironfroggy
<p>It has come to the attention of the Ansible Platform team that pulp_installer, which we use to install Hub as part of the platform, depends on community.general, but Platform cannot depend on community collections. We can only depend on supported, official ansible-namespace content.</p>
<p>The current blocker is ini_file from community.general. There may be others.</p>
<p>Ideally, we could get these dependencies moved into a supported collection, ansible.utils, and pulp_installer could depend on that, instead.</p>
Pulp - Task #7642 (NEW): Update pulp_installer's list of supported Fedora releases
https://pulp.plan.io/issues/7642 2020-10-01T18:18:58Z mdepaulo@redhat.com
<p>Fedora 32 is supported; pulplift CI tests it. Fedora 30 will probably be dropped in the task that blocks this.</p>
<p>Note that this list is in roles/*/meta/main.yml</p>
Pulp - Issue #7641 (NEW): pulp_installer role READMEs should not tell users to set ansible_python...
https://pulp.plan.io/issues/7641 2020-10-01T18:17:29Z mdepaulo@redhat.com
<p>Multiple roles' README.md files list under variables:</p>
<pre><code>ansible_python_interpreter`: **Required**. Path to the Python interpreter.
</code></pre>
<p>It definitely isn't required to be set, since the default behavior is auto_legacy in Ansible 2.8 through 2.11, and auto in 2.12 (planned.)</p>
<p>Furthermore, we probably shouldn't even list it. It is a common built-in Ansible variable that. There are many others, and there seems to be nothing special about it. Perhaps we should list it in case users are running Fedora 30.</p>
Pulp - Issue #7640 (NEW): pulp_rpm_prerequisites sets ansible_python_interpreter unnecessarily
https://pulp.plan.io/issues/7640 2020-10-01T18:14:01Z mdepaulo@redhat.com
<p>There is no reason it should be set to:</p>
<pre><code>ansible_python_interpreter: /usr/bin/python
</code></pre>
<p>Since the behavior of auto_legacy and auto is to set it to that (python2) anyway.</p>
<p>It also would only affect the role (and later applied roles) at most, since the role is always (and conditionally) dynamically included. If it has any effect, this makes it harder to test the installer, different interpreter depending on whether or not pulp_rpm is getting installed.</p>
Pulp - Task #7575 (NEW): pulp_installer's SELinux support should handle folder paths being changed
https://pulp.plan.io/issues/7575 2020-09-25T21:09:08Z mdepaulo@redhat.com
<p>pulp_install_dir, pulp_user_home, etc are currently baked into pulpcore-selinux.</p>
<p>pulp_installer should support accommodating this, such as by replacing the .fc file from pulpcore-selinux, or running label database commands.</p>
Pulp - Issue #7472 (NEW): pulp_installer does not apply some tasks to RHEL8 properly
https://pulp.plan.io/issues/7472 2020-09-08T17:18:09Z mdepaulo@redhat.com
<p>A quick glance through the repo shows some tasks that can be easily fixed to support RHEL8 in addition to CentOS 8:
<a href="https://github.com/pulp/pulp_installer/blob/master/roles/pulp_devel/templates/venv.bashrc.j2" class="external">https://github.com/pulp/pulp_installer/blob/master/roles/pulp_devel/templates/venv.bashrc.j2</a>
<a href="https://github.com/pulp/pulp_installer/search?q=CentOS+path%3Aroles&unscoped_q=CentOS+path%3Aroles" class="external">https://github.com/pulp/pulp_installer/search?q=CentOS+path%3Aroles&unscoped_q=CentOS+path%3Aroles</a></p>
<p><a href="https://github.com/pulp/pulp_installer/blob/master/roles/pulp_database/tasks/install_postgres.yml" class="external">RHEL7 is an issue as well, but would be more difficult.</a></p>
Pulp - Story #7100 (NEW): As an admin I want to be able to ratelimit access to the api endpoints
https://pulp.plan.io/issues/7100 2020-07-07T14:09:57Z mdellweg
<p>In the most simple way, this can be added solely by adjusting the settings.
We should test this and document it with the installer.</p>
<p><a href="https://www.django-rest-framework.org/api-guide/throttling/" class="external">https://www.django-rest-framework.org/api-guide/throttling/</a></p>
Pulp - Task #6942 (NEW): Update galaxy_ng docs for the pulp_installer install-from-rpm support
https://pulp.plan.io/issues/6942 2020-06-09T15:45:37Z mdepaulo@redhat.com
<p>Its docs should show the example variables for doing this.</p>
Pulp - Story #6914 (NEW): nginx listen port and ip can not be configured with a variable
https://pulp.plan.io/issues/6914 2020-06-05T12:18:38Z Pixelfool
<p>In an IPv6 environment, it is necessary to configure the port and IP address for binding. <br>
In roles/pulp_webserver/templates/nginx.conf.j2, line 34, the configuration default is:</p>
<pre><code class="text syntaxhl" data-language="text">server {
listen 80 default deferred;
...
}
</code></pre>
<p>One solution could be</p>
<pre><code class="text syntaxhl" data-language="text">server {
listen {{ pulp_nginx_bind }} default deferred;
...
}
</code></pre>
<p>Expected result:</p>
<pre><code class="text syntaxhl" data-language="text">server {
listen [2001:db8::1]:80 default deferred;
...
}
</code></pre>
Pulp - Issue #6658 (NEW): Pain points when trying Pulp3 for the first time
https://pulp.plan.io/issues/6658 2020-05-05T16:28:58Z xenlo
<a name="Intro"></a>
<h3>Intro</h3>
<p>@dkliban asked me for some feedback (pain points) about trying to put Pulp3 in place.</p>
<a name="Background-on-my-use-case"></a>
<h3>Background on my use case</h3>
<p>In the company I work for, we use Ansible in our automation process. And in our automated deployment we provision infrastructure with Debian, openSUSE and SLES. So for now we manage a server that mirrors repos for all those distros. This is a collection of different tools (apt-mirror, createrepo, RMT, wget and rsync) glued together with shell scripts and published with half a thousand (for now) soft links.</p>
<p>So I was interested to put in place Pulp3 with deb, rpm and file plugin on a Debian 10 host, installed with Ansible playbook <code>pulp_installer</code>.</p>
<a name="Pain-Point-List"></a>
<h3>Pain Point List</h3>
<p>I think that, most of all, my expectation was something more mature, closer to a 'Production ready' tool.</p>
<ul>
<li>I expected some CLI as user interface, as I think that a big part of the public for this tool is SysAdmins.
Even if the API is a great interface, it's not comfortable for a SysAdmin to manage repos (even more true when one needs to discover how it works)</li>
<li>The lack of external doc, like "tuto: How I mirror Centos and Debian with Pulp"…</li>
<li>Some confusion if the doc/tool is for Pulp2 or Pulp3</li>
<li>Yet another issue tracker to raise issues
(I didn't try really hard but my attempt to auth with github failed…)</li>
<li>The install doc tells you that the preferred method is with Ansible but doesn't explain how. It just redirects you to a git repo where you have to find the corresponding doc, which is not easy to find and which is not in line with the latest version on the repo (already explained that point)</li>
<li>The pulp_installer doesn't list the system prereqs. That's sad because, at least on a freshly installed Debian 10, the playbook fails. I had to add some packages and force the ansible_python_interpreter to get the work done.</li>
<li>On the project page you tell that Pulp can manage plenty of repo types, but in fact if you take a fresh version only a few plugins are working. Is there at least a compatibility/status matrix explaining that?</li>
</ul>
<a name="Thanks"></a>
<h3>Thanks</h3>
<p>Nevertheless, I wanted to close on a more positive point, the IRC channel is highly responsive, and people hanging out there are full of goodwill.
Thanks for that!</p>
Pulp - Story #97 (NEW): As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 V...
https://pulp.plan.io/issues/97 2015-01-08T15:50:12Z cduryee cduryee@redhat.com
<p>The real deliverables are in the checklist, but here is some extra info on how to compile it.</p>
<p>To compile and install the Pulp SELinux with Ansible for Vagrant you will need to:</p>
<ul>
<li>Install selinux-policy-devel rpm with ansible</li>
<li>Compile the policy similar to <code>make NAME=celery -f /usr/share/selinux/devel/Makefile DISTRO=fedora24</code> except with ansible</li>
<li>Install the policy using Ansible</li>
<li>Have ansible call the restorecon script or fixfiles (see checklist item) so that all the right restorecon calls occur. Stay DRY with these calls if possible.[0]</li>
<li>If necessary, have the policy use "developer layout" .fc files to cause the .te compiled policies to be compatible with the layout used by Vagrant.</li>
</ul>
<p>Use the <code>ps -awfuxZ | grep celery</code> to verify it is becoming the celery_t security label type. Similarly httpd should get an httpd security type. Then do some testing with Pulp and SELinux enabled.</p>
<p>[0]: <a href="https://github.com/pulp/pulp/blob/master/server/selinux/server/relabel.sh" class="external">https://github.com/pulp/pulp/blob/master/server/selinux/server/relabel.sh</a></p>