foreman_maintain 1.0.2 → 1.0.5
- checksums.yaml +4 -4
- data/definitions/checks/check_hotfix_installed.rb +11 -3
- data/definitions/checks/foreman_proxy/check_tftp_storage.rb +5 -5
- data/definitions/checks/maintenance_mode/check_consistency.rb +10 -2
- data/definitions/features/instance.rb +10 -2
- data/definitions/features/iptables.rb +4 -21
- data/definitions/features/nftables.rb +51 -0
- data/definitions/procedures/content/fix_pulpcore_artifact_permissions.rb +30 -0
- data/definitions/procedures/maintenance_mode/disable_maintenance_mode.rb +18 -0
- data/definitions/procedures/maintenance_mode/enable_maintenance_mode.rb +48 -0
- data/definitions/procedures/maintenance_mode/is_enabled.rb +4 -2
- data/definitions/procedures/pulp/remove.rb +1 -0
- data/definitions/procedures/puppet/remove_puppet_data.rb +3 -1
- data/definitions/procedures/repositories/enable.rb +7 -1
- data/definitions/scenarios/content.rb +19 -0
- data/definitions/scenarios/puppet.rb +1 -0
- data/definitions/scenarios/self_upgrade.rb +14 -5
- data/definitions/scenarios/upgrade_to_capsule_7_0.rb +1 -0
- data/definitions/scenarios/upgrade_to_satellite_7_0.rb +1 -0
- data/lib/foreman_maintain/cli/content_command.rb +10 -0
- data/lib/foreman_maintain/cli/self_upgrade_command.rb +2 -1
- data/lib/foreman_maintain/concerns/firewall/iptables_maintenance_mode.rb +28 -0
- data/lib/foreman_maintain/concerns/firewall/nftables_maintenance_mode.rb +39 -0
- data/lib/foreman_maintain/version.rb +1 -1
- data/lib/foreman_maintain.rb +2 -0
- metadata +8 -4
- data/definitions/procedures/iptables/add_maintenance_mode_chain.rb +0 -15
- data/definitions/procedures/iptables/remove_maintenance_mode_chain.rb +0 -15
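--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: bda89886170f69276ffe2a0fcca046581c62096011e59251f199d451a6e49ddb
+data.tar.gz: 5f63a1d69ab49281d15e1d4004f1726d9c7b45eccbeeaa0015615176c7973e01
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a2e1859b3479357698652f5b448e97e9ebe4977b6f71a851efc7498ae8f9e622d4a0a69a6589a8206d00071129345bceacececf04133fb958f85924c9c5ba79b
+data.tar.gz: 4db6f08840e3767357d0d57a9b32ff61779627e03118396ca41c99f2ea3f7ea355596e7d353dc1352b56290b7c4fc6b81a17bf74dad09cadf76b52af660cfc32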
@@ -45,16 +45,24 @@ class Checks::CheckHotfixInstalled < ForemanMaintain::Check
|
|
|
45
45
|
|
|
46
46
|
def installed_packages
|
|
47
47
|
packages = []
|
|
48
|
-
|
|
49
|
-
IO.popen([repoquery_cmd, '-a', '--installed', '--qf', '%{ui_from_repo} %{nvra}']) do |io|
|
|
48
|
+
IO.popen(['repoquery', '-a', '--installed', '--qf', query_format]) do |io|
|
|
50
49
|
io.each do |line|
|
|
51
50
|
repo, pkg = line.chomp.split
|
|
52
|
-
|
|
51
|
+
next if repo.nil? || pkg.nil?
|
|
52
|
+
packages << pkg if /satellite|rhscl/ =~ repo.downcase
|
|
53
53
|
end
|
|
54
54
|
end
|
|
55
55
|
packages
|
|
56
56
|
end
|
|
57
57
|
|
|
58
|
+
def query_format
|
|
59
|
+
if el7?
|
|
60
|
+
return '%{ui_from_repo} %{name}-%{evr}.%{arch}'
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
'%{from_repo} %{name}-%{evr}.%{arch}'
|
|
64
|
+
end
|
|
65
|
+
|
|
58
66
|
def find_hotfix_packages
|
|
59
67
|
output = execute!('rpm -qa release="*HOTFIX*"').strip
|
|
60
68
|
return [] if output.empty?
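Review bot: `installed_packages` never checks the exit status of the `repoquery` child, so a failing `repoquery` yields an empty list that looks the same as "no satellite/rhscl packages installed". For a hotfix check that can turn a tooling failure into a silent pass, depending on how the caller uses the list (not visible in this hunk). After the `IO.popen` block I would add `raise 'repoquery failed' unless $?.success?`, or route the call through the project's `execute!` helper. `query_format` would also benefit from a one-line comment saying why the tag differs, presumably `# yum-utils repoquery (EL7) exposes %{ui_from_repo}; dnf repoquery uses %{from_repo}`. `find_hotfix_packages` continues past the end of the hunk.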
|
|
@@ -6,12 +6,12 @@ module Checks::ForemanProxy
|
|
|
6
6
|
tags :default
|
|
7
7
|
confine do
|
|
8
8
|
feature(:satellite) && feature(:foreman_proxy) &&
|
|
9
|
-
feature(:foreman_proxy).features.include?('tftp')
|
|
9
|
+
feature(:foreman_proxy).features.include?('tftp')
|
|
10
10
|
end
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def run
|
|
14
|
-
if Dir.exist?(tftp_boot_directory)
|
|
14
|
+
if non_zero_token_duration? && Dir.exist?(tftp_boot_directory)
|
|
15
15
|
files = old_files_from_tftp_boot
|
|
16
16
|
assert(files.empty?,
|
|
17
17
|
'There are old initrd and vmlinuz files present in tftp',
|
|
@@ -29,7 +29,7 @@ module Checks::ForemanProxy
|
|
|
29
29
|
end.compact
|
|
30
30
|
end
|
|
31
31
|
|
|
32
|
-
def
|
|
32
|
+
def non_zero_token_duration?
|
|
33
33
|
lookup_token_duration != 0
|
|
34
34
|
end
|
|
35
35
|
|
|
@@ -38,10 +38,10 @@ module Checks::ForemanProxy
|
|
|
38
38
|
end
|
|
39
39
|
|
|
40
40
|
def token_duration
|
|
41
|
-
@token_duration ||=
|
|
41
|
+
@token_duration ||= lookup_token_duration
|
|
42
42
|
end
|
|
43
43
|
|
|
44
|
-
def
|
|
44
|
+
def lookup_token_duration
|
|
45
45
|
data = feature(:foreman_database). \
|
|
46
46
|
query("select s.value, s.default from settings s \
|
|
47
47
|
where category IN ('Setting::Provisioning','Setting') \
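Review bot: `non_zero_token_duration?` calls `lookup_token_duration` directly instead of the memoized `token_duration`, so the new guard in `run` issues the settings query on its own, and presumably the query runs again wherever `token_duration` is read. `token_duration != 0` would reuse the cached value. The comparison with integer `0` also assumes `lookup_token_duration` returns an Integer; its body continues outside the hunk, so if it returns the raw setting string the guard would always be true, which is worth confirming.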
|
|
@@ -22,11 +22,15 @@ module Checks::MaintenanceMode
|
|
|
22
22
|
|
|
23
23
|
private
|
|
24
24
|
|
|
25
|
+
def firewall
|
|
26
|
+
@firewall ||= feature(:instance).firewall
|
|
27
|
+
end
|
|
28
|
+
|
|
25
29
|
def verify_with_features
|
|
26
30
|
procedure_arr = []
|
|
27
31
|
feature_status_msgs = []
|
|
28
|
-
is_mode_on =
|
|
29
|
-
[
|
|
32
|
+
is_mode_on = firewall.maintenance_mode_status?
|
|
33
|
+
[firewall.label, :sync_plans, :cron].each do |feature_name|
|
|
30
34
|
msg, procedures_to_run = send("check_for_#{feature_name}", is_mode_on)
|
|
31
35
|
feature_status_msgs << msg
|
|
32
36
|
procedure_arr.concat(procedures_to_run)
|
|
@@ -55,6 +59,10 @@ module Checks::MaintenanceMode
|
|
|
55
59
|
feature(:iptables).status_for_maintenance_mode
|
|
56
60
|
end
|
|
57
61
|
|
|
62
|
+
def check_for_nftables(_is_mode_on)
|
|
63
|
+
feature(:nftables).status_for_maintenance_mode
|
|
64
|
+
end
|
|
65
|
+
|
|
58
66
|
def check_for_sync_plans(is_mode_on)
|
|
59
67
|
feature(:sync_plans).status_for_maintenance_mode(is_mode_on)
|
|
60
68
|
end
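Review bot: `firewall` can be nil in `verify_with_features`: `Features::Instance#firewall` is `feature(:nftables) || feature(:iptables)`, and both features are confined on their package being installed, so on a host with neither package `firewall.maintenance_mode_status?` raises NoMethodError instead of reporting a status. `DisableMaintenanceMode` in this same diff guards the nil case, and this check should as well unless it is confined on a firewall feature outside the hunk. For example `is_mode_on = firewall ? firewall.maintenance_mode_status? : false` and `[(firewall && firewall.label), :sync_plans, :cron].compact.each do |feature_name|`. `verify_with_features` continues outside the hunk.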
|
|
@@ -70,6 +70,10 @@ class Features::Instance < ForemanMaintain::Feature
|
|
|
70
70
|
feature(:pulp2) || feature(:pulpcore)
|
|
71
71
|
end
|
|
72
72
|
|
|
73
|
+
def firewall
|
|
74
|
+
feature(:nftables) || feature(:iptables)
|
|
75
|
+
end
|
|
76
|
+
|
|
73
77
|
private
|
|
74
78
|
|
|
75
79
|
# rubocop:disable Metrics/MethodLength, Metrics/AbcSize
|
|
@@ -142,11 +146,15 @@ class Features::Instance < ForemanMaintain::Feature
|
|
|
142
146
|
def component_features_map
|
|
143
147
|
{
|
|
144
148
|
'candlepin_auth' => %w[candlepin candlepin_database],
|
|
149
|
+
'candlepin_events' => %w[candlepin candlepin_database],
|
|
145
150
|
'candlepin' => %w[candlepin candlepin_database],
|
|
146
151
|
'pulp_auth' => %w[pulp2 mongo],
|
|
147
152
|
'pulp' => %w[pulp2 mongo],
|
|
148
153
|
'pulp3' => %w[pulpcore pulpcore_database],
|
|
149
|
-
'
|
|
154
|
+
'pulp3_content' => %w[pulpcore pulpcore_database],
|
|
155
|
+
'foreman_tasks' => %w[foreman_tasks],
|
|
156
|
+
'katello_agent' => %w[katello],
|
|
157
|
+
'katello_events' => %w[katello]
|
|
150
158
|
}
|
|
151
159
|
end
|
|
152
160
|
|
|
@@ -154,7 +162,7 @@ class Features::Instance < ForemanMaintain::Feature
|
|
|
154
162
|
components = Array(components)
|
|
155
163
|
cf_map = component_features_map
|
|
156
164
|
# map ping components to features
|
|
157
|
-
features = components.map { |component| cf_map[component] }.flatten.uniq
|
|
165
|
+
features = components.map { |component| cf_map[component] }.flatten.uniq.compact
|
|
158
166
|
# map features to existing services
|
|
159
167
|
services_of_features = features.map do |name|
|
|
160
168
|
feature(name.to_sym) ? feature(name.to_sym).services : []
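Review bot: `firewall` picks nftables whenever the nftables feature is present, regardless of which backend actually holds the maintenance-mode rules. Both features are confined only on their package being installed, so on a host with both packages where maintenance mode was enabled through iptables (for example by 1.0.2 before this upgrade) `maintenance_mode_status?` would report Off and `disable_maintenance_mode` would leave the iptables REJECT chain for port 443 in place. Consider resolving the backend by state first, preferring whichever feature reports `maintenance_mode_status?` as true and only then falling back to `feature(:nftables) || feature(:iptables)`. At minimum, `firewall` needs a comment documenting the precedence and this upgrade caveat.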
|
|
@@ -1,6 +1,10 @@
|
|
|
1
1
|
class Features::Iptables < ForemanMaintain::Feature
|
|
2
|
+
include ForemanMaintain::Concerns::Firewall::IptablesMaintenanceMode
|
|
2
3
|
metadata do
|
|
3
4
|
label :iptables
|
|
5
|
+
confine do
|
|
6
|
+
find_package('iptables')
|
|
7
|
+
end
|
|
4
8
|
end
|
|
5
9
|
|
|
6
10
|
def add_chain(chain_name, rules, rule_chain = 'INPUT')
|
|
@@ -29,27 +33,6 @@ class Features::Iptables < ForemanMaintain::Feature
|
|
|
29
33
|
execute?("iptables -L #{rule_chain} | tail -n +3 | grep '^#{target_name} '")
|
|
30
34
|
end
|
|
31
35
|
|
|
32
|
-
def add_maintenance_mode_chain
|
|
33
|
-
add_chain(custom_chain_name,
|
|
34
|
-
['-i lo -j ACCEPT', '-p tcp --dport 443 -j REJECT'])
|
|
35
|
-
end
|
|
36
|
-
|
|
37
|
-
def remove_maintenance_mode_chain
|
|
38
|
-
remove_chain(custom_chain_name)
|
|
39
|
-
end
|
|
40
|
-
|
|
41
|
-
def maintenance_mode_chain_exist?
|
|
42
|
-
chain_exist?(custom_chain_name)
|
|
43
|
-
end
|
|
44
|
-
|
|
45
|
-
def status_for_maintenance_mode
|
|
46
|
-
if maintenance_mode_chain_exist?
|
|
47
|
-
['Iptables chain: present', []]
|
|
48
|
-
else
|
|
49
|
-
['Iptables chain: absent', []]
|
|
50
|
-
end
|
|
51
|
-
end
|
|
52
|
-
|
|
53
36
|
private
|
|
54
37
|
|
|
55
38
|
def custom_chain_name
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
class Features::Nftables < ForemanMaintain::Feature
|
|
2
|
+
include ForemanMaintain::Concerns::Firewall::NftablesMaintenanceMode
|
|
3
|
+
metadata do
|
|
4
|
+
label :nftables
|
|
5
|
+
confine do
|
|
6
|
+
find_package('nftables')
|
|
7
|
+
end
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
def add_table(options = '')
|
|
11
|
+
options = "#{ip_family} #{table_name}" if options.empty?
|
|
12
|
+
execute!("nft add table #{options}")
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def delete_table(options = '')
|
|
16
|
+
options = "#{ip_family} #{table_name}" if options.empty?
|
|
17
|
+
execute!("nft delete table #{options}")
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
def add_chain(options = {})
|
|
21
|
+
family = options.fetch(:family, ip_family)
|
|
22
|
+
table = options.fetch(:table, table_name)
|
|
23
|
+
chain = options.fetch(:chain, chain_name)
|
|
24
|
+
chain_options = options.fetch(:chain_options)
|
|
25
|
+
execute!("nft add chain #{family} #{table} #{chain} #{chain_options}")
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def add_rule(options = {})
|
|
29
|
+
family = options.fetch(:family, ip_family)
|
|
30
|
+
table = options.fetch(:table, table_name)
|
|
31
|
+
chain = options.fetch(:chain, chain_name)
|
|
32
|
+
rule = options.fetch(:rule) # needs validation
|
|
33
|
+
execute!("nft add rule #{family} #{table} #{chain} #{rule}")
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def table_exist?(name = table_name)
|
|
37
|
+
execute!('nft list tables').include?(name)
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def table_name
|
|
41
|
+
'FOREMAN_MAINTAIN_TABLE'
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
def chain_name
|
|
45
|
+
'FOREMAN_MAINTAIN_CHAIN'
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
def ip_family
|
|
49
|
+
'inet'
|
|
50
|
+
end
|
|
51
|
+
end
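Review bot: `table_exist?` does a substring match on the whole `nft list tables` output, so any table whose name merely contains `FOREMAN_MAINTAIN_TABLE`, or a table of that name in another family, counts as maintenance mode being on. Since `maintenance_mode_status?` is built on it, an exact lookup is safer: `execute?("nft list table #{ip_family} #{name}")`. Separately, `add_table`, `delete_table`, `add_chain` and `add_rule` interpolate caller-supplied strings into a shell command line. The `# needs validation` comment on `rule` acknowledges this, and the callers visible in this diff pass only constants. Public methods like these should still reject values outside an allow-list pattern, or escape each argument, before a future caller passes anything configurable.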
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
module Procedures::Content
|
|
2
|
+
class FixPulpcoreArtifactOwnership < ForemanMaintain::Procedure
|
|
3
|
+
metadata do
|
|
4
|
+
description 'Fix Pulpcore artifact ownership to be pulp:pulp'
|
|
5
|
+
param :assumeyes, 'Do not ask for confirmation', :default => false
|
|
6
|
+
|
|
7
|
+
confine do
|
|
8
|
+
check_min_version(foreman_plugin_name('katello'), '4.0')
|
|
9
|
+
end
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def ask_to_proceed
|
|
13
|
+
question = "\nWARNING: Only proceed if your system is fully switched to Pulp 3.\n"
|
|
14
|
+
question += "\n\nDo you want to proceed?"
|
|
15
|
+
answer = ask_decision(question, actions_msg: 'y(yes), q(quit)')
|
|
16
|
+
abort! if answer != :yes
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def run
|
|
20
|
+
assumeyes_val = @assumeyes.nil? ? assumeyes? : @assumeyes
|
|
21
|
+
|
|
22
|
+
ask_to_proceed unless assumeyes_val
|
|
23
|
+
|
|
24
|
+
with_spinner('Updating artifact ownership for Pulp 3') do |spinner|
|
|
25
|
+
spinner.update('# chown -hR pulp.pulp /var/lib/pulp/media/artifact')
|
|
26
|
+
FileUtils.chown_R 'pulp', 'pulp', '/var/lib/pulp/media/artifact'
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
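Review bot: `run` hands a fixed path to `FileUtils.chown_R` with no check that `/var/lib/pulp/media/artifact` exists, so on a host without that directory the step ends in a raw `Errno::ENOENT`; the confine only checks the Katello version. A guard on `File.directory?('/var/lib/pulp/media/artifact')` with a clear message before the spinner would make the failure mode explicit. The spinner also prints a `chown -hR pulp.pulp ...` command line that is not what runs. Because this is a recursive ownership change, presumably performed as root, over a tree the Pulp services write to, the message should describe the real operation, and the intended symlink handling should be stated in a comment rather than implied by `-h`. The diffstat names this file `fix_pulpcore_artifact_permissions.rb` while the class is `FixPulpcoreArtifactOwnership`; aligning the two would avoid confusion.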
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
module Procedures::MaintenanceMode
|
|
2
|
+
class DisableMaintenanceMode < ForemanMaintain::Procedure
|
|
3
|
+
metadata do
|
|
4
|
+
label :disable_maintenance_mode
|
|
5
|
+
description 'Remove maintenance mode table/chain from nftables/iptables'
|
|
6
|
+
tags :post_migrations, :maintenance_mode_off
|
|
7
|
+
after :sync_plans_enable
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
def run
|
|
11
|
+
if feature(:instance).firewall
|
|
12
|
+
feature(:instance).firewall.disable_maintenance_mode
|
|
13
|
+
else
|
|
14
|
+
warn! 'Unable to find nftables or iptables'
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
end
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
module Procedures::MaintenanceMode
|
|
2
|
+
class EnableMaintenanceMode < ForemanMaintain::Procedure
|
|
3
|
+
metadata do
|
|
4
|
+
label :enable_maintenance_mode
|
|
5
|
+
description 'Add maintenance_mode tables/chain to nftables/iptables'
|
|
6
|
+
tags :pre_migrations, :maintenance_mode_on
|
|
7
|
+
after :sync_plans_disable
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
def run
|
|
11
|
+
if feature(:instance).firewall
|
|
12
|
+
feature(:instance).firewall.enable_maintenance_mode
|
|
13
|
+
else
|
|
14
|
+
notify_and_ask_to_install_firewall_utility
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
def notify_and_ask_to_install_firewall_utility
|
|
19
|
+
puts 'Unable to find nftables or iptables!'
|
|
20
|
+
question, pkg = question_and_pkg_name
|
|
21
|
+
answer = ask_decision(question, actions_msg: 'y(yes), q(quit)')
|
|
22
|
+
if answer == :yes
|
|
23
|
+
packages_action(:install, pkg)
|
|
24
|
+
feature(:instance).firewall.enable_maintenance_mode
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def can_install_nft?
|
|
29
|
+
nft_kernel_version = Gem::Version.new('3.13')
|
|
30
|
+
installed_kernel_version = Gem::Version.new(execute!('uname -r').split('-').first)
|
|
31
|
+
installed_kernel_version >= nft_kernel_version
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def question_and_pkg_name
|
|
35
|
+
question = 'Do you want to install missing netfilter utility '
|
|
36
|
+
pkg_to_install = []
|
|
37
|
+
if can_install_nft?
|
|
38
|
+
question << 'nftables?'
|
|
39
|
+
pkg_to_install << 'nftables'
|
|
40
|
+
else
|
|
41
|
+
question << 'iptables?'
|
|
42
|
+
pkg_to_install << 'iptables'
|
|
43
|
+
end
|
|
44
|
+
question << "\nand start maintenance mode?"
|
|
45
|
+
[question, pkg_to_install]
|
|
46
|
+
end
|
|
47
|
+
end
|
|
48
|
+
end
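Review bot: In `notify_and_ask_to_install_firewall_utility`, `feature(:instance).firewall.enable_maintenance_mode` runs right after `packages_action(:install, pkg)` without re-checking that a firewall feature is now detected. If the install does not complete, or feature detection was cached before the install, `firewall` is still nil and this raises NoMethodError. The other branch is silent too: when the answer is not `:yes` the procedure returns normally, so a `:pre_migrations` run can continue with port 443 still reachable (unless `ask_decision` itself aborts on quit, which is not visible here). I would resolve it once with `firewall = feature(:instance).firewall`, call `firewall.enable_maintenance_mode` only when it is non-nil, and fail the step with an explicit message in both the nil and the declined case.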
|
|
@@ -2,14 +2,16 @@ module Procedures::MaintenanceMode
|
|
|
2
2
|
class IsEnabled < ForemanMaintain::Procedure
|
|
3
3
|
metadata do
|
|
4
4
|
description 'Showing status code for maintenance_mode'
|
|
5
|
-
for_feature :iptables
|
|
6
5
|
advanced_run false
|
|
6
|
+
confine do
|
|
7
|
+
feature(:nftables) || feature(:iptables)
|
|
8
|
+
end
|
|
7
9
|
end
|
|
8
10
|
|
|
9
11
|
attr_reader :status_code
|
|
10
12
|
|
|
11
13
|
def run
|
|
12
|
-
@status_code = feature(:
|
|
14
|
+
@status_code = feature(:instance).firewall.maintenance_mode_status? ? 0 : 1
|
|
13
15
|
puts "Maintenance mode is #{@status_code == 1 ? 'Off' : 'On'}"
|
|
14
16
|
end
|
|
15
17
|
end
|
|
@@ -2,11 +2,17 @@ module Procedures::Repositories
|
|
|
2
2
|
class Enable < ForemanMaintain::Procedure
|
|
3
3
|
metadata do
|
|
4
4
|
param :repos, 'Array of repositories to enable'
|
|
5
|
+
param :use_rhsm, 'Use RHSM to enable repository',
|
|
6
|
+
:flag => true, :default => false
|
|
5
7
|
description 'Enable repositories'
|
|
6
8
|
end
|
|
7
9
|
def run
|
|
8
10
|
with_spinner('Enabling repositories') do
|
|
9
|
-
|
|
11
|
+
if @use_rhsm
|
|
12
|
+
repository_manager.rhsm_enable_repos(@repos)
|
|
13
|
+
else
|
|
14
|
+
repository_manager.enable_repos(@repos)
|
|
15
|
+
end
|
|
10
16
|
end
|
|
11
17
|
end
|
|
12
18
|
end
|
|
@@ -129,10 +129,29 @@ module ForemanMaintain::Scenarios
|
|
|
129
129
|
|
|
130
130
|
def set_context_mapping
|
|
131
131
|
context.map(:assumeyes, Procedures::Pulp::Remove => :assumeyes)
|
|
132
|
+
context.map(:assumeyes, Procedures::Content::FixPulpcoreArtifactOwnership => :assumeyes)
|
|
132
133
|
end
|
|
133
134
|
|
|
134
135
|
def compose
|
|
135
136
|
add_step_with_context(Procedures::Pulp::Remove)
|
|
137
|
+
add_step_with_context(Procedures::Content::FixPulpcoreArtifactOwnership)
|
|
138
|
+
end
|
|
139
|
+
end
|
|
140
|
+
|
|
141
|
+
class FixPulpcoreArtifactOwnership < ContentBase
|
|
142
|
+
metadata do
|
|
143
|
+
label :content_fix_pulpcore_artifact_ownership
|
|
144
|
+
description 'Fix Pulpcore artifact ownership to be pulp:pulp'
|
|
145
|
+
param :assumeyes, 'Do not ask for confirmation'
|
|
146
|
+
manual_detection
|
|
147
|
+
end
|
|
148
|
+
|
|
149
|
+
def set_context_mapping
|
|
150
|
+
context.map(:assumeyes, Procedures::Content::FixPulpcoreArtifactOwnership => :assumeyes)
|
|
151
|
+
end
|
|
152
|
+
|
|
153
|
+
def compose
|
|
154
|
+
add_step_with_context(Procedures::Content::FixPulpcoreArtifactOwnership)
|
|
136
155
|
end
|
|
137
156
|
end
|
|
138
157
|
end
|
|
@@ -14,6 +14,7 @@ module ForemanMaintain::Scenarios
|
|
|
14
14
|
add_step(Checks::CheckPuppetCapsules) if server?
|
|
15
15
|
add_step(Procedures::Puppet::RemovePuppet)
|
|
16
16
|
add_step(Procedures::Puppet::RemovePuppetData) if context.get(:remove_data)
|
|
17
|
+
add_step(Procedures::Service::Restart)
|
|
17
18
|
end
|
|
18
19
|
end
|
|
19
20
|
end
|
|
@@ -62,13 +62,21 @@ module ForemanMaintain::Scenarios
|
|
|
62
62
|
repos_ids_to_reenable = stored_enabled_repos_ids - all_maintenance_repos
|
|
63
63
|
repos_ids_to_reenable << maintenance_repo(maintenance_repo_version)
|
|
64
64
|
end
|
|
65
|
+
|
|
66
|
+
def use_rhsm?
|
|
67
|
+
if (repo = ENV['maintenance_repo'])
|
|
68
|
+
return false unless repo.empty?
|
|
69
|
+
end
|
|
70
|
+
|
|
71
|
+
true
|
|
72
|
+
end
|
|
65
73
|
end
|
|
66
74
|
|
|
67
75
|
class SelfUpgrade < SelfUpgradeBase
|
|
68
76
|
metadata do
|
|
69
77
|
label :self_upgrade_foreman_maintain
|
|
70
|
-
description "Enables the specified version's maintenance repository and,
|
|
71
|
-
|
|
78
|
+
description "Enables the specified version's maintenance repository and,"\
|
|
79
|
+
"\nupdates the satellite-maintain packages"
|
|
72
80
|
manual_detection
|
|
73
81
|
end
|
|
74
82
|
|
|
@@ -77,7 +85,8 @@ module ForemanMaintain::Scenarios
|
|
|
77
85
|
pkgs_to_update = %w[satellite-maintain rubygem-foreman_maintain]
|
|
78
86
|
add_step(Procedures::Repositories::BackupEnabledRepos.new)
|
|
79
87
|
disable_repos
|
|
80
|
-
add_step(Procedures::Repositories::Enable.new(repos: [maintenance_repo_id(target_version)]
|
|
88
|
+
add_step(Procedures::Repositories::Enable.new(repos: [maintenance_repo_id(target_version)],
|
|
89
|
+
use_rhsm: use_rhsm?))
|
|
81
90
|
add_step(Procedures::Packages::Update.new(packages: pkgs_to_update, assumeyes: true))
|
|
82
91
|
enable_repos(repos_ids_to_reenable)
|
|
83
92
|
end
|
|
@@ -87,8 +96,8 @@ module ForemanMaintain::Scenarios
|
|
|
87
96
|
class SelfUpgradeRescue < SelfUpgradeBase
|
|
88
97
|
metadata do
|
|
89
98
|
label :rescue_self_upgrade
|
|
90
|
-
description 'Disables all version specific maintenance
|
|
91
|
-
|
|
99
|
+
description 'Disables all version specific maintenance repositories and,'\
|
|
100
|
+
"\nenables the repositories which were configured prior to self upgrade"
|
|
92
101
|
manual_detection
|
|
93
102
|
run_strategy :fail_slow
|
|
94
103
|
end
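Review bot: `use_rhsm?` keys on an undocumented environment variable: RHSM is used unless `ENV['maintenance_repo']` is set to a non-empty value, and nothing in the hunk explains why. A comment on the method stating the intent would help; if the reason is that a custom repository supplied through `maintenance_repo` cannot be enabled via RHSM, say so there. The body also reduces to `ENV['maintenance_repo'].to_s.empty?`. The class containing `use_rhsm?` starts outside the hunk.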
|
|
@@ -54,6 +54,16 @@ module ForemanMaintain
|
|
|
54
54
|
)
|
|
55
55
|
end
|
|
56
56
|
end
|
|
57
|
+
|
|
58
|
+
subcommand 'fix-pulpcore-artifact-ownership',
|
|
59
|
+
'Update filesystem ownership for Pulpcore artifacts' do
|
|
60
|
+
interactive_option(%w[assumeyes plaintext])
|
|
61
|
+
def execute
|
|
62
|
+
run_scenarios_and_exit(
|
|
63
|
+
Scenarios::Content::FixPulpcoreArtifactOwnership.new(:assumeyes => assumeyes?)
|
|
64
|
+
)
|
|
65
|
+
end
|
|
66
|
+
end
|
|
57
67
|
end
|
|
58
68
|
end
|
|
59
69
|
end
|
|
@@ -29,7 +29,8 @@ module ForemanMaintain
|
|
|
29
29
|
end
|
|
30
30
|
if current_downstream_version >= next_version
|
|
31
31
|
message = "The target-version #{target_version} should be "\
|
|
32
|
-
"greater than existing version #{current_downstream_version}
|
|
32
|
+
"greater than existing version #{current_downstream_version},"\
|
|
33
|
+
"\nand self-upgrade should be used for major version upgrades only!"
|
|
33
34
|
raise Error::UsageError, message
|
|
34
35
|
end
|
|
35
36
|
end
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
module ForemanMaintain
|
|
2
|
+
module Concerns
|
|
3
|
+
module Firewall
|
|
4
|
+
module IptablesMaintenanceMode
|
|
5
|
+
def disable_maintenance_mode
|
|
6
|
+
remove_chain(custom_chain_name)
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def enable_maintenance_mode
|
|
10
|
+
add_chain(custom_chain_name,
|
|
11
|
+
['-i lo -j ACCEPT', '-p tcp --dport 443 -j REJECT'])
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def maintenance_mode_status?
|
|
15
|
+
chain_exist?(custom_chain_name)
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
def status_for_maintenance_mode
|
|
19
|
+
if maintenance_mode_status?
|
|
20
|
+
['Iptables chain: present', []]
|
|
21
|
+
else
|
|
22
|
+
['Iptables chain: absent', []]
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
module ForemanMaintain
|
|
2
|
+
module Concerns
|
|
3
|
+
module Firewall
|
|
4
|
+
module NftablesMaintenanceMode
|
|
5
|
+
def disable_maintenance_mode
|
|
6
|
+
delete_table if table_exist?
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def enable_maintenance_mode
|
|
10
|
+
unless table_exist?
|
|
11
|
+
add_table
|
|
12
|
+
add_chain(:chain_options => nftables_chain_options)
|
|
13
|
+
add_rule(rule: nftables_rule)
|
|
14
|
+
end
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
def maintenance_mode_status?
|
|
18
|
+
table_exist?
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def nftables_chain_options
|
|
22
|
+
'{type filter hook input priority 0\\;}'
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
def nftables_rule
|
|
26
|
+
'tcp dport https reject'
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def status_for_maintenance_mode
|
|
30
|
+
if table_exist?
|
|
31
|
+
['Nftables table: present', []]
|
|
32
|
+
else
|
|
33
|
+
['Nftables table: absent', []]
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
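Review bot: `enable_maintenance_mode` is not atomic while `maintenance_mode_status?` and `status_for_maintenance_mode` test only `table_exist?`. If `add_chain` or `add_rule` fails after `add_table` (assuming `execute!` raises on a non-zero exit), the empty table stays behind, status reports On with no reject rule loaded, and the next enable is skipped by the `unless table_exist?` guard. Cleaning up on failure, as sketched below, keeps the table a reliable marker. Also note that the iptables concern accepts loopback traffic first (`'-i lo -j ACCEPT'`) while `nftables_rule` is only `'tcp dport https reject'`, so local HTTPS is rejected under nftables but not under iptables. If the loopback exemption is intended, add a matching accept rule ahead of the reject.

```ruby
def enable_maintenance_mode
  return if table_exist?

  add_table
  begin
    add_chain(:chain_options => nftables_chain_options)
    add_rule(rule: nftables_rule)
  rescue StandardError
    # Do not leave an empty table behind: status and the next enable both key off it.
    delete_table
    raise
  end
end
```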
|
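--- a/data/lib/foreman_maintain.rb
+++ b/data/lib/foreman_maintain.rb
@@ -24,6 +24,8 @@ module ForemanMaintain
 require 'foreman_maintain/concerns/downstream'
 require 'foreman_maintain/concerns/primary_checks'
 require 'foreman_maintain/concerns/pulp_common'
+require 'foreman_maintain/concerns/firewall/iptables_maintenance_mode'
+require 'foreman_maintain/concerns/firewall/nftables_maintenance_mode'
 require 'foreman_maintain/top_level_modules'
 require 'foreman_maintain/yaml_storage'
 require 'foreman_maintain/config'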
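--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_maintain
 version: !ruby/object:Gem::Version
-version: 1.0.
+version: 1.0.5
 platform: ruby
 authors:
 - Ivan Nečas
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-
+date: 2022-03-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: clamp
@@ -206,6 +206,7 @@ files:
 - definitions/features/iptables.rb
 - definitions/features/katello.rb
 - definitions/features/mongo.rb
+- definitions/features/nftables.rb
 - definitions/features/pulp2.rb
 - definitions/features/pulpcore.rb
 - definitions/features/pulpcore_database.rb
@@ -244,6 +245,7 @@ files:
 - definitions/procedures/backup/snapshot/mount_pulpcore_db.rb
 - definitions/procedures/backup/snapshot/prepare_mount.rb
 - definitions/procedures/candlepin/delete_orphaned_records_from_env_content.rb
+- definitions/procedures/content/fix_pulpcore_artifact_permissions.rb
 - definitions/procedures/content/migration_reset.rb
 - definitions/procedures/content/migration_stats.rb
 - definitions/procedures/content/prepare.rb
@@ -267,9 +269,9 @@ files:
 - definitions/procedures/installer/run.rb
 - definitions/procedures/installer/upgrade.rb
 - definitions/procedures/installer/upgrade_rake_task.rb
-- definitions/procedures/iptables/add_maintenance_mode_chain.rb
-- definitions/procedures/iptables/remove_maintenance_mode_chain.rb
 - definitions/procedures/knowledge_base_article.rb
+- definitions/procedures/maintenance_mode/disable_maintenance_mode.rb
+- definitions/procedures/maintenance_mode/enable_maintenance_mode.rb
 - definitions/procedures/maintenance_mode/is_enabled.rb
 - definitions/procedures/packages/check_update.rb
 - definitions/procedures/packages/enable_version_locking.rb
@@ -389,6 +391,8 @@ files:
 - lib/foreman_maintain/concerns/directory_marker.rb
 - lib/foreman_maintain/concerns/downstream.rb
 - lib/foreman_maintain/concerns/finders.rb
+- lib/foreman_maintain/concerns/firewall/iptables_maintenance_mode.rb
+- lib/foreman_maintain/concerns/firewall/nftables_maintenance_mode.rb
 - lib/foreman_maintain/concerns/hammer.rb
 - lib/foreman_maintain/concerns/logger.rb
 - lib/foreman_maintain/concerns/metadata.rb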
@@ -1,15 +0,0 @@
|
|
|
1
|
-
module Procedures::Iptables
|
|
2
|
-
class AddMaintenanceModeChain < ForemanMaintain::Procedure
|
|
3
|
-
metadata do
|
|
4
|
-
label :iptables_add_maintenance_mode_chain
|
|
5
|
-
for_feature :iptables
|
|
6
|
-
description 'Add maintenance_mode chain to iptables'
|
|
7
|
-
tags :pre_migrations, :maintenance_mode_on
|
|
8
|
-
after :sync_plans_disable
|
|
9
|
-
end
|
|
10
|
-
|
|
11
|
-
def run
|
|
12
|
-
feature(:iptables).add_maintenance_mode_chain
|
|
13
|
-
end
|
|
14
|
-
end
|
|
15
|
-
end
|
|
@@ -1,15 +0,0 @@
|
|
|
1
|
-
module Procedures::Iptables
|
|
2
|
-
class RemoveMaintenanceModeChain < ForemanMaintain::Procedure
|
|
3
|
-
metadata do
|
|
4
|
-
label :iptables_remove_maintenance_mode_chain
|
|
5
|
-
for_feature :iptables
|
|
6
|
-
description 'Remove maintenance_mode chain from iptables'
|
|
7
|
-
tags :post_migrations, :maintenance_mode_off
|
|
8
|
-
after :sync_plans_enable
|
|
9
|
-
end
|
|
10
|
-
|
|
11
|
-
def run
|
|
12
|
-
feature(:iptables).remove_maintenance_mode_chain
|
|
13
|
-
end
|
|
14
|
-
end
|
|
15
|
-
end
|