foreman_maintain 1.0.4 → 1.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eee1f58199b0dd709acdfd9095292306de60d75d067edac09d28287caf323439
-  data.tar.gz: bd0b37c9668e6db36895a5a13b1568ea2cd171feacb670d5f5c912b9a7e7e7b6
+  metadata.gz: 1db04c176ed0a5d5293dd9980db6c05e7f2c29c43f7da63d622e917c692d49ce
+  data.tar.gz: 2d41a5d195c217f7c7764b2543ed43ec3bacfac1339aad2162431052286775ca
 SHA512:
-  metadata.gz: 8c4117234bfaf93217d80f8f076b0187c59bb240fd3f8210867c41422d47c3a033d31c2eb2be61252303fe371ce1ab1c33d6f362576ed5a411d5c4c989b58c45
-  data.tar.gz: 97a10cdf47b6838eef3b7d79bc91849bc7d3f991e090f16d7a6a013b377b3a09e46c5ccd23de64f1520c080f7d1d56397468beb0bffe0a4d901e10c327356488
+  metadata.gz: d321a63d2e313db2694dbd70c138c498c829843b5ac891d33e91969a682494f94971b1411dbe81228f1e049bfb35b3a3ba2dc9c59d08629aa4297baff20210ad
+  data.tar.gz: a53ce7c727dbbf92d7257e7024587ba33a1e7db9b27c17fccf5e3ecc9ede63173bdcbcef2cd7f51173a3d88df661b6dd2e0f68fab05ea0983b8f657e9f02beae

data/definitions/checks/maintenance_mode/check_consistency.rb

@@ -22,11 +22,15 @@ module Checks::MaintenanceMode
 
     private
 
+    def firewall
+      @firewall ||= feature(:instance).firewall
+    end
+
     def verify_with_features
       procedure_arr = []
       feature_status_msgs = []
-      is_mode_on = feature(:iptables).maintenance_mode_chain_exist?
-      [:iptables, :sync_plans, :cron].each do |feature_name|
+      is_mode_on = firewall.maintenance_mode_status?
+      [firewall.label, :sync_plans, :cron].each do |feature_name|
         msg, procedures_to_run = send("check_for_#{feature_name}", is_mode_on)
         feature_status_msgs << msg
         procedure_arr.concat(procedures_to_run)
@@ -55,6 +59,10 @@ module Checks::MaintenanceMode
       feature(:iptables).status_for_maintenance_mode
     end
 
+    def check_for_nftables(_is_mode_on)
+      feature(:nftables).status_for_maintenance_mode
+    end
+
     def check_for_sync_plans(is_mode_on)
       feature(:sync_plans).status_for_maintenance_mode(is_mode_on)
     end

data/definitions/features/foreman_tasks.rb

@@ -82,15 +82,22 @@ class Features::ForemanTasks < ForemanMaintain::Feature
   def delete(state)
     tasks_condition = condition(state)
 
-    feature(:foreman_database).psql(<<-SQL)
-     BEGIN;
-       DELETE FROM dynflow_steps USING foreman_tasks_tasks WHERE (foreman_tasks_tasks.external_id = dynflow_steps.execution_plan_uuid::varchar) AND #{tasks_condition};
-       DELETE FROM dynflow_actions USING foreman_tasks_tasks WHERE (foreman_tasks_tasks.external_id = dynflow_actions.execution_plan_uuid::varchar) AND #{tasks_condition};
-       DELETE FROM dynflow_execution_plans USING foreman_tasks_tasks WHERE (foreman_tasks_tasks.external_id = dynflow_execution_plans.uuid::varchar) AND #{tasks_condition};
-       DELETE FROM foreman_tasks_tasks WHERE #{tasks_condition};
-     COMMIT;
+    sql = <<-SQL
+      DELETE FROM dynflow_steps USING foreman_tasks_tasks WHERE (foreman_tasks_tasks.external_id = dynflow_steps.execution_plan_uuid::varchar) AND #{tasks_condition};
+      DELETE FROM dynflow_actions USING foreman_tasks_tasks WHERE (foreman_tasks_tasks.external_id = dynflow_actions.execution_plan_uuid::varchar) AND #{tasks_condition};
+      DELETE FROM dynflow_execution_plans USING foreman_tasks_tasks WHERE (foreman_tasks_tasks.external_id = dynflow_execution_plans.uuid::varchar) AND #{tasks_condition};
+      DELETE FROM foreman_tasks_tasks WHERE #{tasks_condition};
+      -- Delete locks and links which may now be orphaned
+      DELETE FROM foreman_tasks_locks as ftl where ftl.task_id NOT IN (SELECT id FROM foreman_tasks_tasks);
     SQL
 
+    if check_min_version(foreman_plugin_name('foreman-tasks'), '4.0.0')
+      sql += 'DELETE FROM foreman_tasks_links as ftl ' \
+             'where ftl.task_id NOT IN (SELECT id FROM foreman_tasks_tasks);'
+    end
+
+    feature(:foreman_database).psql("BEGIN; #{sql}; COMMIT;")
+
     count(state)
   end
 

data/definitions/features/instance.rb

@@ -70,6 +70,10 @@ class Features::Instance < ForemanMaintain::Feature
     feature(:pulp2) || feature(:pulpcore)
   end
 
+  def firewall
+    feature(:nftables) || feature(:iptables)
+  end
+
   private
 
   # rubocop:disable Metrics/MethodLength, Metrics/AbcSize

data/definitions/features/iptables.rb

@@ -1,6 +1,10 @@
 class Features::Iptables < ForemanMaintain::Feature
+  include ForemanMaintain::Concerns::Firewall::IptablesMaintenanceMode
   metadata do
     label :iptables
+    confine do
+      find_package('iptables')
+    end
   end
 
   def add_chain(chain_name, rules, rule_chain = 'INPUT')
@@ -29,27 +33,6 @@ class Features::Iptables < ForemanMaintain::Feature
     execute?("iptables -L #{rule_chain} | tail -n +3 | grep '^#{target_name} '")
   end
 
-  def add_maintenance_mode_chain
-    add_chain(custom_chain_name,
-              ['-i lo -j ACCEPT', '-p tcp --dport 443 -j REJECT'])
-  end
-
-  def remove_maintenance_mode_chain
-    remove_chain(custom_chain_name)
-  end
-
-  def maintenance_mode_chain_exist?
-    chain_exist?(custom_chain_name)
-  end
-
-  def status_for_maintenance_mode
-    if maintenance_mode_chain_exist?
-      ['Iptables chain: present', []]
-    else
-      ['Iptables chain: absent', []]
-    end
-  end
-
   private
 
   def custom_chain_name

data/definitions/features/nftables.rb

@@ -0,0 +1,51 @@
+class Features::Nftables < ForemanMaintain::Feature
+  include ForemanMaintain::Concerns::Firewall::NftablesMaintenanceMode
+  metadata do
+    label :nftables
+    confine do
+      find_package('nftables')
+    end
+  end
+
+  def add_table(options = '')
+    options = "#{ip_family} #{table_name}" if options.empty?
+    execute!("nft add table #{options}")
+  end
+
+  def delete_table(options = '')
+    options = "#{ip_family} #{table_name}" if options.empty?
+    execute!("nft delete table #{options}")
+  end
+
+  def add_chain(options = {})
+    family = options.fetch(:family, ip_family)
+    table = options.fetch(:table, table_name)
+    chain = options.fetch(:chain, chain_name)
+    chain_options = options.fetch(:chain_options)
+    execute!("nft add chain #{family} #{table} #{chain} #{chain_options}")
+  end
+
+  def add_rule(options = {})
+    family = options.fetch(:family, ip_family)
+    table = options.fetch(:table, table_name)
+    chain = options.fetch(:chain, chain_name)
+    rule = options.fetch(:rule) # needs validation
+    execute!("nft add rule #{family} #{table} #{chain} #{rule}")
+  end
+
+  def table_exist?(name = table_name)
+    execute!('nft list tables').include?(name)
+  end
+
+  def table_name
+    'FOREMAN_MAINTAIN_TABLE'
+  end
+
+  def chain_name
+    'FOREMAN_MAINTAIN_CHAIN'
+  end
+
+  def ip_family
+    'inet'
+  end
+end

data/definitions/procedures/content/fix_pulpcore_artifact_permissions.rb

@@ -0,0 +1,30 @@
+module Procedures::Content
+  class FixPulpcoreArtifactOwnership < ForemanMaintain::Procedure
+    metadata do
+      description 'Fix Pulpcore artifact ownership to be pulp:pulp'
+      param :assumeyes, 'Do not ask for confirmation', :default => false
+
+      confine do
+        check_min_version(foreman_plugin_name('katello'), '4.0')
+      end
+    end
+
+    def ask_to_proceed
+      question = "\nWARNING: Only proceed if your system is fully switched to Pulp 3.\n"
+      question += "\n\nDo you want to proceed?"
+      answer = ask_decision(question, actions_msg: 'y(yes), q(quit)')
+      abort! if answer != :yes
+    end
+
+    def run
+      assumeyes_val = @assumeyes.nil? ? assumeyes? : @assumeyes
+
+      ask_to_proceed unless assumeyes_val
+
+      with_spinner('Updating artifact ownership for Pulp 3') do |spinner|
+        spinner.update('# chown -hR pulp.pulp /var/lib/pulp/media/artifact')
+        FileUtils.chown_R 'pulp', 'pulp', '/var/lib/pulp/media/artifact'
+      end
+    end
+  end
+end

data/definitions/procedures/maintenance_mode/disable_maintenance_mode.rb

@@ -0,0 +1,18 @@
+module Procedures::MaintenanceMode
+  class DisableMaintenanceMode < ForemanMaintain::Procedure
+    metadata do
+      label :disable_maintenance_mode
+      description 'Remove maintenance mode table/chain from nftables/iptables'
+      tags :post_migrations, :maintenance_mode_off
+      after :sync_plans_enable
+    end
+
+    def run
+      if feature(:instance).firewall
+        feature(:instance).firewall.disable_maintenance_mode
+      else
+        warn! 'Unable to find nftables or iptables'
+      end
+    end
+  end
+end

data/definitions/procedures/maintenance_mode/enable_maintenance_mode.rb

@@ -0,0 +1,48 @@
+module Procedures::MaintenanceMode
+  class EnableMaintenanceMode < ForemanMaintain::Procedure
+    metadata do
+      label :enable_maintenance_mode
+      description 'Add maintenance_mode tables/chain to nftables/iptables'
+      tags :pre_migrations, :maintenance_mode_on
+      after :sync_plans_disable
+    end
+
+    def run
+      if feature(:instance).firewall
+        feature(:instance).firewall.enable_maintenance_mode
+      else
+        notify_and_ask_to_install_firewall_utility
+      end
+    end
+
+    def notify_and_ask_to_install_firewall_utility
+      puts 'Unable to find nftables or iptables!'
+      question, pkg = question_and_pkg_name
+      answer = ask_decision(question, actions_msg: 'y(yes), q(quit)')
+      if answer == :yes
+        packages_action(:install, pkg)
+        feature(:instance).firewall.enable_maintenance_mode
+      end
+    end
+
+    def can_install_nft?
+      nft_kernel_version = Gem::Version.new('3.13')
+      installed_kernel_version = Gem::Version.new(execute!('uname -r').split('-').first)
+      installed_kernel_version >= nft_kernel_version
+    end
+
+    def question_and_pkg_name
+      question = 'Do you want to install missing netfilter utility '
+      pkg_to_install = []
+      if can_install_nft?
+        question << 'nftables?'
+        pkg_to_install << 'nftables'
+      else
+        question << 'iptables?'
+        pkg_to_install << 'iptables'
+      end
+      question << "\nand start maintenance mode?"
+      [question, pkg_to_install]
+    end
+  end
+end

data/definitions/procedures/maintenance_mode/is_enabled.rb

@@ -2,14 +2,16 @@ module Procedures::MaintenanceMode
   class IsEnabled < ForemanMaintain::Procedure
     metadata do
       description 'Showing status code for maintenance_mode'
-      for_feature :iptables
       advanced_run false
+      confine do
+        feature(:nftables) || feature(:iptables)
+      end
     end
 
     attr_reader :status_code
 
     def run
-      @status_code = feature(:iptables).maintenance_mode_chain_exist? ? 0 : 1
+      @status_code = feature(:instance).firewall.maintenance_mode_status? ? 0 : 1
       puts "Maintenance mode is #{@status_code == 1 ? 'Off' : 'On'}"
     end
   end

data/definitions/procedures/pulp/remove.rb

@@ -17,6 +17,7 @@ module Procedures::Pulp
 
     def pulp_data_dirs
       [
+        '/etc/pki/pulp/content',
         '/var/lib/pulp/published',
         '/var/lib/pulp/content',
         '/var/lib/pulp/importers',

data/definitions/scenarios/content.rb

@@ -129,10 +129,29 @@ module ForemanMaintain::Scenarios
 
       def set_context_mapping
         context.map(:assumeyes, Procedures::Pulp::Remove => :assumeyes)
+        context.map(:assumeyes, Procedures::Content::FixPulpcoreArtifactOwnership => :assumeyes)
       end
 
       def compose
         add_step_with_context(Procedures::Pulp::Remove)
+        add_step_with_context(Procedures::Content::FixPulpcoreArtifactOwnership)
+      end
+    end
+
+    class FixPulpcoreArtifactOwnership < ContentBase
+      metadata do
+        label :content_fix_pulpcore_artifact_ownership
+        description 'Fix Pulpcore artifact ownership to be pulp:pulp'
+        param :assumeyes, 'Do not ask for confirmation'
+        manual_detection
+      end
+
+      def set_context_mapping
+        context.map(:assumeyes, Procedures::Content::FixPulpcoreArtifactOwnership => :assumeyes)
+      end
+
+      def compose
+        add_step_with_context(Procedures::Content::FixPulpcoreArtifactOwnership)
       end
     end
   end

data/definitions/scenarios/self_upgrade.rb

@@ -13,15 +13,22 @@ module ForemanMaintain::Scenarios
     end
 
     def target_version
-      @target_version ||= context.get(:target_version)
+      current_full_version = feature(:instance).downstream.current_version
+      @target_version ||= current_full_version.bump
     end
 
     def current_version
       feature(:instance).downstream.current_minor_version
     end
 
+    def maintenance_repo_label
+      @maintenance_repo_label ||= context.get(:maintenance_repo_label)
+    end
+
     def maintenance_repo_id(version)
-      if (repo = ENV['maintenance_repo'])
+      if maintenance_repo_label
+        return maintenance_repo_label
+      elsif (repo = ENV['MAINTENANCE_REPO_LABEL'])
         return repo unless repo.empty?
       end
 
@@ -64,7 +71,9 @@ module ForemanMaintain::Scenarios
     end
 
     def use_rhsm?
-      if (repo = ENV['maintenance_repo'])
+      return false if maintenance_repo_label
+
+      if (repo = ENV['MAINTENANCE_REPO_LABEL'])
         return false unless repo.empty?
       end
 

data/definitions/scenarios/{upgrade_to_capsule_7_0.rb → upgrade_to_capsule_6_11.rb}

@@ -1,4 +1,4 @@
-module Scenarios::Capsule_7_0
+module Scenarios::Capsule_6_11
   class Abstract < ForemanMaintain::Scenario
     def self.upgrade_metadata(&block)
       metadata do
@@ -6,20 +6,20 @@ module Scenarios::Capsule_7_0
         confine do
           feature(:capsule) &&
             (feature(:capsule).current_minor_version == '6.10' || \
-            ForemanMaintain.upgrade_in_progress == '7.0')
+            ForemanMaintain.upgrade_in_progress == '6.11')
         end
         instance_eval(&block)
       end
     end
 
     def target_version
-      '7.0'
+      '6.11'
     end
   end
 
   class PreUpgradeCheck < Abstract
     upgrade_metadata do
-      description 'Checks before upgrading to Capsule 7.0'
+      description 'Checks before upgrading to Capsule 6.11'
       tags :pre_upgrade_checks
       run_strategy :fail_slow
     end
@@ -27,25 +27,26 @@ module Scenarios::Capsule_7_0
     def compose
       add_steps(find_checks(:default))
       add_steps(find_checks(:pre_upgrade))
-      add_step(Checks::Repositories::Validate.new(:version => '7.0'))
+      add_step(Checks::Repositories::Validate.new(:version => '6.11'))
     end
   end
 
   class PreMigrations < Abstract
     upgrade_metadata do
-      description 'Procedures before migrating to Capsule 7.0'
+      description 'Procedures before migrating to Capsule 6.11'
       tags :pre_migrations
     end
 
     def compose
       add_steps(find_procedures(:pre_migrations))
+      add_step(Procedures::Pulp::Remove.new(:assumeyes => true))
       add_step(Procedures::Service::Stop.new)
     end
   end
 
   class Migrations < Abstract
     upgrade_metadata do
-      description 'Migration scripts to Capsule 7.0'
+      description 'Migration scripts to Capsule 6.11'
       tags :migrations
     end
 
@@ -54,7 +55,7 @@ module Scenarios::Capsule_7_0
     end
 
     def compose
-      add_step(Procedures::Repositories::Setup.new(:version => '7.0'))
+      add_step(Procedures::Repositories::Setup.new(:version => '6.11'))
       add_step(Procedures::Packages::UnlockVersions.new)
       add_step(Procedures::Packages::Update.new(:assumeyes => true))
       add_step_with_context(Procedures::Installer::Upgrade)
@@ -63,7 +64,7 @@ module Scenarios::Capsule_7_0
 
   class PostMigrations < Abstract
     upgrade_metadata do
-      description 'Procedures after migrating to Capsule 7.0'
+      description 'Procedures after migrating to Capsule 6.11'
       tags :post_migrations
     end
 
@@ -76,7 +77,7 @@ module Scenarios::Capsule_7_0
 
   class PostUpgradeChecks < Abstract
     upgrade_metadata do
-      description 'Checks after upgrading to Capsule 7.0'
+      description 'Checks after upgrading to Capsule 6.11'
       tags :post_upgrade_checks
       run_strategy :fail_slow
     end

data/definitions/scenarios/{upgrade_to_capsule_7_0_z.rb → upgrade_to_capsule_6_11_z.rb}

@@ -1,25 +1,25 @@
-module Scenarios::Capsule_7_0_z
+module Scenarios::Capsule_6_11_z
   class Abstract < ForemanMaintain::Scenario
     def self.upgrade_metadata(&block)
       metadata do
         tags :upgrade_scenario
         confine do
           feature(:capsule) &&
-            (feature(:capsule).current_minor_version == '7.0' || \
-              ForemanMaintain.upgrade_in_progress == '7.0.z')
+            (feature(:capsule).current_minor_version == '6.11' || \
+              ForemanMaintain.upgrade_in_progress == '6.11.z')
         end
         instance_eval(&block)
       end
     end
 
     def target_version
-      '7.0.z'
+      '6.11.z'
     end
   end
 
   class PreUpgradeCheck < Abstract
     upgrade_metadata do
-      description 'Checks before upgrading to Capsule 7.0.z'
+      description 'Checks before upgrading to Capsule 6.11.z'
       tags :pre_upgrade_checks
       run_strategy :fail_slow
     end
@@ -27,13 +27,13 @@ module Scenarios::Capsule_7_0_z
     def compose
       add_steps(find_checks(:default))
       add_steps(find_checks(:pre_upgrade))
-      add_step(Checks::Repositories::Validate.new(:version => '7.0'))
+      add_step(Checks::Repositories::Validate.new(:version => '6.11'))
     end
   end
 
   class PreMigrations < Abstract
     upgrade_metadata do
-      description 'Procedures before migrating to Capsule 7.0.z'
+      description 'Procedures before migrating to Capsule 6.11.z'
       tags :pre_migrations
     end
 
@@ -45,7 +45,7 @@ module Scenarios::Capsule_7_0_z
 
   class Migrations < Abstract
     upgrade_metadata do
-      description 'Migration scripts to Capsule 7.0.z'
+      description 'Migration scripts to Capsule 6.11.z'
       tags :migrations
     end
 
@@ -54,7 +54,7 @@ module Scenarios::Capsule_7_0_z
     end
 
     def compose
-      add_step(Procedures::Repositories::Setup.new(:version => '7.0'))
+      add_step(Procedures::Repositories::Setup.new(:version => '6.11'))
       add_step(Procedures::Packages::UnlockVersions.new)
       add_step(Procedures::Packages::Update.new(:assumeyes => true))
       add_step_with_context(Procedures::Installer::Upgrade)
@@ -63,7 +63,7 @@ module Scenarios::Capsule_7_0_z
 
   class PostMigrations < Abstract
     upgrade_metadata do
-      description 'Procedures after migrating to Capsule 7.0.z'
+      description 'Procedures after migrating to Capsule 6.11.z'
       tags :post_migrations
     end
 
@@ -76,7 +76,7 @@ module Scenarios::Capsule_7_0_z
 
   class PostUpgradeChecks < Abstract
     upgrade_metadata do
-      description 'Checks after upgrading to Capsule 7.0.z'
+      description 'Checks after upgrading to Capsule 6.11.z'
       tags :post_upgrade_checks
       run_strategy :fail_slow
     end

data/definitions/scenarios/{upgrade_to_satellite_7_0.rb → upgrade_to_satellite_6_11.rb}

@@ -1,4 +1,4 @@
-module Scenarios::Satellite_7_0
+module Scenarios::Satellite_6_11
   class Abstract < ForemanMaintain::Scenario
     def self.upgrade_metadata(&block)
       metadata do
@@ -6,20 +6,20 @@ module Scenarios::Satellite_7_0
         confine do
           feature(:satellite) &&
             (feature(:satellite).current_minor_version == '6.10' || \
-            ForemanMaintain.upgrade_in_progress == '7.0')
+            ForemanMaintain.upgrade_in_progress == '6.11')
         end
         instance_eval(&block)
       end
     end
 
     def target_version
-      '7.0'
+      '6.11'
     end
   end
 
   class PreUpgradeCheck < Abstract
     upgrade_metadata do
-      description 'Checks before upgrading to Satellite 7.0'
+      description 'Checks before upgrading to Satellite 6.11'
       tags :pre_upgrade_checks
       run_strategy :fail_slow
     end
@@ -29,13 +29,13 @@ module Scenarios::Satellite_7_0
       add_steps(find_checks(:pre_upgrade))
 
       add_step(Checks::Foreman::CheckpointSegments)
-      add_step(Checks::Repositories::Validate.new(:version => '7.0'))
+      add_step(Checks::Repositories::Validate.new(:version => '6.11'))
     end
   end
 
   class PreMigrations < Abstract
     upgrade_metadata do
-      description 'Procedures before migrating to Satellite 7.0'
+      description 'Procedures before migrating to Satellite 6.11'
       tags :pre_migrations
     end
 
@@ -48,7 +48,7 @@ module Scenarios::Satellite_7_0
 
   class Migrations < Abstract
     upgrade_metadata do
-      description 'Migration scripts to Satellite 7.0'
+      description 'Migration scripts to Satellite 6.11'
       tags :migrations
       run_strategy :fail_fast
     end
@@ -58,7 +58,7 @@ module Scenarios::Satellite_7_0
     end
 
     def compose
-      add_step(Procedures::Repositories::Setup.new(:version => '7.0'))
+      add_step(Procedures::Repositories::Setup.new(:version => '6.11'))
       add_step(Procedures::Packages::UnlockVersions.new)
       add_step(Procedures::Packages::Update.new(:assumeyes => true))
       add_step_with_context(Procedures::Installer::Upgrade)
@@ -68,7 +68,7 @@ module Scenarios::Satellite_7_0
 
   class PostMigrations < Abstract
     upgrade_metadata do
-      description 'Procedures after migrating to Satellite 7.0'
+      description 'Procedures after migrating to Satellite 6.11'
       tags :post_migrations
     end
 
@@ -81,7 +81,7 @@ module Scenarios::Satellite_7_0
 
   class PostUpgradeChecks < Abstract
     upgrade_metadata do
-      description 'Checks after upgrading to Satellite 7.0'
+      description 'Checks after upgrading to Satellite 6.11'
       tags :post_upgrade_checks
       run_strategy :fail_slow
     end

data/definitions/scenarios/{upgrade_to_satellite_7_0_z.rb → upgrade_to_satellite_6_11_z.rb}

@@ -1,25 +1,25 @@
-module Scenarios::Satellite_7_0_z
+module Scenarios::Satellite_6_11_z
   class Abstract < ForemanMaintain::Scenario
     def self.upgrade_metadata(&block)
       metadata do
         tags :upgrade_scenario
         confine do
           feature(:satellite) &&
-            (feature(:satellite).current_minor_version == '7.0' || \
-            ForemanMaintain.upgrade_in_progress == '7.0.z')
+            (feature(:satellite).current_minor_version == '6.11' || \
+            ForemanMaintain.upgrade_in_progress == '6.11.z')
         end
         instance_eval(&block)
       end
     end
 
     def target_version
-      '7.0.z'
+      '6.11.z'
     end
   end
 
   class PreUpgradeCheck < Abstract
     upgrade_metadata do
-      description 'Checks before upgrading to Satellite 7.0.z'
+      description 'Checks before upgrading to Satellite 6.11.z'
       tags :pre_upgrade_checks
       run_strategy :fail_slow
     end
@@ -27,13 +27,13 @@ module Scenarios::Satellite_7_0_z
     def compose
       add_steps(find_checks(:default))
       add_steps(find_checks(:pre_upgrade))
-      add_step(Checks::Repositories::Validate.new(:version => '7.0'))
+      add_step(Checks::Repositories::Validate.new(:version => '6.11'))
     end
   end
 
   class PreMigrations < Abstract
     upgrade_metadata do
-      description 'Procedures before migrating to Satellite 7.0.z'
+      description 'Procedures before migrating to Satellite 6.11.z'
       tags :pre_migrations
     end
 
@@ -45,7 +45,7 @@ module Scenarios::Satellite_7_0_z
 
   class Migrations < Abstract
     upgrade_metadata do
-      description 'Migration scripts to Satellite 7.0.z'
+      description 'Migration scripts to Satellite 6.11.z'
       tags :migrations
     end
 
@@ -54,7 +54,7 @@ module Scenarios::Satellite_7_0_z
     end
 
     def compose
-      add_step(Procedures::Repositories::Setup.new(:version => '7.0'))
+      add_step(Procedures::Repositories::Setup.new(:version => '6.11'))
       add_step(Procedures::Packages::UnlockVersions.new)
       add_step(Procedures::Packages::Update.new(:assumeyes => true))
       add_step_with_context(Procedures::Installer::Upgrade)
@@ -64,7 +64,7 @@ module Scenarios::Satellite_7_0_z
 
   class PostMigrations < Abstract
     upgrade_metadata do
-      description 'Procedures after migrating to Satellite 7.0.z'
+      description 'Procedures after migrating to Satellite 6.11.z'
       tags :post_migrations
     end
 
@@ -77,7 +77,7 @@ module Scenarios::Satellite_7_0_z
 
   class PostUpgradeChecks < Abstract
     upgrade_metadata do
-      description 'Checks after upgrading to Satellite 7.0.z'
+      description 'Checks after upgrading to Satellite 6.11.z'
       tags :post_upgrade_checks
       run_strategy :fail_slow
     end

data/lib/foreman_maintain/cli/content_command.rb

@@ -54,6 +54,16 @@ module ForemanMaintain
           )
         end
       end
+
+      subcommand 'fix-pulpcore-artifact-ownership',
+                 'Update filesystem ownership for Pulpcore artifacts' do
+        interactive_option(%w[assumeyes plaintext])
+        def execute
+          run_scenarios_and_exit(
+            Scenarios::Content::FixPulpcoreArtifactOwnership.new(:assumeyes => assumeyes?)
+          )
+        end
+      end
     end
   end
 end

data/lib/foreman_maintain/cli/self_upgrade_command.rb

@@ -1,38 +1,23 @@
 module ForemanMaintain
   module Cli
     class SelfUpgradeCommand < Base
-      option ['--target-version'], 'TARGET_VERSION',\
-             'Major version of the Satellite or Capsule'\
-           	', e.g 7.0', :required => true
+      option ['--maintenance-repo-label'], 'REPOSITORY_LABEL',\
+             'Repository label from which packages should be updated.'\
+             'This can be used when standard CDN repositories are unavailable.'
       def execute
-        allow_major_version_upgrade_only
         run_scenario(upgrade_scenario, upgrade_rescue_scenario)
       end
 
       def upgrade_scenario
-        Scenarios::SelfUpgrade.new(target_version: target_version)
+        Scenarios::SelfUpgrade.new(
+          maintenance_repo_label: maintenance_repo_label
+        )
       end
 
       def upgrade_rescue_scenario
-        Scenarios::SelfUpgradeRescue.new(target_version: target_version)
-      end
-
-      def current_downstream_version
-        ForemanMaintain.detector.feature(:instance).downstream.current_version
-      end
-
-      def allow_major_version_upgrade_only
-        begin
-          next_version = Gem::Version.new(target_version)
-        rescue ArgumentError => err
-          raise Error::UsageError, "Invalid version! #{err}"
-        end
-        if current_downstream_version >= next_version
-          message = "The target-version #{target_version} should be "\
-                    "greater than existing version #{current_downstream_version},"\
-                    "\nand self-upgrade should be used for major version upgrades only!"
-          raise Error::UsageError, message
-        end
+        Scenarios::SelfUpgradeRescue.new(
+          maintenance_repo_label: maintenance_repo_label
+        )
       end
     end
   end

data/lib/foreman_maintain/concerns/downstream.rb

@@ -116,7 +116,7 @@ module ForemanMaintain
       end
 
       def common_repos(full_version)
-        sat_maint_version = if version(full_version) >= version('7.0') && !use_beta_repos?
+        sat_maint_version = if version(full_version) >= version('6.11') && !use_beta_repos?
                               full_version
                             else
                               full_version[0]

data/lib/foreman_maintain/concerns/firewall/iptables_maintenance_mode.rb

@@ -0,0 +1,28 @@
+module ForemanMaintain
+  module Concerns
+    module Firewall
+      module IptablesMaintenanceMode
+        def disable_maintenance_mode
+          remove_chain(custom_chain_name)
+        end
+
+        def enable_maintenance_mode
+          add_chain(custom_chain_name,
+                    ['-i lo -j ACCEPT', '-p tcp --dport 443 -j REJECT'])
+        end
+
+        def maintenance_mode_status?
+          chain_exist?(custom_chain_name)
+        end
+
+        def status_for_maintenance_mode
+          if maintenance_mode_status?
+            ['Iptables chain: present', []]
+          else
+            ['Iptables chain: absent', []]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/foreman_maintain/concerns/firewall/nftables_maintenance_mode.rb

@@ -0,0 +1,39 @@
+module ForemanMaintain
+  module Concerns
+    module Firewall
+      module NftablesMaintenanceMode
+        def disable_maintenance_mode
+          delete_table if table_exist?
+        end
+
+        def enable_maintenance_mode
+          unless table_exist?
+            add_table
+            add_chain(:chain_options => nftables_chain_options)
+            add_rule(rule: nftables_rule)
+          end
+        end
+
+        def maintenance_mode_status?
+          table_exist?
+        end
+
+        def nftables_chain_options
+          '{type filter hook input priority 0\\;}'
+        end
+
+        def nftables_rule
+          'tcp dport https reject'
+        end
+
+        def status_for_maintenance_mode
+          if table_exist?
+            ['Nftables table: present', []]
+          else
+            ['Nftables table: absent', []]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/foreman_maintain/version.rb

@@ -1,3 +1,3 @@
 module ForemanMaintain
-  VERSION = '1.0.4'.freeze
+  VERSION = '1.0.7'.freeze
 end

data/lib/foreman_maintain.rb

@@ -24,6 +24,8 @@ module ForemanMaintain
   require 'foreman_maintain/concerns/downstream'
   require 'foreman_maintain/concerns/primary_checks'
   require 'foreman_maintain/concerns/pulp_common'
+  require 'foreman_maintain/concerns/firewall/iptables_maintenance_mode'
+  require 'foreman_maintain/concerns/firewall/nftables_maintenance_mode'
   require 'foreman_maintain/top_level_modules'
   require 'foreman_maintain/yaml_storage'
   require 'foreman_maintain/config'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_maintain
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 1.0.7
 platform: ruby
 authors:
 - Ivan Nečas
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-03-09 00:00:00.000000000 Z
+date: 2022-04-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: clamp
@@ -206,6 +206,7 @@ files:
 - definitions/features/iptables.rb
 - definitions/features/katello.rb
 - definitions/features/mongo.rb
+- definitions/features/nftables.rb
 - definitions/features/pulp2.rb
 - definitions/features/pulpcore.rb
 - definitions/features/pulpcore_database.rb
@@ -244,6 +245,7 @@ files:
 - definitions/procedures/backup/snapshot/mount_pulpcore_db.rb
 - definitions/procedures/backup/snapshot/prepare_mount.rb
 - definitions/procedures/candlepin/delete_orphaned_records_from_env_content.rb
+- definitions/procedures/content/fix_pulpcore_artifact_permissions.rb
 - definitions/procedures/content/migration_reset.rb
 - definitions/procedures/content/migration_stats.rb
 - definitions/procedures/content/prepare.rb
@@ -267,9 +269,9 @@ files:
 - definitions/procedures/installer/run.rb
 - definitions/procedures/installer/upgrade.rb
 - definitions/procedures/installer/upgrade_rake_task.rb
-- definitions/procedures/iptables/add_maintenance_mode_chain.rb
-- definitions/procedures/iptables/remove_maintenance_mode_chain.rb
 - definitions/procedures/knowledge_base_article.rb
+- definitions/procedures/maintenance_mode/disable_maintenance_mode.rb
+- definitions/procedures/maintenance_mode/enable_maintenance_mode.rb
 - definitions/procedures/maintenance_mode/is_enabled.rb
 - definitions/procedures/packages/check_update.rb
 - definitions/procedures/packages/enable_version_locking.rb
@@ -332,14 +334,16 @@ files:
 - definitions/scenarios/services.rb
 - definitions/scenarios/upgrade_to_capsule_6_10.rb
 - definitions/scenarios/upgrade_to_capsule_6_10_z.rb
+- definitions/scenarios/upgrade_to_capsule_6_11.rb
+- definitions/scenarios/upgrade_to_capsule_6_11_z.rb
 - definitions/scenarios/upgrade_to_capsule_6_8.rb
 - definitions/scenarios/upgrade_to_capsule_6_8_z.rb
 - definitions/scenarios/upgrade_to_capsule_6_9.rb
 - definitions/scenarios/upgrade_to_capsule_6_9_z.rb
-- definitions/scenarios/upgrade_to_capsule_7_0.rb
-- definitions/scenarios/upgrade_to_capsule_7_0_z.rb
 - definitions/scenarios/upgrade_to_satellite_6_10.rb
 - definitions/scenarios/upgrade_to_satellite_6_10_z.rb
+- definitions/scenarios/upgrade_to_satellite_6_11.rb
+- definitions/scenarios/upgrade_to_satellite_6_11_z.rb
 - definitions/scenarios/upgrade_to_satellite_6_2.rb
 - definitions/scenarios/upgrade_to_satellite_6_2_z.rb
 - definitions/scenarios/upgrade_to_satellite_6_3.rb
@@ -356,8 +360,6 @@ files:
 - definitions/scenarios/upgrade_to_satellite_6_8_z.rb
 - definitions/scenarios/upgrade_to_satellite_6_9.rb
 - definitions/scenarios/upgrade_to_satellite_6_9_z.rb
-- definitions/scenarios/upgrade_to_satellite_7_0.rb
-- definitions/scenarios/upgrade_to_satellite_7_0_z.rb
 - extras/foreman-maintain.sh
 - extras/foreman_protector/foreman-protector.conf
 - extras/foreman_protector/foreman-protector.py
@@ -389,6 +391,8 @@ files:
 - lib/foreman_maintain/concerns/directory_marker.rb
 - lib/foreman_maintain/concerns/downstream.rb
 - lib/foreman_maintain/concerns/finders.rb
+- lib/foreman_maintain/concerns/firewall/iptables_maintenance_mode.rb
+- lib/foreman_maintain/concerns/firewall/nftables_maintenance_mode.rb
 - lib/foreman_maintain/concerns/hammer.rb
 - lib/foreman_maintain/concerns/logger.rb
 - lib/foreman_maintain/concerns/metadata.rb

data/definitions/procedures/iptables/add_maintenance_mode_chain.rb

@@ -1,15 +0,0 @@
-module Procedures::Iptables
-  class AddMaintenanceModeChain < ForemanMaintain::Procedure
-    metadata do
-      label :iptables_add_maintenance_mode_chain
-      for_feature :iptables
-      description 'Add maintenance_mode chain to iptables'
-      tags :pre_migrations, :maintenance_mode_on
-      after :sync_plans_disable
-    end
-
-    def run
-      feature(:iptables).add_maintenance_mode_chain
-    end
-  end
-end

data/definitions/procedures/iptables/remove_maintenance_mode_chain.rb

@@ -1,15 +0,0 @@
-module Procedures::Iptables
-  class RemoveMaintenanceModeChain < ForemanMaintain::Procedure
-    metadata do
-      label :iptables_remove_maintenance_mode_chain
-      for_feature :iptables
-      description 'Remove maintenance_mode chain from iptables'
-      tags :post_migrations, :maintenance_mode_off
-      after :sync_plans_enable
-    end
-
-    def run
-      feature(:iptables).remove_maintenance_mode_chain
-    end
-  end
-end