foreman_maintain 1.0.6 → 1.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 41c40d80a596e78552a9e066e6d769db4fe57cd9e7c7368a7d64cf21f68edefa
-  data.tar.gz: 4908652d3cc57dde9b08081b0d5fa20fac5cc9f8ab41f19778243a29b0963002
+  metadata.gz: d333d2c850308e6bf590acee0dfd55d4b257cdebebb7b148e4ef49fe48f001dd
+  data.tar.gz: eac9b73a13ff0f7829ddf0cea8380491884d6631e3d42ca42b9b88e76bbd4698
 SHA512:
-  metadata.gz: aa7003129978adaa2e1798c3fa191a5be628403b1d86df618bd92110829de5b8f0cd81a2f6c97b1df2befeeda693ba950acdf985c843482d2d027d333e771957
-  data.tar.gz: 1c16a69c401058063919df5c8b8a595a4b04d17c5662f93e12b9999bfa5e566f6276b1b4a1998ffb5a3d3f964af76a8275eae68554826a22b4aef8f3ca7b81fb
+  metadata.gz: 8f402842dfca9d32804e9825f9a7552c2eac13e81244b80436d46b51a79e8330ce208fcf91c9bf0d5d0bafd3b46ea868916bb54e6c3b8a486273cfed2cb672d2
+  data.tar.gz: 20f99acb920a6a6cd1496e3b9429f635dc24275ce9bd8a70bceb44202147cc8ce9f9930de631a3e0ffac3b80c80b2526ada9ce3e88fe4b690dff0d9fa6aa101c

data/definitions/checks/package_manager/yum/validate_yum_config.rb

@@ -41,9 +41,7 @@ module Checks::PackageManager
 
       def yum_config_options
         @yum_config_options ||= {
-          'exclude' => '^exclude\s*=\s*\S+.*$',
-          'clean_requirements_on_remove' =>
-            '^clean_requirements_on_remove\s*=\S*(1|yes|true)$'
+          'exclude' => '^exclude\s*=\s*\S+.*$'
         }
       end
     end

data/definitions/features/nftables.rb

@@ -25,12 +25,14 @@ class Features::Nftables < ForemanMaintain::Feature
     execute!("nft add chain #{family} #{table} #{chain} #{chain_options}")
   end
 
-  def add_rule(options = {})
+  def add_rules(options = {})
     family = options.fetch(:family, ip_family)
     table = options.fetch(:table, table_name)
     chain = options.fetch(:chain, chain_name)
-    rule = options.fetch(:rule) # needs validation
-    execute!("nft add rule #{family} #{table} #{chain} #{rule}")
+    rules = options.fetch(:rules) # needs validation
+    rules.each do |rule|
+      execute!("nft add rule #{family} #{table} #{chain} #{rule}")
+    end
   end
 
   def table_exist?(name = table_name)

data/definitions/procedures/content/prepare.rb

@@ -4,6 +4,7 @@ module Procedures::Content
       description 'Prepare content for Pulp 3'
       for_feature :pulpcore
       param :quiet, 'Keep the output on a single line', :flag => true, :default => false
+      do_not_whitelist
     end
 
     def run

data/definitions/procedures/content/switchover.rb

@@ -9,6 +9,7 @@ module Procedures::Content
       end
 
       param :skip_deb, 'Do not run debian options in installer.'
+      do_not_whitelist
     end
 
     def run

data/definitions/procedures/packages/lock_versions.rb

@@ -2,7 +2,9 @@ module Procedures::Packages
   class LockVersions < ForemanMaintain::Procedure
     metadata do
       description 'Lock packages'
-      preparation_steps { [Checks::VersionLockingEnabled.new] }
+      confine do
+        package_manager.version_locking_supported?
+      end
     end
 
     def run

data/definitions/procedures/packages/locking_status.rb

@@ -2,7 +2,9 @@ module Procedures::Packages
   class LockingStatus < ForemanMaintain::Procedure
     metadata do
       description 'Check status of version locking of packages'
-      preparation_steps { [Checks::VersionLockingEnabled.new] }
+      confine do
+        package_manager.version_locking_supported?
+      end
     end
 
     def run

data/definitions/procedures/packages/unlock_versions.rb

@@ -2,7 +2,9 @@ module Procedures::Packages
   class UnlockVersions < ForemanMaintain::Procedure
     metadata do
       description 'Unlock packages'
-      preparation_steps { [Checks::VersionLockingEnabled.new] }
+      confine do
+        package_manager.version_locking_supported?
+      end
     end
 
     def run

data/definitions/procedures/restore/candlepin_reset_migrations.rb

@@ -0,0 +1,14 @@
+module Procedures::Restore
+  class CandlepinResetMigrations < ForemanMaintain::Procedure
+    metadata do
+      description 'Ensure Candlepin runs all migrations after restoring the database'
+      confine do
+        feature(:candlepin_database)
+      end
+    end
+
+    def run
+      FileUtils.rm_f('/var/lib/candlepin/.puppet-candlepin-rpm-version')
+    end
+  end
+end

data/definitions/scenarios/restore.rb

@@ -46,7 +46,8 @@ module ForemanMaintain::Scenarios
       end
       restore_mongo_dump(backup)
       add_steps_with_context(Procedures::Pulp::Migrate,
-                             Procedures::Pulpcore::Migrate)
+                             Procedures::Pulpcore::Migrate,
+                             Procedures::Restore::CandlepinResetMigrations)
 
       add_steps_with_context(Procedures::Restore::RegenerateQueues) if backup.online_backup?
       add_steps_with_context(Procedures::Service::Start,

data/definitions/scenarios/self_upgrade.rb

@@ -13,15 +13,22 @@ module ForemanMaintain::Scenarios
     end
 
     def target_version
-      @target_version ||= context.get(:target_version)
+      current_full_version = feature(:instance).downstream.current_version
+      @target_version ||= current_full_version.bump
     end
 
     def current_version
       feature(:instance).downstream.current_minor_version
     end
 
+    def maintenance_repo_label
+      @maintenance_repo_label ||= context.get(:maintenance_repo_label)
+    end
+
     def maintenance_repo_id(version)
-      if (repo = ENV['maintenance_repo'])
+      if maintenance_repo_label
+        return maintenance_repo_label
+      elsif (repo = ENV['MAINTENANCE_REPO_LABEL'])
         return repo unless repo.empty?
       end
 
@@ -64,7 +71,9 @@ module ForemanMaintain::Scenarios
     end
 
     def use_rhsm?
-      if (repo = ENV['maintenance_repo'])
+      return false if maintenance_repo_label
+
+      if (repo = ENV['MAINTENANCE_REPO_LABEL'])
         return false unless repo.empty?
       end
 

data/extras/foreman_protector/dnf/foreman-protector.py

@@ -0,0 +1,77 @@
+import dnf
+import dnf.exceptions
+from dnfpluginscore import _, logger
+
+import configparser
+
+class ForemanProtector(dnf.Plugin):
+    name = 'foreman-protector'
+    config_name = 'foreman-protector'
+
+    def __init__(self,base,cli):
+        self.base = base
+        self.cli = cli
+
+    def _get_whitelist_file_url(self):
+        try:
+             parser = self.read_config(self.base.conf)
+        except Exception as e:
+            raise dnf.exceptions.Error(_("Parsing file failed: {}").format(str(e)))
+
+        if parser.has_section('main'):
+            fileurl = parser.get('main', 'whitelist')
+        else:
+            raise dnf.exceptions.Error(_('Incorrect plugin configuration!'))
+        return fileurl
+
+    def _load_whitelist(self):
+        fileurl = self._get_whitelist_file_url()
+        package_whitelist = set()
+        try:
+            if fileurl:
+                llfile = open(fileurl, 'r')
+                for line in llfile.readlines():
+                    if line.startswith('#') or line.strip() == '':
+                        continue
+
+                    package_whitelist.add(line.rstrip())
+                llfile.close()
+        except IOError as e:
+            raise dnf.exceptions.Error('Unable to read Foreman protector"s configuration: %s' % e)
+        return package_whitelist
+
+    def _add_obsoletes(self):
+        package_whitelist = self._load_whitelist()
+        final_query = self.base.sack.query()
+        if package_whitelist:
+        #  If anything obsoletes something that we have whitelisted ... then
+        # whitelist that too.
+            whitelist_query = self.base.sack.query().filterm(name=package_whitelist)
+            obsoletes_query = self.base.sack.query().filterm(obsoletes=list(whitelist_query))
+
+            final_query = whitelist_query.union(obsoletes_query)
+        return final_query
+
+    def sack(self):
+        whitelist_and_obsoletes = self._add_obsoletes()
+        all_available_packages = self.base.sack.query().available()
+        excluded_pkgs_query = all_available_packages.difference(whitelist_and_obsoletes)
+        total = len(excluded_pkgs_query)
+        logger.info(_('Reading Foreman protector configuration'))
+        self.base.sack.add_excludes(excluded_pkgs_query)
+
+        logger.info(_('*** Excluded total: %s' % total))
+        if total:
+            if total > 1:
+                suffix = 's'
+            else:
+                suffix = ''
+            logger.info(_('\n'
+                            'WARNING: Excluding %d package%s due to foreman-protector. \n'
+                            'Use foreman-maintain packages install/update <package> \n'
+                            'to safely install packages without restrictions.\n'
+                            'Use foreman-maintain upgrade run for full upgrade.\n'
+                            % (total, suffix)))
+        else:
+            logger.info(_('\n'
+                            'Nothing excluded by foreman-protector!\n'))

data/extras/foreman_protector/foreman-protector.whitelist

@@ -17,5 +17,8 @@ boost-random
 boost-iostreams
 boost-thread
 yum-utils
+# el8 yum-utils dependencies
+dnf-plugins-core
+python3-dnf-plugins-core
 # foreman-maintain
 rubygem-foreman_maintain

data/lib/foreman_maintain/cli/self_upgrade_command.rb

@@ -1,38 +1,23 @@
 module ForemanMaintain
   module Cli
     class SelfUpgradeCommand < Base
-      option ['--target-version'], 'TARGET_VERSION',\
-             'Major version of the Satellite or Capsule'\
-             ', e.g 6.11', :required => true
+      option ['--maintenance-repo-label'], 'REPOSITORY_LABEL',\
+             'Repository label from which packages should be updated.'\
+             'This can be used when standard CDN repositories are unavailable.'
       def execute
-        allow_major_version_upgrade_only
         run_scenario(upgrade_scenario, upgrade_rescue_scenario)
       end
 
       def upgrade_scenario
-        Scenarios::SelfUpgrade.new(target_version: target_version)
+        Scenarios::SelfUpgrade.new(
+          maintenance_repo_label: maintenance_repo_label
+        )
       end
 
       def upgrade_rescue_scenario
-        Scenarios::SelfUpgradeRescue.new(target_version: target_version)
-      end
-
-      def current_downstream_version
-        ForemanMaintain.detector.feature(:instance).downstream.current_version
-      end
-
-      def allow_major_version_upgrade_only
-        begin
-          next_version = Gem::Version.new(target_version)
-        rescue ArgumentError => err
-          raise Error::UsageError, "Invalid version! #{err}"
-        end
-        if current_downstream_version >= next_version
-          message = "The target-version #{target_version} should be "\
-                    "greater than existing version #{current_downstream_version},"\
-                    "\nand self-upgrade should be used for major version upgrades only!"
-          raise Error::UsageError, message
-        end
+        Scenarios::SelfUpgradeRescue.new(
+          maintenance_repo_label: maintenance_repo_label
+        )
       end
     end
   end

data/lib/foreman_maintain/concerns/firewall/nftables_maintenance_mode.rb

@@ -10,7 +10,7 @@ module ForemanMaintain
           unless table_exist?
             add_table
             add_chain(:chain_options => nftables_chain_options)
-            add_rule(rule: nftables_rule)
+            add_rules(rules: nftables_rules)
           end
         end
 
@@ -22,8 +22,8 @@ module ForemanMaintain
           '{type filter hook input priority 0\\;}'
         end
 
-        def nftables_rule
-          'tcp dport https reject'
+        def nftables_rules
+          ['iifname "lo" accept', 'tcp dport 443 reject']
         end
 
         def status_for_maintenance_mode

data/lib/foreman_maintain/concerns/metadata.rb

@@ -100,6 +100,10 @@ module ForemanMaintain
           @data[:advanced_run] = advanced_run
         end
 
+        def do_not_whitelist
+          @data[:do_not_whitelist] = true
+        end
+
         def self.eval_dsl(metadata, &block)
           new(metadata).tap do |dsl|
             dsl.instance_eval(&block)

data/lib/foreman_maintain/package_manager/base.rb

@@ -1,13 +1,8 @@
 module ForemanMaintain::PackageManager
   # rubocop:disable Lint/UnusedMethodArgument
   class Base
-    # check tools are installed and enabled
-    def version_locking_enabled?
-      raise NotImplementedError
-    end
-
-    # make sure the version locking tools are configured
-    def install_version_locking(assumeyes: false)
+    # confirms that Package Manager supports the locking mechanism
+    def version_locking_supported?
       raise NotImplementedError
     end
 

data/lib/foreman_maintain/package_manager/dnf.rb

@@ -5,6 +5,10 @@ module ForemanMaintain::PackageManager
       super
     end
 
+    def version_locking_supported?
+      true
+    end
+
     private
 
     def dnf_action(action, packages, with_status: false, assumeyes: false)

data/lib/foreman_maintain/package_manager/yum.rb

@@ -2,7 +2,6 @@ module ForemanMaintain::PackageManager
   class Yum < Base
     PROTECTOR_CONFIG_FILE = '/etc/yum/pluginconf.d/foreman-protector.conf'.freeze
     PROTECTOR_WHITELIST_FILE = '/etc/yum/pluginconf.d/foreman-protector.whitelist'.freeze
-    PROTECTOR_PLUGIN_FILE = '/usr/lib/yum-plugins/foreman-protector.py'.freeze
 
     def self.parse_envra(envra)
       # envra format: 0:foreman-1.20.1.10-1.el7sat.noarch
@@ -19,18 +18,17 @@ module ForemanMaintain::PackageManager
     end
 
     def versions_locked?
-      !!(protector_config =~ /^\s*enabled\s*=\s*1/)
+      !!(protector_config =~ /^\s*enabled\s*=\s*1/) &&
+        protector_whitelist_file_nonzero?
     end
 
-    def version_locking_enabled?
-      File.exist?(PROTECTOR_PLUGIN_FILE) && File.exist?(PROTECTOR_CONFIG_FILE) &&
-        File.exist?(PROTECTOR_WHITELIST_FILE)
+    def protector_whitelist_file_nonzero?
+      File.exist?(PROTECTOR_WHITELIST_FILE) &&
+        !File.zero?(PROTECTOR_WHITELIST_FILE)
     end
 
-    def install_version_locking(*)
-      install_extras('foreman_protector/foreman-protector.py', PROTECTOR_PLUGIN_FILE)
-      install_extras('foreman_protector/foreman-protector.conf', PROTECTOR_CONFIG_FILE)
-      install_extras('foreman_protector/foreman-protector.whitelist', PROTECTOR_WHITELIST_FILE)
+    def version_locking_supported?
+      true
     end
 
     def installed?(packages)
@@ -49,6 +47,10 @@ module ForemanMaintain::PackageManager
       yum_action('install', packages, :assumeyes => assumeyes)
     end
 
+    def reinstall(packages, assumeyes: false)
+      yum_action('reinstall', packages, :assumeyes => assumeyes)
+    end
+
     def remove(packages, assumeyes: false)
       yum_action('remove', packages, :assumeyes => assumeyes)
     end
@@ -129,14 +131,5 @@ module ForemanMaintain::PackageManager
                      :interactive => !assumeyes, :valid_exit_statuses => valid_exit_statuses)
       end
     end
-
-    def install_extras(src, dest, override: false)
-      extras_src = File.expand_path('../../../../extras', __FILE__)
-      if override ||
-         (File.directory?(dest) && !File.exist?(File.join(dest, src))) ||
-         !File.exist?(dest)
-        FileUtils.cp(File.join(extras_src, src), dest)
-      end
-    end
   end
 end

data/lib/foreman_maintain/reporter/cli_reporter.rb

@@ -317,7 +317,11 @@ module ForemanMaintain
 
         steps_with_error = scenario.steps_with_error(:whitelisted => false)
         steps_with_skipped = scenario.steps_with_skipped(:whitelisted => true)
-        steps_to_whitelist = steps_with_error + steps_with_skipped
+        not_skippable_steps = scenario.steps_with_error.select do |step|
+          step.metadata[:do_not_whitelist] == true
+        end
+
+        steps_to_whitelist = steps_with_error + steps_with_skipped - not_skippable_steps
         unless steps_with_error.empty?
           message << format(<<-MESSAGE.strip_heredoc, format_steps(steps_with_error, "\n", 2))
           The following steps ended up in failing state:
@@ -325,11 +329,25 @@ module ForemanMaintain
           %s
           MESSAGE
           whitelist_labels = steps_to_whitelist.map(&:label_dashed).join(',')
-          recommend << format(<<-MESSAGE.strip_heredoc, whitelist_labels)
-          Resolve the failed steps and rerun
-          the command. In case the failures are false positives,
-          use --whitelist="%s"
-          MESSAGE
+          unless whitelist_labels.empty?
+            recommend << if scenario.detector.feature(:instance).downstream
+                           format(<<-MESSAGE.strip_heredoc, whitelist_labels)
+              Resolve the failed steps and rerun the command.
+
+              If the situation persists and, you are unclear what to do next,
+              contact Red Hat Technical Support.
+
+              In case the failures are false positives, use
+              --whitelist="%s"
+              MESSAGE
+                         else
+                           format(<<-MESSAGE.strip_heredoc, whitelist_labels)
+              Resolve the failed steps and rerun the command.
+              In case the failures are false positives, use
+              --whitelist="%s"
+              MESSAGE
+                         end
+          end
         end
 
         steps_with_warning = scenario.steps_with_warning(:whitelisted => false)

data/lib/foreman_maintain/version.rb

@@ -1,3 +1,3 @@
 module ForemanMaintain
-  VERSION = '1.0.6'.freeze
+  VERSION = '1.0.9'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_maintain
 version: !ruby/object:Gem::Version
-  version: 1.0.6
+  version: 1.0.9
 platform: ruby
 authors:
 - Ivan Nečas
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-03-30 00:00:00.000000000 Z
+date: 2022-05-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: clamp
@@ -184,7 +184,6 @@ files:
 - definitions/checks/server_ping.rb
 - definitions/checks/services_up.rb
 - definitions/checks/system_registration.rb
-- definitions/checks/version_locking_enabled.rb
 - definitions/features/apache.rb
 - definitions/features/candlepin.rb
 - definitions/features/candlepin_database.rb
@@ -274,7 +273,6 @@ files:
 - definitions/procedures/maintenance_mode/enable_maintenance_mode.rb
 - definitions/procedures/maintenance_mode/is_enabled.rb
 - definitions/procedures/packages/check_update.rb
-- definitions/procedures/packages/enable_version_locking.rb
 - definitions/procedures/packages/install.rb
 - definitions/procedures/packages/installer_confirmation.rb
 - definitions/procedures/packages/lock_versions.rb
@@ -299,6 +297,7 @@ files:
 - definitions/procedures/repositories/enable.rb
 - definitions/procedures/repositories/setup.rb
 - definitions/procedures/restore/candlepin_dump.rb
+- definitions/procedures/restore/candlepin_reset_migrations.rb
 - definitions/procedures/restore/configs.rb
 - definitions/procedures/restore/confirmation.rb
 - definitions/procedures/restore/drop_databases.rb
@@ -361,9 +360,10 @@ files:
 - definitions/scenarios/upgrade_to_satellite_6_9.rb
 - definitions/scenarios/upgrade_to_satellite_6_9_z.rb
 - extras/foreman-maintain.sh
+- extras/foreman_protector/dnf/foreman-protector.py
 - extras/foreman_protector/foreman-protector.conf
-- extras/foreman_protector/foreman-protector.py
 - extras/foreman_protector/foreman-protector.whitelist
+- extras/foreman_protector/yum/foreman-protector.py
 - extras/passenger-recycler.cron
 - lib/foreman_maintain.rb
 - lib/foreman_maintain/check.rb

data/definitions/checks/version_locking_enabled.rb

@@ -1,14 +0,0 @@
-module Checks
-  class VersionLockingEnabled < ForemanMaintain::Check
-    metadata do
-      description 'Check if tooling for package locking is installed'
-    end
-
-    def run
-      enabled = package_manager.version_locking_enabled?
-      enable_locking = Procedures::Packages::EnableVersionLocking.new(:assumeyes => assumeyes?)
-      assert(enabled, 'Tools for package version locking are not available on this system',
-             :next_steps => enable_locking)
-    end
-  end
-end

data/definitions/procedures/packages/enable_version_locking.rb

@@ -1,12 +0,0 @@
-module Procedures::Packages
-  class EnableVersionLocking < ForemanMaintain::Procedure
-    metadata do
-      description 'Install and configure tools for version locking'
-      param :assumeyes, 'Do not ask for confirmation'
-    end
-
-    def run
-      package_manager.install_version_locking(:assumeyes => @assumeyes)
-    end
-  end
-end