foreman_maintain 1.0.7 → 1.0.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1db04c176ed0a5d5293dd9980db6c05e7f2c29c43f7da63d622e917c692d49ce
-  data.tar.gz: 2d41a5d195c217f7c7764b2543ed43ec3bacfac1339aad2162431052286775ca
+  metadata.gz: 6f3b029d12907c373c22b065792200ff3c8087051d1d3573da149124c4a7b9d4
+  data.tar.gz: d70220606c7f0c5af7ea9115b16d5f9cb248765f2420f01f72482031495dc980
 SHA512:
-  metadata.gz: d321a63d2e313db2694dbd70c138c498c829843b5ac891d33e91969a682494f94971b1411dbe81228f1e049bfb35b3a3ba2dc9c59d08629aa4297baff20210ad
-  data.tar.gz: a53ce7c727dbbf92d7257e7024587ba33a1e7db9b27c17fccf5e3ecc9ede63173bdcbcef2cd7f51173a3d88df661b6dd2e0f68fab05ea0983b8f657e9f02beae
+  metadata.gz: 657e8536192d1fa4ac0a9ec16161a1ce128e9747a827ea4d87869049f35d1cae8683a691efd3ab629b82fdc3ca1251153768cf208444daa412780061f0fb0862
+  data.tar.gz: '039b4a5cb9389ca78a2497f05e14bfb2ee9e7f1f4298025ee254cbbc02f4317f4bdfe9a5e71722e6bfb75e4b6679d3473fe7d080d9f55d811fe1d554549b2da1'

data/definitions/checks/package_manager/yum/validate_yum_config.rb

@@ -41,9 +41,7 @@ module Checks::PackageManager
 
       def yum_config_options
         @yum_config_options ||= {
-          'exclude' => '^exclude\s*=\s*\S+.*$',
-          'clean_requirements_on_remove' =>
-            '^clean_requirements_on_remove\s*=\S*(1|yes|true)$'
+          'exclude' => '^exclude\s*=\s*\S+.*$'
         }
       end
     end

data/definitions/features/installer.rb

@@ -64,7 +64,9 @@ class Features::Installer < ForemanMaintain::Feature
   def config_files
     Dir.glob(File.join(config_directory, '**/*')) +
       [
-        '/usr/local/bin/validate_postgresql_connection.sh'
+        '/usr/local/bin/validate_postgresql_connection.sh',
+        '/opt/puppetlabs/puppet/cache/foreman_cache_data',
+        '/opt/puppetlabs/puppet/cache/pulpcore_cache_data'
       ]
   end
 

data/definitions/features/nftables.rb

@@ -25,12 +25,14 @@ class Features::Nftables < ForemanMaintain::Feature
     execute!("nft add chain #{family} #{table} #{chain} #{chain_options}")
   end
 
-  def add_rule(options = {})
+  def add_rules(options = {})
     family = options.fetch(:family, ip_family)
     table = options.fetch(:table, table_name)
     chain = options.fetch(:chain, chain_name)
-    rule = options.fetch(:rule) # needs validation
-    execute!("nft add rule #{family} #{table} #{chain} #{rule}")
+    rules = options.fetch(:rules) # needs validation
+    rules.each do |rule|
+      execute!("nft add rule #{family} #{table} #{chain} #{rule}")
+    end
   end
 
   def table_exist?(name = table_name)

data/definitions/features/puppet_server.rb

@@ -11,8 +11,6 @@ class Features::PuppetServer < ForemanMaintain::Feature
     [
       '/etc/puppet',
       '/etc/puppetlabs',
-      '/opt/puppetlabs/puppet/cache/foreman_cache_data',
-      '/var/lib/puppet/foreman_cache_data',
       '/opt/puppetlabs/puppet/ssl/',
       '/var/lib/puppet/ssl',
       '/var/lib/puppet',

data/definitions/procedures/content/prepare.rb

@@ -4,6 +4,7 @@ module Procedures::Content
       description 'Prepare content for Pulp 3'
       for_feature :pulpcore
       param :quiet, 'Keep the output on a single line', :flag => true, :default => false
+      do_not_whitelist
     end
 
     def run

data/definitions/procedures/content/switchover.rb

@@ -9,6 +9,7 @@ module Procedures::Content
       end
 
       param :skip_deb, 'Do not run debian options in installer.'
+      do_not_whitelist
     end
 
     def run

data/definitions/procedures/packages/lock_versions.rb

@@ -2,7 +2,9 @@ module Procedures::Packages
   class LockVersions < ForemanMaintain::Procedure
     metadata do
       description 'Lock packages'
-      preparation_steps { [Checks::VersionLockingEnabled.new] }
+      confine do
+        package_manager.version_locking_supported?
+      end
     end
 
     def run

data/definitions/procedures/packages/locking_status.rb

@@ -2,7 +2,9 @@ module Procedures::Packages
   class LockingStatus < ForemanMaintain::Procedure
     metadata do
       description 'Check status of version locking of packages'
-      preparation_steps { [Checks::VersionLockingEnabled.new] }
+      confine do
+        package_manager.version_locking_supported?
+      end
     end
 
     def run

data/definitions/procedures/packages/unlock_versions.rb

@@ -2,7 +2,9 @@ module Procedures::Packages
   class UnlockVersions < ForemanMaintain::Procedure
     metadata do
       description 'Unlock packages'
-      preparation_steps { [Checks::VersionLockingEnabled.new] }
+      confine do
+        package_manager.version_locking_supported?
+      end
     end
 
     def run

data/definitions/procedures/restore/candlepin_reset_migrations.rb

@@ -0,0 +1,14 @@
+module Procedures::Restore
+  class CandlepinResetMigrations < ForemanMaintain::Procedure
+    metadata do
+      description 'Ensure Candlepin runs all migrations after restoring the database'
+      confine do
+        feature(:candlepin_database)
+      end
+    end
+
+    def run
+      FileUtils.rm_f('/var/lib/candlepin/.puppet-candlepin-rpm-version')
+    end
+  end
+end

data/definitions/scenarios/restore.rb

@@ -46,7 +46,8 @@ module ForemanMaintain::Scenarios
       end
       restore_mongo_dump(backup)
       add_steps_with_context(Procedures::Pulp::Migrate,
-                             Procedures::Pulpcore::Migrate)
+                             Procedures::Pulpcore::Migrate,
+                             Procedures::Restore::CandlepinResetMigrations)
 
       add_steps_with_context(Procedures::Restore::RegenerateQueues) if backup.online_backup?
       add_steps_with_context(Procedures::Service::Start,

data/definitions/scenarios/self_upgrade.rb

@@ -1,5 +1,6 @@
 module ForemanMaintain::Scenarios
   class SelfUpgradeBase < ForemanMaintain::Scenario
+    include ForemanMaintain::Concerns::Downstream
     def enabled_system_repos_id
       repository_manager.enabled_repos.keys
     end
@@ -67,7 +68,10 @@ module ForemanMaintain::Scenarios
 
     def repos_ids_to_reenable
       repos_ids_to_reenable = stored_enabled_repos_ids - all_maintenance_repos
-      repos_ids_to_reenable << maintenance_repo(maintenance_repo_version)
+      if use_rhsm?
+        repos_ids_to_reenable << maintenance_repo(maintenance_repo_version)
+      end
+      repos_ids_to_reenable
     end
 
     def use_rhsm?
@@ -79,6 +83,10 @@ module ForemanMaintain::Scenarios
 
       true
     end
+
+    def req_repos_to_update_pkgs
+      main_rh_repos + [maintenance_repo_id(target_version)]
+    end
   end
 
   class SelfUpgrade < SelfUpgradeBase
@@ -94,9 +102,10 @@ module ForemanMaintain::Scenarios
         pkgs_to_update = %w[satellite-maintain rubygem-foreman_maintain]
         add_step(Procedures::Repositories::BackupEnabledRepos.new)
         disable_repos
-        add_step(Procedures::Repositories::Enable.new(repos: [maintenance_repo_id(target_version)],
+        add_step(Procedures::Repositories::Enable.new(repos: req_repos_to_update_pkgs,
                                                       use_rhsm: use_rhsm?))
         add_step(Procedures::Packages::Update.new(packages: pkgs_to_update, assumeyes: true))
+        disable_repos('*')
         enable_repos(repos_ids_to_reenable)
       end
     end
@@ -113,6 +122,7 @@ module ForemanMaintain::Scenarios
 
     def compose
       if check_min_version('foreman', '2.5') || check_min_version('foreman-proxy', '2.5')
+        disable_repos('*')
         enable_repos(repos_ids_to_reenable)
       end
     end

data/extras/foreman_protector/dnf/foreman-protector.py

@@ -0,0 +1,77 @@
+import dnf
+import dnf.exceptions
+from dnfpluginscore import _, logger
+
+import configparser
+
+class ForemanProtector(dnf.Plugin):
+    name = 'foreman-protector'
+    config_name = 'foreman-protector'
+
+    def __init__(self,base,cli):
+        self.base = base
+        self.cli = cli
+
+    def _get_whitelist_file_url(self):
+        try:
+             parser = self.read_config(self.base.conf)
+        except Exception as e:
+            raise dnf.exceptions.Error(_("Parsing file failed: {}").format(str(e)))
+
+        if parser.has_section('main'):
+            fileurl = parser.get('main', 'whitelist')
+        else:
+            raise dnf.exceptions.Error(_('Incorrect plugin configuration!'))
+        return fileurl
+
+    def _load_whitelist(self):
+        fileurl = self._get_whitelist_file_url()
+        package_whitelist = set()
+        try:
+            if fileurl:
+                llfile = open(fileurl, 'r')
+                for line in llfile.readlines():
+                    if line.startswith('#') or line.strip() == '':
+                        continue
+
+                    package_whitelist.add(line.rstrip())
+                llfile.close()
+        except IOError as e:
+            raise dnf.exceptions.Error('Unable to read Foreman protector"s configuration: %s' % e)
+        return package_whitelist
+
+    def _add_obsoletes(self):
+        package_whitelist = self._load_whitelist()
+        final_query = self.base.sack.query()
+        if package_whitelist:
+        #  If anything obsoletes something that we have whitelisted ... then
+        # whitelist that too.
+            whitelist_query = self.base.sack.query().filterm(name=package_whitelist)
+            obsoletes_query = self.base.sack.query().filterm(obsoletes=list(whitelist_query))
+
+            final_query = whitelist_query.union(obsoletes_query)
+        return final_query
+
+    def sack(self):
+        whitelist_and_obsoletes = self._add_obsoletes()
+        all_available_packages = self.base.sack.query().available()
+        excluded_pkgs_query = all_available_packages.difference(whitelist_and_obsoletes)
+        total = len(excluded_pkgs_query)
+        logger.info(_('Reading Foreman protector configuration'))
+        self.base.sack.add_excludes(excluded_pkgs_query)
+
+        logger.info(_('*** Excluded total: %s' % total))
+        if total:
+            if total > 1:
+                suffix = 's'
+            else:
+                suffix = ''
+            logger.info(_('\n'
+                            'WARNING: Excluding %d package%s due to foreman-protector. \n'
+                            'Use foreman-maintain packages install/update <package> \n'
+                            'to safely install packages without restrictions.\n'
+                            'Use foreman-maintain upgrade run for full upgrade.\n'
+                            % (total, suffix)))
+        else:
+            logger.info(_('\n'
+                            'Nothing excluded by foreman-protector!\n'))

data/extras/foreman_protector/foreman-protector.whitelist

@@ -17,5 +17,8 @@ boost-random
 boost-iostreams
 boost-thread
 yum-utils
+# el8 yum-utils dependencies
+dnf-plugins-core
+python3-dnf-plugins-core
 # foreman-maintain
 rubygem-foreman_maintain

data/lib/foreman_maintain/concerns/firewall/nftables_maintenance_mode.rb

@@ -10,7 +10,7 @@ module ForemanMaintain
           unless table_exist?
             add_table
             add_chain(:chain_options => nftables_chain_options)
-            add_rule(rule: nftables_rule)
+            add_rules(rules: nftables_rules)
           end
         end
 
@@ -22,8 +22,8 @@ module ForemanMaintain
           '{type filter hook input priority 0\\;}'
         end
 
-        def nftables_rule
-          'tcp dport https reject'
+        def nftables_rules
+          ['iifname "lo" accept', 'tcp dport 443 reject']
         end
 
         def status_for_maintenance_mode

data/lib/foreman_maintain/concerns/metadata.rb

@@ -100,6 +100,10 @@ module ForemanMaintain
           @data[:advanced_run] = advanced_run
         end
 
+        def do_not_whitelist
+          @data[:do_not_whitelist] = true
+        end
+
         def self.eval_dsl(metadata, &block)
           new(metadata).tap do |dsl|
             dsl.instance_eval(&block)

data/lib/foreman_maintain/package_manager/base.rb

@@ -1,13 +1,8 @@
 module ForemanMaintain::PackageManager
   # rubocop:disable Lint/UnusedMethodArgument
   class Base
-    # check tools are installed and enabled
-    def version_locking_enabled?
-      raise NotImplementedError
-    end
-
-    # make sure the version locking tools are configured
-    def install_version_locking(assumeyes: false)
+    # confirms that Package Manager supports the locking mechanism
+    def version_locking_supported?
       raise NotImplementedError
     end
 

data/lib/foreman_maintain/package_manager/dnf.rb

@@ -5,6 +5,10 @@ module ForemanMaintain::PackageManager
       super
     end
 
+    def version_locking_supported?
+      true
+    end
+
     private
 
     def dnf_action(action, packages, with_status: false, assumeyes: false)

data/lib/foreman_maintain/package_manager/yum.rb

@@ -2,7 +2,6 @@ module ForemanMaintain::PackageManager
   class Yum < Base
     PROTECTOR_CONFIG_FILE = '/etc/yum/pluginconf.d/foreman-protector.conf'.freeze
     PROTECTOR_WHITELIST_FILE = '/etc/yum/pluginconf.d/foreman-protector.whitelist'.freeze
-    PROTECTOR_PLUGIN_FILE = '/usr/lib/yum-plugins/foreman-protector.py'.freeze
 
     def self.parse_envra(envra)
       # envra format: 0:foreman-1.20.1.10-1.el7sat.noarch
@@ -19,18 +18,17 @@ module ForemanMaintain::PackageManager
     end
 
     def versions_locked?
-      !!(protector_config =~ /^\s*enabled\s*=\s*1/)
+      !!(protector_config =~ /^\s*enabled\s*=\s*1/) &&
+        protector_whitelist_file_nonzero?
     end
 
-    def version_locking_enabled?
-      File.exist?(PROTECTOR_PLUGIN_FILE) && File.exist?(PROTECTOR_CONFIG_FILE) &&
-        File.exist?(PROTECTOR_WHITELIST_FILE)
+    def protector_whitelist_file_nonzero?
+      File.exist?(PROTECTOR_WHITELIST_FILE) &&
+        !File.zero?(PROTECTOR_WHITELIST_FILE)
     end
 
-    def install_version_locking(*)
-      install_extras('foreman_protector/foreman-protector.py', PROTECTOR_PLUGIN_FILE)
-      install_extras('foreman_protector/foreman-protector.conf', PROTECTOR_CONFIG_FILE)
-      install_extras('foreman_protector/foreman-protector.whitelist', PROTECTOR_WHITELIST_FILE)
+    def version_locking_supported?
+      true
     end
 
     def installed?(packages)
@@ -49,6 +47,10 @@ module ForemanMaintain::PackageManager
       yum_action('install', packages, :assumeyes => assumeyes)
     end
 
+    def reinstall(packages, assumeyes: false)
+      yum_action('reinstall', packages, :assumeyes => assumeyes)
+    end
+
     def remove(packages, assumeyes: false)
       yum_action('remove', packages, :assumeyes => assumeyes)
     end
@@ -129,14 +131,5 @@ module ForemanMaintain::PackageManager
                      :interactive => !assumeyes, :valid_exit_statuses => valid_exit_statuses)
       end
     end
-
-    def install_extras(src, dest, override: false)
-      extras_src = File.expand_path('../../../../extras', __FILE__)
-      if override ||
-         (File.directory?(dest) && !File.exist?(File.join(dest, src))) ||
-         !File.exist?(dest)
-        FileUtils.cp(File.join(extras_src, src), dest)
-      end
-    end
   end
 end

data/lib/foreman_maintain/reporter/cli_reporter.rb

@@ -317,7 +317,11 @@ module ForemanMaintain
 
         steps_with_error = scenario.steps_with_error(:whitelisted => false)
         steps_with_skipped = scenario.steps_with_skipped(:whitelisted => true)
-        steps_to_whitelist = steps_with_error + steps_with_skipped
+        not_skippable_steps = scenario.steps_with_error.select do |step|
+          step.metadata[:do_not_whitelist] == true
+        end
+
+        steps_to_whitelist = steps_with_error + steps_with_skipped - not_skippable_steps
         unless steps_with_error.empty?
           message << format(<<-MESSAGE.strip_heredoc, format_steps(steps_with_error, "\n", 2))
           The following steps ended up in failing state:
@@ -325,11 +329,25 @@ module ForemanMaintain
           %s
           MESSAGE
           whitelist_labels = steps_to_whitelist.map(&:label_dashed).join(',')
-          recommend << format(<<-MESSAGE.strip_heredoc, whitelist_labels)
-          Resolve the failed steps and rerun
-          the command. In case the failures are false positives,
-          use --whitelist="%s"
-          MESSAGE
+          unless whitelist_labels.empty?
+            recommend << if scenario.detector.feature(:instance).downstream
+                           format(<<-MESSAGE.strip_heredoc, whitelist_labels)
+              Resolve the failed steps and rerun the command.
+
+              If the situation persists and, you are unclear what to do next,
+              contact Red Hat Technical Support.
+
+              In case the failures are false positives, use
+              --whitelist="%s"
+              MESSAGE
+                         else
+                           format(<<-MESSAGE.strip_heredoc, whitelist_labels)
+              Resolve the failed steps and rerun the command.
+              In case the failures are false positives, use
+              --whitelist="%s"
+              MESSAGE
+                         end
+          end
         end
 
         steps_with_warning = scenario.steps_with_warning(:whitelisted => false)

data/lib/foreman_maintain/version.rb

@@ -1,3 +1,3 @@
 module ForemanMaintain
-  VERSION = '1.0.7'.freeze
+  VERSION = '1.0.10'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_maintain
 version: !ruby/object:Gem::Version
-  version: 1.0.7
+  version: 1.0.10
 platform: ruby
 authors:
 - Ivan Nečas
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-04-06 00:00:00.000000000 Z
+date: 2022-05-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: clamp
@@ -184,7 +184,6 @@ files:
 - definitions/checks/server_ping.rb
 - definitions/checks/services_up.rb
 - definitions/checks/system_registration.rb
-- definitions/checks/version_locking_enabled.rb
 - definitions/features/apache.rb
 - definitions/features/candlepin.rb
 - definitions/features/candlepin_database.rb
@@ -274,7 +273,6 @@ files:
 - definitions/procedures/maintenance_mode/enable_maintenance_mode.rb
 - definitions/procedures/maintenance_mode/is_enabled.rb
 - definitions/procedures/packages/check_update.rb
-- definitions/procedures/packages/enable_version_locking.rb
 - definitions/procedures/packages/install.rb
 - definitions/procedures/packages/installer_confirmation.rb
 - definitions/procedures/packages/lock_versions.rb
@@ -299,6 +297,7 @@ files:
 - definitions/procedures/repositories/enable.rb
 - definitions/procedures/repositories/setup.rb
 - definitions/procedures/restore/candlepin_dump.rb
+- definitions/procedures/restore/candlepin_reset_migrations.rb
 - definitions/procedures/restore/configs.rb
 - definitions/procedures/restore/confirmation.rb
 - definitions/procedures/restore/drop_databases.rb
@@ -361,9 +360,10 @@ files:
 - definitions/scenarios/upgrade_to_satellite_6_9.rb
 - definitions/scenarios/upgrade_to_satellite_6_9_z.rb
 - extras/foreman-maintain.sh
+- extras/foreman_protector/dnf/foreman-protector.py
 - extras/foreman_protector/foreman-protector.conf
-- extras/foreman_protector/foreman-protector.py
 - extras/foreman_protector/foreman-protector.whitelist
+- extras/foreman_protector/yum/foreman-protector.py
 - extras/passenger-recycler.cron
 - lib/foreman_maintain.rb
 - lib/foreman_maintain/check.rb

data/definitions/checks/version_locking_enabled.rb

@@ -1,14 +0,0 @@
-module Checks
-  class VersionLockingEnabled < ForemanMaintain::Check
-    metadata do
-      description 'Check if tooling for package locking is installed'
-    end
-
-    def run
-      enabled = package_manager.version_locking_enabled?
-      enable_locking = Procedures::Packages::EnableVersionLocking.new(:assumeyes => assumeyes?)
-      assert(enabled, 'Tools for package version locking are not available on this system',
-             :next_steps => enable_locking)
-    end
-  end
-end

data/definitions/procedures/packages/enable_version_locking.rb

@@ -1,12 +0,0 @@
-module Procedures::Packages
-  class EnableVersionLocking < ForemanMaintain::Procedure
-    metadata do
-      description 'Install and configure tools for version locking'
-      param :assumeyes, 'Do not ask for confirmation'
-    end
-
-    def run
-      package_manager.install_version_locking(:assumeyes => @assumeyes)
-    end
-  end
-end