RubyGems - foreman_maintain - Versions diffs - 1.0.4 → 1.0.5 - Mend

foreman_maintain 1.0.4 → 1.0.5

Files changed (20) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eee1f58199b0dd709acdfd9095292306de60d75d067edac09d28287caf323439
-  data.tar.gz: bd0b37c9668e6db36895a5a13b1568ea2cd171feacb670d5f5c912b9a7e7e7b6
+  metadata.gz: bda89886170f69276ffe2a0fcca046581c62096011e59251f199d451a6e49ddb
+  data.tar.gz: 5f63a1d69ab49281d15e1d4004f1726d9c7b45eccbeeaa0015615176c7973e01
 SHA512:
-  metadata.gz: 8c4117234bfaf93217d80f8f076b0187c59bb240fd3f8210867c41422d47c3a033d31c2eb2be61252303fe371ce1ab1c33d6f362576ed5a411d5c4c989b58c45
-  data.tar.gz: 97a10cdf47b6838eef3b7d79bc91849bc7d3f991e090f16d7a6a013b377b3a09e46c5ccd23de64f1520c080f7d1d56397468beb0bffe0a4d901e10c327356488
+  metadata.gz: a2e1859b3479357698652f5b448e97e9ebe4977b6f71a851efc7498ae8f9e622d4a0a69a6589a8206d00071129345bceacececf04133fb958f85924c9c5ba79b
+  data.tar.gz: 4db6f08840e3767357d0d57a9b32ff61779627e03118396ca41c99f2ea3f7ea355596e7d353dc1352b56290b7c4fc6b81a17bf74dad09cadf76b52af660cfc32

data/definitions/checks/maintenance_mode/check_consistency.rb CHANGED Viewed

@@ -22,11 +22,15 @@ module Checks::MaintenanceMode
     private
+    def firewall
+      @firewall ||= feature(:instance).firewall
+    end
     def verify_with_features
       procedure_arr = []
       feature_status_msgs = []
-      is_mode_on = feature(:iptables).maintenance_mode_chain_exist?
-      [:iptables, :sync_plans, :cron].each do |feature_name|
+      is_mode_on = firewall.maintenance_mode_status?
+      [firewall.label, :sync_plans, :cron].each do |feature_name|
         msg, procedures_to_run = send("check_for_#{feature_name}", is_mode_on)
         feature_status_msgs << msg
         procedure_arr.concat(procedures_to_run)
@@ -55,6 +59,10 @@ module Checks::MaintenanceMode
       feature(:iptables).status_for_maintenance_mode
     end
+    def check_for_nftables(_is_mode_on)
+      feature(:nftables).status_for_maintenance_mode
+    end
     def check_for_sync_plans(is_mode_on)
       feature(:sync_plans).status_for_maintenance_mode(is_mode_on)
     end

data/definitions/features/instance.rb CHANGED Viewed

@@ -70,6 +70,10 @@ class Features::Instance < ForemanMaintain::Feature
     feature(:pulp2) || feature(:pulpcore)
   end
+  def firewall
+    feature(:nftables) || feature(:iptables)
+  end
   private
   # rubocop:disable Metrics/MethodLength, Metrics/AbcSize

data/definitions/features/iptables.rb CHANGED Viewed

@@ -1,6 +1,10 @@
 class Features::Iptables < ForemanMaintain::Feature
+  include ForemanMaintain::Concerns::Firewall::IptablesMaintenanceMode
   metadata do
     label :iptables
+    confine do
+      find_package('iptables')
+    end
   end
   def add_chain(chain_name, rules, rule_chain = 'INPUT')
@@ -29,27 +33,6 @@ class Features::Iptables < ForemanMaintain::Feature
     execute?("iptables -L #{rule_chain} | tail -n +3 | grep '^#{target_name} '")
   end
-  def add_maintenance_mode_chain
-    add_chain(custom_chain_name,
-              ['-i lo -j ACCEPT', '-p tcp --dport 443 -j REJECT'])
-  end
-  def remove_maintenance_mode_chain
-    remove_chain(custom_chain_name)
-  end
-  def maintenance_mode_chain_exist?
-    chain_exist?(custom_chain_name)
-  end
-  def status_for_maintenance_mode
-    if maintenance_mode_chain_exist?
-      ['Iptables chain: present', []]
-    else
-      ['Iptables chain: absent', []]
-    end
-  end
   private
   def custom_chain_name

data/definitions/features/nftables.rb ADDED Viewed

@@ -0,0 +1,51 @@
+class Features::Nftables < ForemanMaintain::Feature
+  include ForemanMaintain::Concerns::Firewall::NftablesMaintenanceMode
+  metadata do
+    label :nftables
+    confine do
+      find_package('nftables')
+    end
+  end
+  def add_table(options = '')
+    options = "#{ip_family} #{table_name}" if options.empty?
+    execute!("nft add table #{options}")
+  end
+  def delete_table(options = '')
+    options = "#{ip_family} #{table_name}" if options.empty?
+    execute!("nft delete table #{options}")
+  end
+  def add_chain(options = {})
+    family = options.fetch(:family, ip_family)
+    table = options.fetch(:table, table_name)
+    chain = options.fetch(:chain, chain_name)
+    chain_options = options.fetch(:chain_options)
+    execute!("nft add chain #{family} #{table} #{chain} #{chain_options}")
+  end
+  def add_rule(options = {})
+    family = options.fetch(:family, ip_family)
+    table = options.fetch(:table, table_name)
+    chain = options.fetch(:chain, chain_name)
+    rule = options.fetch(:rule) # needs validation
+    execute!("nft add rule #{family} #{table} #{chain} #{rule}")
+  end
+  def table_exist?(name = table_name)
+    execute!('nft list tables').include?(name)
+  end
+  def table_name
+    'FOREMAN_MAINTAIN_TABLE'
+  end
+  def chain_name
+    'FOREMAN_MAINTAIN_CHAIN'
+  end
+  def ip_family
+    'inet'
+  end
+end

data/definitions/procedures/content/fix_pulpcore_artifact_permissions.rb ADDED Viewed

@@ -0,0 +1,30 @@
+module Procedures::Content
+  class FixPulpcoreArtifactOwnership < ForemanMaintain::Procedure
+    metadata do
+      description 'Fix Pulpcore artifact ownership to be pulp:pulp'
+      param :assumeyes, 'Do not ask for confirmation', :default => false
+      confine do
+        check_min_version(foreman_plugin_name('katello'), '4.0')
+      end
+    end
+    def ask_to_proceed
+      question = "\nWARNING: Only proceed if your system is fully switched to Pulp 3.\n"
+      question += "\n\nDo you want to proceed?"
+      answer = ask_decision(question, actions_msg: 'y(yes), q(quit)')
+      abort! if answer != :yes
+    end
+    def run
+      assumeyes_val = @assumeyes.nil? ? assumeyes? : @assumeyes
+      ask_to_proceed unless assumeyes_val
+      with_spinner('Updating artifact ownership for Pulp 3') do |spinner|
+        spinner.update('# chown -hR pulp.pulp /var/lib/pulp/media/artifact')
+        FileUtils.chown_R 'pulp', 'pulp', '/var/lib/pulp/media/artifact'
+      end
+    end
+  end
+end

data/definitions/procedures/maintenance_mode/disable_maintenance_mode.rb ADDED Viewed

@@ -0,0 +1,18 @@
+module Procedures::MaintenanceMode
+  class DisableMaintenanceMode < ForemanMaintain::Procedure
+    metadata do
+      label :disable_maintenance_mode
+      description 'Remove maintenance mode table/chain from nftables/iptables'
+      tags :post_migrations, :maintenance_mode_off
+      after :sync_plans_enable
+    end
+    def run
+      if feature(:instance).firewall
+        feature(:instance).firewall.disable_maintenance_mode
+      else
+        warn! 'Unable to find nftables or iptables'
+      end
+    end
+  end
+end

data/definitions/procedures/maintenance_mode/enable_maintenance_mode.rb ADDED Viewed

@@ -0,0 +1,48 @@
+module Procedures::MaintenanceMode
+  class EnableMaintenanceMode < ForemanMaintain::Procedure
+    metadata do
+      label :enable_maintenance_mode
+      description 'Add maintenance_mode tables/chain to nftables/iptables'
+      tags :pre_migrations, :maintenance_mode_on
+      after :sync_plans_disable
+    end
+    def run
+      if feature(:instance).firewall
+        feature(:instance).firewall.enable_maintenance_mode
+      else
+        notify_and_ask_to_install_firewall_utility
+      end
+    end
+    def notify_and_ask_to_install_firewall_utility
+      puts 'Unable to find nftables or iptables!'
+      question, pkg = question_and_pkg_name
+      answer = ask_decision(question, actions_msg: 'y(yes), q(quit)')
+      if answer == :yes
+        packages_action(:install, pkg)
+        feature(:instance).firewall.enable_maintenance_mode
+      end
+    end
+    def can_install_nft?
+      nft_kernel_version = Gem::Version.new('3.13')
+      installed_kernel_version = Gem::Version.new(execute!('uname -r').split('-').first)
+      installed_kernel_version >= nft_kernel_version
+    end
+    def question_and_pkg_name
+      question = 'Do you want to install missing netfilter utility '
+      pkg_to_install = []
+      if can_install_nft?
+        question << 'nftables?'
+        pkg_to_install << 'nftables'
+      else
+        question << 'iptables?'
+        pkg_to_install << 'iptables'
+      end
+      question << "\nand start maintenance mode?"
+      [question, pkg_to_install]
+    end
+  end
+end

data/definitions/procedures/maintenance_mode/is_enabled.rb CHANGED Viewed

@@ -2,14 +2,16 @@ module Procedures::MaintenanceMode
   class IsEnabled < ForemanMaintain::Procedure
     metadata do
       description 'Showing status code for maintenance_mode'
-      for_feature :iptables
       advanced_run false
+      confine do
+        feature(:nftables) || feature(:iptables)
+      end
     end
     attr_reader :status_code
     def run
-      @status_code = feature(:iptables).maintenance_mode_chain_exist? ? 0 : 1
+      @status_code = feature(:instance).firewall.maintenance_mode_status? ? 0 : 1
       puts "Maintenance mode is #{@status_code == 1 ? 'Off' : 'On'}"
     end
   end

data/definitions/procedures/pulp/remove.rb CHANGED Viewed

@@ -17,6 +17,7 @@ module Procedures::Pulp
     def pulp_data_dirs
       [
+        '/etc/pki/pulp/content',
         '/var/lib/pulp/published',
         '/var/lib/pulp/content',
         '/var/lib/pulp/importers',

data/definitions/scenarios/content.rb CHANGED Viewed

@@ -129,10 +129,29 @@ module ForemanMaintain::Scenarios
       def set_context_mapping
         context.map(:assumeyes, Procedures::Pulp::Remove => :assumeyes)
+        context.map(:assumeyes, Procedures::Content::FixPulpcoreArtifactOwnership => :assumeyes)
       end
       def compose
         add_step_with_context(Procedures::Pulp::Remove)
+        add_step_with_context(Procedures::Content::FixPulpcoreArtifactOwnership)
+      end
+    end
+    class FixPulpcoreArtifactOwnership < ContentBase
+      metadata do
+        label :content_fix_pulpcore_artifact_ownership
+        description 'Fix Pulpcore artifact ownership to be pulp:pulp'
+        param :assumeyes, 'Do not ask for confirmation'
+        manual_detection
+      end
+      def set_context_mapping
+        context.map(:assumeyes, Procedures::Content::FixPulpcoreArtifactOwnership => :assumeyes)
+      end
+      def compose
+        add_step_with_context(Procedures::Content::FixPulpcoreArtifactOwnership)
       end
     end
   end

data/definitions/scenarios/upgrade_to_capsule_7_0.rb CHANGED Viewed

@@ -39,6 +39,7 @@ module Scenarios::Capsule_7_0
     def compose
       add_steps(find_procedures(:pre_migrations))
+      add_step(Procedures::Pulp::Remove.new(:assumeyes => true))
       add_step(Procedures::Service::Stop.new)
     end
   end

data/lib/foreman_maintain/cli/content_command.rb CHANGED Viewed

@@ -54,6 +54,16 @@ module ForemanMaintain
           )
         end
       end
+      subcommand 'fix-pulpcore-artifact-ownership',
+                 'Update filesystem ownership for Pulpcore artifacts' do
+        interactive_option(%w[assumeyes plaintext])
+        def execute
+          run_scenarios_and_exit(
+            Scenarios::Content::FixPulpcoreArtifactOwnership.new(:assumeyes => assumeyes?)
+          )
+        end
+      end
     end
   end
 end

data/lib/foreman_maintain/concerns/firewall/iptables_maintenance_mode.rb ADDED Viewed

@@ -0,0 +1,28 @@
+module ForemanMaintain
+  module Concerns
+    module Firewall
+      module IptablesMaintenanceMode
+        def disable_maintenance_mode
+          remove_chain(custom_chain_name)
+        end
+        def enable_maintenance_mode
+          add_chain(custom_chain_name,
+                    ['-i lo -j ACCEPT', '-p tcp --dport 443 -j REJECT'])
+        end
+        def maintenance_mode_status?
+          chain_exist?(custom_chain_name)
+        end
+        def status_for_maintenance_mode
+          if maintenance_mode_status?
+            ['Iptables chain: present', []]
+          else
+            ['Iptables chain: absent', []]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/foreman_maintain/concerns/firewall/nftables_maintenance_mode.rb ADDED Viewed

@@ -0,0 +1,39 @@
+module ForemanMaintain
+  module Concerns
+    module Firewall
+      module NftablesMaintenanceMode
+        def disable_maintenance_mode
+          delete_table if table_exist?
+        end
+        def enable_maintenance_mode
+          unless table_exist?
+            add_table
+            add_chain(:chain_options => nftables_chain_options)
+            add_rule(rule: nftables_rule)
+          end
+        end
+        def maintenance_mode_status?
+          table_exist?
+        end
+        def nftables_chain_options
+          '{type filter hook input priority 0\\;}'
+        end
+        def nftables_rule
+          'tcp dport https reject'
+        end
+        def status_for_maintenance_mode
+          if table_exist?
+            ['Nftables table: present', []]
+          else
+            ['Nftables table: absent', []]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/foreman_maintain/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module ForemanMaintain
-  VERSION = '1.0.4'.freeze
+  VERSION = '1.0.5'.freeze
 end

data/lib/foreman_maintain.rb CHANGED Viewed

@@ -24,6 +24,8 @@ module ForemanMaintain
   require 'foreman_maintain/concerns/downstream'
   require 'foreman_maintain/concerns/primary_checks'
   require 'foreman_maintain/concerns/pulp_common'
+  require 'foreman_maintain/concerns/firewall/iptables_maintenance_mode'
+  require 'foreman_maintain/concerns/firewall/nftables_maintenance_mode'
   require 'foreman_maintain/top_level_modules'
   require 'foreman_maintain/yaml_storage'
   require 'foreman_maintain/config'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_maintain
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 1.0.5
 platform: ruby
 authors:
 - Ivan Nečas
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-09 00:00:00.000000000 Z
+date: 2022-03-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: clamp
@@ -206,6 +206,7 @@ files:
 - definitions/features/iptables.rb
 - definitions/features/katello.rb
 - definitions/features/mongo.rb
+- definitions/features/nftables.rb
 - definitions/features/pulp2.rb
 - definitions/features/pulpcore.rb
 - definitions/features/pulpcore_database.rb
@@ -244,6 +245,7 @@ files:
 - definitions/procedures/backup/snapshot/mount_pulpcore_db.rb
 - definitions/procedures/backup/snapshot/prepare_mount.rb
 - definitions/procedures/candlepin/delete_orphaned_records_from_env_content.rb
+- definitions/procedures/content/fix_pulpcore_artifact_permissions.rb
 - definitions/procedures/content/migration_reset.rb
 - definitions/procedures/content/migration_stats.rb
 - definitions/procedures/content/prepare.rb
@@ -267,9 +269,9 @@ files:
 - definitions/procedures/installer/run.rb
 - definitions/procedures/installer/upgrade.rb
 - definitions/procedures/installer/upgrade_rake_task.rb
-- definitions/procedures/iptables/add_maintenance_mode_chain.rb
-- definitions/procedures/iptables/remove_maintenance_mode_chain.rb
 - definitions/procedures/knowledge_base_article.rb
+- definitions/procedures/maintenance_mode/disable_maintenance_mode.rb
+- definitions/procedures/maintenance_mode/enable_maintenance_mode.rb
 - definitions/procedures/maintenance_mode/is_enabled.rb
 - definitions/procedures/packages/check_update.rb
 - definitions/procedures/packages/enable_version_locking.rb
@@ -389,6 +391,8 @@ files:
 - lib/foreman_maintain/concerns/directory_marker.rb
 - lib/foreman_maintain/concerns/downstream.rb
 - lib/foreman_maintain/concerns/finders.rb
+- lib/foreman_maintain/concerns/firewall/iptables_maintenance_mode.rb
+- lib/foreman_maintain/concerns/firewall/nftables_maintenance_mode.rb
 - lib/foreman_maintain/concerns/hammer.rb
 - lib/foreman_maintain/concerns/logger.rb
 - lib/foreman_maintain/concerns/metadata.rb

data/definitions/procedures/iptables/add_maintenance_mode_chain.rb DELETED Viewed

@@ -1,15 +0,0 @@
-module Procedures::Iptables
-  class AddMaintenanceModeChain < ForemanMaintain::Procedure
-    metadata do
-      label :iptables_add_maintenance_mode_chain
-      for_feature :iptables
-      description 'Add maintenance_mode chain to iptables'
-      tags :pre_migrations, :maintenance_mode_on
-      after :sync_plans_disable
-    end
-    def run
-      feature(:iptables).add_maintenance_mode_chain
-    end
-  end
-end

data/definitions/procedures/iptables/remove_maintenance_mode_chain.rb DELETED Viewed

@@ -1,15 +0,0 @@
-module Procedures::Iptables
-  class RemoveMaintenanceModeChain < ForemanMaintain::Procedure
-    metadata do
-      label :iptables_remove_maintenance_mode_chain
-      for_feature :iptables
-      description 'Remove maintenance_mode chain from iptables'
-      tags :post_migrations, :maintenance_mode_off
-      after :sync_plans_enable
-    end
-    def run
-      feature(:iptables).remove_maintenance_mode_chain
-    end
-  end
-end