RubyGems - foreman_maintain - Versions diffs - 1.0.4 → 1.0.5 - Mend

foreman_maintain 1.0.4 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eee1f58199b0dd709acdfd9095292306de60d75d067edac09d28287caf323439
-  data.tar.gz: bd0b37c9668e6db36895a5a13b1568ea2cd171feacb670d5f5c912b9a7e7e7b6
+  metadata.gz: bda89886170f69276ffe2a0fcca046581c62096011e59251f199d451a6e49ddb
+  data.tar.gz: 5f63a1d69ab49281d15e1d4004f1726d9c7b45eccbeeaa0015615176c7973e01
 SHA512:
-  metadata.gz: 8c4117234bfaf93217d80f8f076b0187c59bb240fd3f8210867c41422d47c3a033d31c2eb2be61252303fe371ce1ab1c33d6f362576ed5a411d5c4c989b58c45
-  data.tar.gz: 97a10cdf47b6838eef3b7d79bc91849bc7d3f991e090f16d7a6a013b377b3a09e46c5ccd23de64f1520c080f7d1d56397468beb0bffe0a4d901e10c327356488
+  metadata.gz: a2e1859b3479357698652f5b448e97e9ebe4977b6f71a851efc7498ae8f9e622d4a0a69a6589a8206d00071129345bceacececf04133fb958f85924c9c5ba79b
+  data.tar.gz: 4db6f08840e3767357d0d57a9b32ff61779627e03118396ca41c99f2ea3f7ea355596e7d353dc1352b56290b7c4fc6b81a17bf74dad09cadf76b52af660cfc32

data/definitions/checks/maintenance_mode/check_consistency.rb CHANGED Viewed

@@ -22,11 +22,15 @@ module Checks::MaintenanceMode
     private
+    def firewall
+      @firewall ||= feature(:instance).firewall
+    end
     def verify_with_features
       procedure_arr = []
       feature_status_msgs = []
-      is_mode_on = feature(:iptables).maintenance_mode_chain_exist?
-      [:iptables, :sync_plans, :cron].each do |feature_name|
+      is_mode_on = firewall.maintenance_mode_status?
+      [firewall.label, :sync_plans, :cron].each do |feature_name|
         msg, procedures_to_run = send("check_for_#{feature_name}", is_mode_on)
         feature_status_msgs << msg
         procedure_arr.concat(procedures_to_run)
@@ -55,6 +59,10 @@ module Checks::MaintenanceMode
       feature(:iptables).status_for_maintenance_mode
     end
+    def check_for_nftables(_is_mode_on)
+      feature(:nftables).status_for_maintenance_mode
+    end
     def check_for_sync_plans(is_mode_on)
       feature(:sync_plans).status_for_maintenance_mode(is_mode_on)
     end

data/definitions/features/instance.rb CHANGED Viewed

@@ -70,6 +70,10 @@ class Features::Instance < ForemanMaintain::Feature
     feature(:pulp2) || feature(:pulpcore)
   end
+  def firewall
+    feature(:nftables) || feature(:iptables)
+  end
   private
   # rubocop:disable Metrics/MethodLength, Metrics/AbcSize

data/definitions/features/iptables.rb CHANGED Viewed

@@ -1,6 +1,10 @@
 class Features::Iptables < ForemanMaintain::Feature
+  include ForemanMaintain::Concerns::Firewall::IptablesMaintenanceMode
   metadata do
     label :iptables
+    confine do
+      find_package('iptables')
+    end
   end
   def add_chain(chain_name, rules, rule_chain = 'INPUT')
@@ -29,27 +33,6 @@ class Features::Iptables < ForemanMaintain::Feature
     execute?("iptables -L #{rule_chain} | tail -n +3 | grep '^#{target_name} '")
   end
-  def add_maintenance_mode_chain
-    add_chain(custom_chain_name,
-              ['-i lo -j ACCEPT', '-p tcp --dport 443 -j REJECT'])
-  end
-  def remove_maintenance_mode_chain
-    remove_chain(custom_chain_name)
-  end
-  def maintenance_mode_chain_exist?
-    chain_exist?(custom_chain_name)
-  end
-  def status_for_maintenance_mode
-    if maintenance_mode_chain_exist?
-      ['Iptables chain: present', []]
-    else
-      ['Iptables chain: absent', []]
-    end
-  end
   private
   def custom_chain_name

data/definitions/features/nftables.rb ADDED Viewed

@@ -0,0 +1,51 @@
+class Features::Nftables < ForemanMaintain::Feature
+  include ForemanMaintain::Concerns::Firewall::NftablesMaintenanceMode
+  metadata do
+    label :nftables
+    confine do
+      find_package('nftables')
+    end
+  end
+  def add_table(options = '')
+    options = "#{ip_family} #{table_name}" if options.empty?
+    execute!("nft add table #{options}")
+  end
+  def delete_table(options = '')
+    options = "#{ip_family} #{table_name}" if options.empty?
+    execute!("nft delete table #{options}")
+  end
+  def add_chain(options = {})
+    family = options.fetch(:family, ip_family)
+    table = options.fetch(:table, table_name)
+    chain = options.fetch(:chain, chain_name)
+    chain_options = options.fetch(:chain_options)
+    execute!("nft add chain #{family} #{table} #{chain} #{chain_options}")
+  end
+  def add_rule(options = {})
+    family = options.fetch(:family, ip_family)
+    table = options.fetch(:table, table_name)
+    chain = options.fetch(:chain, chain_name)
+    rule = options.fetch(:rule) # needs validation
+    execute!("nft add rule #{family} #{table} #{chain} #{rule}")
+  end
+  def table_exist?(name = table_name)
+    execute!('nft list tables').include?(name)
+  end
+  def table_name
+    'FOREMAN_MAINTAIN_TABLE'
+  end
+  def chain_name
+    'FOREMAN_MAINTAIN_CHAIN'
+  end
+  def ip_family
+    'inet'
+  end
+end

data/definitions/procedures/content/fix_pulpcore_artifact_permissions.rb ADDED Viewed

@@ -0,0 +1,30 @@
+module Procedures::Content
+  class FixPulpcoreArtifactOwnership < ForemanMaintain::Procedure
+    metadata do
+      description 'Fix Pulpcore artifact ownership to be pulp:pulp'
+      param :assumeyes, 'Do not ask for confirmation', :default => false
+      confine do
+        check_min_version(foreman_plugin_name('katello'), '4.0')
+      end
+    end
+    def ask_to_proceed
+      question = "\nWARNING: Only proceed if your system is fully switched to Pulp 3.\n"
+      question += "\n\nDo you want to proceed?"
+      answer = ask_decision(question, actions_msg: 'y(yes), q(quit)')
+      abort! if answer != :yes
+    end
+    def run
+      assumeyes_val = @assumeyes.nil? ? assumeyes? : @assumeyes
+      ask_to_proceed unless assumeyes_val
+      with_spinner('Updating artifact ownership for Pulp 3') do |spinner|
+        spinner.update('# chown -hR pulp.pulp /var/lib/pulp/media/artifact')
+        FileUtils.chown_R 'pulp', 'pulp', '/var/lib/pulp/media/artifact'
+      end
+    end
+  end
+end

data/definitions/procedures/maintenance_mode/disable_maintenance_mode.rb ADDED Viewed

@@ -0,0 +1,18 @@
+module Procedures::MaintenanceMode
+  class DisableMaintenanceMode < ForemanMaintain::Procedure
+    metadata do
+      label :disable_maintenance_mode
+      description 'Remove maintenance mode table/chain from nftables/iptables'
+      tags :post_migrations, :maintenance_mode_off
+      after :sync_plans_enable
+    end
+    def run
+      if feature(:instance).firewall
+        feature(:instance).firewall.disable_maintenance_mode
+      else
+        warn! 'Unable to find nftables or iptables'
+      end
+    end
+  end
+end

data/definitions/procedures/maintenance_mode/enable_maintenance_mode.rb ADDED Viewed

@@ -0,0 +1,48 @@
+module Procedures::MaintenanceMode
+  class EnableMaintenanceMode < ForemanMaintain::Procedure
+    metadata do
+      label :enable_maintenance_mode
+      description 'Add maintenance_mode tables/chain to nftables/iptables'
+      tags :pre_migrations, :maintenance_mode_on
+      after :sync_plans_disable
+    end
+    def run
+      if feature(:instance).firewall
+        feature(:instance).firewall.enable_maintenance_mode
+      else
+        notify_and_ask_to_install_firewall_utility
+      end
+    end
+    def notify_and_ask_to_install_firewall_utility
+      puts 'Unable to find nftables or iptables!'
+      question, pkg = question_and_pkg_name
+      answer = ask_decision(question, actions_msg: 'y(yes), q(quit)')
+      if answer == :yes
+        packages_action(:install, pkg)
+        feature(:instance).firewall.enable_maintenance_mode
+      end
+    end
+    def can_install_nft?
+      nft_kernel_version = Gem::Version.new('3.13')
+      installed_kernel_version = Gem::Version.new(execute!('uname -r').split('-').first)
+      installed_kernel_version >= nft_kernel_version
+    end
+    def question_and_pkg_name
+      question = 'Do you want to install missing netfilter utility '
+      pkg_to_install = []
+      if can_install_nft?
+        question << 'nftables?'
+        pkg_to_install << 'nftables'
+      else
+        question << 'iptables?'
+        pkg_to_install << 'iptables'
+      end
+      question << "\nand start maintenance mode?"
+      [question, pkg_to_install]
+    end
+  end
+end

data/definitions/procedures/maintenance_mode/is_enabled.rb CHANGED Viewed

@@ -2,14 +2,16 @@ module Procedures::MaintenanceMode
   class IsEnabled < ForemanMaintain::Procedure
     metadata do
       description 'Showing status code for maintenance_mode'
-      for_feature :iptables
       advanced_run false
+      confine do
+        feature(:nftables) || feature(:iptables)
+      end
     end
     attr_reader :status_code
     def run
-      @status_code = feature(:iptables).maintenance_mode_chain_exist? ? 0 : 1
+      @status_code = feature(:instance).firewall.maintenance_mode_status? ? 0 : 1
       puts "Maintenance mode is #{@status_code == 1 ? 'Off' : 'On'}"
     end
   end

data/definitions/procedures/pulp/remove.rb CHANGED Viewed

@@ -17,6 +17,7 @@ module Procedures::Pulp
     def pulp_data_dirs
       [
+        '/etc/pki/pulp/content',
         '/var/lib/pulp/published',
         '/var/lib/pulp/content',
         '/var/lib/pulp/importers',

data/definitions/scenarios/content.rb CHANGED Viewed

@@ -129,10 +129,29 @@ module ForemanMaintain::Scenarios
       def set_context_mapping
         context.map(:assumeyes, Procedures::Pulp::Remove => :assumeyes)
+        context.map(:assumeyes, Procedures::Content::FixPulpcoreArtifactOwnership => :assumeyes)
       end
       def compose
         add_step_with_context(Procedures::Pulp::Remove)
+        add_step_with_context(Procedures::Content::FixPulpcoreArtifactOwnership)
+      end
+    end
+    class FixPulpcoreArtifactOwnership < ContentBase
+      metadata do
+        label :content_fix_pulpcore_artifact_ownership
+        description 'Fix Pulpcore artifact ownership to be pulp:pulp'
+        param :assumeyes, 'Do not ask for confirmation'
+        manual_detection
+      end
+      def set_context_mapping
+        context.map(:assumeyes, Procedures::Content::FixPulpcoreArtifactOwnership => :assumeyes)
+      end
+      def compose
+        add_step_with_context(Procedures::Content::FixPulpcoreArtifactOwnership)
       end
     end
   end

data/definitions/scenarios/upgrade_to_capsule_7_0.rb CHANGED Viewed

@@ -39,6 +39,7 @@ module Scenarios::Capsule_7_0
     def compose
       add_steps(find_procedures(:pre_migrations))
+      add_step(Procedures::Pulp::Remove.new(:assumeyes => true))
       add_step(Procedures::Service::Stop.new)
     end
   end

data/lib/foreman_maintain/cli/content_command.rb CHANGED Viewed

@@ -54,6 +54,16 @@ module ForemanMaintain
           )
         end
       end
+      subcommand 'fix-pulpcore-artifact-ownership',
+                 'Update filesystem ownership for Pulpcore artifacts' do
+        interactive_option(%w[assumeyes plaintext])
+        def execute
+          run_scenarios_and_exit(
+            Scenarios::Content::FixPulpcoreArtifactOwnership.new(:assumeyes => assumeyes?)
+          )
+        end
+      end
     end
   end
 end

data/lib/foreman_maintain/concerns/firewall/iptables_maintenance_mode.rb ADDED Viewed

@@ -0,0 +1,28 @@
+module ForemanMaintain
+  module Concerns
+    module Firewall
+      module IptablesMaintenanceMode
+        def disable_maintenance_mode
+          remove_chain(custom_chain_name)
+        end
+        def enable_maintenance_mode
+          add_chain(custom_chain_name,
+                    ['-i lo -j ACCEPT', '-p tcp --dport 443 -j REJECT'])
+        end
+        def maintenance_mode_status?
+          chain_exist?(custom_chain_name)
+        end
+        def status_for_maintenance_mode
+          if maintenance_mode_status?
+            ['Iptables chain: present', []]
+          else
+            ['Iptables chain: absent', []]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/foreman_maintain/concerns/firewall/nftables_maintenance_mode.rb ADDED Viewed

@@ -0,0 +1,39 @@
+module ForemanMaintain
+  module Concerns
+    module Firewall
+      module NftablesMaintenanceMode
+        def disable_maintenance_mode
+          delete_table if table_exist?
+        end
+        def enable_maintenance_mode
+          unless table_exist?
+            add_table
+            add_chain(:chain_options => nftables_chain_options)
+            add_rule(rule: nftables_rule)
+          end
+        end
+        def maintenance_mode_status?
+          table_exist?
+        end
+        def nftables_chain_options
+          '{type filter hook input priority 0\\;}'
+        end
+        def nftables_rule
+          'tcp dport https reject'
+        end
+        def status_for_maintenance_mode
+          if table_exist?
+            ['Nftables table: present', []]
+          else
+            ['Nftables table: absent', []]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/foreman_maintain/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module ForemanMaintain
-  VERSION = '1.0.4'.freeze
+  VERSION = '1.0.5'.freeze
 end

data/lib/foreman_maintain.rb CHANGED Viewed

@@ -24,6 +24,8 @@ module ForemanMaintain
   require 'foreman_maintain/concerns/downstream'
   require 'foreman_maintain/concerns/primary_checks'
   require 'foreman_maintain/concerns/pulp_common'
+  require 'foreman_maintain/concerns/firewall/iptables_maintenance_mode'
+  require 'foreman_maintain/concerns/firewall/nftables_maintenance_mode'
   require 'foreman_maintain/top_level_modules'
   require 'foreman_maintain/yaml_storage'
   require 'foreman_maintain/config'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_maintain
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 1.0.5
 platform: ruby
 authors:
 - Ivan Nečas
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-09 00:00:00.000000000 Z
+date: 2022-03-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: clamp
@@ -206,6 +206,7 @@ files:
 - definitions/features/iptables.rb
 - definitions/features/katello.rb
 - definitions/features/mongo.rb
+- definitions/features/nftables.rb
 - definitions/features/pulp2.rb
 - definitions/features/pulpcore.rb
 - definitions/features/pulpcore_database.rb
@@ -244,6 +245,7 @@ files:
 - definitions/procedures/backup/snapshot/mount_pulpcore_db.rb
 - definitions/procedures/backup/snapshot/prepare_mount.rb
 - definitions/procedures/candlepin/delete_orphaned_records_from_env_content.rb
+- definitions/procedures/content/fix_pulpcore_artifact_permissions.rb
 - definitions/procedures/content/migration_reset.rb
 - definitions/procedures/content/migration_stats.rb
 - definitions/procedures/content/prepare.rb
@@ -267,9 +269,9 @@ files:
 - definitions/procedures/installer/run.rb
 - definitions/procedures/installer/upgrade.rb
 - definitions/procedures/installer/upgrade_rake_task.rb
-- definitions/procedures/iptables/add_maintenance_mode_chain.rb
-- definitions/procedures/iptables/remove_maintenance_mode_chain.rb
 - definitions/procedures/knowledge_base_article.rb
+- definitions/procedures/maintenance_mode/disable_maintenance_mode.rb
+- definitions/procedures/maintenance_mode/enable_maintenance_mode.rb
 - definitions/procedures/maintenance_mode/is_enabled.rb
 - definitions/procedures/packages/check_update.rb
 - definitions/procedures/packages/enable_version_locking.rb
@@ -389,6 +391,8 @@ files:
 - lib/foreman_maintain/concerns/directory_marker.rb
 - lib/foreman_maintain/concerns/downstream.rb
 - lib/foreman_maintain/concerns/finders.rb
+- lib/foreman_maintain/concerns/firewall/iptables_maintenance_mode.rb
+- lib/foreman_maintain/concerns/firewall/nftables_maintenance_mode.rb
 - lib/foreman_maintain/concerns/hammer.rb
 - lib/foreman_maintain/concerns/logger.rb
 - lib/foreman_maintain/concerns/metadata.rb

data/definitions/procedures/iptables/add_maintenance_mode_chain.rb DELETED Viewed

@@ -1,15 +0,0 @@
-module Procedures::Iptables
-  class AddMaintenanceModeChain < ForemanMaintain::Procedure
-    metadata do
-      label :iptables_add_maintenance_mode_chain
-      for_feature :iptables
-      description 'Add maintenance_mode chain to iptables'
-      tags :pre_migrations, :maintenance_mode_on
-      after :sync_plans_disable
-    end
-    def run
-      feature(:iptables).add_maintenance_mode_chain
-    end
-  end
-end

data/definitions/procedures/iptables/remove_maintenance_mode_chain.rb DELETED Viewed

@@ -1,15 +0,0 @@
-module Procedures::Iptables
-  class RemoveMaintenanceModeChain < ForemanMaintain::Procedure
-    metadata do
-      label :iptables_remove_maintenance_mode_chain
-      for_feature :iptables
-      description 'Remove maintenance_mode chain from iptables'
-      tags :post_migrations, :maintenance_mode_off
-      after :sync_plans_enable
-    end
-    def run
-      feature(:iptables).remove_maintenance_mode_chain
-    end
-  end
-end