
(MODULES-10996) Fix SLES 11 PE upgrades #551

Merged

Conversation

GabrielNagy (Contributor)

SLES 11 can no longer be upgraded in PE by installing from the repos. To work around this, if we're SLES 11 and PE, download the package and install it directly using rpm, regardless of the value of manage_repo. This is the same approach we take for AIX, macOS and Windows. Because zypper is left in a semi-broken state if our pe_repo is installed, make sure we remove it and don't install it again.

The GPG keys will continue to be imported.

For non-PE agents, installing from the FOSS repos should still be possible, so nothing should change on that part. Additional tests were added to assert the behavior of FOSS vs PE.

@GabrielNagy GabrielNagy requested a review from a team April 15, 2021 14:21
@puppet-community-rangefinder

  • puppet_agent::install is a class that may have no external impact to Forge modules.
  • puppet_agent::osfamily::suse is a class that may have no external impact to Forge modules.

This module is declared in 3 of 576 indexed public Puppetfiles.

These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

@GabrielNagy GabrielNagy force-pushed the MODULES-10996/sles-11-pe-fix branch 4 times, most recently from 16e089d to a2a9f11 Compare April 16, 2021 10:44
@GabrielNagy (Contributor, Author)

Updated the GPG key import checks, spec tests will also need to be updated.

@GabrielNagy GabrielNagy force-pushed the MODULES-10996/sles-11-pe-fix branch 2 times, most recently from 5da189b to baff754 Compare April 19, 2021 17:02
@GabrielNagy GabrielNagy force-pushed the MODULES-10996/sles-11-pe-fix branch from baff754 to df35318 Compare April 20, 2021 08:25
@GabrielNagy GabrielNagy force-pushed the MODULES-10996/sles-11-pe-fix branch 3 times, most recently from 749f4ec to bb357cb Compare April 20, 2021 10:55
@ciprianbadescu ciprianbadescu (Contributor) left a comment

tested on sles11/pe 2019.8.5:

  • verified that install shell script -> fails
  • install puppet from rpm and try to upgrade using 4.5.0 version of pa_module -> fails
  • upgrade using this PR version of pa_module -> success

@ciprianbadescu ciprianbadescu requested a review from a team April 20, 2021 11:40
@GabrielNagy GabrielNagy force-pushed the MODULES-10996/sles-11-pe-fix branch 2 times, most recently from a180f5d to 83bb265 Compare April 20, 2021 12:58
SLES 11 can no longer be upgraded in PE by installing from the repos. To
work around this, if we're SLES 11 and PE, download the package and
install it directly using rpm, regardless of the value of `manage_repo`.
This is the same approach we take for AIX, macOS and Windows. Because
zypper is left in a semi-broken state if our pe_repo is installed, make
sure we remove it and don't install it again.

The GPG keys will continue to be imported.

For non-PE agents, installing from the FOSS repos should still be
possible, so nothing should change on that part. Additional tests were
added to assert the behavior of FOSS vs PE.

The install class was getting a bit complex, so I pulled out the SUSE
logic into a separate file.

This also made it easier to add a GPG check before installing the RPM
file. Since we don't use zypper anymore on SLES 11 in PE, create a
separate `exec` resource to handle the GPG check before upgrading.

The puppet GPG signing key with ID 4528b6cd9e61ef26 had a subkey in it
until February 2021. This caused GPG checks on systems with RPM versions
that do not support subkeys[1] (SLES 11 and EL 5) to fail.

We added this GPG key in the puppet_agent module in January, and
included it in the 4.4.0 release of the module.

We discovered the subkey issue in February and promptly removed the
subkey from the existing key. The new key is available since version
4.5.0 of the puppet_agent module.

This module imports GPG keys based on their ID. Since in our case both
the good key and the bad key have the same ID, the module will not
import the correct key if the bad one is already installed (or any other
key with the same ID for that matter).

To circumvent this, we now specifically compare the contents of the GPG
key from the RPM database with the contents of the GPG key laid by
Puppet in `/etc/pki/rpm-gpg`. If any differences are found, the imported
key is purged and reimported, which should ensure that the key shipped
in the module is identical to the one from the RPM database.

[1] https://technosorcery.net/blog/2010/10/pitfalls-with-rpm-and-gpg/

By relying on the puppet service to upgrade puppet we lose all logging
info in case something fails, which makes things difficult to debug.
Change to run with puppet agent -t.

We can also fix the logging part by configuring puppet to log to a file,
then printing the contents of the file.

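The purge-and-reimport check described in the commit messages above, as an added example that is not the module's own code: it exports the installed key with rpm's `%{pubkeys:armor}` query format (my choice of invocation, not necessarily what the PR's script does), compares it with the shipped key file on key material only, and purges and reimports on mismatch. The key file path and the `--check` flag are assumptions; the key ID is the one named in the commit message.

```shell
#!/bin/sh
# Added example (not the puppet_agent module's own code): make sure the key
# in the RPM database is byte-for-byte the key laid down in /etc/pki/rpm-gpg.
# Assumptions: KEY_FILE path and the rpm query format used for the export.
set -eu

KEY_ID="${KEY_ID:-4528b6cd9e61ef26}"   # key ID named in the commit message
KEY_FILE="${KEY_FILE:-/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet}"   # assumed path

# Strip armor header/footer lines, "Version:"/"Comment:" lines and all
# whitespace (including line wrapping) so that rpm's export and the shipped
# file are compared on key material only, not on armoring cosmetics.
normalize_armor() {
    sed -e '/^-----BEGIN/d' -e '/^-----END/d' \
        -e '/^Version:/d' -e '/^Comment:/d' -e '/^Hash:/d' "$1" \
        | tr -d ' \t\r\n'
}

# Returns 0 when both armored files carry identical key material, 1 otherwise.
keys_match() {
    [ "$(normalize_armor "$1")" = "$(normalize_armor "$2")" ]
}

# rpm names imported keys gpg-pubkey-<low 32 bits of the key ID>-<timestamp>.
short_id() {
    printf '%s' "$1" | tail -c 8 | tr 'A-F' 'a-f'
}

# Export every installed copy of the key (two copies with the same ID would
# both show up and fail the comparison), then purge and reimport on mismatch.
ensure_key() {
    pkg="gpg-pubkey-$(short_id "$KEY_ID")"
    tmp="$(mktemp)"
    trap 'rm -f "$tmp"' EXIT
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
        echo "$pkg not installed; importing $KEY_FILE"
        rpm --import "$KEY_FILE"
        return
    fi
    rpm -q "$pkg" --qf '%{pubkeys:armor}\n' > "$tmp"
    if keys_match "$tmp" "$KEY_FILE"; then
        echo "$pkg matches $KEY_FILE; nothing to do"
    else
        echo "$pkg differs from $KEY_FILE; purging and reimporting"
        rpm -e --allmatches "$pkg"
        rpm --import "$KEY_FILE"
    fi
}

case "${1:-}" in --check) ensure_key ;; esac
```

Invoke it as `sh gpg_key_check.sh --check` rather than executing the file directly; the shell then reads the script, so a `noexec` mount on the directory holding it (the situation raised later in this thread) does not prevent it from running.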
@gimmyxd gimmyxd closed this Apr 20, 2021
@GabrielNagy GabrielNagy reopened this Apr 20, 2021
@puppet-community-rangefinder

  • puppet_agent::install is a class that may have no external impact to Forge modules.
  • puppet_agent::install::suse is a class that may have no external impact to Forge modules.
  • puppet_agent::osfamily::redhat is a class that may have no external impact to Forge modules.
  • puppet_agent::osfamily::suse is a class that may have no external impact to Forge modules.

This module is declared in 3 of 576 indexed public Puppetfiles.


@GabrielNagy GabrielNagy force-pushed the MODULES-10996/sles-11-pe-fix branch from 83bb265 to 8bb9628 Compare April 20, 2021 14:40
@ciprianbadescu ciprianbadescu merged commit dc030fd into puppetlabs:main Apr 20, 2021
@Rewerson

@GabrielNagy what about /tmp with noexec mount option? Suitable for shared hosting servers for security reasons.
So, got an error in puppet_agent/manifests/osfamily/redhat.pp:113:
Could not evaluate: '/tmp/rpm_gpg_import_check.sh' is not executable

@ciprianbadescu (Contributor)

It should be fixed by: #557
