Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-26 Thread Alexander Bokovoy

Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-26 Thread Jan Cholasta


Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-26 Thread Jan Cholasta

On 25.8.2015 21:25, Martin Kosek wrote:

On 08/25/2015 09:22 PM, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 08:59 PM, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 05:37 PM, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 04:37 PM, Jan Cholasta wrote:

On 25.8.2015 14:50, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

On 25.8.2015 14:23, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

Hi,

the attached patch fixes
https://fedorahosted.org/freeipa/ticket/5256.

Honza

--
Jan Cholasta



From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17
00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Aug 2015 14:14:25 +0200
Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy

This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.

https://fedorahosted.org/freeipa/ticket/5256
---
freeipa.spec.in | 1 +
1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba91fe..fd73cda 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,6 +139,7 @@ Requires: systemd-units = 38
Requires(pre): shadow-utils
Requires(pre): systemd-units
Requires(post): systemd-units
+Requires(pre): selinux-policy = %{selinux_policy_version}
Requires: selinux-policy = %{selinux_policy_version}
Requires(post): selinux-policy-base
Requires: slapi-nis = 0.54.2-1
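Review bot: ordering selinux-policy before %pre does not cover the scriptlet that actually hits the AVCs, which is %posttrans (ipa-server-upgrade, quoted later in this thread), so `+Requires(pre): selinux-policy = %{selinux_policy_version}` constrains an earlier step than the one the description says it fixes; keep the plain `Requires: selinux-policy = %{selinux_policy_version}` on the following line in any case, because a scriptlet dependency alone does not stop the package from being removed or downgraded after installation, and state in the commit message which scriptlet the ordering is meant to protect.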

If we have it in Requires(pre), we don't need it in Requires, as
Requires(pre) is a superset of guarantees that Requires gives you.


Martin (CCed) told me Requires(pre) does not imply Requires.

See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):

Since the only way out of a dependency loop is to snip the loop
somewhere, rpm uses hints from Requires: dependencies to distinguish
co-requisite (these are not needed to install, only to use, a package)
from pre-requisite (these are guaranteed to be installed before the
package that includes the dependency) relations.




Requires(pre) ensures that selinux-policy of a specific version is
installed before pre scripts of freeipa-server would run, be it in the
same transaction or in a previous one.



Hmm, ipa-server-upgrade is run in posttrans. Should the Requires(pre)
be changed to Requires(posttrans)?

I don't think there is a posttrans target. Perhaps, we can just make sure
Requires(post) is enough.


OK, let's try that. Updated patch attached.



Will this really make a difference? I thought the problem is caused by
selinux-policy being installed after freeipa-server package upgrade. We already
have Requires on selinux-policy, so I am not sure what is actually changed by
this patch.

The change is that with Requires(pre) or Requires(post) we are
guaranteed that selinux-policy is installed and available before our pre
or post scriptlets are run. With Requires only we are not guaranteed to
be installed after selinux-policy, only that it would be available as
part of the same transaction we are installed in.

We don't really need to have Requires(pre) because we don't rely on
selinux-policy being available in pre scriptlet. Forcing Requires(pre)
doesn't help anyone else (rpm/yum/dnf need to solve dependency loops and
we are only complicating with Requires(pre) if we don't actually need
it). Thus, choosing Requires(post) is more correct from distribution
point of view.


Sure, but given that FreeIPA upgrade is run in the posttrans phase:

%posttrans server
# This must be run in posttrans so that updates from previous
# execution that may no longer be shipped are not applied.
/usr/sbin/ipa-server-upgrade --quiet /dev/null || :

I am now not sure how Requires(pre) or Requires(post) help here; in all
cases, the right selinux-policy should be there before all the posttrans
scripts are being run.

I've looked at the rpm source code and here is the list of all supported
requires/dependencies types:
https://github.com/rpm-software-management/rpm/blob/140744377b019e0de81d76d0931c32228d2ed57e/build/rpmfc.c#L1056




Requires(posttrans) is there so we could use this one too but it was
added only in 4.12-alpha which means it is missing in RHEL/CentOS 7, for
example, as they are only up to 4.11.

Maybe the new selinux-policy is required for certmonger itself or some other
event during upgrade?

No, I don't think so. However, we cannot set Requires(posttrans), thus
we should be using closest target before it, i.e. Requires(post).


Thank you, but I think I still did not get an answer for my question.

IIUC, the rough rpm process with regards to freeipa-server package upgrade
should be in this order:

_
|
v
RPM installs some dependencies of freeipa-server
|
V
RPM installs Requires(pre) of freeipa-server
freeipa-server pre scriptlet runs
|
v
RPM installs freeipa-server
|
v
RPM installs Requires(post) of freeipa-server
freeipa-server post scriptlet runs
|
v
RPM installs 

Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-26 Thread Alexander Bokovoy

On Wed, 26 Aug 2015, Jan Pazdziora wrote:

On Tue, Aug 25, 2015 at 03:50:04PM +0300, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:
 On 25.8.2015 14:23, Alexander Bokovoy wrote:
  On Tue, 25 Aug 2015, Jan Cholasta wrote:
   +Requires(pre): selinux-policy = %{selinux_policy_version}
Requires: selinux-policy = %{selinux_policy_version}
 
  If we have it in Requires(pre), we don't need it in Requires, as
  Requires(pre) is a superset of guarantees that Requires gives you.

 Martin (CCed) told me Requires(pre) does not imply Requires.

See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):

Since the only way out of a dependency loop is to snip the loop
somewhere, rpm uses hints from Requires: dependencies to distinguish
co-requisite (these are not needed to install, only to use, a package)
from pre-requisite (these are guaranteed to be installed before the
package that includes the dependency) relations.


However, this section seems to only apply to loop resolution. Note that

http://www.rpm.org/wiki/PackagerDocs/MoreOnDependencies

says about Requires(pre)

* It ensures that the package providing /usr/sbin/useradd is
  installed before this package. In presence of dependency
  loops, scriptlet dependencies are the only way to ensure
  correct install order.
* If there are no other dependencies on the package providing
  /usr/sbin/useradd, that package is permitted to be removed
  from the system after installation(!)

It's a fairly common mistake to replace legacy PreReq
dependencies with Requires(pre), but this is not the
same, due to the latter point above!

So I'd say that Requires(pre) does not imply Requires and if we only
do Requires(pre): selinux-policy = %{selinux_policy_version}, after
the installation, anybody can downgrade the selinux-policy package.
Heck, even in that ipa-server upgrading transaction, there could be
a selinux-policy downgrade operation, which would leave the newer
version for ipa-server's pre but install older version of
selinux-policy after it's done with ipa-server.

Yes, it's just a theoretical situation but we should not shortcut
Requires with Requires(pre), it might teach people reading the .spec
files bad habits.

Well, in that case having both Requires and Requires(post) is a
necessity, it seems.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
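A dependency lint for the point settled in the message above (a Requires(pre) or Requires(post) alone orders the package before that scriptlet but does not keep it installed, so the plain Requires must stay), written as an added example rather than code from the thread or from FreeIPA. It assumes one dependency per line; the spec fragment is constructed from the lines visible in the two patches plus a hypothetical Requires(posttrans) line, and the `>=` operators are assumed because the archive rendering dropped them.

```python
"""Lint the Requires/Requires(<scriptlet>) lines of an RPM spec for the pitfall
discussed in the thread: a scriptlet-scoped dependency only orders the other
package before that scriptlet; without a plain Requires on the same name and
version, rpm may remove or downgrade it afterwards.
Added example, not FreeIPA's code. The spec fragment is constructed from the
dependency lines visible in the two patch versions (the ">=" operators are
assumed; the archive rendering dropped them) plus a hypothetical
Requires(posttrans) line."""
import re
from collections import defaultdict
from typing import List, NamedTuple, Optional, Tuple

# Scriptlet scopes this lint recognizes inside Requires(...).
SCRIPTLET_SCOPES = {"pre", "post", "preun", "postun", "pretrans", "posttrans", "verify"}
# Requires(posttrans) only exists from rpm 4.12 (the thread notes RHEL/CentOS 7 ships 4.11).
SCOPES_NEEDING_NEW_RPM = {"posttrans": "4.12"}

# One dependency per line: "Requires: name", "Requires(pre): name >= version", ...
DEP_RE = re.compile(
    r"^Requires(?:\((?P<scope>\w+)\))?:\s*(?P<name>[^\s<>=]+)"
    r"(?:\s*(?P<op>>=|<=|=|<|>)\s*(?P<ver>\S+))?\s*$"
)


class Dep(NamedTuple):
    lineno: int
    scope: Optional[str]  # None for a plain Requires
    name: str
    op: Optional[str]
    ver: Optional[str]


class Finding(NamedTuple):
    lineno: int
    level: str  # "error" or "warning"
    message: str


def parse_requires(spec_text: str) -> Tuple[List[Dep], List[Finding]]:
    """Extract Requires lines; unparsable ones become errors."""
    deps: List[Dep] = []
    findings: List[Finding] = []
    for lineno, raw in enumerate(spec_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("Requires"):
            continue
        m = DEP_RE.match(line)
        if m is None:
            findings.append(Finding(lineno, "error", f"unparsable dependency line: {line!r}"))
            continue
        deps.append(Dep(lineno, m["scope"], m["name"], m["op"], m["ver"]))
    return deps, findings


def lint_requires(spec_text: str) -> List[Finding]:
    """Report scriptlet dependencies that lack a matching plain Requires."""
    deps, findings = parse_requires(spec_text)
    plain = defaultdict(list)  # package name -> plain Requires entries
    for d in deps:
        if d.scope is None:
            plain[d.name].append(d)
    for d in deps:
        if d.scope is None:
            continue
        if d.scope not in SCRIPTLET_SCOPES:
            findings.append(Finding(d.lineno, "error", f"unknown scope Requires({d.scope})"))
            continue
        if d.scope in SCOPES_NEEDING_NEW_RPM:
            findings.append(Finding(d.lineno, "warning",
                f"Requires({d.scope}) needs rpm >= {SCOPES_NEEDING_NEW_RPM[d.scope]}"))
        if not plain[d.name]:
            # Only ordered before %<scope>; nothing keeps it installed afterwards.
            findings.append(Finding(d.lineno, "warning",
                f"Requires({d.scope}): {d.name} has no plain Requires; "
                f"{d.name} may be removed after installation"))
        elif d.op and not any((p.op, p.ver) == (d.op, d.ver) for p in plain[d.name]):
            # Plain Requires is looser than the scriptlet one: a later downgrade is allowed.
            findings.append(Finding(d.lineno, "warning",
                f"version constraint on Requires({d.scope}): {d.name} is not repeated "
                f"in its plain Requires; a downgrade after %{d.scope} would be allowed"))
    return sorted(findings)


# Constructed sample: the dependency block after the second patch, plus a
# hypothetical Requires(posttrans) line (operators assumed, see docstring).
SPEC_FRAGMENT = """\
Requires: systemd-units >= 38
Requires(pre): shadow-utils
Requires(pre): systemd-units
Requires(post): systemd-units
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base >= %{selinux_policy_version}
Requires(posttrans): selinux-policy >= %{selinux_policy_version}
Requires: slapi-nis >= 0.54.2-1
"""

if __name__ == "__main__":
    for f in lint_requires(SPEC_FRAGMENT):
        print(f"line {f.lineno}: {f.level}: {f.message}")
```

Run as a script it prints three warnings for the constructed fragment: shadow-utils and selinux-policy-base have scriptlet dependencies with no plain Requires, and the posttrans scope needs the newer rpm mentioned in the thread.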


Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-26 Thread Jan Pazdziora
On Tue, Aug 25, 2015 at 10:22:42PM +0300, Alexander Bokovoy wrote:

 The flow above is not correct. Each scriptlet of the package is executed
 when package is installed. In particular, there is no period of waiting
 until end of whole transaction to start executing %posttrans scriptlet of
 a specific package. RPM only guarantees you that %posttrans scriptlet is
 executed as the last thing of this package install, after all
 %post/%postun scriptlets were executed for this package and all triggers
 for affected packages were executed.

This went against my understanding of %posttrans, so I asked rpm
maintainer and he confirmed that %posttrans scriptlets are executed as
the last thing in the transaction. I might be misunderstanding what
you say but I'd say that there actually is a period of waiting /
postponing execution of %posttrans scriptlets of all packages until
the end of the transaction.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-26 Thread Jan Pazdziora
On Tue, Aug 25, 2015 at 02:18:29PM +0200, Jan Cholasta wrote:
 Hi,
 
 the attached patch fixes https://fedorahosted.org/freeipa/ticket/5256.
 
 Honza
 
 -- 
 Jan Cholasta

 From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta jchol...@redhat.com
 Date: Tue, 25 Aug 2015 14:14:25 +0200
 Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy
 
 This prevents ipa-server-upgrade failures on SELinux AVCs because of old
 selinux-policy version.
 
 https://fedorahosted.org/freeipa/ticket/5256
 ---
  freeipa.spec.in | 1 +
  1 file changed, 1 insertion(+)
 
 diff --git a/freeipa.spec.in b/freeipa.spec.in
 index cba91fe..fd73cda 100644
 --- a/freeipa.spec.in
 +++ b/freeipa.spec.in
 @@ -139,6 +139,7 @@ Requires: systemd-units = 38
  Requires(pre): shadow-utils
  Requires(pre): systemd-units
  Requires(post): systemd-units
 +Requires(pre): selinux-policy = %{selinux_policy_version}

What is the core issue with

https://fedorahosted.org/freeipa/ticket/5256

? I understand that we need new selinux-policy, but what does that
policy change?

I ask because if it's about labelling of files installed by rpm, the
(pre) might not help because rpm did not reload the file contexts
mid-transaction

https://bugzilla.redhat.com/show_bug.cgi?id=505066#c9

and I'm not sure things have changed since RHEL 5.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-26 Thread Jan Pazdziora
On Tue, Aug 25, 2015 at 03:50:04PM +0300, Alexander Bokovoy wrote:
 On Tue, 25 Aug 2015, Jan Cholasta wrote:
  On 25.8.2015 14:23, Alexander Bokovoy wrote:
   On Tue, 25 Aug 2015, Jan Cholasta wrote:
+Requires(pre): selinux-policy = %{selinux_policy_version}
 Requires: selinux-policy = %{selinux_policy_version}
  
   If we have it in Requires(pre), we don't need it in Requires, as
   Requires(pre) is a superset of guarantees that Requires gives you.
 
  Martin (CCed) told me Requires(pre) does not imply Requires.

 See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):
 
 Since the only way out of a dependency loop is to snip the loop
 somewhere, rpm uses hints from Requires: dependencies to distinguish
 co-requisite (these are not needed to install, only to use, a package)
 from pre-requisite (these are guaranteed to be installed before the
 package that includes the dependency) relations.

However, this section seems to only apply to loop resolution. Note that

http://www.rpm.org/wiki/PackagerDocs/MoreOnDependencies

says about Requires(pre)

* It ensures that the package providing /usr/sbin/useradd is
  installed before this package. In presence of dependency
  loops, scriptlet dependencies are the only way to ensure
  correct install order.
* If there are no other dependencies on the package providing
  /usr/sbin/useradd, that package is permitted to be removed
  from the system after installation(!) 

It's a fairly common mistake to replace legacy PreReq
dependencies with Requires(pre), but this is not the
same, due to the latter point above! 

So I'd say that Requires(pre) does not imply Requires and if we only
do Requires(pre): selinux-policy = %{selinux_policy_version}, after
the installation, anybody can downgrade the selinux-policy package.
Heck, even in that ipa-server upgrading transaction, there could be
a selinux-policy downgrade operation, which would leave the newer
version for ipa-server's pre but install older version of
selinux-policy after it's done with ipa-server.

Yes, it's just a theoretical situation but we should not shortcut
Requires with Requires(pre), it might teach people reading the .spec
files bad habits.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-25 Thread Jan Cholasta

On 25.8.2015 14:50, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

On 25.8.2015 14:23, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

Hi,

the attached patch fixes
https://fedorahosted.org/freeipa/ticket/5256.

Honza

--
Jan Cholasta



From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Aug 2015 14:14:25 +0200
Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy

This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.

https://fedorahosted.org/freeipa/ticket/5256
---
freeipa.spec.in | 1 +
1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba91fe..fd73cda 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,6 +139,7 @@ Requires: systemd-units = 38
Requires(pre): shadow-utils
Requires(pre): systemd-units
Requires(post): systemd-units
+Requires(pre): selinux-policy = %{selinux_policy_version}
Requires: selinux-policy = %{selinux_policy_version}
Requires(post): selinux-policy-base
Requires: slapi-nis = 0.54.2-1

If we have it in Requires(pre), we don't need it in Requires, as
Requires(pre) is a superset of guarantees that Requires gives you.


Martin (CCed) told me Requires(pre) does not imply Requires.

See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):

Since the only way out of a dependency loop is to snip the loop
somewhere, rpm uses hints from Requires: dependencies to distinguish
co-requisite (these are not needed to install, only to use, a package)
from pre-requisite (these are guaranteed to be installed before the
package that includes the dependency) relations.




Requires(pre) ensures that selinux-policy of a specific version is
installed before pre scripts of freeipa-server would run, be it in the
same transaction or in a previous one.



Hmm, ipa-server-upgrade is run in posttrans. Should the Requires(pre)
be changed to Requires(posttrans)?

I don't think there is a posttrans target. Perhaps, we can just make sure
Requires(post) is enough.


OK, let's try that. Updated patch attached.

--
Jan Cholasta
From 8697e0b12b66d4da84e3146baddadbcb2e6523d0 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Aug 2015 14:14:25 +0200
Subject: [PATCH] spec file: Add Requires(post) on selinux-policy

This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.

https://fedorahosted.org/freeipa/ticket/5256
---
 freeipa.spec.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba91fe..46f348e 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -140,7 +140,7 @@ Requires(pre): shadow-utils
 Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy = %{selinux_policy_version}
-Requires(post): selinux-policy-base
+Requires(post): selinux-policy-base = %{selinux_policy_version}
 Requires: slapi-nis = 0.54.2-1
 Requires: pki-ca = 10.2.6
 Requires: pki-kra = 10.2.6
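Review bot: `+Requires(post): selinux-policy-base = %{selinux_policy_version}` puts the versioned scriptlet dependency on a different package name than the plain `Requires: selinux-policy = %{selinux_policy_version}` kept two lines above, so the commit message should say that %{selinux_policy_version} is a valid version for selinux-policy-base; and since ipa-server-upgrade runs from %posttrans (quoted earlier in the thread), Requires(post) only guarantees the policy is in place before this package's %post, not before the post-transaction step the description says it fixes, which deserves a sentence in the description as well.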
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-25 Thread Martin Kosek
On 08/25/2015 04:37 PM, Jan Cholasta wrote:
 On 25.8.2015 14:50, Alexander Bokovoy wrote:
 On Tue, 25 Aug 2015, Jan Cholasta wrote:
 On 25.8.2015 14:23, Alexander Bokovoy wrote:
 On Tue, 25 Aug 2015, Jan Cholasta wrote:
 Hi,

 the attached patch fixes
 https://fedorahosted.org/freeipa/ticket/5256.

 Honza

 -- 
 Jan Cholasta

 From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta jchol...@redhat.com
 Date: Tue, 25 Aug 2015 14:14:25 +0200
 Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy

 This prevents ipa-server-upgrade failures on SELinux AVCs because of old
 selinux-policy version.

 https://fedorahosted.org/freeipa/ticket/5256
 ---
 freeipa.spec.in | 1 +
 1 file changed, 1 insertion(+)

 diff --git a/freeipa.spec.in b/freeipa.spec.in
 index cba91fe..fd73cda 100644
 --- a/freeipa.spec.in
 +++ b/freeipa.spec.in
 @@ -139,6 +139,7 @@ Requires: systemd-units = 38
 Requires(pre): shadow-utils
 Requires(pre): systemd-units
 Requires(post): systemd-units
 +Requires(pre): selinux-policy = %{selinux_policy_version}
 Requires: selinux-policy = %{selinux_policy_version}
 Requires(post): selinux-policy-base
 Requires: slapi-nis = 0.54.2-1
 If we have it in Requires(pre), we don't need it in Requires, as
 Requires(pre) is a superset of guarantees that Requires gives you.

 Martin (CCed) told me Requires(pre) does not imply Requires.
 See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):
 
 Since the only way out of a dependency loop is to snip the loop
 somewhere, rpm uses hints from Requires: dependencies to distinguish
 co-requisite (these are not needed to install, only to use, a package)
 from pre-requisite (these are guaranteed to be installed before the
 package that includes the dependency) relations.
 


 Requires(pre) ensures that selinux-policy of a specific version is
 installed before pre scripts of freeipa-server would run, be it in the
 same transaction or in a previous one.


 Hmm, ipa-server-upgrade is run in posttrans. Should the Requires(pre)
 be changed to Requires(posttrans)?
 I don't think there is a posttrans target. Perhaps, we can just make sure
 Requires(post) is enough.
 
 OK, let's try that. Updated patch attached.
 

Will this really make a difference? I thought the problem is caused by
selinux-policy being installed after freeipa-server package upgrade. We already
have Requires on selinux-policy, so I am not sure what is actually changed by
this patch.



Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-25 Thread Alexander Bokovoy

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 04:37 PM, Jan Cholasta wrote:

On 25.8.2015 14:50, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

On 25.8.2015 14:23, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

Hi,

the attached patch fixes
https://fedorahosted.org/freeipa/ticket/5256.

Honza

--
Jan Cholasta



From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Aug 2015 14:14:25 +0200
Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy

This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.

https://fedorahosted.org/freeipa/ticket/5256
---
freeipa.spec.in | 1 +
1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba91fe..fd73cda 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,6 +139,7 @@ Requires: systemd-units = 38
Requires(pre): shadow-utils
Requires(pre): systemd-units
Requires(post): systemd-units
+Requires(pre): selinux-policy = %{selinux_policy_version}
Requires: selinux-policy = %{selinux_policy_version}
Requires(post): selinux-policy-base
Requires: slapi-nis = 0.54.2-1

If we have it in Requires(pre), we don't need it in Requires, as
Requires(pre) is a superset of guarantees that Requires gives you.


Martin (CCed) told me Requires(pre) does not imply Requires.

See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):

Since the only way out of a dependency loop is to snip the loop
somewhere, rpm uses hints from Requires: dependencies to distinguish
co-requisite (these are not needed to install, only to use, a package)
from pre-requisite (these are guaranteed to be installed before the
package that includes the dependency) relations.




Requires(pre) ensures that selinux-policy of a specific version is
installed before pre scripts of freeipa-server would run, be it in the
same transaction or in a previous one.



Hmm, ipa-server-upgrade is run in posttrans. Should the Requires(pre)
be changed to Requires(posttrans)?

I don't think there is a posttrans target. Perhaps, we can just make sure
Requires(post) is enough.


OK, let's try that. Updated patch attached.



Will this really make a difference? I thought the problem is caused by
selinux-policy being installed after freeipa-server package upgrade. We already
have Requires on selinux-policy, so I am not sure what is actually changed by
this patch.

The change is that with Requires(pre) or Requires(post) we are
guaranteed that selinux-policy is installed and available before our pre
or post scriptlets are run. With Requires only we are not guaranteed to
be installed after selinux-policy, only that it would be available as
part of the same transaction we are installed in.

We don't really need to have Requires(pre) because we don't rely on
selinux-policy being available in pre scriptlet. Forcing Requires(pre)
doesn't help anyone else (rpm/yum/dnf need to solve dependency loops and
we are only complicating with Requires(pre) if we don't actually need
it). Thus, choosing Requires(post) is more correct from distribution
point of view.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
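The ordering Alexander lays out above (plain Requires as a co-requisite hint rpm may snip to break a loop, Requires(pre)/(post) as hard ordering before the matching scriptlet, %posttrans after the whole transaction), as an added toy model in Python; this is not rpm's or FreeIPA's code, and the third package with its Requires loop is constructed only so that loop-snipping has to happen.

```python
"""Toy model of rpm transaction ordering versus scriptlet phases, following the
thread: plain Requires is a co-requisite hint rpm may snip to break a loop,
Requires(pre)/(post) are hard pre-requisites, and %posttrans runs after every
package in the transaction is installed. Constructed example, not rpm's code."""
from dataclasses import dataclass, field


@dataclass
class Package:
    name: str
    requires: set = field(default_factory=set)       # Requires: soft, snippable
    requires_pre: set = field(default_factory=set)   # Requires(pre): hard
    requires_post: set = field(default_factory=set)  # Requires(post): hard


def order_transaction(pkgs):
    """Return (install order, snipped soft edges). Only packages inside the
    transaction take part in ordering. Hard edges always hold; when nothing is
    ready, the loop is broken by dropping the outstanding soft edges of one
    package (chosen by name, so the result is deterministic). A loop made of
    hard edges alone cannot be broken and is an error."""
    names = {p.name for p in pkgs}
    hard = {p.name: (p.requires_pre | p.requires_post) & names for p in pkgs}
    soft = {p.name: (p.requires & names) - hard[p.name] for p in pkgs}
    order, placed, snipped = [], set(), []
    while len(order) < len(pkgs):
        pending = names - placed
        ready = sorted(n for n in pending
                       if hard[n] <= placed and soft[n] <= placed)
        if ready:
            order.append(ready[0])
            placed.add(ready[0])
            continue
        loop = sorted(n for n in pending if hard[n] <= placed)
        if not loop:
            raise ValueError("dependency loop through Requires(pre)/(post)")
        snipped.append((loop[0], sorted(soft[loop[0]] - placed)))
        soft[loop[0]] &= placed
    return order, snipped


def timeline(order):
    """Scriptlet events in execution order as (package, phase, installed set):
    %pre before the package's files land, %post right after them, and
    %posttrans only once everything in the transaction is installed."""
    installed, events = set(), []
    for name in order:
        events.append((name, "pre", frozenset(installed)))
        installed.add(name)
        events.append((name, "post", frozenset(installed)))
    for name in order:
        events.append((name, "posttrans", frozenset(installed)))
    return events


def phases_with_dep(events, pkg, dep):
    """Phases of `pkg` whose scriptlet runs with `dep` already installed in
    this particular ordering."""
    return {phase for p, phase, inst in events if p == pkg and dep in inst}


def freeipa_scenario(flavour):
    """freeipa-server and selinux-policy upgraded in one transaction (as in
    the thread), plus a constructed third package that closes a Requires loop
    so that snipping has to happen. `flavour` is how freeipa-server declares
    selinux-policy: 'Requires', 'Requires(pre)' or 'Requires(post)'."""
    ipa = Package("freeipa-server", requires={"selinux-policy", "slapi-nis"})
    if flavour == "Requires(pre)":
        ipa.requires_pre.add("selinux-policy")
    elif flavour == "Requires(post)":
        ipa.requires_post.add("selinux-policy")
    pkgs = [
        ipa,
        Package("selinux-policy", requires={"third-party-addon"}),  # constructed
        Package("third-party-addon", requires={"freeipa-server"}),  # constructed
    ]
    order, snipped = order_transaction(pkgs)
    seen = phases_with_dep(timeline(order), "freeipa-server", "selinux-policy")
    return order, snipped, seen


if __name__ == "__main__":
    for flavour in ("Requires", "Requires(pre)", "Requires(post)"):
        order, snipped, seen = freeipa_scenario(flavour)
        print(f"{flavour:15} order={order} snipped={snipped}")
        print(f"{'':15} freeipa-server scriptlets that see selinux-policy:"
              f" {sorted(seen)}")
```

With plain Requires the model snips freeipa-server's own edge, so its %post runs before selinux-policy is installed while %posttrans still sees it; the hard flavours break the loop at the constructed edge instead and selinux-policy lands first.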


Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-25 Thread Alexander Bokovoy

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 05:37 PM, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 04:37 PM, Jan Cholasta wrote:

On 25.8.2015 14:50, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

On 25.8.2015 14:23, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

Hi,

the attached patch fixes
https://fedorahosted.org/freeipa/ticket/5256.

Honza

--
Jan Cholasta



From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Aug 2015 14:14:25 +0200
Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy

This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.

https://fedorahosted.org/freeipa/ticket/5256
---
freeipa.spec.in | 1 +
1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba91fe..fd73cda 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,6 +139,7 @@ Requires: systemd-units = 38
Requires(pre): shadow-utils
Requires(pre): systemd-units
Requires(post): systemd-units
+Requires(pre): selinux-policy = %{selinux_policy_version}
Requires: selinux-policy = %{selinux_policy_version}
Requires(post): selinux-policy-base
Requires: slapi-nis = 0.54.2-1

If we have it in Requires(pre), we don't need it in Requires, as
Requires(pre) is a superset of guarantees that Requires gives you.


Martin (CCed) told me Requires(pre) does not imply Requires.

See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):

Since the only way out of a dependency loop is to snip the loop
somewhere, rpm uses hints from Requires: dependencies to distinguish
co-requisite (these are not needed to install, only to use, a package)
from pre-requisite (these are guaranteed to be installed before the
package that includes the dependency) relations.




Requires(pre) ensures that selinux-policy of specific version is
installed before pre scripts of freeipa-server would run, be it in the
same transaction or in a previous one.



Hmm, ipa-server-upgrade is run in posttrans. Should the Requires(pre)
be changed to Requires(posttrans)?

I don't think there is posttrans target. Perhaps, we can just make sure
Requires(post) is enough.


OK, let's try that. Updated patch attached.



Will this really make a difference? I thought the problem is caused by
selinux-policy being installed after freeipa-server package upgrade. We already
have Requires on selinux-policy, so I am not sure what is actually changed by
this patch.

The change is that with Requires(pre) or Requires(post) we are
guaranteed that selinux-policy is installed and available before our pre
or post scriptlets are run. With Requires only we are not guaranteed to
be installed after selinux-policy, only that it would be available as
part of the same transaction we are installed in.

We don't really need to have Requires(pre) because we don't rely on
selinux-policy being available in pre scriptlet. Forcing Requires(pre)
doesn't help anyone else (rpm/yum/dnf need to solve dependency loops and
we are only complicating with Requires(pre) if we don't actually need
it). Thus, choosing Requires(post) is more correct from distribution
point of view.


Sure, but given that FreeIPA upgrade is run in the posttrans phase:

%posttrans server
# This must be run in posttrans so that updates from previous
# execution that may no longer be shipped are not applied.
/usr/sbin/ipa-server-upgrade --quiet >/dev/null || :

I am now not sure how Requires(pre) or Requires(post) help here, in 
all cases, the right selinux-policy should be there before all the 
posttrans scripts are being run.

I've looked at the rpm source code and here is the list of all supported
requires/dependencies types:
https://github.com/rpm-software-management/rpm/blob/140744377b019e0de81d76d0931c32228d2ed57e/build/rpmfc.c#L1056

Requires(posttrans) is there so we could use this one too but it was
added only in 4.12-alpha which means it is missing in RHEL/CentOS 7, for
example, as they are only up to 4.11. 

Maybe the new selinux-policy is required for certmonger itself or some 
other event during upgrade?

No, I don't think so. However, we cannot set Requires(posttrans), thus
we should be using closest target before it, i.e. Requires(post).
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-25 Thread Martin Kosek

On 08/25/2015 08:59 PM, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 05:37 PM, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 04:37 PM, Jan Cholasta wrote:

On 25.8.2015 14:50, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

On 25.8.2015 14:23, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

Hi,

the attached patch fixes
https://fedorahosted.org/freeipa/ticket/5256.

Honza

--
Jan Cholasta



From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Aug 2015 14:14:25 +0200
Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy

This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.

https://fedorahosted.org/freeipa/ticket/5256
---
freeipa.spec.in | 1 +
1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba91fe..fd73cda 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,6 +139,7 @@ Requires: systemd-units = 38
Requires(pre): shadow-utils
Requires(pre): systemd-units
Requires(post): systemd-units
+Requires(pre): selinux-policy = %{selinux_policy_version}
Requires: selinux-policy = %{selinux_policy_version}
Requires(post): selinux-policy-base
Requires: slapi-nis = 0.54.2-1

If we have it in Requires(pre), we don't need it in Requires, as
Requires(pre) is a superset of guarantees that Requires gives you.


Martin (CCed) told me Requires(pre) does not imply Requires.

See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):

Since the only way out of a dependency loop is to snip the loop
somewhere, rpm uses hints from Requires: dependencies to distinguish
co-requisite (these are not needed to install, only to use, a package)
from pre-requisite (these are guaranteed to be installed before the
package that includes the dependency) relations.




Requires(pre) ensures that selinux-policy of specific version is
installed before pre scripts of freeipa-server would run, be it in the
same transaction or in a previous one.



Hmm, ipa-server-upgrade is run in posttrans. Should the Requires(pre)
be changed to Requires(posttrans)?

I don't think there is posttrans target. Perhaps, we can just make sure
Requires(post) is enough.


OK, let's try that. Updated patch attached.



Will this really make a difference? I thought the problem is caused by
selinux-policy being installed after freeipa-server package upgrade. We already
have Requires on selinux-policy, so I am not sure what is actually changed by
this patch.

The change is that with Requires(pre) or Requires(post) we are
guaranteed that selinux-policy is installed and available before our pre
or post scriptlets are run. With Requires only we are not guaranteed to
be installed after selinux-policy, only that it would be available as
part of the same transaction we are installed in.

We don't really need to have Requires(pre) because we don't rely on
selinux-policy being available in pre scriptlet. Forcing Requires(pre)
doesn't help anyone else (rpm/yum/dnf need to solve dependency loops and
we are only complicating with Requires(pre) if we don't actually need
it). Thus, choosing Requires(post) is more correct from distribution
point of view.


Sure, but given that FreeIPA upgrade is run in the posttrans phase:

%posttrans server
# This must be run in posttrans so that updates from previous
# execution that may no longer be shipped are not applied.
/usr/sbin/ipa-server-upgrade --quiet >/dev/null || :

I am now not sure how Requires(pre) or Requires(post) help here, in all
cases, the right selinux-policy should be there before all the posttrans
scripts are being run.

I've looked at the rpm source code and here is the list of all supported
requires/dependencies types:
https://github.com/rpm-software-management/rpm/blob/140744377b019e0de81d76d0931c32228d2ed57e/build/rpmfc.c#L1056


Requires(posttrans) is there so we could use this one too but it was
added only in 4.12-alpha which means it is missing in RHEL/CentOS 7, for
example, as they are only up to 4.11.

Maybe the new selinux-policy is required for certmonger itself or some other
event during upgrade?

No, I don't think so. However, we cannot set Requires(posttrans), thus
we should be using closest target before it, i.e. Requires(post).


Thank you, but I think I still did not get an answer for my question.

IIUC, the rough rpm process with regards to freeipa-server package upgrade, it 
should be in this order:


_
|
v
RPM installs some dependencies of freeipa-server
|
V
RPM installs Requires(pre) of freeipa-server
freeipa-server pre scriptlet runs
|
v
RPM installs freeipa-server
|
v
RPM installs Requires(post) of freeipa-server
freeipa-server post scriptlet runs
|
v
RPM installs some dependencies of freeipa-server
|
v
RPM executes posttrans scriptlets, including ipa-server-upgrade.


My question is, if all 

Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-25 Thread Rob Crittenden

Martin Kosek wrote:

On 08/25/2015 08:59 PM, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 05:37 PM, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 04:37 PM, Jan Cholasta wrote:

On 25.8.2015 14:50, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

On 25.8.2015 14:23, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

Hi,

the attached patch fixes
https://fedorahosted.org/freeipa/ticket/5256.

Honza

--
Jan Cholasta



From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Aug 2015 14:14:25 +0200
Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy

This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.

https://fedorahosted.org/freeipa/ticket/5256
---
freeipa.spec.in | 1 +
1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba91fe..fd73cda 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,6 +139,7 @@ Requires: systemd-units = 38
Requires(pre): shadow-utils
Requires(pre): systemd-units
Requires(post): systemd-units
+Requires(pre): selinux-policy = %{selinux_policy_version}
Requires: selinux-policy = %{selinux_policy_version}
Requires(post): selinux-policy-base
Requires: slapi-nis = 0.54.2-1

If we have it in Requires(pre), we don't need it in Requires, as
Requires(pre) is a superset of guarantees that Requires gives you.


Martin (CCed) told me Requires(pre) does not imply Requires.

See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):

Since the only way out of a dependency loop is to snip the loop
somewhere, rpm uses hints from Requires: dependencies to distinguish
co-requisite (these are not needed to install, only to use, a package)
from pre-requisite (these are guaranteed to be installed before the
package that includes the dependency) relations.




Requires(pre) ensures that selinux-policy of specific version is
installed before pre scripts of freeipa-server would run, be it in the
same transaction or in a previous one.



Hmm, ipa-server-upgrade is run in posttrans. Should the Requires(pre)
be changed to Requires(posttrans)?

I don't think there is posttrans target. Perhaps, we can just make sure
Requires(post) is enough.


OK, let's try that. Updated patch attached.



Will this really make a difference? I thought the problem is caused by
selinux-policy being installed after freeipa-server package upgrade. We already
have Requires on selinux-policy, so I am not sure what is actually changed by
this patch.

The change is that with Requires(pre) or Requires(post) we are
guaranteed that selinux-policy is installed and available before our pre
or post scriptlets are run. With Requires only we are not guaranteed to
be installed after selinux-policy, only that it would be available as
part of the same transaction we are installed in.

We don't really need to have Requires(pre) because we don't rely on
selinux-policy being available in pre scriptlet. Forcing Requires(pre)
doesn't help anyone else (rpm/yum/dnf need to solve dependency loops and
we are only complicating with Requires(pre) if we don't actually need
it). Thus, choosing Requires(post) is more correct from distribution
point of view.


Sure, but given that FreeIPA upgrade is run in the posttrans phase:

%posttrans server
# This must be run in posttrans so that updates from previous
# execution that may no longer be shipped are not applied.
/usr/sbin/ipa-server-upgrade --quiet >/dev/null || :

I am now not sure how Requires(pre) or Requires(post) help here, in all
cases, the right selinux-policy should be there before all the posttrans
scripts are being run.

I've looked at the rpm source code and here is the list of all supported
requires/dependencies types:
https://github.com/rpm-software-management/rpm/blob/140744377b019e0de81d76d0931c32228d2ed57e/build/rpmfc.c#L1056



Requires(posttrans) is there so we could use this one too but it was
added only in 4.12-alpha which means it is missing in RHEL/CentOS 7, for
example, as they are only up to 4.11.

Maybe the new selinux-policy is required for certmonger itself or some other
event during upgrade?

No, I don't think so. However, we cannot set Requires(posttrans), thus
we should be using closest target before it, i.e. Requires(post).


Thank you, but I think I still did not get an answer for my question.

IIUC, the rough rpm process with regards to freeipa-server package
upgrade, it should be in this order:

_
|
v
RPM installs some dependencies of freeipa-server
|
V
RPM installs Requires(pre) of freeipa-server
freeipa-server pre scriptlet runs
|
v
RPM installs freeipa-server
|
v
RPM installs Requires(post) of freeipa-server
freeipa-server post scriptlet runs
|
v
RPM installs some dependencies of freeipa-server
|
v
RPM executes posttrans scriptlets, including ipa-server-upgrade.


My 

Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-25 Thread Martin Kosek

On 08/25/2015 05:37 PM, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 04:37 PM, Jan Cholasta wrote:

On 25.8.2015 14:50, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

On 25.8.2015 14:23, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

Hi,

the attached patch fixes
https://fedorahosted.org/freeipa/ticket/5256.

Honza

--
Jan Cholasta



From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Aug 2015 14:14:25 +0200
Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy

This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.

https://fedorahosted.org/freeipa/ticket/5256
---
freeipa.spec.in | 1 +
1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba91fe..fd73cda 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,6 +139,7 @@ Requires: systemd-units = 38
Requires(pre): shadow-utils
Requires(pre): systemd-units
Requires(post): systemd-units
+Requires(pre): selinux-policy = %{selinux_policy_version}
Requires: selinux-policy = %{selinux_policy_version}
Requires(post): selinux-policy-base
Requires: slapi-nis = 0.54.2-1

If we have it in Requires(pre), we don't need it in Requires, as
Requires(pre) is a superset of guarantees that Requires gives you.


Martin (CCed) told me Requires(pre) does not imply Requires.

See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):

Since the only way out of a dependency loop is to snip the loop
somewhere, rpm uses hints from Requires: dependencies to distinguish
co-requisite (these are not needed to install, only to use, a package)
from pre-requisite (these are guaranteed to be installed before the
package that includes the dependency) relations.




Requires(pre) ensures that selinux-policy of specific version is
installed before pre scripts of freeipa-server would run, be it in the
same transaction or in a previous one.



Hmm, ipa-server-upgrade is run in posttrans. Should the Requires(pre)
be changed to Requires(posttrans)?

I don't think there is posttrans target. Perhaps, we can just make sure
Requires(post) is enough.


OK, let's try that. Updated patch attached.



Will this really make a difference? I thought the problem is caused by
selinux-policy being installed after freeipa-server package upgrade. We already
have Requires on selinux-policy, so I am not sure what is actually changed by
this patch.

The change is that with Requires(pre) or Requires(post) we are
guaranteed that selinux-policy is installed and available before our pre
or post scriptlets are run. With Requires only we are not guaranteed to
be installed after selinux-policy, only that it would be available as
part of the same transaction we are installed in.

We don't really need to have Requires(pre) because we don't rely on
selinux-policy being available in pre scriptlet. Forcing Requires(pre)
doesn't help anyone else (rpm/yum/dnf need to solve dependency loops and
we are only complicating with Requires(pre) if we don't actually need
it). Thus, choosing Requires(post) is more correct from distribution
point of view.


Sure, but given that FreeIPA upgrade is run in the posttrans phase:

%posttrans server
# This must be run in posttrans so that updates from previous
# execution that may no longer be shipped are not applied.
/usr/sbin/ipa-server-upgrade --quiet >/dev/null || :

I am now not sure how Requires(pre) or Requires(post) help here, in all cases, 
the right selinux-policy should be there before all the posttrans scripts are 
being run.


Maybe the new selinux-policy is required for certmonger itself or some other 
event during upgrade?




Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-25 Thread Alexander Bokovoy

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 08:59 PM, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 05:37 PM, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 04:37 PM, Jan Cholasta wrote:

On 25.8.2015 14:50, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

On 25.8.2015 14:23, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

Hi,

the attached patch fixes
https://fedorahosted.org/freeipa/ticket/5256.

Honza

--
Jan Cholasta



From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Aug 2015 14:14:25 +0200
Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy

This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.

https://fedorahosted.org/freeipa/ticket/5256
---
freeipa.spec.in | 1 +
1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba91fe..fd73cda 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,6 +139,7 @@ Requires: systemd-units = 38
Requires(pre): shadow-utils
Requires(pre): systemd-units
Requires(post): systemd-units
+Requires(pre): selinux-policy = %{selinux_policy_version}
Requires: selinux-policy = %{selinux_policy_version}
Requires(post): selinux-policy-base
Requires: slapi-nis = 0.54.2-1

If we have it in Requires(pre), we don't need it in Requires, as
Requires(pre) is a superset of guarantees that Requires gives you.


Martin (CCed) told me Requires(pre) does not imply Requires.

See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):

Since the only way out of a dependency loop is to snip the loop
somewhere, rpm uses hints from Requires: dependencies to distinguish
co-requisite (these are not needed to install, only to use, a package)
from pre-requisite (these are guaranteed to be installed before the
package that includes the dependency) relations.




Requires(pre) ensures that selinux-policy of specific version is
installed before pre scripts of freeipa-server would run, be it in the
same transaction or in a previous one.



Hmm, ipa-server-upgrade is run in posttrans. Should the Requires(pre)
be changed to Requires(posttrans)?

I don't think there is posttrans target. Perhaps, we can just make sure
Requires(post) is enough.


OK, let's try that. Updated patch attached.



Will this really make a difference? I thought the problem is caused by
selinux-policy being installed after freeipa-server package upgrade. We already
have Requires on selinux-policy, so I am not sure what is actually changed by
this patch.

The change is that with Requires(pre) or Requires(post) we are
guaranteed that selinux-policy is installed and available before our pre
or post scriptlets are run. With Requires only we are not guaranteed to
be installed after selinux-policy, only that it would be available as
part of the same transaction we are installed in.

We don't really need to have Requires(pre) because we don't rely on
selinux-policy being available in pre scriptlet. Forcing Requires(pre)
doesn't help anyone else (rpm/yum/dnf need to solve dependency loops and
we are only complicating with Requires(pre) if we don't actually need
it). Thus, choosing Requires(post) is more correct from distribution
point of view.


Sure, but given that FreeIPA upgrade is run in the posttrans phase:

%posttrans server
# This must be run in posttrans so that updates from previous
# execution that may no longer be shipped are not applied.
/usr/sbin/ipa-server-upgrade --quiet >/dev/null || :

I am now not sure how Requires(pre) or Requires(post) help here, in all
cases, the right selinux-policy should be there before all the posttrans
scripts are being run.

I've looked at the rpm source code and here is the list of all supported
requires/dependencies types:
https://github.com/rpm-software-management/rpm/blob/140744377b019e0de81d76d0931c32228d2ed57e/build/rpmfc.c#L1056


Requires(posttrans) is there so we could use this one too but it was
added only in 4.12-alpha which means it is missing in RHEL/CentOS 7, for
example, as they are only up to 4.11.

Maybe the new selinux-policy is required for certmonger itself or some other
event during upgrade?

No, I don't think so. However, we cannot set Requires(posttrans), thus
we should be using closest target before it, i.e. Requires(post).


Thank you, but I think I still did not get an answer for my question.

IIUC, the rough rpm process with regards to freeipa-server package 
upgrade, it should be in this order:


_
|
v
RPM installs some dependencies of freeipa-server
|
V
RPM installs Requires(pre) of freeipa-server
freeipa-server pre scriptlet runs
|
v
RPM installs freeipa-server
|
v
RPM installs Requires(post) of freeipa-server
freeipa-server post scriptlet runs
|
v
RPM installs some dependencies of freeipa-server
|
v
RPM executes posttrans scriptlets, including 

Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-25 Thread Martin Kosek

On 08/25/2015 09:22 PM, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 08:59 PM, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 05:37 PM, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Martin Kosek wrote:

On 08/25/2015 04:37 PM, Jan Cholasta wrote:

On 25.8.2015 14:50, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

On 25.8.2015 14:23, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

Hi,

the attached patch fixes
https://fedorahosted.org/freeipa/ticket/5256.

Honza

--
Jan Cholasta



From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Aug 2015 14:14:25 +0200
Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy

This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.

https://fedorahosted.org/freeipa/ticket/5256
---
freeipa.spec.in | 1 +
1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba91fe..fd73cda 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,6 +139,7 @@ Requires: systemd-units = 38
Requires(pre): shadow-utils
Requires(pre): systemd-units
Requires(post): systemd-units
+Requires(pre): selinux-policy = %{selinux_policy_version}
Requires: selinux-policy = %{selinux_policy_version}
Requires(post): selinux-policy-base
Requires: slapi-nis = 0.54.2-1

If we have it in Requires(pre), we don't need it in Requires, as
Requires(pre) is a superset of guarantees that Requires gives you.


Martin (CCed) told me Requires(pre) does not imply Requires.

See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):

Since the only way out of a dependency loop is to snip the loop
somewhere, rpm uses hints from Requires: dependencies to distinguish
co-requisite (these are not needed to install, only to use, a package)
from pre-requisite (these are guaranteed to be installed before the
package that includes the dependency) relations.




Requires(pre) ensures that selinux-policy of specific version is
installed before pre scripts of freeipa-server would run, be it in the
same transaction or in a previous one.



Hmm, ipa-server-upgrade is run in posttrans. Should the Requires(pre)
be changed to Requires(posttrans)?

I don't think there is posttrans target. Perhaps, we can just make sure
Requires(post) is enough.


OK, let's try that. Updated patch attached.



Will this really make a difference? I thought the problem is caused by
selinux-policy being installed after freeipa-server package upgrade. We already
have Requires on selinux-policy, so I am not sure what is actually changed by
this patch.

The change is that with Requires(pre) or Requires(post) we are
guaranteed that selinux-policy is installed and available before our pre
or post scriptlets are run. With Requires only we are not guaranteed to
be installed after selinux-policy, only that it would be available as
part of the same transaction we are installed in.

We don't really need to have Requires(pre) because we don't rely on
selinux-policy being available in pre scriptlet. Forcing Requires(pre)
doesn't help anyone else (rpm/yum/dnf need to solve dependency loops and
we are only complicating with Requires(pre) if we don't actually need
it). Thus, choosing Requires(post) is more correct from distribution
point of view.


Sure, but given that FreeIPA upgrade is run in the posttrans phase:

%posttrans server
# This must be run in posttrans so that updates from previous
# execution that may no longer be shipped are not applied.
/usr/sbin/ipa-server-upgrade --quiet >/dev/null || :

I am now not sure how Requires(pre) or Requires(post) help here, in all
cases, the right selinux-policy should be there before all the posttrans
scripts are being run.

I've looked at the rpm source code and here is the list of all supported
requires/dependencies types:
https://github.com/rpm-software-management/rpm/blob/140744377b019e0de81d76d0931c32228d2ed57e/build/rpmfc.c#L1056



Requires(posttrans) is there so we could use this one too but it was
added only in 4.12-alpha which means it is missing in RHEL/CentOS 7, for
example, as they are only up to 4.11.

Maybe the new selinux-policy is required for certmonger itself or some other
event during upgrade?

No, I don't think so. However, we cannot set Requires(posttrans), thus
we should be using closest target before it, i.e. Requires(post).


Thank you, but I think I still did not get an answer for my question.

IIUC, the rough rpm process with regards to freeipa-server package upgrade,
it should be in this order:

_
|
v
RPM installs some dependencies of freeipa-server
|
V
RPM installs Requires(pre) of freeipa-server
freeipa-server pre scriptlet runs
|
v
RPM installs freeipa-server
|
v
RPM installs Requires(post) of freeipa-server
freeipa-server post scriptlet runs
|
v
RPM installs some dependencies of freeipa-server
|
v

[Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-25 Thread Jan Cholasta

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/5256.

Honza

--
Jan Cholasta
From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Aug 2015 14:14:25 +0200
Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy

This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.

https://fedorahosted.org/freeipa/ticket/5256
---
 freeipa.spec.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba91fe..fd73cda 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,6 +139,7 @@ Requires: systemd-units = 38
 Requires(pre): shadow-utils
 Requires(pre): systemd-units
 Requires(post): systemd-units
+Requires(pre): selinux-policy = %{selinux_policy_version}
 Requires: selinux-policy = %{selinux_policy_version}
 Requires(post): selinux-policy-base
 Requires: slapi-nis = 0.54.2-1
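Review bot: the added `Requires(pre): selinux-policy` line orders selinux-policy only ahead of the %pre scriptlet, while the failure the commit message describes comes from ipa-server-upgrade, which this spec runs from %posttrans, so the new line does not constrain the scriptlet that actually needs the newer policy. Requires(posttrans) exists only from rpm 4.12 and is absent on RHEL/CentOS 7 (rpm 4.11), so the closest usable target is `Requires(post): selinux-policy >= %{selinux_policy_version}`, next to the existing `Requires(post): selinux-policy-base` context line; keep the plain `Requires:` line too, since Requires(pre)/(post) do not imply Requires. The comparison shows as `selinux-policy = %{selinux_policy_version}` in both the added and the existing line: confirm the spec really carries `>=`, because an exact-version pin would break on every selinux-policy update, and a one-line comment above the dependency naming the scriptlet that needs it would save the next reader this whole thread.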
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-25 Thread Alexander Bokovoy

On Tue, 25 Aug 2015, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/5256.

Honza

--
Jan Cholasta



From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Aug 2015 14:14:25 +0200
Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy

This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.

https://fedorahosted.org/freeipa/ticket/5256
---
freeipa.spec.in | 1 +
1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba91fe..fd73cda 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,6 +139,7 @@ Requires: systemd-units = 38
Requires(pre): shadow-utils
Requires(pre): systemd-units
Requires(post): systemd-units
+Requires(pre): selinux-policy = %{selinux_policy_version}
Requires: selinux-policy = %{selinux_policy_version}
Requires(post): selinux-policy-base
Requires: slapi-nis = 0.54.2-1

If we have it in Requires(pre), we don't need it in Requires, as
Requires(pre) is a superset of guarantees that Requires gives you.

Requires(pre) ensures that selinux-policy of a specific version is
installed before the pre scripts of freeipa-server run, be it in the
same transaction or in a previous one.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-25 Thread Jan Cholasta

On 25.8.2015 14:23, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/5256.

Honza

--
Jan Cholasta
From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Aug 2015 14:14:25 +0200
Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy

This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.

https://fedorahosted.org/freeipa/ticket/5256
---
freeipa.spec.in | 1 +
1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba91fe..fd73cda 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,6 +139,7 @@ Requires: systemd-units = 38
Requires(pre): shadow-utils
Requires(pre): systemd-units
Requires(post): systemd-units
+Requires(pre): selinux-policy = %{selinux_policy_version}
Requires: selinux-policy = %{selinux_policy_version}
Requires(post): selinux-policy-base
Requires: slapi-nis = 0.54.2-1

If we have it in Requires(pre), we don't need it in Requires, as
Requires(pre) is a superset of guarantees that Requires gives you.

Martin (CCed) told me Requires(pre) does not imply Requires.

Requires(pre) ensures that selinux-policy of a specific version is
installed before the pre scripts of freeipa-server run, be it in the
same transaction or in a previous one.

Hmm, ipa-server-upgrade is run in posttrans. Should the Requires(pre) be
changed to Requires(posttrans)?

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

2015-08-25 Thread Alexander Bokovoy

On Tue, 25 Aug 2015, Jan Cholasta wrote:

On 25.8.2015 14:23, Alexander Bokovoy wrote:

On Tue, 25 Aug 2015, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/5256.

Honza

--
Jan Cholasta
From 216be8de30747f80f490d4e91a7cca4af3e767d6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 25 Aug 2015 14:14:25 +0200
Subject: [PATCH] spec file: Add Requires(pre) on selinux-policy

This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.

https://fedorahosted.org/freeipa/ticket/5256
---
freeipa.spec.in | 1 +
1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba91fe..fd73cda 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,6 +139,7 @@ Requires: systemd-units = 38
Requires(pre): shadow-utils
Requires(pre): systemd-units
Requires(post): systemd-units
+Requires(pre): selinux-policy = %{selinux_policy_version}
Requires: selinux-policy = %{selinux_policy_version}
Requires(post): selinux-policy-base
Requires: slapi-nis = 0.54.2-1

If we have it in Requires(pre), we don't need it in Requires, as
Requires(pre) is a superset of guarantees that Requires gives you.

Martin (CCed) told me Requires(pre) does not imply Requires.

See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):

Since the only way out of a dependency loop is to snip the loop
somewhere, rpm uses hints from Requires: dependencies to distinguish
co-requisite (these are not needed to install, only to use, a package)
from pre-requisite (these are guaranteed to be installed before the
package that includes the dependency) relations.

Requires(pre) ensures that selinux-policy of a specific version is
installed before the pre scripts of freeipa-server run, be it in the
same transaction or in a previous one.

Hmm, ipa-server-upgrade is run in posttrans. Should the Requires(pre)
be changed to Requires(posttrans)?

I don't think there is a posttrans target. Perhaps we can just make sure
Requires(post) is enough.
--
/ Alexander Bokovoy

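As an added illustration of the ordering semantics argued over in this thread (example code, not from the patch or the FreeIPA project): a small Python checker that parses spec-file Requires lines and reports which of the depending package's install scriptlets each dependency is guaranteed to precede, using the rules stated above (Requires(pre): installed before %pre; Requires(post): before %post; plain Requires: a co-requisite, needed to use rather than to install) together with the fixed scriptlet order %pre, %post, %posttrans. The sample lines mirror the hunk but assume the comparison operator is `>=` (the archive rendering shows `=`); the macro is left unexpanded.

```python
import re
from typing import NamedTuple, Optional

# Install-time order of a package's scriptlets; %posttrans runs after the whole
# transaction has been applied, so a guarantee for an earlier one carries forward.
SCRIPTLETS = ("pre", "post", "posttrans")
# Qualifier -> index of the earliest scriptlet the dependency must precede, per
# the thread. Plain Requires is a co-requisite and therefore has no entry.
GUARANTEED_BEFORE = {"pre": 0, "post": 1}

REQ_RE = re.compile(
    r"^\s*Requires(?:\((?P<q>\w+)\))?:\s*(?P<name>\S+)"
    r"(?:\s*(?P<op>[<>=]+)\s*(?P<ver>\S+))?\s*$")

class Req(NamedTuple):
    qualifier: Optional[str]   # None for a plain Requires
    name: str
    op: Optional[str]
    version: Optional[str]

def parse_requires(spec_text: str) -> list:
    """Extract Requires and Requires(x) lines; every other line is ignored."""
    reqs = []
    for line in spec_text.splitlines():
        m = REQ_RE.match(line)
        if m:
            reqs.append(Req(m["q"], m["name"], m["op"], m["ver"]))
    return reqs

def guaranteed_before(req: Req) -> tuple:
    """Scriptlets of the depending package that `req` is certain to precede."""
    if req.qualifier not in GUARANTEED_BEFORE:
        return ()   # co-requisite, or a qualifier this model does not cover
    return SCRIPTLETS[GUARANTEED_BEFORE[req.qualifier]:]

def covers(reqs, name: str, scriptlet: str) -> bool:
    """True if some line for `name` guarantees it is installed before `scriptlet`."""
    return any(scriptlet in guaranteed_before(r) for r in reqs if r.name == name)

# Constructed sample mirroring the hunk (macro unexpanded, '>=' assumed).
SAMPLE = """\
Requires(pre): shadow-utils
Requires(pre): systemd-units
Requires(post): systemd-units
Requires(pre): selinux-policy >= %{selinux_policy_version}
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.54.2-1
"""

if __name__ == "__main__":
    print({s: covers(parse_requires(SAMPLE), "selinux-policy", s) for s in SCRIPTLETS})
```

Running it shows selinux-policy is guaranteed before all three scriptlets only because of the Requires(pre) line; the plain Requires line on its own contributes no scriptlet guarantee, which is the gap the thread is discussing.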