Red Hat Bugzilla – Bug 1394177
Update to 6.2.4 does relabel /var/lib/pulp
Last modified: 2018-09-19 11:11:28 EDT
Description of problem: Customer noticed that update to Satellite 6.2.4 does relabel `/var/lib/pulp` which can take a while for a productive environment that has lots of products synced. Checking this in `pulp.spec` I found: 955 %pre selinux 956 # Record old version so we can limit which restorecon statement are executed later 957 test -e %{_localstatedir}/lib/rpm-state/%{name} || mkdir -p %{_localstatedir}/lib/rpm-state/%{name} 958 oldversion=$(semodule -l | grep pulp-server) 959 echo ${oldversion:12} > %{_localstatedir}/lib/rpm-state/%{name}/old-version I guess the problem is, that we no longer show the SELinux module version in Red Hat Enterprise Linux 7.3. See https://bugzilla.redhat.com/show_bug.cgi?id=1392573 for more details Because of this, I think the check is failing and thus initiate relabel.sh Version-Release number of selected component (if applicable): - foreman-1.11.0.54-1.el7sat.noarch - pulp-server-2.8.7.3-1.el7sat.noarch - candlepin-0.9.54.14-1.el7.noarch How reproducible: Always Steps to Reproduce: 1. Install Satellite 6.2 on Red Hat Enterprise Linux 7.2 2. Update Red Hat Enterprise Linux to 7.3 3. Update to Stellite 6.2.4 and check if pulp does a relabel Actual results: Does a relabel even if that is likely not required Expected results: Should not do a relabel respectively the test in `pulp.spec` should be adjusted according to https://bugzilla.redhat.com/show_bug.cgi?id=1392573 Additional info: See https://bugzilla.redhat.com/show_bug.cgi?id=1392573 for more details
I can see how this is a problem, and I believe upstream is affected. I've filed the upstream bug as 2424. We'll be tracking the issue on the related bug.
The restorecon operation is I/O bound not CPU or memory bound. I expect the runtime to be proportional to the amount of data in /var/lib/pulp/ and the speed of the filesystem. So solid state will be very fast, spinning local disks normal, and NFS mounted filesystem will likely take a long time.
The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.
The Pulp upstream bug priority is at High. Updating the external tracker on this bug.
The Pulp upstream bug status is at POST. Updating the external tracker on this bug.
The upstream issue is at modified. This should cherry pick cleanly onto 2.8.7+
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.
The Pulp upstream bug status is at VERIFIED. Updating the external tracker on this bug.
The Pulp upstream bug priority is at Urgent. Updating the external tracker on this bug.
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.
Since we are aligning this to 6.2.6, is there any workaround that will allow customers to avoid the relabelling if/when they upgrade to 6.2.5?
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.
Verified in Satellite 6.2.7 snap 2 using steps from comment #23, /var/lib/pulp is no longer relabeled upon upgrade.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0197