RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1441673 - Make pcs avoid a full CIB replacement
Summary: Make pcs avoid a full CIB replacement
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pcs
Version: 7.4
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Tomas Jelinek
QA Contact: cluster-qe@redhat.com
URL:
Whiteboard:
: 1499796 (view as bug list)
Depends On: 1412309
Blocks: 1482623
TreeView+ depends on / blocked
 
Reported: 2017-04-12 12:34 UTC by Tomas Jelinek
Modified: 2021-06-10 12:10 UTC (History)
8 users (show)

Fixed In Version: pcs-0.9.160-1.el7
Doc Type: No Doc Update
Doc Text:
The fix only applies to pcs commands moved to the new pcs architecture. The list of these command is changing as we are working on moving all pcs commands to the new architecture. This may be confusing to the users so I think we can skip documenting this bz.
Clone Of:
: 1482623 (view as bug list)
Environment:
Last Closed: 2018-04-10 15:39:15 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
proposed fix + tests (236.53 KB, patch)
2017-08-28 14:49 UTC, Tomas Jelinek 		no flags Details | Diff
additional fix (1.51 KB, patch)
2017-09-01 12:52 UTC, Ivan Devat 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1404233 0 urgent CLOSED Make pcs avoid a full CIB replacement when possible 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1441669 0 low CLOSED cibadmin can return a CIB not conforming to the schema if deny ACLs are in use 2021-02-22 00:41:40 UTC
Red Hat Knowledge Base (Solution) 3456901 0 None None None 2018-05-23 12:13:18 UTC
Red Hat Product Errata RHBA-2018:0866 0 None None None 2018-04-10 15:40:17 UTC

Internal Links: 1404233 1441669

Description Tomas Jelinek 2017-04-12 12:34:17 UTC 
Description of problem:
This has been partially implemented in bz1404233 - the "pcs cluster cib-push" command has now an option to obtain and push just a diff instead of the whole CIB.

It is required to make this approach a standard way of pushing cib in all pcs commands. The only exception is the "pcs cluster cib-push" command where the user may want to really overwrite the existing CIB and make the live CIB look exactly like what has been provided to the command.

Reasoning:
1) avoid conflicts when editing the CIB simultaneously
See bz1404233 for more details.

2) replacing the whole CIB fails when ACLs are in place, see reproducer

3) performance reasons
When pushing the whole CIB, it takes more time to process it in pacemaker.


Version-Release number of selected component (if applicable):
pcs-0.9.157-1.el7.x86_64


How reproducible:
always, easily


Steps to Reproduce:
[root@rh73-node1:~]# pcs resource create dummy1 ocf:pacemaker:Dummy    
[root@rh73-node1:~]# pcs resource create dummy2 ocf:pacemaker:Dummy
[root@rh73-node1:~]# pcs acl user create user1
[root@rh73-node1:~]# pcs acl role create role1
[root@rh73-node1:~]# pcs acl permission add role1 write xpath /
[root@rh73-node1:~]# pcs acl permission add role1 write xpath /cib/configuration
[root@rh73-node1:~]# pcs acl permission add role1 deny id dummy1
# avoid bz1441669
[root@rh73-node1:~]# pcs acl permission add role1 deny xpath /cib/configuration/acls
[root@rh73-node1:~]# pcs acl role assign role1 user user1
[root@rh73-node1:~]# pcs acl enable

# now switch to user1
[user1@rh73-node1 ~]$ pcs resource disable dummy2
Error: Unable to update cib
Call cib_replace failed (-13): Permission denied


Actual results:
It is not possible to edit the CIB.


Expected results:
It is possible to edit CIB.


Additional info:
The command fails, because:
* When reading the CIB, dummy1 resource is filtered out because of the configured ACLs.
* Dummy2 resource is updated in memory.
* The whole CIB is pushed, but it does not contain dummy1 resource - see above.
* Pacemaker evaluates this as an attempt to remove dummy1 resource, which is prohibited by the ACLs.

If only a diff is pushed, everything works, as the diff does not contain any changes to dummy1 resource.
Comment 2 Tomas Jelinek 2017-08-28 14:49:13 UTC 
Created attachment 1319106 [details]
proposed fix + tests
Comment 3 Tomas Jelinek 2017-08-28 15:25:12 UTC 
This is an internal change. The only effect users can notice is that issues described in comment 0 are fixed. However the fix only applies to pcs commands moved to the new pcs architecture. The list of these command is changing as we are working on moving all pcs commands to the new architecture.
Comment 4 Ivan Devat 2017-09-01 12:52:54 UTC 
Created attachment 1320928 [details]
additional fix

This patch fixes the following problem:

[vm-rhel72-1 ~] $ pcs resource bundle create B container docker image=pcs:test
CIB has been upgraded to the latest schema version.
[vm-rhel72-1 ~] $ pcs resource bundle update B container extra=
Error: Unable to update cib
Couldn't parse input from STDIN.
Comment 7 Ivan Devat 2017-10-11 08:09:47 UTC 
After Fix:

[vm-rhel72-1 ~] $ rpm -q pcs
pcs-0.9.160-1.el7.x86_64

vm-rhel72-1 ~] $ pcs resource create dummy1 ocf:pacemaker:Dummy
[vm-rhel72-1 ~] $ pcs resource create dummy2 ocf:pacemaker:Dummy
[vm-rhel72-1 ~] $ pcs acl user create user1
[vm-rhel72-1 ~] $ pcs acl role create role1
[vm-rhel72-1 ~] $ pcs acl permission add role1 write xpath /
[vm-rhel72-1 ~] $ pcs acl permission add role1 write xpath /cib/configuration
[vm-rhel72-1 ~] $ pcs acl permission add role1 deny id dummy1
[vm-rhel72-1 ~] $ pcs acl permission add role1 deny xpath /cib/configuration/acls
[vm-rhel72-1 ~] $ pcs acl role assign role1 user user1
[vm-rhel72-1 ~] $ pcs acl enable

[user1@vm-rhel72-1 ~]$ pcs resource disable dummy2
[user1@vm-rhel72-1 ~]$ echo $?
0

> the problem with zero change is not there anymore

[vm-rhel72-1 ~] $ pcs resource bundle create B container docker image=pcs:test
[vm-rhel72-1 ~] $ pcs resource bundle update B container extra=
[vm-rhel72-1 ~] $ echo $?
0
Comment 9 Tomas Jelinek 2017-10-12 08:56:23 UTC 
*** Bug 1499796 has been marked as a duplicate of this bug. ***
Comment 19 errata-xmlrpc 2018-04-10 15:39:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0866
Note You need to log in before you can comment on or make changes to this bug.