This is what is happening during an update:

According to the yum logs the system first had selinux-policy-targeted-3.13.1-102.el7_3.16. There is no ganesha_use_fusefs in this package.

Then the system was updated to RHEL-7.4. glusterfs-ganesha was updated at 18:00:12. Then at 18:00:37 selinux-policy-targeted was updated to 3.13.1-166.el7. This has ganesha_use_fusefs.

ganesha_use_fusefs still wasn't available when glusterfs-ganesha was updated so the semanage command (silently) failed.

rpm only allows a 'Requires: selinux-policy-targeted >= NV'. I.e. NV = 3.13.1. It doesn't allow a 'Requires: selinux-policy-targeted >= NVR'. I.e. NVR = 3.13.1-166.

Thus, for the purposes of upgrading, 3.13.1-102.el7_3.16 satisfies the Requires: but doesn't have the necessary ganesha_use_fusefs for the %post to work.

Of course on a fresh install you will get the correct version of selinux-policy-targeted and everything works as expected.

Off the top of my head the only way to force selinux-policy-targeted to be updated before glusterfs-ganesha is to explicitly update it first, before applying the rest of the update. IOW this has to be prominently documented in the Release Notes.

--- Additional comment from Lukas Vrabec on 2017-07-12 03:05:29 EDT ---

Kaleb,

There is a trigger, which you can use and do the post phase on the end of the RPM transaction. Which means, that you'll have all the new packages updated and then you switch on the SELinux boolean on.
(In reply to Kaleb KEITHLEY from comment #1)
> This is what is happening during an update:
>
> According to the yum logs the system first had
> selinux-policy-targeted-3.13.1-102.el7_3.16. There is no ganesha_use_fusefs
> in this package.
>
> Then the system was updated to RHEL-7.4. glusterfs-ganesha was updated at
> 18:00:12. Then at 18:00:37 selinux-policy-targeted was updated to
> 3.13.1-166.el7. This has ganesha_use_fusefs.
>
> ganesha_use_fusefs still wasn't available when glusterfs-ganesha was updated
> so the semanage command (silently) failed.
>
> rpm only allows a 'Requires: selinux-policy-targeted >= NV'. I.e. NV =
> 3.13.1. It doesn't allow a 'Requires: selinux-policy-targeted >= NVR'. I.e.
> NVR = 3.13.1-166.
>
> Thus, for the purposes of upgrading, 3.13.1-102.el7_3.16 satisfies the
> Requires: but doesn't have the necessary ganesha_use_fusefs for the %post
> to work.
>
> Of course on a fresh install you will get the correct version of
> selinux-policy-targeted and everything works as expected.
>
> Off the top of my head the only way to force selinux-policy-targeted to be
> updated before glusterfs-ganesha is to explicitly update it first, before
> applying the rest of the update. IOW this has to be prominently documented
> in the Release Notes.
>
> --- Additional comment from Lukas Vrabec on 2017-07-12 03:05:29 EDT ---
>
> Kaleb,
>
> There is a trigger, which you can use and do the post phase on the end of
> the RPM transaction. Which means, that you'll have all the new packages
> updated and then you switch on the SELinux boolean on.

Kaleb,

Yum update will pull all the packages all at once, ganesha and selinux packages. We cannot only update the selinux package first followed by ganesha package. However, after upgrading both selinux and ganesha packages, we can document to enable this boolean manually before doing gluster nfs-ganesha enable. I will verify these steps manually too following the upgrade path.

Need your opinion on this...
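The ordering described in the comments above can be checked from the yum log after an upgrade. The following is an added example, not code from the bug report or from the glusterfs packaging; the sample log lines are constructed (the date and the glusterfs-ganesha version 0.0.0-0 are placeholders, the times and the selinux-policy-targeted version are the ones quoted above), and the "same day" grouping is a heuristic assumption.

```shell
#!/bin/sh
# Constructed sample in /var/log/yum.log format (month day time action package).
sample_yum_log() {
cat <<'EOF'
Jul 11 18:00:10 Updated: glusterfs-libs-0.0.0-0.el7.x86_64
Jul 11 18:00:12 Updated: glusterfs-ganesha-0.0.0-0.el7.x86_64
Jul 11 18:00:37 Updated: selinux-policy-targeted-3.13.1-166.el7.noarch
EOF
}

# Reads yum.log lines on stdin and reports the relative order of the most
# recent glusterfs-ganesha and selinux-policy-targeted entries.
# The log is chronological, so line numbers are compared, not timestamps.
ganesha_update_order() {
  awk '
    $4 != "Updated:" && $4 != "Installed:"  { next }
    $5 ~ /^glusterfs-ganesha-[0-9]/         { g = NR; gd = $1 " " $2 }
    $5 ~ /^selinux-policy-targeted-[0-9]/   { p = NR; pd = $1 " " $2 }
    END {
      if (!g)            print "no-ganesha-update"
      else if (!p)       print "policy-not-updated"
      else if (gd != pd) print "different-days"   # heuristic: separate runs
      else if (g < p)    print "ganesha-first"    # %post ran on old policy
      else               print "policy-first"     # boolean existed for %post
    }'
}

# Stand-alone use: pass a log path, or run with no argument for the sample.
if [ -n "${1:-}" ]; then
  ganesha_update_order < "$1"
else
  sample_yum_log | ganesha_update_order
fi
```

A result of `ganesha-first` means the %post scriptlet ran before the policy carrying ganesha_use_fusefs was in place; confirm with `getsebool ganesha_use_fusefs` and, if it is off, set it with `semanage boolean -m ganesha_use_fusefs --on` before enabling nfs-ganesha.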
I believe Lukas' suggestion of using the %trigger to run the semanage command after selinux-policy-targeted is updated will fix this.
REVIEW: https://review.gluster.org/17756 (packaging: glusterfs-ganesha update sometimes files semanage) posted (#1) for review on release-3.10 by Kaleb KEITHLEY (kkeithle)
REVIEW: https://review.gluster.org/17756 (packaging: glusterfs-ganesha update often fails semanage) posted (#2) for review on release-3.10 by Kaleb KEITHLEY (kkeithle)
REVIEW: https://review.gluster.org/17756 (packaging: glusterfs-ganesha update sometimes files semanage) posted (#3) for review on release-3.10 by Kaleb KEITHLEY (kkeithle)
REVIEW: https://review.gluster.org/17756 (packaging: glusterfs-ganesha update sometimes files semanage) posted (#4) for review on release-3.10 by Kaleb KEITHLEY (kkeithle)
REVIEW: https://review.gluster.org/17756 (packaging: glusterfs-ganesha update sometimes fails semanage) posted (#5) for review on release-3.10 by Kaleb KEITHLEY (kkeithle)
REVIEW: https://review.gluster.org/17756 (packaging: glusterfs-ganesha update sometimes fails semanage) posted (#6) for review on release-3.10 by Kaleb KEITHLEY (kkeithle)
COMMIT: https://review.gluster.org/17756 committed in release-3.10 by Kaleb KEITHLEY (kkeithle)
------
commit 4eebb51afeef48add13a5155a6a858b780327fce
Author: Kaleb S. KEITHLEY <kkeithle>
Date:   Wed Jul 12 07:43:51 2017 -0400

    packaging: glusterfs-ganesha update sometimes fails semanage

    Depending on how dnf orders updates, the updated version of
    selinux-policy-targeted with ganesha_use_fusefs may not be updated
    before the glusterfs-ganesha update execute its %post scriptlet
    containing the `semanage ganesha_use_fusefs ...` command. In such
    situations the semanage command (silently) fails.

    Use a %trigger (and %triggerun) to run the scriptlet (again) after
    selinux-policy-targeted with ganesha_use_fusefs has been installed
    or updated.

    Note: the %triggerun is probably unnecessary, but it doesn't hurt.

    The release-3.10 branch is the "upstream master" for the
    glusterfs-ganesha subpackage.

    Note: to be merged after https://review.gluster.org/17806

    Change-Id: I1ad06d79fa1711e4abf038baf9f0a5b7bb665934
    BUG: 1470040
    Signed-off-by: Kaleb S. KEITHLEY <kkeithle>
    Reviewed-on: https://review.gluster.org/17756
    Smoke: Gluster Build System <jenkins.org>
    CentOS-regression: Gluster Build System <jenkins.org>
    Reviewed-by: Niels de Vos <ndevos>
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.10.5, please open a new bug report.

glusterfs-3.10.5 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution.

[1] http://lists.gluster.org/pipermail/announce/2017-August/000079.html
[2] https://www.gluster.org/pipermail/gluster-users/