Bug 1470040 - packaging: Upgrade glusterfs-ganesha sometimes fails to semanage ganesha_use_fusefs
packaging: Upgrade glusterfs-ganesha sometimes fails to semanage ganesha_use_...
Status: CLOSED CURRENTRELEASE
Product: GlusterFS
Classification: Community
Component: packaging (Show other bugs)
3.10
Unspecified Unspecified
urgent Severity unspecified
: ---
: ---
Assigned To: Kaleb KEITHLEY
: Triaged
Depends On: 1470136 1469561
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-12 06:30 EDT by Kaleb KEITHLEY
Modified: 2017-08-21 09:40 EDT (History)
4 users (show)

See Also:
Fixed In Version: glusterfs-3.10.5
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1469561
Environment:
Last Closed: 2017-08-21 09:40:58 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Comment 1 Kaleb KEITHLEY 2017-07-12 06:31:21 EDT
This is what is happening during an update:

According to the yum logs the system first had selinux-policy-targeted-3.13.1-102.el7_3.16. There is no ganesha_use_fusefs in this package.

Then the system was updated to RHEL-7.4. glusterfs-ganesha was updated at 18:00:12. Then at 18:00:37 selinux-policy-targeted was updated to 3.13.1-166.el7. This has ganesha_use_fusefs.

ganesha_use_fusefs still wasn't available when glusterfs-ganesha was updated so the semanage command (silently) failed.

rpm only allows a 'Requires: selinux-policy-targeted >= NV'. I.e. NV = 3.13.1. It doesn't allow a 'Requires: selinux-policy-targeted >= NVR'. I.e. NVR = 3.13.1-166.

Thus, for the purposes of upgrading, 3.13.1-102.el7_3.16 satisfies the Requires: but doesn't have the necessary ganesha_fuse_fusefs for the %post to work.

Of course on a fresh install you will get the correct version of selinux-policy-targeted and everything works as expected.

Off the top of my head the only way to force selinux-policy-targeted to be updated before glusterfs-ganesha is to explicitly update it first, before applying the rest of the update. IOW this has to be prominently documented in the Release Notes.

--- Additional comment from Lukas Vrabec on 2017-07-12 03:05:29 EDT ---

Kaleb, 

There is a trigger , which you can use and do the post phase on the end of the RPM transaction. Which means, that you'll have all the new packages updated and then you switch on the SELinux boolean on.
Comment 2 Manisha Saini 2017-07-12 07:05:08 EDT
(In reply to Kaleb KEITHLEY from comment #1)
> This is what is happening during an update:
> 
> According to the yum logs the system first had
> selinux-policy-targeted-3.13.1-102.el7_3.16. There is no ganesha_use_fusefs
> in this package.
> 
> Then the system was updated to RHEL-7.4. glusterfs-ganesha was updated at
> 18:00:12. Then at 18:00:37 selinux-policy-targeted was updated to
> 3.13.1-166.el7. This has ganesha_use_fusefs.
> 
> ganesha_use_fusefs still wasn't available when glusterfs-ganesha was updated
> so the semanage command (silently) failed.
> 
> rpm only allows a 'Requires: selinux-policy-targeted >= NV'. I.e. NV =
> 3.13.1. It doesn't allow a 'Requires: selinux-policy-targeted >= NVR'. I.e.
> NVR = 3.13.1-166.
> 
> Thus, for the purposes of upgrading, 3.13.1-102.el7_3.16 satisfies the
> Requires: but doesn't have the necessary ganesha_fuse_fusefs for the %post
> to work.
> 
> Of course on a fresh install you will get the correct version of
> selinux-policy-targeted and everything works as expected.
> 
> Off the top of my head the only way to force selinux-policy-targeted to be
> updated before glusterfs-ganesha is to explicitly update it first, before
> applying the rest of the update. IOW this has to be prominently documented
> in the Release Notes.
> 
> --- Additional comment from Lukas Vrabec on 2017-07-12 03:05:29 EDT ---
> 
> Kaleb, 
> 
> There is a trigger , which you can use and do the post phase on the end of
> the RPM transaction. Which means, that you'll have all the new packages
> updated and then you switch on the SELinux boolean on.



Kaleb,

Yum update will pull all the packages all at once,ganesha and selinux packages.
We cannot only update the selinux package first followed by ganesha package.

However after upgrading both selinux and ganesha packages,we can document to enable this boolean manually before doing gluster nfs-ganesha enable.
I will verify this steps manually too following the upgrade path.

Need your opinion on this...
Comment 3 Kaleb KEITHLEY 2017-07-12 07:33:18 EDT
I believe Lukas' suggestion of using the %trigger to run the semanage command after selinux-policy-targeted is updated will fix this.
Comment 4 Worker Ant 2017-07-12 07:56:46 EDT
REVIEW: https://review.gluster.org/17756 (packaging: glusterfs-ganesha update sometimes files semanage) posted (#1) for review on release-3.10 by Kaleb KEITHLEY (kkeithle@redhat.com)
Comment 5 Worker Ant 2017-07-12 14:45:20 EDT
REVIEW: https://review.gluster.org/17756 (packaging: glusterfs-ganesha update often fails semanage) posted (#2) for review on release-3.10 by Kaleb KEITHLEY (kkeithle@redhat.com)
Comment 6 Worker Ant 2017-07-17 12:27:29 EDT
REVIEW: https://review.gluster.org/17756 (packaging: glusterfs-ganesha update sometimes files semanage) posted (#3) for review on release-3.10 by Kaleb KEITHLEY (kkeithle@redhat.com)
Comment 7 Worker Ant 2017-07-17 12:49:08 EDT
REVIEW: https://review.gluster.org/17756 (packaging: glusterfs-ganesha update sometimes files semanage) posted (#4) for review on release-3.10 by Kaleb KEITHLEY (kkeithle@redhat.com)
Comment 8 Worker Ant 2017-07-17 13:16:34 EDT
REVIEW: https://review.gluster.org/17756 (packaging: glusterfs-ganesha update sometimes fails semanage) posted (#5) for review on release-3.10 by Kaleb KEITHLEY (kkeithle@redhat.com)
Comment 9 Worker Ant 2017-07-24 10:02:03 EDT
REVIEW: https://review.gluster.org/17756 (packaging: glusterfs-ganesha update sometimes fails semanage) posted (#6) for review on release-3.10 by Kaleb KEITHLEY (kkeithle@redhat.com)
Comment 10 Worker Ant 2017-07-28 08:28:31 EDT
COMMIT: https://review.gluster.org/17756 committed in release-3.10 by Kaleb KEITHLEY (kkeithle@redhat.com) 
------
commit 4eebb51afeef48add13a5155a6a858b780327fce
Author: Kaleb S. KEITHLEY <kkeithle@redhat.com>
Date:   Wed Jul 12 07:43:51 2017 -0400

    packaging: glusterfs-ganesha update sometimes fails semanage
    
    Depending on how dnf orders updates, the updated version of
    selinux-policy-targeted with ganesha_use_fusefs may not be updated
    before the glusterfs-ganesha update execute its %post scriptlet
    containing the `semanage ganesha_use_fusefs ...` command. In such
    situations the semanage command (silently) fails.
    
    Use a %trigger (and %triggerun) to run the scriptlet (again) after
    selinux-policy-targeted with ganesha_use_fusefs has been installed
    or updated.
    
    Note: the %triggerun is probably unnecessary, but it doesn't hurt.
    
    The release-3.10 branch is the "upstream master" for the glusterfs-
    ganesha subpackage.
    
    Note: to be merged after https://review.gluster.org/17806
    
    Change-Id: I1ad06d79fa1711e4abf038baf9f0a5b7bb665934
    BUG: 1470040
    Signed-off-by: Kaleb S. KEITHLEY <kkeithle@redhat.com>
    Reviewed-on: https://review.gluster.org/17756
    Smoke: Gluster Build System <jenkins@build.gluster.org>
    CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
    Reviewed-by: Niels de Vos <ndevos@redhat.com>
Comment 11 Shyamsundar 2017-08-21 09:40:58 EDT
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.10.5, please open a new bug report.

glusterfs-3.10.5 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution.

[1] http://lists.gluster.org/pipermail/announce/2017-August/000079.html
[2] https://www.gluster.org/pipermail/gluster-users/

Note You need to log in before you can comment on or make changes to this bug.