Bug 844013 - Review Request: openshift-origin-broker - OpenShift Origin broker components
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Michael Scherer
QA Contact: Fedora Extras Quality Assurance
Duplicates: 842891
Depends On: 470696 839395
Blocks: 845021

Reported: 2012-07-27 18:43 EDT by Troy Dawson
Modified: 2012-09-17 18:49 EDT
Last Closed: 2012-09-17 18:49:03 EDT
Doc Type: Bug Fix
Flags:
misc: fedora-review+
limburgher: fedora-cvs+

Description Troy Dawson 2012-07-27 18:43:15 EDT
Spec URL: http://tdawson.fedorapeople.org/openshift-origin/openshift-origin-broker.spec
SRPM URL: http://tdawson.fedorapeople.org/openshift-origin/openshift-origin-broker-0.6.7-2.fc18.src.rpm
Description: 
This contains the broker 'controlling' components of OpenShift.
This includes the public APIs for the client tools.

Fedora Account System Username: tdawson

Rpmlint Output:
[rawhide]$ rpmlint openshift-origin-broker.spec
0 packages and 1 specfiles checked; 0 errors, 0 warnings.

[rawhide]$ rpmlint /home/quake/rpmbuild/SRPMS/openshift-origin-broker-0.6.7-2.fc18.src.rpm
1 packages and 0 specfiles checked; 0 errors, 0 warnings.

[rawhide]$ rpmlint /home/quake/rpmbuild/RPMS/noarch/openshift-origin-broker-0.6.7-2.fc18.noarch.rpm
openshift-origin-broker.noarch: W: dangling-symlink /var/www/stickshift/broker/httpd/modules /usr/lib64/httpd/modules
openshift-origin-broker.noarch: W: dangling-symlink /var/www/stickshift/broker/httpd/conf/magic /etc/httpd/conf/magic
openshift-origin-broker.noarch: W: dangerous-command-in-%post chmod
openshift-origin-broker.noarch: W: missing-lsb-keyword Default-Stop in /etc/rc.d/init.d/stickshift-broker
openshift-origin-broker.noarch: W: incoherent-init-script-name stickshift-broker ('openshift-origin-broker', 'openshift-origin-brokerd')
1 packages and 0 specfiles checked; 0 errors, 5 warnings.
Comment 1 Troy Dawson 2012-07-27 18:49:41 EDT
*** Bug 842891 has been marked as a duplicate of this bug. ***
Comment 2 Troy Dawson 2012-08-01 12:54:57 EDT
Spec URL: http://tdawson.fedorapeople.org/openshift-origin/openshift-origin-broker.spec
SRPM URL: http://tdawson.fedorapeople.org/openshift-origin/openshift-origin-broker-0.6.7-3.fc18.src.rpm

- Changed logs to ghost setting.
- Changed from ridealong back to passenger
-- This is because it looks like we'll have passenger soon
https://bugzilla.redhat.com/show_bug.cgi?id=470696
Comment 3 Troy Dawson 2012-08-02 18:48:35 EDT
I would like to add FAS account name maxamillion to this review as I'll be out of town for the next week and don't want to be a blocker.

Fedora Account System Username: maxamillion tdawson
Comment 4 Michael Scherer 2012-08-03 04:18:54 EDT
There is no mention of the origin of the favicon :

Source1:   favicon


I am also surprised by some permissions; do we want apache to be able to modify all those files:
%defattr(-,apache,apache,-)
%{brokerdir}
%{htmldir}/broker
%config(noreplace) %{brokerdir}/config/environments/production.rb
%config(noreplace) %{brokerdir}/config/environments/development.rb
%config(noreplace) %{_sysconfdir}/httpd/conf.d/000000_stickshift_proxy.conf
%attr(0664,-,-) %ghost %{brokerdir}/log/production.log
%attr(0664,-,-) %ghost %{brokerdir}/log/development.log
%attr(0664,-,-) %ghost %{brokerdir}/httpd/logs/error_log
%attr(0664,-,-) %ghost %{brokerdir}/httpd/logs/access_log

I see why for logs, but the rest seems to me rather strange; if we run processes under the apache uid, they shouldn't mess with anything like rails config and such, in case of compromise of the apache process.
Comment 5 Adam Miller 2012-08-07 17:21:06 EDT
SPEC URL: http://maxamillion.fedorapeople.org/openshift-origin-broker.spec
SRPM URL: http://maxamillion.fedorapeople.org/openshift-origin-broker-0.6.7-4.fc17.src.rpm


I added a note about the favicon and fixed the permissions for the config files, but the log files as per upstream do need to keep their permissions. (Could potentially be owned by root:apache but have never been tested that way).
Comment 6 Troy Dawson 2012-08-13 18:38:11 EDT
Spec URL: http://tdawson.fedorapeople.org/openshift-origin/openshift-origin-broker.spec
SRPM URL: http://tdawson.fedorapeople.org/openshift-origin/openshift-origin-broker-0.6.7-5.fc18.src.rpm

With this, I think we're ready.

- Now uses systemd instead of init.d for Fedora and RHEL7+
-- This came from upstream.
- cleaned up %files section
-- mainly got rid of duplicate listings
Comment 9 Troy Dawson 2012-08-15 16:12:06 EDT
Spec URL: http://tdawson.fedorapeople.org/openshift-origin/openshift-origin-broker.spec
SRPM URL: http://tdawson.fedorapeople.org/openshift-origin/openshift-origin-broker-0.6.7-7.fc19.src.rpm

- Removed "/sbin/restorecon -R -v /var/run" we have no files there
- Made sysconfig/openshift-origin-broker a config file
Comment 10 Michael Scherer 2012-08-15 17:49:19 EDT
* I still think the permissions on all files except logs should not be such that apache could write them. If there is a security issue in apache (like a PHP application gone crazy and letting anyone upload to any file, installed on the same server), that means the attacker would be able to write Ruby code there, and then execute it by making requests to openshift, thus elevating his privileges.

* I can see why the booleans are turned on, except for httpd_enable_homedirs, which permits reading from ~/public_html/, and it's curious that openshift would rely on this. I also see a boolean httpd_run_stickshift in the man pages; maybe it would be helpful to turn it on (not sure, please check with a real SELinux specialist).

* The booleans are reset on each upgrade, thus erasing the settings changed by the admin. That does not sound like a great idea IMHO.

* I am also not sure that replacing the policy of passenger is the right thing to do. What if I deployed another application using it on the same server?
According to the readme, this is because mod_passenger from the phusion site ships a policy that does not play well with openshift. Wouldn't it be better to fix the policy of mod_passenger to not require such hacks (especially now that the rpm is in Fedora)?

* %config(noreplace) %{brokerdir}/config/environments/production.rb
I would try to put them in /etc, so someone doing a backup of /etc would get them (principle of least surprise). Of course, you need to do a link somewhere.

* that's redundant, since 0644 is already the default 
%attr(0644,-,-) %{_unitdir}/%{name}.service
%attr(0644,-,-) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}

* %attr(0664,-,-) %ghost %{brokerdir}/log/production.log
do we want any process in the apache group to be able to write there?

* after compiling the SELinux policy, /usr/share/selinux/packages/stickshift-broker/stickshift-broker.pp ends up being unowned (and untracked). This should be written as %ghost IMHO. There is also no file context (.fc file) to make sure files are of the proper type, so I would recommend adding that in the policy instead of adding it with semanage fcontext in %post.

* as a side note, the SELinux policy still speaks of oddjob, despite it being obsoleted. And the policy speaks of the stickshift_t and stickshift_exec_t types, but nothing is labeled with these in this rpm nor in openshift-origin-controller, so I think this should be revised or dropped, because it doesn't seem to change anything (but I am a novice in SELinux policy).

* there are now macros for systemd:
https://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Systemd


* since openshift-broker is network facing, it should not be started by default 
https://fedoraproject.org/wiki/Starting_services_by_default ( ie, no chkconfig on ) 

* various cp invocations should use -p, to preserve the modification time
https://fedoraproject.org/wiki/Packaging:Guidelines#Timestamps

* those mkdir are not needed :
mkdir -p %{buildroot}%{_sysconfdir}/oddjobd.conf.d
mkdir -p %{buildroot}%{_sysconfdir}/dbus-1/system.d
mkdir -p %{buildroot}%{_bindir}

and this one is redundant (already done by all other thanks to -p ) :
mkdir -p %{buildroot}%{brokerdir}

these ones are also duplicated:
mkdir -p %{buildroot}%{_var}/lib/stickshift
mkdir -p %{buildroot}%{appdir}
since appdir is /var/lib/stickshift. I guess you can remove appdir from the spec and keep var/lib/, more readable. ( and so remove the define too )

* better written as 1 line : ( ie directly move and rename with 1 mv )
mv %{buildroot}%{brokerdir}/init.d/* %{buildroot}%{_initddir}
mv -f %{buildroot}%{_initddir}/stickshift-broker %{buildroot}%{_initddir}/%{name}
Comment 11 Troy Dawson 2012-08-16 15:06:56 EDT
Spec URL: http://tdawson.fedorapeople.org/openshift-origin/openshift-origin-broker.spec
SRPM URL: http://tdawson.fedorapeople.org/openshift-origin/openshift-origin-broker-0.6.7-7.fc19.src.rpm

* permissions
- removed apache permissions
-- upstream says this should work but has not been completely tested.

* booleans - homedirs
- homedirs booleans - Yes, this is needed by openshift.
- httpd_run_stickshift - currently no response, but isn't a blocker

* booleans - reset them on each upgrade
- They are needed for openshift to run
- Is this a blocker?

* passenger selinux policy
- passenger in F17, F18 now has its own policy.
-- removed all instances where we mess with passenger policy

* move config files in /etc/
- Upstream is aware of this and working towards it, not there yet
- Other openshift origin packages have this also
- Is this a blocker?

* redundant attr setting
- removed redundant attr settings

* selinux policy
- %ghost /usr/share/selinux/packages/%{name}/stickshift-broker.pp
- At this point I don't feel comfortable changing how they are doing their file context.

* selinux side note
- contacted upstream about oddjob in the policy.
-- Will get an expert to go through the file and remove cruft (there are other things that they think can be removed as well)
-- At this point they'd like to keep the cruft in so we don't accidentally break anything.

* Macros for systemd
- I put in options so that it runs the macros for F18+
- For F17- it uses the official commands for those
-- Side note: Right now, when the F18 macro expands, it is the exact same as what is in F17-.  It's somewhat expected, but it made debugging the %if command a little hard.

* Not start by default
- Changed that, using the recommended scriptlets for not starting by default

* Various cp should use -p
- Fixed

* extra mkdirs
- Removed extra and redundant mkdirs

* combine two lines into 1
- done
Comment 12 Michael Scherer 2012-08-16 20:24:08 EDT
Why those permissions :
%attr(0664,-,-) %ghost /usr/share/selinux/packages/%{name}/stickshift-broker.pp
I would use 644 rather, no ?

For booleans, that's not a blocker, but I fear that's something that could annoy people if they write custom policy. Admins tend to not like this :)
But I guess that once someone review the selinux policy, this will be taken care of.

And moving config to /etc is not a blocker, but better have it done before the first stable packages to avoid migration later. Maybe this is too late, since there is already a repository.

For apache, I fear you removed too much. I.e., while most of the files should not be owned by apache, I can see a reason for directories where the name implies that something will be written there:
%{brokerdir}/log
%{brokerdir}/run
%{brokerdir}/tmp

I will finish the review tomorrow, too late now for this.
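
The ownership rule discussed in Comments 10 and 12 (nothing under %{brokerdir} writable by apache except log, run and tmp) can be checked mechanically against a built package. The script below is an added example, not part of the reviewed spec or of any comment in this bug; the function names, the ALLOW_DIRS variable and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag packaged paths the web server account could modify.
# Input (one file per line): "<perms> <owner> <group> <path>", e.g. from
#   rpm -qp --qf '[%{FILEMODES:perms} %{FILEUSERNAME} %{FILEGROUPNAME} %{FILENAMES}\n]' pkg.rpm

BROKERDIR=/var/www/stickshift/broker   # %{brokerdir} as defined in the spec
WEB_USER=apache                        # account (and group) httpd runs as
ALLOW_DIRS="log run tmp"               # writable by design, per Comment 12

# audit_web_writable: read a listing on stdin and print each path WEB_USER can
# write through the owner, group or other bits, unless it is one of the allowed
# runtime directories under BROKERDIR or lies below one of them.
audit_web_writable() {
    awk -v root="$BROKERDIR" -v web="$WEB_USER" -v allow="$ALLOW_DIRS" '
    function allowed(path,    i, n, dirs, p) {
        n = split(allow, dirs, " ")
        for (i = 1; i <= n; i++) {
            p = root "/" dirs[i]
            # Exact directory or anything below it; ".../logs.rb" does not match.
            if (path == p || index(path, p "/") == 1) return 1
        }
        return 0
    }
    NF >= 4 {
        perms = $1; owner = $2; group = $3
        # Everything after the third field is the path (it may contain spaces).
        path = $0
        sub(/^ *[^ ]+ +[^ ]+ +[^ ]+ +/, "", path)
        # In "-rw-rw-r--" characters 3, 6 and 9 are the user/group/other write bits.
        uw = (substr(perms, 3, 1) == "w")
        gw = (substr(perms, 6, 1) == "w")
        ow = (substr(perms, 9, 1) == "w")
        if (!((owner == web && uw) || (group == web && gw) || ow)) next
        if (allowed(path)) next
        print path
    }'
}

# Constructed listing: the layout produced by %defattr(-,apache,apache,-).
sample_apache_owned() {
    cat <<'EOF'
drwxr-xr-x apache apache /var/www/stickshift/broker
-rw-r--r-- apache apache /var/www/stickshift/broker/Gemfile
-rw-r--r-- apache apache /var/www/stickshift/broker/config/environments/production.rb
drwxr-xr-x apache apache /var/www/stickshift/broker/log
-rw-rw-r-- apache apache /var/www/stickshift/broker/log/production.log
drwxr-xr-x apache apache /var/www/stickshift/broker/tmp/sessions
-rw-r--r-- root root /etc/sysconfig/openshift-origin-broker
EOF
}

# Constructed listing: root-owned code and config, apache only on log/run/tmp.
sample_restricted() {
    cat <<'EOF'
drwxr-xr-x root root /var/www/stickshift/broker
-rw-r--r-- root root /var/www/stickshift/broker/Gemfile
-rw-r--r-- root root /var/www/stickshift/broker/config/environments/production.rb
drwxr-xr-x apache apache /var/www/stickshift/broker/log
-rw-r--r-- apache apache /var/www/stickshift/broker/log/production.log
drwxr-xr-x apache apache /var/www/stickshift/broker/run
drwxr-xr-x apache apache /var/www/stickshift/broker/tmp
EOF
}

# Demonstration: three findings for the first listing, none for the second.
sample_apache_owned | audit_web_writable
sample_restricted | audit_web_writable
```

Any path the first call prints is code or configuration that a compromised httpd process could rewrite and then have executed through the broker.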
Comment 13 Michael Scherer 2012-08-17 11:24:38 EDT
So besides the previous comments ( and they can be fixed later ), there are just various missing deps, like mod_passenger. So once they are in, I will approve the package.

Package Review
==============

Key:
- = N/A
x = Pass
! = Fail
? = Not evaluated



===== MUST items =====

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: Package successfully compiles and builds into binary rpms on at least one
     supported primary architecture.
[-]: %build honors applicable compiler flags or justifies otherwise.
[x]: All build dependencies are listed in BuildRequires, except for any that
     are listed in the exceptions section of Packaging Guidelines.
[x]: Package contains no bundled libraries.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[x]: %config files are marked noreplace or the reason is justified.
[x]: Macros in Summary, %description expandable at SRPM build time.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package requires other packages for directories it uses.
[x]: Package uses nothing in %doc for runtime.
[x]: Package is not known to require ExcludeArch.
[x]: Permissions on files are set properly.
[x]: Package does not contain duplicates in %files.
[x]: Package complies to the Packaging Guidelines
[x]: Spec file lacks Packager, Vendor, PreReq tags.
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
     Note: rm -rf would be needed if support for EPEL5 is required
[-]: Large documentation files are in a -doc subpackage, if required.
[x]: If (and only if) the source package includes the text of the license(s)
     in its own file, then that file, containing the text of the license(s)
     for the package is included in %doc.
[x]: License field in the package spec file matches the actual license.
[x]: Package consistently uses macro is (instead of hard-coded directory
     names).
[x]: Package is named using only allowed ASCII characters.
[x]: Package is named according to the Package Naming Guidelines.
[x]: No %config files under /usr.
[x]: Package does not generate any conflict.
     Note: Package contains no Conflicts: tag(s)
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[!]: Package installs properly.
     Note: Installation errors (see attachment)
[x]: Package is not relocatable.
[x]: Requires correct, justified where necessary.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: Sources used to build the package match the upstream source, as provided
     in the spec URL.
[x]: Spec file is legible and written in American English.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: Package contains systemd file(s) if in need.
[x]: File names are valid UTF-8.

===== SHOULD items =====

Generic:
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
     Note: Unless packager wants to package for EPEL5 this is fine
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
     Note: Clean would be needed if support for EPEL5 is required
[x]: If the source package does not include license text(s) as a separate file
     from upstream, the packager SHOULD query upstream to include it.
[x]: Each %files section contains %defattr if rpm < 4.4
     Note: %defattr macros not found. They would be needed for EPEL5
[x]: Dist tag is present.
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Final provides and requires are sane (rpm -q --provides and rpm -q
     --requires).
[-]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Scriptlets must be sane, if used.
[x]: SourceX tarball generation or download is documented.
[x]: SourceX / PatchY prefixed with %{name}.
[x]: SourceX is a working URL.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[-]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed files.
[x]: Spec use %global instead of %define.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[!]: Spec file according to URL is the same as in SRPM.
     Note: Spec file as given by url is not the same as in SRPM (see attached
     diff).

Issues:
=======
[!]: Package installs properly.
     Note: Installation errors (see attachment)
See: https://fedoraproject.org/wiki/Packaging:Guidelines

Installation errors
-------------------
INFO: mock.py version 1.1.23 starting...
Start: init plugins
INFO: selinux enabled
Finish: init plugins
Start: run
Mock Version: 1.1.23
INFO: Mock Version: 1.1.23
Start: lock buildroot
INFO: installing package(s): /home/misc/checkout/git/FedoraReview/844013-openshift-origin-broker/results/openshift-origin-broker-0.6.7-7.fc17.noarch.rpm
ERROR: Command failed: 
 # ['/usr/bin/yum', '--installroot', '/var/lib/mock/fedora-17-x86_64/root/', 'install', '/home/misc/checkout/git/FedoraReview/844013-openshift-origin-broker/results/openshift-origin-broker-0.6.7-7.fc17.noarch.rpm', '--setopt=tsflags=nocontexts']
Erreur : Paquet : openshift-origin-broker-0.6.7-7.fc17.noarch (/openshift-origin-broker-0.6.7-7.fc17.noarch)
             Requiert : rubygem(multimap)
Erreur : Paquet : openshift-origin-broker-0.6.7-7.fc17.noarch (/openshift-origin-broker-0.6.7-7.fc17.noarch)
             Requiert : rubygem(passenger)
Erreur : Paquet : openshift-origin-broker-0.6.7-7.fc17.noarch (/openshift-origin-broker-0.6.7-7.fc17.noarch)
             Requiert : rubygem(openshift-origin-controller)
Erreur : Paquet : openshift-origin-broker-0.6.7-7.fc17.noarch (/openshift-origin-broker-0.6.7-7.fc17.noarch)
             Requiert : mod_passenger
Erreur : Paquet : openshift-origin-broker-0.6.7-7.fc17.noarch (/openshift-origin-broker-0.6.7-7.fc17.noarch)
             Requiert : rubygem(passenger-native)
 Vous pouvez essayer d'utiliser --skip-broken pour contourner le problème
 Vous pouvez essayer d'exécuter : rpm -Va --nofiles --nodigest

Rpmlint
-------
Checking: openshift-origin-broker-0.6.7-7.fc17.src.rpm
          openshift-origin-broker-0.6.7-7.fc17.noarch.rpm
openshift-origin-broker.noarch: W: only-non-binary-in-usr-lib
openshift-origin-broker.noarch: W: dangling-symlink /var/www/stickshift/broker/httpd/conf/magic /etc/httpd/conf/magic
openshift-origin-broker.noarch: W: cross-directory-hard-link /var/www/stickshift/broker/httpd/logs/error_log /var/www/stickshift/broker/log/development.log
openshift-origin-broker.noarch: W: dangling-symlink /var/www/stickshift/broker/httpd/modules /usr/lib64/httpd/modules
openshift-origin-broker.noarch: W: cross-directory-hard-link /var/www/stickshift/broker/log/production.log /var/www/stickshift/broker/httpd/logs/access_log
2 packages and 0 specfiles checked; 0 errors, 5 warnings.


Rpmlint (installed packages)
----------------------------
Cannot parse rpmlint output:
Diff spec file in url and in SRPM
---------------------------------
--- /home/misc/checkout/git/FedoraReview/844013-openshift-origin-broker/srpm/openshift-origin-broker.spec	2012-08-17 17:01:20.730438830 +0200
+++ /home/misc/checkout/git/FedoraReview/844013-openshift-origin-broker/srpm-unpacked/openshift-origin-broker.spec	2012-08-17 17:01:21.534444878 +0200
@@ -1,4 +1,5 @@
 %global htmldir %{_localstatedir}/www/html
 %global brokerdir %{_localstatedir}/www/stickshift/broker
+%global appdir %{_localstatedir}/lib/stickshift
 
 %if 0%{?fedora} >= 16 || 0%{?rhel} >= 7
@@ -11,5 +12,5 @@
 Name:      openshift-origin-broker
 Version:   0.6.7
-Release:   8%{?dist}
+Release:   7%{?dist}
 License:   ASL 2.0
 URL:       http://openshift.redhat.com
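Review bot: The Release lines disagree: the - side (spec at the URL) has "8%{?dist}" while the + side (spec unpacked from the SRPM, path srpm-unpacked) has "7%{?dist}", so the SRPM that was built and installed for this review is not the posted spec. Rebuild the SRPM from the current spec and post both together, so that every other difference in this diff disappears and the review covers what will actually be imported.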
@@ -59,5 +60,7 @@
 mkdir -p %{buildroot}%{_initddir}
 %endif
+mkdir -p %{buildroot}%{_bindir}
 mkdir -p %{buildroot}%{htmldir}
+mkdir -p %{buildroot}%{brokerdir}
 mkdir -p %{buildroot}%{brokerdir}/httpd/root
 mkdir -p %{buildroot}%{brokerdir}/httpd/run
@@ -70,5 +73,9 @@
 mkdir -p %{buildroot}%{brokerdir}/tmp/sessions
 mkdir -p %{buildroot}%{brokerdir}/tmp/sockets
+mkdir -p %{buildroot}%{appdir}
 mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/stickshift
+mkdir -p %{buildroot}%{_sysconfdir}/oddjobd.conf.d
+mkdir -p %{buildroot}%{_sysconfdir}/dbus-1/system.d
+mkdir -p %{buildroot}%{_bindir}
 mkdir -p %{buildroot}%{_var}/lib/stickshift
 mkdir -p %{buildroot}/usr/share/selinux/packages/%{name}
@@ -78,8 +85,9 @@
 cp -rp . %{buildroot}%{brokerdir}
 %if %{with_systemd}
-cp -p %{SOURCE2} %{buildroot}%{_unitdir}
-cp -p %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
+cp %{SOURCE2} %{buildroot}%{_unitdir}
+cp %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
 %else
-mv %{buildroot}%{brokerdir}/init.d/stickshift-broker %{buildroot}%{_initddir}/%{name}
+mv %{buildroot}%{brokerdir}/init.d/* %{buildroot}%{_initddir}
+mv -f %{buildroot}%{_initddir}/stickshift-broker %{buildroot}%{_initddir}/%{name}
 %endif
 ln -s %{brokerdir}/public %{buildroot}%{htmldir}/broker
@@ -96,5 +104,5 @@
 rm -f %{buildroot}%{brokerdir}/openshift-origin-broker.spec
 rm -rf %{buildroot}%{brokerdir}/init.d
-cp -p %{SOURCE1} %{buildroot}%{brokerdir}/public/favicon.ico
+cp %{SOURCE1} %{buildroot}%{brokerdir}/public/favicon.ico
 chmod 644 %{buildroot}%{brokerdir}/Gemfile
 chmod 644 %{buildroot}%{brokerdir}/config/environments/production.rb
@@ -104,17 +112,10 @@
 
 %post
-%if %{with_systemd}
-%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
-%systemd_post %{name}.service
-%else
-if [ $1 -eq 1 ] ; then 
-    # Initial installation --
-    /bin/systemctl daemon-reload >/dev/null 2>&1 || :
-fi
-%endif
-%endif
+chkconfig %{name} on
 
 #selinux updated
-pushd /usr/share/selinux/packages/%{name}
+systemctl --system daemon-reload
+
+pushd /usr/share/selinux/packages/stickshift-broker
 make -f /usr/share/selinux/devel/Makefile
 popd
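Review bot: In %post on the + side, "chkconfig %{name} on" enables the service at install time, and "systemctl --system daemon-reload" runs on every transaction with neither the "$1 -eq 1" test nor the "|| :" guard that the - side has. Keep the - side's %systemd_post / guarded daemon-reload form so installing the package does not switch on a network-facing service and a failing systemctl cannot fail the scriptlet. The + side also does pushd into /usr/share/selinux/packages/stickshift-broker, while the context lines create and own /usr/share/selinux/packages/%{name}; the %{name} path on the - side is the one that matches.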
@@ -129,5 +130,5 @@
 fcontext -a -t httpd_log_t '%{brokerdir}/log(/.*)?'
 _EOF
-semodule -i /usr/share/selinux/packages/%{name}/stickshift-broker.pp
+semodule -i /usr/share/selinux/packages/stickshift-broker/stickshift-broker.pp -d passenger -i /usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp
 
 /sbin/restorecon -R -v %{brokerdir}/httpd
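Review bot: The + side of the semodule line adds "-d passenger -i /usr/share/selinux/packages/rubygem-passenger/rubygem-passenger.pp", which disables a policy module and installs a replacement for it from this package's %post, changing policy that belongs to another package. Keep the - side's single "semodule -i /usr/share/selinux/packages/%{name}/stickshift-broker.pp" so other passenger applications on the same host keep the policy their own package shipped.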
@@ -135,50 +136,31 @@
 
 %preun
-%if %{with_systemd}
-%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
-%systemd_preun %{name}.service
-%else
-if [ $1 -eq 0 ] ; then
-    # Package removal, not upgrade --
-    /bin/systemctl --no-reload disable %{name}.service > /dev/null 2>&1 || :
-    /bin/systemctl stop %{name}.service > /dev/null 2>&1 || :
-fi
-%endif
-%else
-if [ "$1" -eq 0 ] ; then
+if [ "$1" = 0 ] ; then
   service %{name} stop > /dev/null 2>&1
   chkconfig %{name} off || :
 fi
-%endif
 
 %postun
-if [ "$1" -eq 0 ] ; then
-    # Package uninstall, not upgrade
-  /usr/sbin/semodule -r stickshift-broker
-fi
-%if %{with_systemd}
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
-%systemd_postun_with_restart %{name}.service
-%else
-if [ $1 -ge 1 ] ; then
-    # Package upgrade, not uninstall --
-    /bin/systemctl try-restart %{name}.service >/dev/null 2>&1 || :
-fi
-%endif
-%endif
+/usr/sbin/semodule -e passenger -r stickshift-broker
+/sbin/fixfiles -R rubygem-passenger restore
+/sbin/fixfiles -R mod_passenger restore
 
 %files
 %doc LICENSE COPYRIGHT
 %if %{with_systemd}
-%{_unitdir}/%{name}.service
-%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
+%attr(0644,-,-) %{_unitdir}/%{name}.service
+%attr(0644,-,-) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
 %else
 %{_initddir}/%{name}
 %endif
 /usr/share/selinux/packages/%{name}/
-%attr(0664,-,-) %ghost /usr/share/selinux/packages/%{name}/stickshift-broker.pp
 %{_var}/lib/stickshift
 %config(noreplace) %{_sysconfdir}/httpd/conf.d/000000_stickshift_proxy.conf
+%attr(0664,-,-) %ghost %{brokerdir}/log/production.log
+%attr(0664,-,-) %ghost %{brokerdir}/log/development.log
+%attr(0664,-,-) %ghost %{brokerdir}/httpd/logs/error_log
+%attr(0664,-,-) %ghost %{brokerdir}/httpd/logs/access_log
+
+%defattr(-,apache,apache,-)
 %dir %{brokerdir}
 %{brokerdir}/Gemfile
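Review bot: In %postun on the + side, "/usr/sbin/semodule -e passenger -r stickshift-broker" and the two fixfiles calls are not wrapped in the "$1 -eq 0" test that the - side has, so they also run on upgrade, after the new version's %post has installed the module, and remove it again. Keep the removal inside the uninstall-only branch as on the - side. In the %files part of the same hunk, "%defattr(-,apache,apache,-)" placed before "%dir %{brokerdir}" makes the whole application tree apache-owned; restrict apache ownership to the directories that are written at run time.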
@@ -202,10 +184,6 @@
 %{brokerdir}/doc
 %{brokerdir}/httpd
-%attr(0664,-,-) %ghost %{brokerdir}/httpd/logs/error_log
-%attr(0664,-,-) %ghost %{brokerdir}/httpd/logs/access_log
 %{brokerdir}/lib
 %{brokerdir}/log
-%attr(0664,-,-) %ghost %{brokerdir}/log/production.log
-%attr(0664,-,-) %ghost %{brokerdir}/log/development.log
 %{brokerdir}/public
 %{brokerdir}/run
@@ -217,11 +195,4 @@
 
 %changelog
-* Thu Aug 16 2012 Troy Dawson <tdawson@redhat.com> 0.6.7-8
-- Remove apache ownership of the directories and files
-- removed instances where we messed with passenger selinux stuff
-- cleaned up alot of spec stuff
-- added stickshift-broker.pp as a ghost file
-- Used official systemd scripts/templates for post,preun,postun
-
 * Wed Aug 15 2012 Troy Dawson <tdawson@redhat.com> 0.6.7-7
 - Removed "/sbin/restorecon -R -v /var/run" we have no files there
Requires
--------
openshift-origin-broker-0.6.7-7.fc17.noarch.rpm (rpmlib, GLIBC filtered):
    
    /bin/bash  
    /bin/sh  
    /usr/bin/env  
    config(openshift-origin-broker) = 0.6.7-7.fc17
    httpd  
    mod_passenger  
    mod_ssl  
    mongodb-server  
    policycoreutils-python  
    rubygem(bson_ext)  
    rubygem(json)  
    rubygem(multimap)  
    rubygem(open4)  
    rubygem(openshift-origin-controller)  
    rubygem(parseconfig)  
    rubygem(passenger)  
    rubygem(passenger-native)  
    rubygem(rack)  
    rubygem(rails)  
    rubygem(rest-client)  
    rubygem(xml-simple)  
    selinux-policy-targeted  
    systemd-units  

Provides
--------
openshift-origin-broker-0.6.7-7.fc17.noarch.rpm:
    
    config(openshift-origin-broker) = 0.6.7-7.fc17
    openshift-origin-broker = 0.6.7-7.fc17

MD5-sum check
-------------
http://mirror.openshift.com/pub/openshift-origin/source/openshift-origin-broker/openshift-origin-broker-0.6.7.tar.gz :
  CHECKSUM(SHA256) this package     : d5e894e1dc84b26e577d7fdacd5a90c72bb5c226fb92e90943bdbcb445a44d03
  CHECKSUM(SHA256) upstream package : d5e894e1dc84b26e577d7fdacd5a90c72bb5c226fb92e90943bdbcb445a44d03


Generated by fedora-review 0.2.0 (a5c4ced) last change: 2012-07-22
Command line :./try-fedora-review -b 844013
External plugins:
Comment 14 Troy Dawson 2012-08-17 12:09:08 EDT
Spec URL: http://tdawson.fedorapeople.org/openshift-origin/openshift-origin-broker.spec
SRPM URL: http://tdawson.fedorapeople.org/openshift-origin/openshift-origin-broker-0.6.7-9.fc19.src.rpm

- ghost permissions - changed to 644
-- originally they were 666, in the original spec file.  rpmlint didn't like that, and neither did I because I didn't want everyone writing to them.  Since I was only thinking of "world" I only changed the one number.  But you are right, there is no reason to have it 664 instead of 644.

- apache owning /log /run /tmp - done
-- I agree with you.  I think I was a little overzealous in removing the apache permissions.  But it looked so much cleaner without them. :)
Comment 15 Michael Scherer 2012-09-11 17:22:11 EDT
Since mod_passenger is in, this one can be approved.
Comment 16 Troy Dawson 2012-09-11 18:11:19 EDT
New Package SCM Request
=======================
Package Name: openshift-origin-broker
Short Description: OpenShift Origin broker components
Owners: tdawson maxamillion brenton
Branches: f17 f18
InitialCC:
Comment 17 Jon Ciesla 2012-09-11 19:24:41 EDT
Git done (by process-git-requests).
Comment 18 Fedora Update System 2012-09-12 09:26:51 EDT
openshift-origin-broker-0.6.7-9.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/openshift-origin-broker-0.6.7-9.fc18
Comment 19 Fedora Update System 2012-09-12 11:17:53 EDT
openshift-origin-broker-0.6.7-10.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/openshift-origin-broker-0.6.7-10.fc18
Comment 20 Fedora Update System 2012-09-12 15:11:50 EDT
Package openshift-origin-broker-0.6.7-10.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openshift-origin-broker-0.6.7-10.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-13857/openshift-origin-broker-0.6.7-10.fc18
then log in and leave karma (feedback).
Comment 21 Fedora Update System 2012-09-17 18:49:03 EDT
openshift-origin-broker-0.6.7-10.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
