Compare commits
1 Commits
| Author | SHA1 | Date |
|---|---|---|
 eabdullin
|
41bc9b41af |
|
|
@ -1,2 +1,2 @@
|
|||
SOURCES/deps-pkgs-10.tar.gz
|
||||
SOURCES/leapp-repository-0.20.0.tar.gz
|
||||
SOURCES/deps-pkgs-9.tar.gz
|
||||
SOURCES/leapp-repository-0.18.0.tar.gz
|
||||
|
|
|
|||
|
|
@ -1,2 +1,2 @@
|
|||
d520ada12294e4dd8837c81f92d4c184ab403d51 SOURCES/deps-pkgs-10.tar.gz
|
||||
185bbb040dba48e1ea2d6c627133af594378afd4 SOURCES/leapp-repository-0.20.0.tar.gz
|
||||
02499ccd70d4a8e6ce9ad29bd286a317d5e0b57b SOURCES/deps-pkgs-9.tar.gz
|
||||
e69a6a7de3073175a4cc529cc47633a06e648a12 SOURCES/leapp-repository-0.18.0.tar.gz
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load Diff
|
|
@ -1,251 +0,0 @@
|
|||
From 921c06892f7550a3a8e2b3fe941c6272bdacf88d Mon Sep 17 00:00:00 2001
|
||||
From: mhecko <mhecko@redhat.com>
|
||||
Date: Thu, 15 Feb 2024 09:56:27 +0100
|
||||
Subject: [PATCH] rhui: do not bootstrap target client on aws
|
||||
|
||||
Bootstrapping target RHUI client now requires installing the entire
|
||||
RHEL8 RPM stack. Threfore, do not try installing target client
|
||||
and instead rely only on the files from our leapp-rhui-aws package.
|
||||
---
|
||||
.../cloud/checkrhui/libraries/checkrhui.py | 6 +-
|
||||
.../libraries/userspacegen.py | 104 ++++++++++++++----
|
||||
.../system_upgrade/common/models/rhuiinfo.py | 7 ++
|
||||
3 files changed, 92 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/repos/system_upgrade/common/actors/cloud/checkrhui/libraries/checkrhui.py b/repos/system_upgrade/common/actors/cloud/checkrhui/libraries/checkrhui.py
|
||||
index 84ab40e3..e1c158c7 100644
|
||||
--- a/repos/system_upgrade/common/actors/cloud/checkrhui/libraries/checkrhui.py
|
||||
+++ b/repos/system_upgrade/common/actors/cloud/checkrhui/libraries/checkrhui.py
|
||||
@@ -142,7 +142,11 @@ def customize_rhui_setup_for_aws(rhui_family, setup_info):
|
||||
|
||||
target_version = version.get_target_major_version()
|
||||
if target_version == '8':
|
||||
- return # The rhel8 plugin is packed into leapp-rhui-aws as we need python2 compatible client
|
||||
+ # RHEL8 rh-amazon-rhui-client depends on amazon-libdnf-plugin that depends
|
||||
+ # essentially on the entire RHEL8 RPM stack, so we cannot just swap the clients
|
||||
+ # The leapp-rhui-aws will provide all necessary files to access entire RHEL8 content
|
||||
+ setup_info.bootstrap_target_client = False
|
||||
+ return
|
||||
|
||||
amazon_plugin_copy_task = CopyFile(src='/usr/lib/python3.9/site-packages/dnf-plugins/amazon-id.py',
|
||||
dst='/usr/lib/python3.6/site-packages/dnf-plugins/')
|
||||
diff --git a/repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py b/repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py
|
||||
index d917bfd5..d60bc75f 100644
|
||||
--- a/repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py
|
||||
+++ b/repos/system_upgrade/common/actors/targetuserspacecreator/libraries/userspacegen.py
|
||||
@@ -853,9 +853,9 @@ def _get_rhui_available_repoids(context, cloud_repo):
|
||||
return set(repoids)
|
||||
|
||||
|
||||
-def get_copy_location_from_copy_in_task(context, copy_task):
|
||||
+def get_copy_location_from_copy_in_task(context_basepath, copy_task):
|
||||
basename = os.path.basename(copy_task.src)
|
||||
- dest_in_container = context.full_path(copy_task.dst)
|
||||
+ dest_in_container = os.path.join(context_basepath, copy_task.dst)
|
||||
if os.path.isdir(dest_in_container):
|
||||
return os.path.join(copy_task.dst, basename)
|
||||
return copy_task.dst
|
||||
@@ -871,7 +871,10 @@ def _get_rh_available_repoids(context, indata):
|
||||
|
||||
# If we are upgrading a RHUI system, check what repositories are provided by the (already installed) target clients
|
||||
if indata and indata.rhui_info:
|
||||
- files_provided_by_clients = _query_rpm_for_pkg_files(context, indata.rhui_info.target_client_pkg_names)
|
||||
+ setup_info = indata.rhui_info.target_client_setup_info
|
||||
+ target_content_access_files = set()
|
||||
+ if setup_info.bootstrap_target_client:
|
||||
+ target_content_access_files = _query_rpm_for_pkg_files(context, indata.rhui_info.target_client_pkg_names)
|
||||
|
||||
def is_repofile(path):
|
||||
return os.path.dirname(path) == '/etc/yum.repos.d' and os.path.basename(path).endswith('.repo')
|
||||
@@ -884,24 +887,33 @@ def _get_rh_available_repoids(context, indata):
|
||||
|
||||
yum_repos_d = context.full_path('/etc/yum.repos.d')
|
||||
all_repofiles = {os.path.join(yum_repos_d, path) for path in os.listdir(yum_repos_d) if path.endswith('.repo')}
|
||||
- client_repofiles = {context.full_path(path) for path in files_provided_by_clients if is_repofile(path)}
|
||||
+ api.current_logger().debug('(RHUI Setup) All available repofiles: {0}'.format(' '.join(all_repofiles)))
|
||||
+
|
||||
+ target_access_repofiles = {
|
||||
+ context.full_path(path) for path in target_content_access_files if is_repofile(path)
|
||||
+ }
|
||||
|
||||
# Exclude repofiles used to setup the target rhui access as on some platforms the repos provided by
|
||||
# the client are not sufficient to install the client into target userspace (GCP)
|
||||
rhui_setup_repofile_tasks = [task for task in setup_tasks if task.src.endswith('repo')]
|
||||
rhui_setup_repofiles = (
|
||||
- get_copy_location_from_copy_in_task(context, copy_task) for copy_task in rhui_setup_repofile_tasks
|
||||
+ get_copy_location_from_copy_in_task(context.base_dir, copy) for copy in rhui_setup_repofile_tasks
|
||||
)
|
||||
rhui_setup_repofiles = {context.full_path(repofile) for repofile in rhui_setup_repofiles}
|
||||
|
||||
- foreign_repofiles = all_repofiles - client_repofiles - rhui_setup_repofiles
|
||||
+ foreign_repofiles = all_repofiles - target_access_repofiles - rhui_setup_repofiles
|
||||
+
|
||||
+ api.current_logger().debug(
|
||||
+ 'The following repofiles are considered as unknown to'
|
||||
+ ' the target RHUI content setup and will be ignored: {0}'.format(' '.join(foreign_repofiles))
|
||||
+ )
|
||||
|
||||
# Rename non-client repofiles so they will not be recognized when running dnf repolist
|
||||
for foreign_repofile in foreign_repofiles:
|
||||
os.rename(foreign_repofile, '{0}.back'.format(foreign_repofile))
|
||||
|
||||
try:
|
||||
- dnf_cmd = ['dnf', 'repolist', '--releasever', target_ver, '-v']
|
||||
+ dnf_cmd = ['dnf', 'repolist', '--releasever', target_ver, '-v', '--enablerepo', '*']
|
||||
repolist_result = context.call(dnf_cmd)['stdout']
|
||||
repoid_lines = [line for line in repolist_result.split('\n') if line.startswith('Repo-id')]
|
||||
rhui_repoids = {extract_repoid_from_line(line) for line in repoid_lines}
|
||||
@@ -919,6 +931,9 @@ def _get_rh_available_repoids(context, indata):
|
||||
for foreign_repofile in foreign_repofiles:
|
||||
os.rename('{0}.back'.format(foreign_repofile), foreign_repofile)
|
||||
|
||||
+ api.current_logger().debug(
|
||||
+ 'The following repofiles are considered as provided by RedHat: {0}'.format(' '.join(rh_repoids))
|
||||
+ )
|
||||
return rh_repoids
|
||||
|
||||
|
||||
@@ -1086,7 +1101,7 @@ def _get_target_userspace():
|
||||
return constants.TARGET_USERSPACE.format(get_target_major_version())
|
||||
|
||||
|
||||
-def _create_target_userspace(context, packages, files, target_repoids):
|
||||
+def _create_target_userspace(context, indata, packages, files, target_repoids):
|
||||
"""Create the target userspace."""
|
||||
target_path = _get_target_userspace()
|
||||
prepare_target_userspace(context, target_path, target_repoids, list(packages))
|
||||
@@ -1096,12 +1111,57 @@ def _create_target_userspace(context, packages, files, target_repoids):
|
||||
_copy_files(target_context, files)
|
||||
dnfplugin.install(_get_target_userspace())
|
||||
|
||||
+ # If we used only repofiles from leapp-rhui-<provider> then remove these as they provide
|
||||
+ # duplicit definitions as the target clients already installed in the target container
|
||||
+ if indata.rhui_info:
|
||||
+ api.current_logger().debug(
|
||||
+ 'Target container should have access to content. '
|
||||
+ 'Removing repofiles from leapp-rhui-<provider> from the target..'
|
||||
+ )
|
||||
+ setup_info = indata.rhui_info.target_client_setup_info
|
||||
+ if not setup_info.bootstrap_target_client:
|
||||
+ target_userspace_path = _get_target_userspace()
|
||||
+ for copy in setup_info.preinstall_tasks.files_to_copy_into_overlay:
|
||||
+ dst_in_container = get_copy_location_from_copy_in_task(target_userspace_path, copy)
|
||||
+ dst_in_container = dst_in_container.strip('/')
|
||||
+ dst_in_host = os.path.join(target_userspace_path, dst_in_container)
|
||||
+ if os.path.isfile(dst_in_host) and dst_in_host.endswith('.repo'):
|
||||
+ api.current_logger().debug('Removing repofile: {0}'.format(dst_in_host))
|
||||
+ os.remove(dst_in_host)
|
||||
+
|
||||
# and do not forget to set the rhsm into the container mode again
|
||||
with mounting.NspawnActions(_get_target_userspace()) as target_context:
|
||||
rhsm.set_container_mode(target_context)
|
||||
|
||||
|
||||
-def install_target_rhui_client_if_needed(context, indata):
|
||||
+def _apply_rhui_access_preinstall_tasks(context, rhui_setup_info):
|
||||
+ if rhui_setup_info.preinstall_tasks:
|
||||
+ api.current_logger().debug('Applying RHUI preinstall tasks.')
|
||||
+ preinstall_tasks = rhui_setup_info.preinstall_tasks
|
||||
+
|
||||
+ for file_to_remove in preinstall_tasks.files_to_remove:
|
||||
+ api.current_logger().debug('Removing {0} from the scratch container.'.format(file_to_remove))
|
||||
+ context.remove(file_to_remove)
|
||||
+
|
||||
+ for copy_info in preinstall_tasks.files_to_copy_into_overlay:
|
||||
+ api.current_logger().debug(
|
||||
+ 'Copying {0} in {1} into the scratch container.'.format(copy_info.src, copy_info.dst)
|
||||
+ )
|
||||
+ context.makedirs(os.path.dirname(copy_info.dst), exists_ok=True)
|
||||
+ context.copy_to(copy_info.src, copy_info.dst)
|
||||
+
|
||||
+
|
||||
+def _apply_rhui_access_postinstall_tasks(context, rhui_setup_info):
|
||||
+ if rhui_setup_info.postinstall_tasks:
|
||||
+ api.current_logger().debug('Applying RHUI postinstall tasks.')
|
||||
+ for copy_info in rhui_setup_info.postinstall_tasks.files_to_copy:
|
||||
+ context.makedirs(os.path.dirname(copy_info.dst), exists_ok=True)
|
||||
+ debug_msg = 'Copying {0} to {1} (inside the scratch container).'
|
||||
+ api.current_logger().debug(debug_msg.format(copy_info.src, copy_info.dst))
|
||||
+ context.call(['cp', copy_info.src, copy_info.dst])
|
||||
+
|
||||
+
|
||||
+def setup_target_rhui_access_if_needed(context, indata):
|
||||
if not indata.rhui_info:
|
||||
return
|
||||
|
||||
@@ -1110,15 +1170,14 @@ def install_target_rhui_client_if_needed(context, indata):
|
||||
_create_target_userspace_directories(userspace_dir)
|
||||
|
||||
setup_info = indata.rhui_info.target_client_setup_info
|
||||
- if setup_info.preinstall_tasks:
|
||||
- preinstall_tasks = setup_info.preinstall_tasks
|
||||
+ _apply_rhui_access_preinstall_tasks(context, setup_info)
|
||||
|
||||
- for file_to_remove in preinstall_tasks.files_to_remove:
|
||||
- context.remove(file_to_remove)
|
||||
-
|
||||
- for copy_info in preinstall_tasks.files_to_copy_into_overlay:
|
||||
- context.makedirs(os.path.dirname(copy_info.dst), exists_ok=True)
|
||||
- context.copy_to(copy_info.src, copy_info.dst)
|
||||
+ if not setup_info.bootstrap_target_client:
|
||||
+ # Installation of the target RHUI client is not possible and we bundle all necessary
|
||||
+ # files into the leapp-rhui-<provider> packages.
|
||||
+ api.current_logger().debug('Bootstrapping target RHUI client is disabled, leapp will rely '
|
||||
+ 'only on files budled in leapp-rhui-<provider> package.')
|
||||
+ return
|
||||
|
||||
cmd = ['dnf', '-y']
|
||||
|
||||
@@ -1149,16 +1208,13 @@ def install_target_rhui_client_if_needed(context, indata):
|
||||
|
||||
context.call(cmd, callback_raw=utils.logging_handler, stdin='\n'.join(dnf_transaction_steps))
|
||||
|
||||
- if setup_info.postinstall_tasks:
|
||||
- for copy_info in setup_info.postinstall_tasks.files_to_copy:
|
||||
- context.makedirs(os.path.dirname(copy_info.dst), exists_ok=True)
|
||||
- context.call(['cp', copy_info.src, copy_info.dst])
|
||||
+ _apply_rhui_access_postinstall_tasks(context, setup_info)
|
||||
|
||||
# Do a cleanup so there are not duplicit repoids
|
||||
files_owned_by_clients = _query_rpm_for_pkg_files(context, indata.rhui_info.target_client_pkg_names)
|
||||
|
||||
for copy_task in setup_info.preinstall_tasks.files_to_copy_into_overlay:
|
||||
- dest = get_copy_location_from_copy_in_task(context, copy_task)
|
||||
+ dest = get_copy_location_from_copy_in_task(context.base_dir, copy_task)
|
||||
can_be_cleaned_up = copy_task.src not in setup_info.files_supporting_client_operation
|
||||
if dest not in files_owned_by_clients and can_be_cleaned_up:
|
||||
context.remove(dest)
|
||||
@@ -1184,10 +1240,10 @@ def perform():
|
||||
target_iso = next(api.consume(TargetOSInstallationImage), None)
|
||||
with mounting.mount_upgrade_iso_to_root_dir(overlay.target, target_iso):
|
||||
|
||||
- install_target_rhui_client_if_needed(context, indata)
|
||||
+ setup_target_rhui_access_if_needed(context, indata)
|
||||
|
||||
target_repoids = _gather_target_repositories(context, indata, prod_cert_path)
|
||||
- _create_target_userspace(context, indata.packages, indata.files, target_repoids)
|
||||
+ _create_target_userspace(context, indata, indata.packages, indata.files, target_repoids)
|
||||
# TODO: this is tmp solution as proper one needs significant refactoring
|
||||
target_repo_facts = repofileutils.get_parsed_repofiles(context)
|
||||
api.produce(TMPTargetRepositoriesFacts(repositories=target_repo_facts))
|
||||
diff --git a/repos/system_upgrade/common/models/rhuiinfo.py b/repos/system_upgrade/common/models/rhuiinfo.py
|
||||
index 3eaa4826..0a2e45af 100644
|
||||
--- a/repos/system_upgrade/common/models/rhuiinfo.py
|
||||
+++ b/repos/system_upgrade/common/models/rhuiinfo.py
|
||||
@@ -36,6 +36,13 @@ class TargetRHUISetupInfo(Model):
|
||||
files_supporting_client_operation = fields.List(fields.String(), default=[])
|
||||
"""A subset of files copied in preinstall tasks that should not be cleaned up."""
|
||||
|
||||
+ bootstrap_target_client = fields.Boolean(default=True)
|
||||
+ """
|
||||
+ Swap the current RHUI client for the target one to facilitate access to the target content.
|
||||
+
|
||||
+ When False, only files from the leapp-rhui-<provider> will be used to access target content.
|
||||
+ """
|
||||
+
|
||||
|
||||
class RHUIInfo(Model):
|
||||
"""
|
||||
--
|
||||
2.43.0
|
||||
|
||||
|
|
@ -0,0 +1,98 @@
|
|||
From 619982896c07aa453a1b48b2bf399e4fe4f723b2 Mon Sep 17 00:00:00 2001
|
||||
From: Jarek Prokop <jprokop@redhat.com>
|
||||
Date: Fri, 21 Apr 2023 17:25:15 +0200
|
||||
Subject: [PATCH 2/5] Add el8toel9 actor to handle directory -> symlink with
|
||||
ruby IRB.
|
||||
|
||||
The `/usr/share/ruby/irb/` directory is a symlink in RHEL 9.
|
||||
|
||||
Simply remove the directory to then let the RPM mechanism create the
|
||||
correct symlink on update.
|
||||
|
||||
Users should not expect to ever retain anything in this directory.
|
||||
---
|
||||
.../actors/registerrubyirbadjustment/actor.py | 22 ++++++++++++++++++
|
||||
.../test_register_ruby_irb_adjustments.py | 11 +++++++++
|
||||
.../el8toel9/tools/handlerubyirbsymlink | 23 +++++++++++++++++++
|
||||
3 files changed, 56 insertions(+)
|
||||
create mode 100644 repos/system_upgrade/el8toel9/actors/registerrubyirbadjustment/actor.py
|
||||
create mode 100644 repos/system_upgrade/el8toel9/actors/registerrubyirbadjustment/tests/test_register_ruby_irb_adjustments.py
|
||||
create mode 100755 repos/system_upgrade/el8toel9/tools/handlerubyirbsymlink
|
||||
|
||||
diff --git a/repos/system_upgrade/el8toel9/actors/registerrubyirbadjustment/actor.py b/repos/system_upgrade/el8toel9/actors/registerrubyirbadjustment/actor.py
|
||||
new file mode 100644
|
||||
index 00000000..ac4d1e6f
|
||||
--- /dev/null
|
||||
+++ b/repos/system_upgrade/el8toel9/actors/registerrubyirbadjustment/actor.py
|
||||
@@ -0,0 +1,22 @@
|
||||
+from leapp.actors import Actor
|
||||
+from leapp.models import DNFWorkaround
|
||||
+from leapp.tags import FactsPhaseTag, IPUWorkflowTag
|
||||
+
|
||||
+
|
||||
+class RegisterRubyIRBAdjustment(Actor):
|
||||
+ """
|
||||
+ Registers a workaround which will adjust the Ruby IRB directories during the upgrade.
|
||||
+ """
|
||||
+
|
||||
+ name = 'register_ruby_irb_adjustment'
|
||||
+ consumes = ()
|
||||
+ produces = (DNFWorkaround,)
|
||||
+ tags = (IPUWorkflowTag, FactsPhaseTag)
|
||||
+
|
||||
+ def process(self):
|
||||
+ self.produce(
|
||||
+ DNFWorkaround(
|
||||
+ display_name='IRB directory fix',
|
||||
+ script_path=self.get_tool_path('handlerubyirbsymlink'),
|
||||
+ )
|
||||
+ )
|
||||
diff --git a/repos/system_upgrade/el8toel9/actors/registerrubyirbadjustment/tests/test_register_ruby_irb_adjustments.py b/repos/system_upgrade/el8toel9/actors/registerrubyirbadjustment/tests/test_register_ruby_irb_adjustments.py
|
||||
new file mode 100644
|
||||
index 00000000..fc341646
|
||||
--- /dev/null
|
||||
+++ b/repos/system_upgrade/el8toel9/actors/registerrubyirbadjustment/tests/test_register_ruby_irb_adjustments.py
|
||||
@@ -0,0 +1,11 @@
|
||||
+import os.path
|
||||
+
|
||||
+from leapp.models import DNFWorkaround
|
||||
+
|
||||
+
|
||||
+def test_register_ruby_irb_adjustments(current_actor_context):
|
||||
+ current_actor_context.run()
|
||||
+ assert len(current_actor_context.consume(DNFWorkaround)) == 1
|
||||
+ assert current_actor_context.consume(DNFWorkaround)[0].display_name == 'IRB directory fix'
|
||||
+ assert os.path.basename(current_actor_context.consume(DNFWorkaround)[0].script_path) == 'handlerubyirbsymlink'
|
||||
+ assert os.path.exists(current_actor_context.consume(DNFWorkaround)[0].script_path)
|
||||
diff --git a/repos/system_upgrade/el8toel9/tools/handlerubyirbsymlink b/repos/system_upgrade/el8toel9/tools/handlerubyirbsymlink
|
||||
new file mode 100755
|
||||
index 00000000..9558dd48
|
||||
--- /dev/null
|
||||
+++ b/repos/system_upgrade/el8toel9/tools/handlerubyirbsymlink
|
||||
@@ -0,0 +1,23 @@
|
||||
+#!/usr/bin/bash -e
|
||||
+
|
||||
+# just in case of hidden files.. not sure why would someone do that, it's more
|
||||
+# like forgotten cache file possibility, but rather do that..
|
||||
+shopt -s dotglob
|
||||
+
|
||||
+handle_dir() {
|
||||
+ # Check that $1 is not already a symlink
|
||||
+ # then remove the directory so that RPM can freely create the
|
||||
+ # symlink.
|
||||
+ if [ "$(readlink "$1")" == "/usr/share/gems/gems/irb-1.3.5" ]; then
|
||||
+ return
|
||||
+ fi
|
||||
+
|
||||
+ # There is no configuration or anything that the user should ever customize
|
||||
+ # and expect to retain.
|
||||
+ rm -rf "$1"
|
||||
+
|
||||
+ return 0
|
||||
+}
|
||||
+
|
||||
+
|
||||
+handle_dir /usr/share/ruby/irb
|
||||
--
|
||||
2.40.1
|
||||
|
||||
|
|
@ -0,0 +1,558 @@
|
|||
From 0c03180b274e9245611a7379a997ac81c726a9e9 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Michal=20He=C4=8Dko?= <michal.sk.com@gmail.com>
|
||||
Date: Wed, 10 May 2023 16:51:49 +0200
|
||||
Subject: [PATCH 3/5] Enable 8>9 upgrades with FIPS enabled (#1053)
|
||||
|
||||
Short story long:
|
||||
==============
|
||||
|
||||
FIPS refers to a set of security standards governing many aspects of how information should be handled by computers and by people. FIPS in context of RHEL typically means FIPS 140, a single document defining rules for the use of encryption and cryptographic services. In essence, it defines requirements for cryptographic modules (e.g. what algorithms can be used, thus preventing the use of insecure ones) manipulating sensitive information.
|
||||
|
||||
From the point of view of upgrades there are 5 components that are certified under FIPS: kernel, OpenSSL, GnuTLS, NSS, and libgcrypt. As for the kernel, fips=1 needs to be present on the cmdline in order to enable FIPS in the kernel. Kernel offers a /proc/sys/crypto/fips_enabled virtual file containing the information about whether the kernel has booted with FIPS enabled.
|
||||
|
||||
According to FIPS, the userspace components need to verify that they were not tampered with, and thus they have to have some sort of checksum either in a special section of a binary, or in a separate file. The components read /proc/sys/crypto/fips_enabled to know when to switch into the FIPS enabled mode. OpenSSL does things a bit differently, by not including support for FIPS directly but via a special fips.so module. Furthermore, for OpenSSL to check whether FIPS is enabled a configuration file must be present at /etc/pki/tls/openssl.cnf, because the code checking for FIPS is a part of configuration parsing.
|
||||
|
||||
As every userspace component has different implementation of FIPS-mode, and a different way for the user to check whether the component believes that the system it is running on has FIPS enabled, there is no straightforward way for us to make really sure that all of the components run in FIPS enabled inside the target userspace container.
|
||||
|
||||
Brief summary of changes in the code:
|
||||
* scanfips: split scanning for fips into a separate actor
|
||||
* checkfips: inhibit the IPU only on 7>8
|
||||
* in case of FIPS for IPU 8 -> 9, copy related files into the target container to be able to generate FIPS compliant initramfs
|
||||
* checkfipsenabled: check for fips in upgrade initramfs (LastTestsPhase); interrupt the upgrade if FIPS is not enabled in the upgrade environment
|
||||
* upgradeinitramfsgenerator: refactor library and tests due to FIPS
|
||||
* create upgrade kernel hmac unconditionallly
|
||||
---------
|
||||
|
||||
Co-authored-by: Michal Hecko <mhecko@redhat.com>
|
||||
---
|
||||
.../libraries/addupgradebootentry.py | 1 +
|
||||
.../tests/unit_test_addupgradebootentry.py | 2 +-
|
||||
.../common/actors/checkfips/actor.py | 50 +++++++++++++------
|
||||
.../actors/checkfips/tests/test_checkfips.py | 23 +++++++++
|
||||
.../initramfs/checkfipsenabled/actor.py | 21 ++++++++
|
||||
.../checkfipsenabled/libraries/check_fips.py | 23 +++++++++
|
||||
.../tests/test_checkfipsenabled.py | 31 ++++++++++++
|
||||
.../upgradeinitramfsgenerator/actor.py | 2 +
|
||||
.../files/generate-initram.sh | 3 ++
|
||||
.../libraries/upgradeinitramfsgenerator.py | 28 ++++++++++-
|
||||
.../unit_test_upgradeinitramfsgenerator.py | 16 +++++-
|
||||
.../libraries/removebootfiles.py | 2 +-
|
||||
.../tests/unit_test_removebootfiles.py | 4 +-
|
||||
.../tests/unit_test_removeupgradebootentry.py | 2 +-
|
||||
.../common/actors/scanfips/actor.py | 28 +++++++++++
|
||||
.../tests/test_scanfips.py} | 13 +++--
|
||||
.../common/models/bootcontent.py | 1 +
|
||||
repos/system_upgrade/common/models/fips.py | 12 +++++
|
||||
18 files changed, 233 insertions(+), 29 deletions(-)
|
||||
create mode 100644 repos/system_upgrade/common/actors/checkfips/tests/test_checkfips.py
|
||||
create mode 100644 repos/system_upgrade/common/actors/initramfs/checkfipsenabled/actor.py
|
||||
create mode 100644 repos/system_upgrade/common/actors/initramfs/checkfipsenabled/libraries/check_fips.py
|
||||
create mode 100644 repos/system_upgrade/common/actors/initramfs/checkfipsenabled/tests/test_checkfipsenabled.py
|
||||
create mode 100644 repos/system_upgrade/common/actors/scanfips/actor.py
|
||||
rename repos/system_upgrade/common/actors/{checkfips/tests/unit_test_checkfips.py => scanfips/tests/test_scanfips.py} (74%)
|
||||
create mode 100644 repos/system_upgrade/common/models/fips.py
|
||||
|
||||
diff --git a/repos/system_upgrade/common/actors/addupgradebootentry/libraries/addupgradebootentry.py b/repos/system_upgrade/common/actors/addupgradebootentry/libraries/addupgradebootentry.py
|
||||
index beddafec..4e1c4204 100644
|
||||
--- a/repos/system_upgrade/common/actors/addupgradebootentry/libraries/addupgradebootentry.py
|
||||
+++ b/repos/system_upgrade/common/actors/addupgradebootentry/libraries/addupgradebootentry.py
|
||||
@@ -88,6 +88,7 @@ def get_boot_file_paths():
|
||||
raise StopActorExecutionError('Could not create a GRUB boot entry for the upgrade initramfs',
|
||||
details={'details': 'Did not receive a message about the leapp-provided'
|
||||
'kernel and initramfs'})
|
||||
+ # Returning information about kernel hmac file path is needless as it is not used when adding boot entry
|
||||
return boot_content.kernel_path, boot_content.initram_path
|
||||
|
||||
|
||||
diff --git a/repos/system_upgrade/common/actors/addupgradebootentry/tests/unit_test_addupgradebootentry.py b/repos/system_upgrade/common/actors/addupgradebootentry/tests/unit_test_addupgradebootentry.py
|
||||
index cc442f8d..ddc37e52 100644
|
||||
--- a/repos/system_upgrade/common/actors/addupgradebootentry/tests/unit_test_addupgradebootentry.py
|
||||
+++ b/repos/system_upgrade/common/actors/addupgradebootentry/tests/unit_test_addupgradebootentry.py
|
||||
@@ -135,7 +135,7 @@ def test_add_boot_entry_configs(monkeypatch):
|
||||
def test_get_boot_file_paths(monkeypatch):
|
||||
# BootContent message available
|
||||
def consume_message_mocked(*models):
|
||||
- yield BootContent(kernel_path='/ghi', initram_path='/jkl')
|
||||
+ yield BootContent(kernel_path='/ghi', initram_path='/jkl', kernel_hmac_path='/path')
|
||||
|
||||
monkeypatch.setattr('leapp.libraries.stdlib.api.consume', consume_message_mocked)
|
||||
|
||||
diff --git a/repos/system_upgrade/common/actors/checkfips/actor.py b/repos/system_upgrade/common/actors/checkfips/actor.py
|
||||
index e76af950..bd09b1b9 100644
|
||||
--- a/repos/system_upgrade/common/actors/checkfips/actor.py
|
||||
+++ b/repos/system_upgrade/common/actors/checkfips/actor.py
|
||||
@@ -1,7 +1,8 @@
|
||||
from leapp import reporting
|
||||
from leapp.actors import Actor
|
||||
from leapp.exceptions import StopActorExecutionError
|
||||
-from leapp.models import KernelCmdline, Report
|
||||
+from leapp.libraries.common.config import version
|
||||
+from leapp.models import DracutModule, FIPSInfo, Report, UpgradeInitramfsTasks
|
||||
from leapp.tags import ChecksPhaseTag, IPUWorkflowTag
|
||||
|
||||
|
||||
@@ -11,25 +12,44 @@ class CheckFips(Actor):
|
||||
"""
|
||||
|
||||
name = 'check_fips'
|
||||
- consumes = (KernelCmdline,)
|
||||
- produces = (Report,)
|
||||
+ consumes = (FIPSInfo,)
|
||||
+ produces = (Report, UpgradeInitramfsTasks)
|
||||
tags = (IPUWorkflowTag, ChecksPhaseTag)
|
||||
|
||||
def process(self):
|
||||
- cmdline = next(self.consume(KernelCmdline), None)
|
||||
- if not cmdline:
|
||||
- raise StopActorExecutionError('Cannot check FIPS state due to missing command line parameters',
|
||||
- details={'Problem': 'Did not receive a message with kernel command '
|
||||
- 'line parameters (KernelCmdline)'})
|
||||
- for parameter in cmdline.parameters:
|
||||
- if parameter.key == 'fips' and parameter.value == '1':
|
||||
- title = 'Cannot upgrade a system with FIPS mode enabled'
|
||||
- summary = 'Leapp has detected that FIPS is enabled on this system. ' \
|
||||
- 'In-place upgrade of systems in FIPS mode is currently unsupported.'
|
||||
+ fips_info = next(self.consume(FIPSInfo), None)
|
||||
+
|
||||
+ if not fips_info:
|
||||
+ raise StopActorExecutionError('Cannot check FIPS state due to not receiving necessary FIPSInfo message',
|
||||
+ details={'Problem': 'Did not receive a message with information about FIPS '
|
||||
+ 'usage'})
|
||||
+
|
||||
+ if version.get_target_major_version() == '8':
|
||||
+ if fips_info.is_enabled:
|
||||
+ title = 'Automated upgrades from RHEL 7 to RHEL 8 in FIPS mode are not supported'
|
||||
+ summary = ('Leapp has detected that FIPS is enabled on this system. '
|
||||
+ 'Automated in-place upgrade of RHEL 7 systems in FIPS mode is currently unsupported '
|
||||
+ 'and manual intervention is required.')
|
||||
+
|
||||
+ fips_7to8_steps_docs_url = 'https://red.ht/planning-upgrade-to-rhel8'
|
||||
+
|
||||
reporting.create_report([
|
||||
reporting.Title(title),
|
||||
reporting.Summary(summary),
|
||||
reporting.Severity(reporting.Severity.HIGH),
|
||||
- reporting.Groups([reporting.Groups.SECURITY]),
|
||||
- reporting.Groups([reporting.Groups.INHIBITOR])
|
||||
+ reporting.Groups([reporting.Groups.SECURITY, reporting.Groups.INHIBITOR]),
|
||||
+ reporting.ExternalLink(url=fips_7to8_steps_docs_url,
|
||||
+ title='Planning an upgrade from RHEL 7 to RHEL 8')
|
||||
])
|
||||
+ else:
|
||||
+ # FIXME(mhecko): We include these files manually as they are not included automatically when the fips
|
||||
+ # module is used due to a bug in dracut. This code should be removed, once the dracut bug is resolved.
|
||||
+ # See https://bugzilla.redhat.com/show_bug.cgi?id=2176560
|
||||
+ if fips_info.is_enabled:
|
||||
+ fips_required_initramfs_files = [
|
||||
+ '/etc/crypto-policies/back-ends/opensslcnf.config',
|
||||
+ '/etc/pki/tls/openssl.cnf',
|
||||
+ '/usr/lib64/ossl-modules/fips.so',
|
||||
+ ]
|
||||
+ self.produce(UpgradeInitramfsTasks(include_files=fips_required_initramfs_files,
|
||||
+ include_dracut_modules=[DracutModule(name='fips')]))
|
||||
diff --git a/repos/system_upgrade/common/actors/checkfips/tests/test_checkfips.py b/repos/system_upgrade/common/actors/checkfips/tests/test_checkfips.py
|
||||
new file mode 100644
|
||||
index 00000000..5498bf23
|
||||
--- /dev/null
|
||||
+++ b/repos/system_upgrade/common/actors/checkfips/tests/test_checkfips.py
|
||||
@@ -0,0 +1,23 @@
|
||||
+import pytest
|
||||
+
|
||||
+from leapp.libraries.common.config import version
|
||||
+from leapp.models import FIPSInfo, Report
|
||||
+from leapp.utils.report import is_inhibitor
|
||||
+
|
||||
+
|
||||
+@pytest.mark.parametrize(('fips_info', 'target_major_version', 'should_inhibit'), [
|
||||
+ (FIPSInfo(is_enabled=True), '8', True),
|
||||
+ (FIPSInfo(is_enabled=True), '9', False),
|
||||
+ (FIPSInfo(is_enabled=False), '8', False),
|
||||
+ (FIPSInfo(is_enabled=False), '9', False),
|
||||
+])
|
||||
+def test_check_fips(monkeypatch, current_actor_context, fips_info, target_major_version, should_inhibit):
|
||||
+ monkeypatch.setattr(version, 'get_target_major_version', lambda: target_major_version)
|
||||
+ current_actor_context.feed(fips_info)
|
||||
+ current_actor_context.run()
|
||||
+ if should_inhibit:
|
||||
+ output = current_actor_context.consume(Report)
|
||||
+ assert len(output) == 1
|
||||
+ assert is_inhibitor(output[0].report)
|
||||
+ else:
|
||||
+ assert not any(is_inhibitor(msg.report) for msg in current_actor_context.consume(Report))
|
||||
diff --git a/repos/system_upgrade/common/actors/initramfs/checkfipsenabled/actor.py b/repos/system_upgrade/common/actors/initramfs/checkfipsenabled/actor.py
|
||||
new file mode 100644
|
||||
index 00000000..ef1930da
|
||||
--- /dev/null
|
||||
+++ b/repos/system_upgrade/common/actors/initramfs/checkfipsenabled/actor.py
|
||||
@@ -0,0 +1,21 @@
|
||||
+from leapp.actors import Actor
|
||||
+from leapp.libraries.actor import check_fips as check_fips_lib
|
||||
+from leapp.models import FIPSInfo
|
||||
+from leapp.tags import IPUWorkflowTag, LateTestsPhaseTag
|
||||
+
|
||||
+
|
||||
+class CheckFIPSCorrectlyEnabled(Actor):
|
||||
+ """
|
||||
+ Sanity check to stop the IPU if the system did not boot into the upgrade initramfs with FIPS settings preserved.
|
||||
+
|
||||
+ The performed check should be unlikely to fail, as it would mean that the upgrade boot entry was created without
|
||||
+ fips=1 on the kernel cmdline.
|
||||
+ """
|
||||
+
|
||||
+ name = 'check_fips_correctly_enabled'
|
||||
+ consumes = (FIPSInfo,)
|
||||
+ produces = ()
|
||||
+ tags = (LateTestsPhaseTag, IPUWorkflowTag)
|
||||
+
|
||||
+ def process(self):
|
||||
+ check_fips_lib.check_fips_state_perserved()
|
||||
diff --git a/repos/system_upgrade/common/actors/initramfs/checkfipsenabled/libraries/check_fips.py b/repos/system_upgrade/common/actors/initramfs/checkfipsenabled/libraries/check_fips.py
|
||||
new file mode 100644
|
||||
index 00000000..ba236619
|
||||
--- /dev/null
|
||||
+++ b/repos/system_upgrade/common/actors/initramfs/checkfipsenabled/libraries/check_fips.py
|
||||
@@ -0,0 +1,23 @@
|
||||
+from leapp.exceptions import StopActorExecutionError
|
||||
+from leapp.libraries.stdlib import api
|
||||
+from leapp.models import FIPSInfo
|
||||
+
|
||||
+
|
||||
+def read_sys_fips_state():
|
||||
+ with open('/proc/sys/crypto/fips_enabled') as fips_status_handle:
|
||||
+ return fips_status_handle.read().strip()
|
||||
+
|
||||
+
|
||||
+def check_fips_state_perserved():
|
||||
+ fips_info = next(api.consume(FIPSInfo), None)
|
||||
+ if not fips_info:
|
||||
+ # Unexpected, FIPSInfo is produced unconditionally
|
||||
+ raise StopActorExecutionError('Cannot check for the correct FIPS state in the upgrade initramfs',
|
||||
+ details={'Problem': 'Did not receive any FIPSInfo message'})
|
||||
+
|
||||
+ if fips_info.is_enabled:
|
||||
+ fips_status = read_sys_fips_state()
|
||||
+ if fips_status != '1':
|
||||
+ details = {'details': ('The system is reporting FIPS as disabled, although it should be enabled'
|
||||
+ ' since it was enabled on the source system.')}
|
||||
+ raise StopActorExecutionError('Failed to enable FIPS in the upgrade initramfs', details=details)
|
||||
diff --git a/repos/system_upgrade/common/actors/initramfs/checkfipsenabled/tests/test_checkfipsenabled.py b/repos/system_upgrade/common/actors/initramfs/checkfipsenabled/tests/test_checkfipsenabled.py
|
||||
new file mode 100644
|
||||
index 00000000..9a396e8a
|
||||
--- /dev/null
|
||||
+++ b/repos/system_upgrade/common/actors/initramfs/checkfipsenabled/tests/test_checkfipsenabled.py
|
||||
@@ -0,0 +1,31 @@
|
||||
+import pytest
|
||||
+
|
||||
+from leapp.exceptions import StopActorExecutionError
|
||||
+from leapp.libraries.actor import check_fips
|
||||
+from leapp.libraries.common.testutils import CurrentActorMocked
|
||||
+from leapp.libraries.stdlib import api
|
||||
+from leapp.models import FIPSInfo
|
||||
+
|
||||
+
|
||||
+@pytest.mark.parametrize(
|
||||
+ ('fips_info', 'sys_fips_enabled_contents', 'should_prevent_ipu'),
|
||||
+ (
|
||||
+ (FIPSInfo(is_enabled=False), '0', False),
|
||||
+ (FIPSInfo(is_enabled=True), '0', True),
|
||||
+ (FIPSInfo(is_enabled=True), '1', False),
|
||||
+ )
|
||||
+)
|
||||
+def test_ipu_prevention_if_fips_not_perserved(monkeypatch,
|
||||
+ fips_info,
|
||||
+ sys_fips_enabled_contents,
|
||||
+ should_prevent_ipu):
|
||||
+
|
||||
+ mocked_actor = CurrentActorMocked(msgs=[fips_info])
|
||||
+ monkeypatch.setattr(check_fips, 'read_sys_fips_state', lambda: sys_fips_enabled_contents)
|
||||
+ monkeypatch.setattr(api, 'current_actor', mocked_actor)
|
||||
+
|
||||
+ if should_prevent_ipu:
|
||||
+ with pytest.raises(StopActorExecutionError):
|
||||
+ check_fips.check_fips_state_perserved()
|
||||
+ else:
|
||||
+ check_fips.check_fips_state_perserved() # unhandled exception with crash the test
|
||||
diff --git a/repos/system_upgrade/common/actors/initramfs/upgradeinitramfsgenerator/actor.py b/repos/system_upgrade/common/actors/initramfs/upgradeinitramfsgenerator/actor.py
|
||||
index dc97172a..2c52e817 100644
|
||||
--- a/repos/system_upgrade/common/actors/initramfs/upgradeinitramfsgenerator/actor.py
|
||||
+++ b/repos/system_upgrade/common/actors/initramfs/upgradeinitramfsgenerator/actor.py
|
||||
@@ -4,6 +4,7 @@ from leapp.models import RequiredUpgradeInitramPackages # deprecated
|
||||
from leapp.models import UpgradeDracutModule # deprecated
|
||||
from leapp.models import (
|
||||
BootContent,
|
||||
+ FIPSInfo,
|
||||
TargetOSInstallationImage,
|
||||
TargetUserSpaceInfo,
|
||||
TargetUserSpaceUpgradeTasks,
|
||||
@@ -27,6 +28,7 @@ class UpgradeInitramfsGenerator(Actor):
|
||||
|
||||
name = 'upgrade_initramfs_generator'
|
||||
consumes = (
|
||||
+ FIPSInfo,
|
||||
RequiredUpgradeInitramPackages, # deprecated
|
||||
TargetOSInstallationImage,
|
||||
TargetUserSpaceInfo,
|
||||
diff --git a/repos/system_upgrade/common/actors/initramfs/upgradeinitramfsgenerator/files/generate-initram.sh b/repos/system_upgrade/common/actors/initramfs/upgradeinitramfsgenerator/files/generate-initram.sh
|
||||
index 104af586..d6934147 100755
|
||||
--- a/repos/system_upgrade/common/actors/initramfs/upgradeinitramfsgenerator/files/generate-initram.sh
|
||||
+++ b/repos/system_upgrade/common/actors/initramfs/upgradeinitramfsgenerator/files/generate-initram.sh
|
||||
@@ -78,6 +78,9 @@ build() {
|
||||
}
|
||||
\cp "/lib/modules/${KERNEL_VERSION}/vmlinuz" "vmlinuz-upgrade.$KERNEL_ARCH"
|
||||
|
||||
+ # Copy out kernel HMAC so that integrity checks can be performed (performed only in FIPS mode)
|
||||
+ \cp "/lib/modules/${KERNEL_VERSION}/.vmlinuz.hmac" ".vmlinuz-upgrade.$KERNEL_ARCH.hmac"
|
||||
+
|
||||
stage "Building initram disk for kernel: $KERNEL_VERSION"
|
||||
\dracut \
|
||||
-vvvv \
|
||||
diff --git a/repos/system_upgrade/common/actors/initramfs/upgradeinitramfsgenerator/libraries/upgradeinitramfsgenerator.py b/repos/system_upgrade/common/actors/initramfs/upgradeinitramfsgenerator/libraries/upgradeinitramfsgenerator.py
|
||||
index f6539b25..2f145217 100644
|
||||
--- a/repos/system_upgrade/common/actors/initramfs/upgradeinitramfsgenerator/libraries/upgradeinitramfsgenerator.py
|
||||
+++ b/repos/system_upgrade/common/actors/initramfs/upgradeinitramfsgenerator/libraries/upgradeinitramfsgenerator.py
|
||||
@@ -180,6 +180,24 @@ def generate_initram_disk(context):
|
||||
copy_boot_files(context)
|
||||
|
||||
|
||||
+def create_upgrade_hmac_from_target_hmac(original_hmac_path, upgrade_hmac_path, upgrade_kernel):
|
||||
+ # Rename the kernel name stored in the HMAC file as the upgrade kernel is named differently and the HMAC file
|
||||
+ # refers to the real target kernel
|
||||
+ with open(original_hmac_path) as original_hmac_file:
|
||||
+ hmac_file_lines = [line for line in original_hmac_file.read().split('\n') if line]
|
||||
+ if len(hmac_file_lines) > 1:
|
||||
+ details = ('Expected the target kernel HMAC file to containing only one HMAC line, '
|
||||
+ 'found {0}'.format(len(hmac_file_lines)))
|
||||
+ raise StopActorExecutionError('Failed to prepare HMAC file for upgrade kernel.',
|
||||
+ details={'details': details})
|
||||
+
|
||||
+ # Keep only non-empty strings after splitting on space
|
||||
+ hmac, dummy_target_kernel_name = [fragment for fragment in hmac_file_lines[0].split(' ') if fragment]
|
||||
+
|
||||
+ with open(upgrade_hmac_path, 'w') as upgrade_kernel_hmac_file:
|
||||
+ upgrade_kernel_hmac_file.write('{hmac} {kernel}\n'.format(hmac=hmac, kernel=upgrade_kernel))
|
||||
+
|
||||
+
|
||||
def copy_boot_files(context):
|
||||
"""
|
||||
Function to copy the generated initram and corresponding kernel to /boot - Additionally produces a BootContent
|
||||
@@ -188,14 +206,22 @@ def copy_boot_files(context):
|
||||
curr_arch = api.current_actor().configuration.architecture
|
||||
kernel = 'vmlinuz-upgrade.{}'.format(curr_arch)
|
||||
initram = 'initramfs-upgrade.{}.img'.format(curr_arch)
|
||||
+
|
||||
+ kernel_hmac = '.{0}.hmac'.format(kernel)
|
||||
+ kernel_hmac_path = os.path.join('/boot', kernel_hmac)
|
||||
+
|
||||
content = BootContent(
|
||||
kernel_path=os.path.join('/boot', kernel),
|
||||
- initram_path=os.path.join('/boot', initram)
|
||||
+ initram_path=os.path.join('/boot', initram),
|
||||
+ kernel_hmac_path=kernel_hmac_path
|
||||
)
|
||||
|
||||
context.copy_from(os.path.join('/artifacts', kernel), content.kernel_path)
|
||||
context.copy_from(os.path.join('/artifacts', initram), content.initram_path)
|
||||
|
||||
+ kernel_hmac_path = context.full_path(os.path.join('/artifacts', kernel_hmac))
|
||||
+ create_upgrade_hmac_from_target_hmac(kernel_hmac_path, content.kernel_hmac_path, kernel)
|
||||
+
|
||||
api.produce(content)
|
||||
|
||||
|
||||
diff --git a/repos/system_upgrade/common/actors/initramfs/upgradeinitramfsgenerator/tests/unit_test_upgradeinitramfsgenerator.py b/repos/system_upgrade/common/actors/initramfs/upgradeinitramfsgenerator/tests/unit_test_upgradeinitramfsgenerator.py
|
||||
index 13939df1..cd9d0546 100644
|
||||
--- a/repos/system_upgrade/common/actors/initramfs/upgradeinitramfsgenerator/tests/unit_test_upgradeinitramfsgenerator.py
|
||||
+++ b/repos/system_upgrade/common/actors/initramfs/upgradeinitramfsgenerator/tests/unit_test_upgradeinitramfsgenerator.py
|
||||
@@ -10,6 +10,7 @@ from leapp.libraries.common.testutils import CurrentActorMocked, logger_mocked,
|
||||
from leapp.utils.deprecation import suppress_deprecation
|
||||
|
||||
from leapp.models import ( # isort:skip
|
||||
+ FIPSInfo,
|
||||
RequiredUpgradeInitramPackages, # deprecated
|
||||
UpgradeDracutModule, # deprecated
|
||||
BootContent,
|
||||
@@ -133,19 +134,32 @@ class MockedLogger(logger_mocked):
|
||||
@pytest.mark.parametrize('arch', architecture.ARCH_SUPPORTED)
|
||||
def test_copy_boot_files(monkeypatch, arch):
|
||||
kernel = 'vmlinuz-upgrade.{}'.format(arch)
|
||||
+ kernel_hmac = '.vmlinuz-upgrade.{}.hmac'.format(arch)
|
||||
initram = 'initramfs-upgrade.{}.img'.format(arch)
|
||||
bootc = BootContent(
|
||||
kernel_path=os.path.join('/boot', kernel),
|
||||
+ kernel_hmac_path=os.path.join('/boot', kernel_hmac),
|
||||
initram_path=os.path.join('/boot', initram)
|
||||
)
|
||||
|
||||
+ context = MockedContext()
|
||||
monkeypatch.setattr(upgradeinitramfsgenerator.api, 'current_actor', CurrentActorMocked(arch=arch))
|
||||
monkeypatch.setattr(upgradeinitramfsgenerator.api, 'produce', produce_mocked())
|
||||
- context = MockedContext()
|
||||
+
|
||||
+ def create_upgrade_hmac_from_target_hmac_mock(original_hmac_path, upgrade_hmac_path, upgrade_kernel):
|
||||
+ hmac_file = '.{}.hmac'.format(upgrade_kernel)
|
||||
+ assert original_hmac_path == os.path.join(context.full_path('/artifacts'), hmac_file)
|
||||
+ assert upgrade_hmac_path == bootc.kernel_hmac_path
|
||||
+
|
||||
+ monkeypatch.setattr(upgradeinitramfsgenerator,
|
||||
+ 'create_upgrade_hmac_from_target_hmac',
|
||||
+ create_upgrade_hmac_from_target_hmac_mock)
|
||||
+
|
||||
upgradeinitramfsgenerator.copy_boot_files(context)
|
||||
assert len(context.called_copy_from) == 2
|
||||
assert (os.path.join('/artifacts', kernel), bootc.kernel_path) in context.called_copy_from
|
||||
assert (os.path.join('/artifacts', initram), bootc.initram_path) in context.called_copy_from
|
||||
+
|
||||
assert upgradeinitramfsgenerator.api.produce.called == 1
|
||||
assert upgradeinitramfsgenerator.api.produce.model_instances[0] == bootc
|
||||
|
||||
diff --git a/repos/system_upgrade/common/actors/removebootfiles/libraries/removebootfiles.py b/repos/system_upgrade/common/actors/removebootfiles/libraries/removebootfiles.py
|
||||
index a0eccbb8..d31af906 100644
|
||||
--- a/repos/system_upgrade/common/actors/removebootfiles/libraries/removebootfiles.py
|
||||
+++ b/repos/system_upgrade/common/actors/removebootfiles/libraries/removebootfiles.py
|
||||
@@ -14,7 +14,7 @@ def remove_boot_files():
|
||||
api.current_logger().warning('Did not receive a message about the leapp-provided kernel and initramfs ->'
|
||||
' Skipping removal of these files.')
|
||||
raise StopActorExecution
|
||||
- for filepath in boot_content.kernel_path, boot_content.initram_path:
|
||||
+ for filepath in boot_content.kernel_path, boot_content.initram_path, boot_content.kernel_hmac_path:
|
||||
remove_file(filepath)
|
||||
|
||||
|
||||
diff --git a/repos/system_upgrade/common/actors/removebootfiles/tests/unit_test_removebootfiles.py b/repos/system_upgrade/common/actors/removebootfiles/tests/unit_test_removebootfiles.py
|
||||
index dab94e89..7e5fbbf0 100644
|
||||
--- a/repos/system_upgrade/common/actors/removebootfiles/tests/unit_test_removebootfiles.py
|
||||
+++ b/repos/system_upgrade/common/actors/removebootfiles/tests/unit_test_removebootfiles.py
|
||||
@@ -20,14 +20,14 @@ class remove_file_mocked(object):
|
||||
def test_remove_boot_files(monkeypatch):
|
||||
# BootContent message available
|
||||
def consume_message_mocked(*models):
|
||||
- yield BootContent(kernel_path='/abc', initram_path='/def')
|
||||
+ yield BootContent(kernel_path='/abc', initram_path='/def', kernel_hmac_path='/ghi')
|
||||
|
||||
monkeypatch.setattr('leapp.libraries.stdlib.api.consume', consume_message_mocked)
|
||||
monkeypatch.setattr(removebootfiles, 'remove_file', remove_file_mocked())
|
||||
|
||||
removebootfiles.remove_boot_files()
|
||||
|
||||
- assert removebootfiles.remove_file.files_to_remove == ['/abc', '/def']
|
||||
+ assert removebootfiles.remove_file.files_to_remove == ['/abc', '/def', '/ghi']
|
||||
|
||||
# No BootContent message available
|
||||
def consume_no_message_mocked(*models):
|
||||
diff --git a/repos/system_upgrade/common/actors/removeupgradebootentry/tests/unit_test_removeupgradebootentry.py b/repos/system_upgrade/common/actors/removeupgradebootentry/tests/unit_test_removeupgradebootentry.py
|
||||
index 1bf48c15..54eec552 100644
|
||||
--- a/repos/system_upgrade/common/actors/removeupgradebootentry/tests/unit_test_removeupgradebootentry.py
|
||||
+++ b/repos/system_upgrade/common/actors/removeupgradebootentry/tests/unit_test_removeupgradebootentry.py
|
||||
@@ -50,7 +50,7 @@ def test_remove_boot_entry(firmware, arch, monkeypatch):
|
||||
def test_get_upgrade_kernel_filepath(monkeypatch):
|
||||
# BootContent message available
|
||||
def consume_message_mocked(*models):
|
||||
- yield BootContent(kernel_path='/abc', initram_path='/def')
|
||||
+ yield BootContent(kernel_path='/abc', initram_path='/def', kernel_hmac_path='/ghi')
|
||||
|
||||
monkeypatch.setattr(api, 'consume', consume_message_mocked)
|
||||
|
||||
diff --git a/repos/system_upgrade/common/actors/scanfips/actor.py b/repos/system_upgrade/common/actors/scanfips/actor.py
|
||||
new file mode 100644
|
||||
index 00000000..f369b796
|
||||
--- /dev/null
|
||||
+++ b/repos/system_upgrade/common/actors/scanfips/actor.py
|
||||
@@ -0,0 +1,28 @@
|
||||
+from leapp.actors import Actor
|
||||
+from leapp.exceptions import StopActorExecutionError
|
||||
+from leapp.models import FIPSInfo, KernelCmdline
|
||||
+from leapp.tags import FactsPhaseTag, IPUWorkflowTag
|
||||
+
|
||||
+
|
||||
+class ScanFIPS(Actor):
|
||||
+ """
|
||||
+ Determine whether the source system has FIPS enabled.
|
||||
+ """
|
||||
+
|
||||
+ name = 'scan_fips'
|
||||
+ consumes = (KernelCmdline,)
|
||||
+ produces = (FIPSInfo,)
|
||||
+ tags = (IPUWorkflowTag, FactsPhaseTag)
|
||||
+
|
||||
+ def process(self):
|
||||
+ cmdline = next(self.consume(KernelCmdline), None)
|
||||
+ if not cmdline:
|
||||
+ raise StopActorExecutionError('Cannot check FIPS state due to missing command line parameters',
|
||||
+ details={'Problem': 'Did not receive a message with kernel command '
|
||||
+ 'line parameters (KernelCmdline)'})
|
||||
+
|
||||
+ for parameter in cmdline.parameters:
|
||||
+ if parameter.key == 'fips' and parameter.value == '1':
|
||||
+ self.produce(FIPSInfo(is_enabled=True))
|
||||
+ return
|
||||
+ self.produce(FIPSInfo(is_enabled=False))
|
||||
diff --git a/repos/system_upgrade/common/actors/checkfips/tests/unit_test_checkfips.py b/repos/system_upgrade/common/actors/scanfips/tests/test_scanfips.py
|
||||
similarity index 74%
|
||||
rename from repos/system_upgrade/common/actors/checkfips/tests/unit_test_checkfips.py
|
||||
rename to repos/system_upgrade/common/actors/scanfips/tests/test_scanfips.py
|
||||
index 7774352e..c5f6ac66 100644
|
||||
--- a/repos/system_upgrade/common/actors/checkfips/tests/unit_test_checkfips.py
|
||||
+++ b/repos/system_upgrade/common/actors/scanfips/tests/test_scanfips.py
|
||||
@@ -1,6 +1,6 @@
|
||||
import pytest
|
||||
|
||||
-from leapp.models import KernelCmdline, KernelCmdlineArg, Report
|
||||
+from leapp.models import FIPSInfo, KernelCmdline, KernelCmdlineArg
|
||||
from leapp.snactor.fixture import current_actor_context
|
||||
|
||||
ballast1 = [KernelCmdlineArg(key=k, value=v) for k, v in [
|
||||
@@ -19,7 +19,7 @@ ballast2 = [KernelCmdlineArg(key=k, value=v) for k, v in [
|
||||
('LANG', 'en_US.UTF-8')]]
|
||||
|
||||
|
||||
-@pytest.mark.parametrize('parameters,expected_report', [
|
||||
+@pytest.mark.parametrize(('parameters', 'should_detect_enabled_fips'), [
|
||||
([], False),
|
||||
([KernelCmdlineArg(key='fips', value='')], False),
|
||||
([KernelCmdlineArg(key='fips', value='0')], False),
|
||||
@@ -27,11 +27,10 @@ ballast2 = [KernelCmdlineArg(key=k, value=v) for k, v in [
|
||||
([KernelCmdlineArg(key='fips', value='11')], False),
|
||||
([KernelCmdlineArg(key='fips', value='yes')], False)
|
||||
])
|
||||
-def test_check_fips(current_actor_context, parameters, expected_report):
|
||||
+def test_check_fips(current_actor_context, parameters, should_detect_enabled_fips):
|
||||
cmdline = KernelCmdline(parameters=ballast1+parameters+ballast2)
|
||||
current_actor_context.feed(cmdline)
|
||||
current_actor_context.run()
|
||||
- if expected_report:
|
||||
- assert current_actor_context.consume(Report)
|
||||
- else:
|
||||
- assert not current_actor_context.consume(Report)
|
||||
+ produced_msgs = current_actor_context.consume(FIPSInfo)
|
||||
+
|
||||
+ assert (FIPSInfo(is_enabled=should_detect_enabled_fips),) == produced_msgs
|
||||
diff --git a/repos/system_upgrade/common/models/bootcontent.py b/repos/system_upgrade/common/models/bootcontent.py
|
||||
index 03efa8f6..edada01e 100644
|
||||
--- a/repos/system_upgrade/common/models/bootcontent.py
|
||||
+++ b/repos/system_upgrade/common/models/bootcontent.py
|
||||
@@ -11,3 +11,4 @@ class BootContent(Model):
|
||||
|
||||
kernel_path = fields.String(help='Filepath of the kernel copied to /boot/ by Leapp.')
|
||||
initram_path = fields.String(help='Filepath of the initramfs copied to /boot/ by Leapp.')
|
||||
+ kernel_hmac_path = fields.String(help='Filepath of the kernel hmac copied to /boot/ by Leapp.')
|
||||
diff --git a/repos/system_upgrade/common/models/fips.py b/repos/system_upgrade/common/models/fips.py
|
||||
new file mode 100644
|
||||
index 00000000..aa9930db
|
||||
--- /dev/null
|
||||
+++ b/repos/system_upgrade/common/models/fips.py
|
||||
@@ -0,0 +1,12 @@
|
||||
+from leapp.models import fields, Model
|
||||
+from leapp.topics import SystemInfoTopic
|
||||
+
|
||||
+
|
||||
+class FIPSInfo(Model):
|
||||
+ """
|
||||
+ Information about whether the source system has FIPS enabled.
|
||||
+ """
|
||||
+ topic = SystemInfoTopic
|
||||
+
|
||||
+ is_enabled = fields.Boolean(default=False)
|
||||
+ """ Is fips enabled on the source system """
|
||||
--
|
||||
2.40.1
|
||||
|
||||
|
|
@ -0,0 +1,259 @@
|
|||
From 24bfcccc59047c43237ce1b0202245314eca7158 Mon Sep 17 00:00:00 2001
|
||||
From: Irina Gulina <igulina@redhat.com>
|
||||
Date: Fri, 5 May 2023 08:43:19 +0200
|
||||
Subject: [PATCH 4/5] Change the upgrade paths for SAP HANA
|
||||
|
||||
- Drop 7.9 to 8.2
|
||||
- Add 7.9 to 8.8, but keep 7.9 to 8.6 as default
|
||||
- Add 8.8 to 9.2
|
||||
- Drop SAP HANA version check for the target releases >=8.8 and >=9.2
|
||||
- Correct actor.py docstring to support ppc64le for 8to9 upgrade (see PR1042)
|
||||
---
|
||||
.../common/actors/checksaphana/actor.py | 11 +++-
|
||||
.../checksaphana/libraries/checksaphana.py | 57 ++++++++++++-------
|
||||
.../checksaphana/tests/test_checksaphana.py | 31 +---------
|
||||
.../common/files/upgrade_paths.json | 7 ++-
|
||||
.../common/libraries/config/version.py | 2 +-
|
||||
5 files changed, 50 insertions(+), 58 deletions(-)
|
||||
|
||||
diff --git a/repos/system_upgrade/common/actors/checksaphana/actor.py b/repos/system_upgrade/common/actors/checksaphana/actor.py
|
||||
index 70e78147..97d00455 100644
|
||||
--- a/repos/system_upgrade/common/actors/checksaphana/actor.py
|
||||
+++ b/repos/system_upgrade/common/actors/checksaphana/actor.py
|
||||
@@ -12,10 +12,15 @@ class CheckSapHana(Actor):
|
||||
If the upgrade flavour is 'default' no checks are being executed.
|
||||
|
||||
The following checks are executed:
|
||||
- - If this system is _NOT_ running on x86_64, the upgrade is inhibited.
|
||||
- - If SAP HANA 1 has been detected on the system the upgrade is inhibited since it is not supported on RHEL8.
|
||||
+ - If the major target release is 8, and this system is _NOT_ running on x86_64, the upgrade is inhibited.
|
||||
+ - If the major target release is 9, and this system is _NOT_ running on x86_64 or ppc64le,
|
||||
+ the upgrade is inhibited.
|
||||
+ - If SAP HANA 1 has been detected on the system the upgrade is inhibited since there is no supported upgrade path
|
||||
+ with installed SAP HANA 1.
|
||||
- If SAP HANA 2 has been detected, the upgrade will be inhibited if an unsupported version for the target release
|
||||
- has been detected.
|
||||
+ has been detected (<8.8, <9.2).
|
||||
+ - If the target release >=8.8 or >=9.2, the upgrade will be inhibited unless a user confirms to proceed
|
||||
+ for the currently installed SAP HANA 2.0 version and the chosen target release.
|
||||
- If SAP HANA is running the upgrade is inhibited.
|
||||
"""
|
||||
|
||||
diff --git a/repos/system_upgrade/common/actors/checksaphana/libraries/checksaphana.py b/repos/system_upgrade/common/actors/checksaphana/libraries/checksaphana.py
|
||||
index 92109997..1b08f3d2 100644
|
||||
--- a/repos/system_upgrade/common/actors/checksaphana/libraries/checksaphana.py
|
||||
+++ b/repos/system_upgrade/common/actors/checksaphana/libraries/checksaphana.py
|
||||
@@ -10,20 +10,36 @@ SAP_HANA_SUPPORTER_ARCHS = {
|
||||
'9': [architecture.ARCH_X86_64, architecture.ARCH_PPC64LE]
|
||||
}
|
||||
|
||||
-# SAP HANA 2.00 rev 54 is the minimal supported revision for both RHEL 7.9 and RHEL 8.2
|
||||
-
|
||||
SAP_HANA_MINIMAL_MAJOR_VERSION = 2
|
||||
-# RHEL 8.2 target requirements
|
||||
-SAP_HANA_RHEL82_REQUIRED_PATCH_LEVELS = ((5, 54, 0),)
|
||||
-SAP_HANA_RHEL82_MINIMAL_VERSION_STRING = 'HANA 2.0 SPS05 rev 54 or later'
|
||||
|
||||
# RHEL 8.6 target requirements
|
||||
SAP_HANA_RHEL86_REQUIRED_PATCH_LEVELS = ((5, 59, 2),)
|
||||
SAP_HANA_RHEL86_MINIMAL_VERSION_STRING = 'HANA 2.0 SPS05 rev 59.02 or later'
|
||||
|
||||
-# RHEL 9 target requirements
|
||||
-SAP_HANA_RHEL9_REQUIRED_PATCH_LEVELS = ((5, 59, 4), (6, 63, 0))
|
||||
-SAP_HANA_RHEL9_MINIMAL_VERSION_STRING = 'HANA 2.0 SPS05 rev 59.04 or later, or SPS06 rev 63 or later'
|
||||
+# RHEL 9.0 target requirements
|
||||
+SAP_HANA_RHEL90_REQUIRED_PATCH_LEVELS = ((5, 59, 4), (6, 63, 0))
|
||||
+SAP_HANA_RHEL90_MINIMAL_VERSION_STRING = 'HANA 2.0 SPS05 rev 59.04 or later, or SPS06 rev 63 or later'
|
||||
+
|
||||
+
|
||||
+def _report_skip_check():
|
||||
+ summary = (
|
||||
+ 'For the target RHEL releases >=8.8 and >=9.2 '
|
||||
+ 'the leapp utility does not check RHEL and SAP HANA 2.0 '
|
||||
+ 'versions compatibility. Please ensure your SAP HANA 2.0 '
|
||||
+ 'is supported on the target RHEL release and '
|
||||
+ 'proceed on your discretion. '
|
||||
+ 'SAP HANA: Supported Operating Systems '
|
||||
+ 'https://launchpad.support.sap.com/#/notes/2235581')
|
||||
+ remedy_hint = 'Ensure your SAP HANA 2.0 is supported on the target release.'
|
||||
+ reporting.create_report([
|
||||
+ reporting.Title('SAP HANA 2.0 version should be checked prior the upgrade'),
|
||||
+ reporting.Summary(summary),
|
||||
+ reporting.Severity(reporting.Severity.MEDIUM),
|
||||
+ reporting.Groups([reporting.Groups.SANITY]),
|
||||
+ reporting.Remediation(hint=remedy_hint),
|
||||
+ reporting.ExternalLink(url='https://launchpad.support.sap.com/#/notes/2235581',
|
||||
+ title='SAP HANA: Supported Operating Systems'),
|
||||
+ ])
|
||||
|
||||
|
||||
def _manifest_get(manifest, key, default_value=None):
|
||||
@@ -45,7 +61,6 @@ def running_check(info):
|
||||
reporting.Severity(reporting.Severity.HIGH),
|
||||
reporting.Groups([reporting.Groups.SANITY]),
|
||||
reporting.Groups([reporting.Groups.INHIBITOR]),
|
||||
- reporting.Audience('sysadmin')
|
||||
])
|
||||
|
||||
|
||||
@@ -72,12 +87,10 @@ def _create_detected_instances_list(details):
|
||||
|
||||
|
||||
def _min_ver_string():
|
||||
- if version.get_target_major_version() == '8':
|
||||
+ if version.matches_target_version('8.6'):
|
||||
ver_str = SAP_HANA_RHEL86_MINIMAL_VERSION_STRING
|
||||
- if version.matches_target_version('8.2'):
|
||||
- ver_str = SAP_HANA_RHEL82_MINIMAL_VERSION_STRING
|
||||
else:
|
||||
- ver_str = SAP_HANA_RHEL9_MINIMAL_VERSION_STRING
|
||||
+ ver_str = SAP_HANA_RHEL90_MINIMAL_VERSION_STRING
|
||||
return ver_str
|
||||
|
||||
|
||||
@@ -89,10 +102,9 @@ def version1_check(info):
|
||||
_add_hana_details(found, instance)
|
||||
|
||||
if found:
|
||||
- min_ver_string = _min_ver_string()
|
||||
detected = _create_detected_instances_list(found)
|
||||
reporting.create_report([
|
||||
- reporting.Title('Found SAP HANA 1 which is not supported with the target version of RHEL'),
|
||||
+ reporting.Title('Found SAP HANA 1.0 which is not supported with the target version of RHEL'),
|
||||
reporting.Summary(
|
||||
('SAP HANA 1.00 is not supported with the version of RHEL you are upgrading to.\n\n'
|
||||
'The following instances have been detected to be version 1.00:\n'
|
||||
@@ -101,12 +113,11 @@ def version1_check(info):
|
||||
reporting.Severity(reporting.Severity.HIGH),
|
||||
reporting.RemediationHint((
|
||||
'In order to upgrade RHEL, you will have to upgrade your SAP HANA 1.0 software to '
|
||||
- '{supported}.'.format(supported=min_ver_string))),
|
||||
+ 'SAP HANA 2.0 supported on the target RHEL release first.')),
|
||||
reporting.ExternalLink(url='https://launchpad.support.sap.com/#/notes/2235581',
|
||||
title='SAP HANA: Supported Operating Systems'),
|
||||
reporting.Groups([reporting.Groups.SANITY]),
|
||||
reporting.Groups([reporting.Groups.INHIBITOR]),
|
||||
- reporting.Audience('sysadmin')
|
||||
])
|
||||
|
||||
|
||||
@@ -160,12 +171,10 @@ def _sp_rev_patchlevel_check(instance, patchlevels):
|
||||
|
||||
def _fullfills_hana_min_version(instance):
|
||||
""" Performs a check whether the version of SAP HANA fulfills the minimal requirements for the target RHEL """
|
||||
- if version.get_target_major_version() == '8':
|
||||
+ if version.matches_target_version('8.6'):
|
||||
patchlevels = SAP_HANA_RHEL86_REQUIRED_PATCH_LEVELS
|
||||
- if version.matches_target_version('8.2'):
|
||||
- patchlevels = SAP_HANA_RHEL82_REQUIRED_PATCH_LEVELS
|
||||
else:
|
||||
- patchlevels = SAP_HANA_RHEL9_REQUIRED_PATCH_LEVELS
|
||||
+ patchlevels = SAP_HANA_RHEL90_REQUIRED_PATCH_LEVELS
|
||||
return _major_version_check(instance) and _sp_rev_patchlevel_check(instance, patchlevels)
|
||||
|
||||
|
||||
@@ -175,6 +184,11 @@ def version2_check(info):
|
||||
for instance in info.instances:
|
||||
if _manifest_get(instance.manifest, 'release', None) == '1.00':
|
||||
continue
|
||||
+ if version.matches_target_version('> 8.6', '< 9.0') or version.matches_target_version('> 9.0'):
|
||||
+ # if a target release is >=8.8 or >=9.2, the SAP HANA and RHEL versions compatibility is not checked
|
||||
+ _report_skip_check()
|
||||
+ return
|
||||
+ # if a starget release is 8.6 or 9.0 we still check SAP HANA and RHEL versions compatibility
|
||||
if not _fullfills_hana_min_version(instance):
|
||||
_add_hana_details(found, instance)
|
||||
|
||||
@@ -196,7 +210,6 @@ def version2_check(info):
|
||||
reporting.Severity(reporting.Severity.HIGH),
|
||||
reporting.Groups([reporting.Groups.SANITY]),
|
||||
reporting.Groups([reporting.Groups.INHIBITOR]),
|
||||
- reporting.Audience('sysadmin')
|
||||
])
|
||||
|
||||
|
||||
diff --git a/repos/system_upgrade/common/actors/checksaphana/tests/test_checksaphana.py b/repos/system_upgrade/common/actors/checksaphana/tests/test_checksaphana.py
|
||||
index 3dc2c192..1417b00a 100644
|
||||
--- a/repos/system_upgrade/common/actors/checksaphana/tests/test_checksaphana.py
|
||||
+++ b/repos/system_upgrade/common/actors/checksaphana/tests/test_checksaphana.py
|
||||
@@ -166,33 +166,6 @@ class MockSAPHanaVersionInstance(object):
|
||||
]
|
||||
|
||||
|
||||
-@pytest.mark.parametrize(
|
||||
- 'major,rev,patchlevel,result', (
|
||||
- (2, 52, 0, True),
|
||||
- (2, 52, 1, True),
|
||||
- (2, 52, 2, True),
|
||||
- (2, 53, 0, True),
|
||||
- (2, 60, 0, True),
|
||||
- (2, 48, 2, True),
|
||||
- (2, 48, 1, False),
|
||||
- (2, 48, 0, False),
|
||||
- (2, 38, 2, False),
|
||||
- (2, 49, 0, True),
|
||||
- )
|
||||
-)
|
||||
-def test_checksaphana__fullfills_rhel82_hana_min_version(monkeypatch, major, rev, patchlevel, result):
|
||||
- monkeypatch.setattr(version, 'get_target_major_version', lambda: '8')
|
||||
- monkeypatch.setattr(version, 'get_target_version', lambda: '8.2')
|
||||
- monkeypatch.setattr(checksaphana, 'SAP_HANA_RHEL82_REQUIRED_PATCH_LEVELS', ((4, 48, 2), (5, 52, 0)))
|
||||
- assert checksaphana._fullfills_hana_min_version(
|
||||
- MockSAPHanaVersionInstance(
|
||||
- major=major,
|
||||
- rev=rev,
|
||||
- patchlevel=patchlevel,
|
||||
- )
|
||||
- ) == result
|
||||
-
|
||||
-
|
||||
@pytest.mark.parametrize(
|
||||
'major,rev,patchlevel,result', (
|
||||
(2, 52, 0, True),
|
||||
@@ -239,10 +212,10 @@ def test_checksaphana__fullfills_rhel86_hana_min_version(monkeypatch, major, rev
|
||||
(2, 64, 0, True),
|
||||
)
|
||||
)
|
||||
-def test_checksaphana__fullfills_hana_rhel9_min_version(monkeypatch, major, rev, patchlevel, result):
|
||||
+def test_checksaphana__fullfills_hana_rhel90_min_version(monkeypatch, major, rev, patchlevel, result):
|
||||
monkeypatch.setattr(version, 'get_target_major_version', lambda: '9')
|
||||
monkeypatch.setattr(version, 'get_target_version', lambda: '9.0')
|
||||
- monkeypatch.setattr(checksaphana, 'SAP_HANA_RHEL9_REQUIRED_PATCH_LEVELS', ((5, 59, 4), (6, 63, 0)))
|
||||
+ monkeypatch.setattr(checksaphana, 'SAP_HANA_RHEL90_REQUIRED_PATCH_LEVELS', ((5, 59, 4), (6, 63, 0)))
|
||||
assert checksaphana._fullfills_hana_min_version(
|
||||
MockSAPHanaVersionInstance(
|
||||
major=major,
|
||||
diff --git a/repos/system_upgrade/common/files/upgrade_paths.json b/repos/system_upgrade/common/files/upgrade_paths.json
|
||||
index 5e3c5d32..5d8b44e9 100644
|
||||
--- a/repos/system_upgrade/common/files/upgrade_paths.json
|
||||
+++ b/repos/system_upgrade/common/files/upgrade_paths.json
|
||||
@@ -7,9 +7,10 @@
|
||||
"8": ["9.2"]
|
||||
},
|
||||
"saphana": {
|
||||
- "7.9": ["8.2", "8.6"],
|
||||
- "7": ["8.2", "8.6"],
|
||||
+ "7.9": ["8.8", "8.6"],
|
||||
+ "7": ["8.8", "8.6"],
|
||||
"8.6": ["9.0"],
|
||||
- "8": ["9.0"]
|
||||
+ "8.8": ["9.2"],
|
||||
+ "8": ["9.2", "9.0"]
|
||||
}
|
||||
}
|
||||
diff --git a/repos/system_upgrade/common/libraries/config/version.py b/repos/system_upgrade/common/libraries/config/version.py
|
||||
index cc5bfca5..6bf6b4da 100644
|
||||
--- a/repos/system_upgrade/common/libraries/config/version.py
|
||||
+++ b/repos/system_upgrade/common/libraries/config/version.py
|
||||
@@ -14,7 +14,7 @@ OP_MAP = {
|
||||
_SUPPORTED_VERSIONS = {
|
||||
# Note: 'rhel-alt' is detected when on 'rhel' with kernel 4.x
|
||||
'7': {'rhel': ['7.9'], 'rhel-alt': [], 'rhel-saphana': ['7.9']},
|
||||
- '8': {'rhel': ['8.6', '8.8'], 'rhel-saphana': ['8.6']},
|
||||
+ '8': {'rhel': ['8.6', '8.8'], 'rhel-saphana': ['8.6', '8.8']},
|
||||
}
|
||||
|
||||
|
||||
--
|
||||
2.40.1
|
||||
|
||||
|
|
@ -0,0 +1,118 @@
|
|||
From 1240116a7989f24f00a06273104f059449516365 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Stodulka <pstodulk@redhat.com>
|
||||
Date: Mon, 5 Jun 2023 16:24:03 +0200
|
||||
Subject: [PATCH] Update the repomap.json file for RHUI Azure
|
||||
|
||||
python repomap_diff.py old_repomap.json new_repomap.json
|
||||
Upg paths are unchanged.
|
||||
Mappings are unchanged.
|
||||
The following repos have been removed:
|
||||
- Repo(pesid='rhel8-AppStream', major_version='8', repoid='rhui-rhel-8-for-x86_64-appstream-rhui-rpms', repo_type='rpm', channel='ga', arch='x86_64', rhui='azure')
|
||||
- Repo(pesid='rhel8-BaseOS', major_version='8', repoid='rhui-rhel-8-for-x86_64-baseos-rhui-rpms', repo_type='rpm', channel='ga', arch='x86_64', rhui='azure')
|
||||
- Repo(pesid='rhel8-CRB', major_version='8', repoid='rhui-codeready-builder-for-rhel-8-x86_64-rhui-rpms', repo_type='rpm', channel='ga', arch='x86_64', rhui='azure')
|
||||
The following repos have been added:
|
||||
- Repo(pesid='rhel8-CRB', major_version='8', repoid='codeready-builder-for-rhel-8-x86_64-rhui-rpms', repo_type='rpm', channel='ga', arch='x86_64', rhui='azure')
|
||||
- Repo(pesid='rhel8-BaseOS', major_version='8', repoid='rhel-8-for-x86_64-baseos-rhui-rpms', repo_type='rpm', channel='ga', arch='x86_64', rhui='azure')
|
||||
- Repo(pesid='rhel8-AppStream', major_version='8', repoid='rhel-8-for-x86_64-appstream-rhui-rpms', repo_type='rpm', channel='ga', arch='x86_64', rhui='azure')
|
||||
---
|
||||
etc/leapp/files/repomap.json | 44 ++++++++++++++++++------------------
|
||||
1 file changed, 22 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/etc/leapp/files/repomap.json b/etc/leapp/files/repomap.json
|
||||
index 88116e2..14b6f0d 100644
|
||||
--- a/etc/leapp/files/repomap.json
|
||||
+++ b/etc/leapp/files/repomap.json
|
||||
@@ -1,5 +1,5 @@
|
||||
{
|
||||
- "datetime": "202303072246Z",
|
||||
+ "datetime": "202306051542Z",
|
||||
"version_format": "1.0.0",
|
||||
"mapping": [
|
||||
{
|
||||
@@ -1409,6 +1409,14 @@
|
||||
"channel": "eus",
|
||||
"repo_type": "rpm"
|
||||
},
|
||||
+ {
|
||||
+ "major_version": "8",
|
||||
+ "repoid": "rhel-8-for-x86_64-baseos-rhui-rpms",
|
||||
+ "arch": "x86_64",
|
||||
+ "channel": "ga",
|
||||
+ "repo_type": "rpm",
|
||||
+ "rhui": "azure"
|
||||
+ },
|
||||
{
|
||||
"major_version": "8",
|
||||
"repoid": "rhel-8-for-x86_64-baseos-rpms",
|
||||
@@ -1432,14 +1440,6 @@
|
||||
"repo_type": "rpm",
|
||||
"rhui": "aws"
|
||||
},
|
||||
- {
|
||||
- "major_version": "8",
|
||||
- "repoid": "rhui-rhel-8-for-x86_64-baseos-rhui-rpms",
|
||||
- "arch": "x86_64",
|
||||
- "channel": "ga",
|
||||
- "repo_type": "rpm",
|
||||
- "rhui": "azure"
|
||||
- },
|
||||
{
|
||||
"major_version": "8",
|
||||
"repoid": "rhui-rhel-8-for-x86_64-baseos-rhui-rpms",
|
||||
@@ -1615,6 +1615,14 @@
|
||||
"channel": "eus",
|
||||
"repo_type": "rpm"
|
||||
},
|
||||
+ {
|
||||
+ "major_version": "8",
|
||||
+ "repoid": "rhel-8-for-x86_64-appstream-rhui-rpms",
|
||||
+ "arch": "x86_64",
|
||||
+ "channel": "ga",
|
||||
+ "repo_type": "rpm",
|
||||
+ "rhui": "azure"
|
||||
+ },
|
||||
{
|
||||
"major_version": "8",
|
||||
"repoid": "rhel-8-for-x86_64-appstream-rpms",
|
||||
@@ -1638,14 +1646,6 @@
|
||||
"repo_type": "rpm",
|
||||
"rhui": "aws"
|
||||
},
|
||||
- {
|
||||
- "major_version": "8",
|
||||
- "repoid": "rhui-rhel-8-for-x86_64-appstream-rhui-rpms",
|
||||
- "arch": "x86_64",
|
||||
- "channel": "ga",
|
||||
- "repo_type": "rpm",
|
||||
- "rhui": "azure"
|
||||
- },
|
||||
{
|
||||
"major_version": "8",
|
||||
"repoid": "rhui-rhel-8-for-x86_64-appstream-rhui-rpms",
|
||||
@@ -1762,18 +1762,18 @@
|
||||
},
|
||||
{
|
||||
"major_version": "8",
|
||||
- "repoid": "codeready-builder-for-rhel-8-x86_64-rpms",
|
||||
+ "repoid": "codeready-builder-for-rhel-8-x86_64-rhui-rpms",
|
||||
"arch": "x86_64",
|
||||
"channel": "ga",
|
||||
- "repo_type": "rpm"
|
||||
+ "repo_type": "rpm",
|
||||
+ "rhui": "azure"
|
||||
},
|
||||
{
|
||||
"major_version": "8",
|
||||
- "repoid": "rhui-codeready-builder-for-rhel-8-x86_64-rhui-rpms",
|
||||
+ "repoid": "codeready-builder-for-rhel-8-x86_64-rpms",
|
||||
"arch": "x86_64",
|
||||
"channel": "ga",
|
||||
- "repo_type": "rpm",
|
||||
- "rhui": "azure"
|
||||
+ "repo_type": "rpm"
|
||||
},
|
||||
{
|
||||
"major_version": "8",
|
||||
--
|
||||
2.40.1
|
||||
|
||||
|
|
@ -2,7 +2,7 @@
|
|||
%global repositorydir %{leapp_datadir}/repositories
|
||||
%global custom_repositorydir %{leapp_datadir}/custom-repositories
|
||||
|
||||
%define leapp_repo_deps 10
|
||||
%define leapp_repo_deps 9
|
||||
|
||||
%if 0%{?rhel} == 7
|
||||
%define leapp_python_sitelib %{python2_sitelib}
|
||||
|
|
@ -41,14 +41,14 @@ py2_byte_compile "%1" "%2"}
|
|||
# RHEL 8+ packages to be consistent with other leapp projects in future.
|
||||
|
||||
Name: leapp-repository
|
||||
Version: 0.20.0
|
||||
Release: 2%{?dist}
|
||||
Version: 0.18.0
|
||||
Release: 1%{?dist}.2.alma
|
||||
Summary: Repositories for leapp
|
||||
|
||||
License: ASL 2.0
|
||||
URL: https://oamg.github.io/leapp/
|
||||
Source0: https://github.com/oamg/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
|
||||
Source1: deps-pkgs-10.tar.gz
|
||||
Source1: deps-pkgs-9.tar.gz
|
||||
|
||||
# NOTE: Our packages must be noarch. Do no drop this in any way.
|
||||
BuildArch: noarch
|
||||
|
|
@ -56,8 +56,18 @@ BuildArch: noarch
|
|||
### PATCHES HERE
|
||||
# Patch0001: filename.patch
|
||||
|
||||
Patch0001: 0001-rhui-do-not-bootstrap-target-client-on-aws.patch
|
||||
# Patches were taken from:
|
||||
# https://gitlab.com/redhat/centos-stream/rpms/leapp-repository/-/raw/65448d3a2a18542fef73ec1d5e6b75b303efe71e/0001-Introduce-leapp-data-in-the-RPM-repository.patch
|
||||
# https://gitlab.com/redhat/centos-stream/rpms/leapp-repository/-/raw/65448d3a2a18542fef73ec1d5e6b75b303efe71e/0002-Add-el8toel9-actor-to-handle-directory-symlink.patch
|
||||
# https://gitlab.com/redhat/centos-stream/rpms/leapp-repository/-/raw/65448d3a2a18542fef73ec1d5e6b75b303efe71e/0003-Enable-8-9-upgrades-with-FIPS-enabled-1053.patch
|
||||
# https://gitlab.com/redhat/centos-stream/rpms/leapp-repository/-/raw/65448d3a2a18542fef73ec1d5e6b75b303efe71e/0004-Change-the-upgrade-paths-for-SAP-HANA.patch
|
||||
# https://gitlab.com/redhat/centos-stream/rpms/leapp-repository/-/raw/65448d3a2a18542fef73ec1d5e6b75b303efe71e/0005-Update-the-repomap.json-file-for-RHUI-Azure.patch
|
||||
|
||||
Patch0001: 0001-Introduce-leapp-data-in-the-RPM-repository.patch
|
||||
Patch0002: 0002-Add-el8toel9-actor-to-handle-directory-symlink.patch
|
||||
Patch0003: 0003-Enable-8-9-upgrades-with-FIPS-enabled-1053.patch
|
||||
Patch0004: 0004-Change-the-upgrade-paths-for-SAP-HANA.patch
|
||||
Patch0005: 0005-Update-the-repomap.json-file-for-RHUI-Azure.patch
|
||||
|
||||
%description
|
||||
%{summary}
|
||||
|
|
@ -102,7 +112,7 @@ Requires: leapp-repository-dependencies = %{leapp_repo_deps}
|
|||
|
||||
# IMPORTANT: this is capability provided by the leapp framework rpm.
|
||||
# Check that 'version' instead of the real framework rpm version.
|
||||
Requires: leapp-framework >= 5.0
|
||||
Requires: leapp-framework >= 3.1
|
||||
|
||||
# Since we provide sub-commands for the leapp utility, we expect the leapp
|
||||
# tool to be installed as well.
|
||||
|
|
@ -151,16 +161,6 @@ Provides: leapp-repository-dependencies = %{leapp_repo_deps}
|
|||
##################################################
|
||||
Requires: dnf >= 4
|
||||
Requires: pciutils
|
||||
|
||||
# required to be able to format disk images with XFS file systems (default)
|
||||
Requires: xfsprogs
|
||||
|
||||
# required to be able to format disk images with Ext4 file systems
|
||||
# NOTE: this is not happening by default, but we can expact that many customers
|
||||
# will want to / need to do this - especially on RHEL 7 now. Adding this deps
|
||||
# as the best trade-off to resolve this problem.
|
||||
Requires: e2fsprogs
|
||||
|
||||
%if 0%{?rhel} && 0%{?rhel} == 7
|
||||
# Required to gather system facts about SELinux
|
||||
Requires: libselinux-python
|
||||
|
|
@ -210,6 +210,10 @@ Requires: python3-gobject-base
|
|||
# APPLY PATCHES HERE
|
||||
# %%patch0001 -p1
|
||||
%patch0001 -p1
|
||||
%patch0002 -p1
|
||||
%patch0003 -p1
|
||||
%patch0004 -p1
|
||||
%patch0005 -p1
|
||||
|
||||
|
||||
%build
|
||||
|
|
@ -287,111 +291,12 @@ done;
|
|||
# no files here
|
||||
|
||||
%changelog
|
||||
* Tue Feb 20 2024 Petr Stodulka <pstodulk@redhat.com> - 0.20.0-2
|
||||
- Fallback to original RHUI solution on AWS to fix issues caused by changes in RHUI client
|
||||
- Resolves: RHEL-16729
|
||||
|
||||
* Tue Feb 13 2024 Toshio Kuratomi <toshio@fedoraproject.org> - 0.20.0-1
|
||||
- Rebase to new upstream v0.20.0.
|
||||
- Fix semanage import issue
|
||||
- Fix handling of libvirt's systemd services
|
||||
- Add a dracut breakpoint for the pre-upgrade step.
|
||||
- Drop obsoleted upgrade paths (obsoleted releases: 8.6, 8.9, 9.0, 9.3)
|
||||
- Resolves: RHEL-16729
|
||||
|
||||
* Tue Jan 23 2024 Toshio Kuratomi <toshio@fedoraproject.org> - 0.19.0-10
|
||||
- Print nice error msg when device and driver deprecation data is malformed
|
||||
- Fix another cornercase when preserving symlinks to certificates in /etc/pki
|
||||
- Update the leapp upgrade data files - fixing upgrades with idm-tomcatjss
|
||||
- Resolves: RHEL-16729
|
||||
|
||||
* Fri Jan 19 2024 Petr Stodulka <pstodulk@redhat.com> - 0.19.0-9
|
||||
- Do not try to download data files anymore when missing as the service
|
||||
is obsoleted since the data is part of installed packages
|
||||
- Update error messages and reports when installed upgrade data files
|
||||
are malformed or missing to instruct user how to resolve it
|
||||
- Update the leapp upgrade data files - bump data stream to "3.0"
|
||||
- Resolves: RHEL-16729
|
||||
|
||||
* Fri Jan 12 2024 Petr Stodulka <pstodulk@redhat.com> - 0.19.0-7
|
||||
- Add detection of possible usage of OpenSSL IBMCA engine on IBM Z machines
|
||||
- Add detection of modified /etc/pki/tls/openssl.cnf file
|
||||
- Update the leapp upgrade data files
|
||||
- Fix handling of symlinks under /etc/pki with relative paths specified
|
||||
- Report custom actors and modifications of the upgrade tooling
|
||||
- Requires xfsprogs and e2fsprogs to ensure that Ext4 and XFS tools are installed
|
||||
- Bump leapp-repository-dependencies to 10
|
||||
- Resolves: RHEL-1774, RHEL-16729
|
||||
|
||||
* Thu Nov 16 2023 Petr Stodulka <pstodulk@redhat.com> - 0.19.0-5
|
||||
- Enable new upgrade path for RHEL 8.10 -> RHEL 9.4 (including RHEL with SAP HANA)
|
||||
- Introduce generic transition of systemd services states during the IPU
|
||||
- Introduce possibility to upgrade with local repositories
|
||||
- Improve possibilities of upgrade when a proxy is configured in DNF configutation file
|
||||
- Fix handling of symlinks under /etc/pki when managing certificates
|
||||
- Fix the upgrade with custom https repositories
|
||||
- Default to the NO_RHSM mode when subscription-manager is not installed
|
||||
- Detect customized configuration of dynamic linker
|
||||
- Drop the invalid `tuv` target channel for the --channel option
|
||||
- Fix the issue of going out of bounds in the isccfg parser
|
||||
- Fix traceback when saving the rhsm facts results and the /etc/rhsm/facts directory doesn’t exist yet
|
||||
- Load all rpm repository substitutions that dnf knows about, not just "releasever" only
|
||||
- Simplify handling of upgrades on systems using RHUI, reducing the maintenance burden for cloud providers
|
||||
- Detect possible unexpected RPM GPG keys has been installed during RPM transaction
|
||||
- Resolves: RHEL-16729
|
||||
|
||||
* Thu Nov 02 2023 Petr Stodulka <pstodulk@redhat.com> - 0.19.0-4
|
||||
- Fix the upgrade for systems without subscription-manager package
|
||||
- Resolves: RHEL-14901
|
||||
|
||||
* Tue Oct 31 2023 Petr Stodulka <pstodulk@redhat.com> - 0.19.0-3
|
||||
- Fix the upgrade when the release is locked by new subscription-manager
|
||||
- Resolves: RHEL-14901
|
||||
|
||||
* Wed Aug 23 2023 Petr Stodulka <pstodulk@redhat.com> - 0.19.0-1
|
||||
- Rebase to v0.19.0
|
||||
- Requires leapp-framework 5.0
|
||||
- Handle correctly the installed certificates to allow upgrades with custom repositories using HTTPs with enabled SSL verification
|
||||
- Fix failing upgrades with devtmpfs file systems specified in FSTAB
|
||||
- Do not try to update GRUB core on IBM Z systems
|
||||
- Minor improvements and fixes of various reports and error messages
|
||||
- Redesign handling of information about kernel (booted and target) to reflect changes in RHEL 9.3
|
||||
- Use new leapp CLI API which provides better report summary output
|
||||
- Resolves: rhbz#2215997, rhbz#2222861, rhbz#2232618
|
||||
|
||||
* Tue Jul 18 2023 Petr Stodulka <pstodulk@redhat.com> - 0.18.0-5
|
||||
- Fix the calculation of the required free space on each partitions/volume for the upgrade transactions
|
||||
- Create source overlay images with dynamic sizes to optimize disk space consumption
|
||||
- Update GRUB2 when /boot resides on multiple devices aggregated in RAID
|
||||
- Use new leapp CLI API which provides better report summary output
|
||||
- Introduce possibility to add (custom) kernel drivers to initramfs
|
||||
- Detect and report use of deprecated Xorg drivers
|
||||
- Fix the generation of the report about hybrid images
|
||||
- Inhibit the upgrade when unsupported x86-64 microarchitecture is detected
|
||||
- Minor improvements and fixes of various reports
|
||||
- Requires leapp-framework 4.0
|
||||
- Update leapp data files
|
||||
- Resolves: rhbz#2140011, rhbz#2144304, rhbz#2174095, rhbz#2215997
|
||||
|
||||
* Mon Jun 19 2023 Petr Stodulka <pstodulk@redhat.com> - 0.18.0-4
|
||||
- Introduce new upgrade path RHEL 8.9 -> 9.3
|
||||
- Update leapp data files to reflect new changes between systems
|
||||
- Detect and report use of deprecated Xorg drivers
|
||||
- Minor improvements of generated reports
|
||||
- Fix false positive report about invalid symlinks
|
||||
- Inhibit the upgrade when unsupported x86-64 microarchitecture is detected
|
||||
- Resolves: rhbz#2215997
|
||||
|
||||
* Mon Jun 05 2023 Petr Stodulka <pstodulk@redhat.com> - 0.18.0-3
|
||||
- Update the repomap.json file to address planned changes on RHUI Azure
|
||||
- Resolves: rhbz#2203800
|
||||
|
||||
* Fri May 19 2023 Petr Stodulka <pstodulk@redhat.com> - 0.18.0-2
|
||||
- Include leap data files in the package
|
||||
- Introduce in-place upgrades for systems with enabled FIPS mode
|
||||
- Enable the upgrade path 8.8 -> 9.2 for RHEL with SAP HANA
|
||||
- Fix the upgrade of ruby-irb package
|
||||
- Resolves: rhbz#2030627, rhbz#2097003, rhbz#2203800, rhbz#2203803
|
||||
* Thu Jul 13 2023 Eduard Abdullin <eabdullin@almalinux.org> - 0.18.0-1.2.alma
|
||||
- Apply 0001-Introduce-leapp-data-in-the-RPM-repository.patch
|
||||
- Apply 0002-Add-el8toel9-actor-to-handle-directory-symlink.patch
|
||||
- Apply 0003-Enable-8-9-upgrades-with-FIPS-enabled-1053.patch
|
||||
- Apply 0004-Change-the-upgrade-paths-for-SAP-HANA.patch
|
||||
- Apply 0005-Update-the-repomap.json-file-for-RHUI-Azure.patch
|
||||
|
||||
* Tue Feb 21 2023 Petr Stodulka <pstodulk@redhat.com> - 0.18.0-1
|
||||
- Rebase to v0.18.0
|
||||
|
|
|
|||
Loading…
Reference in New Issue