
@ehelms (Member) commented Dec 10, 2020

This is similar in nature to #299 and #271 in its goal. I have attempted to create individual commits that paint the picture of items that can be removed, or adjusted. The landing place for this configuration is:

  • this module will deploy Pulpcore, optionally with mirror configured to true
  • this module will deploy Qpid routers when Pulpcore is configured as a mirror on EL7 only
  • puppet-katello will continue to handle deploying Pulp 2 for the interim katello-agent support

This does require some ecosystem changes to go in first:

@ehelms (Member Author) commented Dec 17, 2020

Here is a layout of scenarios and how they will be handled:

EL8: Fresh install, no upgrade handling needed, this will install Pulpcore or Pulpcore in mirror mode

EL7:

New Install: Will deploy Pulpcore or Pulpcore in mirror mode along with Qpid bits to handle katello-agent

Upgrade:

  • Server: Will deploy Pulpcore and leave Pulp running which is handled by puppet-katello, Qpid bits will remain
  • Content proxy: Will deploy Pulpcore in mirror mode and leave Pulp running, users will need to perform a forced re-sync of the content proxy to populate Pulpcore. A foreman-maintain command will be available to shutdown services, remove RPMs and clean up data from Pulp 2. A similar command will be needed on the main server to clean it up.

@wbclark (Contributor) commented Jan 4, 2021

I tested a new install on EL7 using forklift with this PR ('checkout' merge strategy) and found that in fact Pulp 2 was still installed:

# hammer ping
database:         
    Status:          ok
    Server Response: Duration: 0ms
candlepin:        
    Status:          ok
    Server Response: Duration: 40ms
candlepin_events: 
    Status:          ok
    message:         0 Processed, 0 Failed
    Server Response: Duration: 0ms
candlepin_auth:   
    Status:          ok
    Server Response: Duration: 24ms
katello_events:   
    Status:          ok
    message:         0 Processed, 0 Failed
    Server Response: Duration: 0ms
pulp:             
    Status:          ok
    Server Response: Duration: 136ms
pulp_auth:        
    Status:          ok
    Server Response: Duration: 44ms
pulp3:            
    Status:          ok
    Server Response: Duration: 49ms
foreman_tasks:    
    Status:          ok
    Server Response: Duration: 2ms

# systemctl status pulp_workers
● pulp_workers.service - Pulp Celery Workers
   Loaded: loaded (/usr/lib/systemd/system/pulp_workers.service; enabled; vendor preset: disabled)
   Active: active (exited) since Mon 2021-01-04 21:52:50 UTC; 33min ago
 Main PID: 13144 (code=exited, status=0/SUCCESS)
    Tasks: 0
   CGroup: /system.slice/pulp_workers.service

Jan 04 21:52:49 centos7-katello-nightly.mercury.example.com systemd[1]: Starting Pulp Celery Workers...
Jan 04 21:52:50 centos7-katello-nightly.mercury.example.com systemd[1]: Started Pulp Celery Workers.

# cat /etc/httpd/conf.d/pulp_content.conf 
WSGISocketPrefix run/wsgi
WSGIProcessGroup pulp-content
WSGIApplicationGroup pulp-content
WSGIScriptAlias /pulp2/content /usr/share/pulp/wsgi/content.wsgi
WSGIDaemonProcess pulp-content user=apache group=apache processes=3 display-name=%{GROUP}
WSGIImportScript /usr/share/pulp/wsgi/content.wsgi process-group=pulp-content application-group=pulp-content

<Files content.wsgi>
    WSGIPassAuthorization On
    WSGIProcessGroup pulp-content
    WSGIApplicationGroup pulp-content
    SSLRenegBufferSize  1048576
    SSLVerifyDepth 9
    SSLOptions +StdEnvVars +ExportCertData
    SSLVerifyClient require
</Files>

<Location /pulp2/content/>
    XSendFile on
    XSendFilePath /var/lib/pulp/content
    XSendFilePath /var/lib/pulp/published
</Location>

Is anything else required in order to properly test?

P.S. relevant configuration in forklift/roles/foreman_installer/defaults/main.yml is below:

# Comma-separated list of "organization/module/pr_number", e.g. "katello/foreman_proxy_content/37,katello/certs/34"
foreman_installer_module_prs: ["katello/foreman_proxy_content/306"]
# Another option is checkout which can be useful if you're not based on master
foreman_installer_module_prs_strategy: "checkout"

And I did validate that the changes to puppet-FPC were reflected on the provisioned box in /usr/share/foreman-installer/modules/foreman_proxy_content

@wbclark (Contributor) commented Jan 5, 2021

> Server: Will deploy Pulpcore and leave Pulp running which is handled by puppet-katello, Qpid bits will remain

Right, of course.

@wbclark (Contributor) commented Jan 5, 2021

When I install a content proxy with this PR, I'm getting an AVC denial here:

[root@centos7-foreman-proxy-nightly ~]# systemctl status postgresql
● postgresql.service - PostgreSQL database server
   Loaded: loaded (/etc/systemd/system/postgresql.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2021-01-05 19:42:00 UTC; 4min 27s ago
  Process: 31928 ExecStart=/bin/sh -c source scl_source enable rh-postgresql12 ; exec postmaster -D ${PGDATA} (code=exited, status=2)
  Process: 31926 ExecStartPre=/opt/rh/rh-postgresql12/root/usr/libexec/postgresql-check-db-dir %N (code=exited, status=0/SUCCESS)
 Main PID: 31928 (code=exited, status=2)

Jan 05 19:42:00 centos7-foreman-proxy-nightly.mercury.example.com systemd[1]: Starting PostgreSQL database server...
Jan 05 19:42:00 centos7-foreman-proxy-nightly.mercury.example.com systemd[1]: postgresql.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 05 19:42:00 centos7-foreman-proxy-nightly.mercury.example.com systemd[1]: Failed to start PostgreSQL database server.
Jan 05 19:42:00 centos7-foreman-proxy-nightly.mercury.example.com systemd[1]: Unit postgresql.service entered failed state.
Jan 05 19:42:00 centos7-foreman-proxy-nightly.mercury.example.com systemd[1]: postgresql.service failed.
[root@centos7-foreman-proxy-nightly ~]# grep -i avc /var/log/audit/audit.log  | grep postgres
type=AVC msg=audit(1609862840.692:2247): avc:  denied  { getattr } for  pid=9071 comm="postmaster" path="/var/opt/rh/rh-postgresql12/lib/pgsql/data/postgresql.conf" dev="vda1" ino=33696691 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1609875720.490:2343): avc:  denied  { getattr } for  pid=31928 comm="postmaster" path="/var/opt/rh/rh-postgresql12/lib/pgsql/data/postgresql.conf" dev="vda1" ino=33696691 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
[root@centos7-foreman-proxy-nightly ~]# 
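The AVC records above are the signal that the PostgreSQL data directory under /var/opt carried a generic var_t label instead of the context the policy expects, which is why a relabel fixes it. As an added example, not code from this PR or from the Foreman project, here is a small audit.log triage that parses AVC records in the layout shown above and reports enforced denials whose target file has a generic label (var_t, default_t, unlabeled_t) so they can be checked against matchpathcon and relabelled; the SYSCALL line and the permissive=1 line in the sample are constructed to show what the filter skips.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Matches the audit.log AVC record layout quoted in the comment above.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

@dataclass
class AvcRecord:
    timestamp: float
    result: str             # "denied" or "granted"
    perms: Tuple[str, ...]  # e.g. ("getattr",)
    fields: Dict[str, str]  # pid, comm, path, scontext, tcontext, tclass, permissive, ...

    def ctx_type(self, key: str) -> str:
        return self.fields[key].split(":")[2]  # user:role:type:level -> type

    @property
    def enforced(self) -> bool:
        return self.fields.get("permissive") == "0"  # permissive=1 only logs, never blocks

def parse_avc(line: str) -> Optional[AvcRecord]:
    m = AVC_RE.match(line.strip())
    if not m:
        return None  # not an AVC record (SYSCALL, USER_AVC, ...)
    fields = {k: q or b for k, q, b in KV_RE.findall(m.group("fields"))}
    return AvcRecord(float(m.group("ts")), m.group("result"), tuple(m.group("perms").split()), fields)

# A generic label on a file a confined daemon needs usually means the path lost its context.
GENERIC_TYPES = {"var_t", "default_t", "unlabeled_t"}

def mislabel_suspects(lines: List[str]) -> List[Tuple[str, str, str, Tuple[str, ...]]]:
    """Enforced denials whose target has a generic label: (path, source_type, target_type, perms)."""
    out = []
    for rec in filter(None, map(parse_avc, lines)):
        if rec.result == "denied" and rec.enforced and rec.ctx_type("tcontext") in GENERIC_TYPES:
            out.append((rec.fields.get("path", ""), rec.ctx_type("scontext"), rec.ctx_type("tcontext"), rec.perms))
    return out

# Sample input: the two AVC lines quoted above plus two constructed records the triage must skip.
SAMPLE_LINES = [
    'type=AVC msg=audit(1609862840.692:2247): avc:  denied  { getattr } for  pid=9071 comm="postmaster" path="/var/opt/rh/rh-postgresql12/lib/pgsql/data/postgresql.conf" dev="vda1" ino=33696691 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1609862840.692:2247): arch=c000003e syscall=4 success=no exit=-13',
    'type=AVC msg=audit(1609875720.490:2343): avc:  denied  { getattr } for  pid=31928 comm="postmaster" path="/var/opt/rh/rh-postgresql12/lib/pgsql/data/postgresql.conf" dev="vda1" ino=33696691 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1609875800.000:2350): avc:  denied  { read } for  pid=31999 comm="postmaster" path="/var/opt/rh/rh-postgresql12/lib/pgsql/data/pg_hba.conf" dev="vda1" ino=33696700 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1',
]
```

Each reported path can be compared with `matchpathcon <path>` against its current `ls -Z` label; a mismatch is the case that the restorecon run in the next comment resolves.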

@wbclark (Contributor) commented Jan 5, 2021

Installer completes successfully after restorecon -RvF /var/opt/rh/rh-postgresql12/lib/pgsql/

@ekohl (Member) commented Jan 5, 2021

puppetlabs/puppetlabs-postgresql@171a1be should fix that btw. I'll see about nagging people for a release.

@wbclark (Contributor) commented Jan 5, 2021

> puppetlabs/puppetlabs-postgresql@171a1be should fix that btw. I'll see about nagging people for a release.

Great, thanks. It also made me realize we need theforeman/foreman-installer#636

@ehelms ehelms force-pushed the pulpcore-only branch 2 times, most recently from e28edc4 to 46f61f9 Compare January 7, 2021 13:56
@ekohl (Member) left a comment

Looks like I failed to submit my review.

@ekohl (Member) left a comment

I think it should make a declaration of foreman_proxy::plugin::pulp:

class { 'foreman_proxy::plugin::pulp':
  enabled              => false,
  pulpnode_enabled     => false,
  pulpcore_enabled     => true,
  pulpcore_mirror      => $pulpcore_mirror,
  pulpcore_api_url     => $pulpcore_api_url, # TODO: derive this from $pulpcore::apache
  pulpcore_content_url => $pulpcore_content_url, # TODO: derive this too
  require              => Class['pulpcore'],
}

@ekohl (Member) left a comment

Could you open an issue for this and relate the installer migration to it as well?

$apache_https_key = $certs::apache::apache_key
$apache_https_ca = $certs::katello_default_ca_cert
$apache_https_chain = $certs::katello_server_ca_cert
if $enable_docker {
Member:

If we're doing a breaking change, thoughts about renaming this to $enable_container?

Member Author:

I was thinking a similar thing. Given this will require an installer migration alongside it, I thought to do it as an individual follow up change after this all went in.

Member:

My reasoning was that it already required an installer migration anyway. Might as well combine them into one.

@ekohl (Member) commented Jan 13, 2021

> Could you open an issue for this and relate the installer migration to it as well?

I now see there was one, but it wasn't in the subject.

@ekohl ekohl changed the title Pulpcore only Refs #31614: Drop Pulp 2, Pulpcore only Jan 13, 2021
@ekohl (Member) left a comment

Overall I think this looks good. A minor inline comment about tests. Other than that I wonder how we deal with the installed qpid. Do we clean up the installed broker or is that something we leave for other processes?

@ehelms (Member Author) commented Jan 21, 2021

We still need the qpid broker for katello-agent, so we want to leave it be on upgrades.

@ehelms ehelms force-pushed the pulpcore-only branch 4 times, most recently from e6fa176 to 251cef0 Compare January 26, 2021 01:57
@ekohl (Member) left a comment

Please take a look at the pub dir. It probably works, but it feels redundant.

@ehelms (Member Author) commented Jan 27, 2021

Connecting the pieces, this change needs to go in alongside theforeman/foreman-installer#638

@ekohl (Member) left a comment

Small nit: probably good to require pulpcore version 3.0.0 in metadata.json for the include pulpcore fix.
