Automatically order resources to not produce runtime failures

[vinzent]

Affected Puppet, Ruby, OS and module versions/distributions

• Module version: 0.5.1-rc0

How to reproduce (e.g Puppet code you use)

          selinux::module { 'puppet_selinux_test_policy':
            content => "policy_module(puppet_selinux_test_policy, 1.0.0)\ngen_tunable(puppet_selinux_test_policy_bool, false)\ntype puppet_selinux_test_policy_t;\ntype puppet_selinux_test_policy_exec_t;\ninit_daemon_domain(puppet_selinux_test_policy_t, puppet_selinux_test_policy_exec_t)\n",
            prefix => '',
            syncversion => undef,
          }
  
          file { '/tmp/test_selinux_fcontext':
            content => 'TEST',
            seltype => 'puppet_selinux_test_policy_exec_t',
          }

          selinux::boolean { 'puppet_selinux_test_policy_bool': }

What are you seeing

puppet tries to manage the boolean and only afterwards it loads the module. Because the module defines the boolean it fails to manage it.

What behaviour did you expect instead

Ordering of resources should be:

(uninstall is not a feature of the module)

Output log

Notice: /Stage[main]/Main/File[/tmp/test_selinux_fcontext]/ensure: defined content as '{md5}033bd94b1168d7e4f0d644c3c95e35bf'
Warning: Failed to set SELinux context unconfined_u:object_r:puppet_selinux_test_policy_exec_t:s0 on /tmp/test_selinux_fcontext
Error: /Stage[main]/Main/Selinux::Boolean[puppet_selinux_test_policy_bool]/Selboolean[puppet_selinux_test_policy_bool]: Could not evaluate: Execution of '/usr/sbin/getsebool puppet_selinux_test_policy_bool' returned 255: Error getting active value for puppet_selinux_test_policy_bool
Notice: /Stage[main]/Main/Selinux::Module[puppet_selinux_test_policy]/File[/usr/share/selinux/puppet_selinux_test_policy.te]/ensure: created
Info: /Stage[main]/Main/Selinux::Module[puppet_selinux_test_policy]/File[/usr/share/selinux/puppet_selinux_test_policy.te]: Scheduling refresh of Exec[/usr/share/selinux/puppet_selinux_test_policy.pp]
Notice: /Stage[main]/Main/Selinux::Module[puppet_selinux_test_policy]/Exec[/usr/share/selinux/puppet_selinux_test_policy.pp]: Triggered 'refresh' from 1 events
Notice: /Stage[main]/Main/Selinux::Module[puppet_selinux_test_policy]/Selmodule[puppet_selinux_test_policy]/ensure: created

[vinzent]

thinking further. ports need to be removed before disabling/removing a selinux module or removing the module will fail.

[vinzent]

I'd like to change to module so resources get ordered.

Please comment !

[rnelson0]

The obvious fix is to including ordering (arrows, meta-params, etc). If it were a class, it could also be required before the define, but since it is not, I think you would have to use a collector to force module defines prior to selboolean defines. That might cause conflicts if someone wants to explicitly create a different order. Would "make sure you order your modules and booleans properly" be good enough instructions, or do you feel the class should enforce some ordering, maybe a $manage_ordering flag or something? That may not fix the issue if someone only uses the defined types, though.

[vinzent]

@rnelson0 I thought about defining Anchors in init.pp like selinux::pre_modules_managed selinux::post_modules_managed to have resources ordered to those noop resources.

I only would order what is managed by the selinux module not selmodule or selbooleanresources directly.

And yes a manage_order param is maybe a good thing altough i don't know

[vinzent]

simplyfied example:

class 'selinux' {
 
  anchor { 'selinux::pre_install': } ->
  anchor { 'selinux::post_install': } ->
  anchor { 'selinux::pre_configure': } ->
  anchor { 'selinux::post_configure': } ->
  anchor { 'selinux::pre_manage_runtime_mode' } ->
  anchor { 'selinux::post_manage_runtime_mode' }

  Anchor['selinux::post_configure'] ->
  anchor { 'selinux::pre_manage_modules': } ->
  anchor { 'selinux::post_manage_modules': } ->
  Anchor['selinux::pre_manage_runtime_mode']
}

define selinux::module {
  Anchor['selinux::pre_manage_modules'] ->
  Selinux::Module[$name] ->
  Anchor['selinux::post_manage_modules'] 
}

define selinux::boolean {
  if $action == 'delete' {
    Anchor['selinux::post_configure'] ->
    Selinux::Module[$name] ->
    Anchor['selinux::pre_manage_modules'] ->
  } else {
    Anchor['selinux::post_manage_modules'] ->
    Selinux::Module[$name] ->
    Anchor['selinux::pre_manage_runtime_mode'] 
  }  
}

[rnelson0]

Those don't necessarily seem like bad ideas, but it looks pretty *complex*. Is it worth that for what could be resolved in this case with some arrows or meta-params (requires/before)?

[vinzent]

I think it adds value because users don't need to think about ordering. My very first error with this module was that I didn't specify relations between the things and it failed.

I even would say the average user should not care about the order of his resources - the module should order its business (resources created by the module itself only).

He should be able to specify in different profiles different modules/booleans/fcontexts without thinking about specifying relations.

[rnelson0]

Maybe at this point it would be best to create a spike and see how it looks. Are you able to do that so we can take a look at the initial results and give some feedback before we commit to anything?

[vinzent]

first version posted as PR. not all could be done because the module just doesn't support to remove some resources (GH-164, GH-165)

[oranenj]

@vinzent, is there still work to be done on this? Looking at the issues list, there doesn't seem to be anything left that blocks 1.0.0 that couldn't be deferred. Maybe a release candidate?

A final review of the APIs before declaring them stable might be useful, but otherwise all issues should be at least somewhat addressed.

[vinzent]

@oranenj sorry for the delay. yes indeed we could start going forward with releasing 1.0 I think.

[vinzent]

this was addressed by the last few PR with the new types and Puppet 4 only code.