diff --git a/0001-Give-root-RW-permissions-to-var-lib-cobbler-web.ss.patch b/0001-Give-root-RW-permissions-to-var-lib-cobbler-web.ss.patch
deleted file mode 100644
index bf55655..0000000
--- a/0001-Give-root-RW-permissions-to-var-lib-cobbler-web.ss.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 782dd7a1deacfcaa4318519f1cae2c0b4748661b Mon Sep 17 00:00:00 2001
-From: Orion Poplawski
-Date: Sun, 25 Oct 2020 11:43:25 -0600
-Subject: [PATCH] Give root RW permissions to /var/lib/cobbler/web.ss
-
----
- cobbler/cobblerd.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/cobbler/cobblerd.py b/cobbler/cobblerd.py
-index fe1cf889..34aedf97 100644
---- a/cobbler/cobblerd.py
-+++ b/cobbler/cobblerd.py
-@@ -57,7 +57,7 @@ def regen_ss_file():
- data = fd.read(512)
- fd.close()
-
-- fd = os.open(ssfile, os.O_CREAT | os.O_RDWR, 0o600)
-+ fd = os.open(ssfile, os.O_CREAT | os.O_RDWR, 0o660)
- os.write(fd, binascii.hexlify(data))
- os.close(fd)
-
---
-2.29.0
-
diff --git a/2441.patch b/2441.patch
deleted file mode 100644
index fb1f0f4..0000000
--- a/2441.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 8c04ef7d81f33900fda1ad3c4efa710827e22064 Mon Sep 17 00:00:00 2001
-From: Orion Poplawski
-Date: Sun, 25 Oct 2020 13:49:25 -0600
-Subject: [PATCH] Do not try to access log file if we are not running as root
-
----
- cobbler/clogger.py | 10 ++--------
- 1 file changed, 2 insertions(+), 8 deletions(-)
-
-diff --git a/cobbler/clogger.py b/cobbler/clogger.py
-index 191455113..635865dc1 100644
---- a/cobbler/clogger.py
-+++ b/cobbler/clogger.py
-@@ -30,14 +30,8 @@
- # Cobbler.
-
- # This is necessary to prevent apache to try to access the file
--LOG_FILE = "/var/log/cobbler/cobbler.log"
--try:
-- if not os.path.isfile(LOG_FILE):
-- open(LOG_FILE, 'a').close()
-- if os.access(LOG_FILE, os.W_OK):
-- logging.config.fileConfig('/etc/cobbler/logging_config.conf')
--except Exception:
-- pass
-+if os.geteuid() == 0:
-+ logging.config.fileConfig('/etc/cobbler/logging_config.conf')
-
-
- class Logger(object):
diff --git a/2590.patch b/2590.patch
deleted file mode 100644
index 5e7221b..0000000
--- a/2590.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From 4b5025e9e30db30d6e264fabeb860a7758d7d7ad Mon Sep 17 00:00:00 2001
-From: Orion Poplawski
-Date: Mon, 8 Mar 2021 22:04:52 -0700
-Subject: [PATCH] autoinstall_templates are installed into
- /var/lib/cobbler/templates
-
----
- cobbler/actions/sync.py | 2 +-
- config/cobbler/settings.yaml | 4 ++--
- docs/cobbler-conf.rst | 4 ++--
- tests/test_data/settings_old | 4 ++--
- 4 files changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/cobbler/actions/sync.py b/cobbler/actions/sync.py
-index 2667edb56..302c81de7 100644
---- a/cobbler/actions/sync.py
-+++ b/cobbler/actions/sync.py
-@@ -179,7 +179,7 @@ def clean_trees(self):
- if x not in self.settings.webdir_whitelist:
- # delete directories that shouldn't exist
- utils.rmtree(path, logger=self.logger)
-- if x in ["autoinstall_templates", "autoinstall_templates_sys", "images", "systems", "distros", "profiles", "repo_profile", "repo_system", "rendered"]:
-+ if x in ["templates", "images", "systems", "distros", "profiles", "repo_profile", "repo_system", "rendered"]:
- # clean out directory contents
- utils.rmtree_contents(path, logger=self.logger)
- #
-diff --git a/config/cobbler/settings.yaml b/config/cobbler/settings.yaml
-index b2e05a7bf..ac8edccbf 100644
---- a/config/cobbler/settings.yaml
-+++ b/config/cobbler/settings.yaml
-@@ -77,7 +77,7 @@ cheetah_import_whitelist:
- createrepo_flags: "-c cache -s sha"
-
- # if no autoinstall template is specified to profile add, use this template
--default_autoinstall: /var/lib/cobbler/autoinstall_templates/default.ks
-+default_autoinstall: /var/lib/cobbler/templates/default.ks
-
- # configure all installed systems to use these nameservers by default
- # unless defined differently in the profile. For DHCP configurations
-@@ -92,7 +92,7 @@ default_ownership:
- - "admin"
-
- # Cobbler has various sample automatic installation templates stored
--# in /var/lib/cobbler/autoinstall_templates/. This controls
-+# in /var/lib/cobbler/templates/. This controls
- # what install (root) password is set up for those
- # systems that reference this variable. The factory
- # default is "cobbler" and Cobbler check will warn if
-diff --git a/docs/cobbler-conf.rst b/docs/cobbler-conf.rst
-index 52621e278..ef65acc0b 100644
---- a/docs/cobbler-conf.rst
-+++ b/docs/cobbler-conf.rst
-@@ -257,7 +257,7 @@ default_autoinstall
-
- If no autoinstall template is specified to profile add, use this template.
-
--default: ``/var/lib/cobbler/autoinstall_templates/default.ks``
-+default: ``/var/lib/cobbler/templates/default.ks``
-
- default_name_*
- ==============
-@@ -284,7 +284,7 @@ default:
- default_password_crypted
- ========================
-
--Cobbler has various sample automatic installation templates stored in ``/var/lib/cobbler/autoinstall_templates/``. This
-+Cobbler has various sample automatic installation templates stored in ``/var/lib/cobbler/templates/``. This
- controls what install (root) password is set up for those systems that reference this variable. The factory default is
- "cobbler" and Cobbler check will warn if this is not changed. The simplest way to change the password is to run
- ``openssl passwd -1`` and put the output between the ``""``.
-diff --git a/tests/test_data/settings_old b/tests/test_data/settings_old
-index acbe8cdc9..1b531d21d 100644
---- a/tests/test_data/settings_old
-+++ b/tests/test_data/settings_old
-@@ -92,7 +92,7 @@ cheetah_import_whitelist:
- createrepo_flags: "-c cache -s sha"
-
- # if no autoinstall template is specified to profile add, use this template
--default_autoinstall: /var/lib/cobbler/autoinstall_templates/default.ks
-+default_autoinstall: /var/lib/cobbler/templates/default.ks
-
- # configure all installed systems to use these nameservers by default
- # unless defined differently in the profile. For DHCP configurations
-@@ -107,7 +107,7 @@ default_ownership:
- - "admin"
-
- # cobbler has various sample automatic installation templates stored
--# in /var/lib/cobbler/autoinstall_templates/. This controls
-+# in /var/lib/cobbler/templates/. This controls
- # what install (root) password is set up for those
- # systems that reference this variable. The factory
- # default is "cobbler" and cobbler check will warn if
diff --git a/3945.patch b/3945.patch
new file mode 100644
index 0000000..e75c349
--- /dev/null
+++ b/3945.patch
@@ -0,0 +1,32 @@
+From 1d83bd29c253ba898ac35683258fec285d5a6529 Mon Sep 17 00:00:00 2001
+From: Orion Poplawski
+Date: Sat, 4 Oct 2025 19:49:26 -0600
+Subject: [PATCH] Use systemctl is-active --quiet to check status of services
+ (fixes #3942)
+
+---
+ changelog.d/3942.fixed | 1 +
+ cobbler/actions/check.py | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+ create mode 100644 changelog.d/3942.fixed
+
+diff --git a/changelog.d/3942.fixed b/changelog.d/3942.fixed
+new file mode 100644
+index 0000000000..444bdb800a
+--- /dev/null
++++ b/changelog.d/3942.fixed
+@@ -0,0 +1 @@
++check: Use systemctl is-active --quiet to check the status of services
+diff --git a/cobbler/actions/check.py b/cobbler/actions/check.py
+index b79706aff1..5f6a3fa3bc 100644
+--- a/cobbler/actions/check.py
++++ b/cobbler/actions/check.py
+@@ -142,7 +142,7 @@ def check_service(self, status, which, notes=""):
+ status.append("service %s is not running%s" % (which, notes))
+ return
+ elif utils.is_systemd():
+- return_code = utils.subprocess_call("systemctl status %s > /dev/null 2>/dev/null" % which,
++ return_code = utils.subprocess_call("systemctl is-active --quiet %s > /dev/null 2>/dev/null" % which,
+ shell=True)
+ if return_code != 0:
+ status.append("service %s is not running%s" % (which, notes))
diff --git a/changelog b/changelog
new file mode 100644
index 0000000..291772a
--- /dev/null
+++ b/changelog
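Review bot: The replacement call in check_service (3945.patch, cobbler/actions/check.py) still formats `which` into a shell string and runs it with `shell=True`, so a service name that is not a fixed literal would be parsed by the shell. With `--quiet` the `> /dev/null 2>/dev/null` redirections are redundant, so the shell can be dropped: `return_code = utils.subprocess_call(["systemctl", "is-active", "--quiet", which], shell=False)`, the list form the Python 3.13 backport on this page already uses for other commands. The callers of check_service are outside this hunk, so whether `which` can ever come from settings is not visible here; the argv form removes the question either way. check_service's body starts and ends outside the hunk.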
@@ -0,0 +1,354 @@
+* Thu Jan 16 2025 Fedora Release Engineering - 3.3.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Sun Jan 05 2025 Orion Poplawski - 3.3.7-2
+- Backport upstream patch for Python 3.13 support (rhbz#2335620)
+
+* Sun Nov 17 2024 Orion Poplawski - 3.3.7-1
+- Update to 3.3.7 (CVE-2024-47533)
+
+* Fri Sep 27 2024 Carl George - 3.3.6-2
+- Fix cheetah dependency rhbz#2314630
+
+* Wed Jul 31 2024 Orion Poplawski - 3.3.6-1
+- Update to 3.3.6
+
+* Thu Jul 25 2024 Miroslav Suchý - 3.3.5-3
+- convert license to SPDX
+
+* Wed Jul 17 2024 Fedora Release Engineering - 3.3.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Fri Jul 12 2024 Orion Poplawski - 3.3.5-1
+- Update to 3.3.5
+
+* Fri Jun 07 2024 Python Maint - 3.3.4-5
+- Rebuilt for Python 3.13
+
+* Fri Jun 07 2024 Python Maint - 3.3.4-4
+- Rebuilt for Python 3.13
+
+* Sat Apr 27 2024 Orion Poplawski - 3.3.4-3
+- Fix service name in selinux post install script
+
+* Fri Apr 26 2024 Orion Poplawski - 3.3.4-2
+- Test for existence of web.ss before chowning it (bz#2276860)
+
+* Mon Feb 26 2024 Orion Poplawski - 3.3.4-1
+- Update to 3.3.4
+- Add local SELinux policy and allow cobbler to check service statuses,
+ run mkfs.fat, and check for reposync and yumdownloader (bz#2251220)
+- Change owndership of web.ss to root (bz#2247653)
+
+* Wed Jan 24 2024 Fedora Release Engineering - 3.3.3-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering - 3.3.3-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Wed Jul 19 2023 Fedora Release Engineering - 3.3.3-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Mon Jul 17 2023 Orion Poplawski - 3.3.3-6
+- Add patch to fix build with Sphinx 7
+
+* Wed Jun 14 2023 Python Maint - 3.3.3-5
+- Rebuilt for Python 3.12
+
+* Thu Jan 19 2023 Fedora Release Engineering - 3.3.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Jul 20 2022 Fedora Release Engineering - 3.3.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Thu Jun 23 2022 Python Maint - 3.3.3-2
+- Rebuilt for Python 3.11
+
+* Tue Jun 14 2022 Orion Poplawski - 3.3.3-1
+- Update to 3.3.3
+
+* Wed May 04 2022 Orion Poplawski - 3.3.2-2
+- Drop setting cache_enabled no longer present in 3.3
+
+* Sat Mar 12 2022 Orion Poplawski - 3.3.2-1
+- Update to 3.3.2
+
+* Tue Mar 01 2022 Orion Poplawski - 3.3.1-1
+- Update to 3.3.1, removes web interface
+
+* Tue Mar 01 2022 Orion Poplawski - 3.2.2-9
+- Apply fixes for CVE-2021-45082/3
+- Remove BR on python3-coverage
+
+* Mon Jan 24 2022 Orion Poplawski - 3.2.2-8
+- Fix posttrans script
+
+* Wed Jan 19 2022 Fedora Release Engineering - 3.2.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Dec 23 2021 Orion Poplawski - 3.2.2-6
+- Fix path to settings.yaml in scriptlet
+
+* Thu Dec 09 2021 Orion Poplawski - 3.2.2-5
+- Remove defunct get-loaders command
+
+* Mon Nov 22 2021 Orion Poplawski - 3.2.2-4
+- Add new keys to settings.yaml on migration or if missing
+- Save original settings to settings.rpmorig
+
+* Fri Oct 08 2021 Orion Poplawski - 3.2.2-3
+- Fix dependencies (bz#2010567)
+
+* Thu Sep 23 2021 Orion Poplawski - 3.2.2-2
+- Migrate settings to settings.yaml
+- Migrate pre-cobbler 3 data if needed
+- Fix autoinstall_templates -> templates
+
+* Thu Sep 23 2021 Orion Poplawski - 3.2.2-1
+- Update to 3.2.2
+- bz#2006840: CVE-2021-40323: Arbitrary file disclosure/Template Injection
+- bz#2006897: CVE-2021-40324: Arbitrary file write via upload_log_data XMLRPC function
+- bz#2006904: CVE-2021-40325: Authorization bypass allows modifying settings
+
+* Wed Sep 22 2021 Orion Poplawski - 3.2.1-1
+- Update to 3.2.1
+
+* Wed Jul 21 2021 Fedora Release Engineering - 3.2.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri Jun 04 2021 Python Maint - 3.2.0-5
+- Rebuilt for Python 3.10
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 3.2.0-4
+- Rebuilt for updated systemd-rpm-macros
+ See https://pagure.io/fesco/issue/2583.
+
+* Tue Jan 26 2021 Fedora Release Engineering - 3.2.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sun Oct 25 2020 Orion Poplawski - 3.2.0-2
+- Give root RW permission to /var/lib/cobbler/web.ss
+- Fix SELinux cobbler logging issue
+
+* Sat Oct 24 2020 Orion Poplawski - 3.2.0-1
+- Update to 3.2.0
+
+* Thu Sep 17 2020 Orion Poplawski - 3.1.2-4
+- Add requires on python-distro and file
+
+* Mon Jul 27 2020 Fedora Release Engineering - 3.1.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 08 2020 Orion Poplawski - 3.1.2-2
+- Fix apache configuration
+
+* Fri May 29 2020 Orion Poplawski - 3.1.2-1
+- Update to 3.1.2
+
+* Tue May 26 2020 Miro Hrončok - 3.1.1-4
+- Rebuilt for Python 3.9
+
+* Fri Feb 21 2020 Orion Poplawski - 3.1.1-3
+- Add requires for python3-dns
+
+* Tue Jan 28 2020 Fedora Release Engineering - 3.1.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sun Jan 12 2020 Orion Poplawski - 3.1.1-1
+- Update to 3.1.1
+
+* Tue Oct 22 2019 Orion Poplawski - 3.0.1-4
+- Drop koan completely, including obsoletes. It is a separate package now.
+
+* Thu Oct 10 2019 Orion Poplawski - 3.0.1-3
+- Require /sbin/service
+
+* Tue Oct 8 2019 Orion Poplawski - 3.0.1-2
+- Fix requires (requests instead of urlgrabber)
+- Fix BR for EL8
+
+* Mon Sep 09 2019 Nicolas Chauvet - 3.0.1-1
+- Update to 3.0.1
+
+* Fri Aug 30 2019 Nicolas Chauvet - 3.0.0-1
+- Update to 3.0.0
+
+* Mon Aug 26 2019 Nicolas Chauvet - 2.8.5-0.1
+- Update to 2.8.5 - pre-release
+
+* Wed Jul 24 2019 Fedora Release Engineering - 2.8.4-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jan 31 2019 Fedora Release Engineering - 2.8.4-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Nov 26 2018 Orion Poplawski - 2.8.4-5
+- Fix empty man pages (BZ 1653415)
+
+* Mon Nov 26 2018 Orion Poplawski - 2.8.4-4
+- Revert bind_manage_ipmi feature that is broken on 2.8
+
+* Sun Nov 25 2018 Orion Poplawski - 2.8.4-3
+- Use pathfix.py to fix python shebangs
+
+* Sun Nov 25 2018 Orion Poplawski - 2.8.4-2
+- Make koan require python2-ethtool (BZ 1638933)
+
+* Sat Nov 24 2018 Orion Poplawski - 2.8.4-1
+- Update to 2.8.4 (Fixes BZ 1613292, 1643860, 1614433, CVE-2018-1000226, CVE-2018-10931)
+
+* Thu Jul 12 2018 Fedora Release Engineering - 2.8.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed May 30 2018 Orion Poplawski - 2.8.3-3
+- koan requires urlgrabber
+
+* Mon May 28 2018 Nicolas Chauvet - 2.8.3-2
+- Restore mergeability with epel7
+
+* Mon May 28 2018 Nicolas Chauvet - 2.8.3-1
+- Update to 2.8.3 - security bugfix
+
+* Wed Feb 21 2018 Orion Poplawski - 2.8.2-6
+- Really fix django requires for Fedora 28+
+
+* Tue Feb 20 2018 Orion Poplawski - 2.8.2-5
+- Fix django requires for Fedora 28+
+
+* Fri Feb 09 2018 Igor Gnatenko - 2.8.2-4
+- Escape macros in %%changelog
+
+* Wed Feb 07 2018 Fedora Release Engineering - 2.8.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Feb 06 2018 Iryna Shcherbina - 2.8.2-2
+- Update Python 2 dependency declarations to new packaging standards
+ (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Mon Sep 18 2017 Orion Poplawski - 2.8.2-1
+- Update to 2.8.2
+
+* Wed Aug 02 2017 Fedora Release Engineering - 2.8.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 2.8.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Jun 21 2017 Orion Poplawski - 2.8.1-3
+- Suppress logrotate output
+
+* Mon Jun 12 2017 Orion Poplawski - 2.8.1-2
+- Fix module loading
+
+* Wed May 24 2017 Orion Poplawski - 2.8.1-1
+- Update to 2.8.1
+
+* Fri Feb 17 2017 Orion Poplawski - 2.8.0-6
+- Add patch to fix handling of multiple bridge interfaces
+
+* Fri Feb 10 2017 Fedora Release Engineering - 2.8.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Jan 27 2017 Orion Poplawski - 2.8.0-4
+- Fix named patch
+
+* Tue Jan 24 2017 Orion Poplawski - 2.8.0-3
+- Restart named-chroot service if used
+
+* Fri Jan 20 2017 Orion Poplawski - 2.8.0-2
+- Fix logrotate script for systemd (bug #1414617)
+
+* Thu Dec 1 2016 Orion Poplawski - 2.8.0-1
+- Update to 2.8.0
+- Restructure spec file
+
+* Thu Sep 1 2016 Orion Poplawski - 2.6.11-11.gitf78af86
+- Add patches to fix TEMPLATE_DIRS and use OrderedDict
+
+* Thu Aug 11 2016 Orion Poplawski - 2.6.11-10.gitf78af86
+- Force IPv4 connections to cobblerd from web proxy
+
+* Thu Jul 21 2016 Orion Poplawski - 2.6.11-9.gitf78af86
+- Suppress "virt-install --os-variant list" error messages
+
+* Thu Jul 21 2016 Orion Poplawski - 2.6.11-8.git5680bf8
+- Fix handling unknown os variants with osinfo-query
+
+* Tue Jul 19 2016 Fedora Release Engineering - 2.6.11-7.git95749a6
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Wed Jul 13 2016 Orion Poplawski - 2.6.11-6.git95749a6
+- Fix typo in koan/app.py
+
+* Wed Jul 13 2016 Orion Poplawski - 2.6.11-5.git13b035f
+- Update to current git snapshot (bug #1276896)
+
+* Wed Feb 03 2016 Fedora Release Engineering - 2.6.11-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Feb 1 2016 Orion Poplawski - 2.6.11-3
+- Require dnf-plugins-core
+
+* Sun Jan 24 2016 Orion Poplawski - 2.6.11-2
+- Require dnf-core-plugins instead of yum-utils for repoquery on Fedora 23+
+
+* Sun Jan 24 2016 Orion Poplawski - 2.6.11-1
+- Update to 2.6.11
+- Make cobbler arch specific to allow for arch specific requires
+
+* Thu Oct 1 2015 Orion Poplawski - 2.6.10-1
+- Update to 2.6.10
+
+* Mon Jun 22 2015 Orion Poplawski - 2.6.9-1
+- Update to 2.6.9
+
+* Wed Jun 17 2015 Fedora Release Engineering - 2.6.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue May 12 2015 Orion Poplawski - 2.6.8-2
+- Support django 1.8 in Fedora 22+
+
+* Fri May 8 2015 Orion Poplawski - 2.6.8-1
+- Update to 2.6.8
+- Backport upstream patch to fix centos version detection (bug #1201879)
+
+* Tue Apr 28 2015 Orion Poplawski - 2.6.7-3
+- Add patch to fix virt-install support for F21+/EL7 (bug #1188424)
+
+* Mon Apr 27 2015 Orion Poplawski - 2.6.7-2
+- Create and own directories in tftp_dir
+
+* Wed Dec 31 2014 Orion Poplawski - 2.6.7-1
+- Update to 2.6.7
+
+* Sun Oct 19 2014 Orion Poplawski - 2.6.6-1
+- Update to 2.6.6
+
+* Fri Aug 15 2014 Orion Poplawski - 2.6.5-1
+- Update to 2.6.5
+
+* Wed Aug 13 2014 Orion Poplawski - 2.6.4-2
+- Require Django >= 1.4
+
+* Mon Aug 11 2014 Orion Poplawski - 2.6.4-1
+- Update to 2.6.4
+
+* Fri Jul 18 2014 Orion Poplawski - 2.6.3-1
+- Update to 2.6.3
+
+* Wed Jul 16 2014 Orion Poplawski - 2.6.2-1
+- Update to 2.6.2
+- Spec cleanup
+
+* Sat Jun 07 2014 Fedora Release Engineering - 2.6.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri May 23 2014 Orion Poplawski - 2.6.1-1
+- Update to 2.6.1
+- Drop koan patch applied upstream
+
+* Tue Apr 22 2014 Orion Poplawski - 2.6.0-2
+- Only require syslinux on x86
+
+* Mon Apr 21 2014 Orion Poplawski - 2.6.0-1
+- Update to 2.6.0
diff --git a/cobbler-CVE-2021-45082.patch b/cobbler-CVE-2021-45082.patch
deleted file mode 100644
index 022f15a..0000000
--- a/cobbler-CVE-2021-45082.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-diff --git a/cobbler.spec b/cobbler.spec
-index bbbbae37..1f81456a 100644
---- a/cobbler.spec
-+++ b/cobbler.spec
-@@ -382,6 +382,20 @@ fi
- %{_datadir}/%{name}/bin/mkgrub.sh >/dev/null 2>&1
- %endif
- %systemd_post cobblerd.service
-+# Fixup permission for world readable settings files
-+chmod 640 %{_sysconfdir}/cobbler/settings.yaml
-+chmod 600 %{_sysconfdir}/cobbler/mongodb.conf
-+chmod 600 %{_sysconfdir}/cobbler/modules.conf
-+chmod 640 %{_sysconfdir}/cobbler/users.conf
-+chmod 640 %{_sysconfdir}/cobbler/users.digest
-+chmod 750 %{_sysconfdir}/cobbler/settings.d
-+chmod 640 %{_sysconfdir}/cobbler/settings.d/*
-+chgrp %{apache_group} %{_sysconfdir}/cobbler/settings.yaml
-+chgrp %{apache_group} %{_sysconfdir}/cobbler/users.conf
-+chgrp %{apache_group} %{_sysconfdir}/cobbler/users.digest
-+chgrp %{apache_group} %{_sysconfdir}/cobbler/settings.d
-+chgrp %{apache_group} %{_sysconfdir}/cobbler/settings.d/*
-+
-
- %preun
- %systemd_preun cobblerd.service
-@@ -461,8 +475,8 @@ sed -i -e "s/SECRET_KEY = ''/SECRET_KEY = \'$RAND_SECRET\'/" %{_datadir}/cobbler
- %dir %{_sysconfdir}/cobbler/iso
- %config(noreplace) %{_sysconfdir}/cobbler/iso/buildiso.template
- %config(noreplace) %{_sysconfdir}/cobbler/logging_config.conf
--%config(noreplace) %{_sysconfdir}/cobbler/modules.conf
--%config(noreplace) %{_sysconfdir}/cobbler/mongodb.conf
-+%attr(600, root, root) %config(noreplace) %{_sysconfdir}/cobbler/modules.conf
-+%attr(600, root, root) %config(noreplace) %{_sysconfdir}/cobbler/mongodb.conf
- %config(noreplace) %{_sysconfdir}/cobbler/named.template
- %config(noreplace) %{_sysconfdir}/cobbler/ndjbdns.template
- %dir %{_sysconfdir}/cobbler/reporting
-@@ -470,13 +484,13 @@ sed -i -e "s/SECRET_KEY = ''/SECRET_KEY = \'$RAND_SECRET\'/" %{_datadir}/cobbler
- %config(noreplace) %{_sysconfdir}/cobbler/rsync.exclude
- %config(noreplace) %{_sysconfdir}/cobbler/rsync.template
- %config(noreplace) %{_sysconfdir}/cobbler/secondary.template
--%config(noreplace) %{_sysconfdir}/cobbler/settings.yaml
--%dir %{_sysconfdir}/cobbler/settings.d
--%config(noreplace) %{_sysconfdir}/cobbler/settings.d/bind_manage_ipmi.settings
--%config(noreplace) %{_sysconfdir}/cobbler/settings.d/manage_genders.settings
--%config(noreplace) %{_sysconfdir}/cobbler/settings.d/nsupdate.settings
--%config(noreplace) %{_sysconfdir}/cobbler/users.conf
--%config(noreplace) %{_sysconfdir}/cobbler/users.digest
-+%attr(640, root, %{apache_group}) %config(noreplace) %{_sysconfdir}/cobbler/settings.yaml
-+%attr(750, root, %{apache_group}) %dir %{_sysconfdir}/cobbler/settings.d
-+%attr(640, root, %{apache_group}) %config(noreplace) %{_sysconfdir}/cobbler/settings.d/bind_manage_ipmi.settings
-+%attr(640, root, %{apache_group}) %config(noreplace) %{_sysconfdir}/cobbler/settings.d/manage_genders.settings
-+%attr(640, root, %{apache_group}) %config(noreplace) %{_sysconfdir}/cobbler/settings.d/nsupdate.settings
-+%attr(640, root, %{apache_group}) %config(noreplace) %{_sysconfdir}/cobbler/users.conf
-+%attr(640, root, %{apache_group}) %config(noreplace) %{_sysconfdir}/cobbler/users.digest
- %config(noreplace) %{_sysconfdir}/cobbler/version
- %config(noreplace) %{_sysconfdir}/cobbler/zone.template
- %dir %{_sysconfdir}/cobbler/zone_templates
-diff --git a/cobbler/templar.py b/cobbler/templar.py
-index 7321e2d5..58ef16de 100644
---- a/cobbler/templar.py
-+++ b/cobbler/templar.py
-@@ -77,10 +77,10 @@ class Templar:
- """
- lines = data.split("\n")
- for line in lines:
-- if line.find("#import") != -1:
-- rest = line.replace("#import", "").replace(" ", "").strip()
-+ if "#import" in line or "#from" in line:
-+ rest = line.replace("#import", "").replace("#from", "").replace("import", ".").replace(" ", "").strip()
- if self.settings and rest not in self.settings.cheetah_import_whitelist:
-- raise CX("potentially insecure import in template: %s" % rest)
-+ raise CX(f"Potentially insecure import in template: {rest}")
-
- def render(self, data_input: Union[TextIO, str], search_table: dict, out_path: Optional[str],
- template_type="default") -> str:
diff --git a/cobbler-httpd.patch b/cobbler-httpd.patch
deleted file mode 100644
index 2464a8c..0000000
--- a/cobbler-httpd.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -up cobbler-3.1.2/config/apache/cobbler_web.conf.httpd cobbler-3.1.2/config/apache/cobbler_web.conf
---- cobbler-3.1.2/config/apache/cobbler_web.conf.httpd 2020-05-27 02:26:44.000000000 -0600
-+++ cobbler-3.1.2/config/apache/cobbler_web.conf 2020-07-07 21:12:53.942577055 -0600
-@@ -16,8 +16,6 @@ WSGIDaemonProcess cobbler_web display-na
- WSGIProcessGroup cobbler_web
- WSGIPassAuthorization On
-
---
---
-
-
- SSLRequireSSL
-@@ -42,5 +40,3 @@ WSGIPassAuthorization On
- AllowOverride None
- Require all granted
-
---
---
diff --git a/cobbler-nocov.patch b/cobbler-nocov.patch
index fe6aa76..c50edfd 100644
--- a/cobbler-nocov.patch
+++ b/cobbler-nocov.patch
@@ -1,24 +1,17 @@ -diff -up cobbler-3.2.2/setup.py.nocov cobbler-3.2.2/setup.py ---- cobbler-3.2.2/setup.py.nocov 2022-02-28 20:05:35.388747435 -0700 -+++ cobbler-3.2.2/setup.py 2022-02-28 20:06:31.743251279 -0700 -@@ -18,7 +18,6 @@ from setuptools import find_packages - from sphinx.setup_command import BuildDoc +diff --git a/setup.py b/setup.py +index 59f7601..023d84b 100644 +--- a/setup.py ++++ b/setup.py +@@ -341,17 +341,9 @@ class test_command(Command): - import codecs --from coverage import Coverage - import pwd - import shutil - import subprocess ---- cobbler-3.2.2/setup.py.nocov 2022-02-28 21:34:34.996746220 -0700 -+++ cobbler-3.2.2/setup.py 2022-02-28 21:35:51.598440218 -0700 -@@ -373,15 +373,8 @@ def run(self): import pytest - +- from coverage import Coverage +- - cov = Coverage() - cov.erase() - cov.start() -- + result = pytest.main() - cov.stop()
@@ -27,20 +20,22 @@ diff -up cobbler-3.2.2/setup.py.nocov cobbler-3.2.2/setup.py sys.exit(int(bool(len(result.failures) > 0 or len(result.errors) > 0))) -@@ -505,7 +498,6 @@ - url="https://cobbler.github.io", +@@ -479,7 +471,6 @@ if __name__ == "__main__": + }, license="GPLv2+", setup_requires=[ - "coverage", "distro", "setuptools", "sphinx", -@@ -528,7 +520,7 @@ - ], - extras_require={ - "lint": ["pyflakes", "pycodestyle"], -- "test": ["pytest", "pytest-cov", "codecov", "pytest-mock"] -+ "test": ["pytest", "pytest-mock"] - }, - packages=find_packages(exclude=["*tests*"]), - scripts=[ +@@ -501,10 +492,7 @@ if __name__ == "__main__": + "lint": ["pyflakes", "pycodestyle", "pylint", "black", "mypy"], + "test": [ + "pytest>6", +- "pytest-cov", +- "codecov", + "pytest-mock", +- "pytest-benchmark", + ], + "docs": ["sphinx", "sphinx-rtd-theme", "sphinxcontrib-apidoc"], + # We require the current version to properly detect duplicate issues diff --git a/cobbler-python3.13.patch b/cobbler-python3.13.patch new file mode 100644 index 0000000..78847a4 --- /dev/null +++ b/cobbler-python3.13.patch 
@@ -0,0 +1,972 @@ +diff --git a/changelog.d/3842.fixed b/changelog.d/3842.fixed +new file mode 100644 +index 00000000..6c6d6313 +--- /dev/null ++++ b/changelog.d/3842.fixed +@@ -0,0 +1 @@ ++Fix compatibility with Python 3.13 +diff --git a/cobbler/actions/reposync.py b/cobbler/actions/reposync.py +index c0163350..ec5745fb 100644 +--- a/cobbler/actions/reposync.py ++++ b/cobbler/actions/reposync.py +@@ -23,9 +23,9 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + import logging + import os + import os.path +-import pipes +-import stat ++import shlex + import shutil ++import stat + from typing import Optional, Union + + from cobbler import utils +@@ -272,9 +272,9 @@ class RepoSync: + blended = utils.blender(self.api, False, repo) + flags = blended.get("createrepo_flags", "(ERROR: FLAGS)") + try: +- cmd = "createrepo %s %s %s" % (" ".join(mdoptions), flags, pipes.quote(dirname)) +- utils.subprocess_call(cmd) +- except: ++ cmd = ["createrepo"] + mdoptions + flags + [shlex.quote(dirname)] ++ utils.subprocess_call(cmd, shell=False) ++ except Exception: + utils.log_exc() + self.logger.error("createrepo failed.") + del fnames[:] # we're in the right place +@@ -302,8 +302,19 @@ class RepoSync: + dest_path = os.path.join(self.settings.webdir, "repo_mirror", repo.name) + + # FIXME: wrapper for subprocess that logs to logger +- cmd = ["wget", "-N", "-np", "-r", "-l", "inf", "-nd", "-P", pipes.quote(dest_path), pipes.quote(repo.mirror)] +- rc = utils.subprocess_call(cmd) ++ cmd = [ ++ "wget", ++ "-N", ++ "-np", ++ "-r", ++ "-l", ++ "inf", ++ "-nd", ++ "-P", ++ shlex.quote(dest_path), ++ shlex.quote(repo.mirror), ++ ] ++ return_value = utils.subprocess_call(cmd, shell=False) + + if rc != 0: + raise CX("cobbler reposync failed") +@@ -347,9 +358,14 @@ class RepoSync: + if flags == '': + flags = self.settings.reposync_rsync_flags + +- cmd = "rsync %s --delete-after %s --delete --exclude-from=/etc/cobbler/rsync.exclude %s %s" \ +- % (flags, spacer, 
pipes.quote(repo.mirror), pipes.quote(dest_path)) +- rc = utils.subprocess_call(cmd) ++ cmd = ["rsync"] + flags + ["--delete-after"] ++ cmd += spacer + [ ++ "--delete", ++ "--exclude-from=/etc/cobbler/rsync.exclude", ++ shlex.quote(repo.mirror), ++ shlex.quote(dest_path), ++ ] ++ return_code = utils.subprocess_call(cmd, shell=False) + + if rc != 0: + raise CX("cobbler reposync failed") +@@ -386,10 +402,11 @@ class RepoSync: + if not HAS_LIBREPO: + raise CX("no librepo found, please install python3-librepo") + +- if os.path.exists("/usr/bin/dnf"): +- cmd = "/usr/bin/dnf reposync" +- elif os.path.exists("/usr/bin/reposync"): +- cmd = "/usr/bin/reposync" ++ if os.path.exists("/usr/bin/reposync"): ++ cmd = ["/usr/bin/reposync"] ++ # DNF5 does not have a reposync subcommand ++ elif os.path.exists("/usr/bin/dnf"): ++ cmd = ["/usr/bin/dnf", "reposync"] + else: + # Warn about not having yum-utils. We don't want to require it in the package because Fedora 22+ has moved + # to dnf. +@@ -451,6 +468,11 @@ class RepoSync: + # Counter-intuitive, but we want the newish kernels too + arch = "i686" + ++ cmd = self.reposync_cmd() ++ cmd += self.rflags + [ ++ f"--repo={shlex.quote(rest)}", ++ f"--download-path={shlex.quote(repos_path)}", ++ ] + if arch != "none": + cmd = "%s -a %s" % (cmd, arch) + +@@ -544,9 +566,11 @@ class RepoSync: + + if not has_rpm_list: + # If we have not requested only certain RPMs, use reposync +- cmd = "%s %s --config=%s --repoid=%s -p %s" \ +- % (cmd, self.rflags, temp_file, pipes.quote(repo.name), +- pipes.quote(repos_path)) ++ cmd += self.rflags + [ ++ f"--config={temp_file}", ++ f"--repoid={shlex.quote(repo.name)}", ++ f"--download-path={shlex.quote(repos_path)}", ++ ] + if arch != "none": + cmd = "%s -a %s" % (cmd, arch) + +@@ -557,14 +581,14 @@ class RepoSync: + + use_source = "" + if arch == "src": +- use_source = "--source" +- +- # Older yumdownloader sometimes explodes on --resolvedeps if this happens to you, upgrade yum & yum-utils +- extra_flags = 
self.settings.yumdownloader_flags +- cmd = "/usr/bin/dnf download" +- cmd = "%s %s %s --disablerepo=* --enablerepo=%s -c %s --destdir=%s %s" \ +- % (cmd, extra_flags, use_source, pipes.quote(repo.name), temp_file, pipes.quote(dest_path), +- " ".join(repo.rpm_list)) ++ cmd.append("--source") ++ cmd += [ ++ "--disablerepo=*", ++ f"--enablerepo={shlex.quote(repo.name)}", ++ f"-c={temp_file}", ++ f"--destdir={shlex.quote(dest_path)}", ++ ] ++ cmd += repo.rpm_list + + # Now regardless of whether we're doing yumdownloader or reposync or whether the repo was http://, ftp://, or + # rhn://, execute all queued commands here. Any failure at any point stops the operation. +@@ -669,17 +693,21 @@ class RepoSync: + dists = ",".join(repo.apt_dists) + components = ",".join(repo.apt_components) + +- mirror_data = "--method=%s --host=%s --root=%s --dist=%s --section=%s" \ +- % (pipes.quote(method), pipes.quote(host), pipes.quote(mirror), pipes.quote(dists), +- pipes.quote(components)) ++ mirror_data = [ ++ f"--method={shlex.quote(method)}", ++ f"--host={shlex.quote(host)}", ++ f"--root={shlex.quote(mirror)}", ++ f"--dist={shlex.quote(dists)}", ++ f"--section={shlex.quote(components)}", ++ ] + + rflags = "--nocleanup" + for x in repo.yumopts: + if repo.yumopts[x]: + rflags += " %s=%s" % (x, repo.yumopts[x]) + else: +- rflags += " %s" % x +- cmd = "%s %s %s %s" % (mirror_program, rflags, mirror_data, pipes.quote(dest_path)) ++ rflags.append(repo_yumoption) ++ cmd = [mirror_program] + rflags + mirror_data + [shlex.quote(dest_path)] + if repo.arch == RepoArchs.SRC: + cmd = "%s --source" % cmd + else: +diff --git a/tests/actions/reposync_test.py b/tests/actions/reposync_test.py +index 0bee772c..ee8d1549 100644 +--- a/tests/actions/reposync_test.py ++++ b/tests/actions/reposync_test.py +@@ -1,251 +1,592 @@ ++""" ++Tests that validate the functionality of the module that is responsible for repository synchronization. 
++""" ++ + import os +-import glob ++from pathlib import Path ++from typing import TYPE_CHECKING, Any, Dict, List, Union + + import pytest + +-from cobbler import enums ++from cobbler import cexceptions, enums ++from cobbler.actions import reposync + from cobbler.api import CobblerAPI +-from cobbler.actions.reposync import RepoSync + from cobbler.items.repo import Repo +-from cobbler import cexceptions +-from tests.conftest import does_not_raise + ++from tests.conftest import does_not_raise + +-@pytest.fixture(scope="class") +-def api(): +- return CobblerAPI() ++if TYPE_CHECKING: ++ from pytest_mock import MockerFixture + + +-@pytest.fixture(scope="class") +-def reposync(api): +- test_reposync = RepoSync(api, tries=2, nofail=False) ++@pytest.fixture(name="reposync_object", scope="function") ++def fixture_reposync_object( ++ mocker: "MockerFixture", cobbler_api: CobblerAPI ++) -> reposync.RepoSync: ++ settings_mock = mocker.MagicMock() ++ settings_mock.webdir = "/srv/www/cobbler" ++ settings_mock.server = "localhost" ++ settings_mock.http_port = 80 ++ settings_mock.proxy_url_ext = "" ++ settings_mock.yumdownloader_flags = "--testflag" ++ settings_mock.reposync_rsync_flags = "--testflag" ++ settings_mock.reposync_flags = "--testflag" ++ mocker.patch.object(cobbler_api, "settings", return_value=settings_mock) ++ test_reposync = reposync.RepoSync(cobbler_api, tries=2, nofail=False) + return test_reposync + + +-@pytest.fixture +-def repo(api): ++@pytest.fixture(name="repo") ++def fixture_repo(cobbler_api: CobblerAPI) -> Repo: + """ + Creates a Repository "testrepo0" with a keep_updated=True and mirror_locally=True". 
+ """ +- test_repo = Repo(api) ++ test_repo = Repo(cobbler_api) + test_repo.name = "testrepo0" + test_repo.mirror_locally = True + test_repo.keep_updated = True +- api.add_repo(test_repo) + return test_repo + + + @pytest.fixture +-def remove_repo(api): ++def remove_repo(cobbler_api: CobblerAPI): + """ + Removes the Repository "testrepo0" which can be created with repo. + """ + yield +- test_repo = api.find_repo("testrepo0") +- if test_repo is not None: +- api.remove_repo(test_repo.name) ++ test_repo = cobbler_api.find_repo("testrepo0") ++ if test_repo is not None and not isinstance(test_repo, list): ++ cobbler_api.remove_repo(test_repo.name) + + +-class TestRepoSync: +- @pytest.mark.usefixtures("remove_repo") +- @pytest.mark.parametrize( +- "input_mirror_type,input_mirror,expected_exception", +- [ +- ( +- enums.MirrorType.BASEURL, +- "http://download.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os", +- does_not_raise() +- ), +- ( +- enums.MirrorType.MIRRORLIST, +- "https://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=x86_64", +- does_not_raise() +- ), +- ( +- enums.MirrorType.METALINK, +- "https://mirrors.fedoraproject.org/metalink?repo=rawhide&arch=x86_64", +- does_not_raise() +- ), +- ( +- enums.MirrorType.BASEURL, +- "http://www.example.com/path/to/some/repo", +- pytest.raises(cexceptions.CX) +- ), ++@pytest.fixture(scope="function", autouse=True) ++def reset_librepo(): ++ has_librepo = reposync.HAS_LIBREPO ++ yield ++ reposync.HAS_LIBREPO = has_librepo ++ ++ ++def test_repo_walker(mocker: "MockerFixture", tmp_path: Path): ++ # Arrange ++ def test_fun(arg: Any, top: Any, names: Any): ++ pass ++ ++ subdir1 = tmp_path / "sub1" ++ subdir2 = tmp_path / "sub2" ++ subdir1.mkdir() ++ subdir2.mkdir() ++ spy = mocker.Mock(wraps=test_fun) ++ ++ # Act ++ reposync.repo_walker(tmp_path, spy, None) # type: ignore ++ ++ # Assert ++ assert spy.mock_calls == [ ++ # settings.yaml is here because of our autouse fixture that we use to restore 
the settings ++ mocker.call(None, tmp_path, ["settings.yaml", "sub1", "sub2"]), ++ mocker.call(None, str(subdir1), []), ++ mocker.call(None, str(subdir2), []), ++ ] ++ ++ ++@pytest.mark.parametrize( ++ "input_has_librepo,input_path_exists_side_effect,expected_exception,expected_result", ++ [ ++ (True, [False, True], does_not_raise(), ["/usr/bin/dnf", "reposync"]), ++ (True, [True, False], does_not_raise(), ["/usr/bin/reposync"]), ++ (True, [False, False], pytest.raises(cexceptions.CX), ""), ++ (False, [False, True], pytest.raises(cexceptions.CX), ""), ++ ], ++) ++def test_reposync_cmd( ++ mocker: "MockerFixture", ++ reposync_object: reposync.RepoSync, ++ input_has_librepo: bool, ++ input_path_exists_side_effect: List[bool], ++ expected_exception: Any, ++ expected_result: Union[List[str], str], ++): ++ # Arrange ++ mocker.patch("os.path.exists", side_effect=input_path_exists_side_effect) ++ reposync.HAS_LIBREPO = input_has_librepo ++ ++ # Act ++ with expected_exception: ++ result = reposync_object.reposync_cmd() ++ ++ # Assert ++ assert result == expected_result ++ ++ ++def test_run(mocker: "MockerFixture", reposync_object: reposync.RepoSync, repo: Repo): ++ # Arrange ++ env_vars: Dict[str, Any] = {} ++ mocker.patch("os.makedirs") ++ mocker.patch("os.path.isdir", return_value=True) ++ mocker.patch( ++ "os.path.join", ++ side_effect=[ ++ "/srv/www/cobbler/repo_mirror", ++ "/srv/www/cobbler/repo_mirror/%s" % repo.name, + ], + ) +- def test_reposync_yum( +- self, +- input_mirror_type, +- input_mirror, +- expected_exception, +- api, +- repo, +- reposync +- ): +- # Arrange +- test_repo = repo +- test_repo.breed = enums.RepoBreeds.YUM +- test_repo.mirror = input_mirror +- test_repo.mirror_type = input_mirror_type +- test_repo.rpm_list = "fedora-gpg-keys" +- test_settings = api.settings() +- repo_path = os.path.join(test_settings.webdir, "repo_mirror", test_repo.name) +- +- # Act & Assert +- with expected_exception: +- reposync.run(test_repo.name) +- result = 
os.path.exists(repo_path) +- if test_repo.rpm_list and test_repo.rpm_list != []: +- for rpm in test_repo.rpm_list: +- assert glob.glob(os.path.join(repo_path, "**", rpm) + "*.rpm", recursive=True) != [] +- assert result +- # Test that re-downloading the metadata in .origin/repodata will not result in an error +- reposync.run(test_repo.name) +- +- @pytest.mark.usefixtures("remove_repo") +- @pytest.mark.parametrize( +- "input_mirror_type,input_mirror,input_arch,input_rpm_list,expected_exception", ++ mocker.patch("os.environ", return_value=env_vars) ++ mocker.patch.object(reposync_object, "repos", return_value=[repo]) ++ mocker.patch.object(reposync_object, "sync") ++ mocker.patch.object(reposync_object, "update_permissions") ++ reposync_object.repos = [repo] # type: ignore ++ ++ # Act ++ reposync_object.run() ++ ++ # Assert ++ # This has to be 0 since all env vars need to be removed after reposync has run. ++ assert len(env_vars) == 0 ++ ++ ++def test_gen_urlgrab_ssl_opts(reposync_object: reposync.RepoSync): ++ # Arrange ++ input_dict: Dict[str, Any] = {} ++ ++ # Act ++ result = reposync_object.gen_urlgrab_ssl_opts(input_dict) ++ ++ # Assert ++ assert isinstance(result, tuple) ++ assert len(result) == 2 ++ # The data of the first element is kind of flexible let's skip asserting it for now ++ assert isinstance(result[1], bool) ++ ++ ++@pytest.mark.usefixtures("remove_repo") ++@pytest.mark.parametrize( ++ "input_mirror_type,input_mirror,expected_exception", ++ [ ++ ( ++ enums.MirrorType.BASEURL, ++ "http://download.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os", ++ does_not_raise(), ++ ), ++ ( ++ enums.MirrorType.MIRRORLIST, ++ "https://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=x86_64", ++ does_not_raise(), ++ ), ++ ( ++ enums.MirrorType.METALINK, ++ "https://mirrors.fedoraproject.org/metalink?repo=rawhide&arch=x86_64", ++ does_not_raise(), ++ ), ++ ], ++) ++def test_reposync_yum( ++ mocker: "MockerFixture", ++ 
input_mirror_type: enums.MirrorType, ++ input_mirror: str, ++ expected_exception: Any, ++ cobbler_api: CobblerAPI, ++ repo: Repo, ++ reposync_object: reposync.RepoSync, ++): ++ # Arrange ++ test_repo = repo ++ test_repo.breed = enums.RepoBreeds.YUM ++ test_repo.mirror = input_mirror ++ test_repo.mirror_type = input_mirror_type ++ test_repo.rpm_list = "fedora-gpg-keys" ++ test_settings = cobbler_api.settings() ++ repo_path = os.path.join(test_settings.webdir, "repo_mirror", test_repo.name) ++ mocked_subprocess = mocker.patch( ++ "cobbler.utils.subprocess_call", autospec=True, return_value=0 ++ ) ++ mocker.patch.object( ++ reposync_object, "create_local_file", return_value="/create/local/file" ++ ) ++ mocker.patch.object( ++ reposync_object, "reposync_cmd", return_value=["/my/fake/dnf", "reposync"] ++ ) ++ mocker.patch.object(reposync_object, "rflags", return_value="--fake-r-flakg") ++ mocker.patch.object( ++ reposync_object, ++ "gen_urlgrab_ssl_opts", ++ return_value=(("TODO", "TODO", "TODO"), False), ++ ) ++ mocker.patch("os.path.exists", return_value=True) ++ mocker.patch("shutil.rmtree") ++ mocker.patch("os.makedirs") ++ mocked_repo_walker = mocker.patch("cobbler.actions.reposync.repo_walker") ++ handle_mock = mocker.MagicMock() ++ result_mock = mocker.MagicMock() ++ mocker.patch("librepo.Handle", return_value=handle_mock) ++ mocker.patch("librepo.Result", return_value=result_mock) ++ ++ # Act & Assert ++ with expected_exception: ++ reposync_object.yum_sync(repo) ++ ++ mocked_subprocess.assert_called_with( ++ [ ++ "/usr/bin/dnf", ++ "download", ++ "--testflag", ++ "--disablerepo=*", ++ f"--enablerepo={repo.name}", ++ "-c=/create/local/file", ++ f"--destdir={repo_path}", ++ "fedora-gpg-keys", ++ ], ++ shell=False, ++ ) ++ handle_mock.perform.assert_called_with(result_mock) ++ assert mocked_repo_walker.call_count == 1 ++ ++ ++@pytest.mark.usefixtures("remove_repo") ++@pytest.mark.parametrize( ++ 
"input_mirror_type,input_mirror,input_arch,input_rpm_list,expected_exception", ++ [ ++ ( ++ enums.MirrorType.BASEURL, ++ "http://ftp.debian.org/debian", ++ enums.RepoArchs.X86_64, ++ "", ++ does_not_raise(), ++ ), ++ ( ++ enums.MirrorType.MIRRORLIST, ++ "http://ftp.debian.org/debian", ++ enums.RepoArchs.X86_64, ++ "", ++ pytest.raises(cexceptions.CX), ++ ), ++ ( ++ enums.MirrorType.METALINK, ++ "http://ftp.debian.org/debian", ++ enums.RepoArchs.X86_64, ++ "", ++ pytest.raises(cexceptions.CX), ++ ), ++ ( ++ enums.MirrorType.BASEURL, ++ "http://ftp.debian.org/debian", ++ enums.RepoArchs.NONE, ++ "", ++ pytest.raises(cexceptions.CX), ++ ), ++ ( ++ enums.MirrorType.BASEURL, ++ "http://ftp.debian.org/debian", ++ enums.RepoArchs.X86_64, ++ "dpkg", ++ pytest.raises(cexceptions.CX), ++ ), ++ ], ++) ++def test_reposync_apt( ++ mocker: "MockerFixture", ++ input_mirror_type: enums.MirrorType, ++ input_mirror: str, ++ input_arch: enums.RepoArchs, ++ input_rpm_list: str, ++ expected_exception: Any, ++ cobbler_api: CobblerAPI, ++ repo: Repo, ++ reposync_object: reposync.RepoSync, ++): ++ # Arrange ++ test_repo = repo ++ test_repo.breed = enums.RepoBreeds.APT ++ test_repo.arch = input_arch ++ test_repo.apt_components = "main" ++ test_repo.apt_dists = "stable" ++ test_repo.mirror = input_mirror ++ test_repo.mirror_type = input_mirror_type ++ test_repo.rpm_list = input_rpm_list ++ test_settings = cobbler_api.settings() ++ repo_path = os.path.join(test_settings.webdir, "repo_mirror", test_repo.name) ++ mocked_subprocess = mocker.patch( ++ "cobbler.utils.subprocess_call", autospec=True, return_value=0 ++ ) ++ mocker.patch("os.path.exists", return_value=True) ++ ++ # Act ++ with expected_exception: ++ reposync_object.apt_sync(repo) ++ ++ # Assert ++ mocked_subprocess.assert_called_with( ++ [ ++ "/usr/bin/debmirror", ++ "--nocleanup", ++ "--method=http", ++ "--host=ftp.debian.org", ++ "--root=/debian", ++ "--dist=stable", ++ "--section=main", ++ repo_path, ++ "--nosource", ++ 
"-a=amd64", ++ ], ++ shell=False, ++ ) ++ ++ ++@pytest.mark.usefixtures("remove_repo") ++@pytest.mark.parametrize( ++ "input_mirror_type,input_mirror,expected_exception", ++ [ ++ ( ++ enums.MirrorType.BASEURL, ++ "http://download.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/Packages/2", ++ does_not_raise(), ++ ), ++ ( ++ enums.MirrorType.MIRRORLIST, ++ "http://download.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/Packages/2", ++ pytest.raises(cexceptions.CX), ++ ), ++ ( ++ enums.MirrorType.METALINK, ++ "http://download.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/Packages/2", ++ pytest.raises(cexceptions.CX), ++ ), ++ ], ++) ++def test_reposync_wget( ++ mocker: "MockerFixture", ++ input_mirror_type: enums.MirrorType, ++ input_mirror: str, ++ expected_exception: Any, ++ cobbler_api: CobblerAPI, ++ repo: Repo, ++ reposync_object: reposync.RepoSync, ++): ++ # Arrange ++ test_repo = repo ++ test_repo.breed = enums.RepoBreeds.WGET ++ test_repo.mirror = input_mirror ++ test_repo.mirror_type = input_mirror_type ++ repo_path = os.path.join( ++ reposync_object.settings.webdir, "repo_mirror", test_repo.name ++ ) ++ mocked_subprocess = mocker.patch( ++ "cobbler.utils.subprocess_call", autospec=True, return_value=0 ++ ) ++ mocker.patch("cobbler.actions.reposync.repo_walker") ++ mocker.patch.object(reposync_object, "create_local_file") ++ ++ # Act ++ with expected_exception: ++ reposync_object.wget_sync(test_repo) ++ ++ # Assert ++ mocked_subprocess.assert_called_with( ++ [ ++ "wget", ++ "-N", ++ "-np", ++ "-r", ++ "-l", ++ "inf", ++ "-nd", ++ "-P", ++ repo_path, ++ input_mirror, ++ ], ++ shell=False, ++ ) ++ ++ ++def test_reposync_rhn( ++ mocker: "MockerFixture", reposync_object: reposync.RepoSync, repo: Repo ++): ++ # Arrange ++ repo.mirror = "rhn://%s" % repo.name ++ mocked_subprocess = mocker.patch( ++ "cobbler.utils.subprocess_call", autospec=True, return_value=0 ++ ) ++ 
mocker.patch("os.path.isdir", return_value=True) ++ mocker.patch("os.makedirs") ++ mocker.patch("cobbler.actions.reposync.repo_walker") ++ mocker.patch.object(reposync_object, "create_local_file") ++ mocker.patch.object( ++ reposync_object, "reposync_cmd", return_value=["/my/fake/reposync"] ++ ) ++ ++ # Act ++ reposync_object.rhn_sync(repo) ++ ++ # Assert ++ # TODO: Check this more and document how its actually working ++ mocked_subprocess.assert_called_with( + [ +- ( +- enums.MirrorType.BASEURL, +- "http://ftp.debian.org/debian", +- enums.RepoArchs.X86_64, +- "", +- does_not_raise() +- ), +- ( +- enums.MirrorType.MIRRORLIST, +- "http://ftp.debian.org/debian", +- enums.RepoArchs.X86_64, +- "", +- pytest.raises(cexceptions.CX) +- ), +- ( +- enums.MirrorType.METALINK, +- "http://ftp.debian.org/debian", +- enums.RepoArchs.X86_64, +- "", +- pytest.raises(cexceptions.CX) +- ), +- ( +- enums.MirrorType.BASEURL, +- "http://www.example.com/path/to/some/repo", +- enums.RepoArchs.X86_64, +- "", +- pytest.raises(cexceptions.CX) +- ), +- ( +- enums.MirrorType.BASEURL, +- "http://ftp.debian.org/debian", +- enums.RepoArchs.NONE, +- "", +- pytest.raises(cexceptions.CX) +- ), +- ( +- enums.MirrorType.BASEURL, +- "http://ftp.debian.org/debian", +- enums.RepoArchs.X86_64, +- "dpkg", +- pytest.raises(cexceptions.CX) +- ), ++ "/my/fake/reposync", ++ "--testflag", ++ "--repo=testrepo0", ++ "--download-path=/srv/www/cobbler/repo_mirror", + ], ++ shell=False, + ) +- def test_reposync_apt( +- self, +- input_mirror_type, +- input_mirror, +- input_arch, +- input_rpm_list, +- expected_exception, +- api, +- repo, +- reposync +- ): +- # Arrange +- test_repo = repo +- test_repo.breed = enums.RepoBreeds.APT +- test_repo.arch = input_arch +- test_repo.apt_components = "main" +- test_repo.apt_dists = "stable" +- test_repo.mirror = input_mirror +- test_repo.mirror_type = input_mirror_type +- test_repo.rpm_list = input_rpm_list +- test_repo.yumopts = "--exclude=.* --include=dpkg.* --no-check-gpg 
--rsync-extra=none" +- test_settings = api.settings() +- repo_path = os.path.join(test_settings.webdir, "repo_mirror", test_repo.name) +- +- # Act & Assert +- with expected_exception: +- reposync.run(test_repo.name) +- result = os.path.exists(repo_path) +- for rpm in ["dpkg"]: +- assert glob.glob(os.path.join(repo_path, "**", "dpkg") + "*", recursive=True) != [] +- assert result +- +- @pytest.mark.skip("To flaky and thus not reliable. Needs to be mocked to be of use.") +- @pytest.mark.usefixtures("remove_repo") +- @pytest.mark.parametrize( +- "input_mirror_type,input_mirror,expected_exception", ++ ++ ++def test_reposync_rsync( ++ mocker: "MockerFixture", reposync_object: reposync.RepoSync, repo: Repo ++): ++ # Arrange ++ mocked_subprocess = mocker.patch("cobbler.utils.subprocess_call", return_value=0) ++ mocker.patch("cobbler.actions.reposync.repo_walker") ++ mocker.patch.object(reposync_object, "create_local_file") ++ repo_path = os.path.join(reposync_object.settings.webdir, "repo_mirror", repo.name) ++ ++ # Act ++ reposync_object.rsync_sync(repo) ++ ++ # Assert ++ mocked_subprocess.assert_called_with( + [ +- ( +- enums.MirrorType.BASEURL, +- "http://download.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/Packages/2", +- does_not_raise() +- ), +- ( +- enums.MirrorType.MIRRORLIST, +- "http://download.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/Packages/2", +- pytest.raises(cexceptions.CX) +- ), +- ( +- enums.MirrorType.METALINK, +- "http://download.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/Packages/2", +- pytest.raises(cexceptions.CX) +- ), +- ( +- enums.MirrorType.BASEURL, +- "http://www.example.com/path/to/some/repo", +- pytest.raises(cexceptions.CX) +- ), ++ "rsync", ++ "--testflag", ++ "--delete-after", ++ "-e ssh", ++ "--delete", ++ "--exclude-from=/etc/cobbler/rsync.exclude", ++ "/", ++ repo_path, + ], ++ shell=False, + ) +- def test_reposync_wget( +- self, +- 
input_mirror_type, +- input_mirror, +- expected_exception, +- api, +- repo, +- reposync +- ): +- # Arrange +- test_repo = repo +- test_repo.breed = enums.RepoBreeds.WGET +- test_repo.mirror = input_mirror +- test_repo.mirror_type = input_mirror_type +- test_settings = api.settings() +- repo_path = os.path.join(test_settings.webdir, "repo_mirror", test_repo.name) +- +- # Act & Assert +- with expected_exception: +- reposync.run(test_repo.name) +- result = os.path.exists(repo_path) +- for rpm in ["rpm"]: +- assert glob.glob(os.path.join(repo_path, "**", "2") + "*", recursive=True) != [] +- assert result +- +- +-@pytest.mark.skip("TODO") +-def test_reposync_rhn(): ++ ++ ++def test_createrepo_walker( ++ mocker: "MockerFixture", reposync_object: reposync.RepoSync, repo: Repo ++): + # Arrange ++ input_repo = repo ++ input_repo.breed = enums.RepoBreeds.RSYNC ++ input_dirname = "" ++ input_fnames = [] ++ expected_call = ["createrepo", "--testflags", f"'{input_dirname}'"] ++ mocked_subprocess = mocker.patch( ++ "cobbler.utils.subprocess_call", autospec=True, return_value=0 ++ ) ++ mocker.patch( ++ "cobbler.utils.blender", ++ autospec=True, ++ return_value={"createrepo_flags": "--testflags"}, ++ ) ++ mocker.patch("cobbler.utils.remove_yum_olddata") ++ mocker.patch("cobbler.utils.subprocess_get", return_value="5") ++ mocker.patch("cobbler.utils.get_family", return_value="TODO") ++ mocker.patch("os.path.exists", return_value=True) ++ mocker.patch("os.path.isfile", return_value=True) ++ mocker.patch.object(reposync_object, "librepo_getinfo", return_value={}) ++ + # Act ++ reposync_object.createrepo_walker(input_repo, input_dirname, input_fnames) ++ + # Assert +- assert False ++ # TODO: Improve coverage over different cases in method ++ mocked_subprocess.assert_called_with(expected_call, shell=False) + + +-@pytest.mark.skip("TODO") +-def test_reposync_rsync(): ++@pytest.mark.parametrize( ++ "input_repotype,expected_exception", ++ [ ++ (enums.RepoBreeds.YUM, does_not_raise()), ++ 
(enums.RepoBreeds.RHN, does_not_raise()), ++ (enums.RepoBreeds.APT, does_not_raise()), ++ (enums.RepoBreeds.RSYNC, does_not_raise()), ++ (enums.RepoBreeds.WGET, does_not_raise()), ++ (enums.RepoBreeds.NONE, pytest.raises(cexceptions.CX)), ++ ], ++) ++def test_sync( ++ mocker: "MockerFixture", ++ cobbler_api: CobblerAPI, ++ reposync_object: reposync.RepoSync, ++ input_repotype: enums.RepoBreeds, ++ expected_exception: Any, ++): + # Arrange ++ test_repo = Repo(cobbler_api) ++ test_repo.breed = input_repotype ++ rhn_sync_mock = mocker.patch.object(reposync_object, "rhn_sync") ++ yum_sync_mock = mocker.patch.object(reposync_object, "yum_sync") ++ apt_sync_mock = mocker.patch.object(reposync_object, "apt_sync") ++ rsync_sync_mock = mocker.patch.object(reposync_object, "rsync_sync") ++ wget_sync_mock = mocker.patch.object(reposync_object, "wget_sync") ++ + # Act ++ with expected_exception: ++ reposync_object.sync(test_repo) ++ ++ # Assert ++ call_count = sum( ++ ( ++ rhn_sync_mock.call_count, ++ yum_sync_mock.call_count, ++ apt_sync_mock.call_count, ++ rsync_sync_mock.call_count, ++ wget_sync_mock.call_count, ++ ) ++ ) ++ assert call_count == 1 ++ ++ ++def test_librepo_getinfo( ++ mocker: "MockerFixture", reposync_object: reposync.RepoSync, tmp_path: Path ++): ++ # Arrange ++ handle_mock = mocker.MagicMock() ++ result_mock = mocker.MagicMock() ++ mocker.patch("librepo.Handle", return_value=handle_mock) ++ mocker.patch("librepo.Result", return_value=result_mock) ++ ++ # Act ++ reposync_object.librepo_getinfo(str(tmp_path)) ++ ++ # Assert ++ handle_mock.perform.assert_called_with(result_mock) ++ result_mock.getinfo.assert_called() ++ ++ ++def test_create_local_file( ++ mocker: "MockerFixture", reposync_object: reposync.RepoSync, repo: Repo ++): ++ # Arrange ++ mocker.patch("cobbler.utils.filesystem_helpers.mkdir", autospec=True) ++ mock_open = mocker.patch("builtins.open", mocker.mock_open()) ++ input_dest_path = "" ++ input_repo = repo ++ input_output = True ++ ++ # Act 
++ reposync_object.create_local_file(input_dest_path, input_repo, output=input_output) ++ ++ # Assert ++ # TODO: Extend checks ++ assert mock_open.call_count == 1 ++ assert mock_open.mock_calls[0] == mocker.call("config.repo", "w", encoding="UTF-8") ++ mock_open_handle = mock_open() ++ assert mock_open_handle.write.mock_calls[0] == mocker.call("[testrepo0]\n") ++ assert mock_open_handle.write.mock_calls[1] == mocker.call("name=testrepo0\n") ++ ++ ++def test_update_permissions( ++ mocker: "MockerFixture", reposync_object: reposync.RepoSync ++): ++ # Arrange ++ mocked_subprocess = mocker.patch( ++ "cobbler.utils.subprocess_call", autospec=True, return_value=0 ++ ) ++ path_to_update = "/my/fake/path" ++ expected_calls = [ ++ mocker.call(["chown", "-R", "root:www", path_to_update], shell=False), ++ mocker.call(["chmod", "-R", "755", path_to_update], shell=False), ++ ] ++ ++ # Act ++ reposync_object.update_permissions(path_to_update) ++ + # Assert +- assert False ++ assert mocked_subprocess.mock_calls == expected_calls diff --git a/cobbler-remove-get-loaders.patch b/cobbler-remove-get-loaders.patch deleted file mode 100644 index d2f1981..0000000 --- a/cobbler-remove-get-loaders.patch +++ /dev/null 
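Review bot: In the reposync.py part of this patch, the argv lists passed with `shell=False` still wrap values in `shlex.quote()` (`dirname`, `dest_path`, `repo.mirror`, `repo.name`), so any value that needs quoting reaches createrepo/wget/rsync with literal quote characters; the new createrepo test even expects `''` for an empty dirname. With no shell involved the elements should be passed unquoted, e.g. `cmd = ["createrepo"] + mdoptions + flags + [dirname]`. What is left to guard is a mirror or path that begins with `-` being read as an option, so validate those values or put `--` before the operands where the tool accepts it. Separately, wget_sync and rsync_sync now assign `return_value` / `return_code` while the unchanged context line still tests `if rc != 0:`, so unless `rc` is set outside the visible lines the failure check references an unassigned name; keep `rc = utils.subprocess_call(cmd, shell=False)`. The context lines also still build strings (`cmd = "%s -a %s" % (cmd, arch)`, `rflags = "--nocleanup"` followed by `rflags.append(repo_yumoption)`), which suggests the backport does not match this base, though the method bodies are only partly visible in the embedded hunks.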
@@ -1,316 +0,0 @@ -commit a798eabd9b9e3e7d4cb8a828a5aa2273c69cec48 -Author: Dominik Gedon -Date: Fri Mar 5 16:25:05 2021 +0100 - - Remove get-loader code - -diff --git a/cobbler/actions/check.py b/cobbler/actions/check.py -index e034071e..4fadab53 100644 ---- a/cobbler/actions/check.py -+++ b/cobbler/actions/check.py -@@ -386,12 +386,11 @@ class CobblerCheck: - not_found.append(loader_name) - - if len(not_found) > 0: -- status.append("some network boot-loaders are missing from /var/lib/cobbler/loaders, you may run 'cobbler " -- "get-loaders' to download them, or, if you only want to handle x86/x86_64 netbooting, " -- "you may ensure that you have installed a *recent* version of the syslinux package " -- "installed and can ignore this message entirely. Files in this directory, should you want " -- "to support all architectures, should include pxelinux.0, menu.c32, and yaboot. The " -- "'cobbler get-loaders' command is the easiest way to resolve these requirements.") -+ status.append("some network boot-loaders are missing from /var/lib/cobbler/loaders. If you only want to " -+ "handle x86/x86_64 netbooting, you may ensure that you have installed a *recent* version " -+ "of the syslinux package installed and can ignore this message entirely. Files in this " -+ "directory, should you want to support all architectures, should include pxelinux.0, " -+ "menu.c32, and yaboot.") - - def check_tftpd_dir(self, status): - """ -diff --git a/cobbler/actions/dlcontent.py b/cobbler/actions/dlcontent.py -deleted file mode 100644 -index 84d73b8d..00000000 ---- a/cobbler/actions/dlcontent.py -+++ /dev/null -@@ -1,77 +0,0 @@ --""" --Downloads bootloader content for all arches for when the user doesn't want to supply their own. 
-- --Copyright 2009, Red Hat, Inc and Others --Michael DeHaan -- --This program is free software; you can redistribute it and/or modify --it under the terms of the GNU General Public License as published by --the Free Software Foundation; either version 2 of the License, or --(at your option) any later version. -- --This program is distributed in the hope that it will be useful, --but WITHOUT ANY WARRANTY; without even the implied warranty of --MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the --GNU General Public License for more details. -- --You should have received a copy of the GNU General Public License --along with this program; if not, write to the Free Software --Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA --02110-1301 USA --""" -- --import os -- --from cobbler import clogger --from cobbler import download_manager -- -- --class ContentDownloader: -- -- def __init__(self, collection_mgr, logger=None): -- """ -- Constructor -- -- :param collection_mgr: The main collection manager instance which is used by the current running server. -- :param logger: The logger object which logs to the desired target. -- """ -- self.collection_mgr = collection_mgr -- self.settings = collection_mgr.settings() -- if logger is None: -- logger = clogger.Logger() -- self.logger = logger -- -- def run(self, force: bool = False): -- """ -- Download bootloader content for all of the latest bootloaders, since the user has chosen to not supply their -- own. You may ask "why not get this from yum", we also want this to be able to work on Debian and further do not -- want folks to have to install a cross compiler. For those that don't like this approach they can still source -- their cross-arch bootloader content manually. -- -- :param force: If the target path should be overwritten, even if there are already files present. 
-- """ -- -- content_server = "https://cobbler.github.io/loaders" -- dest = "/var/lib/cobbler/loaders" -- -- files = ( -- ("%s/README" % content_server, "%s/README" % dest), -- ("%s/COPYING.yaboot" % content_server, "%s/COPYING.yaboot" % dest), -- ("%s/COPYING.syslinux" % content_server, "%s/COPYING.syslinux" % dest), -- ("%s/yaboot-1.3.17" % content_server, "%s/yaboot" % dest), -- ("%s/pxelinux.0-3.86" % content_server, "%s/pxelinux.0" % dest), -- ("%s/menu.c32-3.86" % content_server, "%s/menu.c32" % dest), -- ("%s/grub-0.97-x86.efi" % content_server, "%s/grub-x86.efi" % dest), -- ("%s/grub-0.97-x86_64.efi" % content_server, "%s/grub-x86_64.efi" % dest), -- ) -- -- dlmgr = download_manager.DownloadManager(self.collection_mgr, self.logger) -- for src, dst in files: -- if os.path.exists(dst) and not force: -- self.logger.info("path %s already exists, not overwriting existing content, use --force if you wish " -- "to update" % dst) -- continue -- self.logger.info("downloading %s to %s" % (src, dst)) -- dlmgr.download_file(src, dst) -- --# EOF -diff --git a/cobbler/api.py b/cobbler/api.py -index bdf18391..9c52015e 100644 ---- a/cobbler/api.py -+++ b/cobbler/api.py -@@ -25,7 +25,7 @@ import random - import tempfile - from typing import Optional - --from cobbler.actions import status, dlcontent, hardlink, sync, buildiso, replicate, report, log, acl, check, reposync -+from cobbler.actions import status, hardlink, sync, buildiso, replicate, report, log, acl, check, reposync - from cobbler import autoinstall_manager - from cobbler import clogger - from cobbler.cobbler_collections import manager -@@ -1276,21 +1276,6 @@ class CobblerAPI: - - # ========================================================================== - -- def dlcontent(self, force=False, logger=None): -- """ -- Downloads bootloader content that may not be avialable in packages for the given arch, ex: if installing on PPC, -- get syslinux. If installing on x86_64, get elilo, etc. 
-- -- :param force: Force the download, although the content may be already downloaded. -- :param logger: The logger to audit the removal with. -- """ -- # FIXME: teach code that copies it to grab from the right place -- self.log("dlcontent") -- grabber = dlcontent.ContentDownloader(self._collection_mgr, logger=logger) -- return grabber.run(force) -- -- # ========================================================================== -- - def validate_autoinstall_files(self, logger=None): - """ - Validate if any of the autoinstallation files are invalid and if yes report this. -diff --git a/cobbler/cli.py b/cobbler/cli.py -index 5441ce0a..9a6c4fff 100644 ---- a/cobbler/cli.py -+++ b/cobbler/cli.py -@@ -55,7 +55,7 @@ OBJECT_ACTIONS = [] - for actions in list(OBJECT_ACTIONS_MAP.values()): - OBJECT_ACTIONS += actions - DIRECT_ACTIONS = "aclsetup buildiso import list replicate report reposync sync validate-autoinstalls version " \ -- "signature get-loaders hardlink".split() -+ "signature hardlink".split() - - #################################################### - -@@ -687,10 +687,6 @@ class CobblerCLI: - elif action_name == "validate-autoinstalls": - (options, args) = self.parser.parse_args(self.args) - task_id = self.start_task("validate_autoinstall_files", options) -- elif action_name == "get-loaders": -- self.parser.add_option("--force", dest="force", action="store_true", help="overwrite any existing content in /var/lib/cobbler/loaders") -- (options, args) = self.parser.parse_args(self.args) -- task_id = self.start_task("dlcontent", options) - elif action_name == "import": - self.parser.add_option("--arch", dest="arch", help="OS architecture being imported") - self.parser.add_option("--breed", dest="breed", help="the breed being imported") -diff --git a/cobbler/remote.py b/cobbler/remote.py -index 759879a8..ac788752 100644 ---- a/cobbler/remote.py -+++ b/cobbler/remote.py -@@ -200,18 +200,6 @@ class CobblerXMLRPCInterface: - ) - return self.__start_task(runner, token, 
"aclsetup", "(CLI) ACL Configuration", options) - -- def background_dlcontent(self, options, token) -> str: -- """ -- Download bootloaders and other support files. -- -- :param options: Unknown what this parameter is doing at the moment. -- :param token: The API-token obtained via the login() method. The API-token obtained via the login() method. -- :return: The id of the task which was started. -- """ -- def runner(self): -- self.remote.api.dlcontent(self.options.get("force", False), self.logger) -- return self.__start_task(runner, token, "get_loaders", "Download Bootloader Content", options) -- - def background_sync(self, options, token) -> str: - """ - Run a full Cobbler sync in the background. -diff --git a/config/bash/completion/cobbler b/config/bash/completion/cobbler -index f2d5bd59..169dbaec 100755 ---- a/config/bash/completion/cobbler -+++ b/config/bash/completion/cobbler -@@ -9,7 +9,7 @@ _cobbler_completions() - prev="${COMP_WORDS[COMP_CWORD-1]}" - cobbler_type=${COMP_WORDS[1]} - COMPREPLY=() -- TYPE="distro profile system repo image mgmtclass package file aclsetup buildiso import list replicate report reposync sync validateks version signature get-loaders hardlink" -+ TYPE="distro profile system repo image mgmtclass package file aclsetup buildiso import list replicate report reposync sync validateks version signature hardlink" - ACTION="add edit copy list remove rename report" - opts=( - [distro]="--ctime --depth --mtime --source-repos --tree-build-time --uid --arch --autoinstall-meta --boot-files --boot-loader --breed --comment --fetchable-files --initrd --kernel --kernel-options --kernel-options-post --mgmt-classes --name --os-version --owners --redhat-management-key --template-files --in-place --help" -diff --git a/config/cobbler/settings.yaml b/config/cobbler/settings.yaml -index 82b8c11f..b2e05a7b 100644 ---- a/config/cobbler/settings.yaml -+++ b/config/cobbler/settings.yaml -@@ -426,7 +426,7 @@ replicate_repo_rsync_options: "-avzH" - # always write 
DHCP entries, regardless if netboot is enabled - always_write_dhcp_entries: false - --# External proxy - used by: "get-loaders", "reposync", "signature update" -+# External proxy - used by: reposync", "signature update" - # Eg: "http://192.168.1.1:8080" (HTTP), "https://192.168.1.1:8443" (HTTPS) - proxy_url_ext: "" - -diff --git a/docs/cobbler-conf.rst b/docs/cobbler-conf.rst -index 673beffd..808d7738 100644 ---- a/docs/cobbler-conf.rst -+++ b/docs/cobbler-conf.rst -@@ -577,7 +577,7 @@ default: ``ipmilanplus`` - proxy_url_ext - ============= - --External proxy which is used by the following commands: ``get-loaders``, ``reposync``, ``signature update`` -+External proxy which is used by the following commands: ``reposync``, ``signature update`` - - defaults: - -diff --git a/docs/cobbler.rst b/docs/cobbler.rst -index 1fffc41e..6332a662 100644 ---- a/docs/cobbler.rst -+++ b/docs/cobbler.rst -@@ -74,7 +74,7 @@ Long Usage: - .. code-block:: shell - - cobbler ... [add|edit|copy|get-autoinstall*|list|remove|rename|report] [options|--help] -- cobbler [options|--help] -+ cobbler [options|--help] - - Cobbler distro - ============== -@@ -1071,15 +1071,6 @@ Example: - - $ cobbler signature - --Cobbler get-loaders --=================== -- --Example: -- --.. code-block:: shell -- -- $ cobbler get-loaders -- - Cobbler hardlink - ================ - -diff --git a/docs/code-autodoc/cobbler.actions.rst b/docs/code-autodoc/cobbler.actions.rst -index 44f7e1a4..a5845996 100644 ---- a/docs/code-autodoc/cobbler.actions.rst -+++ b/docs/code-autodoc/cobbler.actions.rst -@@ -28,14 +28,6 @@ cobbler.actions.check module - :undoc-members: - :show-inheritance: - --cobbler.actions.dlcontent module ---------------------------------- -- --.. 
automodule:: cobbler.actions.dlcontent -- :members: -- :undoc-members: -- :show-inheritance: -- - cobbler.actions.hardlink module - ------------------------------- - -diff --git a/tests/cli/cobbler_cli_direct_test.py b/tests/cli/cobbler_cli_direct_test.py -index 7cd6729c..01d42d6d 100644 ---- a/tests/cli/cobbler_cli_direct_test.py -+++ b/tests/cli/cobbler_cli_direct_test.py -@@ -148,11 +148,6 @@ class TestCobblerCliTestDirect: - i = assert_report_section(lines, i, "packages") - i = assert_report_section(lines, i, "files") - -- def test_cobbler_getloaders(self, run_cmd, get_last_line): -- (outputstd, outputerr) = run_cmd(cmd=["get-loaders"]) -- lines = outputstd.split("\n") -- assert "*** TASK COMPLETE ***" == get_last_line(lines) -- - def test_cobbler_hardlink(self, run_cmd, get_last_line): - (outputstd, outputerr) = run_cmd(cmd=["hardlink"]) - lines = outputstd.split("\n") -diff --git a/tests/xmlrpcapi/background_test.py b/tests/xmlrpcapi/background_test.py -index 36c03b01..64e219ca 100644 ---- a/tests/xmlrpcapi/background_test.py -+++ b/tests/xmlrpcapi/background_test.py -@@ -25,15 +25,6 @@ class TestBackground: - # Assert - assert result - -- def test_background_dlccontent(self, remote, token): -- # Arrange -- -- # Act -- result = remote.background_dlcontent({}, token) -- -- # Assert -- assert result -- - def test_background_hardlink(self, remote, token): - # Arrange - diff --git a/cobbler-reposync.patch b/cobbler-reposync.patch new file mode 100644 index 0000000..4a2fff1 --- /dev/null +++ b/cobbler-reposync.patch 
@@ -0,0 +1,18 @@
+diff -up cobbler-3.3.7/cobbler/cli.py.reposync cobbler-3.3.7/cobbler/cli.py
+--- cobbler-3.3.7/cobbler/cli.py.reposync 2024-11-17 14:02:02.000000000 -0700
++++ cobbler-3.3.7/cobbler/cli.py 2025-10-04 19:21:03.379260526 -0600
+@@ -1184,7 +1184,13 @@ class CobblerCLI:
+ task_id = self.start_task("import", options)
+ elif action_name == "reposync":
+ self.parser.add_option("--only", dest="only", help="update only this repository name")
+- self.parser.add_option("--tries", dest="tries", help="try each repo this many times", default=1)
++ self.parser.add_option(
++ "--tries",
++ dest="tries",
++ help="try each repo this many times",
++ default=1,
++ type="int",
++ )
+ self.parser.add_option("--no-fail", dest="nofail", help="don't stop reposyncing if a failure occurs",
+ action="store_true")
+ (options, args) = self.parser.parse_args(self.args)
diff --git a/cobbler-rhel.patch b/cobbler-rhel.patch
deleted file mode 100644
index 021f46c..0000000
--- a/cobbler-rhel.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/distro_build_configs.sh b/distro_build_configs.sh
-index bad43e3c..52eb1136 100644
---- a/distro_build_configs.sh
-+++ b/distro_build_configs.sh
-@@ -24,7 +24,7 @@ if [ "$DISTRO" = "" ] && [ -r /etc/os-release ];then
- sle*|*suse*)
- DISTRO="SUSE"
- ;;
-- fedora*|centos*)
-+ fedora*|centos*|rhel*)
- DISTRO="FEDORA"
- ;;
- ubuntu*|debian*)
diff --git a/cobbler-scripts.patch b/cobbler-scripts.patch
deleted file mode 100644
index 97f3058..0000000
--- a/cobbler-scripts.patch
+++ /dev/null
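Review bot: The `--tries` option in the carried patch is now parsed with `type="int"`, but nothing bounds it: optparse accepts `--tries=0` or a negative number as readily as a positive one. How the reposync action uses the value is outside this hunk, so the effect of a non-positive count is unverified; if it drives a retry loop, zero may mean that no sync attempt is made at all. A guard after `parse_args`, such as `if options.tries < 1: self.parser.error("--tries must be at least 1")`, would make the accepted range explicit. The enclosing `elif` chain in `CobblerCLI` continues outside the hunk.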
@@ -1,12 +0,0 @@
-diff -up cobbler-3.2.1/setup.py.orig cobbler-3.2.1/setup.py
---- cobbler-3.2.1/setup.py.orig 2021-03-04 12:07:10.000000000 -0700
-+++ cobbler-3.2.1/setup.py 2021-03-08 22:25:15.239563778 -0700
-@@ -566,7 +566,7 @@ if __name__ == "__main__":
- ("share/cobbler/web", glob("web/*.*")),
- ("%s" % webcontent, glob("web/static/*")),
- ("%s" % webimages, glob("web/static/images/*")),
-- ("share/cobbler/bin", glob("scripts/*.sh")),
-+ ("share/cobbler/bin", glob("scripts/*")),
- ("share/cobbler/web/templates", glob("web/templates/*")),
- ("%s/webui_sessions" % libpath, []),
- ("%s/loaders" % libpath, []),
diff --git a/cobbler.fc b/cobbler.fc
new file mode 100644
index 0000000..568bf88
--- /dev/null
+++ b/cobbler.fc
@@ -0,0 +1,28 @@
+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0)
+
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
+
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
+
+/usr/lib/systemd/system/cobblerd.* -- gen_context(system_u:object_r:cobblerd_unit_file_t,s0)
+
+/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/lib/tftpboot/aarch64(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/boot(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images2(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
+
+/var/www/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/cobbler.if b/cobbler.if
new file mode 100644
index 0000000..4054eab
--- /dev/null
+++ b/cobbler.if
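Review bot: `/var/www/cobbler`, `/var/cache/cobbler` and every `/var/lib/tftpboot/...` entry receive the same type as `/var/lib/cobbler`, namely `cobbler_var_lib_t`, so served content and daemon state cannot be told apart by label. Any domain that is allowed to read that type in order to serve boot files or repository content (whether the web or TFTP server is granted that depends on `cobbler.te`, which is not part of this hunk) can then also read cobblerd's own state under `/var/lib/cobbler`, including `web.ss` and the collections. Separate types for served content and for daemon state would keep those accesses apart. At minimum the file should say that the shared label is intended, for example `# served content shares cobbler_var_lib_t with daemon state; see cobbler.te for which domains may read it`.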
@@ -0,0 +1,251 @@
+## Cobbler installation server.
+
+########################################
+##
+## Execute a domain transition to run cobblerd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cobblerd_domtrans',`
+ gen_require(`
+ type cobblerd_t, cobblerd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
+')
+
+########################################
+##
+## Execute cobblerd server in the cobblerd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cobblerd_systemctl',`
+ gen_require(`
+ type named_unit_file_t;
+ type named_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 named_unit_file_t:file read_file_perms;
+ allow $1 named_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, named_t)
+')
+
+########################################
+##
+## Execute cobblerd init scripts in
+## the init script domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cobblerd_initrc_domtrans',`
+ gen_require(`
+ type cobblerd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
+')
+
+
+
+########################################
+##
+## Read cobbler configuration dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_list_config',`
+ gen_require(`
+ type cobbler_etc_t;
+ ')
+
+ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ files_search_etc($1)
+')
+
+
+########################################
+##
+## Read cobbler configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_read_config',`
+ gen_require(`
+ type cobbler_etc_t;
+ ')
+
+ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## cobbler log files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`cobbler_dontaudit_rw_log',`
+ gen_require(`
+ type cobbler_var_log_t;
+ ')
+
+ dontaudit $1 cobbler_var_log_t:file rw_file_perms;
+')
+
+########################################
+##
+## Search cobbler lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_search_lib',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+')
+
+########################################
+##
+## Read cobbler lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_read_lib_files',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## cobbler lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_manage_lib_files',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+')
+
+########################################
+##
+## All of the rules required to
+## administrate an cobbler environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`cobblerd_admin',`
+ refpolicywarn(`$0($*) has been deprecated, use cobbler_admin() instead.')
+ cobbler_admin($1, $2)
+')
+
+########################################
+##
+## All of the rules required to
+## administrate an cobbler environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`cobbler_admin',`
+ gen_require(`
+ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t;
+ type cobbler_tmp_t;
+ ')
+
+ allow $1 cobblerd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cobblerd_t)
+
+ cobblerd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cobblerd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, cobbler_etc_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, cobbler_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, cobbler_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, cobbler_var_log_t)
+')
diff --git a/cobbler.spec b/cobbler.spec
index 86073a8..69d7d40 100644
--- a/cobbler.spec
+++ b/cobbler.spec
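Review bot: The `cobblerd_systemctl` interface requires and grants on `named_unit_file_t` and `named_t` rather than on cobblerd's own types, so a domain that calls it is allowed to manage and inspect the named service instead of cobblerd. This looks like a leftover from the policy the interface was copied from: the file-context file in this commit labels the unit as `cobblerd_unit_file_t`, and the daemon domain used by the other interfaces here is `cobblerd_t`. The interface should use those two types, assuming `cobbler.te` declares `cobblerd_unit_file_t` (the type-enforcement file is not visible in this hunk).

```selinux
interface(`cobblerd_systemctl',`
	gen_require(`
		type cobblerd_unit_file_t;
		type cobblerd_t;
	# … unchanged: end of gen_require, systemd_exec_systemctl and init_reload_services calls …
	allow $1 cobblerd_unit_file_t:file read_file_perms;
	allow $1 cobblerd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, cobblerd_t)
```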
@@ -1,91 +1,87 @@ %global tftpboot_dir %{_sharedstatedir}/tftpboot/ -%global commit0 172b8a0f79d110dcac1f50acfe412e0a01ff20ab -%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) +%global commit 700eb5bdfb28baba4de5e4083bec9e132a763bcb +%global shortcommit %(c=%{commit}; echo ${c:0:7}) +%global selinuxtype targeted + +# Tests require an installed system with root access +%bcond check 0 Name: cobbler -Version: 3.2.2 -Release: 9%{?dist} +Version: 3.3.7 +Release: %autorelease Summary: Boot server configurator URL: https://cobbler.github.io/ -License: GPLv2+ +# Automatically converted from old format: GPLv2+ - review is highly recommended. +License: GPL-2.0-or-later Source0: https://github.com/cobbler/cobbler/archive/v%{version}/%{name}-%{version}.tar.gz -#Source0: https://github.com/cobbler/cobbler/archive/%{commit0}/%{name}-%{commit0}.tar.gz Source1: migrate-settings.sh -# Revert upstream's VirtualHost addition -# https://github.com/cobbler/cobbler/issues/2286 -Patch0: cobbler-httpd.patch -# Fix autoinstall_templates -> templates -Patch1: https://patch-diff.githubusercontent.com/raw/cobbler/cobbler/pull/2590.patch -# Install migrate-data-v2-to-v3.py - https://github.com/cobbler/cobbler/pull/2591 -Patch2: cobbler-scripts.patch -# Remove get-loaders command -Patch3: cobbler-remove-get-loaders.patch -# Upstream fix for CVE-2021-45082 -Patch4: cobbler-CVE-2021-45082.patch +Source2: %{name}.te +Source3: %{name}.if +Source4: %{name}.fc + # Do not run coverage tests -Patch5: cobbler-nocov.patch +Patch0: cobbler-nocov.patch +# Python 3.13 support (backport of https://github.com/cobbler/cobbler/pull/3842) +# https://bugzilla.redhat.com/show_bug.cgi?id=2335620 +Patch1: cobbler-python3.13.patch +# Upstream fix for reposync --tries +# https://bugzilla.redhat.com/show_bug.cgi?id=2401605 +# Backport of https://github.com/cobbler/cobbler/pull/3378 +Patch2: cobbler-reposync.patch +# Use systemctl is-active to prevent some SELinux denials checking service status +# 
https://bugzilla.redhat.com/show_bug.cgi?id=2353898 +Patch3: https://github.com/cobbler/cobbler/pull/3945.patch BuildArch: noarch +BuildRequires: make BuildRequires: python%{python3_pkgversion}-devel -%if 0%{?fedora} || 0%{?rhel} >= 8 +# Cheetah switched names from Cheetah3 to CT3 in its metadata in version 3.3.0. +# https://github.com/CheetahTemplate3/cheetah3/commit/673259b2d139b4ea970b1c2da12607b7ac39cbec +%if 0%{?fedora} >= 42 || 0%{?rhel} >= 10 +BuildRequires: %{py3_dist ct3} +%else BuildRequires: %{py3_dist cheetah3} +%endif BuildRequires: %{py3_dist distro} BuildRequires: %{py3_dist netaddr} BuildRequires: %{py3_dist pyyaml} BuildRequires: %{py3_dist requests} BuildRequires: %{py3_dist schema} BuildRequires: %{py3_dist setuptools} -BuildRequires: %{py3_dist simplejson} # For docs BuildRequires: %{py3_dist sphinx} -%else -BuildRequires: python%{python3_pkgversion}-cheetah -BuildRequires: python%{python3_pkgversion}-distro -BuildRequires: python%{python3_pkgversion}-netaddr -BuildRequires: python%{python3_pkgversion}-PyYAML -BuildRequires: python%{python3_pkgversion}-requests -BuildRequires: python%{python3_pkgversion}-schema -BuildRequires: python%{python3_pkgversion}-setuptools -BuildRequires: python%{python3_pkgversion}-simplejson -# For docs -BuildRequires: python%{python3_pkgversion}-sphinx +%if %{with check} +# For tests +BuildRequires: %{py3_dist crypt-r} +BuildRequires: %{py3_dist dnspython} +BuildRequires: %{py3_dist file-magic} +BuildRequires: %{py3_dist pytest-benchmark} %endif +# This ensures that the *-selinux package and all it’s dependencies are not pulled +# into containers and other systems that do not use SELinux +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) + Requires: httpd Requires: tftp-server +Requires: dosfstools Requires: createrepo_c Requires: rsync Requires: xorriso -Requires: %{py3_dist cheetah3} -Requires: %{py3_dist distro} -Requires: %{py3_dist dnspython} -Requires: %{py3_dist file-magic} -Requires: %{py3_dist 
mod_wsgi} -Requires: %{py3_dist netaddr} -Requires: %{py3_dist pyyaml} -Requires: %{py3_dist requests} -Requires: %{py3_dist schema} -Requires: %{py3_dist simplejson} -Requires: %{py3_dist tornado} Requires: genisoimage -%if 0%{?fedora} || 0%{?rhel} >= 8 # Not everyone wants bash-completion...? Recommends: bash-completion Requires: dnf-plugins-core # syslinux is only available on x86 -Requires: (syslinux if (filesystem.x86_64 or filesystem.i686)) +Requires: (syslinux if (filesystem(x86-64) or filesystem(x86-32))) # grub2 efi stuff is only available on x86 Recommends: grub2-efi-ia32 Recommends: grub2-efi-x64 Recommends: logrotate Recommends: %{py3_dist librepo} -%else -Requires: yum-utils -%endif -# https://github.com/cobbler/cobbler/issues/1685 -Requires: /sbin/service +Obsoletes: cobbler-web < 3.3 BuildRequires: systemd Requires(post): systemd 
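Review bot: `Patch4: cobbler-CVE-2021-45082.patch` ("Upstream fix for CVE-2021-45082") is dropped in the patch list of this hunk together with the rebase from 3.2.2 to 3.3.7, and nothing in the new spec records that the fix is contained in the new tarball. Since the patch was an upstream backport that is presumably the case, but it should be verified against the 3.3.7 source and written down next to the remaining patches, for example `# CVE-2021-45082: fixed upstream since <VERSION - confirm>, backport dropped`. The same hunk sets `%bcond check 0`, so the test suite does not run at build time by default and would not surface a regression here.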
@@ -93,28 +89,26 @@ Requires(preun): systemd Requires(postun): systemd %description -Cobbler is a network install server. Cobbler supports PXE, ISO -virtualized installs, and re-installing existing Linux machines. -The last two modes use a helper tool, 'koan', that integrates with -cobbler. There is also a web interface 'cobbler-web'. Cobbler's -advanced features include importing distributions from DVDs and rsync -mirrors, kickstart templating, integrated yum mirroring, and built-in -DHCP/DNS Management. Cobbler has a XML-RPC API for integration with -other applications. +Cobbler is a network install server. Cobbler supports PXE, ISO +virtualized installs, and re-installing existing Linux machines. The +last two modes use a helper tool, 'koan', that integrates with cobbler. +Cobbler's advanced features include importing distributions from DVDs +and rsync mirrors, kickstart templating, integrated yum mirroring, and +built-in DHCP/DNS Management. Cobbler has a XML-RPC API for integration +with other applications. -%package -n cobbler-web -Summary: Web interface for Cobbler -Requires: cobbler = %{version}-%{release} -Requires: %{py3_dist django} -Requires: %{py3_dist mod_wsgi} -Requires: mod_ssl -Requires(post): coreutils -Requires(post): sed +%package selinux +Summary: SELinux policies for %{name} +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} -%description -n cobbler-web -Web interface for Cobbler that allows visiting -http://server/cobbler_web to configure the install server. + +%description selinux +SELinux policies for %{name}. %package tests 
@@ -122,15 +116,38 @@ Summary: Unit tests for cobbler Requires: cobbler = %{version}-%{release} %description tests -Unit test files from the Cobbler project +Unit test files from the Cobbler project. + + +%package tests-containers +Summary: Dockerfiles and scripts to setup testing containers +Requires: cobbler = %{version}-%{release} + +%description tests-containers +Dockerfiles and scripts to setup testing containers. %prep %autosetup -p1 +mkdir -p selinux +cp -p %{SOURCE2} %{SOURCE3} %{SOURCE4} selinux/ + +# Cheetah switched names from Cheetah3 to CT3 in its metadata in version 3.3.0. +# https://github.com/CheetahTemplate3/cheetah3/commit/673259b2d139b4ea970b1c2da12607b7ac39cbec +%if 0%{?fedora} >= 42 || 0%{?rhel} >= 10 +sed -e 's/Cheetah3/CT3/' -i setup.py +%endif + %build . ./distro_build_configs.sh %py3_build +make man + +# SELinux +make -f %{_datadir}/selinux/devel/Makefile %{name}.pp +bzip2 -9 %{name}.pp + %install . ./distro_build_configs.sh @@ -150,15 +167,22 @@ mkdir -p %{buildroot}%{tftpboot_dir}/{boot,etc,grub/system{,_link},images{,2},pp mkdir -p %{buildroot}%{_unitdir} mv %{buildroot}%{_sysconfdir}/cobbler/cobblerd.service %{buildroot}%{_unitdir} -# cobbler-web -rm %{buildroot}%{_sysconfdir}/cobbler/cobbler_web.conf - # ghosted files touch %{buildroot}%{_sharedstatedir}/cobbler/web.ss # migrate-settings.sh install -p -m0755 %SOURCE1 %{buildroot}%{_datadir}/cobbler/bin/migrate-settings.sh +# SELinux +install -D -m 0644 %{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +install -D -p -m 0644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if + + +%if %{with check} +%check +%pytest -v +%endif + %pre if [ $1 -ge 2 ]; then 
@@ -179,6 +203,23 @@ fi %post %systemd_post cobblerd.service +# Fixup permission for world readable settings files +chmod 640 %{_sysconfdir}/cobbler/settings.yaml +chmod 600 %{_sysconfdir}/cobbler/mongodb.conf +chmod 600 %{_sysconfdir}/cobbler/modules.conf +chmod 640 %{_sysconfdir}/cobbler/users.conf +chmod 640 %{_sysconfdir}/cobbler/users.digest +chmod 750 %{_sysconfdir}/cobbler/settings.d +chmod 640 %{_sysconfdir}/cobbler/settings.d/* +chgrp apache %{_sysconfdir}/cobbler/settings.yaml +chgrp apache %{_sysconfdir}/cobbler/users.conf +chgrp apache %{_sysconfdir}/cobbler/users.digest +chgrp apache %{_sysconfdir}/cobbler/settings.d +chgrp apache %{_sysconfdir}/cobbler/settings.d/* +# Change from apache +if [ -f %{_sharedstatedir}/cobbler/web.ss ]; then + chown root %{_sharedstatedir}/cobbler/web.ss +fi %posttrans # Migrate pre-3.2.1 settings to settings.yaml @@ -190,13 +231,7 @@ if [ -f %{_sysconfdir}/cobbler/settings.rpmsave ]; then %{_datadir}/cobbler/bin/migrate-settings.sh fi # Add some missing options if needed -grep -q '^cache_enabled:' %{_sysconfdir}/cobbler/settings.yaml || echo -e '#ADDED:\ncache_enabled: true' >> %{_sysconfdir}/cobbler/settings.yaml grep -q '^reposync_rsync_flags:' %{_sysconfdir}/cobbler/settings.yaml || echo -e '#ADDED:\nreposync_rsync_flags: "-rltDv --copy-unsafe-links"' >> %{_sysconfdir}/cobbler/settings.yaml -# Migrate pre-3 configuration data if needed -if [ -d %{_sharedstatedir}/cobbler/kickstarts -a $(find %{_sharedstatedir}/cobbler/collections -type f | wc -l) -eq 0 ]; then - echo warning: migrating pre cobbler 3 configuration data - %{_datadir}/cobbler/bin/migrate-data-v2-to-v3.py -fi %preun %systemd_preun cobblerd.service 
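Review bot: The last fixup added to `%post`, `chown root %{_sharedstatedir}/cobbler/web.ss`, resets only the owner of that file; group and mode stay as the earlier package left them, and the old `%files` entry was `%attr(0660,apache,root)`. The spec's own comment describes the file as used for CLI auth, and the other fixups in this block set the mode explicitly, so the same is worth doing here: `chown root:root %{_sharedstatedir}/cobbler/web.ss` followed by `chmod 600 %{_sharedstatedir}/cobbler/web.ss`. The new `%files` entry further down declares the file as `%ghost %attr(0644,root,root)`; if it holds an authentication secret, that mode looks too permissive and should be checked against the mode cobblerd creates the file with.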
@@ -204,12 +239,24 @@ fi %postun %systemd_postun_with_restart cobblerd.service -%post -n cobbler-web -# Change the SECRET_KEY option in the Django settings.py file -# required for security reasons, should be unique on all systems -# Choose from letters and numbers only, so no special chars like ampersand (&). -RAND_SECRET=$(head /dev/urandom | tr -dc 'A-Za-z0-9!' | head -c 50 ; echo '') -sed -i -e "s/SECRET_KEY = ''/SECRET_KEY = \'$RAND_SECRET\'/" %{_datadir}/cobbler/web/settings.py + +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%selinux_relabel_post -s %{selinuxtype} + +if [ "$1" -le "1" ]; then # First install + # the daemon needs to be restarted for the custom label to be applied + %systemd_postun_with_restart cobblerd.service +fi + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name} + %selinux_relabel_post -s %{selinuxtype} +fi %files @@ -221,6 +268,7 @@ sed -i -e "s/SECRET_KEY = ''/SECRET_KEY = \'$RAND_SECRET\'/" %{_datadir}/cobbler %config(noreplace) %{_sysconfdir}/cobbler/boot_loader_conf/ %config(noreplace) %{_sysconfdir}/cobbler/cheetah_macros %config(noreplace) %{_sysconfdir}/cobbler/dhcp.template +%config(noreplace) %{_sysconfdir}/cobbler/dhcp6.template %config(noreplace) %{_sysconfdir}/cobbler/dnsmasq.template %config(noreplace) %{_sysconfdir}/cobbler/genders.template %config(noreplace) %{_sysconfdir}/cobbler/import_rsync_whitelist 
@@ -239,17 +287,19 @@ sed -i -e "s/SECRET_KEY = ''/SECRET_KEY = \'$RAND_SECRET\'/" %{_datadir}/cobbler %attr(640, root, apache) %config(noreplace) %{_sysconfdir}/cobbler/settings.d/bind_manage_ipmi.settings %attr(640, root, apache) %config(noreplace) %{_sysconfdir}/cobbler/settings.d/manage_genders.settings %attr(640, root, apache) %config(noreplace) %{_sysconfdir}/cobbler/settings.d/nsupdate.settings +%attr(640, root, apache) %config(noreplace) %{_sysconfdir}/cobbler/settings.d/windows.settings %attr(640, root, apache) %config(noreplace) %{_sysconfdir}/cobbler/users.conf %attr(640, root, apache) %config(noreplace) %{_sysconfdir}/cobbler/users.digest %config(noreplace) %{_sysconfdir}/cobbler/version +%config(noreplace) %{_sysconfdir}/cobbler/windows/ %config(noreplace) %{_sysconfdir}/cobbler/zone.template %config(noreplace) %{_sysconfdir}/cobbler/zone_templates/ %config(noreplace) %{_sysconfdir}/logrotate.d/cobblerd %config(noreplace) /etc/httpd/conf.d/cobbler.conf %{_bindir}/cobbler +%{_bindir}/cobbler-settings %{_bindir}/cobbler-ext-nodes %{_bindir}/cobblerd -%{_sbindir}/tftpd.py %{_datadir}/bash-completion/ %dir %{_datadir}/cobbler %{_datadir}/cobbler/bin 
@@ -261,299 +311,32 @@ sed -i -e "s/SECRET_KEY = ''/SECRET_KEY = \'$RAND_SECRET\'/" %{_datadir}/cobbler %{_unitdir}/cobblerd.service %{tftpboot_dir}/* /var/www/cobbler -%config(noreplace) %{_sharedstatedir}/cobbler -%exclude %{_sharedstatedir}/cobbler/web.ss -%exclude %{_sharedstatedir}/cobbler/webui_sessions +%dir %{_sharedstatedir}/cobbler +%ghost %attr(0755,root,root) %{_sharedstatedir}/cobbler/backup/ +%config(noreplace) %{_sharedstatedir}/cobbler/collections/ +%config(noreplace) %{_sharedstatedir}/cobbler/distro_signatures.json +%config(noreplace) %{_sharedstatedir}/cobbler/grub_config/ +%config(noreplace) %{_sharedstatedir}/cobbler/loaders/ +%config(noreplace) %{_sharedstatedir}/cobbler/scripts/ +%config(noreplace) %{_sharedstatedir}/cobbler/snippets/ +%config(noreplace) %{_sharedstatedir}/cobbler/templates/ +%config(noreplace) %{_sharedstatedir}/cobbler/triggers/ +%ghost %attr(0644,root,root) %{_sharedstatedir}/cobbler/lock +# Currently used for cli auth +%ghost %attr(0644,root,root) %{_sharedstatedir}/cobbler/web.ss /var/log/cobbler -%files -n cobbler-web -%license COPYING -%doc AUTHORS.in README.md -%config(noreplace) /etc/httpd/conf.d/cobbler_web.conf -%attr(-,apache,apache) %{_datadir}/cobbler/web -%ghost %attr(0660,apache,root) %{_sharedstatedir}/cobbler/web.ss -%dir %attr(700,apache,root) %{_sharedstatedir}/cobbler/webui_sessions -%attr(-,apache,apache) /var/www/cobbler_webui_content/ +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.* +%{_datadir}/selinux/devel/include/distributed/%{name}.if +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} %files tests -%dir %{_datadir}/cobbler/tests -%{_datadir}/cobbler/tests/* +%{_datadir}/cobbler/tests/ + +%files tests-containers +%{_datadir}/cobbler/docker/ %changelog -* Tue Mar 01 2022 Orion Poplawski - 3.2.2-9 -- Apply fixes for CVE-2021-45082/3 -- Remove BR on python3-coverage - -* Mon Jan 24 2022 Orion Poplawski - 3.2.2-8 -- Fix 
posttrans script - -* Wed Jan 19 2022 Fedora Release Engineering - 3.2.2-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Thu Dec 23 2021 Orion Poplawski - 3.2.2-6 -- Fix path to settings.yaml in scriptlet - -* Thu Dec 09 2021 Orion Poplawski - 3.2.2-5 -- Remove defunct get-loaders command - -* Mon Nov 22 2021 Orion Poplawski - 3.2.2-4 -- Add new keys to settings.yaml on migration or if missing -- Save original settings to settings.rpmorig - -* Fri Oct 08 2021 Orion Poplawski - 3.2.2-3 -- Fix dependencies (bz#2010567) - -* Thu Sep 23 2021 Orion Poplawski - 3.2.2-2 -- Migrate settings to settings.yaml -- Migrate pre-cobbler 3 data if needed -- Fix autoinstall_templates -> templates - -* Thu Sep 23 2021 Orion Poplawski - 3.2.2-1 -- Update to 3.2.2 -- bz#2006840: CVE-2021-40323: Arbitrary file disclosure/Template Injection -- bz#2006897: CVE-2021-40324: Arbitrary file write via upload_log_data XMLRPC function -- bz#2006904: CVE-2021-40325: Authorization bypass allows modifying settings - -* Wed Sep 22 2021 Orion Poplawski - 3.2.1-1 -- Update to 3.2.1 - -* Wed Jul 21 2021 Fedora Release Engineering - 3.2.0-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Fri Jun 04 2021 Python Maint - 3.2.0-5 -- Rebuilt for Python 3.10 - -* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 3.2.0-4 -- Rebuilt for updated systemd-rpm-macros - See https://pagure.io/fesco/issue/2583. 
- -* Tue Jan 26 2021 Fedora Release Engineering - 3.2.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Sun Oct 25 2020 Orion Poplawski - 3.2.0-2 -- Give root RW permission to /var/lib/cobbler/web.ss -- Fix SELinux cobbler logging issue - -* Sat Oct 24 2020 Orion Poplawski - 3.2.0-1 -- Update to 3.2.0 - -* Thu Sep 17 2020 Orion Poplawski - 3.1.2-4 -- Add requires on python-distro and file - -* Mon Jul 27 2020 Fedora Release Engineering - 3.1.2-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Wed Jul 08 2020 Orion Poplawski - 3.1.2-2 -- Fix apache configuration - -* Fri May 29 2020 Orion Poplawski - 3.1.2-1 -- Update to 3.1.2 - -* Tue May 26 2020 Miro Hrončok - 3.1.1-4 -- Rebuilt for Python 3.9 - -* Fri Feb 21 2020 Orion Poplawski - 3.1.1-3 -- Add requires for python3-dns - -* Tue Jan 28 2020 Fedora Release Engineering - 3.1.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Sun Jan 12 2020 Orion Poplawski - 3.1.1-1 -- Update to 3.1.1 - -* Tue Oct 22 2019 Orion Poplawski - 3.0.1-4 -- Drop koan completely, including obsoletes. It is a separate package now. 
- -* Thu Oct 10 2019 Orion Poplawski - 3.0.1-3 -- Require /sbin/service - -* Tue Oct 8 2019 Orion Poplawski - 3.0.1-2 -- Fix requires (requests instead of urlgrabber) -- Fix BR for EL8 - -* Mon Sep 09 2019 Nicolas Chauvet - 3.0.1-1 -- Update to 3.0.1 - -* Fri Aug 30 2019 Nicolas Chauvet - 3.0.0-1 -- Update to 3.0.0 - -* Mon Aug 26 2019 Nicolas Chauvet - 2.8.5-0.1 -- Update to 2.8.5 - pre-release - -* Wed Jul 24 2019 Fedora Release Engineering - 2.8.4-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Thu Jan 31 2019 Fedora Release Engineering - 2.8.4-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Mon Nov 26 2018 Orion Poplawski - 2.8.4-5 -- Fix empty man pages (BZ 1653415) - -* Mon Nov 26 2018 Orion Poplawski - 2.8.4-4 -- Revert bind_manage_ipmi feature that is broken on 2.8 - -* Sun Nov 25 2018 Orion Poplawski - 2.8.4-3 -- Use pathfix.py to fix python shebangs - -* Sun Nov 25 2018 Orion Poplawski - 2.8.4-2 -- Make koan require python2-ethtool (BZ 1638933) - -* Sat Nov 24 2018 Orion Poplawski - 2.8.4-1 -- Update to 2.8.4 (Fixes BZ 1613292, 1643860, 1614433, CVE-2018-1000226, CVE-2018-10931) - -* Thu Jul 12 2018 Fedora Release Engineering - 2.8.3-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Wed May 30 2018 Orion Poplawski - 2.8.3-3 -- koan requires urlgrabber - -* Mon May 28 2018 Nicolas Chauvet - 2.8.3-2 -- Restore mergeability with epel7 - -* Mon May 28 2018 Nicolas Chauvet - 2.8.3-1 -- Update to 2.8.3 - security bugfix - -* Wed Feb 21 2018 Orion Poplawski - 2.8.2-6 -- Really fix django requires for Fedora 28+ - -* Tue Feb 20 2018 Orion Poplawski - 2.8.2-5 -- Fix django requires for Fedora 28+ - -* Fri Feb 09 2018 Igor Gnatenko - 2.8.2-4 -- Escape macros in %%changelog - -* Wed Feb 07 2018 Fedora Release Engineering - 2.8.2-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Tue Feb 06 2018 Iryna Shcherbina - 2.8.2-2 -- Update Python 2 dependency 
declarations to new packaging standards - (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) - -* Mon Sep 18 2017 Orion Poplawski - 2.8.2-1 -- Update to 2.8.2 - -* Wed Aug 02 2017 Fedora Release Engineering - 2.8.1-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 26 2017 Fedora Release Engineering - 2.8.1-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Wed Jun 21 2017 Orion Poplawski - 2.8.1-3 -- Suppress logrotate output - -* Mon Jun 12 2017 Orion Poplawski - 2.8.1-2 -- Fix module loading - -* Wed May 24 2017 Orion Poplawski - 2.8.1-1 -- Update to 2.8.1 - -* Fri Feb 17 2017 Orion Poplawski - 2.8.0-6 -- Add patch to fix handling of multiple bridge interfaces - -* Fri Feb 10 2017 Fedora Release Engineering - 2.8.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Fri Jan 27 2017 Orion Poplawski - 2.8.0-4 -- Fix named patch - -* Tue Jan 24 2017 Orion Poplawski - 2.8.0-3 -- Restart named-chroot service if used - -* Fri Jan 20 2017 Orion Poplawski - 2.8.0-2 -- Fix logrotate script for systemd (bug #1414617) - -* Thu Dec 1 2016 Orion Poplawski - 2.8.0-1 -- Update to 2.8.0 -- Restructure spec file - -* Thu Sep 1 2016 Orion Poplawski - 2.6.11-11.gitf78af86 -- Add patches to fix TEMPLATE_DIRS and use OrderedDict - -* Thu Aug 11 2016 Orion Poplawski - 2.6.11-10.gitf78af86 -- Force IPv4 connections to cobblerd from web proxy - -* Thu Jul 21 2016 Orion Poplawski - 2.6.11-9.gitf78af86 -- Suppress "virt-install --os-variant list" error messages - -* Thu Jul 21 2016 Orion Poplawski - 2.6.11-8.git5680bf8 -- Fix handling unknown os variants with osinfo-query - -* Tue Jul 19 2016 Fedora Release Engineering - 2.6.11-7.git95749a6 -- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages - -* Wed Jul 13 2016 Orion Poplawski - 2.6.11-6.git95749a6 -- Fix typo in koan/app.py - -* Wed Jul 13 2016 Orion Poplawski - 2.6.11-5.git13b035f -- Update to 
current git snapshot (bug #1276896) - -* Wed Feb 03 2016 Fedora Release Engineering - 2.6.11-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Mon Feb 1 2016 Orion Poplawski - 2.6.11-3 -- Require dnf-plugins-core - -* Sun Jan 24 2016 Orion Poplawski - 2.6.11-2 -- Require dnf-core-plugins instead of yum-utils for repoquery on Fedora 23+ - -* Sun Jan 24 2016 Orion Poplawski - 2.6.11-1 -- Update to 2.6.11 -- Make cobbler arch specific to allow for arch specific requires - -* Thu Oct 1 2015 Orion Poplawski - 2.6.10-1 -- Update to 2.6.10 - -* Mon Jun 22 2015 Orion Poplawski - 2.6.9-1 -- Update to 2.6.9 - -* Wed Jun 17 2015 Fedora Release Engineering - 2.6.8-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Tue May 12 2015 Orion Poplawski - 2.6.8-2 -- Support django 1.8 in Fedora 22+ - -* Fri May 8 2015 Orion Poplawski - 2.6.8-1 -- Update to 2.6.8 -- Backport upstream patch to fix centos version detection (bug #1201879) - -* Tue Apr 28 2015 Orion Poplawski - 2.6.7-3 -- Add patch to fix virt-install support for F21+/EL7 (bug #1188424) - -* Mon Apr 27 2015 Orion Poplawski - 2.6.7-2 -- Create and own directories in tftp_dir - -* Wed Dec 31 2014 Orion Poplawski - 2.6.7-1 -- Update to 2.6.7 - -* Sun Oct 19 2014 Orion Poplawski - 2.6.6-1 -- Update to 2.6.6 - -* Fri Aug 15 2014 Orion Poplawski - 2.6.5-1 -- Update to 2.6.5 - -* Wed Aug 13 2014 Orion Poplawski - 2.6.4-2 -- Require Django >= 1.4 - -* Mon Aug 11 2014 Orion Poplawski - 2.6.4-1 -- Update to 2.6.4 - -* Fri Jul 18 2014 Orion Poplawski - 2.6.3-1 -- Update to 2.6.3 - -* Wed Jul 16 2014 Orion Poplawski - 2.6.2-1 -- Update to 2.6.2 -- Spec cleanup - -* Sat Jun 07 2014 Fedora Release Engineering - 2.6.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Fri May 23 2014 Orion Poplawski - 2.6.1-1 -- Update to 2.6.1 -- Drop koan patch applied upstream - -* Tue Apr 22 2014 Orion Poplawski - 2.6.0-2 -- Only require syslinux on x86 - -* Mon Apr 21 2014 
Orion Poplawski - 2.6.0-1 -- Update to 2.6.0 +%autochangelog diff --git a/cobbler.te b/cobbler.te new file mode 100644 index 0000000..d233f01 --- /dev/null +++ b/cobbler.te @@ -0,0 +1,249 @@ +policy_module(cobbler, 1.3.0) + +######################################## +# +# Declarations +# + +## +##

+## Determine whether Cobbler can modify +## public files used for public file +## transfer services. +##

+##
+gen_tunable(cobbler_anon_write, false) + +## +##

+## Determine whether Cobbler can connect +## to the network using TCP. +##

+##
+gen_tunable(cobbler_can_network_connect, false) + +## +##

+## Determine whether Cobbler can access +## cifs file systems. +##

+##
+gen_tunable(cobbler_use_cifs, false) + +## +##

+## Determine whether Cobbler can access +## nfs file systems. +##

+##
+gen_tunable(cobbler_use_nfs, false) + +gen_require(` + type debuginfo_exec_t; + type init_exec_t; + class file getattr; +') + +type cobblerd_t; +type cobblerd_exec_t; +init_daemon_domain(cobblerd_t, cobblerd_exec_t) + +type cobblerd_initrc_exec_t; +init_script_file(cobblerd_initrc_exec_t) + +type cobbler_etc_t; +files_config_file(cobbler_etc_t) + +type cobbler_var_log_t; +logging_log_file(cobbler_var_log_t) + +type cobbler_var_lib_t alias cobbler_content_t; +files_type(cobbler_var_lib_t) + +type cobbler_tmp_t; +files_tmp_file(cobbler_tmp_t) + +type cobblerd_unit_file_t; +systemd_unit_file(cobblerd_unit_file_t) + +######################################## +# +# Local policy +# + +allow cobblerd_t self:capability { chown dac_read_search fowner fsetid sys_nice }; +dontaudit cobblerd_t self:capability sys_tty_config; +allow cobblerd_t self:process { getsched setsched signal }; +allow cobblerd_t self:fifo_file rw_fifo_file_perms; +allow cobblerd_t self:tcp_socket { accept listen }; +allow cobblerd_t self:netlink_audit_socket create_socket_perms; + +allow cobblerd_t cobbler_etc_t:dir list_dir_perms; +allow cobblerd_t cobbler_etc_t:file read_file_perms; +allow cobblerd_t cobbler_etc_t:lnk_file read_lnk_file_perms; + +allow cobblerd_t cobbler_tmp_t:file mmap_file_perms; +# Allow cobbler to stat /usr/libexec/dnf-utils (aka reposync/yumdownloader) +allow cobblerd_t debuginfo_exec_t:file getattr; +# Allow cobbler to stat /usr/lib/systemd/systemd +allow cobblerd_t init_exec_t:file getattr; +# Allow cobbler to check status of itself +allow cobblerd_t cobblerd_unit_file_t:service status; + +manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t) +manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t) +files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file }) + +manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) +manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) +manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, 
cobbler_var_lib_t) +files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir) +files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler") + +append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) + +kernel_read_system_state(cobblerd_t) +kernel_read_network_state(cobblerd_t) + +corecmd_exec_bin(cobblerd_t) +corecmd_exec_shell(cobblerd_t) + +corenet_all_recvfrom_netlabel(cobblerd_t) +corenet_all_recvfrom_unlabeled(cobblerd_t) +corenet_tcp_sendrecv_generic_if(cobblerd_t) +corenet_tcp_sendrecv_generic_node(cobblerd_t) +corenet_tcp_bind_generic_node(cobblerd_t) + +corenet_sendrecv_cobbler_server_packets(cobblerd_t) +corenet_tcp_bind_cobbler_port(cobblerd_t) +corenet_tcp_sendrecv_cobbler_port(cobblerd_t) + +corenet_sendrecv_ftp_client_packets(cobblerd_t) +corenet_tcp_connect_ftp_port(cobblerd_t) +corenet_tcp_sendrecv_ftp_port(cobblerd_t) + +corenet_tcp_sendrecv_http_port(cobblerd_t) +corenet_tcp_connect_http_port(cobblerd_t) +corenet_sendrecv_http_client_packets(cobblerd_t) + +dev_read_sysfs(cobblerd_t) +dev_read_urand(cobblerd_t) + +files_list_boot(cobblerd_t) +files_list_tmp(cobblerd_t) +files_read_boot_files(cobblerd_t) +files_read_etc_runtime_files(cobblerd_t) + +fs_getattr_all_fs(cobblerd_t) +fs_read_iso9660_files(cobblerd_t) + +selinux_get_enforce_mode(cobblerd_t) + +term_use_console(cobblerd_t) + +auth_use_nsswitch(cobblerd_t) + +logging_send_syslog_msg(cobblerd_t) + +miscfiles_read_localization(cobblerd_t) +miscfiles_read_public_files(cobblerd_t) + +sysnet_dns_name_resolve(cobblerd_t) +sysnet_rw_dhcp_config(cobblerd_t) +sysnet_write_config(cobblerd_t) + +tunable_policy(`cobbler_anon_write',` + miscfiles_manage_public_files(cobblerd_t) +') + 
+tunable_policy(`cobbler_can_network_connect',` + corenet_sendrecv_all_client_packets(cobblerd_t) + corenet_tcp_connect_all_ports(cobblerd_t) + corenet_tcp_sendrecv_all_ports(cobblerd_t) +') + +tunable_policy(`cobbler_use_cifs',` + fs_manage_cifs_dirs(cobblerd_t) + fs_manage_cifs_files(cobblerd_t) + fs_manage_cifs_symlinks(cobblerd_t) +') + +tunable_policy(`cobbler_use_nfs',` + fs_manage_nfs_dirs(cobblerd_t) + fs_manage_nfs_files(cobblerd_t) + fs_manage_nfs_symlinks(cobblerd_t) +') + +optional_policy(` + apache_search_config(cobblerd_t) + apache_domtrans(cobblerd_t) + apache_search_sys_content(cobblerd_t) +') + +optional_policy(` + bind_read_config(cobblerd_t) + bind_write_config(cobblerd_t) + bind_domtrans_ndc(cobblerd_t) + bind_domtrans(cobblerd_t) + bind_initrc_domtrans(cobblerd_t) + bind_manage_zone(cobblerd_t) + bind_systemctl(cobblerd_t) +') + +optional_policy(` + certmaster_exec(cobblerd_t) +') + +optional_policy(` + dhcpd_domtrans(cobblerd_t) + dhcpd_initrc_domtrans(cobblerd_t) + dhcpd_systemctl(cobblerd_t) +') + +optional_policy(` + dnsmasq_domtrans(cobblerd_t) + dnsmasq_initrc_domtrans(cobblerd_t) + dnsmasq_write_config(cobblerd_t) + dnsmasq_systemctl(cobblerd_t) +') + +# To read /boot/efi +optional_policy(` + fs_list_dos(cobblerd_t) + fs_read_dos_files(cobblerd_t) +') + +# To run mkfs.fat when generating ISO +optional_policy(` + fstools_exec(cobblerd_t) +') + +optional_policy(` + libs_exec_ldconfig(cobblerd_t) +') + +optional_policy(` + mysql_stream_connect(cobblerd_t) +') + +optional_policy(` + rpm_exec(cobblerd_t) +') + +optional_policy(` + rsync_exec(cobblerd_t) + rsync_read_config(cobblerd_t) + rsync_manage_config(cobblerd_t) + rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf") +') + +optional_policy(` + tftp_manage_config(cobblerd_t) + tftp_manage_rw_content(cobblerd_t) + tftp_delete_content_dirs(cobblerd_t) + tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) +') diff --git a/sources b/sources index e8eac50..ba2585a 100644 
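Review bot: The rule `allow cobblerd_t self:capability { chown dac_read_search fowner fsetid sys_nice };` under "Local policy" has no comment, while the `getattr` and `service status` rules a few lines below each say what they are for. `dac_read_search`, `chown`, `fowner` and `fsetid` let the daemon act across file ownership and mode bits, and the spec in this same commit tightens modes under /etc/cobbler, so a reader cannot tell which of them are still required. I would add one comment per capability naming the operation that needs it, for example `# dac_read_search: <operation that must read past DAC modes>` with the placeholder filled in, and drop any capability that cannot be justified. `corecmd_exec_shell(cobblerd_t)` and the `*_domtrans` calls in the optional blocks would benefit from the same one-line rationale.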
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (cobbler-3.2.2.tar.gz) = 65f3bf3bb43d1b1a6631ab299cd5a9a807c8e20ea07a61f89edc425b4833be5f2ddf0ac473010906bbcaaa5edfad577378185290bd2db01d9d64f276c2ad6be9
+SHA512 (cobbler-3.3.7.tar.gz) = df6570dd7c6cbe50464624267df1bbecbb29e60513bba312a6c726502d4670670f3113f24b6b7e465d0b3353c0721e6fe3725dbc4569b4f624ec2b4a29682d1a