Enable selinux bool for grafana to postgresql connection.
For package grafana >= 9.2.10-15, a patch was added to its selinux module to allow connections from grafana to the local postgresql.
This flag is now enabled during the engine-setup command if a version with this flag is installed.
For old versions of grafana we do nothing with selinux.
For versions between 9.2.10-10 and 9.2.10-14 we ask the user to update the package version.

Signed-off-by: Stanislav Melnichuk <[email protected]>
0ffer committed May 22, 2024
1 parent a007944 commit 3355c68
Showing 3 changed files with 80 additions and 2 deletions.
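--- a/ovirt-engine-dwh.spec.in
+++ b/ovirt-engine-dwh.spec.in
@@ -154,8 +154,7 @@ Summary: %{product_name} Grafana integration setup
 Group: Virtualization/Management
 Requires: ovirt-engine-setup-plugin-ovirt-engine-common >= 4.5.3
 Requires: %{name}-setup = %{version}-%{release}
-Requires: grafana >= 7.3
-Requires: grafana-postgres >= 7.3
+Requires: ((grafana >= 7.3 and grafana < 9.2.10-10) or (grafana >= 9.2.10-15))
 Requires: httpd
 Requires: mod_ssl
 BuildRequires: python3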
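Review bot: The hunk drops `Requires: grafana-postgres >= 7.3` with no replacement, while the commit message only explains the version gate on `grafana`. If any grafana build allowed by the new expression still ships the PostgreSQL datasource as a separate subpackage, the setup package could install without it; please confirm, or say in the message why the dependency is no longer needed. A comment above the rich dependency would also save the next maintainer a search, e.g. `# grafana 9.2.10-10..14 ship an SELinux module without the postgresql boolean`.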
Expand Up @@ -14,12 +14,14 @@

from . import database
from . import datasource
from . import selinux


@util.export
def createPlugins(context):
database.Plugin(context=context)
datasource.Plugin(context=context)
selinux.Plugin(context=context)


# vim: expandtab tabstop=4 shiftwidth=4
@@ -0,0 +1,77 @@
#
# ovirt-engine-setup -- ovirt engine setup
#
# Copyright oVirt Authors
# SPDX-License-Identifier: Apache-2.0
#
#


import gettext
import rpm

from otopi import util
from otopi import plugin

from ovirt_engine_setup import constants as osetupcons
from ovirt_engine_setup import util as osetuputil


def _(m):
return gettext.dgettext(message=m, domain='ovirt-engine-dwh')


@util.export
class Plugin(plugin.PluginBase):
"""
This plugin is for configuring selinux for grafana package.
Grafana package from the version 9.2.10-10 has subpackage with selinux configurations.
And with initial configurations grafana can't communicate with postgresql.
From the version 9.2.10-15 there is the flag to control possibility for grafana to query local postgresql.
In this plugin we check grafana package version and enable selinux flag for postgresql if needed.
"""

def __init__(self, context):
super(Plugin, self).__init__(context=context)
self._should_enable_selinux_bool = False

@plugin.event(
stage=plugin.Stages.STAGE_CUSTOMIZATION
)
def _misc_check_grafana_version_for_selinux(self):
_, mini_pm, _ = (osetuputil.getPackageManager(self.logger))
queried_packages = mini_pm().queryPackages(patterns=['grafana'])

grafana_pkg_info = next(
(package for package in queried_packages if package['operation'] == 'installed' and package['name'] == 'grafana'),
None
)
if grafana_pkg_info:
version = grafana_pkg_info['version'] # looks like '9.2.10'
release = grafana_pkg_info['release'] # looks like '15.el8'
patch = release.split('.')[0] # remove part with OS stream

# We are on the version without selinux configured, can do nothing with selinux.
if rpm.labelCompare(('1', version, patch), ('1', '9.2.10', '10')) < 0:
self._should_enable_selinux_bool = False
return

# We are on the version with selinux flag added, should enable it.
if rpm.labelCompare(('1', version, patch), ('1', '9.2.10', '15')) >= 0:
self._should_enable_selinux_bool = True
return

@plugin.event(
stage=plugin.Stages.STAGE_MISC,
before=(
osetupcons.Stages.SETUP_SELINUX,
),
condition=lambda self: self._should_enable_selinux_bool,
)
def _misc_selinux_allow_grafana_request_postgresql(self):
self.environment[osetupcons.SystemEnv.SELINUX_BOOLEANS].append({
'boolean': 'grafana_can_tcp_connect_postgresql_port',
'state': "on",
})

# vim: expandtab tabstop=4 shiftwidth=4
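Review bot: In `_misc_check_grafana_version_for_selinux`, a grafana build between 9.2.10-10 and 9.2.10-14 matches neither `labelCompare` branch, so the method returns silently with `_should_enable_selinux_bool` left False, although the commit message says the user is asked to update in that range. The spec's `Requires` blocks that range only for RPM-managed installs; if it is reached anyway, setup finishes while the grafana SELinux module still denies the PostgreSQL connection, and nothing in the log explains why. I would end the `if grafana_pkg_info:` block with a warning such as `self.logger.warning(_('grafana {v}-{r} has SELinux policy without the postgresql boolean, please update grafana').format(v=version, r=release))`. Separately, the check looks only at the `grafana` package while the docstring says the policy lives in a subpackage, so if that subpackage can be absent the boolean may not exist when SETUP_SELINUX applies it, which is worth confirming. A one-line comment on the hard-coded epoch `'1'` (apparently used on both sides only to make the tuples comparable) would also help.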
