From 3fd10535ddbd1fe356f2507a06912a8ad307a83e Mon Sep 17 00:00:00 2001 From: Stanislav Melnichuk Date: Wed, 24 Apr 2024 15:15:17 +0300 Subject: [PATCH] Enable selinux bool for grafana to postgresql connection. For package grafana >= 9.2.10-15 there is patch added for selinux module to allow connection from grafana to local postgresql. This flag enabled now during engine-setup command if version with this flag installed. For old versions of the grafana we do nothing with selinux. For versions between 9.2.10-10 and 9.2.10-14 we ask user to update package version. Signed-off-by: Stanislav Melnichuk --- .../config/__init__.py | 2 + .../config/selinux.py | 83 +++++++++++++++++++ 2 files changed, 85 insertions(+) create mode 100644 packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-grafana-dwh/config/selinux.py diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-grafana-dwh/config/__init__.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-grafana-dwh/config/__init__.py index 375cca39..91ab58b9 100644 --- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-grafana-dwh/config/__init__.py +++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-grafana-dwh/config/__init__.py @@ -14,12 +14,14 @@ from . import database from . import datasource +from . import selinux @util.export def createPlugins(context): database.Plugin(context=context) datasource.Plugin(context=context) + selinux.Plugin(context=context) # vim: expandtab tabstop=4 shiftwidth=4 diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-grafana-dwh/config/selinux.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-grafana-dwh/config/selinux.py new file mode 100644 index 00000000..7f807e61 --- /dev/null +++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-grafana-dwh/config/selinux.py 
@@ -0,0 +1,83 @@
+#
+# ovirt-engine-setup -- ovirt engine setup
+#
+# Copyright oVirt Authors
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+
+
+import gettext
+import rpm
+
+from otopi import util
+from otopi import plugin
+
+from ovirt_engine_setup import constants as osetupcons
+from ovirt_engine_setup import util as osetuputil
+
+
+def _(m):
+ return gettext.dgettext(message=m, domain='ovirt-engine-dwh')
+
+
+@util.export
+class Plugin(plugin.PluginBase):
+ """
+ This plugin is for configuring selinux for grafana package.
+ Grafana package from the version 9.2.10-10 has subpackage with selinux configurations.
+ And with initial configurations grafana can't communicate with postgresql.
+ From the version 9.2.10-15 there is the flag to control possibility for grafana to query local postgresql.
+ In this plugin we check grafana package version and enable selinux flag for postgresql if needed.
+ """
+
+ def __init__(self, context):
+ super(Plugin, self).__init__(context=context)
+ self._should_enable_selinux_bool = False
+
+ @plugin.event(
+ stage=plugin.Stages.STAGE_CUSTOMIZATION
+ )
+ def _misc_check_grafana_version_for_selinux(self):
+ _, mini_pm, _ = (osetuputil.getPackageManager(self.logger))
+ queried_packages = mini_pm().queryPackages(patterns=['grafana'])
+
+ grafana_pkg_info = next(
+ (package for package in queried_packages if package['operation'] == 'installed' and package['name'] == 'grafana'),
+ None
+ )
+ if grafana_pkg_info:
+ version = grafana_pkg_info['version'] # looks like '9.2.10'
+ release = grafana_pkg_info['release'] # looks like '15.el8'
+ patch = release.split('.')[0] # remove part with OS stream
+
+ # We are on the version without selinux configured, can do nothing with selinux.
+ if rpm.labelCompare(('1', version, patch), ('1', '9.2.10', '10')) < 0:
+ self._should_enable_selinux_bool = False
+ return
+
+ # We are on the version with selinux flag added, should enable it.
+ if rpm.labelCompare(('1', version, patch), ('1', '9.2.10', '15')) >= 0:
+ self._should_enable_selinux_bool = True
+ return
+
+ # Here we are between 9.2.10-10 and 9.2.10-14 and should ask user to update package version.
+ raise RuntimeError(
+ _('Please, update grafana up to 9.2.10-15 or higher version for operational state with selinux.')
+ )
+
+ @plugin.event(
+ stage=plugin.Stages.STAGE_MISC,
+ name='allow-grafana-connect-to-postgresql',
+ before=(
+ osetupcons.Stages.SETUP_SELINUX,
+ ),
+ condition=lambda self: self._should_enable_selinux_bool,
+ )
+ def _misc_selinux_allow_grafana_request_postgresql(self):
+ self.environment[osetupcons.SystemEnv.SELINUX_BOOLEANS].append({
+ 'boolean': 'grafana_can_tcp_connect_postgresql_port',
+ 'state': "on",
+ })
+
+# vim: expandtab tabstop=4 shiftwidth=4
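Review bot: The `allow-grafana-connect-to-postgresql` event turns on `grafana_can_tcp_connect_postgresql_port` whenever the installed grafana RPM is 9.2.10-15 or newer; nothing in this file checks that this setup run actually configures Grafana or that its database is local, so the SELinux policy is loosened on hosts that may not need it. Consider narrowing the gate, e.g. `condition=lambda self: self._should_enable_selinux_bool and <grafana enabled and DWH database is local>`, where the bracketed part is a placeholder for whatever environment keys the sibling plugins use. The same gating matters for `_misc_check_grafana_version_for_selinux`, which raises `RuntimeError` for 9.2.10-10 through -14 at `STAGE_CUSTOMIZATION` and so aborts engine-setup even when Grafana is unused. That check also reads only the package whose `operation` is `'installed'`, so a grafana update applied later in the same run would presumably not be seen. A short comment above the boolean, such as `# Allows the grafana SELinux domain to open TCP connections to the PostgreSQL port; required only when Grafana queries the DWH database`, would help anyone auditing the host's SELinux booleans.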