🙍 Problem Statement
The "selinux_module" resource would skip the install if the module is already installed. So there is no way to install a new version without first removing the module. But removing the module can cause runtime issues.
❔ Possible Solution
This is a fundamental issue, since on RHEL8 "semodule -l" no longer provides the module version information. So any solution would assume the absence of the information. I ended up with a workaround.
I save the downloaded policy .pp file.
When the policy is installed, I create a ".pp.install_flag" file.
I do a check whether the ".pp.install_flag" file is newer than the ".pp" file. If yes, skip the install, otherwise call the "selinux_module" resource.
But for this to work (to install the updated module), there needs to be a "force_install" mode for the "selinux_module" resource.
⤴️ Describe alternatives you've considered
I am not aware of any, and would welcome ideas.
➕ Additional context
If it's acceptable, I will submit a PR to add the "force_install" flag.
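The marker-file check from the workaround above, as an added example that is not part of the original issue or of the selinux cookbook; `PolicyMarker` and its method names are hypothetical. It implements the mtime comparison as described and, going beyond the issue, a SHA-256 comparison that still detects a changed `.pp` when timestamps are misleading.

```ruby
require 'digest'
require 'tmpdir'

# Hypothetical helper, not part of the selinux cookbook. It keeps the issue's
# "<file>.pp.install_flag" marker but also stores the SHA-256 of the installed
# policy package in it.
module PolicyMarker
  module_function

  def marker_path(pp_path)
    "#{pp_path}.install_flag"
  end

  # Rule from the issue: skip only when the marker is newer than the .pp.
  # A missing marker or equal timestamps count as "needs install".
  def stale_by_mtime?(pp_path)
    marker = marker_path(pp_path)
    !File.exist?(marker) || File.mtime(marker) <= File.mtime(pp_path)
  end

  # Content rule: also catches a changed .pp whose mtime was preserved or
  # set in the past (for example by an archive extraction).
  def stale_by_digest?(pp_path)
    marker = marker_path(pp_path)
    !File.exist?(marker) ||
      File.read(marker).strip != Digest::SHA256.file(pp_path).hexdigest
  end

  # Call after a successful install to record what was installed.
  def record_install(pp_path)
    File.write(marker_path(pp_path), "#{Digest::SHA256.file(pp_path).hexdigest}\n")
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    pp_file = File.join(dir, 'example.pp') # constructed sample, not a real policy
    File.binwrite(pp_file, 'policy v1')
    PolicyMarker.record_install(pp_file)
    old = Time.now - 3600
    File.binwrite(pp_file, 'policy v2')    # new content ...
    File.utime(old, old, pp_file)          # ... with an older timestamp
    puts "mtime rule says reinstall:  #{PolicyMarker.stale_by_mtime?(pp_file)}"
    puts "digest rule says reinstall: #{PolicyMarker.stale_by_digest?(pp_file)}"
  end
end
```

Either predicate only decides whether a reinstall is due; as the issue notes, the "selinux_module" resource itself still skips a module that is already installed.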
Otherwise what I've done in the past to help with idempotency for something like this is to write the config into a file resource. Then the file resource calls the custom resource with notifies and desired action. Thus if the file's content changes due to module configuration changes then it triggers the update.
We are not using the built-in module resource, since we are on an older version of Chef.
The notification is a good idea. Would that also need the force_install switch?
Thanks
On Mon, Apr 15, 2024 at 2:41 PM Corey Hemminger ***@***.***> wrote:
Otherwise what I've done in the past to help with idempotency for
something like this is to write the config into a file resource. Then the
file resource calls the custom resource with notifies and desired action.
Thus if the file's content changes due to module configuration changes then it
triggers the update.