SElinux dependency error on upgrade to 1.5


#1

I get this error when trying an upgrade - we’re about a month behind on cent7 updates, but I’m not seeing anything newer than 3.13.1-229 in the live repos either. Is this cutting edge necessary or can I skip this? We only cut new repos for clusters 1 or 2 times a year, so this is a bit problematic.

Thanks!

Error: Package: ondemand-passenger-5.3.7-1.el7.x86_64 (ondemand-web)
Requires: selinux-policy >= 3.13.1-229.el7_6.9
Installed: selinux-policy-3.13.1-229.el7_6.6.noarch (@rcac-centos7-updates)
selinux-policy = 3.13.1-229.el7_6.6
Available: selinux-policy-3.13.1-229.el7.noarch (rcac-centos7-os)
selinux-policy = 3.13.1-229.el7
Available: selinux-policy-3.13.1-229.el7_6.5.noarch (rcac-centos7-updates)
selinux-policy = 3.13.1-229.el7_6.5


#2

@ddietz How is your site’s copy of CentOS 7 repos created, is it just a sync that you only run 1 or 2 times a year or are you using something that would allow you to cherry-pick in specific packages like Pulp?

The dependency on SELinux comes from upstream passenger RPM spec and is likely a result of RPMs being built using latest CentOS 7 release. If you’re unable to put newer selinux-policy in your copy of CentOS repos, maybe try a local install where you download selinux-policy RPM needed by ondemand-passenger and install the RPM with yum localinstall before upgrading OnDemand to 1.5.

Given we document turning off SELinux as part of OnDemand I am thinking we may need to modify the passenger RPM spec further to remove SELinux bits.


#3

We clone a copy of the repos whenever a new cluster image is built so that package versions stay constant across the cluster. The images are usually only updated/clusters rebooted once or twice a year.

It sounds like we’ve got a few options - yes, I can cherry-pick in custom packages (though have to be careful about having the entire cluster grab it) - I had to do this for the SCL packages IIRC. Or it looks like I can rev a new repo copy and update the ondemand machine to it. I thought that was a cluster wide setting, but looks like I technically have that option. I’ll need to run this by the engineers to see what they think.

I’m thinking this might be easiest/lowest impact/lowest risk option. I do see the newest version of that package in another cluster’s repo copy, so I could easily grab that.

I was surprised to see that pop up on the dependencies since I remember reading to disable SElinux.


#4

I am working on removing SELinux from the ondemand-passenger and ondemand-nginx RPMs. Hopefully sometime today I will have updated RPMs built and will test them on our end then make them available via OnDemand 1.5 repos.


#5

We ended up doing a rev of the repo cache for the ondemand machine, and I could upgrade successfully. I do think removing the unnecessary dependencies will hep make the upgrade go smoother on other machines.


#6

I released new RPMs for ondemand-passenger and ondemand-nginx that removed the dependency.