
News

Posted 23 days ago by Chris Martin
@julianpistorius to revisit in the next couple of days. Goal: 80% solution that lets us move forward with implementation. Indicate which things are one-way doors or hard to reverse.
Posted 23 days ago by Chris Martin
Remaining todo is API plumbing. Approach going forward, branch off of this to do that separately, so we can review smaller change sets. Anticipated merge order: TBD.
Posted 23 days ago by Zach Graber
In addition to the last point, allow users to create a new instance and access it? I suspect the answer is no, because access rules may need specific instance UUIDs specified in the URL path. Access rules work on specific API endpoints, so (from my own testing with the IndySCC setup) they can be bound to the instance's UUID and/or name. Theoretically, you could allow a credential to POST /servers (create instances) and to manage an instance with a specific naming scheme, but that would be a pretty terrible user experience. Also, from @cmart on #715 (closed): How well have we found this to work in practice? For some time, application credentials with access rules did not work on Jetstream2, but this appears to be fixed now? I've never had any issues with this on JS2 after the changes service_type configs you referenced. I reliably created ~60 scoped credentials with no problem (see here for an example).
Posted 25 days ago by Kyle Tee
Overview: Temporarily relaxes SELinux so that cloud-init can run firewall-cmd to create some firewall rules. Fixes broken instance setup on Rocky Linux 8 (and possibly also other RHEL-derivative operating systems). Fixes #1034. How to Test: Create a RHEL 8 instance with web desktop enabled (i.e. a Rocky Linux 8 instance from the featured image on Jetstream2). Screenshots: N/A
Posted 25 days ago by Kyle Tee
👍 Done.
Posted 25 days ago by Chris Martin
Chris Martin (49339bb5) at 09 Dec 22:36 Merge branch 'fix-rhel8-firewallcmd' into 'master' ... and 1 more commit
Posted 25 days ago by Chris Martin
Overview: Temporarily relaxes SELinux so that cloud-init can run firewall-cmd to create some firewall rules. Fixes broken instance setup on Rocky Linux 8 (and possibly also other RHEL-derivative operating systems). Fixes #1034. How to Test: Create a RHEL 8 instance with web desktop enabled (i.e. a Rocky Linux 8 instance from the featured image on Jetstream2). Screenshots: N/A
Posted 25 days ago by Chris Martin
The latest Rocky 8 image on Jetstream2 in the build pipeline hangs during Exosphere deployment with desktop. Investigation in /var/log/audit/audit.log showed it failing with this error:
type=USER_AVC msg=audit(1733510019.215:148): pid=917 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.187 spid=995 tpid=29283 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
This appears to be a bug in RHEL 8: firewall-cmd hangs when used as part of cloud-init script. Full text is here due to paywall: firewall-cmd_hangs_when_used_as_part_of_cloud-init_script_-_Red_Hat_Customer_Portal.pdf
Root Cause: SELinux prevents cloud-init from modifying running firewalld rules. Likely need to set SELinux permissive in https://gitlab.com/exosphere/exosphere/-/blob/master/ansible/roles/vnc-server/tasks/RedHat.yml?ref_type=heads and then reenable to enforcing after setting the firewall rules.
Posted 27 days ago by Jeremy Fischer
The latest Rocky 8 image on Jetstream2 in the build pipeline hangs during Exosphere deployment with desktop. Investigation in /var/log/audit/audit.log showed it failing with this error:
type=USER_AVC msg=audit(1733510019.215:148): pid=917 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.187 spid=995 tpid=29283 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
This appears to be a bug in RHEL 8: firewall-cmd hangs when used as part of cloud-init script. Full text is here due to paywall: firewall-cmd_hangs_when_used_as_part_of_cloud-init_script_-_Red_Hat_Customer_Portal.pdf
Root Cause: SELinux prevents cloud-init from modifying running firewalld rules. Likely need to set SELinux permissive in https://gitlab.com/exosphere/exosphere/-/blob/master/ansible/roles/vnc-server/tasks/RedHat.yml?ref_type=heads and then reenable to enforcing after setting the firewall rules.