Foreman 3.2.0 RC2 is ready for testing!

The second release candidate of Foreman 3.2.0 is now available for testing. Special thanks to everyone who contributed and taken part in making this release ready.

The ansible/ansible-core and openscap dependency issues have been fixed and plugin installations should work smoothly now.

The plugin test pipeline is showing unstable because of React errors, and we are checking further on it. This post will be updated on the status of same.

Please help by testing and getting it release-ready, and let us know if you hit any issue when upgrading or installing the release candidate either here or on our issue tracker .

There are likely still some updates needed in the installation instructions and other parts of the documentation.

Installation quick start:
https://theforeman.org/manuals/3.2/quickstart_guide.html

Upgrade instructions:
https://theforeman.org/manuals/3.2/index.html#3.6Upgrade

Release notes:
https://theforeman.org/manuals/3.2/index.html#Releasenotesfor3.2

This is also a good time to improve translations for existing locales to ensure full coverage. Help out at: Foreman localization

Packages may be found in the 3.2 directories on both deb.theforeman.org and yum.theforeman.org , and tarballs are on downloads.theforeman.org .

The GPG key used for signing RPMs and tarballs has the following fingerprint:
77F7076DFD4F373EF0F0E9AC8D746ED06DA7EB32

The GPG key used for signing DEBs has been rotated and has the following fingerprint:
5B7C3E5A735BCB4D615829DC0BDDA991FD7AAC8A.

I have noticed something when running yum upgrade. Likely it was there even with RC1 but I only noticed now

  Running scriptlet: foreman-selinux-3.2.0-0.1.rc2.20220303185036git19af6df.el8.noarch                                                                             228/228 
/sbin/restorecon: SELinux: Could not get canonical path for /etc/puppet/node.rb restorecon: No such file or directory.

I already disabled Puppet on this instance, so our SELinux shouldn’t try to restorecon on it. I guess foreman_puppet should have its own SELinux policy (or plugin to it?)

That’s a weird version number. It looks like it’s using the nightly releaser, which means it could actually be a nightly tarball instead of the released tarball. For selinux it probably doesn’t matter since there haven’t really been changes, but if that’s also true for other projects it could be bad.

I think it should ignore files that don’t exist. There’s -i for that, as man 8 restorecon says:

-i ignore files that do not exist.

And we do pass it:

I wonder if this is a bug in restorecon. It’s easy to reproduce on my Fedora 35:

$ restorecon /file
restorecon: lstat(/file) failed: No such file or directory
$ restorecon -i /file
$ restorecon -i /dir/file
restorecon: SELinux: Could not get canonical path for /dir/file restorecon: No such file or directory.

The workaround is to send stderr to /dev/null or to first check if the directory exists in relabel.

Having separate policies only makes sense if it’s really a big thing, but separate policies are expensive. Both in the work to maintain it and the time to install it. In theory we could introduce booleans for it, but I don’t think we’d win that much.

Having said that, it probably belongs in the non-existant foreman-proxy-selinux package more than foreman-selinux.

The version should be fixed in the next RC/GA via don't configure nightly releasers for 3.2 stable branch by evgeni · Pull Request #7668 · theforeman/foreman-packaging · GitHub

Thanks for taking a look. If it’s a known issue of restorecon, we should probably mention that in release/upgrade notes. But the severity is quite low I think.

Another finding with foreman_ansible - the roles loading on the new host page fails with TypeError: Cannot read properties of undefined (reading 'map'),, I suppose it’s related to the pagination. Either we released too new version or probably didn’t release new version for 3.2? cc @lstejskal @Ron_Lavi