Re-thinking foreman-maintain whitelist option

Situation

The foreman-maintain tool provides a --whitelist option to actions such as upgrade, backup and restore that allows a user to skip almost any step. This can result in users performing destructive actions thinking they are safe to do so. Additionally, the term whitelist is incorrectly used. There are a few steps that, over time, have been marked with do_not_whitelist to prevent them from being skipped.

Proposal

The general proposal is to flip the expectation from everything is able to be skipped by default to the default being a step cannot be skipped unless specifically designated. Here are the specifics.

Rename

The whitelist terminology will instead be replaced with skip terminology.

CLI options

For how the CLI options change, there are two possibilities:

Option 1

For each step that we want to enable a user to skip, we add a dedicated option, e.g.

  • --skip-repositories-validate
  • --skip-repositories-setup

This option could be, for a release or two, backwards compatible by mapping --whitelist to --skip-<step-name>, unless a step is supplied that is not able to be skipped.

Option 2

The current paradigm is kept, and there is a single option that can take a comma separated list. This would also include the addition of a command that lists the skippable options:

  • --skip="repositories-validate,repositories-setup"
  • foreman-maintain upgrade --list-skip
  • foreman-maintain backup --list-skip

This option could be, for a release or two, backwards compatible by mapping --whitelist to --skip, unless a step is supplied that is not able to be skipped.

Risks

Given the current foreman-maintain provides the ability to skip nearly anything, there is a risk that users may have scripted upgrade/backup/restore that is calling the --whitelist option with some set of skipped steps that we are unaware of. This change could break those setups for some period of time:

  • Users find steps that we should allow skipping and we have to backport code
  • Users find steps that they feel they need to skip, but we feel should never be skipped and we must find a compromise. This could leave them in a temporary bind as this proposal has no fall-back mechanism.
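A sketch of the deny-by-default resolution described under Option 2, added here as an example and not taken from foreman-maintain's code. The step registry, the `resolve_skips` and `list_skippable` helpers, and the step name `example-critical-step` are assumptions made for illustration; only `repositories-validate` and `repositories-setup` come from the proposal.

```ruby
require 'set'

# Hypothetical step registry: a step may be skipped only if it is explicitly
# marked skippable. 'example-critical-step' is a constructed name.
STEPS = {
  'repositories-validate' => { skippable: true },
  'repositories-setup'    => { skippable: true },
  'example-critical-step' => { skippable: false }
}.freeze

class SkipError < StandardError; end

# The names a --list-skip command would show.
def list_skippable(steps = STEPS)
  steps.select { |_, meta| meta[:skippable] }.keys.sort
end

# Merge --skip and the legacy --whitelist value into one validated set.
# Returns [skip_set, warnings]. Fails closed: if any requested step is
# unknown or not designated skippable, the whole request is rejected
# instead of silently ignoring that entry.
def resolve_skips(skip: nil, whitelist: nil, steps: STEPS)
  warnings = []
  warnings << '--whitelist is deprecated, use --skip' if whitelist

  requested = [skip, whitelist].compact
                               .flat_map { |value| value.split(',') }
                               .map(&:strip)
                               .reject(&:empty?)
                               .uniq

  unknown = requested.reject { |name| steps.key?(name) }
  raise SkipError, "unknown step(s): #{unknown.join(', ')}" unless unknown.empty?

  denied = requested.reject { |name| steps[name][:skippable] }
  unless denied.empty?
    raise SkipError, "step(s) cannot be skipped: #{denied.join(', ')}"
  end

  [requested.to_set, warnings]
end
```

A scripted run that still passes `--whitelist` with a protected step stops with an error naming that step, which is the breakage described under Risks.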