Re: [Freeipa-devel] [PATCH] 1037 optimize restoring SELinux booleans

2012-10-02 Thread Rob Crittenden

Petr Viktorin wrote:

On 10/01/2012 09:29 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

On 10/01/2012 04:41 PM, Rob Crittenden wrote:

The web uninstall step can be very long because we restore two SELinux
booleans individually. This patch combines them into a single step, and
skips setting them if the values won't actually change.

rob




Is there a reason to not reuse the code that sets the values on install?
As far as I can tell it does the same thing slightly differently.



The differences are enough that trying to consolidate them would likely
end up taking considerably more time, require considerably more testing,
etc. It would be worthwhile to revisit this at the beginning of a new
version, but at the end it seems safer to take the simplest route.

rob


Well, okay then, ACK. But please keep the bug open.



I'm going to withdraw this patch for now. I think it can wait for a more 
complete fix in a future release.


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 1037 optimize restoring SELinux booleans

2012-10-02 Thread Petr Viktorin

On 10/01/2012 09:29 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

On 10/01/2012 04:41 PM, Rob Crittenden wrote:

The web uninstall step can be very long because we restore two SELinux
booleans individually. This patch combines them into a single step, and
skips setting them if the values won't actually change.

rob




Is there a reason to not reuse the code that sets the values on install?
As far as I can tell it does the same thing slightly differently.



The differences are enough that trying to consolidate them would likely
end up taking considerably more time, require considerably more testing,
etc. It would be worthwhile to revisit this at the beginning of a new
version, but at the end it seems safer to take the simplest route.

rob


Well, okay then, ACK. But please keep the bug open.

--
Petr³



Re: [Freeipa-devel] [PATCH] 1037 optimize restoring SELinux booleans

2012-10-01 Thread Rob Crittenden

Petr Viktorin wrote:

On 10/01/2012 04:41 PM, Rob Crittenden wrote:

The web uninstall step can be very long because we restore two SELinux
booleans individually. This patch combines them into a single step, and
skips setting them if the values won't actually change.

rob




Is there a reason to not reuse the code that sets the values on install?
As far as I can tell it does the same thing slightly differently.



The differences are enough that trying to consolidate them would likely 
end up taking considerably more time, require considerably more testing,
etc. It would be worthwhile to revisit this at the beginning of a new 
version, but at the end it seems safer to take the simplest route.


rob



Re: [Freeipa-devel] [PATCH] 1037 optimize restoring SELinux booleans

2012-10-01 Thread Petr Viktorin

On 10/01/2012 04:41 PM, Rob Crittenden wrote:

The web uninstall step can be very long because we restore two SELinux
booleans individually. This patch combines them into a single step, and
skips setting them if the values won't actually change.

rob




Is there a reason to not reuse the code that sets the values on install? 
As far as I can tell it does the same thing slightly differently.


--
Petr³



[Freeipa-devel] [PATCH] 1037 optimize restoring SELinux booleans

2012-10-01 Thread Rob Crittenden

The web uninstall step can be very long because we restore two SELinux
booleans individually. This patch combines them into a single step, and 
skips setting them if the values won't actually change.


rob

From f9cfa7252e7a5d967ca0786c56431589b4489660 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Wed, 26 Sep 2012 16:45:52 -0400
Subject: [PATCH] Selectively restore SELinux booleans on uninstall

Restore only those values that have changed and do the restoration
in a single step instead of one at a time.  This improves uninstall
performance in the web server step.

https://fedorahosted.org/freeipa/ticket/2934
---
 ipaserver/install/httpinstance.py | 17 ++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index e1d8b6db8503cf8eacc337b58f49054f3590eda4..ee6506f62001d057403e02b4b64716223959d220 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -340,14 +340,25 @@ class HTTPInstance(service.Service):
 installutils.remove_file("/etc/httpd/conf.d/ipa.conf")
 installutils.remove_file("/etc/httpd/conf.d/ipa-pki-proxy.conf")
 
+changes = []
 for var in ["httpd_can_network_connect", "httpd_manage_ipa"]:
 sebool_state = self.restore_state(var)
 if not sebool_state is None:
 try:
-ipautil.run(["/usr/sbin/setsebool", "-P", var, sebool_state])
+(stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool", var])
 except ipautil.CalledProcessError, e:
-self.print_msg("Cannot restore SELinux boolean '%s' back to '%s': %s" \
-% (var, sebool_state, e))
+self.print_msg("Cannot get current state of SELinux boolean: %s" % e)
+else:
+current_state = stdout.split()[2]
+if current_state != sebool_state:
+changes.append('%s=%s' % (var, sebool_state))
+if changes:
+args = ["/usr/sbin/setsebool", "-P"]
+args.extend(changes)
+try:
+ipautil.run(args)
+except ipautil.CalledProcessError, e:
+self.print_msg("Cannot restore SELinux booleans: %s" % e)
 
 if not running is None and running:
 self.start()
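
Review bot: In the new else: branch, current_state = stdout.split()[2] indexes the getsebool output by position and is not covered by the except ipautil.CalledProcessError handler, so output with fewer than three fields raises an uncaught IndexError and aborts the uninstall step. Check the field count (or catch IndexError) before comparing. Also, when getsebool fails the boolean is only reported and never appended to changes, so it stays at its install-time value, whereas the removed code always attempted the restore; for httpd_can_network_connect that leaves the looser setting in place after uninstall. Consider appending '%s=%s' % (var, sebool_state) on that path as well, and including var in the "Cannot get current state" message and the changes list in the "Cannot restore SELinux booleans" message so the admin knows what to fix by hand.
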
-- 
1.7.11.4
