Re: [Freeipa-devel] [PATCH] 1037 optimize restoring SELinux booleans
Petr Viktorin wrote:
> On 10/01/2012 09:29 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 10/01/2012 04:41 PM, Rob Crittenden wrote:
>>>> The web uninstall step can be very long because we restore two SELinux
>>>> booleans individually. This patch combines them into a single step, and
>>>> skips setting them if the values won't actually change.
>>>>
>>>> rob
>>>
>>> Is there a reason to not reuse the code that sets the values on install?
>>> As far as I can tell it does the same thing slightly differently.
>>
>> The differences are enough that trying to consolidate them would likely
>> end up taking considerably more time, require considerably more testing,
>> etc. It would be worthwhile to revisit this at the beginning of a new
>> version, but at the end it seems safer to take the simplest route.
>>
>> rob
>
> Well, okay then, ACK.
> But please keep the bug open.

I'm going to withdraw this patch for now. I think it can wait for a more complete fix in a future release.

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1037 optimize restoring SELinux booleans
On 10/01/2012 09:29 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 10/01/2012 04:41 PM, Rob Crittenden wrote:
>>> The web uninstall step can be very long because we restore two SELinux
>>> booleans individually. This patch combines them into a single step, and
>>> skips setting them if the values won't actually change.
>>>
>>> rob
>>
>> Is there a reason to not reuse the code that sets the values on install?
>> As far as I can tell it does the same thing slightly differently.
>
> The differences are enough that trying to consolidate them would likely
> end up taking considerably more time, require considerably more testing,
> etc. It would be worthwhile to revisit this at the beginning of a new
> version, but at the end it seems safer to take the simplest route.
>
> rob

Well, okay then, ACK.
But please keep the bug open.

--
Petr³
Re: [Freeipa-devel] [PATCH] 1037 optimize restoring SELinux booleans
Petr Viktorin wrote:
> On 10/01/2012 04:41 PM, Rob Crittenden wrote:
>> The web uninstall step can be very long because we restore two SELinux
>> booleans individually. This patch combines them into a single step, and
>> skips setting them if the values won't actually change.
>>
>> rob
>
> Is there a reason to not reuse the code that sets the values on install?
> As far as I can tell it does the same thing slightly differently.

The differences are enough that trying to consolidate them would likely end up taking considerably more time, require considerably more testing, etc. It would be worthwhile to revisit this at the beginning of a new version, but at the end it seems safer to take the simplest route.

rob
Re: [Freeipa-devel] [PATCH] 1037 optimize restoring SELinux booleans
On 10/01/2012 04:41 PM, Rob Crittenden wrote:
> The web uninstall step can be very long because we restore two SELinux
> booleans individually. This patch combines them into a single step, and
> skips setting them if the values won't actually change.
>
> rob

Is there a reason to not reuse the code that sets the values on install? As far as I can tell it does the same thing slightly differently.

--
Petr³
[Freeipa-devel] [PATCH] 1037 optimize restoring SELinux booleans
The web uninstall step can be very long because we restore two SELinux booleans individually. This patch combines them into a single step, and skips setting them if the values won't actually change.

rob

From f9cfa7252e7a5d967ca0786c56431589b4489660 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 26 Sep 2012 16:45:52 -0400
Subject: [PATCH] Selectively restore SELinux booleans on uninstall

Restore only those values that have changed and do the restoration in a single step instead of one at a time. This improves uninstall performance in the web server step.

https://fedorahosted.org/freeipa/ticket/2934
---
 ipaserver/install/httpinstance.py | 17 ++--
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index e1d8b6db8503cf8eacc337b58f49054f3590eda4..ee6506f62001d057403e02b4b64716223959d220 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -340,14 +340,25 @@ class HTTPInstance(service.Service): installutils.remove_file("/etc/httpd/conf.d/ipa.conf") installutils.remove_file("/etc/httpd/conf.d/ipa-pki-proxy.conf") +changes = [] for var in ["httpd_can_network_connect", "httpd_manage_ipa"]: sebool_state = self.restore_state(var) if not sebool_state is None: try: -ipautil.run(["/usr/sbin/setsebool", "-P", var, sebool_state]) +(stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool", var]) except ipautil.CalledProcessError, e: -self.print_msg("Cannot restore SELinux boolean '%s' back to '%s': %s" \ -% (var, sebool_state, e)) +self.print_msg("Cannot get current state of SELinux boolean: %s" % e) +else: +current_state = stdout.split()[2] +if current_state != sebool_state: +changes.append('%s=%s' % (var, sebool_state)) +if changes: +args = ["/usr/sbin/setsebool", "-P"] +args.extend(changes) +try: +ipautil.run(args) +except ipautil.CalledProcessError, e: +self.print_msg("Cannot restore SELinux booleans: %s" % e) if not running is None and running: self.start() -- 1.7.11.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
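Review bot: In the new `except` branch after the `getsebool` call, a boolean whose current state cannot be read is skipped and never added to `changes`, so `httpd_can_network_connect` or `httpd_manage_ipa` can be left unrestored after uninstall, where the removed code would still have attempted `setsebool` for it. Consider appending `'%s=%s' % (var, sebool_state)` in that branch so an unreadable state falls back to restoring, and include `var` in the "Cannot get current state of SELinux boolean" message so the log says which boolean was affected. Two smaller points: `stdout.split()[2]` assumes at least three whitespace-separated fields and only `CalledProcessError` is caught, so any other output would raise an uncaught IndexError; and `current_state != sebool_state` only skips work if the saved state uses the same spelling as the third `getsebool` field, which these lines do not show. The combined "Cannot restore SELinux booleans" message also drops the boolean names and target values that the removed per-boolean message reported; printing `changes` there would keep that detail.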