Bug 260019 - net/foreman-proxy: update to 3.0.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-ruby (Nobody)
Depends on: 260020 260021 260022
Blocks: 253008
Reported: 2021-11-24 14:58 UTC by Frank Wall
Modified: 2022-04-19 11:37 UTC

See Also:
bugzilla: maintainer-feedback? (ruby)


Attachments
Update foreman-proxy to 3.0.1 (25.66 KB, patch)
2021-11-24 14:58 UTC, Frank Wall

Description Frank Wall 2021-11-24 14:58:06 UTC
Created attachment 229698
Update foreman-proxy to 3.0.1

This patch updates foreman-proxy to the most recent version 3.0.1 and applies a bunch of improvements:

* update to version 3.0.1
* bump Puppet dependency to Puppet 7
* add new dependency: sysutils/rubygem-sd_notify
* add new BMC dependency: rubygem-redfish_client
* fix path in pkg-message
* take maintainership (assuming that ruby@ agrees)

CHANGELOG

The port is 2 major releases behind, so I'll just leave all the official changelogs for reference:

https://theforeman.org/manuals/3.0/index.html#Releasenotesfor3.0
https://theforeman.org/manuals/2.5/index.html#Releasenotesfor2.5
https://theforeman.org/manuals/2.4/index.html#Releasenotesfor2.4
https://theforeman.org/manuals/2.3/index.html#Releasenotesfor2.3
https://theforeman.org/manuals/2.2/index.html#Releasenotesfor2.2
https://theforeman.org/manuals/2.1/index.html#Releasenotesfor2.1
https://theforeman.org/manuals/2.0/index.html#Releasenotesfor2.0

TEST STATUS

This update was tested on FreeBSD 13.0 and the new version seems to be running just fine with several plugins enabled:

2021-11-24T15:44:09  [I] Successfully initialized 'foreman_proxy'
2021-11-24T15:44:09  [I] Successfully initialized 'dns_nsupdate'
2021-11-24T15:44:09  [I] Successfully initialized 'dns'
2021-11-24T15:44:09  [I] Successfully initialized 'tftp'
2021-11-24T15:44:10  [I] Successfully initialized 'dhcp_isc'
2021-11-24T15:44:10  [I] Successfully initialized 'dhcp'
2021-11-24T15:44:10  [I] Successfully initialized 'bmc'
2021-11-24T15:44:10  [I] Successfully initialized 'logs'
2021-11-24T15:44:10  [I] Successfully initialized 'httpboot'
2021-11-24T15:44:10  [I] WEBrick 1.6.1
2021-11-24T15:44:10  [I] ruby 2.7.4 (2021-07-07) [amd64-freebsd13]
2021-11-24T15:44:10  [D] Rack::Handler::WEBrick is mounted on /.
2021-11-24T15:44:10  [I] WEBrick::HTTPServer#start: pid=83480 port=8443
2021-11-24T15:44:10  [I] Smart proxy has launched on 1 socket(s), waiting for requests

This submission obsoletes BZ #253008. I'll submit a few follow-up BZ with the new dependencies.
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2021-12-01 02:31:57 UTC
(In reply to Frank Wall from comment #0)

Hi Frank, thanks for picking up where PR 253008 left off. I'm speaking for myself on this one and am not tracking the most recent commit policy, but we don't need to pull in systemd for this. My patch added in PR for the 2.2.3 to 2.3.5 update includes a patch file to revert the callback in theforeman/smart-proxy@99e9e5bf5843 which introduced the new dependency on the sd_notify Rubygem port. I can't find clear guidance in the handbook on what we do for this just now but we can patch it out until the upstream code is more agnostic to *nix implementation it's on.

Visual inspection of the patch looks mostly good but I do have one alibi putting the security hat on, why do we need to patch lib/proxy/http_download.rb to include a "verify_server_cert = false" line? There would be implications if there is an adversary performing a MITM including this suggested portion of the patch that I am hesitant on without further understanding of what it means at runtime. For the rest of the patch if you have tested and run it I'm good myself and we'll just need an active/current committer to pick this up.

I'll be traveling for a job until the new year and limited on things but am glad to discuss regarding the verify_server_cert pending your feedback. Thanks again!
Comment 3 Frank Wall 2021-12-14 13:08:03 UTC
(In reply to Jason Unovitch from comment #2)

> but we don't need to pull in systemd for this

I'm not biased towards any solution to this problem, I'm fine with whatever a plugin committer is willing to approve. But one could argue that the systemd code is no-op, because it will just do nothing on FreeBSD. And going forward it will be much easier to update the port if we don't modify the source code to remove systemd-related stuff.

> why do we need to patch lib/proxy/http_download.rb to include a "verify_server_cert = false" line?

I think you're reading the patch incorrectly. :) It's a patch for the patch. This line is the new content of the original lib/proxy/http_download.rb file. We only change the wget path, everything else is unmodified. But the patch-patch shows a modification, because the original file got modified upstream.
Comment 4 Jason Unovitch freebsd_committer freebsd_triage 2021-12-18 10:18:21 UTC
(In reply to Frank Wall from comment #3)

>> why do we need to patch lib/proxy/http_download.rb to include a "verify_server_cert = false" line?
> I think you're reading the patch incorrectly. :) It's a patch for the patch. This line is the new content of the original lib/proxy/http_download.rb file. We only change the wget path, everything else is unmodified. But the patch-patch shows a modification, because the original file got modified upstream.

You are absolutely correct. My apologies reading this in haste. It looks like between https://projects.theforeman.org/issues/18936 and https://github.com/theforeman/smart-proxy/commit/040da586908d48d193838fff703d77dab98fa3b2#diff-5d7889818cffc0feec3f66f7e0054e96fd1403ee8c81c30dba7aff024ee28bb7 this was updated. We just need these PRs all committed then.
Comment 5 commit-hook freebsd_committer freebsd_triage 2022-04-19 11:33:17 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=97108f5a3fca1ae8de3556eebae86de77622b7e2

commit 97108f5a3fca1ae8de3556eebae86de77622b7e2
Author:     Frank Wall <fw@moov.de>
AuthorDate: 2022-01-25 01:27:34 +0000
Commit:     Matthias Fechner <mfechner@FreeBSD.org>
CommitDate: 2022-04-19 11:32:17 +0000

    net/foreman-proxy: update 2.5.4 -> 3.0.1

    * update to version 3.0.1
    * bump Puppet dependency to Puppet 7
    * fix path in pkg-message
    * take maintainership

    Changes:        https://github.com/theforeman/smart-proxy/compare/2.5.4...3.0.1
    PR:             260019
    Submitted by:   Frank Wall <fw@moov.de>; junovitch (rebase on incremental update)

 net/foreman-proxy/Makefile                               | 16 ++++++++++------
 net/foreman-proxy/distinfo                               |  6 +++---
 ...gs.d-puppetca_hostname_whitelisting.yml.example (new) |  8 ++++++++
 ...config-settings.d-puppetca_http_api.yml.example (new) | 12 ++++++++++++
 .../patch-config-settings.d-realm_freeipa.yml.example    |  8 ++++----
 .../files/patch-lib_proxy_http__download.rb              |  6 +++---
 net/foreman-proxy/pkg-message                            |  2 +-
 net/foreman-proxy/pkg-plist                              |  2 ++
 8 files changed, 43 insertions(+), 17 deletions(-)
Comment 6 Matthias Fechner freebsd_committer freebsd_triage 2022-04-19 11:37:36 UTC
Committed, thanks.