camptocamp / puppet-selinux

http://www.camptocamp.com

"restorecon" - check top-level context before running #38

Open jmuf opened 8 years ago

jmuf commented 8 years ago

"restorecon -R" on a populated tree may take longer to complete than puppet is willing to wait (this could easily take hours). This means the command will get re-launched at every puppet run, and never be allowed to complete.

Suggest checking whether the top-level files/directories are correctly labelled, and if so, assume the rest is as well. Trees with incorrect labelling only deeper inside will not get fixed (not sure whether users rely on this - would the new behaviour be acceptable?). Trees with incorrect labels at the top will run "restorecon -R" once (which might time out and cause an error, i.e. the admin may need to re-run manually).

raphink commented 8 years ago

Another option would be to find all the files affected by the change and update them one by one, which will avoid the timeout (and might take hours).

jmuf commented 8 years ago

"Finding" the broken file contexts is indeed the slow part - the underlying tree can be arbitrarily deep. Which is why this operation should not be done within a puppet run. Starting it asynchronously also won't work, these would simply pile up (and puppet would not know whether to re-launch or not).

raphink commented 8 years ago

Asynchronous operations are not possible with Puppet, because of the tree dependencies.

The best would probably be to write a Ruby type/provider that would perform actions in a smarter way.
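Added example, not code from camptocamp/puppet-selinux: the "check the top level first" idea from the opening comment, written as a Ruby helper of the kind the type/provider suggested above could call. It assumes that `restorecon -n -v` (dry run, verbose) prints one line per path whose label would change, and it assumes two line formats for those lines (the libselinux "Would relabel X from A to B" form and the older policycoreutils "restorecon reset X context A->B" form); any other output line is handed back to the caller rather than guessed at, so a stray warning does not trigger the hours-long recursive run on every Puppet run. The runner is injectable so the decision logic can be exercised without SELinux; the module name and all function names are this example's own.

```ruby
require 'open3'
require 'tmpdir'

# Added example, not code from camptocamp/puppet-selinux: the "check the top
# level first" idea from this issue as a helper a Ruby type/provider could call.
# Assumption: `restorecon -n -v` (dry run, verbose) prints one line per path
# whose label would change. Two line formats are assumed below; anything else
# is returned separately so the caller can log it instead of guessing.
module SelinuxLabelCheck
  # Assumed verbose dry-run formats (libselinux-style, and older policycoreutils):
  #   Would relabel /srv/www from system_u:object_r:default_t:s0 to ...
  #   restorecon reset /srv/www context system_u:object_r:default_t:s0->...
  RELABEL_LINE = /(?:Would relabel|restorecon reset)\s+(.+?)\s+(?:from|context)\s/

  # Split dry-run output into [paths that would be relabelled, unrecognised lines].
  def self.parse_dry_run(output)
    paths = []
    other = []
    output.each_line.map(&:chomp).reject(&:empty?).each do |line|
      m = RELABEL_LINE.match(line)
      if m
        paths << m[1]
      else
        other << line
      end
    end
    [paths, other]
  end

  # Only the root and its immediate entries: no -R, so the cost is bounded by
  # the directory's width, not the depth of the tree underneath it.
  def self.top_level_paths(dir)
    [dir] + Dir.children(dir).sort.map { |c| File.join(dir, c) }
  end

  # Real runner: dry run, changes nothing. stdout and stderr are merged because
  # which stream the verbose lines land on differs between versions.
  DEFAULT_RUNNER = lambda do |paths|
    out, _status = Open3.capture2e('restorecon', '-n', '-v', *paths)
    out
  end

  # Decide whether the (possibly hours-long) full relabel is needed.
  # Returns [command_or_nil, unrecognised_lines]; the command is the argv
  # array a provider would hand to a process spawner.
  def self.plan(dir, runner: DEFAULT_RUNNER)
    paths, other = parse_dry_run(runner.call(top_level_paths(dir)))
    cmd = paths.empty? ? nil : ['restorecon', '-R', dir]
    [cmd, other]
  end
end

# Stand-alone demo with constructed dry-run output (no SELinux needed).
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'index.html'), '')
    fake = lambda do |paths|
      "Would relabel #{paths[0]} from unconfined_u:object_r:default_t:s0 " \
      "to unconfined_u:object_r:httpd_sys_content_t:s0\n"
    end
    cmd, = SelinuxLabelCheck.plan(dir, runner: fake)
    puts cmd ? "would run: #{cmd.join(' ')}" : 'top level fine, skipping restorecon -R'
  end
end
```

The trade-off noted in the issue still applies: a tree whose only mislabelled files sit deeper than the first level is reported as clean by this check, so a provider built on it should document that a manual `restorecon -R` is the fix for that case rather than trying to hide it.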