From dc2a80326666cb3c674f1c389d21ee28505272db Mon Sep 17 00:00:00 2001
From: rob thijssen
Date: Fri, 22 May 2026 06:12:51 +0300
Subject: [PATCH] fix(rpm): migrate legacy helexa-cortex firewalld service to `cortex`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a %posttrans scriptlet to cortex.spec that:

- Removes the stale /etc/firewalld/services/helexa-cortex.xml left behind by an older packaging stream that named the service `helexa-cortex` and (in some build streams) carried wrong port numbers (9301/9302/9304).
- Walks every active firewalld zone; for any zone where the legacy helexa-cortex service was enabled, swaps it out for the new `cortex` service (which the RPM ships at /usr/lib/firewalld/services/cortex.xml with the right 31313/31314 ports).
- Reloads firewalld so the change takes effect without operator intervention.

Operators on whom this happened were silently dropping inbound connections to cortex on 31313 — the active zone advertised a helexa-cortex service that listed unrelated ports, masking the correctly-defined vendor cortex service.

helexa-neuron is unaffected: that spec already ships the vendor service as helexa-neuron.xml (namespaced from day one) and no stale /etc override files exist in the fleet.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 cortex.spec | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/cortex.spec b/cortex.spec
index 266a677..93a3c47 100644
--- a/cortex.spec
+++ b/cortex.spec
@@ -74,6 +74,32 @@ install -Dm644 models.example.toml %{buildroot}%{_sysconfdir}/cortex/models.toml %postun %systemd_postun_with_restart cortex.service +%posttrans +# Migration: older cortex packages shipped the firewalld service as +# `helexa-cortex` and (in some build streams) with wrong port numbers +# (9301/9302/9304). Operators who enabled that legacy service in their +# zone end up with the wrong-port override taking precedence over the +# vendor `cortex.xml` now in /usr/lib/firewalld/services/. Clean up the +# stale /etc/ override here and migrate any zone bindings to the new +# service name. +if [ -f /etc/firewalld/services/helexa-cortex.xml ]; then + rm -f /etc/firewalld/services/helexa-cortex.xml +fi +if [ -x /usr/bin/firewall-cmd ] && /usr/bin/firewall-cmd --state >/dev/null 2>&1; then + # Drop the legacy service name from every zone where it was enabled + # and add the new `cortex` service in its place. Operators who never + # ran firewall-cmd against either name see no zone change. + for zone in $(/usr/bin/firewall-cmd --get-active-zones 2>/dev/null \ + | awk '!/^[[:space:]]/ {print $1}'); do + if /usr/bin/firewall-cmd --permanent --zone="$zone" --query-service=helexa-cortex >/dev/null 2>&1; then + /usr/bin/firewall-cmd --permanent --zone="$zone" --remove-service=helexa-cortex >/dev/null 2>&1 || : + /usr/bin/firewall-cmd --permanent --zone="$zone" --add-service=cortex >/dev/null 2>&1 || : + fi + done + /usr/bin/firewall-cmd --reload >/dev/null 2>&1 || : +fi +: + %files %license LICENSE %doc README.md
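Review bot: the `rm -f /etc/firewalld/services/helexa-cortex.xml` sits outside the `firewall-cmd --state` guard, so on a host where firewalld is installed but not running (or where `/usr/bin/firewall-cmd` is missing) the scriptlet deletes the service definition while leaving every permanent zone binding to `helexa-cortex` in place, which is a worse state than the one being fixed: the zone now references a service definition that no longer exists on disk. Do the zone migration first and remove the file only after no zone references the name, and cover the daemon-stopped case with `firewall-offline-cmd`, which takes the same `--zone=... --query-service=... --remove-service=... --add-service=...` arguments against the permanent config, e.g. `FWCMD="/usr/bin/firewall-offline-cmd"` and `firewall-cmd --state >/dev/null 2>&1 && FWCMD="/usr/bin/firewall-cmd --permanent"` before the loop (the `--reload` then only applies in the running case). Two smaller points on the same hunk: the loop iterates `--get-active-zones` but queries and edits `--permanent` configuration, so a zone that carries a permanent `helexa-cortex` binding but is not currently active (no interface or source bound to it) is skipped and keeps the stale binding; iterating `firewall-cmd --permanent --get-zones` would match the configuration actually being edited. And the comment's claim that the legacy file is a "wrong-port override taking precedence over the vendor `cortex.xml`" is misleading: a file in /etc/firewalld/services/ only overrides a /usr/lib/firewalld/services/ file of the same name, and these names differ; the failure the commit message describes is that the zone exposes `helexa-cortex` (wrong ports) rather than `cortex`, which is what the loop corrects, so the comment should say that.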