fix(rpm): migrate legacy helexa-cortex firewalld service to cortex
Some checks failed
build-prerelease / Resolve version stamps (push) Successful in 33s
CI / Format (push) Successful in 1m1s
CI / Clippy (push) Successful in 3m12s
CI / Test (push) Successful in 4m31s
CI / Build cortex SRPM (push) Has been skipped
CI / Build neuron SRPM (push) Has been skipped
CI / Publish cortex to COPR (push) Has been skipped
CI / Publish neuron to COPR (push) Has been skipped
CI / Bump version in source (push) Has been skipped
build-prerelease / Build cortex binary (push) Successful in 4m52s
build-prerelease / Package cortex RPM (push) Successful in 1m18s
build-prerelease / Build neuron-ampere (push) Has been cancelled
build-prerelease / Build neuron-ada (push) Has been cancelled
build-prerelease / Package helexa-neuron-ada RPM (push) Has been cancelled
build-prerelease / Package helexa-neuron-ampere RPM (push) Has been cancelled
build-prerelease / Package helexa-neuron-blackwell RPM (push) Has been cancelled
build-prerelease / Publish to rpm.lair.cafe (unstable) (push) Has been cancelled
build-prerelease / Build neuron-blackwell (push) Has been cancelled

Adds a %posttrans scriptlet to cortex.spec that:

- Removes the stale /etc/firewalld/services/helexa-cortex.xml left
  behind by an older packaging stream that named the service
  `helexa-cortex` and (in some build streams) carried wrong port
  numbers (9301/9302/9304).
- Walks every active firewalld zone; for any zone where the legacy
  helexa-cortex service was enabled, swaps it out for the new
  `cortex` service (which the RPM ships at
  /usr/lib/firewalld/services/cortex.xml with the right
  31313/31314 ports).
- Reloads firewalld so the change takes effect without operator
  intervention.

Operators on whom this happened were silently dropping inbound
connections to cortex on 31313 — the active zone advertised a
helexa-cortex service that listed unrelated ports, masking the
correctly-defined vendor cortex service.

helexa-neuron is unaffected: that spec already ships the vendor
service as helexa-neuron.xml (namespaced from day one) and no
stale /etc override files exist in the fleet.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-22 06:12:51 +03:00
parent e71181499e
commit dc2a803266


@@ -74,6 +74,32 @@ install -Dm644 models.example.toml %{buildroot}%{_sysconfdir}/cortex/models.toml
%postun %postun
%systemd_postun_with_restart cortex.service %systemd_postun_with_restart cortex.service
%posttrans
# Migration: older cortex packages shipped the firewalld service as
# `helexa-cortex` and (in some build streams) with wrong port numbers
# (9301/9302/9304). Operators who enabled that legacy service in their
# zone end up with the wrong-port override taking precedence over the
# vendor `cortex.xml` now in /usr/lib/firewalld/services/. Clean up the
# stale /etc/ override here and migrate any zone bindings to the new
# service name.
if [ -f /etc/firewalld/services/helexa-cortex.xml ]; then
rm -f /etc/firewalld/services/helexa-cortex.xml
fi
if [ -x /usr/bin/firewall-cmd ] && /usr/bin/firewall-cmd --state >/dev/null 2>&1; then
# Drop the legacy service name from every zone where it was enabled
# and add the new `cortex` service in its place. Operators who never
# ran firewall-cmd against either name see no zone change.
for zone in $(/usr/bin/firewall-cmd --get-active-zones 2>/dev/null \
| awk '!/^[[:space:]]/ {print $1}'); do
if /usr/bin/firewall-cmd --permanent --zone="$zone" --query-service=helexa-cortex >/dev/null 2>&1; then
/usr/bin/firewall-cmd --permanent --zone="$zone" --remove-service=helexa-cortex >/dev/null 2>&1 || :
/usr/bin/firewall-cmd --permanent --zone="$zone" --add-service=cortex >/dev/null 2>&1 || :
fi
done
/usr/bin/firewall-cmd --reload >/dev/null 2>&1 || :
fi
:
%files %files
%license LICENSE %license LICENSE
%doc README.md %doc README.md
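Review bot: the %posttrans hunk removes /etc/firewalld/services/helexa-cortex.xml unconditionally before the zone loop runs, but the zone migration itself is gated on `/usr/bin/firewall-cmd --state` succeeding, so on a host where firewalld is installed but not running at upgrade time the permanent zones keep their `helexa-cortex` binding while the only definition of that service has just been deleted. Suggest moving the `rm -f` after the loop so the definition outlives its last binding, and handling the stopped-daemon branch with the permanent-config tool (`firewall-offline-cmd --zone="$zone" --remove-service=helexa-cortex` / `--add-service=cortex`) instead of skipping the migration entirely. Two smaller points in the same hunk: the loop iterates `--get-active-zones` while every query, remove and add is `--permanent`, so a permanent zone that is not currently active but still carries the legacy binding is never migrated (`--permanent --get-zones` lists all permanent zones on one line and needs no awk filter); and because `--reload` discards runtime-only changes, a zone where an operator added `helexa-cortex` without `--permanent` loses the service on reload without gaining `cortex`, which is worth a sentence in the comment block so operators know which configurations the migration covers.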