Questions[rhel7](server)

I'm looking for the best way to perform regular rolling upgrades for my infrastructure.

Typically, this involves doing this on each host, one at a time:

sudo yum update -y && sudo reboot

But, I'm hitting limits of that being a scalable.

I want to only reboot one node at a time within each of my roles, so that, say, I don't take down all of my load balancers, or DB cluster members, at the same time.

Ideally, I'd wanna do something like:

for role in $(< roles_list.txt) ; do
    mco package update_all_and_reboot \
        --batch 1 --batch-sleep 90 \
        -C $role -F environment=test
done

But, that doesn't quite seem to exist. I'm not sure if using the "shell" agent is the best approach, either?

mco shell run 'yum update -y && reboot' \
    --batch 1 --batch-sleep 90

Am I just looking at the wrong sort of tool for this job, though? Is there something better for managing these sort of rolling reboots, but that I can somehow link up with my Puppet-assigned roles, so that I can be comfortable that I'm not taking down anything important all at once, but that I can still do some parallel updates & reboots?

On RHEL/CentOS 7 I'm trying to create a new SELinux security context for files to support a new service that I'm writing.

I've created a Type Enforcement file for my new service, but I can't manage to create a new type that the system will recognize as a file type.

I'm working based on this CentOS 5 "Building a local policy module" document, which instructs me to create a TE file then use checkmodule and semodule_package to compile it.

If I just write in my TE file:

type myservice_spool_t;

then the TE compiles fine, but when I try to semanage fcontext I get this:

$ sudo semanage fcontext -a -t myservice_spool_t "/var/spool/myservice(/.*)?" 
ValueError: Type myservice_spool_t is invalid, must be a file or device type

I've read various tutorials but failed to find an example that works - everything I look at is either:

• outdated - e.g. This RHEL 4 SELinux documentation page says that one should use type myservice_spool_t, file_type; but checkmodule says: ERROR 'attribute file_type is not declared'
• incomplete - e.g. this answer will have me use the macro file_type() but checkmodule says: ERROR 'This block has no require section.' at token 'files_type'
• or completely missing - e.g. the new SELinux guide for RHEL 7 does not have any information on how to create new policies, except using audit2allow.

The SELinux project website is completely useless as I failed to locate a single working example

I'd appreciate a simple concise example of how to write a TE file that introduces a new type that semanage fcontext will approve of.

[Update]

I found this Gentoo documentation for creating policy files, which some useful explanations and examples.

I have a Redhat server (Red Hat Enterprise Linux Server release 7.2 (Maipo)) that resets iptable rules on re/boot.

According to the version 6 documentation, I execute:

/sbin/service iptables save

which returns:

The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.

If I understand the message correctly, I attempted the following:

sudo systemctl iptables save

which returns:

Unknown operation 'iptables'.

I cannot locate the version 7 documentation on saving ip tables specifically, but previous versions support the same command.

What command should I run to save iptables config?

For reference:

firewall d satatus:

systemctl status firewalld
firewalld.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

Is there a way to determine whether a RHEL7 server was rebooted via systemctl (or reboot / shutdown aliases), or whether the server crashed? Pre-systemd this was fairly easy to determine with last -x runlevel, but with RHEL7 it's not so clear.

At work, the infrastructure team is rolling out new VMs with RHEL7 installed as the base OS. This particular image comes with the nmap-ncat version of Netcat and does not have NMap installed. We are precluded from installing anything on the machines.

Previously, we were using the GNU Netcat which have the -z option to scan a remote host/port to check if it was open. Something like this:

nc -z -v -w 3 remote.host.name 1234

How can I achieve the same check with the new ncat which does not have the -z option on a system where I cannot install nmap?