Fixes #37883 - halt if remote DB does not own EVR

[ianballou]

Checks if the postgres user owns the evr extension. If it does, halt the foreman-installer and report an error with the command to run to fix the permissions.

Also check if postgres is the foreman DB owner. In that case, don't do anything because the migration will succeed.

There's no provision if the admin user is called something other than postgres. Should there be?

[ianballou]

To-do: skip the entire hook if the database is local.
Edit: done

[ehelms]

Tested and I see the proper error message:

    2024-10-24 13:55:54 [NOTICE] [root] Loading installer configuration. This will take some time.
    2024-10-24 13:55:56 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
    2024-10-24 13:55:56 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
    2024-10-24 13:55:57 [NOTICE] [checks] System checks passed
    The evr extension is owned by postgres and not the foreman DB owner. Please run the following on the foreman DB to fix it: UPDATE pg_extension SET extowner = (SELECT oid FROM pg_authid WHERE rolname='foreman');
    2024-10-24 13:55:59 [ERROR ] [root] The evr extension is owned by postgres and not the foreman DB owner. Please run the following on the foreman DB to fix it: UPDATE pg_extension SET extowner = (SELECT oid FROM pg_authid WHERE rolname='foreman');

I ran (at least I think I ran) the recommended update UPDATE pg_extension SET extowner = (SELECT oid FROM pg_authid WHERE rolname='foreman'); command on the database but it keeps telling me that things are not correct on the remote database. Any ideas?

I tested this using some new Forklift code to make it easier (theforeman/forklift#1871). This is needed locally to get all the PRs:

diff --git a/pipelines/external_database.yml b/pipelines/external_database.yml
index 1e0021c4..0f1b85c8 100644
--- a/pipelines/external_database.yml
+++ b/pipelines/external_database.yml
@@ -19,6 +19,11 @@
   become: yes
   vars_files:
     - vars/external_database.yml
+  vars:
+    packit_prs:
+      - https://github.com/theforeman/foreman-installer/pull/984
+      - https://github.com/Katello/katello/pull/11159
+    postgresql_use_evr: false
   roles:
     - role: forklift_versions
       scenario: "{{ pipeline_type }}"
@@ -27,6 +32,7 @@
     - role: foreman_server_repositories
     - role: etc_hosts
     - role: update_os_packages
+    - role: packit
     - role: foreman_installer
       foreman_installer_options_internal_use_only:
         - "--foreman-db-manage false"

[ehelms]

From discussion with @ianballou, a check that evr extension will be added to this hook since for fresh installations the EVR extension would not be expected to have been installed.

[ianballou]

@ehelms I fixed up the PR, it should be okay now. I haven't tested it yet for nil outputs, but the nil check there should do the trick.

[ehelms]

@ianballou Can you fix up the rubocop issue?

[ehelms]

We should also add a similar check to foreman-maintain to test the ownership before upgrading for the best user experience.

[ekohl]

At least the logging of the password needs to be addressed.

[ianballou]

@ekohl I believe I've addressed all of your comments. I had to move some methods around to use them in both this hook and the database reset one.

[evgeni]

We should also add a similar check to foreman-maintain to test the ownership before upgrading for the best user experience.

I consider not having this check a blocker, TBH.

[ianballou]

I realized that we don't need to check the evr permissions if the extension does not exist, so I added a check for that earlier in the script.

[ianballou]

Foreman maintain side: theforeman/foreman_maintain#953

[evgeni]

Should be squashed