systemd: Show package updates status on front page

[martinpitt]

Show a summary indicator on the system front page whether the host has
available package updates.

https://bugzilla.redhat.com/show_bug.cgi?id=1495543
Fixes #7758

• land some refactorings - PR packagekit: Some refactoring and fixes #8820
• blacklist tests on rhel-7-4
• reproduce and fix Andreas' TypeError: self.refresh_os_updates_state is not a function
• fix rhsmd SELinux violations on fedora-27
• report and naughty rhsmd SELinux violations on RHEL Atomic (#1556763)
• fix missing Promise polyfill for IE (PR lib: Add missing Promise polyfill for IE #8838)

follow-ups:

• add tooltips (blocked on fixing tooltips in general, issue inconsistent tool tips #8829)
• improve update availability string on dnf where we don't have correct severities: PR systemd: Don't infer package update severity if we don't know #8867

[martinpitt]

Screenshot from my system:

Or for security updates:

Clicking on the link leads to "Software Updates". If cockpit-packagekit is not installed, it's not a link, just text. If the system is not registered:

Again, clicking on it leads to /subscriptions (if installed, otherwise it's just a normal text).

While the updates are loading, there is a spinner icon with "Checking For Updates…". It usually appears < 1 s as this does not have to load any details about the updates. This is also the reason why it does not see the individual Red Hat security update severity classification, but I think this is a worthwhile tradeoff for a massively faster result.

[andreasn]

I tested it on my system, and the Server page said "Bug Fix Updates Available", but when I went to the Software Updates page, it showed me a bunch security updates. I do get and "Oops", so something might be janky.

[andreasn]

The registration notification works as expected!

[martinpitt]

@andreasn: You are on Fedora? cockpit-packagekit has a rather expensive workaround for https://bugs.freedesktop.org/show_bug.cgi?id=101070 . The current system page doesn't currently load all the details from all the updates, so it can't figure this out (it's also just a heuristics by parsing changelogs for CVEs). This should work fine on RHEL.

I don't have known oopses here, can you please post the log of it?

[andreasn]

TypeError: self.refresh_os_updates_state is not a function[Learn More] system.js:3911:14

[martinpitt]

@andreasn: I could reproduce your bug at last. subscription-manager is broken in Fedora 27, I just filed https://bugzilla.redhat.com/show_bug.cgi?id=1555384 . Once I fixed that locally, I got the crash as well, stupid typo :-) Thanks for finding! Fix pushed.

[martinpitt]

Several tests fail on unexpected SELinux violations from rhsmd (example 1, example 2):

audit: type=1400 audit(1521046773.361:302): avc:  denied  { write } for  pid=1850 comm="rhsmd" name="nss" dev="dm-0" ino=12642789 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
audit: type=1400 audit(1521046773.361:302): avc:  denied  { connectto } for  pid=1850 comm="rhsmd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=1400 audit(1521047735.710:5): avc:  denied  { write } for  pid=1506 comm="rhsmd" name="encodings" dev="dm-0" ino=6446470 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=1400 audit(1521047735.744:6): avc:  denied  { write } for  pid=1506 comm="rhsmd" name="dbus" dev="dm-0" ino=12816715 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir

These need to be reported downstream and naughty-ed.

[martinpitt]

rhsm is broken on our fedora-27 image due to a missing dependency, I filed that as https://bugzilla.redhat.com/show_bug.cgi?id=1556738. But I cannot reproduce the various SELinux violations manually, with either a busctl, or directly starting /usr/libexec/rhsmd or even with logging in on cockpit and have that do the d-bus call.

I do get the violations with running testAbrtReport locally, but that's not yet helpful for downstream. At least after sitting after that test cases' failure, the violations happen again straight after logging in. So that test triggers some change on the system.

Update: This is due to the test calling setenforce 0. If I run that plus busctl on subscription-manager, I get the messages.

[martinpitt]

I reported the rhsmd SELinux violations downstream, and added a naughty override. I also removed some obsolete SELinux disablings in the tests.

[andreasn]

Looks good to me!
Awesome work!

[martinpitt]

Ugh, on Windows 8 (with Edge) we get page oopses like mad due to Promise not being defined. Seems we need some polyfills here.. This is only being picked up by the tests now because the front page now calls this.

[martinpitt]

I fixed the Promise oopses with IE in #8838, and included this here to already confirm with CI (tests run fine locally now, and I verified that the subscription/updates status works in IE). Setting to blocked until that PR lands.