SELinux module installation should have optional retry mechanism
Recently we encountered random failures on attempts to install GitLab SELinux policies due to the SELinux trans lock being locked, presumably by another process:
Recipe: gitlab::selinux
* execute[semodule -i /opt/gitlab/embedded/selinux/gitlab-7.2.0-ssh-keygen.pp] action run
[execute] libsemanage.semanage_get_lock: Could not get direct transaction lock at /var/lib/selinux/targeted/semanage.trans.LOCK. (Resource temporarily unavailable).
semodule: Failed on /opt/gitlab/embedded/selinux/gitlab-7.2.0-ssh-keygen.pp!
================================================================================
Error executing action `run` on resource 'execute[semodule -i /opt/gitlab/embedded/selinux/gitlab-7.2.0-ssh-keygen.pp]'
================================================================================
Mixlib::ShellOut::ShellCommandFailed
------------------------------------
Expected process to exit with [0], but received '1'
---- Begin output of semodule -i /opt/gitlab/embedded/selinux/gitlab-7.2.0-ssh-keygen.pp ----
STDOUT:
STDERR: libsemanage.semanage_get_lock: Could not get direct transaction lock at /var/lib/selinux/targeted/semanage.trans.LOCK. (Resource temporarily unavailable).
semodule: Failed on /opt/gitlab/embedded/selinux/gitlab-7.2.0-ssh-keygen.pp!
---- End output of semodule -i /opt/gitlab/embedded/selinux/gitlab-7.2.0-ssh-keygen.pp ----
Ran semodule -i /opt/gitlab/embedded/selinux/gitlab-7.2.0-ssh-keygen.pp returned 1
Resource Declaration:
---------------------
# In /opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab/recipes/selinux.rb
45: execute "semodule -i /opt/gitlab/embedded/selinux/#{ssh_keygen_module}.pp" do
46: not_if "getenforce | grep Disabled"
47: not_if "semodule -l | grep -E '^#{ssh_keygen_module}([[:space:]]|$)'"
48: end
49:
gitlab-reconfigure was able to install the module on a subsequent run, but I think it would be beneficial to add retries on this action in the omnibus SELinux cookbooks, as by the nature of the issue it is close to impossible to find the other SELinux command which is holding the lock at the time when gitlab-reconfigure is trying to install the policies.
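A sketch of the retry behaviour requested above, as an added example that is not GitLab's or the cookbook's own code: it retries only when stderr carries the libsemanage lock message from the log, so a genuinely broken policy module still fails on the first attempt. The names `run_with_lock_retry` and `fake_semodule` are hypothetical, and the stand-in runner is constructed so the block runs without `semodule` installed.

```ruby
require 'open3'

# Message libsemanage prints when another process holds the transaction lock
# (taken from the log in the report above).
LOCK_ERROR = /Could not get direct transaction lock/

# Run cmd (an argv array), retrying only when stderr shows lock contention.
# Any other failure is returned at once, so retries never mask a bad module.
# Returns [success?, attempts_made, last_stderr].
def run_with_lock_retry(cmd, retries: 5, delay: 2.0, runner: nil, sleeper: nil)
  runner ||= lambda do |argv|
    _out, err, status = Open3.capture3(*argv)
    [status.success?, err]
  end
  sleeper ||= ->(seconds) { sleep(seconds) }
  attempts = 0
  loop do
    attempts += 1
    ok, err = runner.call(cmd)
    return [true, attempts, err] if ok
    transient = err =~ LOCK_ERROR
    return [false, attempts, err] unless transient && attempts <= retries
    sleeper.call(delay * attempts) # linear back-off between attempts
  end
end

# Constructed stand-in for semodule: fails `failures` times with `message`,
# then succeeds. Lets the retry logic be exercised on any machine.
def fake_semodule(failures, message)
  calls = 0
  lambda do |_argv|
    calls += 1
    calls <= failures ? [false, message] : [true, '']
  end
end

if __FILE__ == $PROGRAM_NAME
  lock_msg = 'libsemanage.semanage_get_lock: Could not get direct transaction lock ' \
             'at /var/lib/selinux/targeted/semanage.trans.LOCK. (Resource temporarily unavailable).'
  cmd = %w[semodule -i /opt/gitlab/embedded/selinux/gitlab-7.2.0-ssh-keygen.pp]
  ok, attempts, = run_with_lock_retry(cmd, runner: fake_semodule(2, lock_msg), sleeper: ->(_) {})
  puts "lock contention: success=#{ok} after #{attempts} attempts"
  ok, attempts, = run_with_lock_retry(cmd, runner: fake_semodule(9, 'invalid module'), sleeper: ->(_) {})
  puts "other failure:   success=#{ok} after #{attempts} attempt"
end
```

Inside a recipe, Chef's common `retries` and `retry_delay` resource properties give a simpler form of the same behaviour, but they retry on any non-zero exit rather than only on lock contention.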