Commit Graph

7173 Commits

Author SHA1 Message Date
Darko Poljak defa3c22ea ++changelog 2021-05-29 11:21:34 +02:00
poljakowski d2ce55ea6e Merge branch '__git_fix_group_explorer' into 'master'
[__git] fix group explorer

See merge request ungleich-public/cdist!992
2021-05-29 11:20:20 +02:00
fnux e0c52d0e1d
[scanner] remove mention of non-implemented trigger soruce script 2021-05-26 11:27:11 +02:00
fnux b8733c65f5
[scanner] fix minor CLI handling and --list bugs / typo 2021-05-26 11:26:35 +02:00
fnux ab10b453f2
[scanner] populate cdist(1) 2021-05-26 11:15:41 +02:00
fnux 75c71f69c1
[scanner] pycodestyle compliance 2021-05-26 10:18:12 +02:00
ander 503a06ed28
[__git] fix group explorer
group name from numberic id wasn't resolved correctly.

try to use getent and fallback to reading /etc/group directly.
2021-05-23 13:35:33 +03:00
evilham 6210cccb28 ++changelog 2021-05-10 12:34:04 +02:00
evilham f14623e45f ++changelog 2021-05-10 12:17:08 +02:00
evilham 81b426e4e2 [__letsencrypt_cert] Revamp explorers, add locking.
Closes #839

See merge request ungleich-public/cdist!976

This patch joins all explorers in one to avoid starting multiple remote python
processes and uses a cdist-specific lock in /tmp/certbot.cdist.lock with a
60 seconds timeout.
2021-05-10 12:10:01 +02:00
evilham a696f3cf00 [__letsencrypt_cert] Revamp explorers, add locking.
This would fix #839

Certbot uses locking [1] even for read-only operations and does not properly
use exit codes, which means that sometimes it would print:
"Another instance of Certbot is already running" and exit with success.

However, the previous explorers would take that as the certificate being absent
and would trigger code generation.

The issue was made worse by having many explorers running certbot, so for N
certificates, we'd run certbot N*4 times, potentially "in parallel".

[1]: https://certbot.eff.org/docs/using.html#id5

This patch joins all explorers in one to avoid starting multiple remote python
processes and uses a cdist-specific lock in /tmp/certbot.cdist.lock with a
60 seconds timeout.

It has been tested with certbot 0.31.0 and 0.17 that the:

    from certbot.main import main

trick works. It is somewhat well documented so it can be somewhat relied upon.
2021-05-10 12:10:00 +02:00
evilham 0b05a8f5f7 [__apt_key*] Deprecate __apt_key_uri and improve __apt_key
See: https://code.ungleich.ch/ungleich-public/cdist/-/merge_requests/994

Previously this type was falling back to using the deprecated apt-key(8) by
checking for existence of files/directories on the controller host in
gencode-remote.

Adding `--use-deprecated-apt-key` as an explicit boolean serves two purposes:
1. It prevents fallbacks that might end up doing the wrong thing
   (as was the case)
2. It allows for a simple way to remove keys from the keyring that were
   previously added with apt-key(8) to /etc/apt/trusted.gpg

This parameter is added marked as deprecated as is only intended use is to
migrate to directory-based keyrings as recommended by Debian for a few releases.
It will be removed when Debian 11 stops being supported.

During the review process of this merge request, it was noted that the state of
PGP Key Servers is somewhat suboptimal, that the examples encouraged bad
practise (it is trivial to produce collisions for short key IDs), and that 
this use does not require the Web of Trust, but instead only the public key
that is signing the repository.

That is why this also adds `--source` as an argument allowing for in-type or
in-manifest provision of such public keys by the type/manifest maintainer and
the use of Key Servers is still supported, but discouraged.
2021-05-10 12:08:23 +02:00
evilham c00c8c2012 [__apt_key*] Deprecate __apt_key_uri and improve __apt_key
Previously this type was falling back to using the deprecated apt-key(8) by
checking for existence of files/directories on the controller host in
gencode-remote.

Adding `--use-deprecated-apt-key` as an explicit boolean serves two purposes:
1. It prevents fallbacks that might end up doing the wrong thing
   (as was the case)
2. It allows for a simple way to remove keys from the keyring that were
   previously added with apt-key(8) to /etc/apt/trusted.gpg

This parameter is added marked as deprecated as is only intended use is to
migrate to directory-based keyrings as recommended by Debian for a few releases.
It will be removed when Debian 11 stops being supported.

During the review process of this merge request, it was noted that the state of
PGP Key Servers is somewhat suboptimal, that the examples encouraged bad
practise (it is trivial to produce collisions for short key IDs), and that
this use does not require the Web of Trust, but instead only the public key
that is signing the repository.

That is why this also adds `--source` as an argument allowing for in-type or
in-manifest provision of such public keys by the type/manifest maintainer and
the use of Key Servers is still supported, but discouraged.
2021-05-10 12:08:22 +02:00
Dennis Camera a42ebc7a78 [type/__debconf_set_selections] Synchronise objects
Works around locking error:

	debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable
2021-04-27 19:46:07 +02:00
Darko Poljak 3a25b80466 ++changelog 2021-04-26 21:27:15 +02:00
poljakowski 3e190c3481 Merge branch 'feature/type/__postgres/postgres_user-explorer' into 'master'
__postgres_*: Improve OS support and some cleanup

See merge request ungleich-public/cdist!990
2021-04-26 21:26:38 +02:00
Dennis Camera 9cf19388ab [type/__debconf_set_selections] Send message about each debconf setting that is changed 2021-04-26 16:47:44 +02:00
Dennis Camera a4122882f2 [type/__debconf_set_selections] Add state explorer
…and to make it work, replace --file with --line.

--file is deprecated because it does not work with the state explorer as the
contents of the file are not available on the target.
2021-04-26 16:39:51 +02:00
fnux 2232435c22
[scanner] initial documentation
Note: still needs to patch main cdist(1) manpage
2021-04-26 14:39:26 +02:00
fnux 3a9dd5b166
[scanner] add minimal (non-configurable) config mode 2021-04-26 12:09:55 +02:00
fnux 92fff7cb77
[scanner] fix crash on --list with name mapper provided 2021-04-26 12:09:44 +02:00
Dennis Camera 0f05f38384 [type/__postgres_role] Treat --password '' like no --password 2021-04-25 20:01:36 +02:00
Dennis Camera 0d33407b18 [type/__postgres_database] Proper quoting in state explorer 2021-04-25 20:01:36 +02:00
Dennis Camera 8296051653 [type/__postgres_extension] Add state explorer 2021-04-25 20:01:36 +02:00
Dennis Camera 3cf93249c3 [type/__postgres_extension] Include postgres_user explorer from __postgres_conf 2021-04-25 20:01:36 +02:00
Dennis Camera beb8da6d5f [type/__postgres_role] Include postgres_user explorer from __postgres_conf 2021-04-25 20:01:36 +02:00
Dennis Camera 58b279a8d0 [type/__postgres_database] Improve quoting 2021-04-25 20:01:36 +02:00
Dennis Camera 6ac8cbf98f [type/__postgres_database] Include postgres_user explorer from __postgres_conf 2021-04-25 20:01:36 +02:00
Darko Poljak 512e9b23c0 ++changelog 2021-04-25 15:53:40 +02:00
poljakowski 71d79ed6ee Merge branch 'feature/type/__postgres_conf' into 'master'
__postgres_conf: new type

See merge request ungleich-public/cdist!972
2021-04-25 15:49:19 +02:00
fnux 13e2ad175f
[scanner] add host class, name mapper and pre-config logic 2021-04-25 12:45:34 +02:00
fnux bb24d632d6
[scanner] implement the --list flag 2021-04-22 10:20:49 +02:00
fnux a4464209b6
[scanner] add minimal error handling, consolidate CLI args processing 2021-04-22 09:31:06 +02:00
fnux acf9bf91f1
[scanner] error to stderr and exit when scapy is not available 2021-04-22 08:55:14 +02:00
Darko Poljak 1bb696a410 Release 6.9.6 2021-04-20 07:33:07 +02:00
poljakowski 2f05467358 Merge branch 'fix/py-version-check' into 'master'
Fix Python version check

See merge request ungleich-public/cdist!991
2021-04-19 07:02:15 +02:00
Dennis Camera 1c047353a9 [bin/cdist] Fix Python version check 2021-04-17 09:57:10 +02:00
Dennis Camera 19bf37be1a [type/__postgres_conf] Update man.rst 2021-04-15 15:56:15 +02:00
Dennis Camera 686e4f0f2d [type/__postgres_conf] Reverse state logic (decide based on source first) 2021-04-15 15:50:03 +02:00
Dennis Camera bef1433ba3 [type/__postgres_conf] Accept empty values 2021-04-15 15:50:03 +02:00
Dennis Camera 12c2995494 [type/__postgres_conf] Implement complex state compare logic 2021-04-15 15:50:02 +02:00
Dennis Camera e0416403c4 [type/__postgres_conf] Add psql_conf_source function to state explorer 2021-04-15 15:50:02 +02:00
Dennis Camera 2ccc03fef1 [type/__postgres_conf] Add psql_conf_cmp function to state explorer 2021-04-15 15:50:02 +02:00
Dennis Camera 92b8942a8c [type/__postgres_conf] Add psql_exec function to state explorer 2021-04-15 15:50:02 +02:00
Darko Poljak 9ec01d9f97 ++changelog 2021-04-13 12:22:45 +02:00
poljakowski e27e88512b Merge branch '__download_optional_sum' into 'master'
[__download] make --sum optional

See merge request ungleich-public/cdist!989
2021-04-13 12:21:49 +02:00
ander d2eec60668
[__download] make --sum optional 2021-04-11 23:16:00 +03:00
Darko Poljak 750c71fb5a Minor refactoring and remove code duplication 2021-04-07 10:25:26 +02:00
Darko Poljak 199effb7ef Improve unfinished object requirements bool check
When we need only boolean value for unfinished object requirements then
we don't need to determine the whole list of unfinished objects.
2021-04-06 19:35:14 +02:00
Darko Poljak ab811ad282 ++changelog 2021-04-01 15:37:11 +02:00