Closes #839
See merge request ungleich-public/cdist!976
This patch joins all explorers in one to avoid starting multiple remote python
processes and uses a cdist-specific lock in /tmp/certbot.cdist.lock with a
60 seconds timeout.
This would fix #839
Certbot uses locking [1] even for read-only operations and does not properly
use exit codes, which means that sometimes it would print:
"Another instance of Certbot is already running" and exit with success.
However, the previous explorers would take that as the certificate being absent
and would trigger code generation.
The issue was made worse by having many explorers running certbot, so for N
certificates, we'd run certbot N*4 times, potentially "in parallel".
[1]: https://certbot.eff.org/docs/using.html#id5
This patch joins all explorers in one to avoid starting multiple remote python
processes and uses a cdist-specific lock in /tmp/certbot.cdist.lock with a
60 seconds timeout.
It has been tested with certbot 0.31.0 and 0.17 that the:
    from certbot.main import main
trick works. It is somewhat well documented so it can be somewhat relied upon.
Previously this type was falling back to using the deprecated apt-key(8) by
checking for existence of files/directories on the controller host in
gencode-remote.
Adding `--use-deprecated-apt-key` as an explicit boolean serves two purposes:
1. It prevents fallbacks that might end up doing the wrong thing
(as was the case)
2. It allows for a simple way to remove keys from the keyring that were
previously added with apt-key(8) to /etc/apt/trusted.gpg
This parameter is added marked as deprecated as its only intended use is to
migrate to directory-based keyrings as recommended by Debian for a few releases.
It will be removed when Debian 11 stops being supported.
During the review process of this merge request, it was noted that the state of
PGP Key Servers is somewhat suboptimal, that the examples encouraged bad
practice (it is trivial to produce collisions for short key IDs), and that
this use does not require the Web of Trust, but instead only the public key
that is signing the repository.
That is why this also adds `--source` as an argument allowing for in-type or
in-manifest provision of such public keys by the type/manifest maintainer and
the use of Key Servers is still supported, but discouraged.
…and to make it work, replace --file with --line.
--file is deprecated because it does not work with the state explorer as the
contents of the file are not available on the target.
This will fix the case where a package is upgraded from some extras to all
extras. Previously, it did not work because some dependencies of 'all'
are already installed, so the feature 'all' is already installed.
Now, it will use a list of all extras to iterate over them separately. As a
result, it will never install all extras via `[all]`, but rather
`[foo,bar]`.
As the previous detection took the wrong values, this explorer now
checks if packages for an extra are installed or not. If not, the extra
is not installed.
Based on the information of the explorer, it will install the package
again with the absent extras.
Closes #853, see issue for full description / discussion.
Short summary:
- There was about a 6.53% chance of `--renewal-hook` not being applied
- Using --automatic-renewal in one cert and not in another was an error.
- It was not possible to use different hooks for different certificates.
- FreeBSD support was utterly broken.
This is a poor implementation of optional dependencies for pip packages.
It ensures to install them if the package will be installed, but does
not take into account if they must be added/removed after the package is
already installed. Also, it will not be autoremoved, as all dependencies
will not be removed.
Previously, cdist would silently swallow the error (no invalid config file was
generated).
Reason: `set -e` does not exit if a command in a sub-command group fails,
it merely returns with a non-zero exit status.
e.g. the following snippet does not abort the script if sshd -t returns with a
non-zero exit status:
    set -e
    cmp -s old new || {
        # check config file and update it
        sshd -t -f new \
        && cat new >old
    }
or compressed:
    set -e
    false || { false && true; }
    echo $?
    # prints 1
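The `set -e` behaviour described in the commit message above, shown next to a hardened form; this is an added example, not code from the cdist commit. `check` is a constructed stand-in for `sshd -t -f`, and `PRELUDE`, `FRAGILE`, `HARDENED` and `run_variant` are hypothetical names.

```sh
#!/bin/sh
# Shared prelude for both variants. check() is a constructed stand-in for
# `sshd -t -f FILE` (assumption): a config containing INVALID is rejected.
PRELUDE='set -e
check() { ! grep -q INVALID "$1"; }
'

# Pattern from the commit message: the validator fails inside "A || { B && C; }",
# where set -e is ignored, so the script carries on and exits 0.
FRAGILE='cmp -s old new || {
    check new && cat new >old
}
echo "later steps still run, status was $?"'

# Hardened form: test the validator explicitly and exit non-zero on failure.
HARDENED='if ! cmp -s old new; then
    check new || { echo "new config rejected" >&2; exit 1; }
    cat new >old
fi'

# Run one variant in a fresh shell inside a scratch directory.
# $1 = script body, $2 = contents of the candidate config (constructed input).
# Prints the child exit status and whether the candidate replaced the old file.
run_variant() {
    dir=$(mktemp -d)
    printf 'Port 22\n' >"$dir/old"
    printf '%s\n' "$2" >"$dir/new"
    rc=0
    (cd "$dir" && sh -c "$PRELUDE$1") >/dev/null 2>&1 || rc=$?
    if cmp -s "$dir/old" "$dir/new"; then installed=yes; else installed=no; fi
    rm -rf "$dir"
    echo "exit=$rc installed=$installed"
}

run_variant "$FRAGILE"  'Port INVALID'   # exit=0 installed=no  (failure hidden)
run_variant "$HARDENED" 'Port INVALID'   # exit=1 installed=no  (failure reported)
run_variant "$HARDENED" 'Port 2222'      # exit=0 installed=yes
```

In both variants the rejected config is never installed; the difference is that only the hardened form surfaces the failure to the caller as a non-zero exit status.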
As discussed in the chat, this type now supports a broader list of OSes
which it supports backports for. Because of this, it was renamed to
something more generic. "apt" should fit in.
Because the sourced explorer can't be detected by shellcheck, it will be
completely disabled. Changing the path to /etc/os-release isn't
deterministic either.
The shellcheck wiki page suggests to use `source=/dev/null` instead of
`disable=SC1090`, but it was chosen to completely avoid that check ..
Because the function already exists, it will be used for the file to be
changed, too. Therefore, no quotes are required for that value.
The prefix and suffix match was also improved: There is no regex check
any more (the regex checked the whole line); instead it will do it
simply.
This changes the here-document to not interpret any shell-things. It
also single-quotes some more strings that are printed to code-remote.
Fixes #838
Because it currently only supports IPv4. To implement this, it falls back
to IPv4 for backward compatibility, but now supports rules for IPv6 and
both protocols at the same time.