This will fix if a package will be upgraded from some extras to all
extras. Previously, it will not work because some dependencies of 'all'
are already installed, so the feature 'all' is already installed.
Now, it will use a list of all extras to iterate over them separatly. This
will result it will never install all extras via `[all]`, but rather
`[foo,bar]`.
As the previous detection took the wrong values, this explorer now
checks if packages for an extra are installed or not. If not, the extra
is not installed.
Based on the information of the explorer, it will install the package
again with the absent extras.
Closes#853, see issue for full description / discussion.
Short summary:
- There was about 6.53% chances of `--renewal-hook` not being applied
- Using --automatic-renewal in one cert and not in another was an error.
- It was not possible to use different hooks for different certificates.
- FreeBSD support was utterly broken.
This would fix#839
Certbot uses locking [1] even for read-only operations and does not properly
use exit codes, which means that sometimes it would print:
"Another instance of Certbot is already running" and exit with success.
However, the previous explorers would take that as the certificate being absent
and would trigger code generation.
The issue was made worse by having many explorers running certbot, so for N
certificates, we'd run certbot N*4 times, potentially "in parallel".
[1]: https://certbot.eff.org/docs/using.html#id5
This patch joins all explorers in one to avoid starting multiple remote python
processes and uses a cdist-specific lock in /tmp/certbot.cdist.lock with a
60 seconds timeout.
It has been tested with certbot 0.31.0 and 0.17 that the:
from certbot.main import main
trick works. It is somewhat well documented so it can be somewhat relied upon.
This is a poor implementation of optional dependencies for pip packages.
It ensures to install them if the package will be installed, but does
not take into account if they must be added/removed after the package is
already installed. Also, it will not be autoremoved, as all dependencies
will not be removed.
sshd config: Produce error if invalid config is generated, fix processing of AuthenticationMethods and AuthorizedKeysFile, document explorer bug
See merge request ungleich-public/cdist!968
Previously, cdist would silently swallow the error (no invalid config file was
generated).
Reason: `set -e` does not exit if a command in a sub-command group fails,
it merely returns with a non-zero exit status.
e.g. the following snippet does not abort the script if sshd -t returns with a
non-zero exit status:
set -e
cmp -s old new || {
# check config file and update it
sshd -t -f new \
&& cat new >old
}
or compressed:
set -e
false || { false && true; }
echo $?
# prints 1
