Commit graph

7208 commits

Author SHA1 Message Date
Darko Poljak
de11666161 ++changelog 2021-07-18 17:45:19 +02:00
8b160841ad Merge branch 'apt-pin-type' into 'master'
New type: __apt_pin - manage apt pinning

See merge request ungleich-public/cdist!1005
2021-07-18 17:44:04 +02:00
Darko Poljak
5229337611 ++changelog 2021-07-18 17:41:29 +02:00
917a5d1aa8 Merge branch 'ander/__rsync' into 'master'
[__rsync] rewrite

See merge request ungleich-public/cdist!1007
2021-07-18 17:40:51 +02:00
46b5c24cd2
use $__remote_exec for RSYNC_RSH 2021-07-18 16:25:00 +03:00
0e611af2a6
[__rsync] rewrite 2021-07-17 11:44:09 +03:00
Darko Poljak
65c43d3c1d Fix docs code block errors 2021-07-10 21:02:27 +02:00
Darko Poljak
77dab4c5c6 Release 6.9.7 2021-07-10 20:37:02 +02:00
Darko Poljak
3e76d1cd3f ++changelog 2021-07-08 08:09:05 +02:00
b8f601ee15 Merge branch 'rsync-ssh-multiplex' into 'master'
__rsync: Use $__remote_exec and thus the ssh multiplexing

See merge request ungleich-public/cdist!1001
2021-07-08 08:05:52 +02:00
cf0032d667
add messaging and exit earlier 2021-07-07 21:28:00 +03:00
7a5896acfa
add --onchange, fix shellcheck 2021-07-07 21:23:25 +03:00
485283f2e5
new type: __sed 2021-07-07 20:47:22 +03:00
166b58aeea Fix typo in distro names... 2021-07-05 15:32:27 +02:00
521241d741 Refine docs even more 2021-07-05 15:28:05 +02:00
be92731c5c Shell check quoting
We're actually echo-ing the command, hence the escape in front of the
quotes - the issue Shellcheck alludes to would actually occur, had the
escaping backslashes been omitted.
2021-07-05 12:44:09 +01:00
Darko Poljak
853e5cf7b4 ++changelog 2021-07-05 09:07:06 +02:00
d8da298cdf Merge branch '__snakeoil_cert' into 'master'
new type: __snakeoil_cert

See merge request ungleich-public/cdist!1002
2021-07-05 08:59:59 +02:00
fnux
44eeb4bbfc Merge branch 'scanner' into 'master'
usable cdist scan

See merge request ungleich-public/cdist!993
2021-07-05 07:44:28 +02:00
30ba796d06
new type: __snakeoil_cert 2021-07-02 10:09:38 +03:00
Darko Poljak
243a4b904a ++changelog 2021-07-02 06:50:02 +02:00
6528fd1c77 Merge branch 'feature/type/__debconf_set_selections/state-explorer' into 'master'
__debconf set selections: Add state explorer

See merge request ungleich-public/cdist!999
2021-07-02 06:49:24 +02:00
99188b4822 Merge branch '__download_improvements' into 'master'
[__download] improvements

See merge request ungleich-public/cdist!1003
2021-07-02 06:38:15 +02:00
62ea1d2721 Merge branch 'ander/update_readme' into 'master'
update README

See merge request ungleich-public/cdist!1004
2021-07-02 06:33:53 +02:00
a90e642c13
update README 2021-07-01 14:50:40 +03:00
60753ddfcc
fix shellcheck 2021-07-01 14:42:10 +03:00
d937d53f3d Add quotes to rsync command 2021-06-28 18:09:35 +01:00
2db40d8d70 Use $__remote_exec and thus the ssh multiplexing 2021-06-28 12:54:20 +02:00
7b3f268df2
[__download] improvements
1. post download checksum verification
2. detect hashes without prefix
3. add optional --destination
4. updated man
2021-06-22 16:36:30 +03:00
b726697e07 Add documentation 2021-06-11 15:05:33 +01:00
a3102022e1 More sensible defaults; reword debian-only error message 2021-06-11 15:05:17 +01:00
Darko Poljak
c308a28969 ++changelog 2021-06-10 06:39:55 +02:00
02aa88463a Merge branch 'fix/type/__pyvenv/group-explorer' into 'master'
__pyvenv: Fix group explorer

See merge request ungleich-public/cdist!998
2021-06-10 06:37:21 +02:00
Dennis Camera
6ede76b08b [type/__debconf_set_selections] man.rst: Fix line break in AUTHORS 2021-06-08 16:20:55 +02:00
Dennis Camera
d596986af8 [type/__pyvenv] Fix group explorer 2021-05-31 09:06:52 +02:00
Darko Poljak
defa3c22ea ++changelog 2021-05-29 11:21:34 +02:00
d2ce55ea6e Merge branch '__git_fix_group_explorer' into 'master'
[__git] fix group explorer

See merge request ungleich-public/cdist!992
2021-05-29 11:20:20 +02:00
e0c52d0e1d
[scanner] remove mention of non-implemented trigger source script 2021-05-26 11:27:11 +02:00
b8733c65f5
[scanner] fix minor CLI handling and --list bugs / typo 2021-05-26 11:26:35 +02:00
ab10b453f2
[scanner] populate cdist(1) 2021-05-26 11:15:41 +02:00
75c71f69c1
[scanner] pycodestyle compliance 2021-05-26 10:18:12 +02:00
503a06ed28
[__git] fix group explorer
group name from numeric id wasn't resolved correctly.

try to use getent and fallback to reading /etc/group directly.
2021-05-23 13:35:33 +03:00
6210cccb28 ++changelog 2021-05-10 12:34:04 +02:00
f14623e45f ++changelog 2021-05-10 12:17:08 +02:00
81b426e4e2 [__letsencrypt_cert] Revamp explorers, add locking.
Closes #839

See merge request ungleich-public/cdist!976

This patch joins all explorers in one to avoid starting multiple remote python
processes and uses a cdist-specific lock in /tmp/certbot.cdist.lock with a
60 seconds timeout.
2021-05-10 12:10:01 +02:00
a696f3cf00 [__letsencrypt_cert] Revamp explorers, add locking.
This would fix #839

Certbot uses locking [1] even for read-only operations and does not properly
use exit codes, which means that sometimes it would print:
"Another instance of Certbot is already running" and exit with success.

However, the previous explorers would take that as the certificate being absent
and would trigger code generation.

The issue was made worse by having many explorers running certbot, so for N
certificates, we'd run certbot N*4 times, potentially "in parallel".

[1]: https://certbot.eff.org/docs/using.html#id5

This patch joins all explorers in one to avoid starting multiple remote python
processes and uses a cdist-specific lock in /tmp/certbot.cdist.lock with a
60 seconds timeout.

It has been tested with certbot 0.31.0 and 0.17 that the:

    from certbot.main import main

trick works. It is somewhat well documented so it can be somewhat relied upon.
2021-05-10 12:10:00 +02:00
0b05a8f5f7 [__apt_key*] Deprecate __apt_key_uri and improve __apt_key
See: https://code.ungleich.ch/ungleich-public/cdist/-/merge_requests/994

Previously this type was falling back to using the deprecated apt-key(8) by
checking for existence of files/directories on the controller host in
gencode-remote.

Adding `--use-deprecated-apt-key` as an explicit boolean serves two purposes:
1. It prevents fallbacks that might end up doing the wrong thing
   (as was the case)
2. It allows for a simple way to remove keys from the keyring that were
   previously added with apt-key(8) to /etc/apt/trusted.gpg

This parameter is added marked as deprecated as its only intended use is to
migrate to directory-based keyrings as recommended by Debian for a few releases.
It will be removed when Debian 11 stops being supported.

During the review process of this merge request, it was noted that the state of
PGP Key Servers is somewhat suboptimal, that the examples encouraged bad
practice (it is trivial to produce collisions for short key IDs), and that
this use does not require the Web of Trust, but instead only the public key
that is signing the repository.

That is why this also adds `--source` as an argument allowing for in-type or
in-manifest provision of such public keys by the type/manifest maintainer and
the use of Key Servers is still supported, but discouraged.
2021-05-10 12:08:23 +02:00
c00c8c2012 [__apt_key*] Deprecate __apt_key_uri and improve __apt_key
Previously this type was falling back to using the deprecated apt-key(8) by
checking for existence of files/directories on the controller host in
gencode-remote.

Adding `--use-deprecated-apt-key` as an explicit boolean serves two purposes:
1. It prevents fallbacks that might end up doing the wrong thing
   (as was the case)
2. It allows for a simple way to remove keys from the keyring that were
   previously added with apt-key(8) to /etc/apt/trusted.gpg

This parameter is added marked as deprecated as its only intended use is to
migrate to directory-based keyrings as recommended by Debian for a few releases.
It will be removed when Debian 11 stops being supported.

During the review process of this merge request, it was noted that the state of
PGP Key Servers is somewhat suboptimal, that the examples encouraged bad
practice (it is trivial to produce collisions for short key IDs), and that
this use does not require the Web of Trust, but instead only the public key
that is signing the repository.

That is why this also adds `--source` as an argument allowing for in-type or
in-manifest provision of such public keys by the type/manifest maintainer and
the use of Key Servers is still supported, but discouraged.
2021-05-10 12:08:22 +02:00
Dennis Camera
a42ebc7a78 [type/__debconf_set_selections] Synchronise objects
Works around locking error:

	debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable
2021-04-27 19:46:07 +02:00
Darko Poljak
3a25b80466 ++changelog 2021-04-26 21:27:15 +02:00