[__letsencrypt_cert] Revamp explorers, add locking.
Closes #839 See merge request ungleich-public/cdist!976 This patch joins all explorers in one to avoid starting multiple remote python processes and uses a cdist-specific lock in /tmp/certbot.cdist.lock with a 60 seconds timeout.
This commit is contained in:
		
				commit
				
					
						81b426e4e2
					
				
			
		
					 7 changed files with 87 additions and 42 deletions
				
			
		|  | @ -1,3 +0,0 @@ | ||||||
| #!/bin/sh -e |  | ||||||
| 
 |  | ||||||
| command -v certbot 2>/dev/null || true |  | ||||||
							
								
								
									
										78
									
								
								cdist/conf/type/__letsencrypt_cert/explorer/certificate-data
									
										
									
									
									
										Executable file
									
								
							
							
						
						
									
										78
									
								
								cdist/conf/type/__letsencrypt_cert/explorer/certificate-data
									
										
									
									
									
										Executable file
									
								
							|  | @ -0,0 +1,78 @@ | ||||||
|  | #!/bin/sh -e | ||||||
|  | certbot_path="$(command -v certbot 2>/dev/null || true)" | ||||||
|  | # Defaults | ||||||
|  | certificate_exists="no" | ||||||
|  | certificate_is_test="no" | ||||||
|  | 
 | ||||||
|  | if [ -n "${certbot_path}" ]; then | ||||||
|  | 	# Find python executable that has access to certbot's module | ||||||
|  | 	python_path=$(sed -n '1s/^#! *//p' "${certbot_path}") | ||||||
|  | 
 | ||||||
|  | 	# Use a lock for cdist due to certbot not exiting with failure | ||||||
|  | 	# or having any flags for concurrent use. | ||||||
|  | 	_certbot() { | ||||||
|  | 		${python_path} - 2>/dev/null <<EOF | ||||||
|  | from certbot.main import main | ||||||
|  | import fcntl | ||||||
|  | lock_file = "/tmp/certbot.cdist.lock" | ||||||
|  | timeout=60 | ||||||
|  | with open(lock_file, 'w') as fd: | ||||||
|  |     for i in range(timeout): | ||||||
|  |         try: | ||||||
|  |             # Get exclusive lock | ||||||
|  |             fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB) | ||||||
|  |             break | ||||||
|  |         except: | ||||||
|  |             # Wait if that fails | ||||||
|  |             import time | ||||||
|  |             time.sleep(1) | ||||||
|  |     else: | ||||||
|  |         # Timed out, exit with failure | ||||||
|  |         import sys | ||||||
|  |         sys.exit(1) | ||||||
|  |     # Do list certificates | ||||||
|  |     main(["certificates", "--cert-name", "${__object_id:?}"]) | ||||||
|  | EOF | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | 	_certificate_exists() { | ||||||
|  | 		if grep -q "  Certificate Name: ${__object_id:?}$"; then | ||||||
|  | 			echo yes | ||||||
|  | 		else | ||||||
|  | 			echo no | ||||||
|  | 		fi | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	_certificate_is_test() { | ||||||
|  | 		if grep -q 'INVALID: TEST_CERT'; then | ||||||
|  | 			echo yes | ||||||
|  | 		else | ||||||
|  | 			echo no | ||||||
|  | 		fi | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	_certificate_domains() { | ||||||
|  | 		grep '    Domains: ' | cut -d ' ' -f 6- | tr ' ' '\n' | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	# Get data about all available certificates | ||||||
|  | 	certificates="$(_certbot)" | ||||||
|  | 
 | ||||||
|  | 	# Check whether or not the certificate exists | ||||||
|  | 	certificate_exists="$(echo "${certificates}" | _certificate_exists)" | ||||||
|  | 
 | ||||||
|  | 	# Check whether or not the certificate is for testing | ||||||
|  | 	certificate_is_test="$(echo "${certificates}" | _certificate_is_test)" | ||||||
|  | 
 | ||||||
|  | 	# Get domains for certificate | ||||||
|  | 	certificate_domains="$(echo "${certificates}" | _certificate_domains)" | ||||||
|  | fi | ||||||
|  | 
 | ||||||
|  | # Return received data | ||||||
|  | cat <<EOF | ||||||
|  | certbot_path:${certbot_path} | ||||||
|  | certificate_exists:${certificate_exists} | ||||||
|  | certificate_is_test:${certificate_is_test} | ||||||
|  | ${certificate_domains} | ||||||
|  | EOF | ||||||
|  | @ -1,8 +0,0 @@ | ||||||
| #!/bin/sh -e |  | ||||||
| 
 |  | ||||||
| certbot_path=$("${__type_explorer}/certbot-path") |  | ||||||
| if [ -n "${certbot_path}" ] |  | ||||||
| then |  | ||||||
| 	certbot certificates --cert-name "${__object_id:?}" | grep '    Domains: ' | \ |  | ||||||
| 		cut -d ' ' -f 6- | tr ' ' '\n' |  | ||||||
| fi |  | ||||||
|  | @ -1,13 +0,0 @@ | ||||||
| #!/bin/sh -e |  | ||||||
| 
 |  | ||||||
| certbot_path=$("${__type_explorer}/certbot-path") |  | ||||||
| if [ -n "${certbot_path}" ] |  | ||||||
| then |  | ||||||
| 	if certbot certificates | grep -q "  Certificate Name: ${__object_id:?}$"; then |  | ||||||
| 		echo yes |  | ||||||
| 	else |  | ||||||
| 		echo no |  | ||||||
| 	fi |  | ||||||
| else |  | ||||||
| 	echo no |  | ||||||
| fi |  | ||||||
|  | @ -1,14 +0,0 @@ | ||||||
| #!/bin/sh -e |  | ||||||
| 
 |  | ||||||
| certbot_path=$("${__type_explorer}/certbot-path") |  | ||||||
| if [ -n "${certbot_path}" ] |  | ||||||
| then |  | ||||||
| 	if certbot certificates --cert-name "${__object_id:?}" | \ |  | ||||||
| 		grep -q 'INVALID: TEST_CERT'; then |  | ||||||
| 		echo yes |  | ||||||
| 	else |  | ||||||
| 		echo no |  | ||||||
| 	fi |  | ||||||
| else |  | ||||||
| 	echo no |  | ||||||
| fi |  | ||||||
|  | @ -1,6 +1,10 @@ | ||||||
| #!/bin/sh -e | #!/bin/sh -e | ||||||
| 
 | 
 | ||||||
| certificate_exists=$(cat "${__object:?}/explorer/certificate-exists") | _explorer_var() { | ||||||
|  | 	grep "^$1:" "${__object:?}/explorer/certificate-data" | cut -d ':' -f 2- | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | certificate_exists="$(_explorer_var certificate_exists)" | ||||||
| name="${__object_id:?}" | name="${__object_id:?}" | ||||||
| state=$(cat "${__object}/parameter/state") | state=$(cat "${__object}/parameter/state") | ||||||
| 
 | 
 | ||||||
|  | @ -29,8 +33,9 @@ case "${state}" in | ||||||
| 		fi | 		fi | ||||||
| 
 | 
 | ||||||
| 		if [ "${certificate_exists}" = "yes" ]; then | 		if [ "${certificate_exists}" = "yes" ]; then | ||||||
| 			existing_domains="${__object}/explorer/certificate-domains" | 			existing_domains=$(mktemp "${TMPDIR:-/tmp}/existing_domains.cdist.XXXXXXXXXX") | ||||||
| 			certificate_is_test=$(cat "${__object}/explorer/certificate-is-test") | 			tail -n +4 "${__object:?}/explorer/certificate-data" | grep -v '^$' > "${existing_domains}" | ||||||
|  | 			certificate_is_test="$(_explorer_var certificate_is_test)" | ||||||
| 
 | 
 | ||||||
| 			sort -uo "${requested_domains}" "${requested_domains}" | 			sort -uo "${requested_domains}" "${requested_domains}" | ||||||
| 			sort -uo "${existing_domains}" "${existing_domains}" | 			sort -uo "${existing_domains}" "${existing_domains}" | ||||||
|  |  | ||||||
|  | @ -1,6 +1,6 @@ | ||||||
| #!/bin/sh | #!/bin/sh | ||||||
| 
 | 
 | ||||||
| certbot_fullpath="$(cat "${__object:?}/explorer/certbot-path")" | certbot_fullpath="$(grep "^certbot_path:" "${__object:?}/explorer/certificate-data" | cut -d ':' -f 2-)" | ||||||
| state=$(cat "${__object}/parameter/state") | state=$(cat "${__object}/parameter/state") | ||||||
| os="$(cat "${__global:?}/explorer/os")" | os="$(cat "${__global:?}/explorer/os")" | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue