[debian-edu-commits] [Git][debian-edu/debian-edu-config][personal/gber/fetch-rootca-cert-net-fix] 2 commits: Disable cf-execd on installation
Mike Gabriel (@sunweaver)
gitlab at salsa.debian.org
Fri Aug 18 15:42:19 BST 2023
Mike Gabriel pushed to branch personal/gber/fetch-rootca-cert-net-fix at Debian Edu / debian-edu-config
Commits:
75b4e3f7 by Guido Berhoerster at 2023-08-18T08:16:28+02:00
Disable cf-execd on installation
Currently cf-execd is enabled by default if systemd is used (see #1043353) but
the agent should only be run on installation. (Closes #1041323)
- - - - -
8412a3d9 by Guido Berhoerster at 2023-08-18T14:42:15+00:00
Do not attempt to fetch the rootCA cert outside of a DebianEdu network
An error should only be reported if the machine is inside a DebianEdu network,
i.e. www.intern is resolvable, but the download fails. (Closes: #1008599)
- - - - -
4 changed files:
- Makefile
- + cf3/cf.cf-execd
- cf3/promises.cf
- share/debian-edu-config/tools/fetch-rootca-cert
Changes:
=====================================
Makefile
=====================================
@@ -52,6 +52,7 @@ wwwdir = /etc/debian-edu/www
CF3FILES = \
cf.adduser \
cf.apache2 \
+ cf.cf-execd \
cf.cups \
cf.desktop-networked \
cf.dhcpserver \
=====================================
cf3/cf.cf-execd
=====================================
@@ -0,0 +1,15 @@
+bundle agent cf_execd
+{
+# Disable cf-execd which is enabled by default when systemd is used (#1043353)
+
+services:
+
+ debian.systemd.(server|ltspserver).installation::
+
+ "cf-execd.service"
+ service_policy => "stop";
+
+ "cf-execd.service"
+ service_policy => "disable";
+
+}
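Review bot: The class guard `debian.systemd.(server|ltspserver).installation::` limits the promise to the server and ltspserver profiles, while the commit message and the comment at the top of the bundle describe cf-execd as enabled by default whenever systemd is used. If other profiles can also end up with the service enabled, it stays enabled there; either widen the guard or state in the comment why only these two classes are affected. The two promises share the promiser `"cf-execd.service"` with different `service_policy` values, so a one-line comment on why both "stop" and "disable" are needed would help the next reader.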
=====================================
cf3/promises.cf
=====================================
@@ -28,6 +28,7 @@ body common control
bundlesequence => {
edu,
+ cf_execd,
permission_homes,
editline_homes,
editline_bind,
@@ -70,9 +71,11 @@ body common control
"lib/common.cf",
"lib/commands.cf",
"lib/files.cf",
+ "lib/services.cf",
"debian-edu/cf.adduser",
"debian-edu/cf.apache2",
"debian-edu/cf.bind",
+ "debian-edu/cf.cf-execd",
"debian-edu/cf.chromium",
"debian-edu/cf.cups",
"debian-edu/cf.samba",
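Review bot: `"lib/services.cf"` is added to the inputs here, but neither commit message mentions it and it is not among the four changed files, so this relies on the file already being shipped at that path. Please confirm it is installed wherever promises.cf is evaluated, and if the `services:` promises in cf.cf-execd are the reason for the include, say so in the commit message.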
=====================================
share/debian-edu-config/tools/fetch-rootca-cert
=====================================
@@ -25,36 +25,44 @@ case $PROFILE in
;;
esac
-if [ ! -f $LOCALCACRT ] || [ ! -s $LOCALCACRT ] ; then
- # Since Debian Edu 10, the RootCA file is distributed
- # over http (always via the host serving www.intern, by default: TJENER)
- #
- # We do an availability check for the webserver first, to provide proper
- # error reporting (see below). So, the following check merely discovers,
- # if the webserver is online at all.
- if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
- # Now let's see if the webserver has the "Debian Edu RootCA" file.
- # This has been the case for Debian Edu main servers (TJENER) since
- # Debian Edu 10.1.
- if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
- grep -q CERTIFICATE $LOCALCACRT ; then
- # Make rootCA certificate available in /etc/ssl/certs/
- ln -nsf $LOCALCACRT $ROOTCACRT
- # Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
- update-ca-certificates
- logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
- else
- # Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
- # 404 http error message in html.
- rm -f $LOCALCACRT
- rm -f $ROOTCACRT
- logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
- fi
+if [ -f $LOCALCACRT ] && [ -s $LOCALCACRT ] ; then
+ # The cert file already exists, nothing to do.
+ exit 0
+fi
+
+if [ -z "$(dig +short A www.intern)" ] ; then
+ # If the main server is not resolvable, we are not part of a DebianEdu
+ # network, no need to report an error.
+ exit 0
+fi
+
+# Since Debian Edu 10, the RootCA file is distributed
+# over http (always via the host serving www.intern, by default: TJENER)
+#
+# We do an availability check for the webserver first, to provide proper
+# error reporting (see below). So, the following check merely discovers,
+# if the webserver is online at all.
+if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
+ # Now let's see if the webserver has the "Debian Edu RootCA" file.
+ # This has been the case for Debian Edu main servers (TJENER) since
+ # Debian Edu 10.1.
+ if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
+ grep -q CERTIFICATE $LOCALCACRT ; then
+ # Make rootCA certificate available in /etc/ssl/certs/
+ ln -nsf $LOCALCACRT $ROOTCACRT
+ # Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
+ update-ca-certificates
+ logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
else
- # Report an error, if www.intern is down http-wise. This can happen and is probably
- # a temporary problem that needs an admin to fix it.
- log_action_end_msg 1
- logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
- exit 1
+ # Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
+ # 404 http error message in html.
+ rm -f $LOCALCACRT
+ rm -f $ROOTCACRT
+ logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
fi
+else
+ # Report an error, if www.intern is down http-wise. This can happen and is probably
+ # a temporary problem that needs an admin to fix it.
+ logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
+ exit 1
fi
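Review bot: The new gate `[ -z "$(dig +short A www.intern)" ]` exits 0 whenever dig prints nothing, which also covers dig not being installed or the lookup failing for a transient reason, so on a real Debian Edu client the certificate would silently never be fetched and nothing is logged. Check that the tool exists first or use a lookup that is always available (for example `getent hosts www.intern`, which also covers non-A answers), and emit a `logger` line before the early `exit 0`. Two further points in the same hunk: the rewritten final else branch no longer calls `log_action_end_msg 1` before `exit 1`, which the commit message does not mention; and the download still runs as `curl -fk` with `grep -q CERTIFICATE` as the only content check before `update-ca-certificates`, so name resolution plus an unverified TLS fetch decide what becomes a system-wide trust anchor. Parsing the file as an X.509 certificate, or comparing it against a provisioned fingerprint, before the `ln -nsf` would be a sensible follow-up.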
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/499e86f464c15229590d4eeb6cb03e9cbdf5a72b...8412a3d917233ac414b05315f3dc95275bcb75b9