Hello community,
here is the log from the commit of package dehydrated for openSUSE:Factory checked in at 2021-03-30 21:23:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dehydrated (Old)
and /work/SRC/openSUSE:Factory/.dehydrated.new.2401 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dehydrated"
Tue Mar 30 21:23:47 2021 rev:22 rq:882190 version:0.7.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/dehydrated/dehydrated.changes 2021-03-05 13:49:35.331857403 +0100
+++ /work/SRC/openSUSE:Factory/.dehydrated.new.2401/dehydrated.changes 2021-03-30 21:50:45.686931158 +0200
@@ -1,0 +2,42 @@
+Tue Mar 30 14:20:42 UTC 2021 - Marcus Rueckert
+
+- Enable instantiated services (boo#1184165)
+
+-------------------------------------------------------------------
+Mon Mar 29 16:18:57 UTC 2021 - Marcus Rueckert
+
+- Prepare instantiated service/timer support but not enable it:
+ This seems to fail due to missing systemd support right now.
+ So the only option at the moment is to copy the timer and unit
+ file for a 2nd instance. Mark all files as part of dehydrated.target
+
+-------------------------------------------------------------------
+Mon Mar 29 16:18:27 UTC 2021 - Marcus Rueckert
+
+- Rework support for /etc/dehydrated/postrun-hooks.d/:
+ dehydrated.service nolonger starts them directly, the support was
+ moved to a separate unit file. Please run:
+
+ systemctl enable dehydrated-postrun-hooks.service
+
+ to restore this functionality
+- Run dehydrated as dehydrated user again
+
+-------------------------------------------------------------------
+Mon Mar 29 16:08:09 UTC 2021 - Marcus Rueckert
+
+- Do not use the full path for config.d in the config files, which
+ will simplify implementing multi instance support.
+
+-------------------------------------------------------------------
+Mon Mar 29 16:07:44 UTC 2021 - Marcus Rueckert
+
+- Added more-examples.patch:
+ Explain how we can have per certificate key algorithms
+
+-------------------------------------------------------------------
+Sun Mar 14 22:29:06 UTC 2021 - Olav Reinert
+
+- Add directory where cleanup can archive unused certificates
+
+-------------------------------------------------------------------
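Review bot: the postrun-hooks entry ("Rework support for /etc/dehydrated/postrun-hooks.d/") describes a behaviour change that takes effect silently on upgrade: until the admin runs `systemctl enable dehydrated-postrun-hooks.service`, the scripts in postrun-hooks.d are no longer started after a run. State that consequence explicitly in the entry so it is not read as an optional step, and fix "nolonger" to "no longer", as README.maintainer already spells it.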
Old:
----
dehydrated.service.in
New:
----
dehydrated-postrun-hooks.service
dehydrated-postrun-hooks@.service
dehydrated.service
dehydrated.target
dehydrated@.service
dehydrated@.timer
more-examples.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ dehydrated.spec ++++++
--- /var/tmp/diff_new_pack.gCUTQr/_old 2021-03-30 21:50:46.798932100 +0200
+++ /var/tmp/diff_new_pack.gCUTQr/_new 2021-03-30 21:50:46.798932100 +0200
@@ -16,6 +16,14 @@
#
+%bcond_without instantiated_service
+%define base_services dehydrated.timer dehydrated.service dehydrated-postrun-hooks.service
+%if %{with instantiated_service}
+%define services dehydrated.target %{base_services} dehydrated@.timer dehydrated@.service dehydrated-postrun-hooks@.service
+%else
+%define services %{base_services}
+%endif
+
%define _challengedir %{_localstatedir}/lib/acme-challenge
%define _user dehydrated
%define _home %{_sysconfdir}/dehydrated
@@ -55,7 +63,7 @@
Source2: acme-challenge.conf.nginx.in
Source4: dehydrated.cron.in
Source5: dehydrated.tmpfiles.d
-Source6: dehydrated.service.in
+Source6: dehydrated.service
Source7: dehydrated.timer
Source9: README.maintainer
Source10: README.Fedora
@@ -63,6 +71,12 @@
Source12: %{name}-%{version}.tar.gz.asc
Source13: %{name}.keyring
Source14: %{name}-rpmlintrc
+Source15: dehydrated@.service
+Source16: dehydrated@.timer
+Source17: dehydrated.target
+Source18: dehydrated-postrun-hooks.service
+Source19: dehydrated-postrun-hooks@.service
+Patch: more-examples.patch
BuildRequires: %{_apache}
Requires: coreutils
Requires: curl
@@ -142,21 +156,22 @@
if [ -e %{_sysconfdir}/dehydrated/config.sh ]; then mv %{_sysconfdir}/dehydrated/config.sh %{_sysconfdir}/dehydrated/config; fi
%if %{with systemd}
-%service_add_pre dehydrated.service dehydrated.timer
+%service_add_pre %{services}
%post
-systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
-%service_add_post dehydrated.service dehydrated.timer
+%tmpfiles_create %{_tmpfilesdir}/%{name}.conf ||:
+%service_add_post %{services}
%preun
-%service_del_preun dehydrated.service dehydrated.timer
+%service_del_preun %{services}
%postun
-%service_del_postun dehydrated.service dehydrated.timer
+%service_del_postun %{services}
%endif
%prep
%setup -q
+%patch -p1
cp %{SOURCE9} .
cp %{SOURCE10} .
@@ -164,7 +179,7 @@
%install
# sensitive keys
-mkdir -p %{buildroot}%{_home}/{accounts,certs,chains}
+mkdir -p %{buildroot}%{_home}/{accounts,archive,certs,chains}
mkdir -p %{buildroot}%{_sbindir}
mkdir -p %{buildroot}%{_mandir}/man1
mkdir -p %{buildroot}%{_home}/config.d
@@ -195,9 +210,20 @@
%if %{with systemd}
install -D -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
# Use timer
-sed "s,@POSTRUNHOOKS_DIR@,%{_postrunhooks},g" %{SOURCE6} > dehydrated.service
-install -D -m 644 dehydrated.service %{buildroot}%{_unitdir}/dehydrated.service
+install -D -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/dehydrated.service
install -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/dehydrated.timer
+install -D -m 644 %{SOURCE18} %{buildroot}%{_unitdir}/dehydrated-postrun-hooks.service
+
+%if %{with instantiated_service}
+install -D -m 644 %{SOURCE15} %{buildroot}%{_unitdir}/dehydrated@.service
+install -D -m 644 %{SOURCE16} %{buildroot}%{_unitdir}/dehydrated@.timer
+install -D -m 644 %{SOURCE19} %{buildroot}%{_unitdir}/dehydrated-postrun-hooks@.service
+install -D -m 644 %{SOURCE17} %{buildroot}%{_unitdir}/dehydrated.target
+%else
+perl -p -i -e 's|PartOf=dehydrated.target\n||g' %{buildroot}%{_unitdir}/*
+
+%endif
+
if [ $(rpm -q --queryformat='%{VERSION}' systemd) -lt 229 ]; then
# No support for this attribute in systemd < v229
sed -i 's/^RandomizedDelaySec/#&/' %{buildroot}%{_unitdir}/dehydrated.timer
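Review bot: the systemd < 229 fallback at the end of this hunk comments out RandomizedDelaySec only in dehydrated.timer, but the dehydrated@.timer installed in the instantiated_service branch carries the same `RandomizedDelaySec=7200` line. Apply the sed to both timer files, for example by matching dehydrated*.timer. Separately, the %else branch runs perl over `%{buildroot}%{_unitdir}/*`; narrowing that glob to dehydrated* keeps it from rewriting anything else that lands in the unit directory.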
@@ -215,7 +241,7 @@
# Adjust config file
perl -p -i -e 's|#LOCKFILE="\$\{BASEDIR\}/lock"|LOCKFILE="%{_lock_dir}/lock"|' %{buildroot}%{_home}/config
-perl -p -i -e 's|#CONFIG_D=|CONFIG_D="%{_home}/config.d"|' %{buildroot}%{_home}/config
+perl -p -i -e 's|#CONFIG_D=|CONFIG_D="\${BASEDIR}/config.d"|' %{buildroot}%{_home}/config
perl -p -i -e 's|#DEHYDRATED_USER=|DEHYDRATED_USER="%{_user}"|' %{buildroot}%{_home}/config
perl -p -i -e 's|#DEHYDRATED_GROUP=|DEHYDRATED_GROUP="%{_user}"|' %{buildroot}%{_home}/config
@@ -232,6 +258,7 @@
%defattr(-,root,root)
%attr(750,root,%{_user}) %dir %{_sysconfdir}/dehydrated
%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/accounts
+%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/archive
%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/certs
%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/chains
%config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/config
@@ -250,8 +277,11 @@
%endif
%if %{with systemd}
%{_tmpfilesdir}/%{name}.conf
-%{_unitdir}/dehydrated.service
-%{_unitdir}/dehydrated.timer
+%{_unitdir}/dehydrated*.service
+%{_unitdir}/dehydrated*.timer
+%if %{with instantiated_service}
+%{_unitdir}/dehydrated.target
+%endif
%if 0%{?suse_version}
%{_sbindir}/rcdehydrated
%endif
++++++ README.maintainer ++++++
--- /var/tmp/diff_new_pack.gCUTQr/_old 2021-03-30 21:50:46.874932164 +0200
+++ /var/tmp/diff_new_pack.gCUTQr/_new 2021-03-30 21:50:46.874932164 +0200
@@ -165,6 +165,19 @@
v0.7.0
------
+Postrun Hooks
+~~~~~~~~~~~~~
+
+dehydrated.service no longer starts scripts in /etc/dehydrated/postrun-hooks.d/
+directly, the support was moved to a separate unit file. Please run
+
+ systemctl enable dehydrated-postrun-hooks.service
+
+to restore this functionality.
+
+This change was required to ensure that the output of the dehydrated script stays
+attached to the dehydrated unit in the journal.
+
Key Algorithm
~~~~~~~~~~~~~
++++++ dehydrated-postrun-hooks.service ++++++
[Unit]
Description=Postrun Hooks Runner for Dehydrated
ConditionPathExists=/etc/dehydrated/postrun-hooks.d
After=dehydrated.service
PartOf=dehydrated.target
[Service]
Type=oneshot
ExecStart=-/usr/bin/find -L /etc/dehydrated/postrun-hooks.d -maxdepth 1 -executable -type f -exec {} \;
User=root
Group=root
[Install]
RequiredBy=dehydrated.service++++++ dehydrated-postrun-hooks@.service ++++++
[Unit]
Description=Postrun Hooks Runner for Dehydrated: %i
ConditionPathExists=/etc/dehydrated-%i/postrun-hooks.d/
After=dehydrated@%i.service
PartOf=dehydrated.target
[Service]
Type=oneshot
ExecStart=-/usr/bin/find -L /etc/dehydrated-%i/postrun-hooks.d/ -maxdepth 1 -executable -type f -exec {} \;
User=root
Group=root
[Install]
RequiredBy=dehydrated@%i.service
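Review bot: both hook runners execute, as `User=root`, every executable that `find -L` reaches in the hooks directory, and `-L` follows symlinks, so the directory and every symlink target must be writable by root only; otherwise the dehydrated user can get code run as root. The spec hunks shown here set ownership for /etc/dehydrated and its key directories but nothing for postrun-hooks.d or for /etc/dehydrated-%i/, so please confirm those paths are root-owned and not group- or world-writable, and drop `-L` if symlinked hooks are not a requirement. The leading `-` on ExecStart also means a failing hook never shows up in the unit state; a short comment in the unit explaining that choice would help.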
++++++ dehydrated.service ++++++
[Unit]
Description=Certificate Update Runner for Dehydrated
ConditionPathExists=/etc/dehydrated/config
After=network-online.target
Wants=acmeresponder.socket
PartOf=dehydrated.target
[Service]
Type=oneshot
ExecStart=/usr/bin/dehydrated --cron
# dehydrated --cron will drop permissions and run critical code as dehydrated user.
User=dehydrated
Group=dehydrated
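Review bot: the comment above `User=dehydrated` still says `dehydrated --cron` will drop permissions, which does not match a unit that already starts as that user; with `User=dehydrated` and `Group=dehydrated` there are no privileges left to drop. Update or remove the comment, and check that DEHYDRATED_USER and DEHYDRATED_GROUP, which the spec still writes into the config, behave correctly when the script is already running as that user.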
++++++ dehydrated.target ++++++
[Unit]
Description=Target to allow restarting and stopping of all parts of dehydrated
PartOf=dehydrated.target
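Review bot: `PartOf=dehydrated.target` inside dehydrated.target makes the target reference itself, which has no useful effect and looks copied from the service units. Drop the line and keep only the Description.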
++++++ dehydrated.timer ++++++
--- /var/tmp/diff_new_pack.gCUTQr/_old 2021-03-30 21:50:47.010932279 +0200
+++ /var/tmp/diff_new_pack.gCUTQr/_new 2021-03-30 21:50:47.010932279 +0200
@@ -1,10 +1,11 @@
[Unit]
-Description=Run Certificate Update Runner for Dehydrated
+Description=Timer for Certificate Update Runner for Dehydrated
+PartOf=dehydrated.target
[Timer]
OnCalendar=daily
# Two hour window
RandomizedDelaySec=7200
-
+
[Install]
WantedBy=timers.target
++++++ dehydrated@.service ++++++
[Unit]
Description=Certificate Update Runner for Dehydrated
ConditionPathExists=/etc/dehydrated/config
After=network-online.target
Wants=acmeresponder.socket
PartOf=dehydrated.target
[Service]
Type=oneshot
ExecStart=/usr/bin/dehydrated --cron --config /etc/dehydrated-%i/config
User=dehydrated
Group=dehydrated
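Review bot: `ConditionPathExists=/etc/dehydrated/config` checks the default instance's config while ExecStart uses `--config /etc/dehydrated-%i/config`, so the condition passes or fails based on the wrong file; it should be `ConditionPathExists=/etc/dehydrated-%i/config`. The Description also lacks `%i`, unlike dehydrated-postrun-hooks@.service, so instances cannot be told apart in unit listings or the journal.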
++++++ dehydrated@.timer ++++++
[Unit]
Description=Timer for Certificate Update Runner for Dehydrated
PartOf=dehydrated.target
[Timer]
OnCalendar=daily
# Two hour window
RandomizedDelaySec=7200
[Install]
WantedBy=timers.target
++++++ more-examples.patch ++++++
Index: dehydrated-0.7.0/docs/domains_txt.md
===================================================================
--- dehydrated-0.7.0.orig/docs/domains_txt.md
+++ dehydrated-0.7.0/docs/domains_txt.md
@@ -34,6 +34,30 @@ under your `CERTDIR`.
example.net www.example.net wiki.example.net > certalias
```
+This allows to set per certificates options. The options you can change are
+explained in [Per Certificate Config](per-certificate-config.md).
+
+If you want to create different certificate types for the same domain
+you can use:
+
+```text
+*.service.example.org service.example.org > star_service_example_org_rsa
+*.service.example.org service.example.org > star_service_example_org_ecdsa
+```
+
+Then add a config file `certs/star_service_example_org_rsa/config` with
+the value
+
+```
+KEY_ALGO="rsa"
+```
+
+or respectively
+
+```
+KEY_ALGO="ecdsa"
+```
+
### Wildcards
Support for wildcards was added by the ACME v2 protocol.
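Review bot: in the added paragraph, "This allows to set per certificates options" is ungrammatical and its "This" has no clear referent right after the code fence; "The alias allows setting per-certificate options" would read better. The path `certs/star_service_example_org_rsa/config` should also say what it is relative to, since the surrounding text speaks of `CERTDIR`, and the two `KEY_ALGO` fences should carry a language tag like the `text` fence above them.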
Index: dehydrated-0.7.0/docs/examples/domains.txt
===================================================================
--- dehydrated-0.7.0.orig/docs/examples/domains.txt
+++ dehydrated-0.7.0/docs/examples/domains.txt
@@ -24,6 +24,15 @@ example.net www.example.net > certalias
# NOTE: It is a certificate for 'service.example.org'
*.service.example.org service.example.org > star_service_example_org
+# Optionally you can also append the certificate algorithm here to create
+# multiple certificate types for the same domain.
+#
+# This allows to set per certificates options. The options you can change are
+# explained in [domains.txt documentation](domains_txt.md).
+#
+*.service.example.org service.example.org > star_service_example_org_rsa
+*.service.example.org service.example.org > star_service_example_org_ecdsa
+
# Create a certificate for 'service.example.net' with an alternative name of
# '*.service.example.net' (which is a wildcard domain) and store it in the
# directory ${CERTDIR}/service.example.net
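Review bot: the comment "append the certificate algorithm here" suggests that the `_rsa` / `_ecdsa` suffix selects the key type, but per the domains_txt.md change the alias is only a name and the algorithm comes from `KEY_ALGO` in the per-certificate config file; say so, or a reader may end up with two certificates using the same default algorithm. The markdown link `[domains.txt documentation](domains_txt.md)` does not render in a plain-text example file; give the document name as plain text instead.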