Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/acme: implement postRun using ExecStartPost #76052

Merged
merged 1 commit into from
Dec 20, 2019

Conversation

brprice
Copy link
Contributor

@brprice brprice commented Dec 19, 2019

Motivation for this change

Consider
security.acme.certs.<name>.postRun = "systemctl reload nginx.service";.
I would expect this to reload the certificates into nginx whenever new ones arrive.
However, it appears this does not happen after 5532065.
That commit changed the systemd service to be Type=oneshot, RemainAfterExit=true, but the postRun commands are implemented as ExecStopPost.
Systemd believes the service is still running, because of RemainAfterExit, and thus will not reload nginx. Moving to ExecStartPost will reload nginx when the new certificates arrive.

Things done

I've built this change and deployed using NixOps, and tested it on the remote server.
I'm happy to do more tests (please yell!), but may need more detailed instructions
(in particular, my machine swiftly OOMs with nix-review, I'm not sure what I'm doing wrong here!)

  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions, and deployed via NixOps
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

In 5532065, acme was changed to be
RemainAfterExit=true, but `postRun` commands are implemented as
`ExecStopPost`. Systemd now considers the service to be still running
after simp_le is finished, so won't run these commands (e.g. to reload
certificates in a webserver). Change `postRun` to use `ExecStartPost` to
ensure the commands are run in a timely manner.
@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Dec 19, 2019
@aanderse
Copy link
Member

ping @arianvp @m1cr0man @petabyteboy

@arianvp
Copy link
Member

arianvp commented Dec 20, 2019

@GrahamcOfBorg test acme

@arianvp
Copy link
Member

arianvp commented Dec 20, 2019

AH good catch. That's also what probably broke the tests on master

@arianvp
Copy link
Member

arianvp commented Dec 20, 2019

Lgtm!

Copy link
Contributor

@m1cr0man m1cr0man left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch :) Looks like a good change. Can't think of any reason this would cause issues.

Copy link
Member

@picnoir picnoir left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉 Nice catch!

@flokli
Copy link
Contributor

flokli commented Dec 20, 2019

Thanks for fixing this!

@flokli flokli merged commit 749857f into NixOS:master Dec 20, 2019
dtzWill pushed a commit to dtzWill/nixpkgs that referenced this pull request Dec 24, 2019
nixos/acme: implement postRun using ExecStartPost

(cherry picked from commit 749857f)
arianvp added a commit to arianvp/nixpkgs that referenced this pull request Apr 15, 2020
This reverts commit 5532065.

As far as I can tell setting RemainAfterExit=true here completely breaks
certificate renewal, which is really bad!

the sytemd timer will activate the service unit every OnCalendar=,
however with RemainAfterExit=true the service is already active! So the
timer doesn't rerun the service!

The commit also broke the actual tests, (As it broke activation too)
but this was fixed later in NixOS#76052
I wrongly assumed that PR fixed renewal too, which it didn't!

testing renewals is hard, as we need to sleep in tests.
arianvp added a commit to arianvp/nixpkgs that referenced this pull request Apr 16, 2020
This reverts commit 5532065.

As far as I can tell setting RemainAfterExit=true here completely breaks
certificate renewal, which is really bad!

the sytemd timer will activate the service unit every OnCalendar=,
however with RemainAfterExit=true the service is already active! So the
timer doesn't rerun the service!

The commit also broke the actual tests, (As it broke activation too)
but this was fixed later in NixOS#76052
I wrongly assumed that PR fixed renewal too, which it didn't!

testing renewals is hard, as we need to sleep in tests.
arianvp added a commit to arianvp/nixpkgs that referenced this pull request Apr 16, 2020
This reverts commit 5532065.

As far as I can tell setting RemainAfterExit=true here completely breaks
certificate renewal, which is really bad!

the sytemd timer will activate the service unit every OnCalendar=,
however with RemainAfterExit=true the service is already active! So the
timer doesn't rerun the service!

The commit also broke the actual tests, (As it broke activation too)
but this was fixed later in NixOS#76052
I wrongly assumed that PR fixed renewal too, which it didn't!

testing renewals is hard, as we need to sleep in tests.
dtzWill pushed a commit to dtzWill/nixpkgs that referenced this pull request May 21, 2020
This reverts commit 5532065.

As far as I can tell setting RemainAfterExit=true here completely breaks
certificate renewal, which is really bad!

the sytemd timer will activate the service unit every OnCalendar=,
however with RemainAfterExit=true the service is already active! So the
timer doesn't rerun the service!

The commit also broke the actual tests, (As it broke activation too)
but this was fixed later in NixOS#76052
I wrongly assumed that PR fixed renewal too, which it didn't!

testing renewals is hard, as we need to sleep in tests.

(cherry picked from commit 5c1c642)
stigok pushed a commit to stigok/nixpkgs that referenced this pull request Jun 12, 2020
This reverts commit 5532065.

As far as I can tell setting RemainAfterExit=true here completely breaks
certificate renewal, which is really bad!

the sytemd timer will activate the service unit every OnCalendar=,
however with RemainAfterExit=true the service is already active! So the
timer doesn't rerun the service!

The commit also broke the actual tests, (As it broke activation too)
but this was fixed later in NixOS#76052
I wrongly assumed that PR fixed renewal too, which it didn't!

testing renewals is hard, as we need to sleep in tests.
@Janik-Haag Janik-Haag added the 12. first-time contribution This PR is the author's first one; please be gentle! label Jun 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux 12. first-time contribution This PR is the author's first one; please be gentle!
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants