nixos/acme: implement postRun using ExecStartPost #76052
Conversation
In 5532065, acme was changed to be RemainAfterExit=true, but `postRun` commands are implemented as `ExecStopPost`. Systemd now considers the service to be still running after simp_le is finished, so it won't run these commands (e.g. to reload certificates in a webserver). Change `postRun` to use `ExecStartPost` to ensure the commands are run in a timely manner.
@GrahamcOfBorg test acme
Ah, good catch. That's also what probably broke the tests on master.
LGTM!
Nice catch :) Looks like a good change. Can't think of any reason this would cause issues.
🎉 Nice catch!
Thanks for fixing this!
nixos/acme: implement postRun using ExecStartPost (cherry picked from commit 749857f)
This reverts commit 5532065. As far as I can tell setting RemainAfterExit=true here completely breaks certificate renewal, which is really bad! The systemd timer will activate the service unit every OnCalendar=, however with RemainAfterExit=true the service is already active! So the timer doesn't rerun the service! The commit also broke the actual tests (as it broke activation too), but this was fixed later in NixOS#76052. I wrongly assumed that PR fixed renewal too, which it didn't! Testing renewals is hard, as we need to sleep in tests.
This reverts commit 5532065. As far as I can tell setting RemainAfterExit=true here completely breaks certificate renewal, which is really bad! The systemd timer will activate the service unit every OnCalendar=, however with RemainAfterExit=true the service is already active! So the timer doesn't rerun the service! The commit also broke the actual tests (as it broke activation too), but this was fixed later in NixOS#76052. I wrongly assumed that PR fixed renewal too, which it didn't! Testing renewals is hard, as we need to sleep in tests. (cherry picked from commit 5c1c642)
Motivation for this change
Consider `security.acme.certs.<name>.postRun = "systemctl reload nginx.service";`. I would expect this to reload the certificates into nginx whenever new ones arrive. However, it appears this does not happen after 5532065. That commit changed the systemd service to be `Type=oneshot, RemainAfterExit=true`, but the `postRun` commands are implemented as `ExecStopPost`. Systemd believes the service is still running, because of `RemainAfterExit`, and thus will not reload nginx. Moving to `ExecStartPost` will reload nginx when the new certificates arrive.
Things done
I've built this change and deployed using NixOps, and tested it on the remote server. I'm happy to do more tests (please yell!), but may need more detailed instructions (in particular, my machine swiftly OOMs with nix-review, I'm not sure what I'm doing wrong here!).
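The two failure modes discussed on this page, the post-run hook that never fires under `ExecStopPost` and the timer that never re-runs an already-active unit, as an added check that is not part of nixpkgs or of this PR: a small Python lint over a rendered service unit. It parses unit-file syntax the way systemd reads it (repeated keys are collected, an empty assignment resets the list), then reports `ExecStopPost` hooks under `Type=oneshot` with `RemainAfterExit=yes`, and, when told the unit is timer-driven, that the timer's start request is a no-op while the unit stays active. The two unit texts are constructed for the example; the simp_le path, the example.org domain, the nginx reload command and the assumption that a same-named .timer drives the service are illustrative, not taken from nixpkgs.

```python
"""Lint a rendered systemd service unit for the acme failure modes
discussed on this page. Added example; not nixpkgs or PR code."""

from typing import Dict, List

# Constructed sample units (assumed paths and names, not from nixpkgs).
BROKEN_UNIT = """\
[Unit]
Description=Renew ACME certificate for example.org

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/run/current-system/sw/bin/simp_le -d example.org
# postRun rendered as ExecStopPost: the state this PR fixes
ExecStopPost=/run/current-system/sw/bin/systemctl reload nginx.service
"""

FIXED_UNIT = """\
[Unit]
Description=Renew ACME certificate for example.org

[Service]
Type=oneshot
ExecStart=/run/current-system/sw/bin/simp_le -d example.org
# postRun as ExecStartPost (this PR); RemainAfterExit dropped (the revert)
ExecStartPost=/run/current-system/sw/bin/systemctl reload nginx.service
"""


def parse_unit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse unit-file syntax into section -> key -> list of values.
    Unlike configparser this keeps repeated keys (ExecStartPost= may be
    given several times) and treats an empty assignment as a reset,
    which is how systemd reads list-valued settings."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, _, value = line.partition("=")
        values = sections[current].setdefault(key.strip(), [])
        if value.strip() == "":
            values.clear()
        else:
            values.append(value.strip())
    return sections


def is_true(value: str) -> bool:
    """systemd boolean spellings (1/yes/true/on)."""
    return value.strip().lower() in ("1", "yes", "true", "on")


def lint_service(text: str, timer_driven: bool = True) -> List[str]:
    """Return findings; an empty list means the post-run hook fires on
    every activation. timer_driven says a .timer starts this unit, as the
    acme renewal timer does (assumption for the example)."""
    service = parse_unit(text).get("Service", {})
    unit_type = (service.get("Type") or ["simple"])[-1]  # last value wins
    remain = service.get("RemainAfterExit", [])
    remains_active = bool(remain) and is_true(remain[-1])
    findings: List[str] = []
    if unit_type == "oneshot" and remains_active:
        if service.get("ExecStopPost"):
            findings.append(
                "ExecStopPost hooks never run after ExecStart finishes: with "
                "RemainAfterExit=yes the unit stays active and is not stopped"
            )
        if timer_driven:
            findings.append(
                "timer activation is a no-op while the unit is active, so the "
                "service is never re-run and renewal stops"
            )
    return findings


if __name__ == "__main__":
    for name, unit in (("broken", BROKEN_UNIT), ("fixed", FIXED_UNIT)):
        result = lint_service(unit)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against the output of `systemctl cat acme-<name>.service` on a deployed host rather than the constructed samples; the parser accepts drop-in fragments as well, since they use the same syntax.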