Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update the release documentation #85369

Closed
wants to merge 1 commit into from
Closed

Update the release documentation #85369

wants to merge 1 commit into from

Conversation

immae
Copy link
Contributor

@immae immae commented Apr 16, 2020
edited
Loading

Motivation for this change

See this comment on the issue: #84633 (comment)

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@immae immae mentioned this pull request Apr 16, 2020
Merged
10 tasks
@immae
Copy link
Contributor Author

immae commented Apr 16, 2020

cc @arianvp @emilazy @m1cr0man @aanderse @flokli

@immae immae mentioned this pull request Apr 16, 2020
Closed
4 tasks
@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog 8.has: documentation This PR adds or changes documentation 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 10.rebuild-linux: 1 labels Apr 16, 2020
arianvp
arianvp reviewed Apr 16, 2020
View reviewed changes
nixos/doc/manual/release-notes/rl-2003.xml
Certificates will be regenerated anew on the next renewal date. The credentials for simp-le are
preserved and thus it is possible to roll back to previous versions without breaking certificate
generation.
Certificates will be regenerated on activation, no account or certificate will be migrated from simp-le.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

simp_le state and lego state are stored in different directories no? or at different places? So rollback should work? if that isn't the case anymore than that's a new bug.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We dont say it's backwards compatible. We just say that rollback is an option. Those are different things

Copy link
Contributor Author

@immae immae Apr 16, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah yes, if that’s what you mean for "rollback". However:

  • a new account will be recreated by lego anwyay, he won’t be able to use the one created by simp_le
  • lego will generate new certificates when switching from simp-le to lego the first time, because it doesn’t use the content of /var/lib/acme/your_cert to make its decision. Switching back I don’t know (that will depend on how simp-le computes if a certificate is too old)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We mean rollback in the sense of nixos-rebuild switch --rollback. i.e. the switch to lego doesn't destroy any simp_le state so if something goes bad with upgrade, you can go back to 19.09 and figure out what went wrong

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I’ll put back the last line then

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed

@immae immae force-pushed the fix_acme_reuse_key branch from 6b6d30e to 7c5fce5 Compare April 16, 2020 12:23
@arianvp
Copy link
Member

arianvp commented Apr 16, 2020

@GrahamcOfBorg test acme

m1cr0man
m1cr0man approved these changes Apr 17, 2020
View reviewed changes
Copy link
Contributor

@m1cr0man m1cr0man left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM :) I'm a fan of well worded options, in hope that if the agent changes we can reuse/maintain them.

@immae immae force-pushed the fix_acme_reuse_key branch from 7c5fce5 to 7d7b6c1 Compare April 17, 2020 20:20
@flokli
Copy link
Contributor

flokli commented Apr 18, 2020

Thanks! Maybe future work, but can we test this feature in a VM test?

@immae
Copy link
Contributor Author

immae commented Apr 18, 2020

Thanks! Maybe future work, but can we test this feature in a VM test?

I agree. I already tried to understand how tests worked, but I’m not fully at ease with the language yet, it’s still new to me. If you think it’s necessary for this PR it may take me a bit longer to manage to write it (or someone else to write it)

@flokli
Copy link
Contributor

flokli commented Apr 18, 2020

@immae what do you think about forward-porting the release notes from #85370 into master, and picking this up once the test refactorings took place?

cc @emilazy

@immae immae force-pushed the fix_acme_reuse_key branch from 7d7b6c1 to 5eae566 Compare April 19, 2020 11:37
@immae
nixos/acme: Update the release documentation
b3e8c0e 
It currently says that everything will be backward compatible between lego and simp-le certificates, but it’s not.
@immae immae force-pushed the fix_acme_reuse_key branch from 5eae566 to b3e8c0e Compare April 19, 2020 11:38
@immae immae changed the title Add an option to re-use private keys for lego certificates Update the release documentation Apr 19, 2020
@immae
Copy link
Contributor Author

immae commented Apr 19, 2020

@flokli : done

@ofborg ofborg bot removed the 8.has: module (update) This PR changes an existing module in `nixos/` label Apr 19, 2020
@flokli
Copy link
Contributor

flokli commented Apr 21, 2020

forward-ported from #85370 into master as 3dbd3f2, closing here.

@flokli flokli closed this Apr 21, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@m1cr0man m1cr0man m1cr0man approved these changes

@arianvp arianvp arianvp approved these changes

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog 8.has: documentation This PR adds or changes documentation 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 10.rebuild-linux: 1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@immae @arianvp @flokli @m1cr0man