propellor

propellor config for hosts.
git clone git://git.ricketyspace.net/propellor.git

commit 8ee42c05d85b424ce26bd9caf5a63668c4791787
parent f779735526882126d2dbf2269982c7ac42d456c7
Author: rsiddharth <s@ricketyspace.net>
Date:   Wed, 25 Sep 2019 22:25:36 -0400

Merge tag '5.9.1'

tagging package propellor version 5.9.1

Diffstat:
config-freebsd.hs | 2+-
debian/changelog | 14++++++++++++++
doc/forum/Contribution_and_community.mdwn | 10++++++++++
doc/forum/apt_releaseinfo.mdwn | 17+++++++++++++++++
doc/forum/apt_releaseinfo/comment_1_a6897e3cb6089c4f3db3d37e71ff9659._comment | 12++++++++++++
doc/forum/apt_releaseinfo/comment_2_d8381b5e727b6e54f8e4a5cd9792e09c._comment | 12++++++++++++
doc/forum/apt_releaseinfo/comment_3_14f13cddb537766dc2b8234c731e0834._comment | 8++++++++
doc/news/version_5.5.0.mdwn | 21---------------------
doc/news/version_5.9.0.mdwn | 27+++++++++++++++++++++++++++
joeyconfig.hs | 10++++++----
propellor.cabal | 2+-
src/Propellor/Info.hs | 4++--
src/Propellor/Property/Apt.hs | 26++++++++++++++++++++++----
src/Propellor/Property/Sbuild.hs | 2+-
src/Propellor/Property/Systemd.hs | 2+-
src/Propellor/Types/OS.hs | 2+-
16 files changed, 135 insertions(+), 36 deletions(-)

diff --git a/config-freebsd.hs b/config-freebsd.hs @@ -59,7 +59,7 @@ linuxbox = host "linuxbox.example.com" $ props -- A generic webserver in a Docker container. webserverContainer :: Docker.Container webserverContainer = Docker.container "webserver" (Docker.latestImage "debian") $ props - & osDebian' KFreeBSD (Stable "stretch") X86_64 + & osDebian' KFreeBSD (Stable "buster") X86_64 & Apt.stdSourcesList & Docker.publish "80:80" & Docker.volume "/var/www:/var/www" diff --git a/debian/changelog b/debian/changelog @@ -1,3 +1,17 @@ +propellor (5.9.1) unstable; urgency=medium + + * Apt: Debian has changed the name of the suite for testing security updates + from testing to testing-security. + * Apt: Also the suite for stable releases from bullseye on will be + suffixed with "-security". + * Apt.update: Pass --allow-releaseinfo-change when updating Unstable + or Testing, so that code name changes that happen in those suites + during a stable release don't prevent updating the rolling suites. + * Systemd.machined: Fix a bug that caused the systemd-container package + to not be installed when used with Debian buster. + + -- Joey Hess <id@joeyh.name> Wed, 17 Jul 2019 15:59:29 -0400 + propellor (5.9.0) unstable; urgency=medium * Added custom type error messages when Properties don't combine due to diff --git a/doc/forum/Contribution_and_community.mdwn b/doc/forum/Contribution_and_community.mdwn @@ -0,0 +1,10 @@ +Propellor seems inaccessible to me. + +The contribution workflow is based on emails or unstructured todo wiki subpages. It is unclear where to get help. + +I suggest you switch to using https://gitlab.haskell.org for example + +Getting contributions in open source is about how accessible your project is. That includes not only codebase, but especially workflow. +I also barely see anyone respond to propellor topics on #haskell freenode. + +We use propellor at work and I'm already wondering if ansible would have been a better choice. 
diff --git a/doc/forum/apt_releaseinfo.mdwn b/doc/forum/apt_releaseinfo.mdwn @@ -0,0 +1,17 @@ +Since apt-get has changed behavior and refuses to update if the code name +in a Release file has changed from the one it saw before, propellor systems +that are tracking Unstable or Testing need a manual intervention after each +major stable release (`apt-get update --allow-releaseinfo-change`). + +(It seems that when unattended-updates is available, it does automatically +accept the change.) + +I am seeking advice about what propellor should do about this. Should +Apt.update include --allow-releaseinfo-change when the host is following a +rolling suite? + +Or does doing so defeat whatever presumably good rationalle there is for +making this a manual action? Or perhaps there is no really good reason apt +does this when following a folling suite? + +--[[Joey]] diff --git a/doc/forum/apt_releaseinfo/comment_1_a6897e3cb6089c4f3db3d37e71ff9659._comment b/doc/forum/apt_releaseinfo/comment_1_a6897e3cb6089c4f3db3d37e71ff9659._comment @@ -0,0 +1,12 @@ +[[!comment format=mdwn + username="spwhitton" + avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb" + subject="comment 1" + date="2019-07-12T06:39:18Z" + content=""" +I think that the point of this was to prevent people with 'stable' in their sources.list from accidentally upgrading to a new stable release. Similarly, to prevent users with 'testing' in their sources.list from upgrading to the new testing, when what they wanted to do was track stable+1. + +I think that when a user uses propellor's `Testing` and `Unstable` types they are explicitly requesting a rolling release, so it seems find to pass it for those suites. + +This is not based on reading any discussions about the new feature. Just my own inference as to its purpose. +"""]] diff --git a/doc/forum/apt_releaseinfo/comment_2_d8381b5e727b6e54f8e4a5cd9792e09c._comment b/doc/forum/apt_releaseinfo/comment_2_d8381b5e727b6e54f8e4a5cd9792e09c._comment 
@@ -0,0 +1,12 @@ +[[!comment format=mdwn + username="joey" + subject="""comment 2""" + date="2019-07-16T15:09:57Z" + content=""" +That matches my intuition of it. And propellor's Unstable and Testing +are indeed intended to explicitly request a rolling release. +(I thought that "unstable" and "testing" were also intended to explicitly +request that?) + +Anyway, I've made Apt.update add the new argument for Unstable and Testing. +"""]] diff --git a/doc/forum/apt_releaseinfo/comment_3_14f13cddb537766dc2b8234c731e0834._comment b/doc/forum/apt_releaseinfo/comment_3_14f13cddb537766dc2b8234c731e0834._comment @@ -0,0 +1,8 @@ +[[!comment format=mdwn + username="spwhitton" + avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb" + subject="comment 3" + date="2019-07-17T15:47:26Z" + content=""" +I think so, but presumably they are being often misused. +"""]] diff --git a/doc/news/version_5.5.0.mdwn b/doc/news/version_5.5.0.mdwn 
@@ -1,20 +0,0 @@ -propellor 5.5.0 released with [[!toggle text="these changes"]] -[[!toggleable text=""" - * letsencrypt': Pass --expand to support expanding the list of domains - * Split mailname property out of Hostname.sane, since bad mailname - guesses can lead to ugly surprises. (API change) - * Removed HostingProvider.CloudatCost module as it lacks a maintainer. - (If anyone would like to maintain it, send a patch adding it back.) - (API change) - * Added Systemd.escapePath helper function useful when creating mount - units. - * Added Sudo.sudoersDFile property. - * Sudo.enabledFor: Write to /etc/sudoers.d/000users rather than to - /etc/sudoers. (Any old lines it wrote to /etc/sudoers will be removed.) - This fixes a potential ordering problem; the property used to append - the line to /etc/sudoers, but that would override more specific lines - in the include directory. - * Borg: Added UsesEnvVar. - * Added DiskImage.noBootloader, useful for eg, direct booting with - qemu. Thanks, David Bremner. - * Added Apt.backportInstalledMin."""]]- \ No newline at end of file diff --git a/doc/news/version_5.9.0.mdwn b/doc/news/version_5.9.0.mdwn 
@@ -0,0 +1,26 @@ +propellor 5.9.0 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * Added custom type error messages when Properties don't combine due to + conflicting MetaTypes. + * Added custom type error messages for ensureProperty and tightenTargets. + * Note that those changes made ghc 8.0.1 in a few cases unable to infer + types when ensureProperty or tightenTargets is used, while later ghc + versions had no difficulty. If this affects building your properties, + adding a type annotation to the code will work around the problem. + * Added custom type error messages displayed when type inference + fails when using ensureProperty and tightenTargets, that suggest + adding a type annotation. + * Use the type-errors library to detect when the type checker gets stuck + unable to reduce type-level operations on MetaTypes, and avoid + displaying massive error messages. + * But, since type-errors is a new library not available in eg Debian + yet, added a WithTypeErrors build flag. When the library is not + available, cabal will automatically disable that build flag, + and it will build without the type-errors library. + * EnsurePropertyAllowed, TightenTargetsAllowed, and CheckCombinable + types have changed to Constraint. + (API change) + * Try harder to avoid displaying an excessive amount of type error + messages when many properties have been combined in a props list. + * Libvirt.installed: install libvirt-daemon-system + Thanks, David Bremner"""]]+ \ No newline at end of file diff --git a/joeyconfig.hs b/joeyconfig.hs @@ -397,8 +397,9 @@ pell = host "pell.branchable.com" $ props & alias "dist-bugs.kitenet.net" & alias "family.kitenet.net" - & osDebian (Stable "stretch") X86_64 + & osDebian (Stable "buster") X86_32 & Apt.installed ["linux-image-686-pae"] + & Apt.stdSourcesList `onChange` Apt.upgrade & Apt.unattendedUpgrades & Branchable.server hosts & Linode.serialGrub 
@@ -409,7 +410,7 @@ keysafe = host "keysafe.joeyh.name" $ props & ipv4 "139.59.17.168" & Hostname.sane & Hostname.mailname - & osDebian (Stable "stretch") X86_64 + & osDebian (Stable "buster") X86_64 & Apt.stdSourcesList `onChange` Apt.upgrade & Apt.unattendedUpgrades & DigitalOcean.distroKernel @@ -469,7 +470,7 @@ keysafe = host "keysafe.joeyh.name" $ props -- Exhibit: kite's 90's website on port 1994. ancientKitenet :: Systemd.Container ancientKitenet = Systemd.debContainer "ancient-kitenet" $ props - & standardContainer (Stable "stretch") + & standardContainer (Stable "buster") & alias hn & Git.cloned (User "root") "git://kitenet-net.branchable.com/" "/var/www/html" (Just "remotes/origin/old-kitenet.net") @@ -483,7 +484,7 @@ ancientKitenet = Systemd.debContainer "ancient-kitenet" $ props oldusenetShellBox :: Systemd.Container oldusenetShellBox = Systemd.debContainer "oldusenet-shellbox" $ props - & standardContainer (Stable "stretch") + & standardContainer (Stable "buster") & alias "shell.olduse.net" & JoeySites.oldUseNetShellBox @@ -491,6 +492,7 @@ oldusenetShellBox = Systemd.debContainer "oldusenet-shellbox" $ props -- and administrative sanity. openidProvider :: Systemd.Container openidProvider = Systemd.debContainer "openid-provider" $ props + -- simpleid is not in buster & standardContainer (Stable "stretch") & alias hn & OpenId.providerFor [User "joey", User "liw"] hn (Just (Port 8086)) diff --git a/propellor.cabal b/propellor.cabal @@ -1,5 +1,5 @@ Name: propellor -Version: 5.9.0 +Version: 5.9.1 Cabal-Version: 1.20 License: BSD2 Maintainer: Joey Hess <id@joeyh.name> diff --git a/src/Propellor/Info.hs b/src/Propellor/Info.hs 
@@ -91,13 +91,13 @@ hasContainerCapability c = elem c -- It also lets the type checker know that all the properties of the -- host must support Debian. -- --- > & osDebian (Stable "stretch") X86_64 +-- > & osDebian (Stable "buster") X86_64 osDebian :: DebianSuite -> Architecture -> Property (HasInfo + Debian) osDebian = osDebian' Linux -- Use to specify a different `DebianKernel` than the default `Linux` -- --- > & osDebian' KFreeBSD (Stable "stretch") X86_64 +-- > & osDebian' KFreeBSD (Stable "buster") X86_64 osDebian' :: DebianKernel -> DebianSuite -> Architecture -> Property (HasInfo + Debian) osDebian' kernel suite arch = tightenTargets $ os (System (Debian kernel suite) arch) diff --git a/src/Propellor/Property/Apt.hs b/src/Propellor/Property/Apt.hs @@ -110,9 +110,16 @@ stdArchiveLines = return . binandsrc =<< getMirror securityUpdates :: SourcesGenerator securityUpdates suite | isStable suite || suite == Testing = - let l = "deb http://security.debian.org/ " ++ showSuite suite ++ "/updates " ++ unwords stdSections + let l = "deb http://security.debian.org/debian-security " ++ securitysuite ++ " " ++ unwords stdSections in [l, srcLine l] | otherwise = [] + where + securitysuite + | suite == Testing = "testing-security" + | suite `elem` map Stable releasesusingoldname = + showSuite suite ++ "/updates" + | otherwise = showSuite suite ++ "-security" + releasesusingoldname = ["jessie", "buster", "stretch"] -- | Makes sources.list have a standard content using the Debian mirror CDN -- (or other host specified using the `mirror` property), with the 
@@ -207,10 +214,21 @@ noninteractiveEnv = -- | Have apt update its lists of packages, but without upgrading anything. update :: Property DebianLike -update = combineProperties ("apt update") $ props +update = combineProperties desc $ props & pendingConfigured - & runApt ["update"] - `assume` MadeChange + & aptupdate + where + desc = "apt update" + aptupdate :: Property DebianLike + aptupdate = withOS desc $ \w o -> case o of + (Just (System (Debian _ suite) _)) + | not (isStable suite) -> ensureProperty w $ + -- rolling suites' release info can change + runApt ["update", "--allow-releaseinfo-change"] + `assume` MadeChange + _ -> ensureProperty w $ + runApt ["update"] + `assume` MadeChange -- | Have apt upgrade packages, adding new packages and removing old as -- necessary. Often used in combination with the `update` property. diff --git a/src/Propellor/Property/Sbuild.hs b/src/Propellor/Property/Sbuild.hs @@ -21,7 +21,7 @@ stretch, which older sbuild can't handle. Suggested usage in @config.hs@: > mybox = host "mybox.example.com" $ props -> & osDebian (Stable "stretch") X86_64 +> & osDebian (Stable "buster") X86_64 > & Apt.useLocalCacher > & sidSchrootBuilt > & Sbuild.usableBy (User "spwhitton") diff --git a/src/Propellor/Property/Systemd.hs b/src/Propellor/Property/Systemd.hs @@ -210,7 +210,7 @@ machined = installeddebian `pickOS` assumeinstalled case o of -- Split into separate debian package since systemd 225. (Just (System (Debian _ suite) _)) - | not (isStable suite) || suite == (Stable "stretch") -> + | not (isStable suite) || suite /= (Stable "jessie") -> ensureProperty w $ Apt.installed ["systemd-container"] _ -> noChange assumeinstalled :: Property Linux diff --git a/src/Propellor/Types/OS.hs b/src/Propellor/Types/OS.hs 
@@ -59,7 +59,7 @@ data DebianKernel = Linux | KFreeBSD | Hurd deriving (Show, Eq) -- | Debian has several rolling suites, and a number of stable releases, --- such as Stable "stretch". +-- such as Stable "buster". data DebianSuite = Experimental | Unstable | Testing | Stable Release deriving (Show, Eq)
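Review bot: in the pell hunk of joeyconfig.hs (@@ -397), the line `& osDebian (Stable "buster") X86_32` changes the architecture from X86_64 to X86_32 on the same line that bumps stretch to buster, and nothing in the commit or the changelog mentions an architecture change. The `Apt.installed ["linux-image-686-pae"]` line directly below makes the 32-bit choice look deliberate, but a short comment next to it would stop the next reader from treating it as a typo. The newly added `& Apt.stdSourcesList `onChange` Apt.upgrade` also means the first propellor run after this change carries out the stretch-to-buster upgrade unattended, which is worth stating as the intent for that host.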
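Review bot: in the openidProvider hunk of joeyconfig.hs (@@ -491), the container is left on `standardContainer (Stable "stretch")` with the comment `-- simpleid is not in buster`, while every other container in the file moves to buster. The comment records the blocker but not the plan; adding what is intended (backport, replacement, or retirement) would keep this container from silently staying on a release whose security support ends earlier than the host's, and would flag that it continues to rely on the old `stretch/updates` security suite that `releasesusingoldname` in Apt.hs preserves.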
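Review bot: in the `securityUpdates` hunk of Apt.hs (@@ -110), the `otherwise` guard of `securitysuite` gives every stable release not listed in `releasesusingoldname = ["jessie", "buster", "stretch"]` the new `<codename>-security` form. That is the right default going forward, since bullseye and later need no code change, but it means a host still on a release older than jessie silently gets a security source that does not exist and apt update will fail for it. A comment above `releasesusingoldname` stating that the list is complete for all releases that use the old `/updates` layout (or extending it to the remaining older codenames) closes that gap and tells future maintainers the list is not meant to grow.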
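Review bot: in the `update` hunk of Apt.hs (@@ -207), `aptupdate` passes `--allow-releaseinfo-change` whenever `not (isStable suite)`, which also covers `Experimental`, while the changelog entry in the same commit says "Unstable or Testing"; either narrow the guard to `suite == Unstable || suite == Testing` or adjust the changelog so code and description agree. Separately, `--allow-releaseinfo-change` accepts any change to the Release file's Origin, Label, Suite or Codename, whereas the forum thread in this commit identifies only the codename rollover as the case to allow; if that is the only expected change, apt's narrower `--allow-releaseinfo-change-codename` keeps the check against an unexpected origin or label change on the rolling hosts.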
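Review bot: in the `machined` hunk of Systemd.hs (@@ -210), the new guard `not (isStable suite) || suite /= (Stable "jessie")` is redundant, because any non-stable suite already satisfies `suite /= Stable "jessie"`; the whole condition reduces to `suite /= Stable "jessie"`, and writing it that way makes the intent (every suite except jessie installs systemd-container) explicit. Note also that the old `suite == (Stable "stretch")` check only matched stretch, while the new one matches releases older than jessie as well, where the comment `-- Split into separate debian package since systemd 225.` implies the package does not exist; if those releases are out of scope, say so in the comment.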