Git doesn't track file permissions (except for the executable
flag). For sensitive data (like the 'ssl' directory and file
'constants.yml' with passwords included) we've to prevent
non-root users from accessing those files.
hooks/pre-commit is inspired and based on the implementation
as present in etckeeper (and luckily we're license compatible)
and takes care of storing the file permissions inside file
/etc/ngcp-config/.ngcpcfg_perms.
The restore-permissions helper script takes care of restoring the
permissions after cloning the ngcpcfg repository via ngcpcfg
itself (being actions decrypt, pull (PRO-only) + initialise
(PRO-only)). It can be executed manually as well via
`usr/share/ngcp-ngcpcfg/helper/restore-permissions /etc/ngcp-config/`
(or wherever the according ngcpcfg repository is placed at).
Regarding the commit integration: git(1) itself doesn't track
file permissions, so we can't detect changes to file permissions
using git itself. Our new pre-commit hook records file
permissions via the .ngcpcfg_perms file. Now by just invoking it
during 'ngcpcfg commit' time we can ensure that even if there
have been any file permission changes in the working directory
the file .ngcpcfg_perms is then up2date and committed.
JFTR: The solution via the git pre-commit hook ensures that no
matter whether you're using 'ngcpcfg commit …' or 'git commit …'
you always get the file permissions handled via .ngcpcfg_perms.
Now if you want to change file permissions in a clean working
directory and commit *without* using 'ngcpcfg commit' but
directly via git itself then you've to use 'git commit
--allow-empty ...' and thanks to the pre-commit hook the file
.ngcpcfg_perms will still be up2date.
Change-Id: I84d608585c626b52112ff649893e232e441c59d8
The file should be accessible only to user root.
Also don't leave the unencrypted file /etc/ngcp-config-crypted.tgz around.
Change-Id: I82f7f36d8561d8d5e82435edb70e11170fa6c082
- ngcp-sync-grants is responsible for ngcp mysql
grants sync from a template
- it is executed by the 'commit' trigger before ngcp-sync-constants
Change-Id: I082256e57b1394a3f056ad1ca56a5443bfb5a745
Mainly nobody validate the schema in trunk right now
as it requires manual changes for ngcpcfg.cfg.
Also having force validation will allow us to add
validation in ngcp-upgrade and Jenkins nightly builds.
Change-Id: Ia48a778ecf7dae30b26bdff0c5dd5b9000c9d089
Verify that the user is operating on branch master,
otherwise the result might be unexpected.
If branch master is checked out:
| root@spce:/etc/ngcp-config# ngcpcfg check
| root@spce:/etc/ngcp-config# ngcpcfg status
| [...]
| 2016-02-23 05:48:32: Checking currently active branch:
| 2016-02-23 05:48:32: OK: branch master active
If a branch other than 'master' is checked out:
| root@spce:/etc/ngcp-config# ngcpcfg check
| 2016-02-23 05:47:42: Error: branch 'mika' in '/etc/ngcp-config' active - please switch to branch 'master' before continuing.
| root@spce:/etc/ngcp-config# echo $?
| 1
| root@spce:/etc/ngcp-config# ngcpcfg status
| [...]
| 2016-02-23 05:47:47: Checking currently active branch:
| 2016-02-23 05:47:47: ACTION_NEEDED: branch 'mika' active - please switch to branch 'master'
| [...]
Change-Id: I5df92075905cafa3b714211581c8cfe749df04ba
The commit action already takes care of invoking etckeeper, so there's
no need to call it from the apply action. In addition calling it after
record_commit_id is either pointless or buggy.
Change-Id: I8ccd40f962c24f99b2ae26655c083bb976e47ce9
Make the relationship internal, instead of external. So that anything
that might end up calling the build script will always do the right
thing and we will not forget to perform required actions.
Change-Id: Iafc3bc7230c59750de7ec8bf825005011b48f403
In a previous implementation using timestamps we ran into timing
problems on slower systems. So instead lets record the git commit
ID of the latest ngcpcfg commit and check whether we have a match
between this commit and an according ngcpcfg build.
If the "ngcpcfg build" was executed without an "ngcpcfg commit"
before then we mark it as dirty since we don't have an according
git commit available for testing against. Since that's a common
workflow we don't report it as a real problem though, instead we
inform the user using:
| OK: nothing to build (latest build newer than latest commit)
As we commit AFTER the build in the apply action we can use a
workaround for this situation, so build and commit state match
with each other in that case then.
Change-Id: I48e32db6f42b53fe97a0b88805e7ddbee8576133
This reverts commit db373d3927.
Conflicts:
etc/ngcp-config/ngcpcfg.cfg
Until we've a working solution for this let's revert
the broken change so we avoid this being a release
stopper.
Change-Id: If03d9b3913de23c698b430d583dc7babfcc4ff04
There are some times when a configuration, service or system upgrade
requires a reboot to take effect. When a component requires a reboot,
it will record this fact in the file system through the file
«/var/run/reboot-required», and «ngcpcfg status» will notify the user
that a reboot has been requested.
We use the «/var/run/reboot-required» because it is already being used
in the unattended-upgrades package on Debian/Ubuntu which does something
similar.
Change-Id: I43997bfb83892f67bd57bb55ad3ec0a41a5e088d
If the latest git commit has a newer timestamp than
our latest "build" action then a "build" (or apply)
run is required, inform the user about it.
Change-Id: I83e2ff47ba54da733d368d78b6616d13d31a66d4
Provide "apply" action as separate script.
We don't care about changes related to etckeeper, but just
about outstanding commits in /etc/ngcp-config.
Change-Id: I47411f00a5085d65cacf9e24fc8a468258d57c31
This allows us to abort in 'ngcpcfg status' whenever there are
outstanding changes to pull/push from the shared storage. Using
the --no-action-failure option allows the user to continue anyway.
Change-Id: I4062d5bb627bb553b98705bb122575651b035849
`which $function` doesn't work as intended, commit
dc984aa2e7 in ngcpcfg-ha.git broke the HA features
in 'ngcpcfg status' therefore.
Change-Id: I2bb9ed9b3276e63fc6d127559df32ae229a43b33
Disabled by default as we need a time to check it carefuly.
Also we need to solve the "tilda" problem reported upstream:
https://github.com/eserte/p5-Kwalify/issues/1
Change-Id: Ia2c3d48f0ac6fc6ac9899d44f4291544373806d9
- added quiet option to disable loading output at tt2-daemon
- detect arrays and output values joined by space
Change-Id: I0b7694a366a284ca2b24ea2df55cb285b598e66d
We will use first free port instead which will be stored into
/var/run/ngcpcfg.port file while tt2-daemon is up and running.
Change-Id: I1a918f865d87863eef7d34be8abd1032282220b8
Otherwise users notice error during upgrade mr3.7->mr3.8:
> ngcpcfg commit 'snapshot during /usr/share/ngcp-upgrade-mr3.8/upgrade-2.8-to-mr3.8 - Mon Apr 13 10:29:24 CEST 2015'
> YAML Error: Couldn't open /etc/ngcp-rtpengine-daemon/interfaces.yml for input:\nNo such file or directory
> Code: YAML_LOAD_ERR_FILE_INPUT
> at /usr/share/perl5/YAML.pm line 71
> OK
> Synchronizing data from /etc/ngcp-config/constants.yml
Change-Id: I2e4b8780d2ada64854186da93b03b8817eac99bf
A random order of service restarts might not work because
a service might depend on specific monit resource(s).
Therefore restart monit before any other service(s).
Change-Id: If6eae434014f00a76fdd66aac8c82dfd69b86f1b
On a multi directory config, the services depends on git. Check
first if the git repository exists and warn about it
Change-Id: I52e335c85ecf4a330da44b3088725623f3c04531
`git diff-index --name-only HEAD` was used because it was the
only reasonable way to check for modified files back in Git 1.5.
Sadly this command can't detect files that didn't exist inside
the Git repository at all yet (so if a file was generated for the
very first time the according services script wasn't executed
necessarily).
Instead nowadays we can rely on `git status --porcelain`, which
wasn't available in Git 1.5 back then yet. Even in Debian/squeeze
there's Git version 1.7.2.5-3 available, so it's save to depend
on it. Updated Git package dependency accordingly, also switch
from transitional git-core package to the actual git one.
Tested-by: Alexander Lutay <alutay@sipwise.com>
When runnning 'ngcpcfg build' (which is also executed when
running 'ngcpcfg apply') we waste quite some time with loading
the same YAML configuration files and merging them again and
again.
In a 'ngcpcfg build' run we don't have to re-load and merge those
configuration files again and again (since they won't modify
during a single run), instead just load+merge them *once* and
re-use the result on all the following execution steps in the
same run.
Original:
| # time ngcpcfg apply >/dev/null
| ngcpcfg apply > /dev/null 149.01s user 9.49s system 96% cpu 2:43.57 total
Reworked optimized runs:
| # time ngcpcfg apply >/dev/null
| ngcpcfg apply > /dev/null 81.25s user 8.62s system 95% cpu 1:34.17 total
For debugging purposes you can execute 'ngcpcfg build' under
NO_REUSE=1 to not use this feature, executing it under 'DEBUG=1'
won't remove the so called reuse file which stores the merged
configuration data.
Thanks: Alexander Lutay for the initial patch and idea
Files in configuration directory EXTRA_CONFIG_DIR (being
/etc/ngcp-config/config.d/ by default) with the suffix yml (so
e.g. a file named pbx.yml can be shipped by an external Debian
package) are additionally taken into consideration as main
configuration files.
Those extra configuration file(s) have higher precedence than
the other yml configuration files (config.yml, network.yml,...),
*except* for constants.yml which has the power to override all
settings, including the ones from files inside EXTRA_CONFIG_DIR.
Closes: sipwise-#3059
Michael Prokop
Kirill Solomko
Alexander Lutay
Victor Seva
Guillem Jover
Richard Fuchs