- Use action helper so that Plinth can run unprivileged and action
script can run as root.
- Use Status-Fd feature of apt-get to report progress. Don't report
much detail.
- Capture all stderr of the apt-get process and present it only in case
of failure.
- Remove package installation using PackageKit. Remove dependency on
PackageKit.
- Merge --setup package installation with regular package installation.
This should fix the following problems:
- PackageKit throws errors when APT encounters an error and later
corrects them and proceeds well. This is reported upstream but not
fixed.
- PackageKit does not install recommends by default and there is no easy
way to tell it to do so.
- In some rare cases, PackageKit could get stuck for interactive input
even though interactive flag is set to false.
- PackageKit does not work without network manager connections. (Could
have been mitigated by altering packagekit configuration).
- PackageKit glib library leaks file descriptors after each operation.
This leads to running out of fds during long running refresh
operations such as OpenVPN setup. (This should have subsided by not
checking package install with the new setup mechanism.)
Known issues:
- In development mode, inside action scripts the python modules are
always loaded from system path and not development directory.
- With PackageKit it is possible to run multiple operations
simultaneously. Others would wait while the first is being
installed. With new implementation, the others error out unable to
obtain lock.
- Break down setup process into methods.
- Make sure that LDAP entity setup is idempotent.
- Perform all entry updates while slapd is running instead of using
slapadd.
- Start slapd only when necessary. Shutdown (only) if we have started
slapd.
- adapted all modules to not use views.ConfigurationView anymore
- removed templates that are not needed anymore
- no more implicit 'enabled' and 'get_status' functions in __init__.py files
- (more coherent/explicit use of Django functionality)
The Service object now offers handling services on a system level,
and gathering information whether it's enabled or running.
New methods: enable, disable, is_enabled, is_running;
For this it needs the correct (system-level) service name.
All of the methods can be overridden/customized.
This changes all modules to the new Service object and deletes
action scripts that are not required anymore.
- API: start, stop, enable, disable, reload, is-running, is-enabled, list
- only allows access to a service if the service name is listed in a
'managed_services' variable of any plinth module.
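
A sketch of the allowlist check described above, as an added example that is not Plinth's own code. The helper names, the stand-in module objects and the sample service names are hypothetical; only the `managed_services` variable and the action names come from the text.

```python
import re
from types import SimpleNamespace

# Actions named in the commit message. 'is-running' maps to systemctl's
# 'is-active' in this sketch; 'list' takes no service name and is left out.
ACTIONS = {'start': 'start', 'stop': 'stop', 'enable': 'enable',
           'disable': 'disable', 'reload': 'reload',
           'is-running': 'is-active', 'is-enabled': 'is-enabled'}

# Conservative shape for a unit name: no leading '-', no path or shell characters.
_NAME_RE = re.compile(r'[A-Za-z0-9][A-Za-z0-9@_.:-]*')


def collect_managed_services(modules):
    """Union of the 'managed_services' lists declared by the given modules."""
    managed = set()
    for module in modules:
        managed.update(getattr(module, 'managed_services', []))
    return managed


def build_command(action, service, modules):
    """Return the systemctl argv, or raise ValueError if the request is refused."""
    if action not in ACTIONS:
        raise ValueError('unknown action: %r' % action)
    if not _NAME_RE.fullmatch(service):
        raise ValueError('malformed service name: %r' % service)
    if service not in collect_managed_services(modules):
        raise ValueError('service not managed by any module: %r' % service)
    # argv list, never a shell string: the name stays a single argument.
    return ['systemctl', ACTIONS[action], service]


# Constructed stand-ins for loaded modules (hypothetical names).
SAMPLE_MODULES = [
    SimpleNamespace(managed_services=['ntp']),
    SimpleNamespace(managed_services=['tor', 'openvpn@freedombox']),
    SimpleNamespace(),  # a module that manages no services
]
```

The privileged side performs the check itself, so a caller that can reach the action script still cannot name an arbitrary unit.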
- Installing dbcommon-pgsql and not installing dbcommon-mysql does not
ensure that PostgreSQL is selected as the database for the
application. Set a debconf value to force selection of PostgreSQL.
- Minor styling fixes.
- Read Apache configuration to find the list of all available
certificates and their associated domains. Use this for setting UIDs
properly.
- Solve the issue of re-importing renewed certificate. Use the SSH
fingerprints as unique keys instead of domain names. Compute SSH
fingerprints for SSH keys and HTTPS certificates in order to accurately
identify if they are currently imported into monkeysphere.
- Allow having more than one domain for a certificate. Add action to
import new domains to an existing monkeysphere OpenPGP key.
- Import only once for a given certificate and keep adding UIDs when
domains get added.
- Merge services SSH and HTTPS giving us the ability to deal with many
more services. Remove special handling for different kinds of
certificate sources.
- Suppress monkeysphere prompts in case of reusing UIDs.
- Since we are trusting the remote user header, it is much safer not
to listen on external addresses. We don't need that since Apache connects on
internal address.
- When writing the configuration file for no NAT case, append the last
part of the file instead of overwriting.
- Also 'echo' statements are missing leading to attempt to execute the
config options instead of writing them to a file.
Currently uptime is being taken as measure to decide whether update must
run. Uptime is the number of seconds since machine has booted. If a
machine has run for 30 hours, and rebooted, then update will not be done
until the machine has run for 30 hours + designated time. Using seconds
since epoch fixes this.
- The current code to parse the configuration file does not work properly
if there is an '=' in the password. Fix it.
- Also if predesignated keyword like 'server' occurs in the password,
configuration can't be read properly. Fix it.
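
The two parsing failures named above, reproduced as an added example that is not the project's code. The `key=value` layout, the key names and the sample values are constructed for illustration; `parse_naive` is one way a parser ends up with both bugs, and `parse_fixed` avoids them.

```python
# Constructed key names and sample file; the real file's layout is not shown here.
KEYS = ('server', 'user', 'pass')
SAMPLE = 'server=ddns.example.org\nuser=alice\npass=my=server=secret\n'


def parse_naive(text):
    """Failure mode: keyword matched anywhere in the line, value split on every '='."""
    result = {}
    for line in text.splitlines():
        for key in KEYS:
            if key in line:                       # also true inside the password
                result[key] = line.split('=')[1]  # cut off at the second '='
    return result


def parse_fixed(text):
    """Split at the first '=' only and require the key to be the whole left side."""
    result = {}
    for line in text.splitlines():
        key, sep, value = line.partition('=')
        key = key.strip()
        if sep and key in KEYS:
            result[key] = value                   # later '=' stay in the value
    return result


if __name__ == '__main__':
    print('naive:', parse_naive(SAMPLE))
    print('fixed:', parse_fixed(SAMPLE))
```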
* Add an option to pass the password via cmdline (optional, not used by
plinth) if called manually.
* Fix: If -p option was not the last given option, everything after -p
was lost. Closes #310.
- Add note about restarting firewalld.
- Refactor checking for running configuration process.
- Fix error message being shown as info message.
- Minor indentation fixes.
- Allow setting multiple SSH keys one per line (which is already
allowed, but advertise it better).
- Use mkhomedir_helper to create the user's home directory. Avoid
security and accuracy complexities of creating a home directory.
- Allow homes that don't exist in /home.
- Closes #366 and closes #304 (all sub-tasks).
- Start new process group with setsid() by sending
start_new_session=True
- Detach from parent process fds by closing all FDs and attaching stdin,
stdout and stderr to /dev/null.
- Don't wait for the process to complete.
- This allows for upgrading Plinth while upgrades are triggered from
Plinth itself.
- Show log of upgrade execution instead of output and error log of the
process which can no longer be collected. This has the advantage of
showing automatic executions also.
- Rewrite the mechanism to detect whether upgrades can be run. It is
now based on whether the package manager is busy. This has the
advantage of working properly if other apt processes are running,
automatic upgrades are running, etc.
- Busy status works even if Plinth is restarted while upgrades are in
progress.
- More descriptive messages showing that upgrades don't have to be
triggered manually.
- Warn that other packages can't be installed while upgrades are
running, which may take a long time.
- Warn the users of potential temporary unavailability of
Plinth/Apache2.
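
The detachment steps listed above (new session, no inherited descriptors, stdio on /dev/null, no wait), as an added example that is not Plinth's code. The function names are hypothetical, the sleeping child is a constructed stand-in for the upgrade command, and `describe_child` assumes a Linux `/proc`.

```python
import os
import subprocess
import sys


def spawn_detached(argv):
    """Start argv in its own session with no inherited fds; do not wait for it."""
    process = subprocess.Popen(
        argv,
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        close_fds=True,          # nothing above fd 2 is passed to the child
        start_new_session=True)  # child calls setsid() before exec
    return process.pid           # returned without calling wait()


def describe_child(pid):
    """Session membership and stdio targets of a child, read from /proc (Linux)."""
    stdio = [os.readlink('/proc/%d/fd/%d' % (pid, fd)) for fd in (0, 1, 2)]
    return {'session_leader': os.getsid(pid) == pid,
            'shares_parent_session': os.getsid(pid) == os.getsid(0),
            'stdio': stdio}


if __name__ == '__main__':
    # Constructed stand-in for the long-running upgrade process.
    child = spawn_detached([sys.executable, '-c', 'import time; time.sleep(2)'])
    print(describe_child(child))
```

Because the child leads its own session and holds none of the parent's descriptors, restarting the parent service does not take the child down with it, which is also why its output can no longer be collected and a log file has to be shown instead.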
This is the first implementation for obtaining certificates from Let's
Encrypt. Following are the features and limitations.
- Requires manual operation.
- Registrations are done anonymously.
- Supports revoking and re-obtaining certificates. Does not have a way
to show if a certificate is already renewed.
- Automatic renewal is not available.
- Detailed messages in case of errors.
- Has ability to switch to testing mode by using LE's staging servers.
- Sets up Apache configuration for the domain and enables/disables it.
When certificates are not available for a domain, default website
configuration is used. When certificates are available, separate
SSL website configuration for each domain is used.
- Many domains will work with a single IP address with the help of Server
Name Indication (SNI) which is supported by all modern browsers.
- Supports diagnostics on websites.
Action:
- Don't use const for HOST_TOOL, it is unlikely to be ever changed.
- Don't pass multiple key ids as single string to monkeysphere-host.
- Use JSON for data transfer with action instead of custom format and
parsing.
- Minor styling fixes.
Template:
- More consistent indentation.
- Improve the description.
- Add headers to the table.
- List domains instead of domain types.
URLs:
- Take domain as argument for key generation.
- Narrow down fingerprint matching regex.
Views:
- Take domain as argument for key generation. Verify that domain is
valid.
- Minor grammar fix to cancel message.
- Use JSON format for getting key status.
- List domains instead of domain types.
monkeysphere: Run publish as background task, allow user to cancel.
Small fixes to names module:
- Remove unused ugettext import.
- Change SERVICES to tuple.
- If a domain is not available for a service type, return None instead
of (translated) "Not Available".
- Rename get_services -> get_enabled_services.