X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/267c02294d7d5c1f161921f9dade6b692a7029a2..ca112fc69a5b85127d243d716b032d2c08bb393c:/tools/salt-install/provision.sh

diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index ad01c691b9..dc4a7b70ff 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -200,7 +200,7 @@ WORKBENCH2_EXT_SSL_PORT=3001
 
 SSL_MODE="self-signed"
 USE_LETSENCRYPT_ROUTE53="no"
-CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"
+CUSTOM_CERTS_DIR="${SCRIPT_DIR}/local_config_dir/certs"
 
 ## These are ARVADOS-related parameters
 # For a stable release, change RELEASE "production" and VERSION to the
@@ -274,7 +274,7 @@ if [ ! -z "${HOSTNAME_EXT}" ] ; then
   # Make sure that the value configured as IP_INT is a real IP on the system.
   # If we don't error out early here when there is a mismatch, the formula will
   # fail with hard to interpret nginx errors later on.
-  ip addr list |grep -q "${IP_INT}/"
+  ip addr list |grep "${IP_INT}/" >/dev/null
   if [[ $? -ne 0 ]]; then
     echo "Unable to find the IP_INT address '${IP_INT}' on the system, please correct the value in local.params. Exiting..."
     exit 1
@@ -302,7 +302,10 @@ else
       yum install -y  curl git jq
       ;;
     "debian"|"ubuntu")
-      DEBIAN_FRONTEND=noninteractive apt update
+      # Wait 2 minutes for any apt locks to clear
+      # This option is supported from apt 1.9.1 and ignored in older apt versions.
+      # Cf. https://blog.sinjakli.co.uk/2021/10/25/waiting-for-apt-locks-without-the-hacky-bash-scripts/
+      DEBIAN_FRONTEND=noninteractive apt -o DPkg::Lock::Timeout=120 update
       DEBIAN_FRONTEND=noninteractive apt install -y curl git jq
       ;;
   esac
@@ -590,11 +593,27 @@ if [ -z "${ROLES}" ]; then
     fi
     grep -q "letsencrypt" ${P_DIR}/top.sls || echo "    - letsencrypt" >> ${P_DIR}/top.sls
 
-    # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them
-    for c in controller websocket workbench workbench2 webshell download collections keepproxy; do
-      sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${c}.${CLUSTER}.${DOMAIN}*/g;
-              s#__CERT_PEM__#/etc/letsencrypt/live/${c}.${CLUSTER}.${DOMAIN}/fullchain.pem#g;
-              s#__CERT_KEY__#/etc/letsencrypt/live/${c}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \
+    hosts=("controller" "websocket" "workbench" "workbench2" "webshell" "keepproxy")
+    if [ ${USE_SINGLE_HOSTNAME} = "no" ]; then
+      hosts+=("download" "collections")
+    else
+      hosts+=("keepweb")
+    fi
+
+    for c in "${hosts[@]}"; do
+      # Are we in a single-host-single-hostname env?
+      if [ "${USE_SINGLE_HOSTNAME}" = "yes" ]; then
+        # Are we in a single-host-single-hostname env?
+        CERT_NAME=${HOSTNAME_EXT}
+      else
+        # We are in a multiple-hostnames env
+        CERT_NAME=${c}.${CLUSTER}.${DOMAIN}
+      fi
+
+      # As the pillar differs whether we use LE or custom certs, we need to do a final edition on them
+      sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${CERT_NAME}*/g;
+              s#__CERT_PEM__#/etc/letsencrypt/live/${CERT_NAME}/fullchain.pem#g;
+              s#__CERT_KEY__#/etc/letsencrypt/live/${CERT_NAME}/privkey.pem#g" \
       ${P_DIR}/nginx_${c}_configuration.sls
     done
   else