X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/b161916d6b97e8b7205670ecc972a590749dd93c..ca112fc69a5b85127d243d716b032d2c08bb393c:/tools/salt-install/provision.sh

diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 44f3d4dffc..dc4a7b70ff 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -200,7 +200,7 @@ WORKBENCH2_EXT_SSL_PORT=3001
 
 SSL_MODE="self-signed"
 USE_LETSENCRYPT_ROUTE53="no"
-CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"
+CUSTOM_CERTS_DIR="${SCRIPT_DIR}/local_config_dir/certs"
 
 ## These are ARVADOS-related parameters
 # For a stable release, change RELEASE "production" and VERSION to the
@@ -274,7 +274,7 @@ if [ ! -z "${HOSTNAME_EXT}" ] ; then
   # Make sure that the value configured as IP_INT is a real IP on the system.
   # If we don't error out early here when there is a mismatch, the formula will
   # fail with hard to interpret nginx errors later on.
-  ip addr list |grep -q "${IP_INT}/"
+  ip addr list |grep "${IP_INT}/" >/dev/null
   if [[ $? -ne 0 ]]; then
     echo "Unable to find the IP_INT address '${IP_INT}' on the system, please correct the value in local.params. Exiting..."
     exit 1
@@ -302,7 +302,10 @@ else
       yum install -y  curl git jq
       ;;
     "debian"|"ubuntu")
-      DEBIAN_FRONTEND=noninteractive apt update
+      # Wait 2 minutes for any apt locks to clear
+      # This option is supported from apt 1.9.1 and ignored in older apt versions.
+      # Cf. https://blog.sinjakli.co.uk/2021/10/25/waiting-for-apt-locks-without-the-hacky-bash-scripts/
+      DEBIAN_FRONTEND=noninteractive apt -o DPkg::Lock::Timeout=120 update
       DEBIAN_FRONTEND=noninteractive apt install -y curl git jq
       ;;
   esac
@@ -549,14 +552,15 @@ if [ -z "${ROLES}" ]; then
     fi
     grep -q "letsencrypt"     ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
   else
-    # Use custom certs, as both bring-your-own and self-signed are copied using this state
-    # Copy certs to formula extra/files
-    # In dev mode, the files will be created and put in the destination directory by the
-    # snakeoil_certs.sls state file
     mkdir -p /srv/salt/certs
-    cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
-    # We add the custom_certs state
-    grep -q "custom_certs"    ${S_DIR}/top.sls || echo "    - extra.custom_certs" >> ${S_DIR}/top.sls
+    if [ "${SSL_MODE}" = "bring-your-own" ]; then
+      # Copy certs to formula extra/files
+      cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
+      # We add the custom_certs state
+      grep -q "custom_certs"    ${S_DIR}/top.sls || echo "    - extra.custom_certs" >> ${S_DIR}/top.sls
+    fi
+    # In self-signed mode, the certificate files will be created and put in the
+    # destination directory by the snakeoil_certs.sls state file
   fi
 
   echo "    - postgres" >> ${S_DIR}/top.sls
@@ -564,6 +568,7 @@ if [ -z "${ROLES}" ]; then
   echo "    - arvados" >> ${S_DIR}/top.sls
   echo "    - extra.shell_sudo_passwordless" >> ${S_DIR}/top.sls
   echo "    - extra.shell_cron_add_login_sync" >> ${S_DIR}/top.sls
+  echo "    - extra.passenger_rvm" >> ${S_DIR}/top.sls
 
   # Pillars
   echo "    - docker" >> ${P_DIR}/top.sls
@@ -588,11 +593,27 @@ if [ -z "${ROLES}" ]; then
     fi
     grep -q "letsencrypt" ${P_DIR}/top.sls || echo "    - letsencrypt" >> ${P_DIR}/top.sls
 
-    # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them
-    for c in controller websocket workbench workbench2 webshell download collections keepproxy; do
-      sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${c}.${CLUSTER}.${DOMAIN}*/g;
-              s#__CERT_PEM__#/etc/letsencrypt/live/${c}.${CLUSTER}.${DOMAIN}/fullchain.pem#g;
-              s#__CERT_KEY__#/etc/letsencrypt/live/${c}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \
+    hosts=("controller" "websocket" "workbench" "workbench2" "webshell" "keepproxy")
+    if [ ${USE_SINGLE_HOSTNAME} = "no" ]; then
+      hosts+=("download" "collections")
+    else
+      hosts+=("keepweb")
+    fi
+
+    for c in "${hosts[@]}"; do
+      # Are we in a single-host-single-hostname env?
+      if [ "${USE_SINGLE_HOSTNAME}" = "yes" ]; then
+        # Are we in a single-host-single-hostname env?
+        CERT_NAME=${HOSTNAME_EXT}
+      else
+        # We are in a multiple-hostnames env
+        CERT_NAME=${c}.${CLUSTER}.${DOMAIN}
+      fi
+
+      # As the pillar differs whether we use LE or custom certs, we need to do a final edition on them
+      sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${CERT_NAME}*/g;
+              s#__CERT_PEM__#/etc/letsencrypt/live/${CERT_NAME}/fullchain.pem#g;
+              s#__CERT_KEY__#/etc/letsencrypt/live/${CERT_NAME}/privkey.pem#g" \
       ${P_DIR}/nginx_${c}_configuration.sls
     done
   else
@@ -656,6 +677,7 @@ else
         else
           echo "    - nginx.passenger" >> ${S_DIR}/top.sls
         fi
+        echo "    - extra.passenger_rvm" >> ${S_DIR}/top.sls
         ### If we don't install and run LE before arvados-api-server, it fails and breaks everything
         ### after it. So we add this here as we are, after all, sharing the host for api and controller
         if [ "${SSL_MODE}" = "lets-encrypt" ]; then