From: Tom Clegg
Date: Wed, 13 Apr 2022 15:07:21 +0000 (-0400)
Subject: Merge branch '18700-boot-wb2'
X-Git-Tag: 2.5.0~214
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/91d40ffe727119f7661e734f9535fd9005880e98?hp=66a90e37d9dbc9a6526a7de2a2d0b286e8e6f87f
Merge branch '18700-boot-wb2'
closes #18700
Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
diff --git a/build/run-build-packages.sh b/build/run-build-packages.sh
index 164755fda6..9b09b7fae0 100755
--- a/build/run-build-packages.sh
+++ b/build/run-build-packages.sh
@@ -204,6 +204,9 @@ if [[ ! -d "$WORKSPACE/packages/$TARGET" ]]; then
 chown --reference="$WORKSPACE" "$WORKSPACE/packages/$TARGET"
 fi
+# Required due to CVE-2022-24765
+git config --global --add safe.directory /arvados
+
 # Perl packages
 debug_echo -e "\nPerl packages\n"
diff --git a/cmd/arvados-server/keepproxy.service b/cmd/arvados-server/keepproxy.service
new file mode 100644
index 0000000000..7d4d092677
--- /dev/null
+++ b/cmd/arvados-server/keepproxy.service
@@ -0,0 +1,27 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+[Unit]
+Description=Arvados Keep Proxy
+Documentation=https://doc.arvados.org/
+After=network.target
+AssertPathExists=/etc/arvados/config.yml
+
+# systemd>=230 (debian:9) obeys StartLimitIntervalSec in the [Unit] section
+StartLimitIntervalSec=0
+
+[Service]
+Type=notify
+EnvironmentFile=-/etc/arvados/environment
+ExecStart=/usr/bin/keepproxy
+# Set a reasonable default for the open file limit
+LimitNOFILE=65536
+Restart=always
+RestartSec=1
+
+# systemd<=219 (centos:7, debian:8, ubuntu:trusty) obeys StartLimitInterval in the [Service] section
+StartLimitInterval=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 44f3d4dffc..669d04d92f 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
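Review bot: In build/run-build-packages.sh, `git config --global --add safe.directory /arvados` appends another entry to the global config on every run, and the comment gives only the CVE number rather than the reason this path may be exempted. safe.directory switches off the repository-ownership check that the CVE-2022-24765 fix introduced, so the comment should state what makes /arvados trustworthy here (presumably a checkout mounted into a throwaway build container under a different uid; that is not visible in this hunk). To avoid accumulating duplicates, guard the write: `git config --global --get-all safe.directory | grep -qxF /arvados || git config --global --add safe.directory /arvados`.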
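Review bot: In cmd/arvados-server/keepproxy.service, the [Service] section sets no `User=` and no sandboxing directives, so as a system unit the proxy started by `ExecStart=/usr/bin/keepproxy` would run as root with unrestricted filesystem access. If keepproxy only needs to read /etc/arvados/config.yml and listen on its configured port (not verifiable from this diff), a dedicated `User=` plus `NoNewPrivileges=true`, `ProtectSystem=full` and `PrivateTmp=true` would limit what a compromise of the service can reach. Check each directive against the oldest systemd release the file's comments target before adding it.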
@@ -549,14 +549,15 @@ if [ -z "${ROLES}" ]; then
 fi
 grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
 else
- # Use custom certs, as both bring-your-own and self-signed are copied using this state
- # Copy certs to formula extra/files
- # In dev mode, the files will be created and put in the destination directory by the
- # snakeoil_certs.sls state file
 mkdir -p /srv/salt/certs
- cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
- # We add the custom_certs state
- grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls
+ if [ "${SSL_MODE}" = "bring-your-own" ]; then
+ # Copy certs to formula extra/files
+ cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
+ # We add the custom_certs state
+ grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls
+ fi
+ # In self-signed mode, the certificate files will be created and put in the
+ # destination directory by the snakeoil_certs.sls state file
 fi
 echo " - postgres" >> ${S_DIR}/top.sls
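Review bot: The re-indented `cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/` line is unquoted and unguarded, so if CUSTOM_CERTS_DIR is empty or unset while SSL_MODE is bring-your-own the glob becomes `/*` and the root filesystem is copied into the Salt file tree. Unless a check outside this hunk already validates the variable, use `cp -rv -- "${CUSTOM_CERTS_DIR:?}"/* /srv/salt/certs/` so the script aborts instead. The copied files presumably include private keys, and `mkdir -p /srv/salt/certs` leaves the directory mode to the umask, so a `chmod 0700 /srv/salt/certs` after the mkdir is worth considering. The enclosing if/else starts before the hunk.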