fix: orchestrator deploy via systemd unit and certbot via podman run

- Replace 'podman-compose up -d' in step_deploy_option_a/b with
  'systemctl start perfsonar-testpoint': the compose invocation
  lacks --systemd=always and --cgroupns host, causing systemd inside
  the Ubuntu container to fail with 'cgroup Permission denied' on
  fresh RHEL 9 hosts. The systemd unit (installed by install-systemd-
  units.sh) already has the correct flags.
- Replace 'podman-compose up -d certbot' with a direct 'podman run'
  command that includes the Podman socket mount (/run/podman/podman.sock)
  needed by the certbot-deploy-hook.sh to restart the testpoint container
  after successful certificate renewal.
- Bump version to 1.1.2.

Both issues discovered during psmsu01.aglt2.org fresh install.

Author: root

docs/perfsonar/tools_scripts/perfSONAR-orchestrator.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
-# Version: 1.1.1
+# Version: 1.1.2
 # Author: Shawn McKee, University of Michigan
 # Acknowledgements: Supported by IRIS-HEP and OSG-LHC
 
@@ -218,14 +218,24 @@ step_auto_update_compose() {
 step_deploy_option_a() {
   run /opt/perfsonar-tp/tools_scripts/seed_testpoint_host_dirs.sh
   run bash -c "curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/docker-compose.testpoint.yml -o /opt/perfsonar-tp/docker-compose.yml"
-  run bash -c "cd /opt/perfsonar-tp && podman-compose up -d"
+  # Start via the systemd unit (which has --systemd=always --cgroupns host needed
+  # for systemd inside the container); podman-compose up -d lacks these flags.
+  run systemctl daemon-reload
+  run systemctl start perfsonar-testpoint
+  log "Waiting 30s for container to initialise..."
+  sleep 30
   run podman ps
 }
 
 step_deploy_option_b() {
   run /opt/perfsonar-tp/tools_scripts/seed_testpoint_host_dirs.sh
   run bash -c "curl -fsSL https://raw.githubusercontent.com/osg-htc/networking/master/docs/perfsonar/tools_scripts/docker-compose.testpoint-le-auto.yml -o /opt/perfsonar-tp/docker-compose.yml"
-  run bash -c "cd /opt/perfsonar-tp && podman-compose up -d"
+  # Start via the systemd unit (which has --systemd=always --cgroupns host needed
+  # for systemd inside the container); podman-compose up -d lacks these flags.
+  run systemctl daemon-reload
+  run systemctl start perfsonar-testpoint
+  log "Waiting 30s for container to initialise..."
+  sleep 30
   run podman ps
 
   # Auto-detect FQDNs from reverse DNS of all configured IPs
@@ -318,8 +328,19 @@ step_deploy_option_b() {
       log "Continuing installation — certificate can be obtained later."
     fi
 
-    run podman restart perfsonar-testpoint || true
-    run podman start certbot || true
+    run systemctl restart perfsonar-testpoint || true
+    # Start the certbot renewal container with Podman socket for the deploy hook
+    run podman rm -f certbot || true
+    run podman run -d --name certbot --net=host \
+      --security-opt label=disable \
+      -v /etc/letsencrypt:/etc/letsencrypt:Z \
+      -v /var/www/html:/var/www/html:z \
+      -v /run/podman/podman.sock:/run/podman/podman.sock:ro \
+      -v "/opt/perfsonar-tp/tools_scripts/certbot-deploy-hook.sh:/etc/letsencrypt/renewal-hooks/deploy/certbot-deploy-hook.sh:ro" \
+      --entrypoint /bin/sh \
+      docker.io/certbot/certbot:latest \
+      '-c' 'trap exit TERM; while :; do certbot renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/certbot-deploy-hook.sh; sleep 12h & wait ${!}; done' \
+      || log "WARNING: certbot renewal container failed to start; set it up manually."
     run podman exec certbot certbot renew --dry-run || true
   else
     log "Skipping certificate issuance (missing --fqdn/--email or no FQDNs detected). You can do this later."

docs/perfsonar/tools_scripts/scripts.sha256

@@ -17,7 +17,7 @@ e1944123e17c89e8f202cca960f147397d64ae1e675af132c84b02ced2564abb  node_exporter.
 76f49ce6e5ee00a0f35026ee6b87b44448355549fe78b3b0873b49bbece1ccf1  testpoint-entrypoint-wrapper.sh
 50dfab90bc21d5c566b713f48b00b079a32a8b8756432a0d0f66ac6a64e6e581  perfSONAR-health-monitor.sh
 d8e3cc4a03725c7fb6e12c13e5036e7c6a3af301a1f1e728690ce9ad3ab8aa96  install_tools_scripts.sh
-f127c37eb2441cd9c674b1286e3bd1333c09435bc393c0c43245327d2cc012e7  perfSONAR-orchestrator.sh
+084538e013a84e8e475bb601b3cfca4774df4c708363673697bc975cb04e7360  perfSONAR-orchestrator.sh
 2615a29d65e285391adb547046584c4534ea548e69571b67e0cf35773b010c57  perfSONAR-diagnostic-report.sh
 b8ef81ab410cfe1a8a5732290c01cf9f2acc6fc8fdfa0068fd21854f3d7fec9c  docs/perfsonar/tools_scripts/perfSONAR-install-flowd-go.sh
 39d226a857eb1a0956003c75ca8b558fcb55c63176286ca9597f031d08cb38a7  docs/perfsonar/tools_scripts/update-perfsonar-deployment.sh