fix: certbot deploy hook uses Podman REST API via Python; fix EL9 cgroup/SELinux settings #71

Merged
ShawnMcKee merged 1 commit into master from host-network-tuning-apply-flags
Feb 24, 2026

Conversation

@ShawnMcKee
Contributor

Root cause: certbot container (Alpine-based) does not include the podman binary, so the v1.0.0 deploy hook failed silently when trying to run podman restart. Separately, the compose files used cgroupns: private which crashes the testpoint container's internal systemd on EL9 hosts. Diagnosed and fixed on psum01.aglt2.org (Feb 2026).

certbot-deploy-hook.sh (v1.0.0 → v2.0.0):

  • Replace podman restart CLI call with Python HTTP client talking to the Podman REST API over the mounted Unix socket (/run/podman/podman.sock). python3 is available in the Alpine certbot image; no additional packages required.
  • Removes dependency on the podman binary inside the container.
  • Add SHA256 checksum file (certbot-deploy-hook.sh.sha256).

docker-compose.testpoint-le{,-auto}.yml:

  • testpoint: replace privileged: true + cgroupns: private with cgroup: host + /sys/fs/cgroup volume mount + tty: true. The old settings prevented systemd from running inside the container on EL9. Remove CAP_SYS_ADMIN and CAP_SYS_PTRACE (not needed). Increase healthcheck start_period to 60s (allows systemd more time).
  • certbot: add security_opt: label=disable so SELinux does not block the container from accessing the host Podman socket.

install-perfsonar-testpoint.md:

  • Correct deploy hook troubleshooting path from /opt/certbot/deploy-hook.sh to the correct /etc/letsencrypt/renewal-hooks/deploy/certbot-deploy-hook.sh.
  • Expand deploy hook description: note Python REST API usage and the SELinux security_opt requirement for EL9 hosts.
  • Add actionable verification commands to the troubleshooting section.
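The approach the v2.0.0 hook takes, shown here as an added example rather than the project's own hook code: a standard-library-only Python client that asks Podman to restart a container through the libpod REST API over the mounted Unix socket, and fails loudly on any non-success status instead of silently as the v1.0.0 hook did. The container name `testpoint`, the `/libpod/containers/{name}/restart` endpoint (from Podman's published API, not quoted in the PR) and the `UnixHTTPConnection` class are assumptions of this example.

```python
"""Restart a container via the Podman REST API over its Unix socket.

Standard library only: no podman binary and no extra packages are needed
inside an Alpine certbot container, which is the point of the v2.0.0 hook.
"""
import http.client
import socket
import sys

SOCKET_PATH = "/run/podman/podman.sock"  # host socket mounted into the container


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection whose transport is an AF_UNIX socket instead of TCP."""

    def __init__(self, socket_path, timeout=30):
        # "localhost" only feeds the Host header; the socket ignores it.
        super().__init__("localhost", timeout=timeout)
        self.socket_path = socket_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.socket_path)


def restart_container(name, socket_path=SOCKET_PATH, timeout=10):
    """POST /libpod/containers/{name}/restart and return the HTTP status.

    Podman answers 204 on success and 404 for an unknown container. Anything
    other than 204 raises, so certbot records the deploy hook as failed
    rather than renewing the cert while the service keeps the old one.
    """
    conn = UnixHTTPConnection(socket_path, timeout=timeout)
    try:
        # t= is the grace period Podman gives the container to stop cleanly
        conn.request("POST", f"/libpod/containers/{name}/restart?t={timeout}")
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
    finally:
        conn.close()
    if resp.status != 204:
        raise RuntimeError(f"restart of {name!r} failed: HTTP {resp.status} {body}")
    return resp.status


if __name__ == "__main__":
    # Usage: restart_via_api.py [container-name]  (assumed script name)
    restart_container(sys.argv[1] if len(sys.argv) > 1 else "testpoint")
```

With SELinux enforcing on EL9, the container also needs `security_opt: label=disable` (as the compose change above adds), or the connect() call is denied before any HTTP is exchanged.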

ShawnMcKee force-pushed the host-network-tuning-apply-flags branch from 55c270e to 968303b on February 24, 2026 15:59
ShawnMcKee merged commit dfea788 into master on Feb 24, 2026
9 checks passed