mirror of
https://github.com/chatmail/relay.git
synced 2026-05-10 16:04:37 +00:00
3df3c031d4
* refactor: Move all imports to top of cmdeploy/__init__.py
* refactor: Move addition of 9.9.9.9 resolver earlier
- Moved the "Add 9.9.9.9 to resolv.conf" step earlier, before the
creation of users or updates to any config files. This should not
affect any of those operations. Moving this step earlier makes it
easier to accommodate the restructuring of the deployment process
into separate components with separate stages for install,
configure, and activate.
- Added a Deployer class that defines the base for objects that will
handle installation of individual components, with install,
configure, and activate stages.
- The CMDEPLOY_STAGES environment variable is used to determine what
stages to run. If this is not defined, all stages run as usual.
- Added import of Deployer to cmdeploy/__init__.py. This is not yet
used, but the next series of commits will use it.
- In deploy_chatmail(), define an empty list of deployers, and call
the create_groups() and create_users() methods for the items in the
list. This list will get filled with Deployer objects in the next
series of commits.
* refactor: Add DovecotDeployer
* refactor: Add PostfixDeployer
- Removed now-unused 'debug' variable from deploy_chatmail().
* refactor: Add NginxDeployer
- Use policy-rc.d during nginx install. This is needed to keep nginx
from starting up and interfering with acmetool. For more information see:
- https://serverfault.com/questions/861583/how-to-stop-nginx-from-being-automatically-started-on-install
- https://major.io/p/install-debian-packages-without-starting-daemons/
- https://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt
* refactor: Add OpendkimDeployer
- Note that this moves the installation of the opendkim package
earlier in the deployment sequence. Previously, it was installed
during the _configure_opendkim() routine.
* refactor: Add UnboundDeployer
* refactor: Add IrohDeployer
- This splits the existing deploy_iroh_relay() routine into methods
for the install, configure, and activate stages.
* refactor: Add JournaldDeployer
* refactor: Add AcmetoolDeployer
- This splits the existing deploy_acmetool() routine into methods for
the install, configure, and activate stages.
* refactor: Add MtailDeployer
- This splits the existing deploy_mtail() routine into methods for the
install, configure, and activate stages.
* refactor: Add MtastsDeployer
- This splits the existing _uninstall_mta_sts_daemon() routine into
methods for the configure and activate stages.
* refactor: Add RspamdDeployer
- This replaces the existing _remove_rspamd() routine with a method
for the install stage.
* refactor: Split _install_remote_venv_with_chatmaild into stages
- Split _install_remote_venv_with_chatmaild() into three routines, to
handle the install, configure, and activate stages.
- This moves the upload of chatmail.ini later in the deployment
process, because it is a configuration file specific to the
instance, not software installation that would be uniform across all
deployments.
* refactor: Add ChatmailVenvDeployer
* refactor: Add ChatmailDeployer
- This moves the installation of cron earlier in the deployment sequence.
* refactor: Add FcgiwrapDeployer
* refactor: Add EchobotDeployer
- This class is a special case because it has a dependency on the
Postfix and Dovecot deployers. When deciding whether to restart the
echobot service, it needs to know whether the Postfix and Dovecot
deployers restarted their services. To support this dependency, the
PostfixDeployer and DovecotDeployer objects are passed to the
EchobotDeployer object, so it can check their was_restarted
attributes.
* refactor: Add WebsiteDeployer
- This adds a step to create /var/www in the install stage, because
the directory needs to exist for the rsync in the configure stage to
work.
* refactor: Add TurnDeployer
- This splits the existing deploy_turn_server() routine into methods
for the install, configure, and activate stages.
* refactor: Move curl installation from IrohDeployer to ChatmailDeployer
- The 'curl' program is used in TurnDeployer and IrohDeployer, so it
makes more sense to install it at the beginning in ChatmailDeployer,
rather than have each thing that uses it install it separately.
* refactor: Reorder deploy_chatmail()
- The previous commits that added Deployer classes mostly kept
deployment operations in the same order that they were in before.
To organize the process into separate stages for install, configure,
and activate, we need to reorder the method calls. This is the
commit that does that, and thus this is the commit that has the
largest effect on the order of operations.
- The calls for the deployer objects are all reordered here so that
the methods are called in the same sequence for each stage. This
will allow us to collect the calls into loops in the next commit.
This commit provides a way to see a diff showing exactly how the
sequence changed.
- The sequence of deployers was largely based on preserving the order
of the "activate" stage, as this seems like the place order might be
the most likely to matter. Installation of packages and
configuration of files should generally be able to run in any order.
(ChatmailDeployer handles updating the apt data, and therefore needs
to be first, however.)
* refactor: Call install, configure, and activate methods in loops
- Revised deploy_chatmail() to use all_deployers to call the
install(), configure(), and activate() methods on all the deployers,
rather than listing them explicitly in the code.
* docs: Add architectural information about deployer classes
- Updated overview.rst to describe the Deployer class hierarchy and
the motivations behind it.
* fix: Block unbound from starting up on install
- On an IPv4-only system, if unbound is started but not configured, it
causes subsequent steps to fail to resolve hosts.
- Revised UnboundDeployer.install_impl() to use policy-rc.d to prevent
the service from starting when installed. This is the same
mechanism used to keep nginx from starting on install.
* feat: Remove obs-home-deltachat.gpg
- We don't install Dovecot from OBS anymore.
- Removed files.put() that creates
/etc/apt/keyrings/obs-home-deltachat.gpg; replaced this with a
files.file() that sets present=False to remove the file from any
existing installations where it already has been installed.
- Removed now-unused obs-home-deltachat.gpg file.
- Clarified description of sources.list operation.
- Suggested in review by missytake and hpk42.
* feat: Reorder deployers
- Moved fcgiwrap before nginx.
- Exchanged order of turn and unbound.
- Moved journald as early as possible.
- Suggested in review by missytake.
* chore: Add CHANGELOG.md entry for cmdeploy refactor
* refactor: Move unit list to ChatmailVenvDeployer
- Split _configure_remote_venv_with_chatmaild() into two functions.
_configure_remote_venv_with_chatmaild() handles details specific to
the "venv", while the new _configure_remote_units() is a more
general function that is applicable to several services.
- Renamed _activate_remote_venv_with_chatmaild() to
_activate_remote_units() because doesn't have anything
venv-specific.
- Removed list of units from helper functions (where it appeared
twice); moved it to ChatmailVenvDeployer, where its is passed as an
argument to _configure_remote_units() and _activate_remote_units().
* refactor: Move turnserver out of ChatmailVenvDeployer
- Revised TurnDeployer to use _configure_remote_units() and
_activate_remote_units(). This class no longer uses need_restart
and daemon_reload attributes to keep track of state. The activate
stage of ChatmailVenvDeployer was unconditionally restarting the
service every time, so we don't need to keep track of extra state in
an attempt to avoid restarting it; we can just handle the
unconditional restart in TurnDeployer.activate_impl().
- Removed turnserver from the unit list in ChatmailVenvDeployer.
* refactor: Move echobot out of ChatmailVenvDeployer
- Revised EchobotDeployer to use _configure_remote_units() and
_activate_remote_units(). The 'activate' stage of
ChatmailVenvDeployer was unconditionally restarting the service
every time, so EchobotDeployer no longer needs to depend on the
was_restarted attributes of the postfix and dovecot deployers in an
attempt to avoid restarting it; we can just handle the unconditional
restart in EchobotDeployer.activate_impl().
- Removed echobot from the unit list in ChatmailVenvDeployer.
- Removed now-unused was_restarted attribute from PostfixDeployer and
DovecotDeployer.
* refactor: Move doveauth out of ChatmailVenvDeployer
- Revised DovecotDeployer to use _configure_remote_units() and
_activate_remote_units() to deploy doveauth. This keeps the
Dovecot-related services in a single deployer class, leaving only
services that are part of the chatmail project in
ChatmailVenvDeployer.
- Removed doveauth from the unit list in ChatmailVenvDeployer.
* strike unnccessary deployer variables
* remove indirection with "stages"
* simplify required_users configuration (a method is not needed for now)
* further reduce indirections for staged install
* now that Deployer class is clean and not mixed with what is in Deployment, use the simpler "install", "configure" and "activate" namings instead of *_impl
* remove static method and Make Deployer instances not set any default state
* strike unneccessary *,** argument flexibility
* use a Deployer for setting the remote git hash
* refactor: Revise AcmetoolDeployer for new Deployer interface
* style: Formatting revisions
* refactor: Pass all constructor arguments by position
- The constructor arguments do not have default values; they are all
required. Revised deploy_chatmail() to pass them by position rather
than name, so that the caller is not coupled to the names of the
arguments inside the method definition.
* refactor: Simplify interface to Deployer.install()
- In the current code, the only class using the interface that sets
need_restart() from the return value of the install() method was
IrohDeployer. That interface was created when the install method
was a static method, but now it is an instance method with access to
'self'. Therefore, we don't need to pass anything up to the caller
to have them set the attribute, we can just set it.
- Revised IrohDeployer.install() to set self.need_restart directly,
rather than returning a value.
- Revised Deployment.install() to ignore the return value of the
deployers' install() methods.
- need_restart is still present in the base Deployer class to ensure
that it is always defined, even when classes do not set it in a
constructor. Apart from this initialization for convenience, there
is no longer any specific exposure of need_restart in the interface
of the Deployer class.
- In general, install() methods should use 'self' as little as
possible, preferably not at all. In particular, install() methods
should never depend on "config" data, such as the config dictionary
in self.config or specific values like self.mail_domain. This
ensures that these methods can be used to perform generic
installation operations that are applicable across multiple relay
deployments, and therefore can be called in the process of building
a general-purpose container image.
* docs: Update cmdeploy architecture details
- Revised cmdeploy documentation in doc/source/overview.rst to reflect
the recent revisions to the Deployer interface.
* docs: Remove section about use of objects
---------
Co-authored-by: holger krekel <holger@merlinux.eu>
345 lines
13 KiB
ReStructuredText
345 lines
13 KiB
ReStructuredText
|
||
Technical overview
|
||
======================
|
||
|
||
|
||
Directories of the relay repository
|
||
-----------------------------------
|
||
|
||
The `chatmail relay repository <https://github.com/chatmail/relay/tree/main/>`_
|
||
has four main directories.
|
||
|
||
``scripts/``
|
||
~~~~~~~~~~~~~
|
||
|
||
`scripts <https://github.com/chatmail/relay/tree/main/scripts>`_
|
||
offers two convenience tools for beginners:
|
||
|
||
- ``initenv.sh`` installs a local virtualenv Python environment and
|
||
installs necessary dependencies
|
||
|
||
- ``scripts/cmdeploy`` script enables you to run the ``cmdeploy``
|
||
command line tool in the local Python virtual environment.
|
||
|
||
|
||
``cmdeploy/``
|
||
~~~~~~~~~~~~~
|
||
|
||
The ``cmdeploy`` directory contains the Python package and command line tool
|
||
to setup a chatmail relay remotely via SSH:
|
||
|
||
- ``cmdeploy init`` creates the ``chatmail.ini`` config file locally.
|
||
|
||
- ``cmdeploy run`` under the hood uses pyinfra_
|
||
to automatically install or upgrade all chatmail components on a relay,
|
||
according to the local ``chatmail.ini`` config.
|
||
|
||
The deployed system components of a chatmail relay are:
|
||
|
||
- Postfix_ is the Mail Transport Agent (MTA) and
|
||
accepts messages from, and sends messages to, the wider email MTA network
|
||
|
||
- Dovecot_ is the Mail Delivery Agent (MDA) and
|
||
stores messages for users until they download them
|
||
|
||
- Nginx_ shows the web page with privacy policy and additional information
|
||
|
||
- `acmetool <https://hlandau.github.io/acmetool/>`_ manages TLS
|
||
certificates for Dovecot, Postfix, and Nginx
|
||
|
||
- `OpenDKIM <http://www.opendkim.org/>`_ for signing messages with
|
||
DKIM and rejecting inbound messages without DKIM
|
||
|
||
- `mtail <https://google.github.io/mtail/>`_ for collecting anonymized
|
||
metrics in case you have monitoring
|
||
|
||
- `Iroh relay <https://www.iroh.computer/docs/concepts/relay>`_ which
|
||
helps client devices to establish Peer-to-Peer connections
|
||
|
||
- `TURN <https://github.com/chatmail/chatmail-turn>`_ to enable relay
|
||
users to start webRTC calls even if a p2p connection can’t be
|
||
established
|
||
|
||
- and the chatmaild services, explained in the next section:
|
||
|
||
|
||
``chatmaild/``
|
||
~~~~~~~~~~~~~~
|
||
|
||
`chatmaild <https://github.com/chatmail/relay/tree/main/chatmaild>`_
|
||
is a Python package containing several small services which handle
|
||
authentication, trigger push notifications on new messages, ensure
|
||
that outbound mails are encrypted, delete inactive users, and some
|
||
other minor things. chatmaild can also be installed as a stand-alone
|
||
Python package.
|
||
|
||
``chatmaild`` implements various systemd-controlled services
|
||
that integrate with Dovecot and Postfix to achieve instant-onboarding
|
||
and only relaying OpenPGP end-to-end messages encrypted messages. A
|
||
short overview of ``chatmaild`` services:
|
||
|
||
- `doveauth <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/doveauth.py>`_
|
||
implements create-on-login address semantics and is used by Dovecot
|
||
during IMAP login and by Postfix during SMTP/SUBMISSION login which
|
||
in turn uses `Dovecot SASL
|
||
<https://doc.dovecot.org/2.3/configuration_manual/authentication/dict/#complete-example-for-authenticating-via-a-unix-socket>`_
|
||
to authenticate logins.
|
||
|
||
- `filtermail <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/filtermail.py>`_
|
||
prevents unencrypted email from leaving or entering the chatmail
|
||
service and is integrated into Postfix’s outbound and inbound mail
|
||
pipelines.
|
||
|
||
- `chatmail-metadata <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/metadata.py>`_
|
||
is contacted by a `Dovecot lua
|
||
script <https://github.com/chatmail/relay/blob/main/cmdeploy/src/cmdeploy/dovecot/push_notification.lua>`_
|
||
to store user-specific relay-side config. On new messages, it `passes
|
||
the user’s push notification
|
||
token <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/notifier.py>`_
|
||
to
|
||
`notifications.delta.chat <https://delta.chat/en/help#instant-delivery>`_
|
||
so the push notifications on the user’s phone can be triggered by
|
||
Apple/Google/Huawei.
|
||
|
||
- `chatmail-expire <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/expire.py>`_
|
||
deletes users if they have not logged in for a longer while.
|
||
The timeframe can be configured in ``chatmail.ini``.
|
||
|
||
- `lastlogin <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/lastlogin.py>`_
|
||
is contacted by Dovecot when a user logs in and stores the date of
|
||
the login.
|
||
|
||
- `echobot <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/echo.py>`_
|
||
is a small bot for test purposes. It simply echoes back messages from
|
||
users.
|
||
|
||
- `metrics <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/metrics.py>`_
|
||
collects some metrics and displays them at
|
||
``https://example.org/metrics``.
|
||
|
||
``www/``
|
||
~~~~~~~~~
|
||
|
||
`www <https://github.com/chatmail/relay/tree/main/www>`_ contains
|
||
the html, css, and markdown files which make up a chatmail relay’s
|
||
web page. Edit them before deploying to make your chatmail relay
|
||
stand out.
|
||
|
||
|
||
Component dependency diagram
|
||
--------------------------------------
|
||
|
||
.. mermaid::
|
||
:caption: This diagram shows relay components and dependencies/communication paths.
|
||
|
||
graph LR;
|
||
cmdeploy --- sshd;
|
||
letsencrypt --- |80|acmetool-redirector;
|
||
acmetool-redirector --- |443|nginx-right(["`nginx
|
||
(external)`"]);
|
||
nginx-external --- |465|postfix;
|
||
nginx-external(["`nginx
|
||
(external)`"]) --- |8443|nginx-internal["`nginx
|
||
(internal)`"];
|
||
nginx-internal --- website["`Website
|
||
/var/www/html`"];
|
||
nginx-internal --- newemail.py;
|
||
nginx-internal --- autoconfig.xml;
|
||
certs-nginx[("`TLS certs
|
||
/var/lib/acme`")] --> nginx-internal;
|
||
cron --- chatmail-metrics;
|
||
cron --- acmetool;
|
||
chatmail-metrics --- website;
|
||
acmetool --> certs[("`TLS certs
|
||
/var/lib/acme`")];
|
||
nginx-external --- |993|dovecot;
|
||
autoconfig.xml --- postfix;
|
||
autoconfig.xml --- dovecot;
|
||
postfix --- echobot;
|
||
postfix --- |10080,10081|filtermail;
|
||
postfix --- users["`User data
|
||
home/vmail/mail`"];
|
||
postfix --- |doveauth.socket|doveauth;
|
||
dovecot --- |doveauth.socket|doveauth;
|
||
dovecot --- users;
|
||
dovecot --- |metadata.socket|chatmail-metadata;
|
||
doveauth --- users;
|
||
chatmail-expire-daily --- users;
|
||
chatmail-fsreport-daily --- users;
|
||
chatmail-metadata --- iroh-relay;
|
||
certs-nginx --> postfix;
|
||
certs-nginx --> dovecot;
|
||
style certs fill:#ff6;
|
||
style certs-nginx fill:#ff6;
|
||
style nginx-external fill:#fc9;
|
||
style nginx-right fill:#fc9;
|
||
|
||
|
||
Operational details of a chatmail relay
|
||
----------------------------------------
|
||
|
||
Mailbox directory layout
|
||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
Fresh chatmail addresses have a mailbox directory that contains:
|
||
|
||
- a ``password`` file with the salted password required for
|
||
authenticating whether a login may use the address to send/receive
|
||
messages. If you modify the password file manually, you effectively
|
||
block the user.
|
||
|
||
- ``enforceE2EEincoming`` is a default-created file with each address.
|
||
If present the file indicates that this chatmail address rejects
|
||
incoming cleartext messages. If absent the address accepts incoming
|
||
cleartext messages.
|
||
|
||
- ``dovecot*``, ``cur``, ``new`` and ``tmp`` represent IMAP/mailbox
|
||
state. If the address is only used by one device, the Maildir
|
||
directories will typically be empty unless the user of that address
|
||
hasn’t been online for a while.
|
||
|
||
Active ports
|
||
~~~~~~~~~~~~
|
||
|
||
Postfix_ listens on ports
|
||
|
||
- 25 (SMTP)
|
||
|
||
- 587 (SUBMISSION) and
|
||
|
||
- 465 (SUBMISSIONS)
|
||
|
||
Dovecot_ listens on ports
|
||
|
||
- 143 (IMAP) and
|
||
|
||
- 993 (IMAPS)
|
||
|
||
Nginx_ listens on port
|
||
|
||
- 8443 (HTTPS-ALT) and
|
||
|
||
- 443 (HTTPS) which multiplexes HTTPS, IMAP and SMTP using ALPN
|
||
to redirect connections to ports 8443, 465 or 993.
|
||
|
||
`acmetool <https://hlandau.github.io/acmetool/>`_ listens on port:
|
||
|
||
- 80 (HTTP).
|
||
|
||
`chatmail-turn <https://github.com/chatmail/chatmail-turn>`_ listens on port
|
||
|
||
- 3478 UDP (STUN/TURN), and temporarily opens further UDP ports
|
||
when users request them. UDP port range is not restricted, any free port
|
||
may be allocated.
|
||
|
||
chatmail-core based apps will, however, discover all ports and
|
||
configurations automatically by reading the `autoconfig XML
|
||
file <https://www.ietf.org/archive/id/draft-bucksch-autoconfig-00.html>`_
|
||
from the chatmail relay server.
|
||
|
||
Email domain authentication (DKIM)
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
Chatmail relays enforce :rfc:`DKIM <6376>` to authenticate incoming emails.
|
||
Incoming emails must have a valid DKIM signature with
|
||
Signing Domain Identifier (SDID, ``d=`` parameter in the DKIM-Signature
|
||
header) equal to the ``From:`` header domain. This property is checked
|
||
by OpenDKIM screen policy script before validating the signatures. This
|
||
correpsonds to strict :rfc:`DMARC <7489>` alignment (``adkim=s``).
|
||
If there is no valid DKIM signature on the incoming email, the
|
||
sender receives a “5.7.1 No valid DKIM signature found” error.
|
||
|
||
Note that chatmail relays
|
||
|
||
- do **not** rely on DMARC and do not consult the sender policy published in DMARC records;
|
||
|
||
- do **not** rely on legacy authentication mechanisms such as
|
||
:rfc:`iprev <8601#section-2.7.3>` and :rfc:`SPF <7208>`.
|
||
Any IP address is accepted if the DKIM signature was valid.
|
||
|
||
Outgoing emails must be sent over authenticated connection with envelope
|
||
``MAIL FROM`` (return path) corresponding to the login.
|
||
This is ensured by Postfix which maps login username to ``MAIL FROM`` with
|
||
`smtpd_sender_login_maps <https://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>`_
|
||
and rejects incorrectly authenticated emails with
|
||
`reject_sender_login_mismatch <https://www.postfix.org/postconf.5.html#reject_sender_login_mismatch>`_ policy.
|
||
``From:`` header must correspond to envelope ``MAIL FROM``, this is
|
||
ensured by ``filtermail`` proxy.
|
||
|
||
TLS requirements
|
||
~~~~~~~~~~~~~~~~
|
||
|
||
Postfix is configured to require valid TLS by setting
|
||
`smtp_tls_security_level <https://www.postfix.org/postconf.5.html#smtp_tls_security_level>`_
|
||
to ``verify``. If emails don’t arrive at your chatmail relay server, the
|
||
problem is likely that your relay does not have a valid TLS certificate.
|
||
|
||
You can test it by resolving ``MX`` records of your relay domain and
|
||
then connecting to MX relays (e.g ``mx.example.org``) with
|
||
``openssl s_client -connect mx.example.org:25 -verify_hostname mx.example.org -verify_return_error -starttls smtp``
|
||
from the host that has open port 25 to verify that certificate is valid.
|
||
|
||
When providing a TLS certificate to your chatmail relay server, make
|
||
sure to provide the full certificate chain and not just the last
|
||
certificate.
|
||
|
||
If you are running an Exim server and don’t see incoming connections
|
||
from a chatmail relay server in the logs, make sure ``smtp_no_mail`` log
|
||
item is enabled in the config with ``log_selector = +smtp_no_mail``. By
|
||
default Exim does not log sessions that are closed before sending the
|
||
``MAIL`` command. This happens if certificate is not recognized as valid
|
||
by Postfix, so you might think that connection is not established while
|
||
actually it is a problem with your TLS certificate.
|
||
|
||
|
||
.. _dovecot: https://dovecot.org
|
||
.. _postfix: https://www.postfix.org
|
||
.. _nginx: https://nginx.org
|
||
.. _pyinfra: https://pyinfra.com
|
||
|
||
|
||
Architecture of cmdeploy
|
||
------------------------
|
||
|
||
cmdeploy is a Python program that uses the pyinfra library to deploy
|
||
chatmail relays, with all the necessary software, configuration, and
|
||
services. The deployment process performs three primary types of
|
||
operation:
|
||
|
||
1. Installation of software, universal across all deployments.
|
||
2. Configuration of software, with deploy-specific variations.
|
||
3. Activation of services.
|
||
|
||
The process is implemented through a family of "deployer" objects
|
||
which all derive from a common ``Deployer`` base class, defined in
|
||
cmdeploy/src/cmdeploy/deployer.py. Each object provides
|
||
implementation methods for the three stages -- install, configure, and
|
||
activate. The top-level procedure in ``deploy_chatmail()`` calls
|
||
these methods for all the deployer objects, via the
|
||
``Deployment.perform_stages()`` method, also defined in deployer.py.
|
||
This first calls all the install methods, then the configure methods,
|
||
then the activate methods.
|
||
|
||
The ``Deployment`` class also implements support for a CMDEPLOY_STAGES
|
||
environment variable, which allows limiting the process to specific
|
||
stages. Note that some deployers are stateful between the stages
|
||
(this is one reason why they are implemented as objects), and that
|
||
state will not get propagated between stages when run in separate
|
||
invocations of cmdeploy. This environment variable is intended for
|
||
use in future revisions to support building Docker images with
|
||
software pre-installed, and configuration of containers at run time
|
||
from environment variables.
|
||
|
||
The, ``install()`` methods for the deployer classes should use 'self'
|
||
as little as possible, preferably not at all. In particular,
|
||
``install()`` methods should never depend on "config" data, such as
|
||
the config dictionary in ``self.config`` or specific values like
|
||
``self.mail_domain``. This ensures that these methods can be used to
|
||
perform generic installation operations that are applicable across
|
||
multiple relay deployments, and therefore can be called in the process
|
||
of building a general-purpose container image.
|
||
|
||
Operations that start services for systemd-based deployments should
|
||
only be called from the ``activate_impl()`` methods. These methods
|
||
will not be called in non-systemd container environments.
|