Juju Charms Collection
conn-check package

Merge lp:~verterok/charms/xenial/conn-check/focal into lp:~ubuntuone-hackers/charms/xenial/conn-check/focal

Xenial Xerus (16.04)
focal
Merge into focal

Proposed by Guillermo Gonzalez on 2023-06-30

Status:	Merged
Approved by:	Guillermo Gonzalez on 2023-06-30
Approved revision:	62
Merged at revision:	58
Proposed branch:	lp:~verterok/charms/xenial/conn-check/focal
Merge into:	lp:~ubuntuone-hackers/charms/xenial/conn-check/focal
Diff against target:	5838 lines (+3744/-563) 33 files modified hooks/charmhelpers/__init__.py (+67/-19) hooks/charmhelpers/contrib/ansible/__init__.py (+153/-89) hooks/charmhelpers/contrib/charmsupport/nrpe.py (+187/-31) hooks/charmhelpers/contrib/templating/contexts.py (+7/-7) hooks/charmhelpers/core/decorators.py (+38/-0) hooks/charmhelpers/core/hookenv.py (+658/-59) hooks/charmhelpers/core/host.py (+655/-102) hooks/charmhelpers/core/host_factory/centos.py (+16/-0) hooks/charmhelpers/core/host_factory/ubuntu.py (+73/-5) hooks/charmhelpers/core/kernel.py (+2/-2) hooks/charmhelpers/core/services/base.py (+22/-10) hooks/charmhelpers/core/services/helpers.py (+2/-2) hooks/charmhelpers/core/strutils.py (+75/-14) hooks/charmhelpers/core/sysctl.py (+32/-11) hooks/charmhelpers/core/templating.py (+21/-17) hooks/charmhelpers/core/unitdata.py (+17/-9) hooks/charmhelpers/fetch/__init__.py (+29/-18) hooks/charmhelpers/fetch/archiveurl.py (+35/-27) hooks/charmhelpers/fetch/bzrurl.py (+2/-2) hooks/charmhelpers/fetch/centos.py (+4/-5) hooks/charmhelpers/fetch/giturl.py (+2/-2) hooks/charmhelpers/fetch/python/__init__.py (+13/-0) hooks/charmhelpers/fetch/python/debug.py (+52/-0) hooks/charmhelpers/fetch/python/packages.py (+148/-0) hooks/charmhelpers/fetch/python/rpdb.py (+56/-0) hooks/charmhelpers/fetch/python/version.py (+32/-0) hooks/charmhelpers/fetch/snap.py (+150/-0) hooks/charmhelpers/fetch/ubuntu.py (+822/-125) hooks/charmhelpers/fetch/ubuntu_apt_pkg.py (+327/-0) hooks/charmhelpers/osplatform.py (+32/-2) hooks/hooks.py (+1/-1) playbook.yaml (+13/-3) roles/nrpe-external-master/tasks/main.yaml (+1/-1)
To merge this branch:	bzr merge lp:~verterok/charms/xenial/conn-check/focal
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
John Paraskevopoulos		2023-06-30	Approve on 2023-06-30
Review via email: mp+445757@code.launchpad.net

Commit message

update charm to work in focal

Description of the change

Most of the changes are from the automated pull of a newer charmhelpers with python3.8 support. Please check the individual commits for easier reviewing

Revision history for this message

John Paraskevopoulos (quantifics) wrote on 2023-06-30:

lgtm thanks!

review: Approve

lp:~verterok/charms/xenial/conn-check/focal updated on 2023-06-30

62. By Guillermo Gonzalez on 2023-06-30: use xenial for all distribution release comparisons

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Guillermo Gonzalez

Ubuntu One hackers

 === modified file 'hooks/charmhelpers/__init__.py'
 --- hooks/charmhelpers/__init__.py	2016-12-20 14:35:00 +0000
 +++ hooks/charmhelpers/__init__.py	2023-06-30 13:58:42 +0000
@@ -14,23 +14,71 @@
  # Bootstrap charm-helpers, installing its dependencies if necessary using
  # only standard libraries.
++import functools
++import inspect
  import subprocess
--import sys
--
--try:
--    import six  # flake8: noqa
--except ImportError:
--    if sys.version_info.major == 2:
--        subprocess.check_call(['apt-get', 'install', '-y', 'python-six'])
--    else:
--        subprocess.check_call(['apt-get', 'install', '-y', 'python3-six'])
--    import six  # flake8: noqa
--
--try:
--    import yaml  # flake8: noqa
--except ImportError:
--    if sys.version_info.major == 2:
--        subprocess.check_call(['apt-get', 'install', '-y', 'python-yaml'])
--    else:
--        subprocess.check_call(['apt-get', 'install', '-y', 'python3-yaml'])
--    import yaml  # flake8: noqa
++
++
++try:
++    import yaml  # NOQA:F401
++except ImportError:
++    subprocess.check_call(['apt-get', 'install', '-y', 'python3-yaml'])
++    import yaml  # NOQA:F401
++
++
++# Holds a list of mapping of mangled function names that have been deprecated
++# using the @deprecate decorator below.  This is so that the warning is only
++# printed once for each usage of the function.
++__deprecated_functions = {}
++
++
++def deprecate(warning, date=None, log=None):
++    """Add a deprecation warning the first time the function is used.
++
++    The date which is a string in semi-ISO8660 format indicates the year-month
++    that the function is officially going to be removed.
++
++    usage:
++
++    @deprecate('use core/fetch/add_source() instead', '2017-04')
++    def contributed_add_source_thing(...):
++        ...
++
++    And it then prints to the log ONCE that the function is deprecated.
++    The reason for passing the logging function (log) is so that hookenv.log
++    can be used for a charm if needed.
++
++    :param warning: String to indicate what is to be used instead.
++    :param date: Optional string in YYYY-MM format to indicate when the
++                 function will definitely (probably) be removed.
++    :param log: The log function to call in order to log. If None, logs to
++                stdout
++    """
++    def wrap(f):
++
++        @functools.wraps(f)
++        def wrapped_f(*args, **kwargs):
++            try:
++                module = inspect.getmodule(f)
++                file = inspect.getsourcefile(f)
++                lines = inspect.getsourcelines(f)
++                f_name = "{}-{}-{}..{}-{}".format(
++                    module.__name__, file, lines[0], lines[-1], f.__name__)
++            except (IOError, TypeError):
++                # assume it was local, so just use the name of the function
++                f_name = f.__name__
++            if f_name not in __deprecated_functions:
++                __deprecated_functions[f_name] = True
++                s = "DEPRECATION WARNING: Function {} is being removed".format(
++                    f.__name__)
++                if date:
++                    s = "{} on/around {}".format(s, date)
++                if warning:
++                    s = "{} : {}".format(s, warning)
++                if log:
++                    log(s)
++                else:
++                    print(s)
++            return f(*args, **kwargs)
++        return wrapped_f
++    return wrap
 === modified file 'hooks/charmhelpers/contrib/ansible/__init__.py'
 --- hooks/charmhelpers/contrib/ansible/__init__.py	2016-12-20 14:35:00 +0000
 +++ hooks/charmhelpers/contrib/ansible/__init__.py	2023-06-30 13:58:42 +0000
@@ -16,90 +16,107 @@
+ #
  # Authors:
  #  Charm Helpers Developers <juju@lists.ubuntu.com>
--"""Charm Helpers ansible - declare the state of your machines.
--
--This helper enables you to declare your machine state, rather than
--program it procedurally (and have to test each change to your procedures).
--Your install hook can be as simple as::
--
--    {{{
--    import charmhelpers.contrib.ansible
--
--
++"""
++The ansible package enables you to easily use the configuration management
++tool `Ansible`_ to setup and configure your charm. All of your charm
++configuration options and relation-data are available as regular Ansible
++variables which can be used in your playbooks and templates.
++
++.. _Ansible: https://www.ansible.com/
++
++Usage
++=====
++
++Here is an example directory structure for a charm to get you started::
++
++    charm-ansible-example/
++    |-- ansible
++    |   |-- playbook.yaml
++    |   `-- templates
++    |       `-- example.j2
++    |-- config.yaml
++    |-- copyright
++    |-- icon.svg
++    |-- layer.yaml
++    |-- metadata.yaml
++    |-- reactive
++    |   `-- example.py
++    |-- README.md
++
++Running a playbook called ``playbook.yaml`` when the ``install`` hook is run
++can be as simple as::
++
++    from charmhelpers.contrib import ansible
++    from charms.reactive import hook
++
++    @hook('install')
      def install():
--        charmhelpers.contrib.ansible.install_ansible_support()
--        charmhelpers.contrib.ansible.apply_playbook('playbooks/install.yaml')
--    }}}
--
--and won't need to change (nor will its tests) when you change the machine
--state.
--
--All of your juju config and relation-data are available as template
--variables within your playbooks and templates. An install playbook looks
--something like::
--
--    {{{
++        ansible.install_ansible_support()
++        ansible.apply_playbook('ansible/playbook.yaml')
++
++Here is an example playbook that uses the ``template`` module to template the
++file ``example.j2`` to the charm host and then uses the ``debug`` module to
++print out all the host and Juju variables that you can use in your playbooks.
++Note that you must target ``localhost`` as the playbook is run locally on the
++charm host::
++
      ---
      - hosts: localhost
--      user: root
--
        tasks:
--        - name: Add private repositories.
++        - name: Template a file
            template:
--            src: ../templates/private-repositories.list.jinja2
--            dest: /etc/apt/sources.list.d/private.list
--
--        - name: Update the cache.
--          apt: update_cache=yes
--
--        - name: Install dependencies.
--          apt: pkg={{ item }}
--          with_items:
--            - python-mimeparse
--            - python-webob
--            - sunburnt
--
--        - name: Setup groups.
--          group: name={{ item.name }} gid={{ item.gid }}
--          with_items:
--            - { name: 'deploy_user', gid: 1800 }
--            - { name: 'service_user', gid: 1500 }
--
--      ...
--    }}}
--
--Read more online about `playbooks`_ and standard ansible `modules`_.
--
--.. _playbooks: http://www.ansibleworks.com/docs/playbooks.html
--.. _modules: http://www.ansibleworks.com/docs/modules.html
--
--A further feature os the ansible hooks is to provide a light weight "action"
++            src: templates/example.j2
++            dest: /tmp/example.j2
++
++        - name: Print all variables available to Ansible
++          debug:
++            var: vars
++
++Read more online about `playbooks`_ and standard Ansible `modules`_.
++
++.. _playbooks: https://docs.ansible.com/ansible/latest/user_guide/playbooks.html
++.. _modules: https://docs.ansible.com/ansible/latest/user_guide/modules.html
++
++A further feature of the Ansible hooks is to provide a light weight "action"
  scripting tool. This is a decorator that you apply to a function, and that
--function can now receive cli args, and can pass extra args to the playbook.
--
--e.g.
--
--
--@hooks.action()
--def some_action(amount, force="False"):
--    "Usage: some-action AMOUNT [force=True]"  # <-- shown on error
--    # process the arguments
--    # do some calls
--    # return extra-vars to be passed to ansible-playbook
--    return {
--        'amount': int(amount),
--        'type': force,
--    }
++function can now receive cli args, and can pass extra args to the playbook::
++
++    @hooks.action()
++    def some_action(amount, force="False"):
++        "Usage: some-action AMOUNT [force=True]"  # <-- shown on error
++        # process the arguments
++        # do some calls
++        # return extra-vars to be passed to ansible-playbook
++        return {
++            'amount': int(amount),
++            'type': force,
++        }
  You can now create a symlink to hooks.py that can be invoked like a hook, but
--with cli params:
--
--# link actions/some-action to hooks/hooks.py
--
--actions/some-action amount=10 force=true
++with cli params::
++
++    # link actions/some-action to hooks/hooks.py
++
++    actions/some-action amount=10 force=true
++
++Install Ansible via pip
++=======================
++
++If you want to install a specific version of Ansible via pip instead of
++``install_ansible_support`` which uses APT, consider using the layer options
++of `layer-basic`_ to install Ansible in a virtualenv::
++
++    options:
++      basic:
++        python_packages: ['ansible==2.9.0']
++        include_system_packages: true
++        use_venv: true
++
++.. _layer-basic: https://charmsreactive.readthedocs.io/en/latest/layer-basic.html#layer-configuration
  """
  import os
++import json
  import stat
  import subprocess
  import functools
@@ -117,27 +134,63 @@
  ansible_vars_path = '/etc/ansible/host_vars/localhost'
--def install_ansible_support(from_ppa=True, ppa_location='ppa:rquillo/ansible'):
--    """Installs the ansible package.
--
--    By default it is installed from the `PPA`_ linked from
--    the ansible `website`_ or from a ppa specified by a charm config..
--
--    .. _PPA: https://launchpad.net/~rquillo/+archive/ansible
++def install_ansible_support(from_ppa=True, ppa_location='ppa:ansible/ansible'):
++    """Installs Ansible via APT.
++
++    By default this installs Ansible from the `PPA`_ linked from
++    the Ansible `website`_ or from a PPA set in ``ppa_location``.
++
++    .. _PPA: https://launchpad.net/~ansible/+archive/ubuntu/ansible
      .. _website: http://docs.ansible.com/intro_installation.html#latest-releases-via-apt-ubuntu
--    If from_ppa is empty, you must ensure that the package is available
--    from a configured repository.
++    If ``from_ppa`` is ``False``, then Ansible will be installed from
++    Ubuntu's Universe repositories.
      """
      if from_ppa:
          charmhelpers.fetch.add_source(ppa_location)
          charmhelpers.fetch.apt_update(fatal=True)
      charmhelpers.fetch.apt_install('ansible')
      with open(ansible_hosts_path, 'w+') as hosts_file:
--        hosts_file.write('localhost ansible_connection=local')
++        hosts_file.write('localhost ansible_connection=local ansible_remote_tmp=/root/.ansible/tmp')
  def apply_playbook(playbook, tags=None, extra_vars=None):
++    """Run a playbook.
++
++    This helper runs a playbook with juju state variables as context,
++    therefore variables set in application config can be used directly.
++    List of tags (--tags) and dictionary with extra_vars (--extra-vars)
++    can be passed as additional parameters.
++
++    Read more about playbook `_variables`_ online.
++
++    .. _variables: https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html
++
++    Example::
++
++        # Run ansible/playbook.yaml with tag install and pass extra
++        # variables var_a and var_b
++        apply_playbook(
++            playbook='ansible/playbook.yaml',
++            tags=['install'],
++            extra_vars={'var_a': 'val_a', 'var_b': 'val_b'}
++        )
++
++        # Run ansible/playbook.yaml with tag config and extra variable nested,
++        # which is passed as json and can be used as dictionary in playbook
++        apply_playbook(
++            playbook='ansible/playbook.yaml',
++            tags=['config'],
++            extra_vars={'nested': {'a': 'value1', 'b': 'value2'}}
++        )
++
++        # Custom config file can be passed within extra_vars
++        apply_playbook(
++            playbook='ansible/playbook.yaml',
++            extra_vars="@some_file.json"
++        )
++
++    """
      tags = tags or []
      tags = ",".join(tags)
      charmhelpers.contrib.templating.contexts.juju_state_to_yaml(
@@ -146,9 +199,13 @@
      # we want ansible's log output to be unbuffered
      env = os.environ.copy()
++    proxy_settings = charmhelpers.core.hookenv.env_proxy_settings()
++    if proxy_settings:
++        env.update(proxy_settings)
      env['PYTHONUNBUFFERED'] = "1"
      call = [
          'ansible-playbook',
++        '-vvv',
          '-c',
          'local',
          playbook,
@@ -156,9 +213,17 @@
      if tags:
          call.extend(['--tags', '{}'.format(tags)])
      if extra_vars:
--        extra = ["%s=%s" % (k, v) for k, v in extra_vars.items()]
--        call.extend(['--extra-vars', " ".join(extra)])
--    subprocess.check_call(call, env=env)
++        call.extend(['--extra-vars', json.dumps(extra_vars)])
++    try:
++        subprocess.check_output(call, env=env)
++    except subprocess.CalledProcessError as e:
++        err_msg = e.output.decode().strip()
++        charmhelpers.core.hookenv.log("Ansible playbook failed with "
++                                      "{}".format(e),
++                                      level="ERROR")
++        charmhelpers.core.hookenv.log("Stdout: {}".format(err_msg),
++                                      level="ERROR")
++        raise e
  class AnsibleHooks(charmhelpers.core.hookenv.Hooks):
@@ -170,7 +235,7 @@
      Example::
--        hooks = AnsibleHooks(playbook_path='playbooks/my_machine_state.yaml')
++        hooks = AnsibleHooks(playbook_path='ansible/my_machine_state.yaml')
          # All the tasks within my_machine_state.yaml tagged with 'install'
          # will be run automatically after do_custom_work()
@@ -188,13 +253,12 @@
          # the hooks which are handled by ansible-only and they'll be registered
          # for you:
          # hooks = AnsibleHooks(
--        #     'playbooks/my_machine_state.yaml',
++        #     'ansible/my_machine_state.yaml',
          #     default_hooks=['config-changed', 'start', 'stop'])
          if __name__ == "__main__":
              # execute a hook based on the name the program is called by
              hooks.execute(sys.argv)
--
      """
      def __init__(self, playbook_path, default_hooks=None):
 === modified file 'hooks/charmhelpers/contrib/charmsupport/nrpe.py'
 --- hooks/charmhelpers/contrib/charmsupport/nrpe.py	2016-12-20 14:35:00 +0000
 +++ hooks/charmhelpers/contrib/charmsupport/nrpe.py	2023-06-30 13:58:42 +0000
@@ -1,4 +1,4 @@
--# Copyright 2014-2015 Canonical Limited.
++# Copyright 2012-2021 Canonical Limited.
+ #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
@@ -13,25 +13,29 @@
  # limitations under the License.
  """Compatibility with the nrpe-external-master charm"""
--# Copyright 2012 Canonical Ltd.
+ #
  # Authors:
  #  Matthew Wedgwood <matthew.wedgwood@canonical.com>
--import subprocess
--import pwd
++import glob
  import grp
++import json
  import os
--import glob
--import shutil
++import pwd
  import re
  import shlex
++import shutil
++import subprocess
  import yaml
  from charmhelpers.core.hookenv import (
++    application_name,
      config,
++    ERROR,
++    hook_name,
      local_unit,
      log,
++    relation_get,
      relation_ids,
      relation_set,
      relations_of_type,
@@ -125,7 +129,7 @@
  class Check(object):
--    shortname_re = '[A-Za-z0-9-_]+$'
++    shortname_re = '[A-Za-z0-9-_.@]+$'
      service_template = ("""
  #---------------------------------------------------
  # This file is Juju managed
@@ -137,10 +141,11 @@
                          """{description}
      check_command                   check_nrpe!{command}
      servicegroups                   {nagios_servicegroup}
++{service_config_overrides}
  }}
  """)
--    def __init__(self, shortname, description, check_cmd):
++    def __init__(self, shortname, description, check_cmd, max_check_attempts=None):
          super(Check, self).__init__()
          # XXX: could be better to calculate this from the service name
          if not re.match(self.shortname_re, shortname):
@@ -153,6 +158,7 @@
          # The default is: illegal_object_name_chars=`~!$%^&*"|'<>?,()=
          self.description = description
          self.check_cmd = self._locate_cmd(check_cmd)
++        self.max_check_attempts = max_check_attempts
      def _get_check_filename(self):
          return os.path.join(NRPE.nrpe_confdir, '{}.cfg'.format(self.command))
@@ -171,7 +177,8 @@
              if os.path.exists(os.path.join(path, parts[0])):
                  command = os.path.join(path, parts[0])
                  if len(parts) > 1:
--                    command += " " + " ".join(parts[1:])
++                    safe_args = [shlex.quote(arg) for arg in parts[1:]]
++                    command += " " + " ".join(safe_args)
                  return command
          log('Check command not found: {}'.format(parts[0]))
          return ''
@@ -193,6 +200,13 @@
          nrpe_check_file = self._get_check_filename()
          with open(nrpe_check_file, 'w') as nrpe_check_config:
              nrpe_check_config.write("# check {}\n".format(self.shortname))
++            if nagios_servicegroups:
++                nrpe_check_config.write(
++                    "# The following header was added automatically by juju\n")
++                nrpe_check_config.write(
++                    "# Modifying it will affect nagios monitoring and alerting\n")
++                nrpe_check_config.write(
++                    "# servicegroups: {}\n".format(nagios_servicegroups))
              nrpe_check_config.write("command[{}]={}\n".format(
                  self.command, self.check_cmd))
@@ -207,12 +221,19 @@
                               nagios_servicegroups):
          self._remove_service_files()
++        if self.max_check_attempts:
++            service_config_overrides = '    max_check_attempts              {}'.format(
++                self.max_check_attempts
++            )  # Note indentation is here rather than in the template to avoid trailing spaces
++        else:
++            service_config_overrides = ''  # empty string to avoid printing 'None'
          templ_vars = {
              'nagios_hostname': hostname,
              'nagios_servicegroup': nagios_servicegroups,
              'description': self.description,
              'shortname': self.shortname,
              'command': self.command,
++            'service_config_overrides': service_config_overrides,
+         }
          nrpe_service_text = Check.service_template.format(**templ_vars)
          nrpe_service_file = self._get_service_filename(hostname)
@@ -227,6 +248,7 @@
      nagios_logdir = '/var/log/nagios'
      nagios_exportdir = '/var/lib/nagios/export'
      nrpe_confdir = '/etc/nagios/nrpe.d'
++    homedir = '/var/lib/nagios'  # home dir provided by nagios-nrpe-server
      def __init__(self, hostname=None, primary=True):
          super(NRPE, self).__init__()
@@ -251,11 +273,28 @@
          relation = relation_ids('nrpe-external-master')
          if relation:
              log("Setting charm primary status {}".format(primary))
--            for rid in relation_ids('nrpe-external-master'):
++            for rid in relation:
                  relation_set(relation_id=rid, relation_settings={'primary': self.primary})
++        self.remove_check_queue = set()
++
++    @classmethod
++    def does_nrpe_conf_dir_exist(cls):
++        """Return True if th nrpe_confdif directory exists."""
++        return os.path.isdir(cls.nrpe_confdir)
      def add_check(self, *args, **kwargs):
++        shortname = None
++        if kwargs.get('shortname') is None:
++            if len(args) > 0:
++                shortname = args[0]
++        else:
++            shortname = kwargs['shortname']
++
          self.checks.append(Check(*args, **kwargs))
++        try:
++            self.remove_check_queue.remove(shortname)
++        except KeyError:
++            pass
      def remove_check(self, *args, **kwargs):
          if kwargs.get('shortname') is None:
@@ -272,12 +311,13 @@
          check = Check(*args, **kwargs)
          check.remove(self.hostname)
++        self.remove_check_queue.add(kwargs['shortname'])
      def write(self):
          try:
              nagios_uid = pwd.getpwnam('nagios').pw_uid
              nagios_gid = grp.getgrnam('nagios').gr_gid
--        except:
++        except Exception:
              log("Nagios user not set up, nrpe checks not updated")
              return
@@ -287,19 +327,50 @@
          nrpe_monitors = {}
          monitors = {"monitors": {"remote": {"nrpe": nrpe_monitors}}}
++
++        # check that the charm can write to the conf dir.  If not, then nagios
++        # probably isn't installed, and we can defer.
++        if not self.does_nrpe_conf_dir_exist():
++            return
++
          for nrpecheck in self.checks:
              nrpecheck.write(self.nagios_context, self.hostname,
                              self.nagios_servicegroups)
              nrpe_monitors[nrpecheck.shortname] = {
                  "command": nrpecheck.command,
+             }
++            # If we were passed max_check_attempts, add that to the relation data
++            if nrpecheck.max_check_attempts is not None:
++                nrpe_monitors[nrpecheck.shortname]['max_check_attempts'] = nrpecheck.max_check_attempts
--        service('restart', 'nagios-nrpe-server')
++        # update-status hooks are configured to firing every 5 minutes by
++        # default. When nagios-nrpe-server is restarted, the nagios server
++        # reports checks failing causing unnecessary alerts. Let's not restart
++        # on update-status hooks.
++        if not hook_name() == 'update-status':
++            service('restart', 'nagios-nrpe-server')
          monitor_ids = relation_ids("local-monitors") + \
              relation_ids("nrpe-external-master")
          for rid in monitor_ids:
--            relation_set(relation_id=rid, monitors=yaml.dump(monitors))
++            reldata = relation_get(unit=local_unit(), rid=rid)
++            if 'monitors' in reldata:
++                # update the existing set of monitors with the new data
++                old_monitors = yaml.safe_load(reldata['monitors'])
++                old_nrpe_monitors = old_monitors['monitors']['remote']['nrpe']
++                # remove keys that are in the remove_check_queue
++                old_nrpe_monitors = {k: v for k, v in old_nrpe_monitors.items()
++                                     if k not in self.remove_check_queue}
++                # update/add nrpe_monitors
++                old_nrpe_monitors.update(nrpe_monitors)
++                old_monitors['monitors']['remote']['nrpe'] = old_nrpe_monitors
++                # write back to the relation
++                relation_set(relation_id=rid, monitors=yaml.dump(old_monitors))
++            else:
++                # write a brand new set of monitors, as no existing ones.
++                relation_set(relation_id=rid, monitors=yaml.dump(monitors))
++
++        self.remove_check_queue.clear()
  def get_nagios_hostcontext(relation_name='nrpe-external-master'):
@@ -338,14 +409,29 @@
      return unit
--def add_init_service_checks(nrpe, services, unit_name):
++def add_init_service_checks(nrpe, services, unit_name, immediate_check=True):
      """
      Add checks for each service in list
      :param NRPE nrpe: NRPE object to add check to
      :param list services: List of services to check
      :param str unit_name: Unit name to use in check description
++    :param bool immediate_check: For sysv init, run the service check immediately
      """
++    # check_haproxy is redundant in the presence of check_crm. See LP Bug#1880601 for details.
++    # just remove check_haproxy if haproxy is added as a lsb resource in hacluster.
++    for rid in relation_ids("ha"):
++        ha_resources = relation_get("json_resources", rid=rid, unit=local_unit())
++        if ha_resources:
++            try:
++                ha_resources_parsed = json.loads(ha_resources)
++            except ValueError as e:
++                log('Could not parse JSON from ha resources. {}'.format(e), level=ERROR)
++                raise
++            if "lsb:haproxy" in ha_resources_parsed.values():
++                if "haproxy" in services:
++                    log("removed check_haproxy. This service will be monitored by check_crm")
++                    services.remove("haproxy")
      for svc in services:
          # Don't add a check for these services from neutron-gateway
          if svc in ['ext-port', 'os-charm-phy-nic-mtu']:
@@ -354,7 +440,7 @@
          upstart_init = '/etc/init/%s.conf' % svc
          sysv_init = '/etc/init.d/%s' % svc
--        if host.init_is_systemd():
++        if host.init_is_systemd(service_name=svc):
              nrpe.add_check(
                  shortname=svc,
                  description='process check {%s}' % unit_name,
@@ -368,33 +454,53 @@
+             )
          elif os.path.exists(sysv_init):
              cronpath = '/etc/cron.d/nagios-service-check-%s' % svc
--            cron_file = ('*/5 * * * * root '
--                         '/usr/local/lib/nagios/plugins/check_exit_status.pl '
--                         '-s /etc/init.d/%s status > '
--                         '/var/lib/nagios/service-check-%s.txt\n' % (svc,
--                                                                     svc)
--                         )
++            checkpath = '%s/service-check-%s.txt' % (nrpe.homedir, svc)
++            croncmd = (
++                '/usr/local/lib/nagios/plugins/check_exit_status.pl '
++                '-e -s /etc/init.d/%s status' % svc
++            )
++            cron_file = '*/5 * * * * root %s > %s\n' % (croncmd, checkpath)
              f = open(cronpath, 'w')
              f.write(cron_file)
              f.close()
              nrpe.add_check(
                  shortname=svc,
--                description='process check {%s}' % unit_name,
--                check_cmd='check_status_file.py -f '
--                          '/var/lib/nagios/service-check-%s.txt' % svc,
++                description='service check {%s}' % unit_name,
++                check_cmd='check_status_file.py -f %s' % checkpath,
+             )
--
--
--def copy_nrpe_checks():
++            # if /var/lib/nagios doesn't exist open(checkpath, 'w') will fail
++            # (LP: #1670223).
++            if immediate_check and os.path.isdir(nrpe.homedir):
++                f = open(checkpath, 'w')
++                subprocess.call(
++                    croncmd.split(),
++                    stdout=f,
++                    stderr=subprocess.STDOUT
++                )
++                f.close()
++                os.chmod(checkpath, 0o644)
++
++
++def copy_nrpe_checks(nrpe_files_dir=None):
      """
      Copy the nrpe checks into place
      """
      NAGIOS_PLUGINS = '/usr/local/lib/nagios/plugins'
--    nrpe_files_dir = os.path.join(os.getenv('CHARM_DIR'), 'hooks',
--                                  'charmhelpers', 'contrib', 'openstack',
--                                  'files')
--
++    if nrpe_files_dir is None:
++        # determine if "charmhelpers" is in CHARMDIR or CHARMDIR/hooks
++        for segment in ['.', 'hooks']:
++            nrpe_files_dir = os.path.abspath(os.path.join(
++                os.getenv('CHARM_DIR'),
++                segment,
++                'charmhelpers',
++                'contrib',
++                'openstack',
++                'files'))
++            if os.path.isdir(nrpe_files_dir):
++                break
++        else:
++            raise RuntimeError("Couldn't find charmhelpers directory")
      if not os.path.exists(NAGIOS_PLUGINS):
          os.makedirs(NAGIOS_PLUGINS)
      for fname in glob.glob(os.path.join(nrpe_files_dir, "check_*")):
@@ -418,3 +524,53 @@
          shortname='haproxy_queue',
          description='Check HAProxy queue depth {%s}' % unit_name,
          check_cmd='check_haproxy_queue_depth.sh')
++
++
++def remove_deprecated_check(nrpe, deprecated_services):
++    """
++    Remove checks for deprecated services in list
++
++    :param nrpe: NRPE object to remove check from
++    :type nrpe: NRPE
++    :param deprecated_services: List of deprecated services that are removed
++    :type deprecated_services: list
++    """
++    for dep_svc in deprecated_services:
++        log('Deprecated service: {}'.format(dep_svc))
++        nrpe.remove_check(shortname=dep_svc)
++
++
++def add_deferred_restarts_check(nrpe):
++    """
++    Add NRPE check for services with deferred restarts.
++
++    :param NRPE nrpe: NRPE object to add check to
++    """
++    unit_name = local_unit().replace('/', '-')
++    shortname = unit_name + '_deferred_restarts'
++    check_cmd = 'check_deferred_restarts.py --application {}'.format(
++        application_name())
++
++    log('Adding deferred restarts nrpe check: {}'.format(shortname))
++    nrpe.add_check(
++        shortname=shortname,
++        description='Check deferred service restarts {}'.format(unit_name),
++        check_cmd=check_cmd)
++
++
++def remove_deferred_restarts_check(nrpe):
++    """
++    Remove NRPE check for services with deferred service restarts.
++
++    :param NRPE nrpe: NRPE object to remove check from
++    """
++    unit_name = local_unit().replace('/', '-')
++    shortname = unit_name + '_deferred_restarts'
++    check_cmd = 'check_deferred_restarts.py --application {}'.format(
++        application_name())
++
++    log('Removing deferred restarts nrpe check: {}'.format(shortname))
++    nrpe.remove_check(
++        shortname=shortname,
++        description='Check deferred service restarts {}'.format(unit_name),
++        check_cmd=check_cmd)
 === modified file 'hooks/charmhelpers/contrib/templating/contexts.py'
 --- hooks/charmhelpers/contrib/templating/contexts.py	2016-12-20 14:35:00 +0000
 +++ hooks/charmhelpers/contrib/templating/contexts.py	2023-06-30 13:58:42 +0000
@@ -20,8 +20,6 @@
  import os
  import yaml
--import six
--
  import charmhelpers.core.hookenv
@@ -93,7 +91,8 @@
      By default, hyphens are allowed in keys as this is supported
      by yaml, but for tools like ansible, hyphens are not valid [1].
--    [1] http://www.ansibleworks.com/docs/playbooks_variables.html#what-makes-a-valid-variable-name
++    [1] http://www.ansibleworks.com/docs/playbooks_variables.html
++            #what-makes-a-valid-variable-name
      """
      config = charmhelpers.core.hookenv.config()
@@ -101,16 +100,17 @@
      # file resources etc.
      config['charm_dir'] = charm_dir
      config['local_unit'] = charmhelpers.core.hookenv.local_unit()
--    config['unit_private_address'] = charmhelpers.core.hookenv.unit_private_ip()
++    config['unit_private_address'] = (
++        charmhelpers.core.hookenv.unit_private_ip())
      config['unit_public_address'] = charmhelpers.core.hookenv.unit_get(
          'public-address'
+     )
      # Don't use non-standard tags for unicode which will not
      # work when salt uses yaml.load_safe.
--    yaml.add_representer(six.text_type,
++    yaml.add_representer(str,
                           lambda dumper, value: dumper.represent_scalar(
--                             six.u('tag:yaml.org,2002:str'), value))
++                             'tag:yaml.org,2002:str', value))
      yaml_dir = os.path.dirname(yaml_path)
      if not os.path.exists(yaml_dir):
@@ -118,7 +118,7 @@
      if os.path.exists(yaml_path):
          with open(yaml_path, "r") as existing_vars_file:
--            existing_vars = yaml.load(existing_vars_file.read())
++            existing_vars = yaml.safe_load(existing_vars_file.read())
      else:
          with open(yaml_path, "w+"):
              pass
 === modified file 'hooks/charmhelpers/core/decorators.py'
 --- hooks/charmhelpers/core/decorators.py	2016-12-20 14:35:00 +0000
 +++ hooks/charmhelpers/core/decorators.py	2023-06-30 13:58:42 +0000
@@ -53,3 +53,41 @@
          return _retry_on_exception_inner_2
      return _retry_on_exception_inner_1
++
++
++def retry_on_predicate(num_retries, predicate_fun, base_delay=0):
++    """Retry based on return value
++
++    The return value of the decorated function is passed to the given predicate_fun. If the
++    result of the predicate is False, retry the decorated function up to num_retries times
++
++    An exponential backoff up to base_delay^num_retries seconds can be introduced by setting
++    base_delay to a nonzero value. The default is to run with a zero (i.e. no) delay
++
++    :param num_retries: Max. number of retries to perform
++    :type num_retries: int
++    :param predicate_fun: Predicate function to determine if a retry is necessary
++    :type predicate_fun: callable
++    :param base_delay: Starting value in seconds for exponential delay, defaults to 0 (no delay)
++    :type base_delay: float
++    """
++    def _retry_on_pred_inner_1(f):
++        def _retry_on_pred_inner_2(*args, **kwargs):
++            retries = num_retries
++            multiplier = 1
++            delay = base_delay
++            while True:
++                result = f(*args, **kwargs)
++                if predicate_fun(result) or retries <= 0:
++                    return result
++                delay *= multiplier
++                multiplier += 1
++                log("Result {}, retrying '{}' {} more times (delay={})".format(
++                    result, f.__name__, retries, delay), level=INFO)
++                retries -= 1
++                if delay:
++                    time.sleep(delay)
++
++        return _retry_on_pred_inner_2
++
++    return _retry_on_pred_inner_1
 === modified file 'hooks/charmhelpers/core/hookenv.py'
 --- hooks/charmhelpers/core/hookenv.py	2016-12-20 14:35:00 +0000
 +++ hooks/charmhelpers/core/hookenv.py	2023-06-30 13:58:42 +0000
@@ -1,4 +1,4 @@
--# Copyright 2014-2015 Canonical Limited.
++# Copyright 2013-2021 Canonical Limited.
+ #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
@@ -13,37 +13,50 @@
  # limitations under the License.
  "Interactions with the Juju environment"
--# Copyright 2013 Canonical Ltd.
+ #
  # Authors:
  #  Charm Helpers Developers <juju@lists.ubuntu.com>
--from __future__ import print_function
  import copy
  from distutils.version import LooseVersion
++from enum import Enum
  from functools import wraps
++from collections import namedtuple, UserDict
  import glob
  import os
  import json
  import yaml
++import re
  import subprocess
  import sys
  import errno
  import tempfile
  from subprocess import CalledProcessError
--import six
--if not six.PY3:
--    from UserDict import UserDict
--else:
--    from collections import UserDict
++from charmhelpers import deprecate
++
  CRITICAL = "CRITICAL"
  ERROR = "ERROR"
  WARNING = "WARNING"
  INFO = "INFO"
  DEBUG = "DEBUG"
++TRACE = "TRACE"
  MARKER = object()
++SH_MAX_ARG = 131071
++
++
++RANGE_WARNING = ('Passing NO_PROXY string that includes a cidr. '
++                 'This may not be compatible with software you are '
++                 'running in your shell.')
++
++
++class WORKLOAD_STATES(Enum):
++    ACTIVE = 'active'
++    BLOCKED = 'blocked'
++    MAINTENANCE = 'maintenance'
++    WAITING = 'waiting'
++
  cache = {}
@@ -64,7 +77,7 @@
      @wraps(func)
      def wrapper(*args, **kwargs):
          global cache
--        key = str((func, args, kwargs))
++        key = json.dumps((func, args, kwargs), sort_keys=True, default=str)
          try:
              return cache[key]
          except KeyError:
@@ -92,9 +105,9 @@
      command = ['juju-log']
      if level:
          command += ['-l', level]
--    if not isinstance(message, six.string_types):
++    if not isinstance(message, str):
          message = repr(message)
--    command += [message]
++    command += [message[:SH_MAX_ARG]]
      # Missing juju-log should not cause failures in unit tests
      # Send log output to stderr
      try:
@@ -109,6 +122,24 @@
              raise
++def function_log(message):
++    """Write a function progress message"""
++    command = ['function-log']
++    if not isinstance(message, str):
++        message = repr(message)
++    command += [message[:SH_MAX_ARG]]
++    # Missing function-log should not cause failures in unit tests
++    # Send function_log output to stderr
++    try:
++        subprocess.call(command)
++    except OSError as e:
++        if e.errno == errno.ENOENT:
++            message = "function-log: {}".format(message)
++            print(message, file=sys.stderr)
++        else:
++            raise
++
++
  class Serializable(UserDict):
      """Wrapper, an object that can be serialized to yaml or json"""
@@ -187,6 +218,17 @@
          raise ValueError('Must specify neither or both of relation_name and service_or_unit')
++def departing_unit():
++    """The departing unit for the current relation hook.
++
++    Available since juju 2.8.
++
++    :returns: the departing unit, or None if the information isn't available.
++    :rtype: Optional[str]
++    """
++    return os.environ.get('JUJU_DEPARTING_UNIT', None)
++
++
  def local_unit():
      """Local unit ID"""
      return os.environ['JUJU_UNIT_NAME']
@@ -197,9 +239,56 @@
      return os.environ.get('JUJU_REMOTE_UNIT', None)
++def application_name():
++    """
++    The name of the deployed application this unit belongs to.
++    """
++    return local_unit().split('/')[0]
++
++
  def service_name():
--    """The name service group this unit belongs to"""
--    return local_unit().split('/')[0]
++    """
++    .. deprecated:: 0.19.1
++       Alias for :func:`application_name`.
++    """
++    return application_name()
++
++
++def model_name():
++    """
++    Name of the model that this unit is deployed in.
++    """
++    return os.environ['JUJU_MODEL_NAME']
++
++
++def model_uuid():
++    """
++    UUID of the model that this unit is deployed in.
++    """
++    return os.environ['JUJU_MODEL_UUID']
++
++
++def principal_unit():
++    """Returns the principal unit of this unit, otherwise None"""
++    # Juju 2.2 and above provides JUJU_PRINCIPAL_UNIT
++    principal_unit = os.environ.get('JUJU_PRINCIPAL_UNIT', None)
++    # If it's empty, then this unit is the principal
++    if principal_unit == '':
++        return os.environ['JUJU_UNIT_NAME']
++    elif principal_unit is not None:
++        return principal_unit
++    # For Juju 2.1 and below, let's try work out the principle unit by
++    # the various charms' metadata.yaml.
++    for reltype in relation_types():
++        for rid in relation_ids(reltype):
++            for unit in related_units(rid):
++                md = _metadata_unit(unit)
++                if not md:
++                    continue
++                subordinate = md.pop('subordinate', None)
++                if not subordinate:
++                    return unit
++    return None
  @cached
@@ -263,7 +352,7 @@
          self.implicit_save = True
          self._prev_dict = None
          self.path = os.path.join(charm_dir(), Config.CONFIG_FILE_NAME)
--        if os.path.exists(self.path):
++        if os.path.exists(self.path) and os.stat(self.path).st_size:
              self.load_previous()
          atexit(self._implicit_save)
@@ -283,7 +372,13 @@
          """
          self.path = path or self.path
          with open(self.path) as f:
--            self._prev_dict = json.load(f)
++            try:
++                self._prev_dict = json.load(f)
++            except ValueError as e:
++                log('Found but was unable to parse previous config data, '
++                    'ignoring which will report all values as changed - {}'
++                    .format(str(e)), level=ERROR)
++                return
          for k, v in copy.deepcopy(self._prev_dict).items():
              if k not in self:
                  self[k] = v
@@ -319,6 +414,7 @@
          """
          with open(self.path, 'w') as f:
++            os.fchmod(f.fileno(), 0o600)
              json.dump(self, f)
      def _implicit_save(self):
@@ -326,35 +422,52 @@
              self.save()
--@cached
++_cache_config = None
++
++
  def config(scope=None):
--    """Juju charm configuration"""
--    config_cmd_line = ['config-get']
--    if scope is not None:
--        config_cmd_line.append(scope)
--    else:
--        config_cmd_line.append('--all')
--    config_cmd_line.append('--format=json')
++    """
++    Get the juju charm configuration (scope==None) or individual key,
++    (scope=str).  The returned value is a Python data structure loaded as
++    JSON from the Juju config command.
++
++    :param scope: If set, return the value for the specified key.
++    :type scope: Optional[str]
++    :returns: Either the whole config as a Config, or a key from it.
++    :rtype: Any
++    """
++    global _cache_config
++    config_cmd_line = ['config-get', '--all', '--format=json']
      try:
--        config_data = json.loads(
--            subprocess.check_output(config_cmd_line).decode('UTF-8'))
++        if _cache_config is None:
++            config_data = json.loads(
++                subprocess.check_output(config_cmd_line).decode('UTF-8'))
++            _cache_config = Config(config_data)
          if scope is not None:
--            return config_data
--        return Config(config_data)
--    except ValueError:
++            return _cache_config.get(scope)
++        return _cache_config
++    except (json.decoder.JSONDecodeError, UnicodeDecodeError) as e:
++        log('Unable to parse output from config-get: config_cmd_line="{}" '
++            'message="{}"'
++            .format(config_cmd_line, str(e)), level=ERROR)
          return None
  @cached
--def relation_get(attribute=None, unit=None, rid=None):
++def relation_get(attribute=None, unit=None, rid=None, app=None):
      """Get relation information"""
      _args = ['relation-get', '--format=json']
++    if app is not None:
++        if unit is not None:
++            raise ValueError("Cannot use both 'unit' and 'app'")
++        _args.append('--app')
      if rid:
          _args.append('-r')
          _args.append(rid)
      _args.append(attribute or '-')
--    if unit:
--        _args.append(unit)
++    # unit or application name
++    if unit or app:
++        _args.append(unit or app)
      try:
          return json.loads(subprocess.check_output(_args).decode('UTF-8'))
      except ValueError:
@@ -365,12 +478,28 @@
          raise
--def relation_set(relation_id=None, relation_settings=None, **kwargs):
++@cached
++def _relation_set_accepts_file():
++    """Return True if the juju relation-set command accepts a file.
++
++    Cache the result as it won't change during the execution of a hook, and
++    thus we can make relation_set() more efficient by only checking for the
++    first relation_set() call.
++
++    :returns: True if relation_set accepts a file.
++    :rtype: bool
++    :raises: subprocess.CalledProcessError if the check fails.
++    """
++    return "--file" in subprocess.check_output(
++        ["relation-set", "--help"], universal_newlines=True)
++
++
++def relation_set(relation_id=None, relation_settings=None, app=False, **kwargs):
      """Set relation information for the current unit"""
      relation_settings = relation_settings if relation_settings else {}
      relation_cmd_line = ['relation-set']
--    accepts_file = "--file" in subprocess.check_output(
--        relation_cmd_line + ["--help"], universal_newlines=True)
++    if app:
++        relation_cmd_line.append('--app')
      if relation_id is not None:
          relation_cmd_line.extend(('-r', relation_id))
      settings = relation_settings.copy()
@@ -380,7 +509,7 @@
          # sites pass in things like dicts or numbers.
          if value is not None:
              settings[key] = "{}".format(value)
--    if accepts_file:
++    if _relation_set_accepts_file():
          # --file was introduced in Juju 1.23.2. Use it by default if
          # available, since otherwise we'll break if the relation data is
          # too big. Ideally we should tell relation-set to read the data from
@@ -435,9 +564,70 @@
          subprocess.check_output(units_cmd_line).decode('UTF-8')) or []
++def expected_peer_units():
++    """Get a generator for units we expect to join peer relation based on
++    goal-state.
++
++    The local unit is excluded from the result to make it easy to gauge
++    completion of all peers joining the relation with existing hook tools.
++
++    Example usage:
++    log('peer {} of {} joined peer relation'
++        .format(len(related_units()),
++                len(list(expected_peer_units()))))
++
++    This function will raise NotImplementedError if used with juju versions
++    without goal-state support.
++
++    :returns: iterator
++    :rtype: types.GeneratorType
++    :raises: NotImplementedError
++    """
++    if not has_juju_version("2.4.0"):
++        # goal-state first appeared in 2.4.0.
++        raise NotImplementedError("goal-state")
++    _goal_state = goal_state()
++    return (key for key in _goal_state['units']
++            if '/' in key and key != local_unit())
++
++
++def expected_related_units(reltype=None):
++    """Get a generator for units we expect to join relation based on
++    goal-state.
++
++    Note that you can not use this function for the peer relation, take a look
++    at expected_peer_units() for that.
++
++    This function will raise KeyError if you request information for a
++    relation type for which juju goal-state does not have information.  It will
++    raise NotImplementedError if used with juju versions without goal-state
++    support.
++
++    Example usage:
++    log('participant {} of {} joined relation {}'
++        .format(len(related_units()),
++                len(list(expected_related_units())),
++                relation_type()))
++
++    :param reltype: Relation type to list data for, default is to list data for
++                    the relation type we are currently executing a hook for.
++    :type reltype: str
++    :returns: iterator
++    :rtype: types.GeneratorType
++    :raises: KeyError, NotImplementedError
++    """
++    if not has_juju_version("2.4.4"):
++        # goal-state existed in 2.4.0, but did not list individual units to
++        # join a relation in 2.4.1 through 2.4.3. (LP: #1794739)
++        raise NotImplementedError("goal-state relation unit count")
++    reltype = reltype or relation_type()
++    _goal_state = goal_state()
++    return (key for key in _goal_state['relations'][reltype] if '/' in key)
++
++
  @cached
  def relation_for_unit(unit=None, rid=None):
--    """Get the json represenation of a unit's relation"""
++    """Get the json representation of a unit's relation"""
      unit = unit or remote_unit()
      relation = relation_get(unit=unit, rid=rid)
      for key in relation:
@@ -478,6 +668,24 @@
          return yaml.safe_load(md)
++def _metadata_unit(unit):
++    """Given the name of a unit (e.g. apache2/0), get the unit charm's
++    metadata.yaml. Very similar to metadata() but allows us to inspect
++    other units. Unit needs to be co-located, such as a subordinate or
++    principal/primary.
++
++    :returns: metadata.yaml as a python object.
++
++    """
++    basedir = os.sep.join(charm_dir().split(os.sep)[:-2])
++    unitdir = 'unit-{}'.format(unit.replace(os.sep, '-'))
++    joineddir = os.path.join(basedir, unitdir, 'charm', 'metadata.yaml')
++    if not os.path.exists(joineddir):
++        return None
++    with open(joineddir) as md:
++        return yaml.safe_load(md)
++
++
  @cached
  def relation_types():
      """Get a list of relation types supported by this charm"""
@@ -602,18 +810,31 @@
      return False
++def _port_op(op_name, port, protocol="TCP"):
++    """Open or close a service network port"""
++    _args = [op_name]
++    icmp = protocol.upper() == "ICMP"
++    if icmp:
++        _args.append(protocol)
++    else:
++        _args.append('{}/{}'.format(port, protocol))
++    try:
++        subprocess.check_call(_args)
++    except subprocess.CalledProcessError:
++        # Older Juju pre 2.3 doesn't support ICMP
++        # so treat it as a no-op if it fails.
++        if not icmp:
++            raise
++
++
  def open_port(port, protocol="TCP"):
      """Open a service network port"""
--    _args = ['open-port']
--    _args.append('{}/{}'.format(port, protocol))
--    subprocess.check_call(_args)
++    _port_op('open-port', port, protocol)
  def close_port(port, protocol="TCP"):
      """Close a service network port"""
--    _args = ['close-port']
--    _args.append('{}/{}'.format(port, protocol))
--    subprocess.check_call(_args)
++    _port_op('close-port', port, protocol)
  def open_ports(start, end, protocol="TCP"):
@@ -630,6 +851,17 @@
      subprocess.check_call(_args)
++def opened_ports():
++    """Get the opened ports
++
++    *Note that this will only show ports opened in a previous hook*
++
++    :returns: Opened ports as a list of strings: ``['8080/tcp', '8081-8083/tcp']``
++    """
++    _args = ['opened-ports', '--format=json']
++    return json.loads(subprocess.check_output(_args).decode('UTF-8'))
++
++
  @cached
  def unit_get(attribute):
      """Get the unit ID for the remote unit"""
@@ -751,14 +983,29 @@
          return wrapper
++class NoNetworkBinding(Exception):
++    pass
++
++
  def charm_dir():
      """Return the root directory of the current charm"""
++    d = os.environ.get('JUJU_CHARM_DIR')
++    if d is not None:
++        return d
      return os.environ.get('CHARM_DIR')
++def cmd_exists(cmd):
++    """Return True if the specified cmd exists in the path"""
++    return any(
++        os.access(os.path.join(path, cmd), os.X_OK)
++        for path in os.environ["PATH"].split(os.pathsep)
++    )
++
++
  @cached
  def action_get(key=None):
--    """Gets the value of an action parameter, or all key/value param pairs"""
++    """Gets the value of an action parameter, or all key/value param pairs."""
      cmd = ['action-get']
      if key is not None:
          cmd.append(key)
@@ -767,52 +1014,132 @@
      return action_data
++@cached
++@deprecate("moved to action_get()", log=log)
++def function_get(key=None):
++    """
++    .. deprecated::
++    Gets the value of an action parameter, or all key/value param pairs.
++    """
++    cmd = ['function-get']
++    # Fallback for older charms.
++    if not cmd_exists('function-get'):
++        cmd = ['action-get']
++
++    if key is not None:
++        cmd.append(key)
++    cmd.append('--format=json')
++    function_data = json.loads(subprocess.check_output(cmd).decode('UTF-8'))
++    return function_data
++
++
  def action_set(values):
--    """Sets the values to be returned after the action finishes"""
++    """Sets the values to be returned after the action finishes."""
      cmd = ['action-set']
      for k, v in list(values.items()):
          cmd.append('{}={}'.format(k, v))
      subprocess.check_call(cmd)
++@deprecate("moved to action_set()", log=log)
++def function_set(values):
++    """
++    .. deprecated::
++    Sets the values to be returned after the function finishes.
++    """
++    cmd = ['function-set']
++    # Fallback for older charms.
++    if not cmd_exists('function-get'):
++        cmd = ['action-set']
++
++    for k, v in list(values.items()):
++        cmd.append('{}={}'.format(k, v))
++    subprocess.check_call(cmd)
++
++
  def action_fail(message):
--    """Sets the action status to failed and sets the error message.
++    """
++    Sets the action status to failed and sets the error message.
--    The results set by action_set are preserved."""
++    The results set by action_set are preserved.
++    """
      subprocess.check_call(['action-fail', message])
++@deprecate("moved to action_fail()", log=log)
++def function_fail(message):
++    """
++    .. deprecated::
++    Sets the function status to failed and sets the error message.
++
++    The results set by function_set are preserved.
++    """
++    cmd = ['function-fail']
++    # Fallback for older charms.
++    if not cmd_exists('function-fail'):
++        cmd = ['action-fail']
++    cmd.append(message)
++
++    subprocess.check_call(cmd)
++
++
  def action_name():
      """Get the name of the currently executing action."""
      return os.environ.get('JUJU_ACTION_NAME')
++def function_name():
++    """Get the name of the currently executing function."""
++    return os.environ.get('JUJU_FUNCTION_NAME') or action_name()
++
++
  def action_uuid():
      """Get the UUID of the currently executing action."""
      return os.environ.get('JUJU_ACTION_UUID')
++def function_id():
++    """Get the ID of the currently executing function."""
++    return os.environ.get('JUJU_FUNCTION_ID') or action_uuid()
++
++
  def action_tag():
      """Get the tag for the currently executing action."""
      return os.environ.get('JUJU_ACTION_TAG')
--def status_set(workload_state, message):
++def function_tag():
++    """Get the tag for the currently executing function."""
++    return os.environ.get('JUJU_FUNCTION_TAG') or action_tag()
++
++
++def status_set(workload_state, message, application=False):
      """Set the workload state with a message
      Use status-set to set the workload state with a message which is visible
      to the user via juju status. If the status-set command is not found then
--    assume this is juju < 1.23 and juju-log the message unstead.
++    assume this is juju < 1.23 and juju-log the message instead.
--    workload_state -- valid juju workload state.
--    message        -- status update message
++    workload_state   -- valid juju workload state. str or WORKLOAD_STATES
++    message          -- status update message
++    application      -- Whether this is an application state set
      """
--    valid_states = ['maintenance', 'blocked', 'waiting', 'active']
--    if workload_state not in valid_states:
--        raise ValueError(
--            '{!r} is not a valid workload state'.format(workload_state)
--        )
--    cmd = ['status-set', workload_state, message]
++    bad_state_msg = '{!r} is not a valid workload state'
++
++    if isinstance(workload_state, str):
++        try:
++            # Convert string to enum.
++            workload_state = WORKLOAD_STATES[workload_state.upper()]
++        except KeyError:
++            raise ValueError(bad_state_msg.format(workload_state))
++
++    if workload_state not in WORKLOAD_STATES:
++        raise ValueError(bad_state_msg.format(workload_state))
++
++    cmd = ['status-set']
++    if application:
++        cmd.append('--application')
++    cmd.extend([workload_state.value, message])
      try:
          ret = subprocess.call(cmd)
          if ret == 0:
@@ -820,7 +1147,7 @@
      except OSError as e:
          if e.errno != errno.ENOENT:
              raise
--    log_message = 'status-set failed: {} {}'.format(workload_state,
++    log_message = 'status-set failed: {} {}'.format(workload_state.value,
                                                      message)
      log(log_message, level='INFO')
@@ -874,6 +1201,14 @@
  @translate_exc(from_exc=OSError, to_exc=NotImplementedError)
++@cached
++def goal_state():
++    """Juju goal state values"""
++    cmd = ['goal-state', '--format=json']
++    return json.loads(subprocess.check_output(cmd).decode('UTF-8'))
++
++
++@translate_exc(from_exc=OSError, to_exc=NotImplementedError)
  def is_leader():
      """Does the current unit hold the juju leadership
@@ -967,7 +1302,6 @@
                                     universal_newlines=True).strip()
--@cached
  def has_juju_version(minimum_version):
      """Return True if the Juju version is at least the provided version"""
      return LooseVersion(juju_version()) >= LooseVersion(minimum_version)
@@ -1027,6 +1361,8 @@
  @translate_exc(from_exc=OSError, to_exc=NotImplementedError)
  def network_get_primary_address(binding):
      '''
++    Deprecated since Juju 2.3; use network_get()
++
      Retrieve the primary network address for a named binding
      :param binding: string. The name of a relation of extra-binding
@@ -1034,4 +1370,267 @@
      :raise: NotImplementedError if run on Juju < 2.0
      '''
      cmd = ['network-get', '--primary-address', binding]
--    return subprocess.check_output(cmd).decode('UTF-8').strip()
++    try:
++        response = subprocess.check_output(
++            cmd,
++            stderr=subprocess.STDOUT).decode('UTF-8').strip()
++    except CalledProcessError as e:
++        if 'no network config found for binding' in e.output.decode('UTF-8'):
++            raise NoNetworkBinding("No network binding for {}"
++                                   .format(binding))
++        else:
++            raise
++    return response
++
++
++def network_get(endpoint, relation_id=None):
++    """
++    Retrieve the network details for a relation endpoint
++
++    :param endpoint: string. The name of a relation endpoint
++    :param relation_id: int. The ID of the relation for the current context.
++    :return: dict. The loaded YAML output of the network-get query.
++    :raise: NotImplementedError if request not supported by the Juju version.
++    """
++    if not has_juju_version('2.2'):
++        raise NotImplementedError(juju_version())  # earlier versions require --primary-address
++    if relation_id and not has_juju_version('2.3'):
++        raise NotImplementedError  # 2.3 added the -r option
++
++    cmd = ['network-get', endpoint, '--format', 'yaml']
++    if relation_id:
++        cmd.append('-r')
++        cmd.append(relation_id)
++    response = subprocess.check_output(
++        cmd,
++        stderr=subprocess.STDOUT).decode('UTF-8').strip()
++    return yaml.safe_load(response)
++
++
++def add_metric(*args, **kwargs):
++    """Add metric values. Values may be expressed with keyword arguments. For
++    metric names containing dashes, these may be expressed as one or more
++    'key=value' positional arguments. May only be called from the collect-metrics
++    hook."""
++    _args = ['add-metric']
++    _kvpairs = []
++    _kvpairs.extend(args)
++    _kvpairs.extend(['{}={}'.format(k, v) for k, v in kwargs.items()])
++    _args.extend(sorted(_kvpairs))
++    try:
++        subprocess.check_call(_args)
++        return
++    except EnvironmentError as e:
++        if e.errno != errno.ENOENT:
++            raise
++    log_message = 'add-metric failed: {}'.format(' '.join(_kvpairs))
++    log(log_message, level='INFO')
++
++
++def meter_status():
++    """Get the meter status, if running in the meter-status-changed hook."""
++    return os.environ.get('JUJU_METER_STATUS')
++
++
++def meter_info():
++    """Get the meter status information, if running in the meter-status-changed
++    hook."""
++    return os.environ.get('JUJU_METER_INFO')
++
++
++def iter_units_for_relation_name(relation_name):
++    """Iterate through all units in a relation
++
++    Generator that iterates through all the units in a relation and yields
++    a named tuple with rid and unit field names.
++
++    Usage:
++    data = [(u.rid, u.unit)
++            for u in iter_units_for_relation_name(relation_name)]
++
++    :param relation_name: string relation name
++    :yield: Named Tuple with rid and unit field names
++    """
++    RelatedUnit = namedtuple('RelatedUnit', 'rid, unit')
++    for rid in relation_ids(relation_name):
++        for unit in related_units(rid):
++            yield RelatedUnit(rid, unit)
++
++
++def ingress_address(rid=None, unit=None):
++    """
++    Retrieve the ingress-address from a relation when available.
++    Otherwise, return the private-address.
++
++    When used on the consuming side of the relation (unit is a remote
++    unit), the ingress-address is the IP address that this unit needs
++    to use to reach the provided service on the remote unit.
++
++    When used on the providing side of the relation (unit == local_unit()),
++    the ingress-address is the IP address that is advertised to remote
++    units on this relation. Remote units need to use this address to
++    reach the local provided service on this unit.
++
++    Note that charms may document some other method to use in
++    preference to the ingress_address(), such as an address provided
++    on a different relation attribute or a service discovery mechanism.
++    This allows charms to redirect inbound connections to their peers
++    or different applications such as load balancers.
++
++    Usage:
++    addresses = [ingress_address(rid=u.rid, unit=u.unit)
++                 for u in iter_units_for_relation_name(relation_name)]
++
++    :param rid: string relation id
++    :param unit: string unit name
++    :side effect: calls relation_get
++    :return: string IP address
++    """
++    settings = relation_get(rid=rid, unit=unit)
++    return (settings.get('ingress-address') or
++            settings.get('private-address'))
++
++
++def egress_subnets(rid=None, unit=None):
++    """
++    Retrieve the egress-subnets from a relation.
++
++    This function is to be used on the providing side of the
++    relation, and provides the ranges of addresses that client
++    connections may come from. The result is uninteresting on
++    the consuming side of a relation (unit == local_unit()).
++
++    Returns a stable list of subnets in CIDR format.
++    eg. ['192.168.1.0/24', '2001::F00F/128']
++
++    If egress-subnets is not available, falls back to using the published
++    ingress-address, or finally private-address.
++
++    :param rid: string relation id
++    :param unit: string unit name
++    :side effect: calls relation_get
++    :return: list of subnets in CIDR format. eg. ['192.168.1.0/24', '2001::F00F/128']
++    """
++    def _to_range(addr):
++        if re.search(r'^(?:\d{1,3}\.){3}\d{1,3}$', addr) is not None:
++            addr += '/32'
++        elif ':' in addr and '/' not in addr:  # IPv6
++            addr += '/128'
++        return addr
++
++    settings = relation_get(rid=rid, unit=unit)
++    if 'egress-subnets' in settings:
++        return [n.strip() for n in settings['egress-subnets'].split(',') if n.strip()]
++    if 'ingress-address' in settings:
++        return [_to_range(settings['ingress-address'])]
++    if 'private-address' in settings:
++        return [_to_range(settings['private-address'])]
++    return []  # Should never happen
++
++
++def unit_doomed(unit=None):
++    """Determines if the unit is being removed from the model
++
++    Requires Juju 2.4.1.
++
++    :param unit: string unit name, defaults to local_unit
++    :side effect: calls goal_state
++    :side effect: calls local_unit
++    :side effect: calls has_juju_version
++    :return: True if the unit is being removed, already gone, or never existed
++    """
++    if not has_juju_version("2.4.1"):
++        # We cannot risk blindly returning False for 'we don't know',
++        # because that could cause data loss; if call sites don't
++        # need an accurate answer, they likely don't need this helper
++        # at all.
++        # goal-state existed in 2.4.0, but did not handle removals
++        # correctly until 2.4.1.
++        raise NotImplementedError("is_doomed")
++    if unit is None:
++        unit = local_unit()
++    gs = goal_state()
++    units = gs.get('units', {})
++    if unit not in units:
++        return True
++    # I don't think 'dead' units ever show up in the goal-state, but
++    # check anyway in addition to 'dying'.
++    return units[unit]['status'] in ('dying', 'dead')
++
++
++def env_proxy_settings(selected_settings=None):
++    """Get proxy settings from process environment variables.
++
++    Get charm proxy settings from environment variables that correspond to
++    juju-http-proxy, juju-https-proxy juju-no-proxy (available as of 2.4.2, see
++    lp:1782236) and juju-ftp-proxy in a format suitable for passing to an
++    application that reacts to proxy settings passed as environment variables.
++    Some applications support lowercase or uppercase notation (e.g. curl), some
++    support only lowercase (e.g. wget), there are also subjectively rare cases
++    of only uppercase notation support. no_proxy CIDR and wildcard support also
++    varies between runtimes and applications as there is no enforced standard.
++
++    Some applications may connect to multiple destinations and expose config
++    options that would affect only proxy settings for a specific destination
++    these should be handled in charms in an application-specific manner.
++
++    :param selected_settings: format only a subset of possible settings
++    :type selected_settings: list
++    :rtype: Option(None, dict[str, str])
++    """
++    SUPPORTED_SETTINGS = {
++        'http': 'HTTP_PROXY',
++        'https': 'HTTPS_PROXY',
++        'no_proxy': 'NO_PROXY',
++        'ftp': 'FTP_PROXY'
++    }
++    if selected_settings is None:
++        selected_settings = SUPPORTED_SETTINGS
++
++    selected_vars = [v for k, v in SUPPORTED_SETTINGS.items()
++                     if k in selected_settings]
++    proxy_settings = {}
++    for var in selected_vars:
++        var_val = os.getenv(var)
++        if var_val:
++            proxy_settings[var] = var_val
++            proxy_settings[var.lower()] = var_val
++        # Now handle juju-prefixed environment variables. The legacy vs new
++        # environment variable usage is mutually exclusive
++        charm_var_val = os.getenv('JUJU_CHARM_{}'.format(var))
++        if charm_var_val:
++            proxy_settings[var] = charm_var_val
++            proxy_settings[var.lower()] = charm_var_val
++    if 'no_proxy' in proxy_settings:
++        if _contains_range(proxy_settings['no_proxy']):
++            log(RANGE_WARNING, level=WARNING)
++    return proxy_settings if proxy_settings else None
++
++
++def _contains_range(addresses):
++    """Check for cidr or wildcard domain in a string.
++
++    Given a string comprising a comma separated list of ip addresses
++    and domain names, determine whether the string contains IP ranges
++    or wildcard domains.
++
++    :param addresses: comma separated list of domains and ip addresses.
++    :type addresses: str
++    """
++    return (
++        # Test for cidr (e.g. 10.20.20.0/24)
++        "/" in addresses or
++        # Test for wildcard domains (*.foo.com or .foo.com)
++        "*" in addresses or
++        addresses.startswith(".") or
++        ",." in addresses or
++        " ." in addresses)
++
++
++def is_subordinate():
++    """Check whether charm is subordinate in unit metadata.
++
++    :returns: True if unit is subordniate, False otherwise.
++    :rtype: bool
++    """
++    return metadata().get('subordinate') is True
 === modified file 'hooks/charmhelpers/core/host.py'
 --- hooks/charmhelpers/core/host.py	2017-01-16 16:28:40 +0000
 +++ hooks/charmhelpers/core/host.py	2023-06-30 13:58:42 +0000
@@ -1,4 +1,4 @@
--# Copyright 2014-2015 Canonical Limited.
++# Copyright 2014-2021 Canonical Limited.
+ #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
@@ -19,6 +19,7 @@
  #  Nick Moffitt <nick.moffitt@canonical.com>
  #  Matthew Wedgwood <matthew.wedgwood@canonical.com>
++import errno
  import os
  import re
  import pwd
@@ -30,66 +31,199 @@
  import hashlib
  import functools
  import itertools
--import six
  from contextlib import contextmanager
--from collections import OrderedDict
--from .hookenv import log
++from collections import OrderedDict, defaultdict
++from .hookenv import log, INFO, DEBUG, local_unit, charm_name
  from .fstab import Fstab
  from charmhelpers.osplatform import get_platform
  __platform__ = get_platform()
  if __platform__ == "ubuntu":
--    from charmhelpers.core.host_factory.ubuntu import (
++    from charmhelpers.core.host_factory.ubuntu import (  # NOQA:F401
          service_available,
          add_new_group,
          lsb_release,
          cmp_pkgrevno,
++        CompareHostReleases,
++        get_distrib_codename,
++        arch
      )  # flake8: noqa -- ignore F401 for this import
  elif __platform__ == "centos":
--    from charmhelpers.core.host_factory.centos import (
++    from charmhelpers.core.host_factory.centos import (  # NOQA:F401
          service_available,
          add_new_group,
          lsb_release,
          cmp_pkgrevno,
++        CompareHostReleases,
      )  # flake8: noqa -- ignore F401 for this import
--
--def service_start(service_name):
--    """Start a system service"""
--    return service('start', service_name)
--
--
--def service_stop(service_name):
--    """Stop a system service"""
--    return service('stop', service_name)
--
--
--def service_restart(service_name):
--    """Restart a system service"""
++UPDATEDB_PATH = '/etc/updatedb.conf'
++CA_CERT_DIR = '/usr/local/share/ca-certificates'
++
++
++def service_start(service_name, **kwargs):
++    """Start a system service.
++
++    The specified service name is managed via the system level init system.
++    Some init systems (e.g. upstart) require that additional arguments be
++    provided in order to directly control service instances whereas other init
++    systems allow for addressing instances of a service directly by name (e.g.
++    systemd).
++
++    The kwargs allow for the additional parameters to be passed to underlying
++    init systems for those systems which require/allow for them. For example,
++    the ceph-osd upstart script requires the id parameter to be passed along
++    in order to identify which running daemon should be reloaded. The follow-
++    ing example stops the ceph-osd service for instance id=4:
++
++    service_stop('ceph-osd', id=4)
++
++    :param service_name: the name of the service to stop
++    :param **kwargs: additional parameters to pass to the init system when
++                     managing services. These will be passed as key=value
++                     parameters to the init system's commandline. kwargs
++                     are ignored for systemd enabled systems.
++    """
++    return service('start', service_name, **kwargs)
++
++
++def service_stop(service_name, **kwargs):
++    """Stop a system service.
++
++    The specified service name is managed via the system level init system.
++    Some init systems (e.g. upstart) require that additional arguments be
++    provided in order to directly control service instances whereas other init
++    systems allow for addressing instances of a service directly by name (e.g.
++    systemd).
++
++    The kwargs allow for the additional parameters to be passed to underlying
++    init systems for those systems which require/allow for them. For example,
++    the ceph-osd upstart script requires the id parameter to be passed along
++    in order to identify which running daemon should be reloaded. The follow-
++    ing example stops the ceph-osd service for instance id=4:
++
++    service_stop('ceph-osd', id=4)
++
++    :param service_name: the name of the service to stop
++    :param **kwargs: additional parameters to pass to the init system when
++                     managing services. These will be passed as key=value
++                     parameters to the init system's commandline. kwargs
++                     are ignored for systemd enabled systems.
++    """
++    return service('stop', service_name, **kwargs)
++
++
++def service_enable(service_name, **kwargs):
++    """Enable a system service.
++
++    The specified service name is managed via the system level init system.
++    Some init systems (e.g. upstart) require that additional arguments be
++    provided in order to directly control service instances whereas other init
++    systems allow for addressing instances of a service directly by name (e.g.
++    systemd).
++
++    The kwargs allow for the additional parameters to be passed to underlying
++    init systems for those systems which require/allow for them. For example,
++    the ceph-osd upstart script requires the id parameter to be passed along
++    in order to identify which running daemon should be restarted. The follow-
++    ing example restarts the ceph-osd service for instance id=4:
++
++    service_enable('ceph-osd', id=4)
++
++    :param service_name: the name of the service to enable
++    :param **kwargs: additional parameters to pass to the init system when
++                     managing services. These will be passed as key=value
++                     parameters to the init system's commandline. kwargs
++                     are ignored for init systems not allowing additional
++                     parameters via the commandline (systemd).
++    """
++    return service('enable', service_name, **kwargs)
++
++
++def service_restart(service_name, **kwargs):
++    """Restart a system service.
++
++    The specified service name is managed via the system level init system.
++    Some init systems (e.g. upstart) require that additional arguments be
++    provided in order to directly control service instances whereas other init
++    systems allow for addressing instances of a service directly by name (e.g.
++    systemd).
++
++    The kwargs allow for the additional parameters to be passed to underlying
++    init systems for those systems which require/allow for them. For example,
++    the ceph-osd upstart script requires the id parameter to be passed along
++    in order to identify which running daemon should be restarted. The follow-
++    ing example restarts the ceph-osd service for instance id=4:
++
++    service_restart('ceph-osd', id=4)
++
++    :param service_name: the name of the service to restart
++    :param **kwargs: additional parameters to pass to the init system when
++                     managing services. These will be passed as key=value
++                     parameters to the init system's commandline. kwargs
++                     are ignored for init systems not allowing additional
++                     parameters via the commandline (systemd).
++    """
      return service('restart', service_name)
--def service_reload(service_name, restart_on_failure=False):
++def service_reload(service_name, restart_on_failure=False, **kwargs):
      """Reload a system service, optionally falling back to restart if
--    reload fails"""
--    service_result = service('reload', service_name)
++    reload fails.
++
++    The specified service name is managed via the system level init system.
++    Some init systems (e.g. upstart) require that additional arguments be
++    provided in order to directly control service instances whereas other init
++    systems allow for addressing instances of a service directly by name (e.g.
++    systemd).
++
++    The kwargs allow for the additional parameters to be passed to underlying
++    init systems for those systems which require/allow for them. For example,
++    the ceph-osd upstart script requires the id parameter to be passed along
++    in order to identify which running daemon should be reloaded. The follow-
++    ing example restarts the ceph-osd service for instance id=4:
++
++    service_reload('ceph-osd', id=4)
++
++    :param service_name: the name of the service to reload
++    :param restart_on_failure: boolean indicating whether to fallback to a
++                               restart if the reload fails.
++    :param **kwargs: additional parameters to pass to the init system when
++                     managing services. These will be passed as key=value
++                     parameters to the  init system's commandline. kwargs
++                     are ignored for init systems not allowing additional
++                     parameters via the commandline (systemd).
++    """
++    service_result = service('reload', service_name, **kwargs)
      if not service_result and restart_on_failure:
--        service_result = service('restart', service_name)
++        service_result = service('restart', service_name, **kwargs)
      return service_result
--def service_pause(service_name, init_dir="/etc/init", initd_dir="/etc/init.d"):
++def service_pause(service_name, init_dir="/etc/init", initd_dir="/etc/init.d",
++                  **kwargs):
      """Pause a system service.
--    Stop it, and prevent it from starting again at boot."""
++    Stop it, and prevent it from starting again at boot.
++
++    :param service_name: the name of the service to pause
++    :param init_dir: path to the upstart init directory
++    :param initd_dir: path to the sysv init directory
++    :param **kwargs: additional parameters to pass to the init system when
++                     managing services. These will be passed as key=value
++                     parameters to the init system's commandline. kwargs
++                     are ignored for init systems which do not support
++                     key=value arguments via the commandline.
++    """
      stopped = True
--    if service_running(service_name):
--        stopped = service_stop(service_name)
++    if service_running(service_name, **kwargs):
++        stopped = service_stop(service_name, **kwargs)
      upstart_file = os.path.join(init_dir, "{}.conf".format(service_name))
      sysv_file = os.path.join(initd_dir, service_name)
--    if init_is_systemd():
++    if init_is_systemd(service_name=service_name):
          service('disable', service_name)
++        service('mask', service_name)
      elif os.path.exists(upstart_file):
          override_path = os.path.join(
              init_dir, '{}.override'.format(service_name))
@@ -106,13 +240,23 @@
  def service_resume(service_name, init_dir="/etc/init",
--                   initd_dir="/etc/init.d"):
++                   initd_dir="/etc/init.d", **kwargs):
      """Resume a system service.
--    Reenable starting again at boot. Start the service"""
++    Re-enable starting again at boot. Start the service.
++
++    :param service_name: the name of the service to resume
++    :param init_dir: the path to the init dir
++    :param initd dir: the path to the initd dir
++    :param **kwargs: additional parameters to pass to the init system when
++                     managing services. These will be passed as key=value
++                     parameters to the init system's commandline. kwargs
++                     are ignored for systemd enabled systems.
++    """
      upstart_file = os.path.join(init_dir, "{}.conf".format(service_name))
      sysv_file = os.path.join(initd_dir, service_name)
--    if init_is_systemd():
++    if init_is_systemd(service_name=service_name):
++        service('unmask', service_name)
          service('enable', service_name)
      elif os.path.exists(upstart_file):
          override_path = os.path.join(
@@ -126,19 +270,30 @@
              "Unable to detect {0} as SystemD, Upstart {1} or"
              " SysV {2}".format(
                  service_name, upstart_file, sysv_file))
++    started = service_running(service_name, **kwargs)
--    started = service_running(service_name)
      if not started:
--        started = service_start(service_name)
++        started = service_start(service_name, **kwargs)
      return started
--def service(action, service_name):
--    """Control a system service"""
--    if init_is_systemd():
--        cmd = ['systemctl', action, service_name]
++def service(action, service_name=None, **kwargs):
++    """Control a system service.
++
++    :param action: the action to take on the service
++    :param service_name: the name of the service to perform th action on
++    :param **kwargs: additional params to be passed to the service command in
++                    the form of key=value.
++    """
++    if init_is_systemd(service_name=service_name):
++        cmd = ['systemctl', action]
++        if service_name is not None:
++            cmd.append(service_name)
      else:
          cmd = ['service', service_name, action]
++        for key, value in kwargs.items():
++            parameter = '%s=%s' % (key, value)
++            cmd.append(parameter)
      return subprocess.call(cmd) == 0
@@ -146,16 +301,27 @@
  _INIT_D_CONF = "/etc/init.d/{}"
--def service_running(service_name):
--    """Determine whether a system service is running"""
--    if init_is_systemd():
++def service_running(service_name, **kwargs):
++    """Determine whether a system service is running.
++
++    :param service_name: the name of the service
++    :param **kwargs: additional args to pass to the service command. This is
++                     used to pass additional key=value arguments to the
++                     service command line for managing specific instance
++                     units (e.g. service ceph-osd status id=2). The kwargs
++                     are ignored in systemd services.
++    """
++    if init_is_systemd(service_name=service_name):
          return service('is-active', service_name)
      else:
          if os.path.exists(_UPSTART_CONF.format(service_name)):
              try:
++                cmd = ['status', service_name]
++                for key, value in kwargs.items():
++                    parameter = '%s=%s' % (key, value)
++                    cmd.append(parameter)
                  output = subprocess.check_output(
--                    ['status', service_name],
--                    stderr=subprocess.STDOUT).decode('UTF-8')
++                    cmd, stderr=subprocess.STDOUT).decode('UTF-8')
              except subprocess.CalledProcessError:
                  return False
              else:
@@ -175,8 +341,16 @@
  SYSTEMD_SYSTEM = '/run/systemd/system'
--def init_is_systemd():
--    """Return True if the host system uses systemd, False otherwise."""
++def init_is_systemd(service_name=None):
++    """
++    Returns whether the host uses systemd for the specified service.
++
++    @param Optional[str] service_name: specific name of service
++    """
++    if str(service_name).startswith("snap."):
++        return True
++    if lsb_release()['DISTRIB_CODENAME'] == 'trusty':
++        return False
      return os.path.isdir(SYSTEMD_SYSTEM)
@@ -306,6 +480,51 @@
      subprocess.check_call(cmd)
++def chage(username, lastday=None, expiredate=None, inactive=None,
++          mindays=None, maxdays=None, root=None, warndays=None):
++    """Change user password expiry information
++
++    :param str username: User to update
++    :param str lastday: Set when password was changed in YYYY-MM-DD format
++    :param str expiredate: Set when user's account will no longer be
++                           accessible in YYYY-MM-DD format.
++                           -1 will remove an account expiration date.
++    :param str inactive: Set the number of days of inactivity after a password
++                         has expired before the account is locked.
++                         -1 will remove an account's inactivity.
++    :param str mindays: Set the minimum number of days between password
++                        changes to MIN_DAYS.
++                        0 indicates the password can be changed anytime.
++    :param str maxdays: Set the maximum number of days during which a
++                        password is valid.
++                        -1 as MAX_DAYS will remove checking maxdays
++    :param str root: Apply changes in the CHROOT_DIR directory
++    :param str warndays: Set the number of days of warning before a password
++                         change is required
++    :raises subprocess.CalledProcessError: if call to chage fails
++    """
++    cmd = ['chage']
++    if root:
++        cmd.extend(['--root', root])
++    if lastday:
++        cmd.extend(['--lastday', lastday])
++    if expiredate:
++        cmd.extend(['--expiredate', expiredate])
++    if inactive:
++        cmd.extend(['--inactive', inactive])
++    if mindays:
++        cmd.extend(['--mindays', mindays])
++    if maxdays:
++        cmd.extend(['--maxdays', maxdays])
++    if warndays:
++        cmd.extend(['--warndays', warndays])
++    cmd.append(username)
++    subprocess.check_call(cmd)
++
++
++remove_password_expiry = functools.partial(chage, expiredate='-1', inactive='-1', mindays='0', maxdays='-1')
++
++
  def rsync(from_path, to_path, flags='-r', options=None, timeout=None):
      """Replicate the contents of a path"""
      options = options or ['--delete', '--executability']
@@ -352,13 +571,45 @@
  def write_file(path, content, owner='root', group='root', perms=0o444):
      """Create or overwrite a file with the contents of a byte string."""
--    log("Writing file {} {}:{} {:o}".format(path, owner, group, perms))
      uid = pwd.getpwnam(owner).pw_uid
      gid = grp.getgrnam(group).gr_gid
--    with open(path, 'wb') as target:
--        os.fchown(target.fileno(), uid, gid)
--        os.fchmod(target.fileno(), perms)
--        target.write(content)
++    # lets see if we can grab the file and compare the context, to avoid doing
++    # a write.
++    existing_content = None
++    existing_uid, existing_gid, existing_perms = None, None, None
++    try:
++        with open(path, 'rb') as target:
++            existing_content = target.read()
++        stat = os.stat(path)
++        existing_uid, existing_gid, existing_perms = (
++            stat.st_uid, stat.st_gid, stat.st_mode
++        )
++    except Exception:
++        pass
++    if content != existing_content:
++        log("Writing file {} {}:{} {:o}".format(path, owner, group, perms),
++            level=DEBUG)
++        with open(path, 'wb') as target:
++            os.fchown(target.fileno(), uid, gid)
++            os.fchmod(target.fileno(), perms)
++            if isinstance(content, str):
++                content = content.encode('UTF-8')
++            target.write(content)
++        return
++    # the contents were the same, but we might still need to change the
++    # ownership or permissions.
++    if existing_uid != uid:
++        log("Changing uid on already existing content: {} -> {}"
++            .format(existing_uid, uid), level=DEBUG)
++        os.chown(path, uid, -1)
++    if existing_gid != gid:
++        log("Changing gid on already existing content: {} -> {}"
++            .format(existing_gid, gid), level=DEBUG)
++        os.chown(path, -1, gid)
++    if existing_perms != perms:
++        log("Changing permissions on existing content: {} -> {}"
++            .format(existing_perms, perms), level=DEBUG)
++        os.chmod(path, perms)
  def fstab_remove(mp):
@@ -456,7 +707,7 @@
      :param str checksum: Value of the checksum used to validate the file.
      :param str hash_type: Hash algorithm used to generate `checksum`.
--        Can be any hash alrgorithm supported by :mod:`hashlib`,
++        Can be any hash algorithm supported by :mod:`hashlib`,
          such as md5, sha1, sha256, sha512, etc.
      :raises ChecksumError: If the file fails the checksum
@@ -471,78 +722,227 @@
      pass
--def restart_on_change(restart_map, stopstart=False, restart_functions=None):
--    """Restart services based on configuration files changing
--
--    This function is used a decorator, for example::
--
--        @restart_on_change({
--            '/etc/ceph/ceph.conf': [ 'cinder-api', 'cinder-volume' ]
--            '/etc/apache/sites-enabled/*': [ 'apache2' ]
--            })
--        def config_changed():
--            pass  # your code here
--
--    In this example, the cinder-api and cinder-volume services
--    would be restarted if /etc/ceph/ceph.conf is changed by the
--    ceph_client_changed function. The apache2 service would be
--    restarted if any file matching the pattern got changed, created
--    or removed. Standard wildcards are supported, see documentation
--    for the 'glob' module for more information.
--
--    @param restart_map: {path_file_name: [service_name, ...]
--    @param stopstart: DEFAULT false; whether to stop, start OR restart
--    @param restart_functions: nonstandard functions to use to restart services
--                              {svc: func, ...}
--    @returns result from decorated function
++class restart_on_change(object):
++    """Decorator and context manager to handle restarts.
++
++    Usage:
++
++       @restart_on_change(restart_map, ...)
++       def function_that_might_trigger_a_restart(...)
++           ...
++
++    Or:
++
++       with restart_on_change(restart_map, ...):
++           do_stuff_that_might_trigger_a_restart()
++           ...
      """
--    def wrap(f):
++
++    def __init__(self, restart_map, stopstart=False, restart_functions=None,
++                 can_restart_now_f=None, post_svc_restart_f=None,
++                 pre_restarts_wait_f=None):
++        """
++        :param restart_map: {file: [service, ...]}
++        :type restart_map: Dict[str, List[str,]]
++        :param stopstart: whether to stop, start or restart a service
++        :type stopstart: booleean
++        :param restart_functions: nonstandard functions to use to restart
++                                  services {svc: func, ...}
++        :type restart_functions: Dict[str, Callable[[str], None]]
++        :param can_restart_now_f: A function used to check if the restart is
++                                  permitted.
++        :type can_restart_now_f: Callable[[str, List[str]], boolean]
++        :param post_svc_restart_f: A function run after a service has
++                                   restarted.
++        :type post_svc_restart_f: Callable[[str], None]
++        :param pre_restarts_wait_f: A function called before any restarts.
++        :type pre_restarts_wait_f: Callable[None, None]
++        """
++        self.restart_map = restart_map
++        self.stopstart = stopstart
++        self.restart_functions = restart_functions
++        self.can_restart_now_f = can_restart_now_f
++        self.post_svc_restart_f = post_svc_restart_f
++        self.pre_restarts_wait_f = pre_restarts_wait_f
++
++    def __call__(self, f):
++        """Work like a decorator.
++
++        Returns a wrapped function that performs the restart if triggered.
++
++        :param f: The function that is being wrapped.
++        :type f: Callable[[Any], Any]
++        :returns: the wrapped function
++        :rtype: Callable[[Any], Any]
++        """
          @functools.wraps(f)
          def wrapped_f(*args, **kwargs):
              return restart_on_change_helper(
--                (lambda: f(*args, **kwargs)), restart_map, stopstart,
--                restart_functions)
++                (lambda: f(*args, **kwargs)),
++                self.restart_map,
++                stopstart=self.stopstart,
++                restart_functions=self.restart_functions,
++                can_restart_now_f=self.can_restart_now_f,
++                post_svc_restart_f=self.post_svc_restart_f,
++                pre_restarts_wait_f=self.pre_restarts_wait_f)
          return wrapped_f
--    return wrap
++
++    def __enter__(self):
++        """Enter the runtime context related to this object. """
++        self.checksums = _pre_restart_on_change_helper(self.restart_map)
++
++    def __exit__(self, exc_type, exc_val, exc_tb):
++        """Exit the runtime context related to this object.
++
++        The parameters describe the exception that caused the context to be
++        exited. If the context was exited without an exception, all three
++        arguments will be None.
++        """
++        if exc_type is None:
++            _post_restart_on_change_helper(
++                self.checksums,
++                self.restart_map,
++                stopstart=self.stopstart,
++                restart_functions=self.restart_functions,
++                can_restart_now_f=self.can_restart_now_f,
++                post_svc_restart_f=self.post_svc_restart_f,
++                pre_restarts_wait_f=self.pre_restarts_wait_f)
++        # All is good, so return False; any exceptions will propagate.
++        return False
  def restart_on_change_helper(lambda_f, restart_map, stopstart=False,
--                             restart_functions=None):
++                             restart_functions=None,
++                             can_restart_now_f=None,
++                             post_svc_restart_f=None,
++                             pre_restarts_wait_f=None):
      """Helper function to perform the restart_on_change function.
      This is provided for decorators to restart services if files described
      in the restart_map have changed after an invocation of lambda_f().
--    @param lambda_f: function to call.
--    @param restart_map: {file: [service, ...]}
--    @param stopstart: whether to stop, start or restart a service
--    @param restart_functions: nonstandard functions to use to restart services
--                              {svc: func, ...}
--    @returns result of lambda_f()
++    This functions allows for a number of helper functions to be passed.
++
++    `restart_functions` is a map with a service as the key and the
++    corresponding value being the function to call to restart the service. For
++    example if `restart_functions={'some-service': my_restart_func}` then
++    `my_restart_func` should a function which takes one argument which is the
++    service name to be retstarted.
++
++    `can_restart_now_f` is a function which checks that a restart is permitted.
++    It should return a bool which indicates if a restart is allowed and should
++    take a service name (str) and a list of changed files (List[str]) as
++    arguments.
++
++    `post_svc_restart_f` is a function which runs after a service has been
++    restarted. It takes the service name that was restarted as an argument.
++
++    `pre_restarts_wait_f` is a function which is called before any restarts
++    occur. The use case for this is an application which wants to try and
++    stagger restarts between units.
++
++    :param lambda_f: function to call.
++    :type lambda_f: Callable[[], ANY]
++    :param restart_map: {file: [service, ...]}
++    :type restart_map: Dict[str, List[str,]]
++    :param stopstart: whether to stop, start or restart a service
++    :type stopstart: booleean
++    :param restart_functions: nonstandard functions to use to restart services
++                              {svc: func, ...}
++    :type restart_functions: Dict[str, Callable[[str], None]]
++    :param can_restart_now_f: A function used to check if the restart is
++                              permitted.
++    :type can_restart_now_f: Callable[[str, List[str]], boolean]
++    :param post_svc_restart_f: A function run after a service has
++                               restarted.
++    :type post_svc_restart_f: Callable[[str], None]
++    :param pre_restarts_wait_f: A function called before any restarts.
++    :type pre_restarts_wait_f: Callable[None, None]
++    :returns: result of lambda_f()
++    :rtype: ANY
++    """
++    checksums = _pre_restart_on_change_helper(restart_map)
++    r = lambda_f()
++    _post_restart_on_change_helper(checksums,
++                                   restart_map,
++                                   stopstart,
++                                   restart_functions,
++                                   can_restart_now_f,
++                                   post_svc_restart_f,
++                                   pre_restarts_wait_f)
++    return r
++
++
++def _pre_restart_on_change_helper(restart_map):
++    """Take a snapshot of file hashes.
++
++    :param restart_map: {file: [service, ...]}
++    :type restart_map: Dict[str, List[str,]]
++    :returns: Dictionary of file paths and the files checksum.
++    :rtype: Dict[str, str]
++    """
++    return {path: path_hash(path) for path in restart_map}
++
++
++def _post_restart_on_change_helper(checksums,
++                                   restart_map,
++                                   stopstart=False,
++                                   restart_functions=None,
++                                   can_restart_now_f=None,
++                                   post_svc_restart_f=None,
++                                   pre_restarts_wait_f=None):
++    """Check whether files have changed.
++
++    :param checksums: Dictionary of file paths and the files checksum.
++    :type checksums: Dict[str, str]
++    :param restart_map: {file: [service, ...]}
++    :type restart_map: Dict[str, List[str,]]
++    :param stopstart: whether to stop, start or restart a service
++    :type stopstart: booleean
++    :param restart_functions: nonstandard functions to use to restart services
++                              {svc: func, ...}
++    :type restart_functions: Dict[str, Callable[[str], None]]
++    :param can_restart_now_f: A function used to check if the restart is
++                              permitted.
++    :type can_restart_now_f: Callable[[str, List[str]], boolean]
++    :param post_svc_restart_f: A function run after a service has
++                               restarted.
++    :type post_svc_restart_f: Callable[[str], None]
++    :param pre_restarts_wait_f: A function called before any restarts.
++    :type pre_restarts_wait_f: Callable[None, None]
      """
      if restart_functions is None:
          restart_functions = {}
--    checksums = {path: path_hash(path) for path in restart_map}
--    r = lambda_f()
++    changed_files = defaultdict(list)
++    restarts = []
      # create a list of lists of the services to restart
--    restarts = [restart_map[path]
--                for path in restart_map
--                if path_hash(path) != checksums[path]]
++    for path, services in restart_map.items():
++        if path_hash(path) != checksums[path]:
++            restarts.append(services)
++            for svc in services:
++                changed_files[svc].append(path)
      # create a flat list of ordered services without duplicates from lists
      services_list = list(OrderedDict.fromkeys(itertools.chain(*restarts)))
      if services_list:
++        if pre_restarts_wait_f:
++            pre_restarts_wait_f()
          actions = ('stop', 'start') if stopstart else ('restart',)
          for service_name in services_list:
++            if can_restart_now_f:
++                if not can_restart_now_f(service_name,
++                                         changed_files[service_name]):
++                    continue
              if service_name in restart_functions:
                  restart_functions[service_name](service_name)
              else:
                  for action in actions:
                      service(action, service_name)
--    return r
++            if post_svc_restart_f:
++                post_svc_restart_f(service_name)
  def pwgen(length=None):
--    """Generate a random pasword."""
++    """Generate a random password."""
      if length is None:
          # A random length is ok to use a weak PRNG
          length = random.choice(range(35, 45))
@@ -554,7 +954,7 @@
      random_generator = random.SystemRandom()
      random_chars = [
          random_generator.choice(alphanumeric_chars) for _ in range(length)]
--    return(''.join(random_chars))
++    return ''.join(random_chars)
  def is_phy_iface(interface):
@@ -595,7 +995,7 @@
  def list_nics(nic_type=None):
      """Return a list of nics of given type(s)"""
--    if isinstance(nic_type, six.string_types):
++    if isinstance(nic_type, str):
          int_types = [nic_type]
      else:
          int_types = nic_type
@@ -604,7 +1004,8 @@
      if nic_type:
          for int_type in int_types:
              cmd = ['ip', 'addr', 'show', 'label', int_type + '*']
--            ip_output = subprocess.check_output(cmd).decode('UTF-8')
++            ip_output = subprocess.check_output(
++                cmd).decode('UTF-8', errors='replace')
              ip_output = ip_output.split('\n')
              ip_output = (line for line in ip_output if line)
              for line in ip_output:
@@ -620,10 +1021,11 @@
                          interfaces.append(iface)
      else:
          cmd = ['ip', 'a']
--        ip_output = subprocess.check_output(cmd).decode('UTF-8').split('\n')
++        ip_output = subprocess.check_output(
++            cmd).decode('UTF-8', errors='replace').split('\n')
          ip_output = (line.strip() for line in ip_output if line)
--        key = re.compile('^[0-9]+:\s+(.+):')
++        key = re.compile(r'^[0-9]+:\s+(.+):')
          for line in ip_output:
              matched = re.search(key, line)
              if matched:
@@ -644,7 +1046,8 @@
  def get_nic_mtu(nic):
      """Return the Maximum Transmission Unit (MTU) for a network interface."""
      cmd = ['ip', 'addr', 'show', nic]
--    ip_output = subprocess.check_output(cmd).decode('UTF-8').split('\n')
++    ip_output = subprocess.check_output(
++        cmd).decode('UTF-8', errors='replace').split('\n')
      mtu = ""
      for line in ip_output:
          words = line.split()
@@ -656,7 +1059,7 @@
  def get_nic_hwaddr(nic):
      """Return the Media Access Control (MAC) for a network interface."""
      cmd = ['ip', '-o', '-0', 'addr', 'show', nic]
--    ip_output = subprocess.check_output(cmd).decode('UTF-8')
++    ip_output = subprocess.check_output(cmd).decode('UTF-8', errors='replace')
      hwaddr = ""
      words = ip_output.split()
      if 'link/ether' in words:
@@ -668,7 +1071,7 @@
  def chdir(directory):
      """Change the current working directory to a different directory for a code
      block and return the previous directory after the block exits. Useful to
--    run commands from a specificed directory.
++    run commands from a specified directory.
      :param str directory: The directory path to change to for this context.
      """
@@ -703,9 +1106,12 @@
      for root, dirs, files in os.walk(path, followlinks=follow_links):
          for name in dirs + files:
              full = os.path.join(root, name)
--            broken_symlink = os.path.lexists(full) and not os.path.exists(full)
--            if not broken_symlink:
++            try:
                  chown(full, uid, gid)
++            except (IOError, OSError) as e:
++                # Intended to ignore "file not found".
++                if e.errno == errno.ENOENT:
++                    pass
  def lchownr(path, owner, group):
@@ -720,6 +1126,20 @@
      chownr(path, owner, group, follow_links=False)
++def owner(path):
++    """Returns a tuple containing the username & groupname owning the path.
++
++    :param str path: the string path to retrieve the ownership
++    :return tuple(str, str): A (username, groupname) tuple containing the
++                             name of the user and group owning the path.
++    :raises OSError: if the specified path does not exist
++    """
++    stat = os.stat(path)
++    username = pwd.getpwuid(stat.st_uid)[0]
++    groupname = grp.getgrgid(stat.st_gid)[0]
++    return username, groupname
++
++
  def get_total_ram():
      """The total amount of system RAM in bytes.
@@ -751,3 +1171,136 @@
      else:
          # Detect using upstart container file marker
          return os.path.exists(UPSTART_CONTAINER_TYPE)
++
++
++def add_to_updatedb_prunepath(path, updatedb_path=UPDATEDB_PATH):
++    """Adds the specified path to the mlocate's udpatedb.conf PRUNEPATH list.
++
++    This method has no effect if the path specified by updatedb_path does not
++    exist or is not a file.
++
++    @param path: string the path to add to the updatedb.conf PRUNEPATHS value
++    @param updatedb_path: the path the updatedb.conf file
++    """
++    if not os.path.exists(updatedb_path) or os.path.isdir(updatedb_path):
++        # If the updatedb.conf file doesn't exist then don't attempt to update
++        # the file as the package providing mlocate may not be installed on
++        # the local system
++        return
++
++    with open(updatedb_path, 'r+') as f_id:
++        updatedb_text = f_id.read()
++        output = updatedb(updatedb_text, path)
++        f_id.seek(0)
++        f_id.write(output)
++        f_id.truncate()
++
++
++def updatedb(updatedb_text, new_path):
++    lines = [line for line in updatedb_text.split("\n")]
++    for i, line in enumerate(lines):
++        if line.startswith("PRUNEPATHS="):
++            paths_line = line.split("=")[1].replace('"', '')
++            paths = paths_line.split(" ")
++            if new_path not in paths:
++                paths.append(new_path)
++                lines[i] = 'PRUNEPATHS="{}"'.format(' '.join(paths))
++    output = "\n".join(lines)
++    return output
++
++
++def modulo_distribution(modulo=3, wait=30, non_zero_wait=False):
++    """ Modulo distribution
++
++    This helper uses the unit number, a modulo value and a constant wait time
++    to produce a calculated wait time distribution. This is useful in large
++    scale deployments to distribute load during an expensive operation such as
++    service restarts.
++
++    If you have 1000 nodes that need to restart 100 at a time 1 minute at a
++    time:
++
++      time.wait(modulo_distribution(modulo=100, wait=60))
++      restart()
++
++    If you need restarts to happen serially set modulo to the exact number of
++    nodes and set a high constant wait time:
++
++      time.wait(modulo_distribution(modulo=10, wait=120))
++      restart()
++
++    @param modulo: int The modulo number creates the group distribution
++    @param wait: int The constant time wait value
++    @param non_zero_wait: boolean Override unit % modulo == 0,
++                          return modulo * wait. Used to avoid collisions with
++                          leader nodes which are often given priority.
++    @return: int Calculated time to wait for unit operation
++    """
++    unit_number = int(local_unit().split('/')[1])
++    calculated_wait_time = (unit_number % modulo) * wait
++    if non_zero_wait and calculated_wait_time == 0:
++        return modulo * wait
++    else:
++        return calculated_wait_time
++
++
++def ca_cert_absolute_path(basename_without_extension):
++    """Returns absolute path to CA certificate.
++
++    :param basename_without_extension: Filename without extension
++    :type basename_without_extension: str
++    :returns: Absolute full path
++    :rtype: str
++    """
++    return '{}/{}.crt'.format(CA_CERT_DIR, basename_without_extension)
++
++
++def install_ca_cert(ca_cert, name=None):
++    """
++    Install the given cert as a trusted CA.
++
++    The ``name`` is the stem of the filename where the cert is written, and if
++    not provided, it will default to ``juju-{charm_name}``.
++
++    If the cert is empty or None, or is unchanged, nothing is done.
++    """
++    if not ca_cert:
++        return
++    if not isinstance(ca_cert, bytes):
++        ca_cert = ca_cert.encode('utf8')
++    if not name:
++        name = 'juju-{}'.format(charm_name())
++    cert_file = ca_cert_absolute_path(name)
++    new_hash = hashlib.md5(ca_cert).hexdigest()
++    if file_hash(cert_file) == new_hash:
++        return
++    log("Installing new CA cert at: {}".format(cert_file), level=INFO)
++    write_file(cert_file, ca_cert)
++    subprocess.check_call(['update-ca-certificates', '--fresh'])
++
++
++def get_system_env(key, default=None):
++    """Get data from system environment as represented in ``/etc/environment``.
++
++    :param key: Key to look up
++    :type key: str
++    :param default: Value to return if key is not found
++    :type default: any
++    :returns: Value for key if found or contents of default parameter
++    :rtype: any
++    :raises: subprocess.CalledProcessError
++    """
++    env_file = '/etc/environment'
++    # use the shell and env(1) to parse the global environments file.  This is
++    # done to get the correct result even if the user has shell variable
++    # substitutions or other shell logic in that file.
++    output = subprocess.check_output(
++        ['env', '-i', '/bin/bash', '-c',
++         'set -a && source {} && env'.format(env_file)],
++        universal_newlines=True)
++    for k, v in (line.split('=', 1)
++                 for line in output.splitlines() if '=' in line):
++        if k == key:
++            return v
++    else:
++        return default
 === modified file 'hooks/charmhelpers/core/host_factory/centos.py'
 --- hooks/charmhelpers/core/host_factory/centos.py	2016-12-20 20:15:28 +0000
 +++ hooks/charmhelpers/core/host_factory/centos.py	2023-06-30 13:58:42 +0000
@@ -2,6 +2,22 @@
  import yum
  import os
++from charmhelpers.core.strutils import BasicStringComparator
++
++
++class CompareHostReleases(BasicStringComparator):
++    """Provide comparisons of Host releases.
++
++    Use in the form of
++
++    if CompareHostReleases(release) > 'trusty':
++        # do something with mitaka
++    """
++
++    def __init__(self, item):
++        raise NotImplementedError(
++            "CompareHostReleases() is not implemented for CentOS")
++
  def service_available(service_name):
      # """Determine whether a system service is available."""
 === modified file 'hooks/charmhelpers/core/host_factory/ubuntu.py'
 --- hooks/charmhelpers/core/host_factory/ubuntu.py	2016-12-20 20:15:28 +0000
 +++ hooks/charmhelpers/core/host_factory/ubuntu.py	2023-06-30 13:58:42 +0000
@@ -1,5 +1,50 @@
  import subprocess
++from charmhelpers.core.hookenv import cached
++from charmhelpers.core.strutils import BasicStringComparator
++
++
++UBUNTU_RELEASES = (
++    'lucid',
++    'maverick',
++    'natty',
++    'oneiric',
++    'precise',
++    'quantal',
++    'raring',
++    'saucy',
++    'trusty',
++    'utopic',
++    'vivid',
++    'wily',
++    'xenial',
++    'yakkety',
++    'zesty',
++    'artful',
++    'bionic',
++    'cosmic',
++    'disco',
++    'eoan',
++    'focal',
++    'groovy',
++    'hirsute',
++    'impish',
++    'jammy',
++    'kinetic',
++    'lunar',
++)
++
++
++class CompareHostReleases(BasicStringComparator):
++    """Provide comparisons of Ubuntu releases.
++
++    Use in the form of
++
++    if CompareHostReleases(release) > 'trusty':
++        # do something with mitaka
++    """
++    _list = UBUNTU_RELEASES
++
  def service_available(service_name):
      """Determine whether a system service is available"""
@@ -37,6 +82,14 @@
      return d
++def get_distrib_codename():
++    """Return the codename of the distribution
++    :returns: The codename
++    :rtype: str
++    """
++    return lsb_release()['DISTRIB_CODENAME'].lower()
++
++
  def cmp_pkgrevno(package, revno, pkgcache=None):
      """Compare supplied revno with the revno of the installed package.
@@ -48,9 +101,24 @@
      the pkgcache argument is None. Be sure to add charmhelpers.fetch if
      you call this function, or pass an apt_pkg.Cache() instance.
      """
--    import apt_pkg
++    from charmhelpers.fetch import apt_pkg, get_installed_version
      if not pkgcache:
--        from charmhelpers.fetch import apt_cache
--        pkgcache = apt_cache()
--    pkg = pkgcache[package]
--    return apt_pkg.version_compare(pkg.current_ver.ver_str, revno)
++        current_ver = get_installed_version(package)
++    else:
++        pkg = pkgcache[package]
++        current_ver = pkg.current_ver
++
++    return apt_pkg.version_compare(current_ver.ver_str, revno)
++
++
++@cached
++def arch():
++    """Return the package architecture as a string.
++
++    :returns: the architecture
++    :rtype: str
++    :raises: subprocess.CalledProcessError if dpkg command fails
++    """
++    return subprocess.check_output(
++        ['dpkg', '--print-architecture']
++    ).rstrip().decode('UTF-8')
 === modified file 'hooks/charmhelpers/core/kernel.py'
 --- hooks/charmhelpers/core/kernel.py	2016-12-20 20:15:28 +0000
 +++ hooks/charmhelpers/core/kernel.py	2023-06-30 13:58:42 +0000
@@ -26,12 +26,12 @@
  __platform__ = get_platform()
  if __platform__ == "ubuntu":
--    from charmhelpers.core.kernel_factory.ubuntu import (
++    from charmhelpers.core.kernel_factory.ubuntu import (  # NOQA:F401
          persistent_modprobe,
          update_initramfs,
      )  # flake8: noqa -- ignore F401 for this import
  elif __platform__ == "centos":
--    from charmhelpers.core.kernel_factory.centos import (
++    from charmhelpers.core.kernel_factory.centos import (  # NOQA:F401
          persistent_modprobe,
          update_initramfs,
      )  # flake8: noqa -- ignore F401 for this import
 === modified file 'hooks/charmhelpers/core/services/base.py'
 --- hooks/charmhelpers/core/services/base.py	2016-12-20 14:35:00 +0000
 +++ hooks/charmhelpers/core/services/base.py	2023-06-30 13:58:42 +0000
@@ -14,8 +14,9 @@
  import os
  import json
--from inspect import getargspec
--from collections import Iterable, OrderedDict
++import inspect
++from collections import OrderedDict
++from collections.abc import Iterable
  from charmhelpers.core import host
  from charmhelpers.core import hookenv
@@ -169,7 +170,7 @@
                      if not units:
                          continue
                      remote_service = units[0].split('/')[0]
--                    argspec = getargspec(provider.provide_data)
++                    argspec = inspect.getfullargspec(provider.provide_data)
                      if len(argspec.args) > 1:
                          data = provider.provide_data(remote_service, service_ready)
                      else:
@@ -307,23 +308,34 @@
      """
      def __call__(self, manager, service_name, event_name):
          service = manager.get_service(service_name)
--        new_ports = service.get('ports', [])
++        # turn this generator into a list,
++        # as we'll be going over it multiple times
++        new_ports = list(service.get('ports', []))
          port_file = os.path.join(hookenv.charm_dir(), '.{}.ports'.format(service_name))
          if os.path.exists(port_file):
              with open(port_file) as fp:
                  old_ports = fp.read().split(',')
              for old_port in old_ports:
--                if bool(old_port):
--                    old_port = int(old_port)
--                    if old_port not in new_ports:
--                        hookenv.close_port(old_port)
++                if bool(old_port) and not self.ports_contains(old_port, new_ports):
++                    hookenv.close_port(old_port)
          with open(port_file, 'w') as fp:
              fp.write(','.join(str(port) for port in new_ports))
          for port in new_ports:
++            # A port is either a number or 'ICMP'
++            protocol = 'TCP'
++            if str(port).upper() == 'ICMP':
++                protocol = 'ICMP'
              if event_name == 'start':
--                hookenv.open_port(port)
++                hookenv.open_port(port, protocol)
              elif event_name == 'stop':
--                hookenv.close_port(port)
++                hookenv.close_port(port, protocol)
++
++    def ports_contains(self, port, ports):
++        if not bool(port):
++            return False
++        if str(port).upper() != 'ICMP':
++            port = int(port)
++        return port in ports
  def service_stop(service_name):
 === modified file 'hooks/charmhelpers/core/services/helpers.py'
 --- hooks/charmhelpers/core/services/helpers.py	2016-12-20 14:35:00 +0000
 +++ hooks/charmhelpers/core/services/helpers.py	2023-06-30 13:58:42 +0000
@@ -179,7 +179,7 @@
          self.required_options = args
          self['config'] = hookenv.config()
          with open(os.path.join(hookenv.charm_dir(), 'config.yaml')) as fp:
--            self.config = yaml.load(fp).get('options', {})
++            self.config = yaml.safe_load(fp).get('options', {})
      def __bool__(self):
          for option in self.required_options:
@@ -227,7 +227,7 @@
          if not os.path.isabs(file_name):
              file_name = os.path.join(hookenv.charm_dir(), file_name)
          with open(file_name, 'r') as file_stream:
--            data = yaml.load(file_stream)
++            data = yaml.safe_load(file_stream)
              if not data:
                  raise OSError("%s is empty" % file_name)
              return data
 === modified file 'hooks/charmhelpers/core/strutils.py'
 --- hooks/charmhelpers/core/strutils.py	2016-12-20 14:35:00 +0000
 +++ hooks/charmhelpers/core/strutils.py	2023-06-30 13:58:42 +0000
@@ -15,26 +15,28 @@
  # See the License for the specific language governing permissions and
  # limitations under the License.
--import six
  import re
--
--def bool_from_string(value):
++TRUTHY_STRINGS = {'y', 'yes', 'true', 't', 'on'}
++FALSEY_STRINGS = {'n', 'no', 'false', 'f', 'off'}
++
++
++def bool_from_string(value, truthy_strings=TRUTHY_STRINGS, falsey_strings=FALSEY_STRINGS, assume_false=False):
      """Interpret string value as boolean.
      Returns True if value translates to True otherwise False.
      """
--    if isinstance(value, six.string_types):
--        value = six.text_type(value)
++    if isinstance(value, str):
++        value = str(value)
      else:
          msg = "Unable to interpret non-string value '%s' as boolean" % (value)
          raise ValueError(msg)
      value = value.strip().lower()
--    if value in ['y', 'yes', 'true', 't', 'on']:
++    if value in truthy_strings:
          return True
--    elif value in ['n', 'no', 'false', 'f', 'off']:
++    elif value in falsey_strings or assume_false:
          return False
      msg = "Unable to interpret string value '%s' as boolean" % (value)
@@ -58,13 +60,72 @@
          'P': 5,
          'PB': 5,
+     }
--    if isinstance(value, six.string_types):
--        value = six.text_type(value)
++    if isinstance(value, str):
++        value = str(value)
      else:
--        msg = "Unable to interpret non-string value '%s' as boolean" % (value)
++        msg = "Unable to interpret non-string value '%s' as bytes" % (value)
          raise ValueError(msg)
      matches = re.match("([0-9]+)([a-zA-Z]+)", value)
--    if not matches:
--        msg = "Unable to interpret string value '%s' as bytes" % (value)
--        raise ValueError(msg)
--    return int(matches.group(1)) * (1024 ** BYTE_POWER[matches.group(2)])
++    if matches:
++        size = int(matches.group(1)) * (1024 ** BYTE_POWER[matches.group(2)])
++    else:
++        # Assume that value passed in is bytes
++        try:
++            size = int(value)
++        except ValueError:
++            msg = "Unable to interpret string value '%s' as bytes" % (value)
++            raise ValueError(msg)
++    return size
++
++
++class BasicStringComparator(object):
++    """Provides a class that will compare strings from an iterator type object.
++    Used to provide > and < comparisons on strings that may not necessarily be
++    alphanumerically ordered.  e.g. OpenStack or Ubuntu releases AFTER the
++    z-wrap.
++    """
++
++    _list = None
++
++    def __init__(self, item):
++        if self._list is None:
++            raise Exception("Must define the _list in the class definition!")
++        try:
++            self.index = self._list.index(item)
++        except Exception:
++            raise KeyError("Item '{}' is not in list '{}'"
++                           .format(item, self._list))
++
++    def __eq__(self, other):
++        assert isinstance(other, str) or isinstance(other, self.__class__)
++        return self.index == self._list.index(other)
++
++    def __ne__(self, other):
++        return not self.__eq__(other)
++
++    def __lt__(self, other):
++        assert isinstance(other, str) or isinstance(other, self.__class__)
++        return self.index < self._list.index(other)
++
++    def __ge__(self, other):
++        return not self.__lt__(other)
++
++    def __gt__(self, other):
++        assert isinstance(other, str) or isinstance(other, self.__class__)
++        return self.index > self._list.index(other)
++
++    def __le__(self, other):
++        return not self.__gt__(other)
++
++    def __str__(self):
++        """Always give back the item at the index so it can be used in
++        comparisons like:
++
++        s_mitaka = CompareOpenStack('mitaka')
++        s_newton = CompareOpenstack('newton')
++
++        assert s_newton > s_mitaka
++
++        @returns: <string>
++        """
++        return self._list[self.index]
 === modified file 'hooks/charmhelpers/core/sysctl.py'
 --- hooks/charmhelpers/core/sysctl.py	2016-12-20 14:35:00 +0000
 +++ hooks/charmhelpers/core/sysctl.py	2023-06-30 13:58:42 +0000
@@ -17,38 +17,59 @@
  import yaml
--from subprocess import check_call
++from subprocess import check_call, CalledProcessError
  from charmhelpers.core.hookenv import (
      log,
      DEBUG,
      ERROR,
++    WARNING,
+ )
++from charmhelpers.core.host import is_container
++
  __author__ = 'Jorge Niedbalski R. <jorge.niedbalski@canonical.com>'
--def create(sysctl_dict, sysctl_file):
++def create(sysctl_dict, sysctl_file, ignore=False):
      """Creates a sysctl.conf file from a YAML associative array
--    :param sysctl_dict: a YAML-formatted string of sysctl options eg "{ 'kernel.max_pid': 1337 }"
++    :param sysctl_dict: a dict or YAML-formatted string of sysctl
++                        options eg "{ 'kernel.max_pid': 1337 }"
      :type sysctl_dict: str
      :param sysctl_file: path to the sysctl file to be saved
      :type sysctl_file: str or unicode
++    :param ignore: If True, ignore "unknown variable" errors.
++    :type ignore: bool
      :returns: None
      """
--    try:
--        sysctl_dict_parsed = yaml.safe_load(sysctl_dict)
--    except yaml.YAMLError:
--        log("Error parsing YAML sysctl_dict: {}".format(sysctl_dict),
--            level=ERROR)
--        return
++    if type(sysctl_dict) is not dict:
++        try:
++            sysctl_dict_parsed = yaml.safe_load(sysctl_dict)
++        except yaml.YAMLError:
++            log("Error parsing YAML sysctl_dict: {}".format(sysctl_dict),
++                level=ERROR)
++            return
++    else:
++        sysctl_dict_parsed = sysctl_dict
      with open(sysctl_file, "w") as fd:
          for key, value in sysctl_dict_parsed.items():
              fd.write("{}={}\n".format(key, value))
--    log("Updating sysctl_file: %s values: %s" % (sysctl_file, sysctl_dict_parsed),
++    log("Updating sysctl_file: {} values: {}".format(sysctl_file,
++                                                     sysctl_dict_parsed),
          level=DEBUG)
--    check_call(["sysctl", "-p", sysctl_file])
++    call = ["sysctl", "-p", sysctl_file]
++    if ignore:
++        call.append("-e")
++
++    try:
++        check_call(call)
++    except CalledProcessError as e:
++        if is_container():
++            log("Error setting some sysctl keys in this container: {}".format(e.output),
++                level=WARNING)
++        else:
++            raise e
 === modified file 'hooks/charmhelpers/core/templating.py'
 --- hooks/charmhelpers/core/templating.py	2016-12-20 14:35:00 +0000
 +++ hooks/charmhelpers/core/templating.py	2023-06-30 13:58:42 +0000
@@ -13,14 +13,14 @@
  # limitations under the License.
  import os
--import sys
  from charmhelpers.core import host
  from charmhelpers.core import hookenv
  def render(source, target, context, owner='root', group='root',
--           perms=0o444, templates_dir=None, encoding='UTF-8', template_loader=None):
++           perms=0o444, templates_dir=None, encoding='UTF-8',
++           template_loader=None, config_template=None):
      """
      Render a template.
@@ -32,6 +32,9 @@
      The context should be a dict containing the values to be replaced in the
      template.
++    config_template may be provided to render from a provided template instead
++    of loading from a file.
++
      The `owner`, `group`, and `perms` options will be passed to `write_file`.
      If omitted, `templates_dir` defaults to the `templates` folder in the charm.
@@ -39,9 +42,8 @@
      The rendered template will be written to the file as well as being returned
      as a string.
--    Note: Using this requires python-jinja2 or python3-jinja2; if it is not
--    installed, calling this will attempt to use charmhelpers.fetch.apt_install
--    to install it.
++    Note: Using this requires python3-jinja2; if it is not installed, calling
++    this will attempt to use charmhelpers.fetch.apt_install to install it.
      """
      try:
          from jinja2 import FileSystemLoader, Environment, exceptions
@@ -53,10 +55,7 @@
                          'charmhelpers.fetch to install it',
                          level=hookenv.ERROR)
              raise
--        if sys.version_info.major == 2:
--            apt_install('python-jinja2', fatal=True)
--        else:
--            apt_install('python3-jinja2', fatal=True)
++        apt_install('python3-jinja2', fatal=True)
          from jinja2 import FileSystemLoader, Environment, exceptions
      if template_loader:
@@ -65,14 +64,19 @@
          if templates_dir is None:
              templates_dir = os.path.join(hookenv.charm_dir(), 'templates')
          template_env = Environment(loader=FileSystemLoader(templates_dir))
--    try:
--        source = source
--        template = template_env.get_template(source)
--    except exceptions.TemplateNotFound as e:
--        hookenv.log('Could not load template %s from %s.' %
--                    (source, templates_dir),
--                    level=hookenv.ERROR)
--        raise e
++
++    # load from a string if provided explicitly
++    if config_template is not None:
++        template = template_env.from_string(config_template)
++    else:
++        try:
++            source = source
++            template = template_env.get_template(source)
++        except exceptions.TemplateNotFound as e:
++            hookenv.log('Could not load template %s from %s.' %
++                        (source, templates_dir),
++                        level=hookenv.ERROR)
++            raise e
      content = template.render(context)
      if target is not None:
          target_dir = os.path.dirname(target)
 === modified file 'hooks/charmhelpers/core/unitdata.py'
 --- hooks/charmhelpers/core/unitdata.py	2016-12-20 14:35:00 +0000
 +++ hooks/charmhelpers/core/unitdata.py	2023-06-30 13:58:42 +0000
@@ -1,7 +1,7 @@
  #!/usr/bin/env python
  # -*- coding: utf-8 -*-
+ #
--# Copyright 2014-2015 Canonical Limited.
++# Copyright 2014-2021 Canonical Limited.
+ #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
@@ -61,7 +61,7 @@
                       'previous value', prev,
                       'current value',  cur)
--           # Get some unit specific bookeeping
++           # Get some unit specific bookkeeping
             if not db.get('pkg_key'):
                 key = urllib.urlopen('https://example.com/pkg_key').read()
                 db.set('pkg_key', key)
@@ -166,15 +166,23 @@
      To support dicts, lists, integer, floats, and booleans values
      are automatically json encoded/decoded.
++
++    Note: to facilitate unit testing, ':memory:' can be passed as the
++    path parameter which causes sqlite3 to only build the db in memory.
++    This should only be used for testing purposes.
      """
--    def __init__(self, path=None):
++    def __init__(self, path=None, keep_revisions=False):
          self.db_path = path
++        self.keep_revisions = keep_revisions
          if path is None:
              if 'UNIT_STATE_DB' in os.environ:
                  self.db_path = os.environ['UNIT_STATE_DB']
              else:
                  self.db_path = os.path.join(
                      os.environ.get('CHARM_DIR', ''), '.unit-state.db')
++        if self.db_path != ':memory:':
++            with open(self.db_path, 'a') as f:
++                os.fchmod(f.fileno(), 0o600)
          self.conn = sqlite3.connect('%s' % self.db_path)
          self.cursor = self.conn.cursor()
          self.revision = None
@@ -235,7 +243,7 @@
          Remove a key from the database entirely.
          """
          self.cursor.execute('delete from kv where key=?', [key])
--        if self.revision and self.cursor.rowcount:
++        if self.keep_revisions and self.revision and self.cursor.rowcount:
              self.cursor.execute(
                  'insert into kv_revisions values (?, ?, ?)',
                  [key, self.revision, json.dumps('DELETED')])
@@ -252,14 +260,14 @@
          if keys is not None:
              keys = ['%s%s' % (prefix, key) for key in keys]
              self.cursor.execute('delete from kv where key in (%s)' % ','.join(['?'] * len(keys)), keys)
--            if self.revision and self.cursor.rowcount:
++            if self.keep_revisions and self.revision and self.cursor.rowcount:
                  self.cursor.execute(
                      'insert into kv_revisions values %s' % ','.join(['(?, ?, ?)'] * len(keys)),
                      list(itertools.chain.from_iterable((key, self.revision, json.dumps('DELETED')) for key in keys)))
          else:
              self.cursor.execute('delete from kv where key like ?',
                                  ['%s%%' % prefix])
--            if self.revision and self.cursor.rowcount:
++            if self.keep_revisions and self.revision and self.cursor.rowcount:
                  self.cursor.execute(
                      'insert into kv_revisions values (?, ?, ?)',
                      ['%s%%' % prefix, self.revision, json.dumps('DELETED')])
@@ -292,7 +300,7 @@
              where key = ?''', [serialized, key])
          # Save
--        if not self.revision:
++        if (not self.keep_revisions) or (not self.revision):
              return value
          self.cursor.execute(
@@ -358,7 +366,7 @@
          try:
              yield self.revision
              self.revision = None
--        except:
++        except Exception:
              self.flush(False)
              self.revision = None
              raise
@@ -442,7 +450,7 @@
                       'previous value', prev,
                       'current value',  cur)
--           # Get some unit specific bookeeping
++           # Get some unit specific bookkeeping
             if not db.get('pkg_key'):
                 key = urllib.urlopen('https://example.com/pkg_key').read()
                 db.set('pkg_key', key)
 === modified file 'hooks/charmhelpers/fetch/__init__.py'
 --- hooks/charmhelpers/fetch/__init__.py	2016-12-20 14:35:00 +0000
 +++ hooks/charmhelpers/fetch/__init__.py	2023-06-30 13:58:42 +0000
@@ -1,4 +1,4 @@
--# Copyright 2014-2015 Canonical Limited.
++# Copyright 2014-2021 Canonical Limited.
+ #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
@@ -20,11 +20,7 @@
      log,
+ )
--import six
--if six.PY3:
--    from urllib.parse import urlparse, urlunparse
--else:
--    from urlparse import urlparse, urlunparse
++from urllib.parse import urlparse, urlunparse
  # The order of this list is very important. Handlers should be listed in from
@@ -48,6 +44,13 @@
      pass
++class GPGKeyError(Exception):
++    """Exception occurs when a GPG key cannot be fetched or used.  The message
++    indicates what the problem is.
++    """
++    pass
++
++
  class BaseFetchHandler(object):
      """Base class for FetchHandler implementations in fetch plugins"""
@@ -77,22 +80,30 @@
  fetch = importlib.import_module(module)
  filter_installed_packages = fetch.filter_installed_packages
--install = fetch.install
--upgrade = fetch.upgrade
--update = fetch.update
--purge = fetch.purge
++filter_missing_packages = fetch.filter_missing_packages
++install = fetch.apt_install
++upgrade = fetch.apt_upgrade
++update = _fetch_update = fetch.apt_update
++purge = fetch.apt_purge
  add_source = fetch.add_source
  if __platform__ == "ubuntu":
      apt_cache = fetch.apt_cache
--    apt_install = fetch.install
--    apt_update = fetch.update
--    apt_upgrade = fetch.upgrade
--    apt_purge = fetch.purge
++    apt_install = fetch.apt_install
++    apt_update = fetch.apt_update
++    apt_upgrade = fetch.apt_upgrade
++    apt_purge = fetch.apt_purge
++    apt_autoremove = fetch.apt_autoremove
      apt_mark = fetch.apt_mark
      apt_hold = fetch.apt_hold
      apt_unhold = fetch.apt_unhold
++    import_key = fetch.import_key
      get_upstream_version = fetch.get_upstream_version
++    apt_pkg = fetch.ubuntu_apt_pkg
++    get_apt_dpkg_env = fetch.get_apt_dpkg_env
++    get_installed_version = fetch.get_installed_version
++    OPENSTACK_RELEASES = fetch.OPENSTACK_RELEASES
++    UBUNTU_OPENSTACK_RELEASE = fetch.UBUNTU_OPENSTACK_RELEASE
  elif __platform__ == "centos":
      yum_search = fetch.yum_search
@@ -119,14 +130,14 @@
      sources = safe_load((config(sources_var) or '').strip()) or []
      keys = safe_load((config(keys_var) or '').strip()) or None
--    if isinstance(sources, six.string_types):
++    if isinstance(sources, str):
          sources = [sources]
      if keys is None:
          for source in sources:
              add_source(source, None)
      else:
--        if isinstance(keys, six.string_types):
++        if isinstance(keys, str):
              keys = [keys]
          if len(sources) != len(keys):
@@ -135,7 +146,7 @@
          for source, key in zip(sources, keys):
              add_source(source, key)
      if update:
--        fetch.update(fatal=True)
++        _fetch_update(fatal=True)
  def install_remote(source, *args, **kwargs):
@@ -190,7 +201,7 @@
                  classname)
              plugin_list.append(handler_class())
          except NotImplementedError:
--            # Skip missing plugins so that they can be ommitted from
++            # Skip missing plugins so that they can be omitted from
              # installation if desired
              log("FetchHandler {} not found, skipping plugin".format(
                  handler_name))
 === modified file 'hooks/charmhelpers/fetch/archiveurl.py'
 --- hooks/charmhelpers/fetch/archiveurl.py	2016-12-20 14:35:00 +0000
 +++ hooks/charmhelpers/fetch/archiveurl.py	2023-06-30 13:58:42 +0000
@@ -12,6 +12,7 @@
  # See the License for the specific language governing permissions and
  # limitations under the License.
++import contextlib
  import os
  import hashlib
  import re
@@ -24,28 +25,21 @@
      get_archive_handler,
      extract,
+ )
++from charmhelpers.core.hookenv import (
++    env_proxy_settings,
++)
  from charmhelpers.core.host import mkdir, check_hash
--import six
--if six.PY3:
--    from urllib.request import (
--        build_opener, install_opener, urlopen, urlretrieve,
--        HTTPPasswordMgrWithDefaultRealm, HTTPBasicAuthHandler,
--    )
--    from urllib.parse import urlparse, urlunparse, parse_qs
--    from urllib.error import URLError
--else:
--    from urllib import urlretrieve
--    from urllib2 import (
--        build_opener, install_opener, urlopen,
--        HTTPPasswordMgrWithDefaultRealm, HTTPBasicAuthHandler,
--        URLError
--    )
--    from urlparse import urlparse, urlunparse, parse_qs
++from urllib.request import (
++    build_opener, install_opener, urlopen, urlretrieve,
++    HTTPPasswordMgrWithDefaultRealm, HTTPBasicAuthHandler,
++    ProxyHandler
++)
++from urllib.parse import urlparse, urlunparse, parse_qs
++from urllib.error import URLError
  def splituser(host):
--    '''urllib.splituser(), but six's support of this seems broken'''
      _userprog = re.compile('^(.*)@(.*)$')
      match = _userprog.match(host)
      if match:
@@ -54,7 +48,6 @@
  def splitpasswd(user):
--    '''urllib.splitpasswd(), but six's support of this is missing'''
      _passwdprog = re.compile('^([^:]*):(.*)$', re.S)
      match = _passwdprog.match(user)
      if match:
@@ -62,6 +55,20 @@
      return user, None
++@contextlib.contextmanager
++def proxy_env():
++    """
++    Creates a context which temporarily modifies the proxy settings in os.environ.
++    """
++    restore = {**os.environ}  # Copy the current os.environ
++    juju_proxies = env_proxy_settings() or {}
++    os.environ.update(**juju_proxies)  # Insert or Update the os.environ
++    yield os.environ
++    for key in juju_proxies:
++        del os.environ[key]  # remove any keys which were added or updated
++    os.environ.update(**restore)  # restore any original values
++
++
  class ArchiveUrlFetchHandler(BaseFetchHandler):
      """
      Handler to download archive files from arbitrary URLs.
@@ -89,9 +96,10 @@
          :param str source: URL pointing to an archive file.
          :param str dest: Local path location to download archive file to.
          """
--        # propogate all exceptions
++        # propagate all exceptions
          # URLError, OSError, etc
          proto, netloc, path, params, query, fragment = urlparse(source)
++        handlers = []
          if proto in ('http', 'https'):
              auth, barehost = splituser(netloc)
              if auth is not None:
@@ -101,10 +109,13 @@
                  # Realm is set to None in add_password to force the username and password
                  # to be used whatever the realm
                  passman.add_password(None, source, username, password)
--                authhandler = HTTPBasicAuthHandler(passman)
--                opener = build_opener(authhandler)
--                install_opener(opener)
--        response = urlopen(source)
++                handlers.append(HTTPBasicAuthHandler(passman))
++
++        with proxy_env():
++            handlers.append(ProxyHandler())
++            opener = build_opener(*handlers)
++            install_opener(opener)
++            response = urlopen(source)
          try:
              with open(dest, 'wb') as dest_file:
                  dest_file.write(response.read())
@@ -150,10 +161,7 @@
              raise UnhandledSource(e.strerror)
          options = parse_qs(url_parts.fragment)
          for key, value in options.items():
--            if not six.PY3:
--                algorithms = hashlib.algorithms
--            else:
--                algorithms = hashlib.algorithms_available
++            algorithms = hashlib.algorithms_available
              if key in algorithms:
                  if len(value) != 1:
                      raise TypeError(
 === modified file 'hooks/charmhelpers/fetch/bzrurl.py'
 --- hooks/charmhelpers/fetch/bzrurl.py	2016-12-20 14:35:00 +0000
 +++ hooks/charmhelpers/fetch/bzrurl.py	2023-06-30 13:58:42 +0000
@@ -13,7 +13,7 @@
  # limitations under the License.
  import os
--from subprocess import check_call
++from subprocess import STDOUT, check_output
  from charmhelpers.fetch import (
      BaseFetchHandler,
      UnhandledSource,
@@ -55,7 +55,7 @@
              cmd = ['bzr', 'branch']
              cmd += cmd_opts
              cmd += [source, dest]
--        check_call(cmd)
++        check_output(cmd, stderr=STDOUT)
      def install(self, source, dest=None, revno=None):
          url_parts = self.parse_url(source)
 === modified file 'hooks/charmhelpers/fetch/centos.py'
 --- hooks/charmhelpers/fetch/centos.py	2016-12-20 20:15:28 +0000
 +++ hooks/charmhelpers/fetch/centos.py	2023-06-30 13:58:42 +0000
@@ -15,7 +15,6 @@
  import subprocess
  import os
  import time
--import six
  import yum
  from tempfile import NamedTemporaryFile
@@ -42,7 +41,7 @@
      if options is not None:
          cmd.extend(options)
      cmd.append('install')
--    if isinstance(packages, six.string_types):
++    if isinstance(packages, str):
          cmd.append(packages)
      else:
          cmd.extend(packages)
@@ -71,7 +70,7 @@
  def purge(packages, fatal=False):
      """Purge one or more packages."""
      cmd = ['yum', '--assumeyes', 'remove']
--    if isinstance(packages, six.string_types):
++    if isinstance(packages, str):
          cmd.append(packages)
      else:
          cmd.extend(packages)
@@ -83,7 +82,7 @@
      """Search for a package."""
      output = {}
      cmd = ['yum', 'search']
--    if isinstance(packages, six.string_types):
++    if isinstance(packages, str):
          cmd.append(packages)
      else:
          cmd.extend(packages)
@@ -132,7 +131,7 @@
                  key_file.write(key)
                  key_file.flush()
                  key_file.seek(0)
--            subprocess.check_call(['rpm', '--import', key_file])
++                subprocess.check_call(['rpm', '--import', key_file.name])
          else:
              subprocess.check_call(['rpm', '--import', key])
 === modified file 'hooks/charmhelpers/fetch/giturl.py'
 --- hooks/charmhelpers/fetch/giturl.py	2016-12-20 14:35:00 +0000
 +++ hooks/charmhelpers/fetch/giturl.py	2023-06-30 13:58:42 +0000
@@ -13,7 +13,7 @@
  # limitations under the License.
  import os
--from subprocess import check_call, CalledProcessError
++from subprocess import check_output, CalledProcessError, STDOUT
  from charmhelpers.fetch import (
      BaseFetchHandler,
      UnhandledSource,
@@ -50,7 +50,7 @@
              cmd = ['git', 'clone', source, dest, '--branch', branch]
              if depth:
                  cmd.extend(['--depth', depth])
--        check_call(cmd)
++        check_output(cmd, stderr=STDOUT)
      def install(self, source, branch="master", dest=None, depth=None):
          url_parts = self.parse_url(source)
 === added directory 'hooks/charmhelpers/fetch/python'
 === added file 'hooks/charmhelpers/fetch/python/__init__.py'
 --- hooks/charmhelpers/fetch/python/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/fetch/python/__init__.py	2023-06-30 13:58:42 +0000
@@ -0,0 +1,13 @@
++# Copyright 2014-2019 Canonical Limited.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++#  http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
 === added file 'hooks/charmhelpers/fetch/python/debug.py'
 --- hooks/charmhelpers/fetch/python/debug.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/fetch/python/debug.py	2023-06-30 13:58:42 +0000
@@ -0,0 +1,52 @@
++#!/usr/bin/env python
++# coding: utf-8
++
++# Copyright 2014-2015 Canonical Limited.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++#  http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++import atexit
++import sys
++
++from charmhelpers.fetch.python.rpdb import Rpdb
++from charmhelpers.core.hookenv import (
++    open_port,
++    close_port,
++    ERROR,
++    log
++)
++
++__author__ = "Jorge Niedbalski <jorge.niedbalski@canonical.com>"
++
++DEFAULT_ADDR = "0.0.0.0"
++DEFAULT_PORT = 4444
++
++
++def _error(message):
++    log(message, level=ERROR)
++
++
++def set_trace(addr=DEFAULT_ADDR, port=DEFAULT_PORT):
++    """
++    Set a trace point using the remote debugger
++    """
++    atexit.register(close_port, port)
++    try:
++        log("Starting a remote python debugger session on %s:%s" % (addr,
++                                                                    port))
++        open_port(port)
++        debugger = Rpdb(addr=addr, port=port)
++        debugger.set_trace(sys._getframe().f_back)
++    except Exception:
++        _error("Cannot start a remote debug session on %s:%s" % (addr,
++                                                                 port))
 === added file 'hooks/charmhelpers/fetch/python/packages.py'
 --- hooks/charmhelpers/fetch/python/packages.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/fetch/python/packages.py	2023-06-30 13:58:42 +0000
@@ -0,0 +1,148 @@
++#!/usr/bin/env python
++# coding: utf-8
++
++# Copyright 2014-2021 Canonical Limited.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++#  http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++import os
++import subprocess
++import sys
++
++from charmhelpers.fetch import apt_install, apt_update
++from charmhelpers.core.hookenv import charm_dir, log
++
++__author__ = "Jorge Niedbalski <jorge.niedbalski@canonical.com>"
++
++
++def pip_execute(*args, **kwargs):
++    """Overridden pip_execute() to stop sys.path being changed.
++
++    The act of importing main from the pip module seems to cause add wheels
++    from the /usr/share/python-wheels which are installed by various tools.
++    This function ensures that sys.path remains the same after the call is
++    executed.
++    """
++    try:
++        _path = sys.path
++        try:
++            from pip import main as _pip_execute
++        except ImportError:
++            apt_update()
++            apt_install('python3-pip')
++            from pip import main as _pip_execute
++        _pip_execute(*args, **kwargs)
++    finally:
++        sys.path = _path
++
++
++def parse_options(given, available):
++    """Given a set of options, check if available"""
++    for key, value in sorted(given.items()):
++        if not value:
++            continue
++        if key in available:
++            yield "--{0}={1}".format(key, value)
++
++
++def pip_install_requirements(requirements, constraints=None, **options):
++    """Install a requirements file.
++
++    :param constraints: Path to pip constraints file.
++    http://pip.readthedocs.org/en/stable/user_guide/#constraints-files
++    """
++    command = ["install"]
++
++    available_options = ('proxy', 'src', 'log', )
++    for option in parse_options(options, available_options):
++        command.append(option)
++
++    command.append("-r {0}".format(requirements))
++    if constraints:
++        command.append("-c {0}".format(constraints))
++        log("Installing from file: {} with constraints {} "
++            "and options: {}".format(requirements, constraints, command))
++    else:
++        log("Installing from file: {} with options: {}".format(requirements,
++                                                               command))
++    pip_execute(command)
++
++
++def pip_install(package, fatal=False, upgrade=False, venv=None,
++                constraints=None, **options):
++    """Install a python package"""
++    if venv:
++        venv_python = os.path.join(venv, 'bin/pip')
++        command = [venv_python, "install"]
++    else:
++        command = ["install"]
++
++    available_options = ('proxy', 'src', 'log', 'index-url', )
++    for option in parse_options(options, available_options):
++        command.append(option)
++
++    if upgrade:
++        command.append('--upgrade')
++
++    if constraints:
++        command.extend(['-c', constraints])
++
++    if isinstance(package, list):
++        command.extend(package)
++    else:
++        command.append(package)
++
++    log("Installing {} package with options: {}".format(package,
++                                                        command))
++    if venv:
++        subprocess.check_call(command)
++    else:
++        pip_execute(command)
++
++
++def pip_uninstall(package, **options):
++    """Uninstall a python package"""
++    command = ["uninstall", "-q", "-y"]
++
++    available_options = ('proxy', 'log', )
++    for option in parse_options(options, available_options):
++        command.append(option)
++
++    if isinstance(package, list):
++        command.extend(package)
++    else:
++        command.append(package)
++
++    log("Uninstalling {} package with options: {}".format(package,
++                                                          command))
++    pip_execute(command)
++
++
++def pip_list():
++    """Returns the list of current python installed packages
++    """
++    return pip_execute(["list"])
++
++
++def pip_create_virtualenv(path=None):
++    """Create an isolated Python environment."""
++    apt_install(['python3-virtualenv', 'virtualenv'])
++    extra_flags = ['--python=python3']
++
++    if path:
++        venv_path = path
++    else:
++        venv_path = os.path.join(charm_dir(), 'venv')
++
++    if not os.path.exists(venv_path):
++        subprocess.check_call(['virtualenv', venv_path] + extra_flags)
 === added file 'hooks/charmhelpers/fetch/python/rpdb.py'
 --- hooks/charmhelpers/fetch/python/rpdb.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/fetch/python/rpdb.py	2023-06-30 13:58:42 +0000
@@ -0,0 +1,56 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++#  http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++"""Remote Python Debugger (pdb wrapper)."""
++
++import pdb
++import socket
++import sys
++
++__author__ = "Bertrand Janin <b@janin.com>"
++__version__ = "0.1.3"
++
++
++class Rpdb(pdb.Pdb):
++
++    def __init__(self, addr="127.0.0.1", port=4444):
++        """Initialize the socket and initialize pdb."""
++
++        # Backup stdin and stdout before replacing them by the socket handle
++        self.old_stdout = sys.stdout
++        self.old_stdin = sys.stdin
++
++        # Open a 'reusable' socket to let the webapp reload on the same port
++        self.skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
++        self.skt.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, True)
++        self.skt.bind((addr, port))
++        self.skt.listen(1)
++        (clientsocket, address) = self.skt.accept()
++        handle = clientsocket.makefile('rw')
++        pdb.Pdb.__init__(self, completekey='tab', stdin=handle, stdout=handle)
++        sys.stdout = sys.stdin = handle
++
++    def shutdown(self):
++        """Revert stdin and stdout, close the socket."""
++        sys.stdout = self.old_stdout
++        sys.stdin = self.old_stdin
++        self.skt.close()
++        self.set_continue()
++
++    def do_continue(self, arg):
++        """Stop all operation on ``continue``."""
++        self.shutdown()
++        return 1
++
++    do_EOF = do_quit = do_exit = do_c = do_cont = do_continue
 === added file 'hooks/charmhelpers/fetch/python/version.py'
 --- hooks/charmhelpers/fetch/python/version.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/fetch/python/version.py	2023-06-30 13:58:42 +0000
@@ -0,0 +1,32 @@
++#!/usr/bin/env python
++# coding: utf-8
++
++# Copyright 2014-2015 Canonical Limited.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++#  http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++import sys
++
++__author__ = "Jorge Niedbalski <jorge.niedbalski@canonical.com>"
++
++
++def current_version():
++    """Current system python version"""
++    return sys.version_info
++
++
++def current_version_string():
++    """Current system python version as string major.minor.micro"""
++    return "{0}.{1}.{2}".format(sys.version_info.major,
++                                sys.version_info.minor,
++                                sys.version_info.micro)
 === added file 'hooks/charmhelpers/fetch/snap.py'
 --- hooks/charmhelpers/fetch/snap.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/fetch/snap.py	2023-06-30 13:58:42 +0000
@@ -0,0 +1,150 @@
++# Copyright 2014-2021 Canonical Limited.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++#  http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++"""
++Charm helpers snap for classic charms.
++
++If writing reactive charms, use the snap layer:
++https://lists.ubuntu.com/archives/snapcraft/2016-September/001114.html
++"""
++import subprocess
++import os
++from time import sleep
++from charmhelpers.core.hookenv import log
++
++__author__ = 'Joseph Borg <joseph.borg@canonical.com>'
++
++# The return code for "couldn't acquire lock" in Snap
++# (hopefully this will be improved).
++SNAP_NO_LOCK = 1
++SNAP_NO_LOCK_RETRY_DELAY = 10  # Wait X seconds between Snap lock checks.
++SNAP_NO_LOCK_RETRY_COUNT = 30  # Retry to acquire the lock X times.
++SNAP_CHANNELS = [
++    'edge',
++    'beta',
++    'candidate',
++    'stable',
++]
++
++
++class CouldNotAcquireLockException(Exception):
++    pass
++
++
++class InvalidSnapChannel(Exception):
++    pass
++
++
++def _snap_exec(commands):
++    """
++    Execute snap commands.
++
++    :param commands: List commands
++    :return: Integer exit code
++    """
++    assert type(commands) == list
++
++    retry_count = 0
++    return_code = None
++
++    while return_code is None or return_code == SNAP_NO_LOCK:
++        try:
++            return_code = subprocess.check_call(['snap'] + commands,
++                                                env=os.environ)
++        except subprocess.CalledProcessError as e:
++            retry_count += + 1
++            if retry_count > SNAP_NO_LOCK_RETRY_COUNT:
++                raise CouldNotAcquireLockException(
++                    'Could not acquire lock after {} attempts'
++                    .format(SNAP_NO_LOCK_RETRY_COUNT))
++            return_code = e.returncode
++            log('Snap failed to acquire lock, trying again in {} seconds.'
++                .format(SNAP_NO_LOCK_RETRY_DELAY), level='WARN')
++            sleep(SNAP_NO_LOCK_RETRY_DELAY)
++
++    return return_code
++
++
++def snap_install(packages, *flags):
++    """
++    Install a snap package.
++
++    :param packages: String or List String package name
++    :param flags: List String flags to pass to install command
++    :return: Integer return code from snap
++    """
++    if type(packages) is not list:
++        packages = [packages]
++
++    flags = list(flags)
++
++    message = 'Installing snap(s) "%s"' % ', '.join(packages)
++    if flags:
++        message += ' with option(s) "%s"' % ', '.join(flags)
++
++    log(message, level='INFO')
++    return _snap_exec(['install'] + flags + packages)
++
++
++def snap_remove(packages, *flags):
++    """
++    Remove a snap package.
++
++    :param packages: String or List String package name
++    :param flags: List String flags to pass to remove command
++    :return: Integer return code from snap
++    """
++    if type(packages) is not list:
++        packages = [packages]
++
++    flags = list(flags)
++
++    message = 'Removing snap(s) "%s"' % ', '.join(packages)
++    if flags:
++        message += ' with options "%s"' % ', '.join(flags)
++
++    log(message, level='INFO')
++    return _snap_exec(['remove'] + flags + packages)
++
++
++def snap_refresh(packages, *flags):
++    """
++    Refresh / Update snap package.
++
++    :param packages: String or List String package name
++    :param flags: List String flags to pass to refresh command
++    :return: Integer return code from snap
++    """
++    if type(packages) is not list:
++        packages = [packages]
++
++    flags = list(flags)
++
++    message = 'Refreshing snap(s) "%s"' % ', '.join(packages)
++    if flags:
++        message += ' with options "%s"' % ', '.join(flags)
++
++    log(message, level='INFO')
++    return _snap_exec(['refresh'] + flags + packages)
++
++
++def valid_snap_channel(channel):
++    """ Validate snap channel exists
++
++    :raises InvalidSnapChannel: When channel does not exist
++    :return: Boolean
++    """
++    if channel.lower() in SNAP_CHANNELS:
++        return True
++    else:
++        raise InvalidSnapChannel("Invalid Snap Channel: {}".format(channel))
 === modified file 'hooks/charmhelpers/fetch/ubuntu.py'
 --- hooks/charmhelpers/fetch/ubuntu.py	2016-12-20 20:15:28 +0000
 +++ hooks/charmhelpers/fetch/ubuntu.py	2023-06-30 13:58:42 +0000
@@ -1,4 +1,4 @@
--# Copyright 2014-2015 Canonical Limited.
++# Copyright 2014-2021 Canonical Limited.
+ #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
@@ -12,29 +12,49 @@
  # See the License for the specific language governing permissions and
  # limitations under the License.
--import os
--import six
++from collections import OrderedDict
++import platform
++import re
++import subprocess
++import sys
  import time
--import subprocess
--
--from tempfile import NamedTemporaryFile
--from charmhelpers.core.host import (
--    lsb_release
++
++from charmhelpers import deprecate
++from charmhelpers.core.host import get_distrib_codename, get_system_env
++
++from charmhelpers.core.hookenv import (
++    log,
++    DEBUG,
++    WARNING,
++    env_proxy_settings,
+ )
--from charmhelpers.core.hookenv import log
--from charmhelpers.fetch import SourceConfigError
++from charmhelpers.fetch import SourceConfigError, GPGKeyError
++from charmhelpers.fetch import ubuntu_apt_pkg
++PROPOSED_POCKET = (
++    "# Proposed\n"
++    "deb http://archive.ubuntu.com/ubuntu {}-proposed main universe "
++    "multiverse restricted\n")
++PROPOSED_PORTS_POCKET = (
++    "# Proposed\n"
++    "deb http://ports.ubuntu.com/ubuntu-ports {}-proposed main universe "
++    "multiverse restricted\n")
++# Only supports 64bit and ppc64 at the moment.
++ARCH_TO_PROPOSED_POCKET = {
++    'x86_64': PROPOSED_POCKET,
++    'ppc64le': PROPOSED_PORTS_POCKET,
++    'aarch64': PROPOSED_PORTS_POCKET,
++    's390x': PROPOSED_PORTS_POCKET,
++}
++CLOUD_ARCHIVE_URL = "http://ubuntu-cloud.archive.canonical.com/ubuntu"
++CLOUD_ARCHIVE_KEY_ID = '5EDB1B62EC4926EA'
  CLOUD_ARCHIVE = """# Ubuntu Cloud Archive
  deb http://ubuntu-cloud.archive.canonical.com/ubuntu {} main
  """
--
--PROPOSED_POCKET = """# Proposed
--deb http://archive.ubuntu.com/ubuntu {}-proposed main universe multiverse restricted
--"""
--
  CLOUD_ARCHIVE_POCKETS = {
      # Folsom
      'folsom': 'precise-updates/folsom',
++    'folsom/updates': 'precise-updates/folsom',
      'precise-folsom': 'precise-updates/folsom',
      'precise-folsom/updates': 'precise-updates/folsom',
      'precise-updates/folsom': 'precise-updates/folsom',
@@ -43,6 +63,7 @@
      'precise-proposed/folsom': 'precise-proposed/folsom',
      # Grizzly
      'grizzly': 'precise-updates/grizzly',
++    'grizzly/updates': 'precise-updates/grizzly',
      'precise-grizzly': 'precise-updates/grizzly',
      'precise-grizzly/updates': 'precise-updates/grizzly',
      'precise-updates/grizzly': 'precise-updates/grizzly',
@@ -51,6 +72,7 @@
      'precise-proposed/grizzly': 'precise-proposed/grizzly',
      # Havana
      'havana': 'precise-updates/havana',
++    'havana/updates': 'precise-updates/havana',
      'precise-havana': 'precise-updates/havana',
      'precise-havana/updates': 'precise-updates/havana',
      'precise-updates/havana': 'precise-updates/havana',
@@ -59,6 +81,7 @@
      'precise-proposed/havana': 'precise-proposed/havana',
      # Icehouse
      'icehouse': 'precise-updates/icehouse',
++    'icehouse/updates': 'precise-updates/icehouse',
      'precise-icehouse': 'precise-updates/icehouse',
      'precise-icehouse/updates': 'precise-updates/icehouse',
      'precise-updates/icehouse': 'precise-updates/icehouse',
@@ -67,6 +90,7 @@
      'precise-proposed/icehouse': 'precise-proposed/icehouse',
      # Juno
      'juno': 'trusty-updates/juno',
++    'juno/updates': 'trusty-updates/juno',
      'trusty-juno': 'trusty-updates/juno',
      'trusty-juno/updates': 'trusty-updates/juno',
      'trusty-updates/juno': 'trusty-updates/juno',
@@ -75,6 +99,7 @@
      'trusty-proposed/juno': 'trusty-proposed/juno',
      # Kilo
      'kilo': 'trusty-updates/kilo',
++    'kilo/updates': 'trusty-updates/kilo',
      'trusty-kilo': 'trusty-updates/kilo',
      'trusty-kilo/updates': 'trusty-updates/kilo',
      'trusty-updates/kilo': 'trusty-updates/kilo',
@@ -83,6 +108,7 @@
      'trusty-proposed/kilo': 'trusty-proposed/kilo',
      # Liberty
      'liberty': 'trusty-updates/liberty',
++    'liberty/updates': 'trusty-updates/liberty',
      'trusty-liberty': 'trusty-updates/liberty',
      'trusty-liberty/updates': 'trusty-updates/liberty',
      'trusty-updates/liberty': 'trusty-updates/liberty',
@@ -91,6 +117,7 @@
      'trusty-proposed/liberty': 'trusty-proposed/liberty',
      # Mitaka
      'mitaka': 'trusty-updates/mitaka',
++    'mitaka/updates': 'trusty-updates/mitaka',
      'trusty-mitaka': 'trusty-updates/mitaka',
      'trusty-mitaka/updates': 'trusty-updates/mitaka',
      'trusty-updates/mitaka': 'trusty-updates/mitaka',
@@ -99,6 +126,7 @@
      'trusty-proposed/mitaka': 'trusty-proposed/mitaka',
      # Newton
      'newton': 'xenial-updates/newton',
++    'newton/updates': 'xenial-updates/newton',
      'xenial-newton': 'xenial-updates/newton',
      'xenial-newton/updates': 'xenial-updates/newton',
      'xenial-updates/newton': 'xenial-updates/newton',
@@ -107,17 +135,175 @@
      'xenial-proposed/newton': 'xenial-proposed/newton',
      # Ocata
      'ocata': 'xenial-updates/ocata',
++    'ocata/updates': 'xenial-updates/ocata',
      'xenial-ocata': 'xenial-updates/ocata',
      'xenial-ocata/updates': 'xenial-updates/ocata',
      'xenial-updates/ocata': 'xenial-updates/ocata',
      'ocata/proposed': 'xenial-proposed/ocata',
      'xenial-ocata/proposed': 'xenial-proposed/ocata',
--    'xenial-ocata/newton': 'xenial-proposed/ocata',
++    'xenial-proposed/ocata': 'xenial-proposed/ocata',
++    # Pike
++    'pike': 'xenial-updates/pike',
++    'xenial-pike': 'xenial-updates/pike',
++    'xenial-pike/updates': 'xenial-updates/pike',
++    'xenial-updates/pike': 'xenial-updates/pike',
++    'pike/proposed': 'xenial-proposed/pike',
++    'xenial-pike/proposed': 'xenial-proposed/pike',
++    'xenial-proposed/pike': 'xenial-proposed/pike',
++    # Queens
++    'queens': 'xenial-updates/queens',
++    'xenial-queens': 'xenial-updates/queens',
++    'xenial-queens/updates': 'xenial-updates/queens',
++    'xenial-updates/queens': 'xenial-updates/queens',
++    'queens/proposed': 'xenial-proposed/queens',
++    'xenial-queens/proposed': 'xenial-proposed/queens',
++    'xenial-proposed/queens': 'xenial-proposed/queens',
++    # Rocky
++    'rocky': 'bionic-updates/rocky',
++    'bionic-rocky': 'bionic-updates/rocky',
++    'bionic-rocky/updates': 'bionic-updates/rocky',
++    'bionic-updates/rocky': 'bionic-updates/rocky',
++    'rocky/proposed': 'bionic-proposed/rocky',
++    'bionic-rocky/proposed': 'bionic-proposed/rocky',
++    'bionic-proposed/rocky': 'bionic-proposed/rocky',
++    # Stein
++    'stein': 'bionic-updates/stein',
++    'bionic-stein': 'bionic-updates/stein',
++    'bionic-stein/updates': 'bionic-updates/stein',
++    'bionic-updates/stein': 'bionic-updates/stein',
++    'stein/proposed': 'bionic-proposed/stein',
++    'bionic-stein/proposed': 'bionic-proposed/stein',
++    'bionic-proposed/stein': 'bionic-proposed/stein',
++    # Train
++    'train': 'bionic-updates/train',
++    'bionic-train': 'bionic-updates/train',
++    'bionic-train/updates': 'bionic-updates/train',
++    'bionic-updates/train': 'bionic-updates/train',
++    'train/proposed': 'bionic-proposed/train',
++    'bionic-train/proposed': 'bionic-proposed/train',
++    'bionic-proposed/train': 'bionic-proposed/train',
++    # Ussuri
++    'ussuri': 'bionic-updates/ussuri',
++    'bionic-ussuri': 'bionic-updates/ussuri',
++    'bionic-ussuri/updates': 'bionic-updates/ussuri',
++    'bionic-updates/ussuri': 'bionic-updates/ussuri',
++    'ussuri/proposed': 'bionic-proposed/ussuri',
++    'bionic-ussuri/proposed': 'bionic-proposed/ussuri',
++    'bionic-proposed/ussuri': 'bionic-proposed/ussuri',
++    # Victoria
++    'victoria': 'focal-updates/victoria',
++    'focal-victoria': 'focal-updates/victoria',
++    'focal-victoria/updates': 'focal-updates/victoria',
++    'focal-updates/victoria': 'focal-updates/victoria',
++    'victoria/proposed': 'focal-proposed/victoria',
++    'focal-victoria/proposed': 'focal-proposed/victoria',
++    'focal-proposed/victoria': 'focal-proposed/victoria',
++    # Wallaby
++    'wallaby': 'focal-updates/wallaby',
++    'focal-wallaby': 'focal-updates/wallaby',
++    'focal-wallaby/updates': 'focal-updates/wallaby',
++    'focal-updates/wallaby': 'focal-updates/wallaby',
++    'wallaby/proposed': 'focal-proposed/wallaby',
++    'focal-wallaby/proposed': 'focal-proposed/wallaby',
++    'focal-proposed/wallaby': 'focal-proposed/wallaby',
++    # Xena
++    'xena': 'focal-updates/xena',
++    'focal-xena': 'focal-updates/xena',
++    'focal-xena/updates': 'focal-updates/xena',
++    'focal-updates/xena': 'focal-updates/xena',
++    'xena/proposed': 'focal-proposed/xena',
++    'focal-xena/proposed': 'focal-proposed/xena',
++    'focal-proposed/xena': 'focal-proposed/xena',
++    # Yoga
++    'yoga': 'focal-updates/yoga',
++    'focal-yoga': 'focal-updates/yoga',
++    'focal-yoga/updates': 'focal-updates/yoga',
++    'focal-updates/yoga': 'focal-updates/yoga',
++    'yoga/proposed': 'focal-proposed/yoga',
++    'focal-yoga/proposed': 'focal-proposed/yoga',
++    'focal-proposed/yoga': 'focal-proposed/yoga',
++    # Zed
++    'zed': 'jammy-updates/zed',
++    'jammy-zed': 'jammy-updates/zed',
++    'jammy-zed/updates': 'jammy-updates/zed',
++    'jammy-updates/zed': 'jammy-updates/zed',
++    'zed/proposed': 'jammy-proposed/zed',
++    'jammy-zed/proposed': 'jammy-proposed/zed',
++    'jammy-proposed/zed': 'jammy-proposed/zed',
++    # antelope
++    'antelope': 'jammy-updates/antelope',
++    'jammy-antelope': 'jammy-updates/antelope',
++    'jammy-antelope/updates': 'jammy-updates/antelope',
++    'jammy-updates/antelope': 'jammy-updates/antelope',
++    'antelope/proposed': 'jammy-proposed/antelope',
++    'jammy-antelope/proposed': 'jammy-proposed/antelope',
++    'jammy-proposed/antelope': 'jammy-proposed/antelope',
++
++    # OVN
++    'focal-ovn-22.03': 'focal-updates/ovn-22.03',
++    'focal-ovn-22.03/proposed': 'focal-proposed/ovn-22.03',
+ }
++
++OPENSTACK_RELEASES = (
++    'diablo',
++    'essex',
++    'folsom',
++    'grizzly',
++    'havana',
++    'icehouse',
++    'juno',
++    'kilo',
++    'liberty',
++    'mitaka',
++    'newton',
++    'ocata',
++    'pike',
++    'queens',
++    'rocky',
++    'stein',
++    'train',
++    'ussuri',
++    'victoria',
++    'wallaby',
++    'xena',
++    'yoga',
++    'zed',
++    'antelope',
++)
++
++
++UBUNTU_OPENSTACK_RELEASE = OrderedDict([
++    ('oneiric', 'diablo'),
++    ('precise', 'essex'),
++    ('quantal', 'folsom'),
++    ('raring', 'grizzly'),
++    ('saucy', 'havana'),
++    ('trusty', 'icehouse'),
++    ('utopic', 'juno'),
++    ('vivid', 'kilo'),
++    ('wily', 'liberty'),
++    ('xenial', 'mitaka'),
++    ('yakkety', 'newton'),
++    ('zesty', 'ocata'),
++    ('artful', 'pike'),
++    ('bionic', 'queens'),
++    ('cosmic', 'rocky'),
++    ('disco', 'stein'),
++    ('eoan', 'train'),
++    ('focal', 'ussuri'),
++    ('groovy', 'victoria'),
++    ('hirsute', 'wallaby'),
++    ('impish', 'xena'),
++    ('jammy', 'yoga'),
++    ('kinetic', 'zed'),
++    ('lunar', 'antelope'),
++])
++
++
  APT_NO_LOCK = 100  # The return code for "couldn't acquire lock" in APT.
--APT_NO_LOCK_RETRY_DELAY = 10  # Wait 10 seconds between apt lock checks.
--APT_NO_LOCK_RETRY_COUNT = 30  # Retry to acquire the lock X times.
++CMD_RETRY_DELAY = 10  # Wait 10 seconds between command retries.
++CMD_RETRY_COUNT = 10  # Retry a failing fatal command X times.
  def filter_installed_packages(packages):
@@ -135,35 +321,93 @@
      return _pkgs
--def apt_cache(in_memory=True, progress=None):
--    """Build and return an apt cache."""
--    from apt import apt_pkg
--    apt_pkg.init()
--    if in_memory:
--        apt_pkg.config.set("Dir::Cache::pkgcache", "")
--        apt_pkg.config.set("Dir::Cache::srcpkgcache", "")
--    return apt_pkg.Cache(progress)
--
--
--def install(packages, options=None, fatal=False):
--    """Install one or more packages."""
++def filter_missing_packages(packages):
++    """Return a list of packages that are installed.
++
++    :param packages: list of packages to evaluate.
++    :returns list: Packages that are installed.
++    """
++    return list(
++        set(packages) -
++        set(filter_installed_packages(packages))
++    )
++
++
++def apt_cache(*_, **__):
++    """Shim returning an object simulating the apt_pkg Cache.
++
++    :param _: Accept arguments for compatibility, not used.
++    :type _: any
++    :param __: Accept keyword arguments for compatibility, not used.
++    :type __: any
++    :returns:Object used to interrogate the system apt and dpkg databases.
++    :rtype:ubuntu_apt_pkg.Cache
++    """
++    if 'apt_pkg' in sys.modules:
++        # NOTE(fnordahl): When our consumer use the upstream ``apt_pkg`` module
++        # in conjunction with the apt_cache helper function, they may expect us
++        # to call ``apt_pkg.init()`` for them.
++        #
++        # Detect this situation, log a warning and make the call to
++        # ``apt_pkg.init()`` to avoid the consumer Python interpreter from
++        # crashing with a segmentation fault.
++        @deprecate(
++            'Support for use of upstream ``apt_pkg`` module in conjunction'
++            'with charm-helpers is deprecated since 2019-06-25',
++            date=None, log=lambda x: log(x, level=WARNING))
++        def one_shot_log():
++            pass
++
++        one_shot_log()
++        sys.modules['apt_pkg'].init()
++    return ubuntu_apt_pkg.Cache()
++
++
++def apt_install(packages, options=None, fatal=False, quiet=False):
++    """Install one or more packages.
++
++    :param packages: Package(s) to install
++    :type packages: Option[str, List[str]]
++    :param options: Options to pass on to apt-get
++    :type options: Option[None, List[str]]
++    :param fatal: Whether the command's output should be checked and
++                  retried.
++    :type fatal: bool
++    :param quiet: if True (default), suppress log message to stdout/stderr
++    :type quiet: bool
++    :raises: subprocess.CalledProcessError
++    """
++    if not packages:
++        log("Nothing to install", level=DEBUG)
++        return
      if options is None:
          options = ['--option=Dpkg::Options::=--force-confold']
      cmd = ['apt-get', '--assume-yes']
      cmd.extend(options)
      cmd.append('install')
--    if isinstance(packages, six.string_types):
++    if isinstance(packages, str):
          cmd.append(packages)
      else:
          cmd.extend(packages)
--    log("Installing {} with options: {}".format(packages,
--                                                options))
--    _run_apt_command(cmd, fatal)
--
--
--def upgrade(options=None, fatal=False, dist=False):
--    """Upgrade all packages."""
++    if not quiet:
++        log("Installing {} with options: {}"
++            .format(packages, options))
++    _run_apt_command(cmd, fatal, quiet=quiet)
++
++
++def apt_upgrade(options=None, fatal=False, dist=False):
++    """Upgrade all packages.
++
++    :param options: Options to pass on to apt-get
++    :type options: Option[None, List[str]]
++    :param fatal: Whether the command's output should be checked and
++                  retried.
++    :type fatal: bool
++    :param dist: Whether ``dist-upgrade`` should be used over ``upgrade``
++    :type dist: bool
++    :raises: subprocess.CalledProcessError
++    """
      if options is None:
          options = ['--option=Dpkg::Options::=--force-confold']
@@ -177,16 +421,24 @@
      _run_apt_command(cmd, fatal)
--def update(fatal=False):
++def apt_update(fatal=False):
      """Update local apt cache."""
      cmd = ['apt-get', 'update']
      _run_apt_command(cmd, fatal)
--def purge(packages, fatal=False):
--    """Purge one or more packages."""
++def apt_purge(packages, fatal=False):
++    """Purge one or more packages.
++
++    :param packages: Package(s) to install
++    :type packages: Option[str, List[str]]
++    :param fatal: Whether the command's output should be checked and
++                  retried.
++    :type fatal: bool
++    :raises: subprocess.CalledProcessError
++    """
      cmd = ['apt-get', '--assume-yes', 'purge']
--    if isinstance(packages, six.string_types):
++    if isinstance(packages, str):
          cmd.append(packages)
      else:
          cmd.extend(packages)
@@ -194,11 +446,26 @@
      _run_apt_command(cmd, fatal)
++def apt_autoremove(purge=True, fatal=False):
++    """Purge one or more packages.
++    :param purge: Whether the ``--purge`` option should be passed on or not.
++    :type purge: bool
++    :param fatal: Whether the command's output should be checked and
++                  retried.
++    :type fatal: bool
++    :raises: subprocess.CalledProcessError
++    """
++    cmd = ['apt-get', '--assume-yes', 'autoremove']
++    if purge:
++        cmd.append('--purge')
++    _run_apt_command(cmd, fatal)
++
++
  def apt_mark(packages, mark, fatal=False):
      """Flag one or more packages using apt-mark."""
      log("Marking {} as {}".format(packages, mark))
      cmd = ['apt-mark', mark]
--    if isinstance(packages, six.string_types):
++    if isinstance(packages, str):
          cmd.append(packages)
      else:
          cmd.extend(packages)
@@ -217,7 +484,154 @@
      return apt_mark(packages, 'unhold', fatal=fatal)
--def add_source(source, key=None):
++def import_key(key):
++    """Import an ASCII Armor key.
++
++    A Radix64 format keyid is also supported for backwards
++    compatibility. In this case Ubuntu keyserver will be
++    queried for a key via HTTPS by its keyid. This method
++    is less preferable because https proxy servers may
++    require traffic decryption which is equivalent to a
++    man-in-the-middle attack (a proxy server impersonates
++    keyserver TLS certificates and has to be explicitly
++    trusted by the system).
++
++    :param key: A GPG key in ASCII armor format,
++                  including BEGIN and END markers or a keyid.
++    :type key: (bytes, str)
++    :raises: GPGKeyError if the key could not be imported
++    """
++    key = key.strip()
++    if '-' in key or '\n' in key:
++        # Send everything not obviously a keyid to GPG to import, as
++        # we trust its validation better than our own. eg. handling
++        # comments before the key.
++        log("PGP key found (looks like ASCII Armor format)", level=DEBUG)
++        if ('-----BEGIN PGP PUBLIC KEY BLOCK-----' in key and
++                '-----END PGP PUBLIC KEY BLOCK-----' in key):
++            log("Writing provided PGP key in the binary format", level=DEBUG)
++            key_bytes = key.encode('utf-8')
++            key_name = _get_keyid_by_gpg_key(key_bytes)
++            key_gpg = _dearmor_gpg_key(key_bytes)
++            _write_apt_gpg_keyfile(key_name=key_name, key_material=key_gpg)
++        else:
++            raise GPGKeyError("ASCII armor markers missing from GPG key")
++    else:
++        log("PGP key found (looks like Radix64 format)", level=WARNING)
++        log("SECURELY importing PGP key from keyserver; "
++            "full key not provided.", level=WARNING)
++        # as of bionic add-apt-repository uses curl with an HTTPS keyserver URL
++        # to retrieve GPG keys. `apt-key adv` command is deprecated as is
++        # apt-key in general as noted in its manpage. See lp:1433761 for more
++        # history. Instead, /etc/apt/trusted.gpg.d is used directly to drop
++        # gpg
++        key_asc = _get_key_by_keyid(key)
++        # write the key in GPG format so that apt-key list shows it
++        key_gpg = _dearmor_gpg_key(key_asc)
++        _write_apt_gpg_keyfile(key_name=key, key_material=key_gpg)
++
++
++def _get_keyid_by_gpg_key(key_material):
++    """Get a GPG key fingerprint by GPG key material.
++    Gets a GPG key fingerprint (40-digit, 160-bit) by the ASCII armor-encoded
++    or binary GPG key material. Can be used, for example, to generate file
++    names for keys passed via charm options.
++
++    :param key_material: ASCII armor-encoded or binary GPG key material
++    :type key_material: bytes
++    :raises: GPGKeyError if invalid key material has been provided
++    :returns: A GPG key fingerprint
++    :rtype: str
++    """
++    # Use the same gpg command for both Xenial and Bionic
++    cmd = 'gpg --with-colons --with-fingerprint'
++    ps = subprocess.Popen(cmd.split(),
++                          stdout=subprocess.PIPE,
++                          stderr=subprocess.PIPE,
++                          stdin=subprocess.PIPE)
++    out, err = ps.communicate(input=key_material)
++    out = out.decode('utf-8')
++    err = err.decode('utf-8')
++    if 'gpg: no valid OpenPGP data found.' in err:
++        raise GPGKeyError('Invalid GPG key material provided')
++    # from gnupg2 docs: fpr :: Fingerprint (fingerprint is in field 10)
++    return re.search(r"^fpr:{9}([0-9A-F]{40}):$", out, re.MULTILINE).group(1)
++
++
++def _get_key_by_keyid(keyid):
++    """Get a key via HTTPS from the Ubuntu keyserver.
++    Different key ID formats are supported by SKS keyservers (the longer ones
++    are more secure, see "dead beef attack" and https://evil32.com/). Since
++    HTTPS is used, if SSLBump-like HTTPS proxies are in place, they will
++    impersonate keyserver.ubuntu.com and generate a certificate with
++    keyserver.ubuntu.com in the CN field or in SubjAltName fields of a
++    certificate. If such proxy behavior is expected it is necessary to add the
++    CA certificate chain containing the intermediate CA of the SSLBump proxy to
++    every machine that this code runs on via ca-certs cloud-init directive (via
++    cloudinit-userdata model-config) or via other means (such as through a
++    custom charm option). Also note that DNS resolution for the hostname in a
++    URL is done at a proxy server - not at the client side.
++
++    8-digit (32 bit) key ID
++    https://keyserver.ubuntu.com/pks/lookup?search=0x4652B4E6
++    16-digit (64 bit) key ID
++    https://keyserver.ubuntu.com/pks/lookup?search=0x6E85A86E4652B4E6
++    40-digit key ID:
++    https://keyserver.ubuntu.com/pks/lookup?search=0x35F77D63B5CEC106C577ED856E85A86E4652B4E6
++
++    :param keyid: An 8, 16 or 40 hex digit keyid to find a key for
++    :type keyid: (bytes, str)
++    :returns: A key material for the specified GPG key id
++    :rtype: (str, bytes)
++    :raises: subprocess.CalledProcessError
++    """
++    # options=mr - machine-readable output (disables html wrappers)
++    keyserver_url = ('https://keyserver.ubuntu.com'
++                     '/pks/lookup?op=get&options=mr&exact=on&search=0x{}')
++    curl_cmd = ['curl', keyserver_url.format(keyid)]
++    # use proxy server settings in order to retrieve the key
++    return subprocess.check_output(curl_cmd,
++                                   env=env_proxy_settings(['https', 'no_proxy']))
++
++
++def _dearmor_gpg_key(key_asc):
++    """Converts a GPG key in the ASCII armor format to the binary format.
++
++    :param key_asc: A GPG key in ASCII armor format.
++    :type key_asc: (str, bytes)
++    :returns: A GPG key in binary format
++    :rtype: (str, bytes)
++    :raises: GPGKeyError
++    """
++    ps = subprocess.Popen(['gpg', '--dearmor'],
++                          stdout=subprocess.PIPE,
++                          stderr=subprocess.PIPE,
++                          stdin=subprocess.PIPE)
++    out, err = ps.communicate(input=key_asc)
++    # no need to decode output as it is binary (invalid utf-8), only error
++    err = err.decode('utf-8')
++    if 'gpg: no valid OpenPGP data found.' in err:
++        raise GPGKeyError('Invalid GPG key material. Check your network setup'
++                          ' (MTU, routing, DNS) and/or proxy server settings'
++                          ' as well as destination keyserver status.')
++    else:
++        return out
++
++
++def _write_apt_gpg_keyfile(key_name, key_material):
++    """Writes GPG key material into a file at a provided path.
++
++    :param key_name: A key name to use for a key file (could be a fingerprint)
++    :type key_name: str
++    :param key_material: A GPG key material (binary)
++    :type key_material: (str, bytes)
++    """
++    with open('/etc/apt/trusted.gpg.d/{}.gpg'.format(key_name),
++              'wb') as keyf:
++        keyf.write(key_material)
++
++
++def add_source(source, key=None, fail_invalid=False):
      """Add a package source to this system.
      @param source: a URL or sources.list entry, as supported by
@@ -233,95 +647,349 @@
          such as 'cloud:icehouse'
          'distro' may be used as a noop
++    Full list of source specifications supported by the function are:
++
++    'distro': A NOP; i.e. it has no effect.
++    'proposed': the proposed deb spec [2] is wrtten to
++      /etc/apt/sources.list/proposed
++    'distro-proposed': adds <version>-proposed to the debs [2]
++    'ppa:<ppa-name>': add-apt-repository --yes <ppa_name>
++    'deb <deb-spec>': add-apt-repository --yes deb <deb-spec>
++    'http://....': add-apt-repository --yes http://...
++    'cloud-archive:<spec>': add-apt-repository -yes cloud-archive:<spec>
++    'cloud:<release>[-staging]': specify a Cloud Archive pocket <release> with
++      optional staging version.  If staging is used then the staging PPA [2]
++      with be used.  If staging is NOT used then the cloud archive [3] will be
++      added, and the 'ubuntu-cloud-keyring' package will be added for the
++      current distro.
++    '<openstack-version>': translate to cloud:<release> based on the current
++      distro version (i.e. for 'ussuri' this will either be 'bionic-ussuri' or
++      'distro'.
++    '<openstack-version>/proposed': as above, but for proposed.
++
++    Otherwise the source is not recognised and this is logged to the juju log.
++    However, no error is raised, unless sys_error_on_exit is True.
++
++    [1] deb http://ubuntu-cloud.archive.canonical.com/ubuntu {} main
++        where {} is replaced with the derived pocket name.
++    [2] deb http://archive.ubuntu.com/ubuntu {}-proposed \
++        main universe multiverse restricted
++        where {} is replaced with the lsb_release codename (e.g. xenial)
++    [3] deb http://ubuntu-cloud.archive.canonical.com/ubuntu <pocket>
++        to /etc/apt/sources.list.d/cloud-archive-list
++
      @param key: A key to be added to the system's APT keyring and used
      to verify the signatures on packages. Ideally, this should be an
      ASCII format GPG public key including the block headers. A GPG key
      id may also be used, but be aware that only insecure protocols are
      available to retrieve the actual public key from a public keyserver
      placing your Juju environment at risk. ppa and cloud archive keys
--    are securely added automtically, so sould not be provided.
++    are securely added automatically, so should not be provided.
++
++    @param fail_invalid: (boolean) if True, then the function raises a
++    SourceConfigError is there is no matching installation source.
++
++    @raises SourceConfigError() if for cloud:<pocket>, the <pocket> is not a
++    valid pocket in CLOUD_ARCHIVE_POCKETS
      """
++    # extract the OpenStack versions from the CLOUD_ARCHIVE_POCKETS; can't use
++    # the list in contrib.openstack.utils as it might not be included in
++    # classic charms and would break everything.  Having OpenStack specific
++    # code in this file is a bit of an antipattern, anyway.
++    os_versions_regex = "({})".format("|".join(OPENSTACK_RELEASES))
++
++    _mapping = OrderedDict([
++        (r"^distro$", lambda: None),  # This is a NOP
++        (r"^(?:proposed|distro-proposed)$", _add_proposed),
++        (r"^cloud-archive:(.*)$", _add_apt_repository),
++        (r"^((?:deb |http:|https:|ppa:).*)$", _add_apt_repository),
++        (r"^cloud:(.*)-(.*)\/staging$", _add_cloud_staging),
++        (r"^cloud:(.*)-(ovn-.*)$", _add_cloud_distro_check),
++        (r"^cloud:(.*)-(.*)$", _add_cloud_distro_check),
++        (r"^cloud:(.*)$", _add_cloud_pocket),
++        (r"^snap:.*-(.*)-(.*)$", _add_cloud_distro_check),
++        (r"^{}\/proposed$".format(os_versions_regex),
++         _add_bare_openstack_proposed),
++        (r"^{}$".format(os_versions_regex), _add_bare_openstack),
++    ])
      if source is None:
--        log('Source is not present. Skipping')
--        return
--
--    if (source.startswith('ppa:') or
--        source.startswith('http') or
--        source.startswith('deb ') or

Juju Charms Collectionconn-check package