Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/nat.py1
-rwxr-xr-xsrc/conf_mode/pki.py4
-rw-r--r--src/etc/systemd/system/certbot.service.d/10-override.conf7
-rwxr-xr-xsrc/helpers/teardown-config-session.py3
-rwxr-xr-xsrc/op_mode/image_installer.py11
-rwxr-xr-xsrc/op_mode/pki.py15
-rwxr-xr-xsrc/services/vyos-commitd4
7 files changed, 31 insertions, 14 deletions
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index a938021ba..564438237 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -23,7 +23,6 @@ from vyos.base import Warning
from vyos.config import Config
from vyos.configdep import set_dependents, call_dependents
from vyos.template import render
-from vyos.template import is_ip_network
from vyos.utils.kernel import check_kmod
from vyos.utils.dict import dict_search
from vyos.utils.dict import dict_search_args
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
index 7d01b6642..6522a3897 100755
--- a/src/conf_mode/pki.py
+++ b/src/conf_mode/pki.py
@@ -144,7 +144,7 @@ def certbot_request(name: str, config: dict, dry_run: bool=True):
# When ACME is used behind a reverse proxy, we always bind to localhost
# whatever the CLI listen-address is configured for.
- if ('haproxy' in dict_search('used_by', config) and
+ if ('used_by' in config and 'haproxy' in config['used_by'] and
is_systemd_service_running(systemd_services['haproxy']) and
not check_port_availability(listen_address, 80)):
tmp += f' --http-01-address 127.0.0.1 --http-01-port {internal_ports["certbot_haproxy"]}'
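Review bot: The new guard `'used_by' in config and 'haproxy' in config['used_by']` still raises TypeError if `used_by` is present but holds None, which is presumably the same failure the replaced `dict_search` call produced when the key was missing. `'haproxy' in (config.get('used_by') or [])` covers the missing, None and empty cases in one expression. The comment above the condition says the listener is always bound to localhost behind a reverse proxy, but the branch only runs when the haproxy service is running and port 80 is unavailable on `listen_address`; the comment should state those conditions. certbot_request starts and ends outside the hunk.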
@@ -551,7 +551,7 @@ def generate(pki):
if not ca_cert_present:
tmp = dict_search_args(pki, 'ca', f'{autochain_prefix}{cert}', 'certificate')
if not bool(tmp) or tmp != cert_chain_base64:
- Message(f'Add/replace automatically imported CA certificate for "{cert}"...')
+ Message(f'Add/replace automatically imported CA certificate for "{cert}" ...')
add_cli_node(['pki', 'ca', f'{autochain_prefix}{cert}', 'certificate'], value=cert_chain_base64)
return None
diff --git a/src/etc/systemd/system/certbot.service.d/10-override.conf b/src/etc/systemd/system/certbot.service.d/10-override.conf
deleted file mode 100644
index 542f77eb2..000000000
--- a/src/etc/systemd/system/certbot.service.d/10-override.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-[Unit]
-After=
-After=vyos-router.service
-
-[Service]
-ExecStart=
-ExecStart=/usr/bin/certbot renew --config-dir /config/auth/letsencrypt --no-random-sleep-on-renew --post-hook "/usr/libexec/vyos/vyos-certbot-renew-pki.sh"
diff --git a/src/helpers/teardown-config-session.py b/src/helpers/teardown-config-session.py
index c94876924..8d13e34cb 100755
--- a/src/helpers/teardown-config-session.py
+++ b/src/helpers/teardown-config-session.py
@@ -13,11 +13,8 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-#
import sys
-import os
from vyos.vyconf_session import VyconfSession
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index 27371a18f..d1f670ae9 100755
--- a/src/op_mode/image_installer.py
+++ b/src/op_mode/image_installer.py
@@ -19,7 +19,7 @@
from argparse import ArgumentParser, Namespace
from pathlib import Path
-from shutil import copy, chown, rmtree, copytree
+from shutil import copy, chown, rmtree, copytree, disk_usage
from glob import glob
from sys import exit
from os import environ
@@ -62,6 +62,7 @@ from vyos.version import get_version_data
# define text messages
MSG_ERR_NOT_LIVE: str = 'The system is already installed. Please use "add system image" instead.'
MSG_ERR_LIVE: str = 'The system is in live-boot mode. Please use "install image" instead.'
+MSG_ERR_NOT_ENOUGH_SPACE: str = 'Image upgrade requires at least 2GB of free drive space.'
MSG_ERR_NO_DISK: str = 'No suitable disk was found. There must be at least one disk of 2GB or greater size.'
MSG_ERR_IMPROPER_IMAGE: str = 'Missing sha256sum.txt.\nEither this image is corrupted, or of era 1.2.x (md5sum) and would downgrade image tools;\ndisallowed in either case.'
MSG_ERR_INCOMPATIBLE_IMAGE: str = 'Image compatibility check failed, aborting installation.'
@@ -976,6 +977,14 @@ def add_image(image_path: str, vrf: str = None, username: str = '',
if image.is_live_boot():
exit(MSG_ERR_LIVE)
+ # Trying to upgrade with insufficient space can break the system.
+ # It's better to be on the safe side:
+ # our images are a bit below 1G,
+ # so one gigabyte to download the image plus one more to install it
+ # sounds like a sensible estimate.
+ if disk_usage('/').free < (2 * 1024**3):
+ exit(MSG_ERR_NOT_ENOUGH_SPACE)
+
environ['REMOTE_USERNAME'] = username
environ['REMOTE_PASSWORD'] = password
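Review bot: The free-space check in add_image measures `/` only, and the hunk does not show whether the image is downloaded and unpacked on that filesystem; if either step writes to a different mount, the check can pass while the real target is full. The threshold also appears twice, as `2 * 1024**3` here and as the literal "2GB" in MSG_ERR_NOT_ENOUGH_SPACE, so a named constant such as `MIN_FREE_SPACE_BYTES: int = 2 * 1024**3` next to the message would keep the two in step. The reading is a point-in-time value, so the later download and install steps still need to fail cleanly when a write runs out of space. add_image's body continues outside the hunk.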
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py
index 49a461e9e..d928bd325 100755
--- a/src/op_mode/pki.py
+++ b/src/op_mode/pki.py
@@ -1373,6 +1373,21 @@ def show_all(raw: bool):
print('\n')
show_crl(raw)
+def renew_certbot(raw: bool, force: typing.Optional[bool] = False):
+ from vyos.defaults import directories
+
+ certbot_config = directories['certbot']
+ hook_dir = directories['base']
+
+ tmp = f'/usr/bin/certbot renew --no-random-sleep-on-renew ' \
+ f'--config-dir "{certbot_config}" ' \
+ f'--post-hook "{hook_dir}/vyos-certbot-renew-pki.sh"'
+ if force:
+ tmp += ' --force-renewal'
+
+ out = cmd(tmp)
+ if not raw:
+ print(out)
if __name__ == '__main__':
try:
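Review bot: renew_certbot assembles the certbot command as one string and wraps both paths in literal double quotes, which holds only while `directories['certbot']` and `directories['base']` contain no quote, `$` or backtick characters. Both values come from vyos.defaults rather than from the caller, so this is hardening rather than an input-handling bug; `shlex.quote(certbot_config)` and `shlex.quote(f'{hook_dir}/vyos-certbot-renew-pki.sh')` would make the command independent of the path contents (shlex needs importing if the file does not already have it). When `raw` is true the output of `cmd(tmp)` is discarded and nothing is returned, which looks unintended for a raw-mode caller. The function has no docstring; one sentence saying that it runs `certbot renew` against the VyOS certbot directory and that `force` adds `--force-renewal`, which counts against the CA's issuance rate limits, would help operators.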
diff --git a/src/services/vyos-commitd b/src/services/vyos-commitd
index e7f2d82c7..d67b44931 100755
--- a/src/services/vyos-commitd
+++ b/src/services/vyos-commitd
@@ -42,6 +42,7 @@ from vyos.defaults import directories
from vyos.utils.boot import boot_configuration_complete
from vyos.configsource import ConfigSourceCache
from vyos.configsource import ConfigSourceError
+from vyos.configdiff import get_commit_scripts
from vyos.config import Config
from vyos.frrender import FRRender
from vyos.frrender import get_frrender_dict
@@ -230,6 +231,9 @@ def initialization(session: Session) -> Session:
dependent_func: dict[str, list[typing.Callable]] = {}
setattr(config, 'dependent_func', dependent_func)
+ commit_scripts = get_commit_scripts(config)
+ logger.debug(f'commit_scripts: {commit_scripts}')
+
scripts_called = []
setattr(config, 'scripts_called', scripts_called)