diff options
| author |   Alexandru Avadanii <Alexandru.Avadanii@enea.com> | 2018-01-22 02:10:03 +0100 |
|---|---|---|
| committer | Alexandru Avadanii <Alexandru.Avadanii@enea.com> | 2018-01-22 03:03:51 +0100 |
| commit | 6ab6935577900e598ca60aaed14d2e73f7b1633f (patch) | |
| tree | d754301c5bcf389108922ab7737e8da7e2e7aa4b /mcp/patches | |
| parent | d06bcfb72c44b507c3efee4de00f415869f48450 (diff) | |
[patch] system.repo: Add keyserver proxy support
Instead of defining a http proxy for all salt-minion traffic, which
also includes some Openstack API accesses we can't filter (no_proxy
is not yet supported), add & leverage support for proxy configuration
during APT keyserver access / key download.
JIRA: FUEL-331
Change-Id: I9470807633596c610cfafb141b139ddda2ff096b
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
Diffstat (limited to 'mcp/patches')
| -rw-r--r-- | mcp/patches/0011-system.repo-Debian-Add-keyserver-proxy-support.patch | 108 | ||||
| -rw-r--r-- | mcp/patches/patches.list | 1 |
2 files changed, 109 insertions, 0 deletions
diff --git a/mcp/patches/0011-system.repo-Debian-Add-keyserver-proxy-support.patch b/mcp/patches/0011-system.repo-Debian-Add-keyserver-proxy-support.patch new file mode 100644 index 000000000..8fb9bafe7 --- /dev/null +++ b/mcp/patches/0011-system.repo-Debian-Add-keyserver-proxy-support.patch @@ -0,0 +1,108 @@ +From: Alexandru Avadanii <Alexandru.Avadanii@enea.com> +Date: Mon, 22 Jan 2018 00:28:09 +0100 +Subject: [PATCH] system.repo: Debian: Add keyserver proxy support + +Introduce a new, optional set of parameters to configure the proxy +used for key fetching / keyserver access under: +linux:system:proxy:keyserver:http(s). + +Previously, when fetching GPG keys for APT keyring, either using +public key download & import (as for default repos) or via keyserver, +we relied on simple `curl` calls or passed it down to Salt aptpkg +module. +To be able to retrieve APT keys behind a proxy, one used to have to +configure the proxy for the Salt minion, which does not yet have +`no_proxy` support (either *all* or *no* traffic hits the proxy). + +When the new http(s) proxy param is set: +- no longer pass key configuration to Salt aptpkg (until it properly + supports `no_proxy`); +- handle all keys explicitly with `curl` and `apt-key`; +- set 'http(s)_proxy' env vars for `cmd.run`/`cmd.wait` calls; + +If linux:system:proxy:keyserver is not defined, the behavior is +unchanged for backwards compatibility. + +Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com> +--- + README.rst | 16 ++++++++++++++++ + linux/system/repo.sls | 38 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 54 insertions(+) + +diff --git a/linux/system/repo.sls b/linux/system/repo.sls +index 5d4d059..964db3f 100644 +--- a/linux/system/repo.sls ++++ b/linux/system/repo.sls +@@ -96,13 +96,48 @@ linux_repo_{{ name }}_key: + - name: "curl -s {{ repo.key_url }} | apt-key add -" + - watch: + - file: default_repo_list ++ - env: ++ - http_proxy: {{ system.proxy.get('keyserver', {}).get('http', None) }} ++ - https_proxy: {{ system.proxy.get('keyserver', {}).get('https', None) }} + + {%- endif %} + ++{#- repo.default is false #} + {%- else %} + + {%- if repo.get('enabled', True) %} + ++{%- if system.proxy.keyserver is defined %} ++ ++{%- if repo.get('key') %} ++ ++linux_repo_{{ name }}_key: ++ cmd.run: ++ - name: "echo '{{ repo.key }}' | apt-key add -" ++ ++{%- elif repo.key_url|default(False) %} ++ ++linux_repo_{{ name }}_key: ++ cmd.run: ++ - name: "curl -s {{ repo.key_url }} | apt-key add -" ++ - env: ++ - http_proxy: {{ system.proxy.get('keyserver', {}).get('http', None) }} ++ - https_proxy: {{ system.proxy.get('keyserver', {}).get('https', None) }} ++ ++{%- elif repo.key_id is defined and repo.key_server is defined %} ++ ++linux_repo_{{ name }}_key: ++ cmd.run: ++ - name: "apt-key adv --keyserver {{ repo.key_server }} --recv {{ repo.key_id }}" ++ - env: ++ - http_proxy: {{ system.proxy.get('keyserver', {}).get('http', None) }} ++ - https_proxy: {{ system.proxy.get('keyserver', {}).get('https', None) }} ++ ++{%- endif %} ++ ++{#- system.proxy.keyserver #} ++{%- endif %} ++ + linux_repo_{{ name }}: + pkgrepo.managed: + {%- if repo.ppa is defined %} +@@ -115,6 +150,7 @@ linux_repo_{{ name }}: + {%- endif %} + - file: /etc/apt/sources.list.d/{{ name }}.list + - clean_file: {{ repo.clean|default(True) }} ++ {%- if system.proxy.keyserver is not defined %} + {%- if repo.key_id is defined %} + - keyid: {{ repo.key_id }} + {%- endif %} +@@ -124,6 +160,7 @@ linux_repo_{{ name }}: + {%- if repo.key_url is defined %} + - key_url: {{ repo.key_url }} + {%- endif %} ++ {%- endif %} + - consolidate: {{ repo.get('consolidate', False) }} + - clean_file: {{ repo.get('clean_file', False) }} + - refresh_db: {{ repo.get('refresh_db', True) }} +@@ -140,6 +177,7 @@ linux_repo_{{ name }}: + {%- endif %} + {%- endif %} + ++{#- repo.enabled is false #} + {%- else %} + + linux_repo_{{ name }}_absent: diff --git a/mcp/patches/patches.list b/mcp/patches/patches.list index 284f1bcec..1b3bfeab0 100644 --- a/mcp/patches/patches.list +++ b/mcp/patches/patches.list @@ -15,4 +15,5 @@ /usr/share/salt-formulas/env: 0008-Handle-file_recv-option.patch /usr/share/salt-formulas/env: 0009-controller-Use-keystoneclient-to-check-project-ID.patch /usr/share/salt-formulas/env: 0010-maas-region-allow-timeout-override.patch +/usr/share/salt-formulas/env: 0011-system.repo-Debian-Add-keyserver-proxy-support.patch /usr/share/salt-formulas/env: 0012-linux.storage.lvm-Disable-filter.patch |