:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : Copyright (c) 2017 Mirantis Inc., Enea AB and others. : : All rights reserved. This program and the accompanying materials : are made available under the terms of the Apache License, Version 2.0 : which accompanies this distribution, and is available at : http://www.apache.org/licenses/LICENSE-2.0 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: From: Alexandru Avadanii Date: Mon, 22 Jan 2018 00:28:09 +0100 Subject: [PATCH] system.repo: Debian: Add keyserver proxy support Introduce a new, optional set of parameters to configure the proxy used for key fetching / keyserver access under: linux:system:proxy:keyserver:http(s). Previously, when fetching GPG keys for APT keyring, either using public key download & import (as for default repos) or via keyserver, we relied on simple `curl` calls or passed it down to Salt aptpkg module. To be able to retrieve APT keys behind a proxy, one used to have to configure the proxy for the Salt minion, which does not yet have `no_proxy` support (either *all* or *no* traffic hits the proxy). When the new http(s) proxy param is set: - no longer pass key configuration to Salt aptpkg (until it properly supports `no_proxy`); - handle all keys explicitly with `curl` and `apt-key`; - set 'http(s)_proxy' env vars for `cmd.run`/`cmd.wait` calls; If linux:system:proxy:keyserver is not defined, the behavior is unchanged for backwards compatibility. Signed-off-by: Alexandru Avadanii --- README.rst | 16 ++++++++++++++++ linux/system/repo.sls | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+) diff --git a/linux/system/repo.sls b/linux/system/repo.sls index 5d4d059..724db5a 100644 --- a/linux/system/repo.sls +++ b/linux/system/repo.sls @@ -96,13 +96,50 @@ linux_repo_{{ name }}_key: - name: "curl -s {{ repo.key_url }} | apt-key add -" - watch: - file: default_repo_list +{%- if system.proxy.keyserver is defined %} + - env: + - http_proxy: {{ system.proxy.get('keyserver', {}).get('http', '') }} + - https_proxy: {{ system.proxy.get('keyserver', {}).get('https', '') }} +{%- endif %} {%- endif %} +{#- repo.default is false #} {%- else %} {%- if repo.get('enabled', True) %} +{%- if system.proxy.keyserver is defined %} + +{%- if repo.get('key') %} + +linux_repo_{{ name }}_key: + cmd.run: + - name: "echo '{{ repo.key }}' | apt-key add -" + +{%- elif repo.key_url|default(False) %} + +linux_repo_{{ name }}_key: + cmd.run: + - name: "curl -s {{ repo.key_url }} | apt-key add -" + - env: + - http_proxy: {{ system.proxy.get('keyserver', {}).get('http', '') }} + - https_proxy: {{ system.proxy.get('keyserver', {}).get('https', '') }} + +{%- elif repo.key_id is defined and repo.key_server is defined %} + +linux_repo_{{ name }}_key: + cmd.run: + - name: "apt-key adv --keyserver {{ repo.key_server }} --recv {{ repo.key_id }}" + - env: + - http_proxy: {{ system.proxy.get('keyserver', {}).get('http', '') }} + - https_proxy: {{ system.proxy.get('keyserver', {}).get('https', '') }} + +{%- endif %} + +{#- system.proxy.keyserver #} +{%- endif %} + linux_repo_{{ name }}: pkgrepo.managed: {%- if repo.ppa is defined %} @@ -115,6 +152,7 @@ linux_repo_{{ name }}: {%- endif %} - file: /etc/apt/sources.list.d/{{ name }}.list - clean_file: {{ repo.clean|default(True) }} + {%- if system.proxy.keyserver is not defined %} {%- if repo.key_id is defined %} - keyid: {{ repo.key_id }} {%- endif %} @@ -124,6 +162,7 @@ linux_repo_{{ name }}: {%- if repo.key_url is defined %} - key_url: {{ repo.key_url }} {%- endif %} + {%- endif %} - consolidate: {{ repo.get('consolidate', False) }} - clean_file: {{ repo.get('clean_file', False) }} - refresh_db: {{ repo.get('refresh_db', True) }} @@ -140,6 +179,7 @@ linux_repo_{{ name }}: {%- endif %} {%- endif %} +{#- repo.enabled is false #} {%- else %} linux_repo_{{ name }}_absent: