:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : Copyright (c) 2018 Mirantis Inc., Enea AB and others. : : All rights reserved. This program and the accompanying materials : are made available under the terms of the Apache License, Version 2.0 : which accompanies this distribution, and is available at : http://www.apache.org/licenses/LICENSE-2.0 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: From: Alexandru Avadanii Date: Mon, 22 Jan 2018 00:28:09 +0100 Subject: [PATCH] system.repo: Debian: Add keyserver proxy support Introduce a new, optional set of parameters to configure the proxy used for key fetching / keyserver access under: linux:system:proxy:keyserver:http(s). Previously, when fetching GPG keys for APT keyring, either using public key download & import (as for default repos) or via keyserver, we relied on simple `curl` calls or passed it down to Salt aptpkg module. To be able to retrieve APT keys behind a proxy, one used to have to configure the proxy for the Salt minion, which does not yet have `no_proxy` support (either *all* or *no* traffic hits the proxy). When the new http(s) proxy param is set: - no longer pass key configuration to Salt aptpkg (until it properly supports `no_proxy`); - handle all keys explicitly with `curl` and `apt-key`; - set 'http(s)_proxy' env vars for `cmd.run`/`cmd.wait` calls; If linux:system:proxy:keyserver is not defined, the behavior is unchanged for backwards compatibility. To allow runtime decisions whether the keyserver proxy should be used add an additional condition for it to match the first nameserver. This allows us to mix virtual nodes with MaaS-provisioned nodes in Fuel@OPNFV, while keeping the ext_pillar common. Signed-off-by: Alexandru Avadanii --- README.rst | 16 ++++++++++++++++ linux/system/repo.sls | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+) diff --git a/linux/system/repo.sls b/linux/system/repo.sls --- a/linux/system/repo.sls +++ b/linux/system/repo.sls @@ -96,13 +96,50 @@ linux_repo_{{ name }}_key: - name: "curl -s {{ repo.key_url }} | apt-key add -" - watch: - file: default_repo_list +{%- if system.proxy.keyserver is defined and grains['dns']['nameservers'][0] in system.proxy.keyserver.http %} + - env: + - http_proxy: {{ system.proxy.get('keyserver', {}).get('http', '') }} + - https_proxy: {{ system.proxy.get('keyserver', {}).get('https', '') }} +{%- endif %} {%- endif %} +{#- repo.default is false #} {%- else %} {%- if repo.get('enabled', True) %} +{%- if system.proxy.keyserver is defined and grains['dns']['nameservers'][0] in system.proxy.keyserver.http %} + +{%- if repo.get('key') %} + +linux_repo_{{ name }}_key: + cmd.run: + - name: "echo '{{ repo.key }}' | apt-key add -" + +{%- elif repo.key_url|default(False) %} + +linux_repo_{{ name }}_key: + cmd.run: + - name: "curl -s {{ repo.key_url }} | apt-key add -" + - env: + - http_proxy: {{ system.proxy.get('keyserver', {}).get('http', '') }} + - https_proxy: {{ system.proxy.get('keyserver', {}).get('https', '') }} + +{%- elif repo.key_id is defined and repo.key_server is defined %} + +linux_repo_{{ name }}_key: + cmd.run: + - name: "apt-key adv --keyserver {{ repo.key_server }} --recv {{ repo.key_id }}" + - env: + - http_proxy: {{ system.proxy.get('keyserver', {}).get('http', '') }} + - https_proxy: {{ system.proxy.get('keyserver', {}).get('https', '') }} + +{%- endif %} + +{#- system.proxy.keyserver #} +{%- endif %} + linux_repo_{{ name }}: pkgrepo.managed: {%- if repo.ppa is defined %} @@ -115,6 +152,7 @@ linux_repo_{{ name }}: {%- endif %} - file: /etc/apt/sources.list.d/{{ name }}.list - clean_file: {{ repo.clean|default(True) }} + {%- if system.proxy.keyserver is not defined or grains['dns']['nameservers'][0] not in system.proxy.keyserver.http %} {%- if repo.key_id is defined %} - keyid: {{ repo.key_id }} {%- endif %} @@ -124,6 +162,7 @@ linux_repo_{{ name }}: {%- if repo.key_url is defined %} - key_url: {{ repo.key_url }} {%- endif %} + {%- endif %} - consolidate: {{ repo.get('consolidate', False) }} - clean_file: {{ repo.get('clean_file', False) }} - refresh_db: {{ repo.get('refresh_db', True) }} @@ -140,6 +179,7 @@ linux_repo_{{ name }}: {%- endif %} {%- endif %} +{#- repo.enabled is false #} {%- else %} linux_repo_{{ name }}_absent: