aboutsummaryrefslogtreecommitdiffstats
path: root/mcp/patches/0011-system.repo-Debian-Add-keyserver-proxy-support.patch
blob: cf6009107dcfe29f33351934b6bf04924594542f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
: Copyright (c) 2017 Mirantis Inc., Enea AB and others.
:
: All rights reserved. This program and the accompanying materials
: are made available under the terms of the Apache License, Version 2.0
: which accompanies this distribution, and is available at
: http://www.apache.org/licenses/LICENSE-2.0
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
From: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
Date: Mon, 22 Jan 2018 00:28:09 +0100
Subject: [PATCH] system.repo: Debian: Add keyserver proxy support

Introduce a new, optional set of parameters to configure the proxy
used for key fetching / keyserver access under:
linux:system:proxy:keyserver:http(s).

Previously, when fetching GPG keys for APT keyring, either using
public key download & import (as for default repos) or via keyserver,
we relied on simple `curl` calls or passed it down to Salt aptpkg
module.
To be able to retrieve APT keys behind a proxy, one used to have to
configure the proxy for the Salt minion, which does not yet have
`no_proxy` support (either *all* or *no* traffic hits the proxy).

When the new http(s) proxy param is set:
- no longer pass key configuration to Salt aptpkg (until it properly
  supports `no_proxy`);
- handle all keys explicitly with `curl` and `apt-key`;
- set 'http(s)_proxy' env vars for `cmd.run`/`cmd.wait` calls;

If linux:system:proxy:keyserver is not defined, the behavior is
unchanged for backwards compatibility.

To allow runtime decisions whether the keyserver proxy should be used
add an additional condition for it to match the first nameserver.
This allows us to mix virtual nodes with MaaS-provisioned nodes in
Fuel@OPNFV, while keeping the ext_pillar common.

Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
---
 README.rst            | 16 ++++++++++++++++
 linux/system/repo.sls | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)

diff --git a/linux/system/repo.sls b/linux/system/repo.sls
--- a/linux/system/repo.sls
+++ b/linux/system/repo.sls
@@ -96,13 +96,50 @@ linux_repo_{{ name }}_key:
     - name: "curl -s {{ repo.key_url }} | apt-key add -"
     - watch:
       - file: default_repo_list
+{%- if system.proxy.keyserver is defined and grains['dns']['nameservers'][0] in system.proxy.keyserver.http %}
+    - env:
+      - http_proxy: {{ system.proxy.get('keyserver', {}).get('http', '') }}
+      - https_proxy: {{ system.proxy.get('keyserver', {}).get('https', '') }}
+{%- endif %}

 {%- endif %}

+{#- repo.default is false #}
 {%- else %}

 {%- if repo.get('enabled', True) %}

+{%- if system.proxy.keyserver is defined and grains['dns']['nameservers'][0] in system.proxy.keyserver.http %}
+
+{%- if repo.get('key') %}
+
+linux_repo_{{ name }}_key:
+  cmd.run:
+    - name: "echo '{{ repo.key }}' | apt-key add -"
+
+{%- elif repo.key_url|default(False) %}
+
+linux_repo_{{ name }}_key:
+  cmd.run:
+    - name: "curl -s {{ repo.key_url }} | apt-key add -"
+    - env:
+      - http_proxy: {{ system.proxy.get('keyserver', {}).get('http', '') }}
+      - https_proxy: {{ system.proxy.get('keyserver', {}).get('https', '') }}
+
+{%- elif repo.key_id is defined and repo.key_server is defined %}
+
+linux_repo_{{ name }}_key:
+  cmd.run:
+    - name: "apt-key adv --keyserver {{ repo.key_server }} --recv {{ repo.key_id }}"
+    - env:
+      - http_proxy: {{ system.proxy.get('keyserver', {}).get('http', '') }}
+      - https_proxy: {{ system.proxy.get('keyserver', {}).get('https', '') }}
+
+{%- endif %}
+
+{#- system.proxy.keyserver #}
+{%- endif %}
+
 linux_repo_{{ name }}:
   pkgrepo.managed:
   {%- if repo.ppa is defined %}
@@ -115,6 +152,7 @@ linux_repo_{{ name }}:
   {%- endif %}
   - file: /etc/apt/sources.list.d/{{ name }}.list
   - clean_file: {{ repo.clean|default(True) }}
+  {%- if system.proxy.keyserver is not defined or grains['dns']['nameservers'][0] not in system.proxy.keyserver.http %}
   {%- if repo.key_id is defined %}
   - keyid: {{ repo.key_id }}
   {%- endif %}
@@ -124,6 +162,7 @@ linux_repo_{{ name }}:
   {%- if repo.key_url is defined %}
   - key_url: {{ repo.key_url }}
   {%- endif %}
+  {%- endif %}
   - consolidate: {{ repo.get('consolidate', False) }}
   - clean_file: {{ repo.get('clean_file', False) }}
   - refresh_db: {{ repo.get('refresh_db', True) }}
@@ -140,6 +179,7 @@ linux_repo_{{ name }}:
   {%- endif %}
   {%- endif %}

+{#- repo.enabled is false #}
 {%- else %}

 linux_repo_{{ name }}_absent: