IIUC that's the same as adding 'em to the basefile. Every time an install errors out, basefile/nfsroot must be regenerated to include updated root certs. Error prone and time consuming.
I'm now trying to understand:
1) who is copying the whole /etc/apt/sources.list.d during task_repository, to disable salt.list
2) initialize salt repo with a script later in the configuration phase, when packages (including ca-certificates) are already installed

Point 1 is really unexpected and shouldn't happen by default. Currently ruling out it gets done by one of my scripts. Just to be sure:
fcopy /etc/apt/sources
does *not* touch /etc/apt/sources.list.d/, right?

Diego

On 17/01/2024 17:10, Markus Köberl wrote:
On Wednesday, 17 January 2024 16:13:02 CET Diego Zuccato wrote:
On 17/01/2024 14:15, Carsten Aulbert wrote:
How can I have ca-certificates installed when the repository gets added?

I think you could either add it into your basefile

Thought that, but would require regular maintenance, regenerating
basefile every time ca-certificates is updated.

or add it to your
hook to install ca-certificates from Debian first.

That would be the perfect solution.

Does that make sense?

Sure it does. I just have to understand how to do it the correct way :)

First issue (that deranged me): I forgot to set SALT class for the
test-fai host, but files/etc/apt/sources.list.d/salt.list/BOOKWORM got
copied anyway... some script is fcopy-ing more than expected...
Fixed (partially) the first issue, hooks/repository.SALT (the one that
should create salt.list file...) finally got called and attempted to
install ca-certificate. But it failed. Seems I'm attempting to install
it too soon.
Uff. Work for tomorrow...

Tks for all the hints!

I have on the fai server in /etc/fai/nfsroot.conf:

FAI_DEBOOTSTRAP_OPTS="--include=ca-certificates,apt-transport-https"

and /etc/fai/nfsroot-hooks/ca-certificates:

# load definition of ${NFSROOT}
. /etc/fai/nfsroot.conf
mkdir -p "${NFSROOT}/usr/local/share/ca-certificates"
# install the site's intermediate CA certificates into the nfsroot
cp /etc/fai/nfsroot-hooks/ComodoIntermediateCertificates.crt \
    "${NFSROOT}/usr/local/share/ca-certificates/ComodoIntermediateCertificates.crt"
# rebuild the trust bundle inside the nfsroot
chroot "${NFSROOT}" update-ca-certificates


regards
Markus Köberl

--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
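
Added example (not part of the thread and not FAI's own code): a check that could run at the end of an nfsroot hook like the one quoted above, or against any other root tree, to confirm that each local CA certificate actually landed in the trust bundle before an HTTPS repository is used. `check_root_ca` and `make_sample_root` are hypothetical names, the sample tree is constructed, and the standard Debian ca-certificates layout is assumed.

```shell
#!/bin/sh
# Added example: verify that every local CA certificate placed under
# ROOT/usr/local/share/ca-certificates ended up in the trust bundle that
# update-ca-certificates writes (standard Debian layout, assumed here).
# check_root_ca is a hypothetical helper name. It compares the first base64
# line of each PEM block as text; it is not a cryptographic verification.

check_root_ca() {
    root=$1
    bundle="$root/etc/ssl/certs/ca-certificates.crt"
    if [ ! -s "$bundle" ]; then
        echo "bundle missing or empty: $bundle" >&2
        return 2
    fi
    rc=0
    for crt in "$root"/usr/local/share/ca-certificates/*.crt; do
        [ -e "$crt" ] || continue
        # One line per PEM block (an intermediates file may hold several).
        heads=$(awk '/^-----BEGIN CERTIFICATE-----/ { getline; print }' "$crt" | tr -d '\r')
        if [ -z "$heads" ]; then
            echo "no PEM certificate in $crt" >&2
            rc=1
            continue
        fi
        for h in $heads; do
            grep -qxF -- "$h" "$bundle" || { echo "not in bundle: $crt" >&2; rc=1; }
        done
    done
    return $rc
}

# Constructed sample tree (fake base64 bodies, not real certificates).
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/usr/local/share/ca-certificates" "$r/etc/ssl/certs"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIFAKEaaaa1111' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'MIIFAKEbbbb2222' '-----END CERTIFICATE-----' \
        > "$r/usr/local/share/ca-certificates/site-intermediates.crt"
    echo "$r"
}
```

Calling `check_root_ca "$NFSROOT"` right after `update-ca-certificates` makes the hook fail loudly (exit status 1 or 2) instead of surfacing later as an apt TLS error during an install.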