Re: Accessing external https repo during install

2024-01-18 Thread Diego Zuccato
That wouldn't work, since salt.list is copied too early, before the 
first update, so the update fails (well, it ignores the repo but logs an 
error in error.log) because it can't authenticate the external repo (it 
misses ca-certificates, but to install ca-certificates it needs to 
update the repositories... circular dependency).


Diego

On 18/01/2024 11:50, Andrew Ruthven wrote:
> On Wed, 2024-01-17 at 17:10 +0100, Markus Köberl wrote:
>> FAI_DEBOOTSTRAP_OPTS="--include=ca-certificates,apt-transport-https"
>
> Hey,
>
> My approach for this kind of thing is to have a hook that installs
> ca-certificates. Probably updatebase.SALT - or better,
> updatebase.CACERTIFICATES and have SALT set CACERTIFICATES
>
> Cheers,
> Andrew



--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786


Re: Accessing external https repo during install

2024-01-18 Thread Andrew Ruthven
On Wed, 2024-01-17 at 17:10 +0100, Markus Köberl wrote:
> FAI_DEBOOTSTRAP_OPTS="--include=ca-certificates,apt-transport-https"

Hey,

My approach for this kind of thing is to have a hook that installs
ca-certificates. Probably updatebase.SALT - or better,
updatebase.CACERTIFICATES and have SALT set CACERTIFICATES

Cheers,
Andrew

-- 
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz |
Catalyst Cloud:   | This space intentionally left blank
 https://catalystcloud.nz |



Re: Accessing external https repo during install

2024-01-18 Thread Diego Zuccato

Seems the copy is done by line 1115 of usr/lib/fai/subroutines:
fcopy -SBMir /etc/apt # copy all other apt config files from the config space
It probably should be documented, especially since docs currently state 
that files under files/ are not copied automatically but require an 
fcopy. Or I just missed the special treatment of sources.list.d ...


Now I have commented the repo definitions in sources.list.d/salt.list 
and uncomment 'em from hooks/configure.SALT :

-8<--
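#! /bin/bash

# Re-enable the repo definitions that were shipped commented out
sed -i 's/^#//' "$target/etc/apt/sources.list.d/salt.list"
# Copy the minion configuration from the config space
fcopy -r /etc/salt/minion.d/

# ca-certificates is installed by now, so the https repo can be verified
$ROOTCMD apt-get update
$ROOTCMD apt-get install -y salt-minion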
-8<--

Finally it seems to work as expected.

Thanks again!

Diego

On 18/01/2024 08:23, Diego Zuccato wrote:
> IIUC that's the same as adding 'em to the basefile. Every time an
> install errors out, basefile/nfsroot must be regenerated to include
> updated root certs. Error prone and time consuming.
>
> I'm now trying to understand:
> 1) who is copying the whole /etc/apt/sources.list.d during
> task_repository, to disable salt.list
> 2) initialize salt repo with a script later in the configuration phase,
> when packages (including ca-certificates) are already installed
>
> Point 1 is really unexpected and shouldn't happen by default. Currently
> ruling out it gets done by one of my scripts. Just to be sure:
>
> fcopy /etc/apt/sources
> does *not* touch /etc/apt/sources.list.d/, right?
>
> Diego
>
> On 17/01/2024 17:10, Markus Köberl wrote:
>> On Wednesday, 17 January 2024 16:13:02 CET Diego Zuccato wrote:
>>> On 17/01/2024 14:15, Carsten Aulbert wrote:
>>>>> How can I have ca-certificates installed when the repository gets
>>>>> added?
>>>>
>>>> I think you could either add it into your basefile
>>>
>>> Thought that, but would require regular maintenance, regenerating
>>> basefile every time ca-certificates is updated.
>>>
>>>> or add it to your
>>>> hook to install ca-certificates from Debian first.
>>>
>>> That would be the perfect solution.
>>>
>>>> Does that make sense?
>>>
>>> Sure it does. I just have to understand how to do it the correct way :)
>>>
>>> First issue (that deranged me): I forgot to set SALT class for the
>>> test-fai host, but files/etc/apt/sources.list.d/salt.list/BOOKWORM got
>>> copied anyway... some script is fcopy-ing more than expected...
>>> Fixed (partially) the first issue, hooks/repository.SALT (the one that
>>> should create salt.list file...) finally got called and attempted to
>>> install ca-certificate. But it failed. Seems I'm attempting to install
>>> it too soon.
>>> Uff. Work for tomorrow...
>>>
>>> Tks for all the hints!
>>
>> I have on the fai server in /etc/fai/nfsroot.conf:
>>
>> FAI_DEBOOTSTRAP_OPTS="--include=ca-certificates,apt-transport-https"
>>
>> and /etc/fai/nfsroot-hooks/ca-certificates:
>>
>> # load definition of ${NFSROOT}
>> . /etc/fai/nfsroot.conf
>> mkdir -p ${NFSROOT}/usr/local/share/ca-certificates
>> cp /etc/fai/nfsroot-hooks/ComodoIntermediateCertificates.crt \
>>    ${NFSROOT}/usr/local/share/ca-certificates/ComodoIntermediateCertificates.crt
>> chroot $NFSROOT update-ca-certificates
>>
>> regards
>> Markus Köberl



--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
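
A guarded variant of the configure.SALT hook in the message above, as an added example that is not part of the thread: it uncomments only the https "deb" lines of the list and refuses to do so until the target has a CA bundle, so apt is never pointed at a repository it cannot authenticate. The function names, the bundle check and the https:// filter are assumptions of this example; $target and $ROOTCMD are the FAI variables used in the thread.

```shell
#!/bin/bash
# Added example, not from the thread. Assumes FAI exports $target and
# $ROOTCMD, and that salt.list ships with its "deb" lines commented out.

# True if the target root ($1) already has a non-empty CA bundle, i.e. the
# ca-certificates package has been installed and configured there.
have_ca_bundle() {
    [ -s "$1/etc/ssl/certs/ca-certificates.crt" ]
}

# Uncomment only "#deb ..." / "#deb-src ..." lines that use https:// in
# $1/etc/apt/sources.list.d/$2; ordinary comments are left untouched.
# Returns 2 if the list is missing, 1 if there is no CA bundle yet.
enable_https_sources() {
    local root="$1" list="$2"
    local file="$root/etc/apt/sources.list.d/$list"
    [ -f "$file" ] || { echo "missing $file" >&2; return 2; }
    if ! have_ca_bundle "$root"; then
        echo "no CA bundle in $root, leaving $list disabled" >&2
        return 1
    fi
    sed -E -i 's%^#[[:space:]]*(deb(-src)?[[:space:]].*https://)%\1%' "$file"
}

# Print the number of active (uncommented) https entries in list file $1.
active_https_entries() {
    grep -Ec '^deb(-src)?[[:space:]].*https://' "$1" || true
}

# Hook body: only runs inside FAI, where both variables are set.
if [ -n "${target:-}" ] && [ -n "${ROOTCMD:-}" ]; then
    enable_https_sources "$target" salt.list || exit 1
    $ROOTCMD apt-get update
    $ROOTCMD apt-get install -y salt-minion
fi
```

If the hook exits with status 1, the list stays disabled and the install log shows why, instead of apt logging an authentication error for the external repo.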


Re: Accessing external https repo during install

2024-01-17 Thread Diego Zuccato
IIUC that's the same as adding 'em to the basefile. Every time an 
install errors out, basefile/nfsroot must be regenerated to include 
updated root certs. Error prone and time consuming.

I'm now trying to understand:
1) who is copying the whole /etc/apt/sources.list.d during 
task_repository, to disable salt.list
2) initialize salt repo with a script later in the configuration phase, 
when packages (including ca-certificates) are already installed


Point 1 is really unexpected and shouldn't happen by default. Currently 
ruling out it gets done by one of my scripts. Just to be sure:

fcopy /etc/apt/sources
does *not* touch /etc/apt/sources.list.d/, right?

Diego

On 17/01/2024 17:10, Markus Köberl wrote:
> On Wednesday, 17 January 2024 16:13:02 CET Diego Zuccato wrote:
>> On 17/01/2024 14:15, Carsten Aulbert wrote:
>>>> How can I have ca-certificates installed when the repository gets added?
>>>
>>> I think you could either add it into your basefile
>>
>> Thought that, but would require regular maintenance, regenerating
>> basefile every time ca-certificates is updated.
>>
>>> or add it to your
>>> hook to install ca-certificates from Debian first.
>>
>> That would be the perfect solution.
>>
>>> Does that make sense?
>>
>> Sure it does. I just have to understand how to do it the correct way :)
>>
>> First issue (that deranged me): I forgot to set SALT class for the
>> test-fai host, but files/etc/apt/sources.list.d/salt.list/BOOKWORM got
>> copied anyway... some script is fcopy-ing more than expected...
>> Fixed (partially) the first issue, hooks/repository.SALT (the one that
>> should create salt.list file...) finally got called and attempted to
>> install ca-certificate. But it failed. Seems I'm attempting to install
>> it too soon.
>> Uff. Work for tomorrow...
>>
>> Tks for all the hints!
>
> I have on the fai server in /etc/fai/nfsroot.conf:
>
> FAI_DEBOOTSTRAP_OPTS="--include=ca-certificates,apt-transport-https"
>
> and /etc/fai/nfsroot-hooks/ca-certificates:
>
> # load definition of ${NFSROOT}
> . /etc/fai/nfsroot.conf
> mkdir -p ${NFSROOT}/usr/local/share/ca-certificates
> cp /etc/fai/nfsroot-hooks/ComodoIntermediateCertificates.crt \
>    ${NFSROOT}/usr/local/share/ca-certificates/ComodoIntermediateCertificates.crt
> chroot $NFSROOT update-ca-certificates
>
> regards
> Markus Köberl


--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786


Re: Accessing external https repo during install

2024-01-17 Thread Markus Köberl via linux-fai
This message was wrapped to be DMARC compliant. The actual message
text is therefore in an attachment.
--- Begin Message ---
On Wednesday, 17 January 2024 16:13:02 CET Diego Zuccato wrote:
> On 17/01/2024 14:15, Carsten Aulbert wrote:
> >> How can I have ca-certificates installed when the repository gets added?
> > 
> > I think you could either add it into your basefile
> 
> Thought that, but would require regular maintenance, regenerating
> basefile every time ca-certificates is updated.
> 
> > or add it to your
> > hook to install ca-certificates from Debian first.
> 
> That would be the perfect solution.
> 
> > Does that make sense?
> 
> Sure it does. I just have to understand how to do it the correct way :)
> 
> First issue (that deranged me): I forgot to set SALT class for the
> test-fai host, but files/etc/apt/sources.list.d/salt.list/BOOKWORM got
> copied anyway... some script is fcopy-ing more than expected...
> Fixed (partially) the first issue, hooks/repository.SALT (the one that
> should create salt.list file...) finally got called and attempted to
> install ca-certificate. But it failed. Seems I'm attempting to install
> it too soon.
> Uff. Work for tomorrow...
> 
> Tks for all the hints!

I have on the fai server in /etc/fai/nfsroot.conf:

FAI_DEBOOTSTRAP_OPTS="--include=ca-certificates,apt-transport-https"

and /etc/fai/nfsroot-hooks/ca-certificates:

# load definition of ${NFSROOT}
. /etc/fai/nfsroot.conf
mkdir -p ${NFSROOT}/usr/local/share/ca-certificates
cp /etc/fai/nfsroot-hooks/ComodoIntermediateCertificates.crt \
   ${NFSROOT}/usr/local/share/ca-certificates/ComodoIntermediateCertificates.crt
chroot $NFSROOT update-ca-certificates


regards
Markus Köberl
-- 
Markus Koeberl
Graz University of Technology
Signal Processing and Speech Communication Laboratory
E-mail: markus.koeb...@tugraz.at

--- End Message ---


Re: Accessing external https repo during install

2024-01-17 Thread Diego Zuccato

On 17/01/2024 14:15, Carsten Aulbert wrote:
>> How can I have ca-certificates installed when the repository gets added?
>
> I think you could either add it into your basefile

Thought that, but would require regular maintenance, regenerating
basefile every time ca-certificates is updated.

> or add it to your
> hook to install ca-certificates from Debian first.

That would be the perfect solution.

> Does that make sense?

Sure it does. I just have to understand how to do it the correct way :)

First issue (that deranged me): I forgot to set SALT class for the
test-fai host, but files/etc/apt/sources.list.d/salt.list/BOOKWORM got
copied anyway... some script is fcopy-ing more than expected...
Fixed (partially) the first issue, hooks/repository.SALT (the one that
should create salt.list file...) finally got called and attempted to
install ca-certificate. But it failed. Seems I'm attempting to install
it too soon.

Uff. Work for tomorrow...

Tks for all the hints!

--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786


Re: Accessing external https repo during install

2024-01-17 Thread Carsten Aulbert

Hi

On 1/17/24 14:10, Diego Zuccato wrote:
> How can I have ca-certificates installed when the repository gets added?

I think you could either add it into your basefile or add it to your
hook to install ca-certificates from Debian first.

Does that make sense?

Cheers

Carsten

--
Dr. Carsten Aulbert, Max Planck Institute for Gravitational Physics,
Callinstraße 38, 30167 Hannover, Germany, Phone +49 511 762 17185

