Your message dated Tue, 07 Nov 2023 09:49:15 +0000
with message-id <[email protected]>
and subject line Bug#1028481: fixed in openstack-cluster-installer 42.3.2
has caused the Debian Bug report #1028481,
regarding Feature request: Support for custom repository package signing key
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1028481: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028481
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openstack-cluster-installer
Version: 42.2.1~bpo11+1
Severity: wishlist
Tags: patch

Further to, and dependent upon, Bug#1028393, I would like to use
OpenStack Cluster Installer with packages from an internal aptly
mirror repository. Unfortunately as the packages hosted by aptly are
signed by its own keyring, this currently does not work.

The attached patches do the following:
- Add support to openstack-cluster-installer-build-live-image for using
  a custom archive keyring
- Add support to slave_install_server_os_command() in slave_actions.php
  to provide parameters to build-openstack-debian-image for custom
  archive keyring
- Add options to openstack-cluster-installer.conf for the above
- Update README with instructions for the above.

Please let me know if I'm following the correct process for raising this
request, and I'm happy to discuss the request/patches/etc.


Cheers
Jim
diff --git a/bin/openstack-cluster-installer-build-live-image b/bin/openstack-cluster-installer-build-live-image
index 12987332..4e6c97db 100755
--- a/bin/openstack-cluster-installer-build-live-image
+++ b/bin/openstack-cluster-installer-build-live-image
@@ -206,6 +206,13 @@ deb-src ${debian_incoming_buildd} buildd-sid main
 " >config/archives/incoming-buildd.list.binary
 fi
 
+# Install keyring, if configured
+if [ -n "${debian_keyring_package}" ]; then
+	cd config/archives
+	apt-get download ${debian_keyring_package}
+	cd ../..
+fi
+
 # Add the IP of the PXE server in a configuration file
 # for later use during the install process
 mkdir -p config/includes.chroot/etc/oci
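Review bot: the keyring download at `apt-get download ${debian_keyring_package}` has no failure handling and the variable is unquoted. If `cd config/archives` fails, the download lands in the current directory and `cd ../..` then walks out of the build tree; if the download itself fails, nothing in these lines stops the build, so the image would be produced without the keyring unless the script runs under `set -e`, which the hunk does not show. Suggest quoting the variable and running the steps in a subshell, for example `( cd config/archives && apt-get download "${debian_keyring_package}" ) || exit 1`, which also removes the need for `cd ../..`.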
@@ -863,6 +870,11 @@ if [ -d /etc/openstack-cluster-installer/live-image-additions ] ; then
 	fi
 fi
 	
+# Configure debootstrap to trust our archive keyring
+if [ -n "${debian_keyring_file}" ]; then
+	export DEBOOTSTRAP_OPTIONS="${DEBOOTSTRAP_OPTIONS} --keyring=${debian_keyring_file}"
+fi
+
 lb clean
 lb config --mirror-binary http://${OTCI_PXE_SERVER_IP}:9999/debian -b netboot --bootappend-live "boot=live iomem=relaxed console=tty0 console=ttyS0,115200 console=ttyS1,115200 earlyprintk=ttyS1,115200 consoleblank=0 systemd.show_status=true components url=http://${OTCI_PXE_SERVER_IP} fetch=http://${OTCI_PXE_SERVER_IP}/openstack-cluster-installer/filesystem.squashfs"; --net-root-path /var/lib/openstack-cluster-installer --net-root-server ${OTCI_PXE_SERVER_IP}
 
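Review bot: `--keyring=${debian_keyring_file}` is appended to DEBOOTSTRAP_OPTIONS without checking that the file exists and is readable on the build host, so a mistyped path only surfaces later, when debootstrap runs. debootstrap's --keyring overrides the default keyring rather than adding to it, so the file has to contain every key needed to verify the mirror's Release file, and the comment above the test should say so. Suggest a `[ -r "${debian_keyring_file}" ]` check that aborts with a clear message, and note that a path containing whitespace will be split when the options string is expanded.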
diff --git a/src/inc/slave_actions.php b/src/inc/slave_actions.php
index 9374346f..b6056ca5 100644
--- a/src/inc/slave_actions.php
+++ b/src/inc/slave_actions.php
@@ -1376,6 +1376,9 @@ function slave_install_server_os_command($con, $conf, $machine_id){
             $package_list_file .= file_get_contents($package_list_path);
         }
     }
+    if($conf["network"]["debian_keyring_package"] && $conf["network"]["install_debian_keyring_package"]){
+        $package_list_file .= "," . $conf["network"]["debian_keyring_package"];
+    }
 
     $cmd  = "oci-install-with-report";
     $cmd .= $network_params;
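Review bot: the test on `$conf["network"]["install_debian_keyring_package"]` relies on PHP truthiness, and the shipped values for this option are yes/no. If the configuration loader hands over the literal string "no", that string is truthy and the package is appended regardless; whether yes/no is converted to a boolean depends on how $conf is loaded, which this hunk does not show. An explicit comparison such as `== "yes"` would make the intent unambiguous. Both keys are also read without isset(), which produces PHP warnings for configuration files that predate these options, and the unconditional leading "," yields an empty first entry if $package_list_file is still empty at this point.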
@@ -1383,6 +1386,12 @@ function slave_install_server_os_command($con, $conf, $machine_id){
     $cmd .= " --debootstrap-url ".$conf["network"]["debian_mirror"];
     $cmd .= " --sources.list-mirror ".$conf["network"]["debian_mirror"];
     $cmd .= " --security-mirror ".$conf["network"]["debian_security_mirror"];
+    if($conf["network"]["debian_keyring_file"]){
+        $cmd .= " --debootstrap-keyring-file " . $conf["network"]["debian_keyring_file"];
+        if ($conf["network"]["install_debian_keyring_file"]) {
+            $cmd .= " --copy-debootstrap-keyring-file";
+        }
+    }
 
     if($machine["boot_uefi"] == "yes"){
         $cmd .= " --boot-type uefi";
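Review bot: `$conf["network"]["debian_keyring_file"]` is concatenated into the command string without escaping, so a path containing spaces or shell metacharacters changes the resulting command line. Wrapping the value in escapeshellarg() would close that off; the neighbouring mirror options follow the same unescaped pattern, but the new argument does not need to inherit it. The nested test on install_debian_keyring_file has the same truthiness concern as the package option, since its shipped default is the string "no".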
diff --git a/etc/openstack-cluster-installer/openstack-cluster-installer.conf b/etc/openstack-cluster-installer/openstack-cluster-installer.conf
index 9f9cb295..3d3e0935 100644
--- a/etc/openstack-cluster-installer/openstack-cluster-installer.conf
+++ b/etc/openstack-cluster-installer/openstack-cluster-installer.conf
@@ -28,6 +28,24 @@ debian_mirror=http://deb.debian.org/debian
 # Example: like http://mirror.infomaniak.com/debian-security
 debian_security_mirror=http://security.debian.org/debian-security
 
+# Package containing keyring used to sign packages in above repositories
+# this is useful when using self-hosted package repos which are not signed
+# by the official Debian archive keyring
+# Leave empty when using official debian packages
+debian_keyring_package=
+
+# Filename of keyring installed by above package (this also needs to be availble
+# on the OCI server)
+# Leave empty when using official debian packages
+debian_keyring_file=
+
+# Whether to install the keyring package specified above on OpenStack nodes
+install_debian_keyring_package=yes
+
+# Whether to copy above keyring file to OpenStack nodes (using a package instead
+# is preferred)
+install_debian_keyring_file=no
+
 # URL of the incoming buildd repo: useful for Sid development of OCI.
 debian_incoming_buildd=http://incoming.debian.org/debian-buildd
 
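Review bot: the comments for install_debian_keyring_package and install_debian_keyring_file do not say how the two options interact, or what the default `install_debian_keyring_package=yes` means while debian_keyring_package is empty. Suggest stating that they are alternatives, that each is ignored when the corresponding debian_keyring_package or debian_keyring_file value is empty, and that debian_keyring_file is the full path to the keyring as it exists on the OCI server. In the debian_keyring_file comment, "availble" should read "available".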
diff --git a/README.md b/README.md
index 642a0be1..f7cd1c97 100644
--- a/README.md
+++ b/README.md
@@ -431,6 +431,34 @@ individual servers using your private key. Therefore, it is strongly
 advise to customize /etc/openstack-cluster-installer/authorized_keys
 *before* you build the OCI Debian Live image.
 
+### Optional: using a self-hosted package repository ###
+
+If you are using a self-hosted package repository which signs packages
+with its own key (e.g. aptly), this requires additional configuration.
+If you are using the official Debian packages (either direct or via a
+caching proxy) then skip to the next section.
+
+You will need a package in your repo which contains the repository's
+signing key, and this package will need to already be installed on your
+OCI server.
+
+Configure the following entries in /etc/openstack-cluster-installer/openstack-cluster-installer.conf :
+```
+debian_keyring_package=my-archive-keyring
+debian_keyring_file=/usr/share/keyrings/my-archive-keyring.gpg
+install_debian_keyring_package=yes
+```
+
+If the keyring package is not available at install time (because it
+is not kept in the same repository as the mirrored debian packages),
+then set the following options to instead copy the keyring file from
+the live image:
+
+```
+install_debian_keyring_package=no
+install_debian_keyring_file=yes
+```
+
 ### Build OCI's live image ###
 
 ```
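Review bot: the second configuration block shows only the two install_* switches, which leaves it unclear whether debian_keyring_package and debian_keyring_file from the first block must stay set. Going by the other hunks, debian_keyring_file has to remain set for `--debootstrap-keyring-file` and `--copy-debootstrap-keyring-file` to be passed at all, and a non-empty debian_keyring_package still triggers `apt-get download` during the live image build. Suggest repeating the full set of four options in the second example, and adding a sentence on how the keyring package is expected to reach the OCI server in the first place, since that package becomes the trust anchor for everything installed afterwards.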

--- End Message ---
--- Begin Message ---
Source: openstack-cluster-installer
Source-Version: 42.3.2
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
openstack-cluster-installer, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated 
openstack-cluster-installer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 Nov 2023 10:25:21 +0100
Source: openstack-cluster-installer
Architecture: source
Version: 42.3.2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1028481 1054593 1054598 1054600 1054603 1054648 1054649 1055405
Changes:
 openstack-cluster-installer (42.3.2) unstable; urgency=medium
 .
   [ Thomas Goirand ]
   * [4d920f8] openstack-cluster-installer-utils: depends on gnupg, not gnupg2
     (Closes: #1055405).
 .
   [ Olivier Chaze ]
   * [d245a2d] Haproxy admin socket and reload haproxy instead of restart.
   * [1e2c431] Reload haproxy command misplaced.
 .
   [ Philippe Seraphin ]
   * [77b00f0] Update oci-hdd-maint for calling disk-firmware-installer.
 .
   [ Jim Scadden ]
   * [86783ee] Fix /etc/network/interfaces NIC names set to Array
     (Closes: #1054600).
   * [9370179] Support for custom repository package signing key
     (Closes: #1028481).
   * [eb18316] Fix puppet fails to determine cephnet IP address
     (Closes: #1054648).
   * [13c99f3] Factorize non-system block device list, fixing "Block device list
     can be incorrect when using NVMe drives and/or RAID" (Closes: #1054649).
   * [d2ea19c] ocicli: machine-guess-racking returns error when no match found
     (Closes: #1054593).
   * [afed002] Reduce PHP warnings in apache log (Closes: #1054598).
   * [5368c5a] Regex updates for Dell OS10 switches & BroadCom NXE NICs
     (Closes: #1054603).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
