Re: Accessing external https repo during install
That wouldn't work, since salt.list is copied too early, before the first update, so the update fails (well, it ignores the repo but logs an error in error.log) because it can't authenticate the external repo (it misses ca-certificates, but to install ca-certificates it needs to update the repositories... circular dependency).

Diego

On 18/01/2024 11:50, Andrew Ruthven wrote:
> On Wed, 2024-01-17 at 17:10 +0100, Markus Köberl wrote:
> > FAI_DEBOOTSTRAP_OPTS="--include=ca-certificates,apt-transport-https"
>
> Hey,
>
> My approach for this kind of thing is to have a hook that installs ca-certificates.
>
> Probably updatebase.SALT - or better, updatebase.CACERTIFICATES and have SALT set CACERTIFICATES
>
> Cheers,
> Andrew

--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
Re: Accessing external https repo during install
On Wed, 2024-01-17 at 17:10 +0100, Markus Köberl wrote:
> FAI_DEBOOTSTRAP_OPTS="--include=ca-certificates,apt-transport-https"

Hey,

My approach for this kind of thing is to have a hook that installs ca-certificates.

Probably updatebase.SALT - or better, updatebase.CACERTIFICATES and have SALT set CACERTIFICATES

Cheers,
Andrew

--
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz        |
Catalyst Cloud:          | This space intentionally left blank
https://catalystcloud.nz |
Re: Accessing external https repo during install
Seems the copy is done by line 1115 of usr/lib/fai/subroutines:

    fcopy -SBMir /etc/apt # copy all other apt config files from the config space

It probably should be documented, especially since docs currently state that files under files/ are not copied automatically but require an fcopy. Or I just missed the special treatment of sources.list.d ...

Now I have commented the repo definitions in sources.list.d/salt.list and uncomment 'em from hooks/configure.SALT :

-8<--
#! /bin/bash
sed -i 's/^#//' $target/etc/apt/sources.list.d/salt.list
fcopy -r /etc/salt/minion.d/
$ROOTCMD apt-get update
$ROOTCMD apt-get install -y salt-minion
-8<--

Finally it seems to work as expected.

Thanks again!

Diego

On 18/01/2024 08:23, Diego Zuccato wrote:
> IIUC that's the same as adding 'em to the basefile. Every time an install errors out, basefile/nfsroot must be regenerated to include updated root certs. Error prone and time consuming.
>
> I'm now trying to understand:
> 1) who is copying the whole /etc/apt/sources.list.d during task_repository, to disable salt.list
> 2) initialize salt repo with a script later in the configuration phase, when packages (including ca-certificates) are already installed
>
> Point 1 is really unexpected and shouldn't happen by default. Currently ruling out it gets done by one of my scripts.
>
> Just to be sure: fcopy /etc/apt/sources does *not* touch /etc/apt/sources.list.d/, right?
>
> Diego
>
> On 17/01/2024 17:10, Markus Köberl wrote:
> > On Wednesday, 17 January 2024 16:13:02 CET Diego Zuccato wrote:
> > > On 17/01/2024 14:15, Carsten Aulbert wrote:
> > > > > How can I have ca-certificates installed when the repository gets added?
> > > >
> > > > I think you could either add it into your basefile
> > >
> > > Thought that, but would require regular maintenance, regenerating basefile every time ca-certificates is updated.
> > >
> > > > or add it to your hook to install ca-certificates from Debian first.
> > >
> > > That would be the perfect solution.
> > >
> > > > Does that make sense?
> > >
> > > Sure it does. I just have to understand how to do it the correct way :)
> > >
> > > First issue (that deranged me): I forgot to set SALT class for the test-fai host, but files/etc/apt/sources.list.d/salt.list/BOOKWORM got copied anyway... some script is fcopy-ing more than expected...
> > > Fixed (partially) the first issue, hooks/repository.SALT (the one that should create salt.list file...) finally got called and attempted to install ca-certificate. But it failed. Seems I'm attempting to install it too soon.
> > > Uff. Work for tomorrow...
> > >
> > > Tks for all the hints!
> >
> > I have on the fai server in /etc/fai/nfsroot.conf:
> >
> >     FAI_DEBOOTSTRAP_OPTS="--include=ca-certificates,apt-transport-https"
> >
> > and /etc/fai/nfsroot-hooks/ca-certificates:
> >
> >     # load definition of ${NFSROOT}
> >     . /etc/fai/nfsroot.conf
> >     mkdir -p ${NFSROOT}/usr/local/share/ca-certificates
> >     cp /etc/fai/nfsroot-hooks/ComodoIntermediateCertificates.crt \
> >        ${NFSROOT}/usr/local/share/ca-certificates/ComodoIntermediateCertificates.crt
> >     chroot $NFSROOT update-ca-certificates
> >
> > regards
> > Markus Köberl

--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
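A guarded variant of the configure.SALT approach in the message above, as an added example that is not part of the thread: it enables the repository only once the target has a CA bundle, and uncomments only the repository lines instead of every line starting with `#`. The function names, the `#deb` commenting convention and the sample repository URL are assumptions made for the illustration.

```shell
#!/bin/bash
# Added example, not code from the thread. Function names are hypothetical.
# Assumption: disabled repo entries in salt.list are written as "#deb ..." lines.

# True when the target already has a non-empty CA bundle (ca-certificates installed).
ca_bundle_ready() {
    [ -s "$1/etc/ssl/certs/ca-certificates.crt" ]
}

# Print the number of active deb/deb-src entries in a list file.
count_active() {
    grep -Ec '^deb(-src)?[[:space:]]' "$1" || true
}

# enable_repo TARGET RELATIVE_LIST
# Uncomments only "#deb"/"#deb-src" lines (ordinary comments stay), and refuses
# to do so while the target cannot verify HTTPS certificates.
enable_repo() {
    local target="$1" list="$1/$2" tmp rc
    [ -f "$list" ] || { echo "missing $list" >&2; return 2; }
    if ! ca_bundle_ready "$target"; then
        echo "no CA bundle in $target, leaving $2 disabled" >&2
        return 1
    fi
    tmp=$(mktemp) || return 3
    if sed -E 's/^#(deb(-src)?[[:space:]])/\1/' "$list" > "$tmp"; then
        cat "$tmp" > "$list"; rc=$?
    else
        rc=3
    fi
    rm -f "$tmp"
    return "$rc"
}

# Build a constructed target tree with a disabled repo entry, print its path.
make_sample_target() {
    local t
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/apt/sources.list.d" "$t/etc/ssl/certs"
    printf '%s\n' '# Salt repo, enabled by the configure hook (constructed sample)' \
        '#deb https://repo.example.invalid/salt bookworm main' \
        > "$t/etc/apt/sources.list.d/salt.list"
    echo "$t"
}

# In a FAI hook this would be followed by the thread's own commands:
#   enable_repo "$target" etc/apt/sources.list.d/salt.list &&
#       $ROOTCMD apt-get update && $ROOTCMD apt-get install -y salt-minion
```

A non-zero return from `enable_repo` leaves salt.list untouched, so a later `apt-get update` in the target does not log the authentication error described earlier in the thread.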
Re: Accessing external https repo during install
IIUC that's the same as adding 'em to the basefile. Every time an install errors out, basefile/nfsroot must be regenerated to include updated root certs. Error prone and time consuming.

I'm now trying to understand:
1) who is copying the whole /etc/apt/sources.list.d during task_repository, to disable salt.list
2) initialize salt repo with a script later in the configuration phase, when packages (including ca-certificates) are already installed

Point 1 is really unexpected and shouldn't happen by default. Currently ruling out it gets done by one of my scripts.

Just to be sure: fcopy /etc/apt/sources does *not* touch /etc/apt/sources.list.d/, right?

Diego

On 17/01/2024 17:10, Markus Köberl wrote:
> On Wednesday, 17 January 2024 16:13:02 CET Diego Zuccato wrote:
> > On 17/01/2024 14:15, Carsten Aulbert wrote:
> > > > How can I have ca-certificates installed when the repository gets added?
> > >
> > > I think you could either add it into your basefile
> >
> > Thought that, but would require regular maintenance, regenerating basefile every time ca-certificates is updated.
> >
> > > or add it to your hook to install ca-certificates from Debian first.
> >
> > That would be the perfect solution.
> >
> > > Does that make sense?
> >
> > Sure it does. I just have to understand how to do it the correct way :)
> >
> > First issue (that deranged me): I forgot to set SALT class for the test-fai host, but files/etc/apt/sources.list.d/salt.list/BOOKWORM got copied anyway... some script is fcopy-ing more than expected...
> > Fixed (partially) the first issue, hooks/repository.SALT (the one that should create salt.list file...) finally got called and attempted to install ca-certificate. But it failed. Seems I'm attempting to install it too soon.
> > Uff. Work for tomorrow...
> >
> > Tks for all the hints!
>
> I have on the fai server in /etc/fai/nfsroot.conf:
>
>     FAI_DEBOOTSTRAP_OPTS="--include=ca-certificates,apt-transport-https"
>
> and /etc/fai/nfsroot-hooks/ca-certificates:
>
>     # load definition of ${NFSROOT}
>     . /etc/fai/nfsroot.conf
>     mkdir -p ${NFSROOT}/usr/local/share/ca-certificates
>     cp /etc/fai/nfsroot-hooks/ComodoIntermediateCertificates.crt \
>        ${NFSROOT}/usr/local/share/ca-certificates/ComodoIntermediateCertificates.crt
>     chroot $NFSROOT update-ca-certificates
>
> regards
> Markus Köberl

--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
Re: Accessing external https repo during install
On Wednesday, 17 January 2024 16:13:02 CET Diego Zuccato wrote:
> On 17/01/2024 14:15, Carsten Aulbert wrote:
> > > How can I have ca-certificates installed when the repository gets added?
> >
> > I think you could either add it into your basefile
>
> Thought that, but would require regular maintenance, regenerating basefile every time ca-certificates is updated.
>
> > or add it to your hook to install ca-certificates from Debian first.
>
> That would be the perfect solution.
>
> > Does that make sense?
>
> Sure it does. I just have to understand how to do it the correct way :)
>
> First issue (that deranged me): I forgot to set SALT class for the test-fai host, but files/etc/apt/sources.list.d/salt.list/BOOKWORM got copied anyway... some script is fcopy-ing more than expected...
> Fixed (partially) the first issue, hooks/repository.SALT (the one that should create salt.list file...) finally got called and attempted to install ca-certificate. But it failed. Seems I'm attempting to install it too soon.
> Uff. Work for tomorrow...
>
> Tks for all the hints!

I have on the fai server in /etc/fai/nfsroot.conf:

    FAI_DEBOOTSTRAP_OPTS="--include=ca-certificates,apt-transport-https"

and /etc/fai/nfsroot-hooks/ca-certificates:

    # load definition of ${NFSROOT}
    . /etc/fai/nfsroot.conf
    mkdir -p ${NFSROOT}/usr/local/share/ca-certificates
    cp /etc/fai/nfsroot-hooks/ComodoIntermediateCertificates.crt \
       ${NFSROOT}/usr/local/share/ca-certificates/ComodoIntermediateCertificates.crt
    chroot $NFSROOT update-ca-certificates

regards
Markus Köberl

--
Markus Koeberl
Graz University of Technology
Signal Processing and Speech Communication Laboratory
E-mail: markus.koeb...@tugraz.at
Re: Accessing external https repo during install
On 17/01/2024 14:15, Carsten Aulbert wrote:
> > How can I have ca-certificates installed when the repository gets added?
>
> I think you could either add it into your basefile

Thought that, but would require regular maintenance, regenerating basefile every time ca-certificates is updated.

> or add it to your hook to install ca-certificates from Debian first.

That would be the perfect solution.

> Does that make sense?

Sure it does. I just have to understand how to do it the correct way :)

First issue (that deranged me): I forgot to set SALT class for the test-fai host, but files/etc/apt/sources.list.d/salt.list/BOOKWORM got copied anyway... some script is fcopy-ing more than expected...
Fixed (partially) the first issue, hooks/repository.SALT (the one that should create salt.list file...) finally got called and attempted to install ca-certificate. But it failed. Seems I'm attempting to install it too soon.
Uff. Work for tomorrow...

Tks for all the hints!

--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
Re: Accessing external https repo during install
Hi

On 1/17/24 14:10, Diego Zuccato wrote:
> How can I have ca-certificates installed when the repository gets added?

I think you could either add it into your basefile or add it to your hook to install ca-certificates from Debian first.

Does that make sense?

Cheers

Carsten

--
Dr. Carsten Aulbert, Max Planck Institute for Gravitational Physics,
Callinstraße 38, 30167 Hannover, Germany, Phone +49 511 762 17185