Re: [Linux-PowerEdge] Missing PGP files for dsu 1.7.0
> So apparently, the Dell keys need to be imported in GPG as well as RPM
> for DSU, and the bootstrap.cgi hack does that. Auto-importing keys into
> GPG is bad (especially without notice); if DSU needs to use GPG to
> check, then it should have a private GPG keyring, not use root's.

Not to mention that the gpg key import could be significantly improved by using the key fingerprint instead of grepping for email addresses.

___
Linux-PowerEdge mailing list
Linux-PowerEdge@dell.com
https://lists.us.dell.com/mailman/listinfo/linux-poweredge
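The two points raised in the message above (pin the full key fingerprint instead of grepping for an e-mail address, and import into a dedicated keyring instead of root's) can be sketched in bash as follows. This is an added example, not part of the thread and not Dell's or DSU's code; the key listings, address, fingerprints and function names are constructed for illustration, and `--show-keys` assumes GnuPG 2.2.8 or later.

```shell
#!/usr/bin/env bash
# Added example, not Dell's or DSU's code. Key listings, e-mail address and
# fingerprints are constructed placeholders.

# Constructed `gpg --with-colons` listings. Both keys carry the same uid, so a
# grep for the e-mail address accepts either one.
GOOD_KEY='pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::::Example Vendor <signing@vendor.example>:
sub:-:4096:1:1111111111111111:1500000000::::::e:
fpr:::::::::1111111111111111111111111111111111111111:'
LOOKALIKE_KEY='pub:-:4096:1:2222222222222222:1550000000:::-:::scESC:
fpr:::::::::2222222222222222222222222222222222222222:
uid:-::::1550000000::::Example Vendor <signing@vendor.example>:'
PINNED_FPR='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'

# Primary-key fingerprints only: the "fpr" record that follows a "pub" record
# (field 10). "fpr" records after "sub" belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Reads a colon listing on stdin; succeeds only if it holds exactly one primary
# key whose full fingerprint equals the pin (spaces and case ignored).
fpr_matches_pin() {
    local pin got
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(primary_fprs)   # two keys give two lines, which never equals the pin
    [ -n "$pin" ] && [ "$got" = "$pin" ]
}

# The check the thread objects to: any key whose uid mentions the address passes.
email_grep_accepts() { grep -q "^uid:.*<$1>"; }

# Import into a dedicated keyring directory (never root's ~/.gnupg), and only
# after the pin check. Usage: import_pinned_key KEYFILE PINNED_FPR KEYRING_DIR
import_pinned_key() {
    local keyfile=$1 pin=$2 home=$3
    install -d -m 0700 "$home"
    gpg --batch --homedir "$home" --show-keys --with-colons "$keyfile" \
        | fpr_matches_pin "$pin" \
        || { echo "fingerprint mismatch: $keyfile not imported" >&2; return 1; }
    gpg --batch --homedir "$home" --import "$keyfile"
}
```

The pinned fingerprint has to reach the host through a channel other than the one serving the key file, for example configuration management.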
Re: [Linux-PowerEdge] Missing PGP files for dsu 1.7.0
DSU 1.7 has other problems with nfs homes because sudo doesn't get access to the ~/.gpg directory of the user on nfs homes with root squash. This essentially breaks "sudo dsu", which does work with 1.6.

On Tue, May 21, 2019 at 11:30 AM Chris Adams wrote:
> Once upon a time, Chris Adams said:
> > Right. The correct way is to distribute the key, not expect it to be
> > installed manually after a "yum update" (I expect an update to work
> > automatically).
>
> So apparently, the Dell keys need to be imported in GPG as well as RPM
> for DSU, and the bootstrap.cgi hack does that. Auto-importing keys into
> GPG is bad (especially without notice); if DSU needs to use GPG to
> check, then it should have a private GPG keyring, not use root's.
>
> --
> Chris Adams
Re: [Linux-PowerEdge] Missing PGP files for dsu 1.7.0
Once upon a time, Chris Adams said:
> Right. The correct way is to distribute the key, not expect it to be
> installed manually after a "yum update" (I expect an update to work
> automatically).

So apparently, the Dell keys need to be imported in GPG as well as RPM for DSU, and the bootstrap.cgi hack does that. Auto-importing keys into GPG is bad (especially without notice); if DSU needs to use GPG to check, then it should have a private GPG keyring, not use root's.

--
Chris Adams
Re: [Linux-PowerEdge] Missing PGP files for dsu 1.7.0
On Tue, May 21, 2019 at 7:22 AM Gregory Matthews wrote:
> and am I the only one who hates the idea of running a curl fetch and
> piping it directly to a shell AS ROOT!? This is not just bad practice,
> it's a sackable offence.

Yes, this has been brought up numerous times, with absolutely no effect. It's manifest that the DSU team at Dell couldn't care less about what their users think or need.

Cheers,
--
Kilian
Re: [Linux-PowerEdge] Missing PGP files for dsu 1.7.0
Once upon a time, Gregory Matthews said:
> On 20/05/2019 11:46, Ben Argyle wrote:
> >I've been informed that I needed to rerun
> >
> >curl -s https://linux.dell.com/repo/hardware/dsu/bootstrap.cgi | bash
>
> but this will also write a repo file which breaks things if you
> mirror locally. Also, it might not be clear - you need to import the
> keys on EVERY server so this doesn't exactly scale.

Right. The correct way is to distribute the key, not expect it to be installed manually after a "yum update" (I expect an update to work automatically).

> and am I the only one who hates the idea of running a curl fetch and
> piping it directly to a shell AS ROOT!? This is not just bad
> practice, it's a sackable offence.

Yeah, this is a bad setup. Distribute an RPM with the repo files and keys, so it can be installed with regular automated tools. Right now, I just have the repos created manually with Ansible tasks. I didn't realize the key had changed (hadn't updated Dell stuff on a server yet).

Other enterprise companies "get" this - Chrome, Slack, and Teamviewer for example (just things I have installed on my desktop) each have a repo file owned by an RPM that can be updated, including keys as necessary.

--
Chris Adams
Re: [Linux-PowerEdge] Missing PGP files for dsu 1.7.0
On 20/05/2019 11:46, Ben Argyle wrote:
> I've been informed that I needed to rerun
>
> curl -s https://linux.dell.com/repo/hardware/dsu/bootstrap.cgi | bash

but this will also write a repo file which breaks things if you mirror locally. Also, it might not be clear - you need to import the keys on EVERY server so this doesn't exactly scale. Is there a better solution from Dell? or are we expected to brew our own again?

> to get the new keys. My fault for not checking https://linux.dell.com/repo/hardware/dsu/, but there must be other people out there who would sensibly assume that upgrading from 1.6.0 to 1.7.0 should just require running yum update? Why doesn't the package include those keys?

indeed - I agree with you Ben. Or some other /automated/ way to apply new keys.

GREG

and am I the only one who hates the idea of running a curl fetch and piping it directly to a shell AS ROOT!? This is not just bad practice, it's a sackable offence.

> Ben
>
> -----Original Message-----
> From: Linux-PowerEdge On Behalf Of Ben Argyle
> Sent: 20 May 2019 11:10
> To: 'linux-poweredge@dell.com'
> Subject: [Linux-PowerEdge] Missing PGP files for dsu 1.7.0
>
> From another thread, which I'm putting here instead (apologies for hijacking the other one)...
>
> # dsu
> DELL EMC System Update 1.7.0
> Copyright (C) 2014 DELL EMC Proprietary.
> Do you want to import public key(s) on the system (Y/N)? : y
> Unable to read public file /usr/libexec/dell_dup/0x756ba70b1019ced6.asc
> Exiting DSU!
> # ls /usr/libexec/dell_dup/0x756ba70b1019ced6.asc
> ls: cannot access /usr/libexec/dell_dup/0x756ba70b1019ced6.asc: No such file or directory
>
> As a solution I had to go to https://linux.dell.com/files/pgp_pubkeys/ and put all three .asc files there into /usr/libexec/dell_dup/ (which did exist, and had content) by hand before dsu would run. What package is responsible for adding these files?
>
> Normally I do the following when upgrading OMSA/dsu as it's always a vanilla install, and there's never been a reason to try and reconcile the .rpmnew files brought in by an upgrade:
>
> /opt/dell/srvadmin/sbin/srvadmin-services.sh stop
> yes | /opt/dell/srvadmin/sbin/srvadmin-uninstall.sh
> rm -rf /opt/dell/srvadmin/
> yum install srvadmin-storageservices srvadmin-omcommon -y
> /opt/dell/srvadmin/sbin/srvadmin-services.sh start
> yum update dell* -y
>
> Ben

--
Greg Matthews 01235 778658
Scientific Computing Operations Manager
Diamond Light Source Ltd
Oxfordshire UK
Re: [Linux-PowerEdge] Missing PGP files for dsu 1.7.0
I've been informed that I needed to rerun

curl -s https://linux.dell.com/repo/hardware/dsu/bootstrap.cgi | bash

to get the new keys. My fault for not checking https://linux.dell.com/repo/hardware/dsu/, but there must be other people out there who would sensibly assume that upgrading from 1.6.0 to 1.7.0 should just require running yum update? Why doesn't the package include those keys?

Ben

-----Original Message-----
From: Linux-PowerEdge On Behalf Of Ben Argyle
Sent: 20 May 2019 11:10
To: 'linux-poweredge@dell.com'
Subject: [Linux-PowerEdge] Missing PGP files for dsu 1.7.0

From another thread, which I'm putting here instead (apologies for hijacking the other one)...

# dsu
DELL EMC System Update 1.7.0
Copyright (C) 2014 DELL EMC Proprietary.
Do you want to import public key(s) on the system (Y/N)? : y
Unable to read public file /usr/libexec/dell_dup/0x756ba70b1019ced6.asc
Exiting DSU!
# ls /usr/libexec/dell_dup/0x756ba70b1019ced6.asc
ls: cannot access /usr/libexec/dell_dup/0x756ba70b1019ced6.asc: No such file or directory

As a solution I had to go to https://linux.dell.com/files/pgp_pubkeys/ and put all three .asc files there into /usr/libexec/dell_dup/ (which did exist, and had content) by hand before dsu would run. What package is responsible for adding these files?

Normally I do the following when upgrading OMSA/dsu as it's always a vanilla install, and there's never been a reason to try and reconcile the .rpmnew files brought in by an upgrade:

/opt/dell/srvadmin/sbin/srvadmin-services.sh stop
yes | /opt/dell/srvadmin/sbin/srvadmin-uninstall.sh
rm -rf /opt/dell/srvadmin/
yum install srvadmin-storageservices srvadmin-omcommon -y
/opt/dell/srvadmin/sbin/srvadmin-services.sh start
yum update dell* -y

Ben