
Import the zypper GPG key before templating the repo #6410

Merged: 10 commits, Oct 3, 2017
Conversation

@tas50 (Contributor) commented Sep 15, 2017

This prevents failures when the key is unknown.

This way is simple, but I'm not a fan of the way the :before notification results in double template logging. I'm open to a better way that provides some idempotency to the key import.

Signed-off-by: Tim Smith [email protected]

@tas50 tas50 requested a review from a team September 15, 2017 03:12
@coderanger (Contributor) left a comment:

I don't love using a before notification here, we should make it actually idempotent like apt_repository. Otherwise you could get things out of sync if you monkey with the files manually.

@tas50 (Contributor, Author) commented Sep 16, 2017

@coderanger I'm trying to find a better way to handle that import, but getting a reliable list is hard.

@tas50 tas50 force-pushed the zypper_gpg_key branch 3 times, most recently from b6415d7 to 8bb1b8a Compare September 27, 2017 20:36
@tas50 (Contributor, Author) commented Sep 27, 2017

        * zypper_repository[nginx] action create
           * remote_file[/tmp/kitchen/cache/nginx_signing.key] action create
             - create new file /tmp/kitchen/cache/nginx_signing.key
             - update content in file /tmp/kitchen/cache/nginx_signing.key from none to dd4da5
             --- /tmp/kitchen/cache/nginx_signing.key	2017-09-27 23:06:04.258040406 +0000
             +++ /tmp/chef-rest20170927-5040-17ow7o9	2017-09-27 23:06:04.258040406 +0000
             @@ -1 +1,29 @@
             +-----BEGIN PGP PUBLIC KEY BLOCK-----
             +Version: GnuPG v2.0.22 (GNU/Linux)
             +
             +mQENBE5OMmIBCAD+FPYKGriGGf7NqwKfWC83cBV01gabgVWQmZbMcFzeW+hMsgxH
             +W6iimD0RsfZ9oEbfJCPG0CRSZ7ppq5pKamYs2+EJ8Q2ysOFHHwpGrA2C8zyNAs4I
             +QxnZZIbETgcSwFtDun0XiqPwPZgyuXVm9PAbLZRbfBzm8wR/3SWygqZBBLdQk5TE
             +fDR+Eny/M1RVR4xClECONF9UBB2ejFdI1LD45APbP2hsN/piFByU1t7yK2gpFyRt
             +97WzGHn9MV5/TL7AmRPM4pcr3JacmtCnxXeCZ8nLqedoSuHFuhwyDnlAbu8I16O5
             +XRrfzhrHRJFM1JnIiGmzZi6zBvH0ItfyX6ttABEBAAG0KW5naW54IHNpZ25pbmcg
             +a2V5IDxzaWduaW5nLWtleUBuZ2lueC5jb20+iQE+BBMBAgAoAhsDBgsJCAcDAgYV
             +CAIJCgsEFgIDAQIeAQIXgAUCV2K1+AUJGB4fQQAKCRCr9b2Ce9m/YloaB/9XGrol
             +kocm7l/tsVjaBQCteXKuwsm4XhCuAQ6YAwA1L1UheGOG/aa2xJvrXE8X32tgcTjr
             +KoYoXWcdxaFjlXGTt6jV85qRguUzvMOxxSEM2Dn115etN9piPl0Zz+4rkx8+2vJG
             +F+eMlruPXg/zd88NvyLq5gGHEsFRBMVufYmHtNfcp4okC1klWiRIRSdp4QY1wdrN
             +1O+/oCTl8Bzy6hcHjLIq3aoumcLxMjtBoclc/5OTioLDwSDfVx7rWyfRhcBzVbwD
             +oe/PD08AoAA6fxXvWjSxy+dGhEaXoTHjkCbz/l6NxrK3JFyauDgU4K4MytsZ1HDi
             +MgMW8hZXxszoICTTiQEcBBABAgAGBQJOTkelAAoJEKZP1bF62zmo79oH/1XDb29S
             +YtWp+MTJTPFEwlWRiyRuDXy3wBd/BpwBRIWfWzMs1gnCjNjk0EVBVGa2grvy9Jtx
             +JKMd6l/PWXVucSt+U/+GO8rBkw14SdhqxaS2l14v6gyMeUrSbY3XfToGfwHC4sa/
             +Thn8X4jFaQ2XN5dAIzJGU1s5JA0tjEzUwCnmrKmyMlXZaoQVrmORGjCuH0I0aAFk
             +RS0UtnB9HPpxhGVbs24xXZQnZDNbUQeulFxS4uP3OLDBAeCHl+v4t/uotIad8v6J
             +SO93vc1evIje6lguE81HHmJn9noxPItvOvSMb2yPsE8mH4cJHRTFNSEhPW6ghmlf
             +Wa9ZwiVX5igxcvaIRgQQEQIABgUCTk5b0gAKCRDs8OkLLBcgg1G+AKCnacLb/+W6
             +cflirUIExgZdUJqoogCeNPVwXiHEIVqithAM1pdY/gcaQZmIRgQQEQIABgUCTk5f
             +YQAKCRCpN2E5pSTFPnNWAJ9gUozyiS+9jf2rJvqmJSeWuCgVRwCcCUFhXRCpQO2Y
             +Va3l3WuB+rgKjsQ=
             +=EWWI
             +-----END PGP PUBLIC KEY BLOCK-----
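Review bot: the execute that follows this hunk imports from https://nginx.org/keys/nginx_signing.key a second time instead of from the copy just written to /tmp/kitchen/cache/nginx_signing.key, so the key is downloaded twice and the bytes rpm imports need not be the bytes shown here; pass the cached path to `rpm --import`. Nothing pins the content of that download either, and this key becomes the trust anchor for `gpgcheck=1` in the repo file below, so a pinned expected fingerprint (or shipping the key as a cookbook_file) would make an unexpected response from nginx.org fail the converge instead of being imported.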
             - change mode from '' to '0644'
           * execute[import gpg key from https://nginx.org/keys/nginx_signing.key] action run
             - execute /bin/rpm --import https://nginx.org/keys/nginx_signing.key
           * template[/etc/zypp/repos.d/Nginx.org\ Repository.repo] action create
             - create new file /etc/zypp/repos.d/Nginx.org\ Repository.repo
             - update content in file /etc/zypp/repos.d/Nginx.org\ Repository.repo from none to 30350c
             --- /etc/zypp/repos.d/Nginx.org\ Repository.repo	2017-09-27 23:06:05.062442377 +0000
             +++ /etc/zypp/repos.d/.chef-Nginx20170927-5040-10sugso.org\ Repository.repo	2017-09-27 23:06:05.062442377 +0000
             @@ -1 +1,16 @@
             +# This file was generated by Chef
             +# Do NOT modify this file by hand.
             +
             +[Nginx.org Repository]
             +type=NONE
             +enabled=1
             +autorefresh=1
             +gpgcheck=1
             +gpgkey=https://nginx.org/keys/nginx_signing.key
             +baseurl=https://nginx.org/packages/sles/12
             +priority=99
             +keeppackages=0
             +mode=0644
             +refresh_cache=1
             +name=Nginx.org Repository
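Review bot: `mode=0644` and `refresh_cache=1` in this stanza are properties of the Chef resource, not zypper repository options (`mode` is applied to the file separately in the `change mode from '' to '0644'` line that follows), so the template should render only the repository keys (`type`, `enabled`, `autorefresh`, `gpgcheck`, `gpgkey`, `baseurl`, `priority`, `keeppackages`, `name`) rather than every property on the resource. `gpgcheck=1` with `gpgkey` set is the right choice and is what makes the key import above matter; keep it.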
             - change mode from '' to '0644'
           * zypper_repository[nginx] action refresh
             * execute[zypper --quiet --non-interactive refresh --force Nginx.org\ Repository] action run
        - execute zypper --quiet --non-interactive refresh --force Nginx.org\ Repository

@coderanger (Contributor) left a comment:

Looks good overall, just some cleanup-y things.

One structural thing is this doesn't allow importing a key by fingerprint. Is that just not a thing the SuSE community does?

```ruby
end

declare_resource(:execute, "import gpg key from #{new_resource.gpgkey}") do
  command "/bin/rpm --import #{new_resource.gpgkey}"
```
Contributor (reviewer):

This can use the cache file to avoid downloading it twice.

Contributor Author:

Oh nice catch

```ruby
#
# @return [boolean] is the key already known by rpm
def key_installed?(key_path)
  so = shell_out("rpm -qa gpg-pubkey*").run_command
```
Contributor (reviewer):

the run_command isn't needed, that's handled by our mixin.

Contributor Author:

That was cargo culted from apt. I'll get that cleaned up there as well later

```ruby
#
# @return [String] the fingerprint of the key
def key_fingerprint(key_path)
  so = shell_out("gpg --with-fingerprint #{key_path}").run_command
```
Contributor (reviewer):

This should be shell_out! since a failure is not expected, also no run_command.

@tas50 (Contributor, Author) commented Sep 27, 2017

I'm not sure about the key importing via fingerprint to be honest. The goal here was to mostly just maintain compat with the behavior of the existing zypper cookbook. We have that and now we can take local keys as well, which is a nice addition thanks to the apt cargo culting.

@tas50 (Contributor, Author) commented Sep 27, 2017

Next step here is to make sure it works on various versions of SLES and not just opensuse leap, which is where I did my testing. Once that's done I'll get testing on the various methods here.

@coderanger (Contributor):

Works for me re: importing from fingerprint, happy to YAGNI it until someone complains :)

@coderanger (Contributor) left a comment:

Looks good to me assuming it passes whatever functional tests you can throw at it.

@tas50 (Contributor, Author) commented Sep 28, 2017

Converges were successful for the nginx repo on:

openSUSE Leap 42.2
SLES 11 SP3
SLES 11 SP4
SLES 12 SP1
SLES 12 SP3

This prevents failures when the key is unknown.

This way is *simple*, but I'm not a fan of the way the :before notification results in double template logging. I'm open to a better way that provides some idempotency to the key import.

Signed-off-by: Tim Smith <[email protected]>

GPG import doesn't actually work here.

Signed-off-by: Tim Smith <[email protected]>

Signed-off-by: Tim Smith <[email protected]>

Download the key to the cache
Grab the key's fingerprint
Check to see if that fingerprint is in the RPM database
Add it if it's not

Signed-off-by: Tim Smith <[email protected]>

Avoid double downloading the key

Signed-off-by: Tim Smith <[email protected]>

Signed-off-by: Tim Smith <[email protected]>

Also fix the cookbook_file lookup logic missing a method it needed for file based keys

Signed-off-by: Tim Smith <[email protected]>
@tas50 tas50 force-pushed the zypper_gpg_key branch 2 times, most recently from 1e643c3 to 0713896 Compare September 28, 2017 22:04
Signed-off-by: Tim Smith <[email protected]>
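The flow in the commit message above (download the key to the cache, take its fingerprint, check the rpm database, import only if it is missing), together with the `rpm -qa gpg-pubkey*` and `gpg --with-fingerprint` calls in the reviewed `key_installed?` and `key_fingerprint` snippets, worked through as an added example in plain Ruby. This is not the zypper_repository resource's own code and uses no Chef APIs; the function names, the injectable command runner, the fake runner and the sample `rpm -qa` and gpg outputs are all mine, and the samples are constructed rather than captured from a host. It reads gpg's `--with-colons` output instead of the human-readable fingerprint line, and derives rpm's `gpg-pubkey-<keyid>` name from the last eight hex digits of the fingerprint, which holds for v4 OpenPGP keys.

```ruby
require 'open3'
require 'set'

# rpm records an imported public key as a pseudo-package named
# gpg-pubkey-<low 32 bits of the key ID>-<signature time, hex>.
RPM_PUBKEY_RE = /\Agpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})\z/

# Parse `rpm -qa gpg-pubkey*` output into the set of 8-hex-digit key IDs rpm knows.
def installed_key_ids(rpm_qa_output)
  ids = rpm_qa_output.each_line.map { |line| (m = RPM_PUBKEY_RE.match(line.strip)) && m[1] }
  ids.compact.to_set
end

# Parse `gpg --with-colons --with-fingerprint <file>` output and return the
# fingerprint (lowercase hex) of each primary key in the file. The colon format
# is stable across gpg versions and locales; the "Key fingerprint = ..." line
# the original snippet scrapes is not.
def primary_fingerprints(gpg_colons_output)
  fprs = []
  want = false
  gpg_colons_output.each_line do |line|
    fields = line.chomp.split(':')
    case fields[0]
    when 'pub' then want = true   # the next fpr record belongs to this primary key
    when 'sub' then want = false  # fpr records after a sub line are subkey fingerprints
    when 'fpr'
      if want && fields[9]
        fprs << fields[9].downcase
        want = false
      end
    end
  end
  fprs
end

# For a v4 OpenPGP key the key ID is the low 64 bits of the fingerprint, so the
# rpm pseudo-package name carries the fingerprint's last 8 hex digits.
# (Obsolete v3 keys do not have this property.)
def rpm_key_id(fingerprint)
  fingerprint[-8, 8].downcase
end

def key_installed?(fingerprint, installed_ids)
  installed_ids.include?(rpm_key_id(fingerprint))
end

# Run argv without a shell and return [stdout, success?]. Without a shell the
# glob in `rpm -qa gpg-pubkey*` is matched by rpm against package names rather
# than expanded by the shell against files in the working directory.
def run_command(argv)
  out, status = Open3.capture2(*argv)
  [out, status.success?]
end

# Idempotent import: :already_installed when every primary key in the file is
# in the rpm database, :imported after a successful `rpm --import`. `run` is
# injectable so the decision logic can be exercised without gpg or rpm.
def ensure_key_imported(key_path, run: method(:run_command))
  gpg_out, ok = run.call(['gpg', '--batch', '--with-colons', '--with-fingerprint', key_path])
  raise "gpg could not read #{key_path}" unless ok
  fprs = primary_fingerprints(gpg_out)
  raise "no public key found in #{key_path}" if fprs.empty?

  rpm_out, ok = run.call(['rpm', '-qa', 'gpg-pubkey*'])
  raise 'rpm -qa failed' unless ok
  installed = installed_key_ids(rpm_out)
  return :already_installed if fprs.all? { |fpr| key_installed?(fpr, installed) }

  _, ok = run.call(['rpm', '--import', key_path])
  raise "rpm --import failed for #{key_path}" unless ok
  :imported
end

# Constructed sample outputs (made up, not captured from a host).
SAMPLE_RPM_QA = <<~OUT
  gpg-pubkey-01234567-4e4e3262
  gpg-pubkey-89abcdef-5762b5f8
OUT

SAMPLE_GPG_COLONS = <<~OUT
  pub:-:2048:1:66778899AABBCCDD:1313813090:::-:::scESC::::::23::0:
  fpr:::::::::AABBCCDDEEFF00112233445566778899AABBCCDD:
  uid:-::::1313813090::0123456789ABCDEF0123456789ABCDEF01234567::Example Signing Key <[email protected]>::::::::::0:
  sub:-:2048:1:FEDCBA9876543210:1313813090::::::e::::::23:
  fpr:::::::::1122334455667788990011223344556677889900:
OUT

# Fake runner answering from the constructed outputs; records import calls.
def fake_runner(rpm_qa:, gpg:, imported: [])
  lambda do |argv|
    if argv[0] == 'gpg'
      [gpg, true]
    elsif argv[1] == '--import'
      imported << argv[-1]
      ['', true]
    else
      [rpm_qa, true]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  runner = fake_runner(rpm_qa: SAMPLE_RPM_QA, gpg: SAMPLE_GPG_COLONS)
  p ensure_key_imported('/tmp/kitchen/cache/nginx_signing.key', run: runner)
end
```

Inside the resource the same decision would sit in the execute's `not_if` guard, with the cached file path passed to both gpg and `rpm --import` so the bytes fingerprinted are the bytes imported. If only one key is ever in the file, `rpm -q gpg-pubkey-<keyid>` is the cheaper single check.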
@tas50 tas50 requested a review from adamleff September 29, 2017 04:23
@tas50 tas50 merged commit 92212e7 into master Oct 3, 2017
@tas50 tas50 deleted the zypper_gpg_key branch October 27, 2017 20:31
@chef chef locked and limited conversation to collaborators Feb 14, 2018