Adapt RPM repository to not cause errors on openSUSE #6445

Closed
tacerus opened this issue Apr 13, 2021 · 3 comments
Labels: feature-request (Used for new features in Teleport, improvements to current should be #enhancements), release-engineering

Comments


tacerus commented Apr 13, 2021

What

Hello! I am aware that openSUSE is not a supported operating system. However, the RPM package works absolutely flawlessly on a good dozen openSUSE machines I deployed. Unfortunately though, the RPM repository lacks a few optimizations in order not to cause errors, and in order to comply with the security policies employed by the openSUSE developers. I would absolutely love if you could perform these minor changes in order for the experience on SUSE based operating systems to be less troubled.

How

  • Sign the file "repomd.xml" - an unsigned repomd.xml file causes zypper (the package manager), as well as YaST (the system management tool), to display warning messages, which are only able to be bypassed either by disabling security features, or by manually accepting the issue every time a repository refresh is being performed. [Image 1: adding the repository] [Image 2: disabling and enabling the repository]
  • Publish the signature's public key. [Image, part 1] [Image, part 2]
  • Soften the permissions of the directory structure - other RPM repositories are freely browsable, which is not the case with your repository. It seems your repository employs more strict permissions, which would need to be adjusted in order to allow the package managers to access desired metadata files and directories. [Image, part 1] [Image, part 2]
  • Alternatively, if maintaining these additional changes is a challenge, the packages could be hosted on openSUSE's OBS (happily as a non-supported mirror), which takes care of the requirements.

Why

Since the RPM package itself is working flawlessly on openSUSE, even if installed through the repository (after skipping the errors, of course), it would, in my opinion, be a minor task to also adjust the repository accordingly, in order for openSUSE users (and likely SUSE Enterprise Linux users as well) to enjoy installations and updates using already established package management routines.

A particular annoyance is found during automated deployments. I included the repository and package in an AutoYaST installation profile - while the security checks in such a profile can be softened, manual user intervention to accept the errors during the deployment is still required.

Workaround

  • Manually accepting the errors during installations and upgrades -> annoying.
  • Disabling the repository after the installation and only enabling it on demand -> possibly missing out on crucial security updates and risking accidental teleport uninstalls during cleanups of orphaned packages (zypper marks packages from disabled repositories as orphaned).
  • Self-hosting the repository -> possibly missing out on crucial security updates and annoying to maintain for a single package.

I would like to use this opportunity to thank you for the marvelous piece of software - I will keep using it no matter the outcome of my request. :-)

tacerus added the feature-request label Apr 13, 2021
wadells (Contributor) commented Nov 9, 2021

Thanks for the detailed report @tacerus. I'm taking a look at our rpm and deb repo management, and this issue is a wealth of info. I'll report back here once I have some updates.

wadells (Contributor) commented Nov 17, 2021

@tacerus: Can you give me further repro steps? E.g. what commands do I need to run to reproduce your issues? For example, I've been working off the following Dockerfile for testing:

    FROM registry.suse.com/suse/sle15
    RUN zypper addrepo --gpgcheck-strict https://rpm.releases.teleport.dev/teleport.repo
    RUN zypper --non-interactive --gpg-auto-import-keys install teleport
    RUN teleport version

  • Sign the file "repomd.xml"

I've got a PR up for this: #9027. It'll need backports, but should be relatively quick and uncontroversial. 🤞

The public key is published: https://rpm.releases.teleport.dev/RPM-GPG-KEY-teleport, and referenced in the repo:

    $ curl -s https://rpm.releases.teleport.dev/teleport.repo | grep gpg
    gpgcheck=1
    gpgkey=https://rpm.releases.teleport.dev/RPM-GPG-KEY-teleport

Does it need to be published in a certain keyserver or location to work with zypper/YaST/suse?

  • Soften the permissions of the directory structure - other RPM repositories are freely browsable, which is not the case with your repository. It seems your repository employs more strict permissions, which would need to be adjusted in order to allow the package managers to access desired metadata files and directories. Image Part 1 Image Part 2

This doesn't look like a permissions issue -- we don't have a media directory at all. https://rpm.releases.teleport.dev/media.1/media doesn't exist, and isn't created by createrepo. Can you link some documentation or further info about what is expected to be here and why YaST needs it, or provide an alternate example of a permissions issue with files/directories that do exist?

For more info, see our rpm repo metadata publishing workflow here:

teleport/.drone.yml

Lines 4347 to 4391 in d67e9b3

    - name: Download RPM repo contents
      image: amazon/aws-cli
      environment:
        AWS_S3_BUCKET:
          from_secret: RPMREPO_AWS_S3_BUCKET
        AWS_ACCESS_KEY_ID:
          from_secret: RPMREPO_AWS_ACCESS_KEY_ID
        AWS_SECRET_ACCESS_KEY:
          from_secret: RPMREPO_AWS_SECRET_ACCESS_KEY
      volumes:
        - name: rpmrepo
          path: /rpmrepo
      commands:
        - mkdir -p /rpmrepo/teleport/cache
        # we explicitly want to delete anything present locally which has been deleted
        # from the upstream S3 bucket
        - aws s3 sync s3://$AWS_S3_BUCKET/teleport/ /rpmrepo/teleport/ --delete
        - mkdir -p /rpmrepo/teleport/${DRONE_TAG##v}
        - cp -a /go/artifacts/*.rpm /rpmrepo/teleport/${DRONE_TAG##v}/
    # we do this using a CentOS 7 container to make sure that the repo files are
    # compatible with older versions, also there's no createrepo package in alpine main
    - name: Regenerate RPM repo metadata
      image: centos:7
      volumes:
        - name: rpmrepo
          path: /rpmrepo
      commands:
        - yum -y install createrepo
        - createrepo --cachedir /rpmrepo/teleport/cache --update /rpmrepo/teleport
    - name: Sync RPM repo changes to S3
      image: amazon/aws-cli
      environment:
        AWS_S3_BUCKET:
          from_secret: RPMREPO_AWS_S3_BUCKET
        AWS_ACCESS_KEY_ID:
          from_secret: RPMREPO_AWS_ACCESS_KEY_ID
        AWS_SECRET_ACCESS_KEY:
          from_secret: RPMREPO_AWS_SECRET_ACCESS_KEY
      volumes:
        - name: rpmrepo
          path: /rpmrepo
      commands:
        - aws s3 sync /rpmrepo/teleport/ s3://$AWS_S3_BUCKET/teleport/

  • Alternatively, if maintaining these additional changes is a challenge, the packages could be hosted on openSUSE's OBS (happily as a non-supported mirror), which takes care of the requirements.

IMO, this is unlikely. Because we distribute security software, and Teleport enterprise has some non-free code, we typically avoid involving 3rd parties in distribution. I'd need to know a lot more about OBS (and maybe talk to one of the engineers maintaining it) before we'd consider building/publishing there. If OBS is more of a mirror situation, that may be easier, but I still need further info about how to get https://rpm.releases.teleport.dev/ packages mirrored there.
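
As an added example (not code from the issue or from the Teleport project): the `grep gpg` output in the comment above shows the two settings that make zypper and yum actually verify what they install, `gpgcheck=1` plus a `gpgkey` URL the key is fetched from. The script below audits every enabled section of a `.repo` file for those settings. The `.repo` content it writes is constructed sample input; the `mirror-*` sections are deliberately misconfigured so the output shows a weak repository definition next to a correct one.

```shell
#!/bin/sh
# Added example, not part of the issue or of Teleport's own tooling: audit the
# per-repository settings in a zypper/yum-style .repo file and flag any enabled
# repository whose packages would be installed without signature verification.
# It assumes only the standard ini layout that teleport.repo uses
# (enabled=, gpgcheck=, gpgkey=). The file written below is constructed sample
# input; the "mirror-*" sections are deliberately misconfigured.

SAMPLE_REPO="$(mktemp)"
trap 'rm -f "$SAMPLE_REPO"' EXIT
cat > "$SAMPLE_REPO" <<'EOF'
[teleport]
name=Teleport (constructed sample with the settings the thread shows)
baseurl=https://rpm.releases.teleport.dev/
enabled=1
gpgcheck=1
gpgkey=https://rpm.releases.teleport.dev/RPM-GPG-KEY-teleport

[mirror-nocheck]
name=Constructed sample: signature checking switched off
baseurl=https://mirror.example.invalid/teleport/
enabled=1
gpgcheck=0

[mirror-plainhttp-key]
name=Constructed sample: key fetched over plain HTTP, so it can be swapped in transit
baseurl=https://mirror.example.invalid/teleport/
enabled=1
gpgcheck=1
gpgkey=http://mirror.example.invalid/RPM-GPG-KEY

[disabled-repo]
name=Constructed sample: disabled, so not audited
baseurl=https://mirror.example.invalid/other/
enabled=0
gpgcheck=0
EOF

# audit_repo_file FILE
# Prints one line per enabled section, "<name> OK" or "<name> WEAK: <reason>",
# and returns 0 only if every enabled section is OK.
audit_repo_file() {
    awk '
    function flush() {
        if (section == "" || enabled == "0") return
        reason = ""
        if (gpgcheck != "1")
            reason = "gpgcheck is not 1"
        else if (gpgkey == "")
            reason = "gpgkey is missing"
        else if (gpgkey !~ /^(https:\/\/|file:\/\/)/)
            reason = "gpgkey is not fetched over https:// or from file://"
        if (reason == "") { print section " OK" }
        else { print section " WEAK: " reason; bad = 1 }
    }
    /^\[.*\]/ {                               # start of a new [section]
        flush()
        section = $0
        sub(/^\[/, "", section); sub(/\].*$/, "", section)
        enabled = "1"; gpgcheck = ""; gpgkey = ""   # repos default to enabled
        next
    }
    /^[ \t]*(#|;)/ || /^[ \t]*$/ { next }     # comments and blank lines
    index($0, "=") == 0 { next }              # not a key=value line
    {
        eq  = index($0, "=")
        key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1);    sub(/^[ \t]+/, "", val)
        if (key == "enabled")  enabled  = val
        if (key == "gpgcheck") gpgcheck = val
        if (key == "gpgkey")   gpgkey   = val
    }
    END { flush(); exit bad }
    ' "$1"
}

if audit_repo_file "$SAMPLE_REPO"; then
    echo "every enabled repository verifies package signatures"
else
    echo "at least one enabled repository is weakly configured"
fi
```

Point it at `/etc/zypp/repos.d/*.repo` or `/etc/yum.repos.d/*.repo` on a real host; a non-zero exit is the signal to look at. It only checks that verification is switched on and that the key comes from a source that cannot be replaced on the wire; it does not fetch or validate the key itself.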

wadells (Contributor) commented Jan 20, 2022

Hi @tacerus. The RPM repo metadata is now signed using the same key that signs the packages:

    walt@work:/tmp/suse$ curl -O https://rpm.releases.teleport.dev/repodata/repomd.xml
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  2985  100  2985    0     0   7192      0 --:--:-- --:--:-- --:--:--  7192
    walt@work:/tmp/suse$ curl -O https://rpm.releases.teleport.dev/repodata/repomd.xml.asc
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   833  100   833    0     0   5553      0 --:--:-- --:--:-- --:--:--  5553
    walt@work:/tmp/suse$ gpg --verify repomd.xml.asc repomd.xml
    gpg: Signature made Tue 11 Jan 2022 05:57:35 PM PST
    gpg:                using RSA key 0C5E8BA5658E320D1B031179C87ED53A6282C411
    gpg: Good signature from "Gravitational, Inc <[email protected]>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 0C5E 8BA5 658E 320D 1B03  1179 C87E D53A 6282 C411

You can find the public key here:

https://rpm.releases.teleport.dev/RPM-GPG-KEY-teleport

If there are other things SUSE needs to work with the repo, please reopen with specific details, per #6445 (comment)

@wadells wadells closed this as completed Jan 20, 2022
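
For readers who want to reproduce the fix end to end, here is an added example that is not Teleport's release tooling: it generates a throwaway signing key, signs a constructed `repomd.xml` the same way (a detached, ASCII-armored `repomd.xml.asc` beside the file), verifies it in a fresh keyring that contains only the exported public key, and then shows that a change to `repomd.xml` after signing is rejected. The key name, file names and the `example.invalid` address are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not the Teleport project's own release tooling: sign repository
# metadata the way the fix in this issue does (detached, armored repomd.xml.asc
# next to repomd.xml) and verify it against a pinned public key in an isolated
# keyring, then show that modified metadata fails verification. A temporary
# signing key is generated in a throwaway GNUPGHOME so everything runs offline;
# the repomd.xml content is a constructed stand-in for what createrepo writes.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# make_sample_repodata DIR: write a constructed minimal repomd.xml into DIR.
make_sample_repodata() {
    mkdir -p "$1"
    cat > "$1/repomd.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1</revision>
</repomd>
EOF
}

# sign_repomd DIR: publisher side. Produces DIR/repomd.xml.asc, the detached
# armored signature that zypper and dnf look for when metadata checks are on.
sign_repomd() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --armor --output "$1/repomd.xml.asc" "$1/repomd.xml"
}

# verify_repomd DIR KEYFILE: client side. Imports only KEYFILE into a fresh
# keyring and checks DIR/repomd.xml.asc against DIR/repomd.xml, so no other key
# on the host can satisfy the check. Returns 0 on a good signature, 1 otherwise.
verify_repomd() {
    vhome="$(mktemp -d)"
    chmod 700 "$vhome"
    GNUPGHOME="$vhome" gpg --batch --quiet --import "$2" 2>/dev/null
    if GNUPGHOME="$vhome" gpg --batch --quiet --verify "$1/repomd.xml.asc" "$1/repomd.xml" 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$vhome"
    return "$rc"
}

# Throwaway signing key standing in for the release key; its public half is
# exported the way RPM-GPG-KEY-teleport is published. HAVE_SIGNER stays 0 when
# gpg is missing or cannot generate keys here, and the demo below is skipped.
HAVE_SIGNER=0
if command -v gpg >/dev/null 2>&1 &&
   gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
       --quick-generate-key 'Example Repo Signer <[email protected]>' ed25519 sign never 2>/dev/null; then
    gpg --batch --quiet --armor --export 'Example Repo Signer' > "$WORK/RPM-GPG-KEY-example"
    HAVE_SIGNER=1
fi

if [ "$HAVE_SIGNER" = 1 ]; then
    make_sample_repodata "$WORK/repodata"
    sign_repomd "$WORK/repodata"
    if verify_repomd "$WORK/repodata" "$WORK/RPM-GPG-KEY-example"; then
        echo "repomd.xml: good signature"
    fi
    # Any change to the metadata after signing must be caught.
    echo "<!-- injected after signing -->" >> "$WORK/repodata/repomd.xml"
    if ! verify_repomd "$WORK/repodata" "$WORK/RPM-GPG-KEY-example"; then
        echo "repomd.xml: signature no longer matches, metadata rejected"
    fi
else
    echo "gpg not usable here; functions defined but demo skipped"
fi
```

In a publishing pipeline the `sign_repomd` step belongs right after `createrepo` and before the sync to the bucket, and the `verify_repomd` step is the check a consumer (or the pipeline itself, as a post-publish smoke test) runs against the published key. A fresh keyring is used deliberately: verifying against the host's default keyring would let any key already imported there pass the check.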