
blueprint: fix cacerts name for TOML #1076

Merged
merged 1 commit into from
Dec 6, 2024

Contributor

@lzap lzap commented Nov 29, 2024

@avitova found some issues, I am going to address them.

To test the CA generation run this:

go run ./cmd/gen-manifests --arches x86_64 --distros fedora-41 --types qcow2 -config ./test/configs/all-customizations.json

It creates the following file in test/data/manifests:

...
          {
            "type": "org.osbuild.copy",
            "inputs": {
              "file-4c4e8c734e4ee3a117ca8f9363ba7b706d02bfc8f297c00b02ce02babddef51c": {
                "type": "org.osbuild.files",
                "origin": "org.osbuild.source",
                "references": [
                  {
                    "id": "sha256:4c4e8c734e4ee3a117ca8f9363ba7b706d02bfc8f297c00b02ce02babddef51c"
                  }
                ]
              }
            },
            "options": {
              "paths": [
                {
                  "from": "input://file-4c4e8c734e4ee3a117ca8f9363ba7b706d02bfc8f297c00b02ce02babddef51c/sha256:4c4e8c734e4ee3a117ca8f9363ba7b706d02bfc8f297c00b02ce02babddef51c",
                  "to": "tree:///etc/pki/ca-trust/source/anchors/27894af897dd2423607045716438a725f28a6d0b.pem",
                  "remove_destination": true
                }
              ]
            }
          },
          {
            "type": "org.osbuild.chown",
            "options": {
              "items": {
                "/etc/pki/ca-trust/source/anchors/27894af897dd2423607045716438a725f28a6d0b.pem": {
                  "user": "root",
                  "group": "root"
                }
              }
            }
          },
          {
            "type": "org.osbuild.pki.update-ca-trust"
          },
...

I think it works.
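
Added example (not part of the PR description or of the osbuild project's code): a Python check over the stage list shown above that reports which CA anchors a pipeline installs, and flags an anchor that is not chowned to root:root after being copied or a copy that no later org.osbuild.pki.update-ca-trust stage follows. The function name, the sample file name, and the assumption that the input is one pipeline's `stages` array with ownership given by name are assumptions of this example.

```python
import json

ANCHOR_DIR = "/etc/pki/ca-trust/source/anchors/"

def audit_ca_anchors(stages):
    """Return (anchors, problems) for one pipeline's list of osbuild stages."""
    anchors, root_owned = [], set()
    last_copy = last_update = -1
    for i, stage in enumerate(stages):
        opts = stage.get("options", {})
        if stage["type"] == "org.osbuild.copy":
            for path in opts.get("paths", []):
                to = path["to"].removeprefix("tree://")
                if to.startswith(ANCHOR_DIR):
                    anchors.append(to)
                    root_owned.discard(to)  # a fresh copy resets any earlier chown
                    last_copy = i
        elif stage["type"] == "org.osbuild.chown":
            for target, owner in opts.get("items", {}).items():
                # Assumption: ownership is given by name, as in the manifest above.
                if owner.get("user") == "root" and owner.get("group") == "root":
                    root_owned.add(target)
        elif stage["type"] == "org.osbuild.pki.update-ca-trust":
            last_update = i
    problems = [f"not chowned to root:root: {a}" for a in anchors if a not in root_owned]
    if last_update < last_copy:
        problems.append("no org.osbuild.pki.update-ca-trust stage after the last anchor copy")
    return anchors, problems

# Constructed sample: the three stages shown above, trimmed, with a made-up file name.
SAMPLE = json.loads("""[
  {"type": "org.osbuild.copy", "options": {"paths": [
    {"from": "input://file-x/sha256:x",
     "to": "tree:///etc/pki/ca-trust/source/anchors/example.pem"}]}},
  {"type": "org.osbuild.chown", "options": {"items": {
    "/etc/pki/ca-trust/source/anchors/example.pem": {"user": "root", "group": "root"}}}},
  {"type": "org.osbuild.pki.update-ca-trust"}
]""")

if __name__ == "__main__":
    print(audit_ca_anchors(SAMPLE))      # complete sequence: no problems
    print(audit_ca_anchors(SAMPLE[:1]))  # copy only: both problems reported
```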

@lzap lzap marked this pull request as draft November 29, 2024 11:54
@lzap lzap marked this pull request as ready for review November 29, 2024 17:25
Contributor

bcl commented Dec 2, 2024

I don't think this can be changed, any existing blueprint using this field will not be parsed correctly.

Member

@thozza thozza left a comment

Except for the leftover debug prints, this looks OK to me. 👍

pkg/manifest/os.go (outdated, resolved)
Member

thozza commented Dec 3, 2024

> I don't think this can be changed, any existing blueprint using this field will not be parsed correctly.

This has not yet been exposed to users in any form AFAICT, and the TOML parsing here is not the same as the one used on-prem in osbuild-composer. So, all in all, this should be fine.

Contributor Author

lzap commented Dec 4, 2024

So removed the logging line and added a test, but I am not sure where exactly this shell test is being executed.

thozza previously approved these changes Dec 4, 2024
Contributor Author

lzap commented Dec 6, 2024

Tests look good, why isn’t this getting merged? Not sure if I should rebase.

Member

thozza commented Dec 6, 2024

> Tests look good, why isn’t this getting merged? Not sure if I should rebase.

You dismissed my review by force-pushing. If you need just to rebase, using GH UI does not dismiss approvals.

@thozza thozza added this pull request to the merge queue Dec 6, 2024
Merged via the queue into osbuild:main with commit e82349a Dec 6, 2024
19 checks passed
@lzap lzap deleted the cacacerts branch December 6, 2024 13:17
Contributor Author

lzap commented Dec 6, 2024

Ah now I remember, I was on the wrong branch and accidentally pushed here instead, sorry! Cheers.

exit 1
fi
}

Contributor Author

Out of curiosity, where do I see this output? I am unable to locate this job.

Member

If the manifest were not rebuilt during the CI run (because it didn't change), you'd find a link to the run in which it was tested in the job that generated it (e.g. https://gitlab.com/redhat/services/products/image-builder/ci/images/-/jobs/8565731980). Since the manifest didn't change and you added the test, it was not run at all. A complete manifest regeneration would be required. That can be achieved by bumping the rngseed in

"rngseed": 1,

I did it in #1093 and if my comment about the potential typo from above is correct, it should fail 🤔

Member

The story continues:

  • osbuild: new stage 'cacert' (HMS-4839) #907 added the cacert customization only to all-customizations.json,
  • all-customizations.json is applied only when building qcow2
    "./configs/all-customizations.json": {
      "distros": [
        "rhel-10*",
        "rhel-9*",
        "rhel-8*",
        "centos*",
        "fedora*"
      ],
      "image-types": [
        "qcow2"
      ]
    },
  • We do not boot-test qcow2 in this repository CI, so the change in the base-host-check.sh won't run in the CI.

Contributor Author

Yeah, apologies: #1096

fi

echo "📗 Checking extracted CA cert file"
if ! [ -e "/etc/pki/ca-trust/source/extracted/pem/directory-hash/Test_CA_for_osbuild.pem.pem" ]; then
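
Review bot: the path in the `[ -e ... ]` test looks wrong in its directory as well as its file name. It points under `/etc/pki/ca-trust/source/extracted/`, but update-ca-trust writes its extracted output under `/etc/pki/ca-trust/extracted/`; `source/` is the input tree that holds `anchors/`. Together with the doubled `.pem.pem` suffix, the check would report a missing file even when the CA was imported correctly. Confirm the real path on a booted image by listing `/etc/pki/ca-trust/extracted/pem/directory-hash/`, and have the failure branch print that listing so a mismatch is visible in the job log.
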
Member

@lzap I just noticed a potential typo in the filename - note the double .pem.pem 🤔

Contributor

Yeah, this is curious, do we generate funky filenames here or is the test not running correctly?

Member

@thozza thozza Dec 9, 2024

@mvo5 see #1076 (comment). The cacert customization is not applied to any image we boot-test, so this code is never executed.

thozza added a commit to thozza/osbuild-images that referenced this pull request Dec 7, 2024
This is to test the new check added by PR osbuild#1076 [0].

[0] osbuild#1076

Signed-off-by: Tomáš Hozza <[email protected]>