From 9f30456a0ed21230edf5e7e9be345a4ec8c69219 Mon Sep 17 00:00:00 2001 From: Petr Michalec Date: Tue, 12 Jun 2018 17:46:11 +0200 Subject: [PATCH 1/2] Fix, system.repo don't use curl if not needed - fixed pkgrepo.manage to use/prefer key_url for salt >= 2017.7 - updated syntax for key verificatoin - fix, avoid curl for salt:// schema (as in #156) Change-Id: I1b50c287a4030a9cefa1b819017d59cc5fb1c197 --- linux/system/repo.sls | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/linux/system/repo.sls b/linux/system/repo.sls index 8b93ecb1..303ea9c0 100644 --- a/linux/system/repo.sls +++ b/linux/system/repo.sls @@ -83,8 +83,6 @@ linux_repo_{{ name }}_key: cmd.run: - name: | echo "{{ repo.key | indent(12) }}" | apt-key add - - - unless: | - apt-key finger --with-colons | grep -qF $(echo "{{ repo.key| indent(12) }}" | gpg --with-fingerprint --with-colons | grep -E '^fpr') - require_in: {%- if repo.get('default', False) %} - file: default_repo_list 
@@ -92,12 +90,20 @@ linux_repo_{{ name }}_key: - pkgrepo: linux_repo_{{ name }} {% endif %} -{%- elif repo.key_url|default(False) %} +{# key_url fetch by curl when salt <2017.7, higher version of salt has fixed bug for using a proxy_host/port specified at minion.conf #} +{# + NOTE: curl/cmd.run usage to fetch gpg key has limited functionality behind proxy. Environments with salt >= 2017.7 should use + key_url specified at pkgrepo.manage state (which uses properly configured http_host at minion.conf). Older versions of + salt require to have proxy set at ENV and curl way to fetch gpg key here can have a sense for backward compatibility. + + Be aware that as of salt 2018.3 no_proxy option is not implemented at all. +#} +{%- elif repo.key_url|default(False) and grains['saltversioninfo'] < [2017, 7] and not repo.key_url.startswith('salt://') %} + linux_repo_{{ name }}_key: cmd.run: - name: "curl -sL {{ repo.key_url }} | apt-key add -" - - unless: "apt-key finger --with-colons | grep -qF $(curl -sL {{ repo.key_url }} | gpg --with-fingerprint --with-colons | grep -E '^fpr')" - require_in: {%- if repo.get('default', False) %} - file: default_repo_list @@ -132,6 +138,9 @@ linux_repo_{{ name }}: {%- if repo.key_server is defined %} - keyserver: {{ repo.key_server }} {%- endif %} + {%- if repo.key_url is defined and (grains['saltversioninfo'] >= [2017, 7] or repo.key_url.startswith('salt://')) %} + - key_url: {{ repo.key_url }} + {%- endif %} - consolidate: {{ repo.get('consolidate', False) }} - clean_file: {{ repo.get('clean_file', False) }} - refresh_db: {{ repo.get('refresh_db', True) }} From 42048b2b2ccf449ae0a8295bc6eb1113761db327 Mon Sep 17 00:00:00 2001 From: Petr Michalec Date: Wed, 13 Jun 2018 15:26:56 +0200 Subject: [PATCH 2/2] use pkg.add_repo_key and return unless Change-Id: I111a584879c391cab41ca5579dfcad170a3248ad --- .kitchen.yml | 3 ++- linux/system/repo.sls | 16 ++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) 
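Review bot: The `cmd.run` kept for salt < 2017.7, `curl -sL {{ repo.key_url }} | apt-key add -`, renders the pillar value unquoted into a shell line and trusts whatever the URL returns. Without `-f`, an HTTP error body is piped straight into `apt-key`, and with a plain `http://` URL the key that lands in the apt trust store is whatever the network path delivers. I would at least write `- name: "curl -fsSL '{{ repo.key_url }}' | apt-key add -"` and say in the Jinja NOTE above it that `key_url` is expected to be `https://` or `salt://`. The NOTE currently covers only proxy behaviour, not the fact that this branch adds a key with no fingerprint check.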
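Review bot: The new guard tests `repo.key_url is defined`, while the `elif` branch for the curl path uses `repo.key_url|default(False)`, so the two conditions are not complementary for a pillar that sets `key_url` to an empty or null value. With a null value on older salt, `repo.key_url.startswith('salt://')` is likely to fail at render time, and on salt >= 2017.7 an empty or `None` `key_url` would be handed to the pkgrepo state; I have not confirmed how pkgrepo reacts to that. Using the same truthiness test in both places avoids it: `{%- if repo.key_url|default(False) and (grains['saltversioninfo'] >= [2017, 7] or repo.key_url.startswith('salt://')) %}`. The enclosing `linux_repo_{{ name }}` state starts outside this hunk.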
diff --git a/.kitchen.yml b/.kitchen.yml index c704da56..4458e162 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -13,7 +13,8 @@ provisioner: log_level: error formula: linux grains: - noservices: true + noservices: True + kitchen-test: True state_top: base: "*": diff --git a/linux/system/repo.sls b/linux/system/repo.sls index 303ea9c0..0efd26ad 100644 --- a/linux/system/repo.sls +++ b/linux/system/repo.sls @@ -80,9 +80,21 @@ linux_repo_{{ name }}_pin: {%- if repo.get('key') %} {# 2 #} linux_repo_{{ name }}_key: +{% if grains['saltversioninfo'] < [2017, 7] %} cmd.run: - name: | echo "{{ repo.key | indent(12) }}" | apt-key add - + {%- if not grains.get('kitchen-test') %} + {# omitted from tests, as behaves inconsistently across CI/platforms #} + - unless: | + apt-key finger --with-colons | grep -qF $(echo "{{ repo.key| indent(12) }}" | gpg --with-fingerprint --with-colons | grep -E '^fpr') + {%- endif %} +{%- else %} + module.run: + - name: pkg.add_repo_key + - text: | + {{ repo.key | indent(10) }} +{%- endif %} - require_in: {%- if repo.get('default', False) %} - file: default_repo_list @@ -104,6 +116,10 @@ linux_repo_{{ name }}_key: linux_repo_{{ name }}_key: cmd.run: - name: "curl -sL {{ repo.key_url }} | apt-key add -" + {%- if not grains.get('kitchen-test') %} + {# omitted from tests, as behaves inconsistently across CI/platforms #} + - unless: "apt-key finger --with-colons | grep -qF $(curl -sL {{ repo.key_url }} | gpg --with-fingerprint --with-colons | grep -E '^fpr')" + {%- endif %} - require_in: {%- if repo.get('default', False) %} - file: default_repo_list
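Review bot: The new `module.run` branch for salt >= 2017.7 has no idempotency guard, because the restored `unless` sits only inside the `cmd.run` branch. `pkg.add_repo_key` is therefore presumably executed on every run and reported as a change each time, which buries real changes to the apt keyring in highstate output. The guard in the `cmd.run` branch is also switched off by a `kitchen-test` grain, and grains are set on the minion, so the template should say that the grain is test-only, e.g. `{# kitchen-test grain is for CI only; it disables the idempotency check, not any key verification #}`. The `unless` only compares the fingerprint of the key supplied in pillar with the keyring, so it is an idempotency check and not a trust decision.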
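Review bot: The restored `unless` in the `key_url` branch downloads `{{ repo.key_url }}` a second time and passes an unquoted `$(...)` to `grep -qF`, so the check and the import can see different content. The guard also misbehaves when the fetch fails or the key yields more than one `fpr` line, since the extra words become file arguments to grep; that may be the cross-platform inconsistency the added comment mentions. Downloading once to a temporary file, taking the fingerprint from it and importing that same file would make the guard and the import agree. If the line stays as it is, I would document the limitation next to it: `{# best-effort idempotency guard; downloads key_url again and does not verify the key #}`. The URL is also unquoted here, as in the `name` line.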