Package: openstack-cluster-installer
Version: 42.2.1~bpo11+1
Severity: wishlist
Tags: patch

Further to, and dependent upon, Bug#1028393, I would like to use
OpenStack Cluster Installer with packages from an internal aptly
mirror repository. Unfortunately, because the packages hosted by aptly are
signed with aptly's own keyring, this currently does not work.

The attached patches do the following:
- Add support to openstack-cluster-installer-build-live-image for using
  a custom archive keyring
- Add support to slave_install_server_os_command() in slave_actions.php
  to provide parameters to build-openstack-debian-image for custom
  archive keyring
- Add options to openstack-cluster-installer.conf for the above
- Update README with instructions for the above.

Please let me know if I'm following the correct process for raising this
request, and I'm happy to discuss the request/patches/etc.


Cheers
Jim
diff --git a/bin/openstack-cluster-installer-build-live-image b/bin/openstack-cluster-installer-build-live-image
index 12987332..4e6c97db 100755
--- a/bin/openstack-cluster-installer-build-live-image
+++ b/bin/openstack-cluster-installer-build-live-image
@@ -206,6 +206,13 @@ deb-src ${debian_incoming_buildd} buildd-sid main
 " >config/archives/incoming-buildd.list.binary
 fi
 
+# Install keyring, if configured
+if [ -n "${debian_keyring_package}" ]; then
+	cd config/archives
+	apt-get download ${debian_keyring_package}
+	cd ../..
+fi
+
 # Add the IP of the PXE server in a configuration file
 # for later use during the install process
 mkdir -p config/includes.chroot/etc/oci
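Review bot: The download at `apt-get download ${debian_keyring_package}` and the two `cd` calls around it are unchecked; unless the script runs under `set -e` (not visible here), a failed `cd config/archives` makes the following `cd ../..` climb out of the build tree, and a failed download lets the build continue to produce an image without the keyring, which only surfaces later as an apt signature error. A subshell keeps the working directory and fails fast: `( cd config/archives && apt-get download "${debian_keyring_package}" ) || exit 1`. It is also worth confirming that this live-build version actually installs a .deb dropped into config/archives; the documented location for locally supplied packages is config/packages.chroot/, and the existing code only puts apt list files in config/archives. Since this package is what establishes trust for every package on the mirror, a one-line comment saying so would help, e.g. `# The keyring package is the trust anchor for the mirror; apt on the host verifies it before it is copied in`.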
@@ -863,6 +870,11 @@ if [ -d /etc/openstack-cluster-installer/live-image-additions ] ; then
 	fi
 fi
 	
+# Configure debootstrap to trust our archive keyring
+if [ -n "${debian_keyring_file}" ]; then
+	export DEBOOTSTRAP_OPTIONS="${DEBOOTSTRAP_OPTIONS} --keyring=${debian_keyring_file}"
+fi
+
 lb clean
 lb config --mirror-binary http://${OTCI_PXE_SERVER_IP}:9999/debian -b netboot --bootappend-live "boot=live iomem=relaxed console=tty0 console=ttyS0,115200 console=ttyS1,115200 earlyprintk=ttyS1,115200 consoleblank=0 systemd.show_status=true components url=http://${OTCI_PXE_SERVER_IP} fetch=http://${OTCI_PXE_SERVER_IP}/openstack-cluster-installer/filesystem.squashfs"; --net-root-path /var/lib/openstack-cluster-installer --net-root-server ${OTCI_PXE_SERVER_IP}
 
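Review bot: `debian_keyring_file` is appended to `DEBOOTSTRAP_OPTIONS` as `--keyring=${debian_keyring_file}` without checking that the file exists on the OCI server, so a typo in the conf shows up only as a debootstrap failure deep inside `lb build`. Checking up front gives a clear message: `[ -r "${debian_keyring_file}" ] || { echo "debian_keyring_file ${debian_keyring_file} is not readable" >&2; exit 1; }`. The value is also unquoted when interpolated, so a path with whitespace would split the option. A short comment stating that this file is the trust anchor for the bootstrap, and that it must be the same keyring the package in `debian_keyring_package` installs, would help the next reader; whether live-build passes `DEBOOTSTRAP_OPTIONS` through to debootstrap in this version is not shown here and should be confirmed.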
diff --git a/src/inc/slave_actions.php b/src/inc/slave_actions.php
index 9374346f..b6056ca5 100644
--- a/src/inc/slave_actions.php
+++ b/src/inc/slave_actions.php
@@ -1376,6 +1376,9 @@ function slave_install_server_os_command($con, $conf, $machine_id){
             $package_list_file .= file_get_contents($package_list_path);
         }
     }
+    if($conf["network"]["debian_keyring_package"] && $conf["network"]["install_debian_keyring_package"]){
+        $package_list_file .= "," . $conf["network"]["debian_keyring_package"];
+    }
 
     $cmd  = "oci-install-with-report";
     $cmd .= $network_params;
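Review bot: The enable flags are tested for plain truthiness at `if($conf["network"]["debian_keyring_package"] && $conf["network"]["install_debian_keyring_package"])` and again at `if ($conf["network"]["install_debian_keyring_file"])` in the next hunk, but the conf file sets them to `yes`/`no`; unless the loader converts those (parse_ini_file's default scanner turns `no` into an empty string), the literal string "no" is truthy in PHP and the shipped default `install_debian_keyring_file=no` would still add `--copy-debootstrap-keyring-file`. If the values arrive as raw strings, compare explicitly, as this function already does for `$machine["boot_uefi"] == "yes"`: `if($conf["network"]["debian_keyring_package"] && $conf["network"]["install_debian_keyring_package"] == "yes"){`. Note also that when no package list file was found, `$package_list_file` will start with a leading comma after this append, which is harmless only if the consumer skips empty entries, and that consumer is not in this diff. slave_install_server_os_command starts before and continues past this hunk.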
@@ -1383,6 +1386,12 @@ function slave_install_server_os_command($con, $conf, $machine_id){
     $cmd .= " --debootstrap-url ".$conf["network"]["debian_mirror"];
     $cmd .= " --sources.list-mirror ".$conf["network"]["debian_mirror"];
     $cmd .= " --security-mirror ".$conf["network"]["debian_security_mirror"];
+    if($conf["network"]["debian_keyring_file"]){
+        $cmd .= " --debootstrap-keyring-file " . $conf["network"]["debian_keyring_file"];
+        if ($conf["network"]["install_debian_keyring_file"]) {
+            $cmd .= " --copy-debootstrap-keyring-file";
+        }
+    }
 
     if($machine["boot_uefi"] == "yes"){
         $cmd .= " --boot-type uefi";
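Review bot: The keyring path is concatenated into the command string unquoted at `$cmd .= " --debootstrap-keyring-file " . $conf["network"]["debian_keyring_file"];`, so a path containing whitespace or shell metacharacters breaks the command; `escapeshellarg($conf["network"]["debian_keyring_file"])` makes it robust at the cost of one call. The surrounding mirror arguments are interpolated the same way, so this matches the existing style, but the keyring is the one value here that is a filesystem path rather than a URL. Neither `--debootstrap-keyring-file` nor `--copy-debootstrap-keyring-file` is defined anywhere in this patch set; the report says it depends on Bug#1028393, so the option names should be checked against that change. The function continues outside the hunk.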
diff --git a/etc/openstack-cluster-installer/openstack-cluster-installer.conf b/etc/openstack-cluster-installer/openstack-cluster-installer.conf
index 9f9cb295..3d3e0935 100644
--- a/etc/openstack-cluster-installer/openstack-cluster-installer.conf
+++ b/etc/openstack-cluster-installer/openstack-cluster-installer.conf
@@ -28,6 +28,24 @@ debian_mirror=http://deb.debian.org/debian
 # Example: like http://mirror.infomaniak.com/debian-security
 debian_security_mirror=http://security.debian.org/debian-security
 
+# Package containing keyring used to sign packages in above repositories
+# this is useful when using self-hosted package repos which are not signed
+# by the official Debian archive keyring
+# Leave empty when using official debian packages
+debian_keyring_package=
+
+# Filename of keyring installed by above package (this also needs to be availble
+# on the OCI server)
+# Leave empty when using official debian packages
+debian_keyring_file=
+
+# Whether to install the keyring package specified above on OpenStack nodes
+install_debian_keyring_package=yes
+
+# Whether to copy above keyring file to OpenStack nodes (using a package instead
+# is preferred)
+install_debian_keyring_file=no
+
 # URL of the incoming buildd repo: useful for Sid development of OCI.
 debian_incoming_buildd=http://incoming.debian.org/debian-buildd
 
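Review bot: The comment for `debian_keyring_file` has a typo (`availble`) and should say where the file is used: it is passed to debootstrap as `--keyring` when the live image is built and forwarded as `--debootstrap-keyring-file` when nodes are installed, so it must be readable on the OCI server at build time, e.g. `# Filename of the keyring installed by the package above; it must be readable on the OCI server`. It would also help to state that `install_debian_keyring_package` and `install_debian_keyring_file` are read as yes/no and that their defaults have no effect until `debian_keyring_package` / `debian_keyring_file` are set.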
diff --git a/README.md b/README.md
index 642a0be1..f7cd1c97 100644
--- a/README.md
+++ b/README.md
@@ -431,6 +431,34 @@ individual servers using your private key. Therefore, it is strongly
 advise to customize /etc/openstack-cluster-installer/authorized_keys
 *before* you build the OCI Debian Live image.
 
+### Optional: using a self-hosted package repository ###
+
+If you are using a self-hosted package repository which signs packages
+with its own key (e.g. aptly), this requires additional configuration.
+If you are using the official Debian packages (either direct or via a
+caching proxy) then skip to the next section.
+
+You will need a package in your repo which contains the repository's
+signing key, and this package will need to already be installed on your
+OCI server.
+
+Configure the following entries in /etc/openstack-cluster-installer/openstack-cluster-installer.conf :
+```
+debian_keyring_package=my-archive-keyring
+debian_keyring_file=/usr/share/keyrings/my-archive-keyring.gpg
+install_debian_keyring_package=yes
+```
+
+If the keyring package is not available at install time (because it
+is not kept in the same repository as the mirrored debian packages),
+then set the following options to instead copy the keyring file from
+the live image:
+
+```
+install_debian_keyring_package=no
+install_debian_keyring_file=yes
+```
+
 ### Build OCI's live image ###
 
 ```
