Seems the copy is done by line 1115 of usr/lib/fai/subroutines:
fcopy -SBMir /etc/apt # copy all other apt config files from the config space

It probably should be documented, especially since docs currently state that files under files/ are not copied automatically but require an fcopy. Or I just missed the special treatment of sources.list.d ...

Now I have commented the repo definitions in sources.list.d/salt.list and uncomment 'em from hooks/configure.SALT :
-8<--
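#! /bin/bash

# Enable the repo lines that are commented out in the copied salt.list
sed -i 's/^#//' "$target/etc/apt/sources.list.d/salt.list"
fcopy -r /etc/salt/minion.d/

# Packages (including ca-certificates) are installed by this stage
$ROOTCMD apt-get update
$ROOTCMD apt-get install -y salt-minion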
-8<--

Finally it seems to work as expected.

Thanks again!

Diego

On 18/01/2024 08:23, Diego Zuccato wrote:
IIUC that's the same as adding 'em to the basefile. Every time an install errors out, basefile/nfsroot must be regenerated to include updated root certs. Error prone and time consuming.
I'm now trying to understand:
1) who is copying the whole /etc/apt/sources.list.d during task_repository, to disable salt.list
2) initialize salt repo with a script later in the configuration phase, when packages (including ca-certificates) are already installed

Point 1 is really unexpected and shouldn't happen by default. Currently ruling out it gets done by one of my scripts. Just to be sure:
fcopy /etc/apt/sources
does *not* touch /etc/apt/sources.list.d/, right?

Diego

On 17/01/2024 17:10, Markus Köberl wrote:
On Wednesday, 17 January 2024 16:13:02 CET Diego Zuccato wrote:
On 17/01/2024 14:15, Carsten Aulbert wrote:
How can I have ca-certificates installed when the repository gets added?

I think you could either add it into your basefile

Thought that, but would require regular maintenance, regenerating
basefile every time ca-certificates is updated.

or add it to your
hook to install ca-certificates from Debian first.

That would be the perfect solution.

Does that make sense?

Sure it does. I just have to understand how to do it the correct way :)

First issue (that deranged me): I forgot to set SALT class for the
test-fai host, but files/etc/apt/sources.list.d/salt.list/BOOKWORM got
copied anyway... some script is fcopy-ing more than expected...
Fixed (partially) the first issue, hooks/repository.SALT (the one that
should create salt.list file...) finally got called and attempted to
install ca-certificate. But it failed. Seems I'm attempting to install
it too soon.
Uff. Work for tomorrow...

Tks for all the hints!

I have on the fai server in /etc/fai/nfsroot.conf:

FAI_DEBOOTSTRAP_OPTS="--include=ca-certificates,apt-transport-https"

and /etc/fai/nfsroot-hooks/ca-certificates:

# load definition of ${NFSROOT}
. /etc/fai/nfsroot.conf
mkdir -p "${NFSROOT}/usr/local/share/ca-certificates"
cp /etc/fai/nfsroot-hooks/ComodoIntermediateCertificates.crt \
"${NFSROOT}/usr/local/share/ca-certificates/ComodoIntermediateCertificates.crt"
# rebuild the CA bundle inside the nfsroot so the added certificate is trusted
chroot "$NFSROOT" update-ca-certificates


regards
Markus Köberl


--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
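
The ordering problem discussed in this thread (an HTTPS repository enabled before ca-certificates exists in the target) can be guarded against in the hook itself. The following is an added example, not code from any poster or from FAI: the function name `enable_repo_list`, its return codes and the sample repository URL are assumptions made for illustration, and unlike the `sed` in the hook above it uncomments only `deb`/`deb-src` lines.

```shell
#!/bin/bash
# Added example (hypothetical helper, not part of FAI).
# enable_repo_list TARGET LIST
#   TARGET: root of the system being installed ($target in a FAI hook)
#   LIST:   list file path relative to TARGET
# Returns 0 when the list was enabled, 1 when the CA bundle is missing,
# 2 when the list file does not exist.
enable_repo_list() {
    local target="$1" list="$2"
    local bundle="$target/etc/ssl/certs/ca-certificates.crt"
    local file="$target/$list"

    # update-ca-certificates writes this bundle; without it apt cannot
    # verify the TLS certificate of an https:// repository.
    if [ ! -s "$bundle" ]; then
        echo "CA bundle missing in $target, not enabling $list" >&2
        return 1
    fi
    [ -f "$file" ] || { echo "$file not found" >&2; return 2; }

    # Uncomment repository lines only; ordinary comments stay as they are.
    sed -i -E 's/^#[[:space:]]*(deb(-src)?[[:space:]])/\1/' "$file"
}

# Demonstration on a constructed target tree (sample data, no real repository).
demo() {
    local t rc=0
    t=$(mktemp -d)
    mkdir -p "$t/etc/apt/sources.list.d" "$t/etc/ssl/certs"
    printf '%s\n' '# constructed sample list' \
        '#deb https://repo.example.invalid/salt bookworm main' \
        > "$t/etc/apt/sources.list.d/salt.list"

    enable_repo_list "$t" etc/apt/sources.list.d/salt.list 2>/dev/null || rc=$?
    echo "before ca-certificates: rc=$rc"

    echo 'constructed placeholder bundle' > "$t/etc/ssl/certs/ca-certificates.crt"
    rc=0
    enable_repo_list "$t" etc/apt/sources.list.d/salt.list || rc=$?
    echo "after ca-certificates: rc=$rc"
    cat "$t/etc/apt/sources.list.d/salt.list"
    rm -rf "$t"
}
demo
```

In a hook this would be called as `enable_repo_list "$target" etc/apt/sources.list.d/salt.list` ahead of `$ROOTCMD apt-get update`, aborting the hook on a non-zero return.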
