Package: base-installer
Severity: normal

As it stands today, the installer will always fail to find kernels in private mirrors defined in a preseed. This is true, even if you add keys with `apt-setup/local0/key` and set `debian-installer/allow_unauthenticated` and `debian-installer/allow_unauthenticated_ssl`.

The reason is an ordering issue. It took a while to dig through the code enough to put this all together, but here's how it falls out.

Inside of `pick_kernel`, we look at `$KERNEL_LIST` which is populated (in `kernel_update_list`), by calling:

```
chroot /target apt-cache search "^(kernel|$KERNEL_NAME)-image"
```

Unfortunately, apt inside of the target is not set up until _after_ `base-installer` in the `apt-setup` package. We _have_ set up apt in the installer (`configure_apt` and `apt_update` are before `pick_kernel`), so the _installation_ of any kernel _would_ work. Unfortunately, we won't _find_ any of the relevant kernels because the `apt-cache` run inside of the target won't work as none of the keys have been dropped off and so `apt-cache` ignores any private mirrors that have been added.

This is also seen in the logs, here's base-installer deciding on kernels:

```
Dec 12 09:50:26 base-installer: info: kernel linux-signed-generic usable on amd64
```

And here's it grabbing keys from `apt-setup/local0/key`:

```
Dec 12 09:51:15 main-menu[1220]: (process:777): 2020-12-12 09:51:11 URL:http://INTERNAL_HOST/public.gpg [1204/1204] -> "/target/tmp/_fetch-url_key0.pub.2041" [1]
```

Note that it's a minute later (internal hostname masked).

There is a workaround. Since `post_install_hooks` is just before `pick_kernel`, I've added a `preseed/early_command` that generates a file in `/usr/lib/base-installer.d` which wget's the key into `/target/etc/apt/trusted.gpg.d`. Of course this will be done by `apt-setup` just a moment later.

This doesn't seem like a trivial bug to fix. I can see two possible fixes:

1. Install apt-cache into the installer
2. Move kernel installation to a separate package that happens after `apt-setup`.

There are possibly other options that those more familiar with the codebase can see.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-1-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
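
One way to write the workaround described in the report, as an added example that is not the reporter's hook or debian-installer code: a function that generates the `/usr/lib/base-installer.d` hook. The hook name `05local-apt-key`, the destination name `local0.gpg`, the `TARGET` override and the pinned SHA-256 check are assumptions added here; the check is there because the key is fetched over plain HTTP and then becomes trusted by apt in the target.

```shell
#!/bin/sh
# Added example, not the reporter's script. Assumed names: hook file
# 05local-apt-key, key file local0.gpg, TARGET override (used for testing).

# write_key_hook ROOT URL SHA256
#   ROOT is "" inside the installer, or a scratch directory when testing.
#   URL and SHA256 come from the preseed author (placeholders here).
write_key_hook() {
    root=$1 url=$2 sum=$3
    hook="$root/usr/lib/base-installer.d/05local-apt-key"
    mkdir -p "${hook%/*}"
    # Unquoted heredoc: $url and $sum are filled in now, \$ survives
    # into the generated hook and is evaluated when the hook runs.
    cat > "$hook" <<EOF
#!/bin/sh
# Puts the private mirror's key into the target before the kernel lookup
# runs apt-cache there. apt reads binary keyrings as *.gpg and
# ASCII-armored keys as *.asc in trusted.gpg.d.
set -e
dest="\${TARGET:-/target}/etc/apt/trusted.gpg.d/local0.gpg"
tmp="\$dest.tmp"
mkdir -p "\${dest%/*}"
wget -q -O "\$tmp" "$url"
# Refuse the key unless it matches the digest pinned in the preseed.
got=\$(sha256sum "\$tmp" | cut -d' ' -f1)
if [ "\$got" != "$sum" ]; then
    rm -f "\$tmp"
    echo "local apt key: digest mismatch, not installing" >&2
    exit 1
fi
mv "\$tmp" "\$dest"
EOF
    chmod 755 "$hook"
    echo "$hook"
}
```

In the installer, the script run by `preseed/early_command` would call `write_key_hook "" URL DIGEST` with the mirror's key URL and its known SHA-256.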