From 00bfe8775618e653e2532588cebd522d7fe5ccbb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?=
Date: Fri, 30 Apr 2021 15:12:53 +0000
Subject: [PATCH] [CI] Trust only infra mirrors

Infra mirrors get their indices rebuilt to avoid broken indices (due to partial update). Unfortunately, this wipes out the cryptographic signatures.

Our approach so far was disabling apt security features globally. However, this is not a valid choice for external repos. It hid an issue we introduced with new RabbitMQ repos missing proper keys installed in the image. This caused permanent failures outside of our CI.

Our process should be as close as possible to users' experience.

This patch makes CI trust only the mirrors that have their indices rebuilt (so infra mirrors).

Change-Id: Ic5abc4b87fd76f87aba383abf43e95ba70629fcb
(cherry picked from commit c364c8be85f4653bf7af1c7ac0378823553e7441)
---
 tests/templates/template_overrides.j2 | 32 +++++++++------------------
 1 file changed, 10 insertions(+), 22 deletions(-)

diff --git a/tests/templates/template_overrides.j2 b/tests/templates/template_overrides.j2
index d12639c2e2..515da5b844 100644
--- a/tests/templates/template_overrides.j2
+++ b/tests/templates/template_overrides.j2
@@ -15,15 +15,6 @@ RUN echo registry={{ nodepool_npmjs_proxy }} > /etc/npmrc \
 && ln -s /etc/npmrc /usr/etc/npmrc
 {% raw %}
-{% if base_distro in ['debian', 'ubuntu'] %}
-{% endraw %}
-
-# NOTE(hrw): Debian since 'buster' and Ubuntu since 18.04 refuse to use unsigned repos
-RUN echo 'APT::Get::AllowUnauthenticated "true";' > /etc/apt/apt.conf.d/99allow-unauthenticated \
-  && echo 'Acquire::AllowInsecureRepositories "true";' > /etc/apt/apt.conf.d/99allow-insecure-repos
-
-{% raw %}
-{% endif %}
 {% endblock %}
 {% block base_centos_repo_overrides_post_copy %}
@@ -64,17 +55,17 @@ RUN sed -i \
 {% if base_distro == "debian" %}
 {% endraw %}
-RUN sed -i -e "s|http://deb.debian.org|http://{{ nodepool_mirror_host }}|" \
- -e "s|http://security.debian.org|http://{{ nodepool_mirror_host }}|" \
+RUN sed -i -e "s|http://deb.debian.org|[trusted=yes] http://{{ nodepool_mirror_host }}|" \
+ -e "s|http://security.debian.org|[trusted=yes] http://{{ nodepool_mirror_host }}|" \
 /etc/apt/sources.list
 {% raw %}
 {% elif base_distro == "ubuntu" %}
 {% endraw %}
-RUN sed -i -e "s|mirror://mirrors.ubuntu.com/mirrors.txt|http://{{ nodepool_mirror_host }}/ubuntu/|" \
- -e "s|http://ubuntu-cloud.archive.canonical.com/ubuntu|http://{{ nodepool_mirror_host }}/ubuntu-cloud-archive|" \
- -e "s|http://ports.ubuntu.com|http://{{ nodepool_mirror_host }}/ubuntu-ports|" \
+RUN sed -i -e "s|mirror://mirrors.ubuntu.com/mirrors.txt|[trusted=yes] http://{{ nodepool_mirror_host }}/ubuntu/|" \
+ -e "s|http://ubuntu-cloud.archive.canonical.com/ubuntu|[trusted=yes] http://{{ nodepool_mirror_host }}/ubuntu-cloud-archive|" \
+ -e "s|http://ports.ubuntu.com|[trusted=yes] http://{{ nodepool_mirror_host }}/ubuntu-ports|" \
 /etc/apt/sources.list
 {% raw %}
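Review bot: `[trusted=yes]` on the rewritten Debian and Ubuntu entries switches off apt's signature verification for those sources altogether (Release and Packages alike), and every entry still reaches `nodepool_mirror_host` over plain `http://`, so nothing in the build checks what the mirror serves; that is acceptable only because the mirror sits on the CI network, and the template should say so. I would put a comment above the Debian `RUN sed -i` such as `# NOTE: [trusted=yes] disables apt signature checks for the infra mirror only; its indices are rebuilt unsigned. CI-only - never carry this into user-facing templates.`, with the same line above the Ubuntu block. Separately, the substitutions splice `[trusted=yes] ` in front of the URL without looking at what precedes it, so a sources.list line that already carries an option list (for example `deb [arch=amd64] http://...`) would end up with two bracket groups, which apt does not parse; if any base image in use ships such lines this will break the mirror rewrite, so it is worth confirming against the images' stock sources.list. The surrounding Jinja `{% if base_distro %}` block starts before this hunk and the enclosing `{% block %}` ends after it.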
@@ -110,20 +101,17 @@ RUN sed -i \
 /etc/yum.repos.d/epel*.repo
 {% raw %}
 {% elif base_package_type == 'deb' %}
-{% endraw %}
-RUN rm -f /etc/apt/apt.conf.d/99allow-unauthenticated /etc/apt/apt.conf.d/99allow-insecure-repos
-{% raw %}
 {% if base_distro == "debian" %}
 {% endraw %}
-RUN sed -i -e "s|http://{{ nodepool_mirror_host }}|http://deb.debian.org|" \
- -e "s|http://{{ nodepool_mirror_host }}|http://security.debian.org|" \
+RUN sed -i -e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}|http://deb.debian.org|" \
+ -e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}|http://security.debian.org|" \
 /etc/apt/sources.list
 {% raw %}
 {% elif base_distro == "ubuntu" %}
 {% endraw %}
-RUN sed -i -e "s|http://{{ nodepool_mirror_host }}/ubuntu/|mirror://mirrors.ubuntu.com/mirrors.txt|" \
- -e "s|http://{{ nodepool_mirror_host }}/ubuntu-cloud-archive|http://ubuntu-cloud.archive.canonical.com/ubuntu|" \
- -e "s|http://{{ nodepool_mirror_host }}/ubuntu-ports|http://ports.ubuntu.com|" \
+RUN sed -i -e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}/ubuntu/|mirror://mirrors.ubuntu.com/mirrors.txt|" \
+ -e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}/ubuntu-cloud-archive|http://ubuntu-cloud.archive.canonical.com/ubuntu|" \
+ -e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}/ubuntu-ports|http://ports.ubuntu.com|" \
 /etc/apt/sources.list
 {% raw %}
 {% endif %}
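Review bot: In the Debian restore block the second `-e` can never match: sed applies the expressions in order, and the first one, `s|\[trusted=yes\] http://{{ nodepool_mirror_host }}|http://deb.debian.org|`, already rewrites the one mirror URL on every line, so the security entry comes back as `http://deb.debian.org/...` rather than `http://security.debian.org/...`, which is not what the forward rewrite started from. The old lines had the same shape, but the new ones keep the defect; putting a path-anchored expression first, e.g. `-e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}/debian-security|http://security.debian.org/debian-security|"` ahead of the generic one, would restore it correctly - the exact path depends on the base image's sources.list, so confirm it there. More importantly, with the `99allow-*` apt.conf fragments gone this sed is the only thing that keeps `[trusted=yes]` out of the finished image, and a pattern that silently stops matching (a changed mirror host format, a different option spelling) would ship an image whose apt sources are unverified. A guard right after each restore, `RUN ! grep -q '\[trusted=yes\]' /etc/apt/sources.list`, makes that a build failure instead. The enclosing `{% elif base_package_type == 'deb' %}` branch begins before this hunk and its `{% endraw %}`/`{% endif %}` closing continues past it.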