
[CI] Trust only infra mirrors

Infra mirrors get their indices rebuilt to avoid broken
indices (due to partial update).
Unfortunately, this wipes out the cryptographic signatures.
Our approach so far was disabling apt security features globally.
However, this is not a valid choice for external repos.
It hid an issue we introduced with new RabbitMQ repos missing
proper keys installed in the image.
This caused permanent failures outside of our CI.

Our process should be as close as possible to users' experience.
This patch makes CI trust only the mirrors that have their indices
rebuilt (so infra mirrors).

Change-Id: Ic5abc4b87fd76f87aba383abf43e95ba70629fcb
(cherry picked from commit c364c8be85)
Radosław Piliszek 2 months ago
parent
commit
4a48238040
1 changed files with 10 additions and 22 deletions
  1. +10
    -22
      tests/templates/template_overrides.j2

+ 10
- 22
tests/templates/template_overrides.j2

@ -13,15 +13,6 @@ RUN echo registry={{ nodepool_npmjs_proxy }} > /etc/npmrc \
&& ln -s /etc/npmrc /usr/etc/npmrc
{% raw %}
{% if base_distro in ['debian', 'ubuntu'] %}
{% endraw %}
# NOTE(hrw): Debian 'buster' and Ubuntu 18.04 refuse to use unsigned repos
RUN echo 'APT::Get::AllowUnauthenticated "true";' > /etc/apt/apt.conf.d/99allow-unauthenticated \
&& echo 'Acquire::AllowInsecureRepositories "true";' > /etc/apt/apt.conf.d/99allow-insecure-repos
{% raw %}
{% endif %}
{% endblock %}
{% block base_centos_repo_overrides_post_copy %}
@ -64,17 +55,17 @@ RUN sed -i \
{% if base_distro == "debian" %}
{% endraw %}
RUN sed -i -e "s|http://deb.debian.org|http://{{ nodepool_mirror_host }}|" \
-e "s|http://security.debian.org|http://{{ nodepool_mirror_host }}|" \
RUN sed -i -e "s|http://deb.debian.org|[trusted=yes] http://{{ nodepool_mirror_host }}|" \
-e "s|http://security.debian.org|[trusted=yes] http://{{ nodepool_mirror_host }}|" \
/etc/apt/sources.list
{% raw %}
{% elif base_distro == "ubuntu" %}
{% endraw %}
RUN sed -i -e "s|mirror://mirrors.ubuntu.com/mirrors.txt|http://{{ nodepool_mirror_host }}/ubuntu/|" \
-e "s|http://ubuntu-cloud.archive.canonical.com/ubuntu|http://{{ nodepool_mirror_host }}/ubuntu-cloud-archive|" \
-e "s|http://ports.ubuntu.com|http://{{ nodepool_mirror_host }}/ubuntu-ports|" \
RUN sed -i -e "s|mirror://mirrors.ubuntu.com/mirrors.txt|[trusted=yes] http://{{ nodepool_mirror_host }}/ubuntu/|" \
-e "s|http://ubuntu-cloud.archive.canonical.com/ubuntu|[trusted=yes] http://{{ nodepool_mirror_host }}/ubuntu-cloud-archive|" \
-e "s|http://ports.ubuntu.com|[trusted=yes] http://{{ nodepool_mirror_host }}/ubuntu-ports|" \
/etc/apt/sources.list
{% raw %}
@ -110,20 +101,17 @@ RUN sed -i \
/etc/yum.repos.d/epel*.repo
{% raw %}
{% elif base_package_type == 'deb' %}
{% endraw %}
RUN rm -f /etc/apt/apt.conf.d/99allow-unauthenticated /etc/apt/apt.conf.d/99allow-insecure-repos
{% raw %}
{% if base_distro == "debian" %}
{% endraw %}
RUN sed -i -e "s|http://{{ nodepool_mirror_host }}|http://deb.debian.org|" \
-e "s|http://{{ nodepool_mirror_host }}|http://security.debian.org|" \
RUN sed -i -e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}|http://deb.debian.org|" \
-e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}|http://security.debian.org|" \
/etc/apt/sources.list
{% raw %}
{% elif base_distro == "ubuntu" %}
{% endraw %}
RUN sed -i -e "s|http://{{ nodepool_mirror_host }}/ubuntu/|mirror://mirrors.ubuntu.com/mirrors.txt|" \
-e "s|http://{{ nodepool_mirror_host }}/ubuntu-cloud-archive|http://ubuntu-cloud.archive.canonical.com/ubuntu|" \
-e "s|http://{{ nodepool_mirror_host }}/ubuntu-ports|http://ports.ubuntu.com|" \
RUN sed -i -e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}/ubuntu/|mirror://mirrors.ubuntu.com/mirrors.txt|" \
-e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}/ubuntu-cloud-archive|http://ubuntu-cloud.archive.canonical.com/ubuntu|" \
-e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}/ubuntu-ports|http://ports.ubuntu.com|" \
/etc/apt/sources.list
{% raw %}
{% endif %}
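Review bot: The revert in the last hunk (`sed -i -e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}|..."` for both the Debian and the Ubuntu branch) only undoes the trust override on lines that match the exact text inserted in the second hunk, and nothing fails the build if a `[trusted=yes]` survives, which would ship an image that skips apt signature verification for that source; a one-line assertion after the revert, e.g. `RUN ! grep -q 'trusted=yes' /etc/apt/sources.list`, would turn such a leak into a CI failure instead of a silent regression for users. The same exact-match coupling cuts the other way in the second hunk: if a base image's sources.list line already carries an options block (`deb [arch=...] http://...`), prepending `[trusted=yes]` to the URI would, as far as I can tell, produce a second bracket group that apt does not accept, so this is worth confirming against the images in use. The deleted NOTE(hrw) comment was the only place that explained why authentication is relaxed; a comment above the mirror `sed` such as `# NOTE: infra mirrors rebuild their indices and lose the Release signatures; [trusted=yes] is scoped to these lines only and reverted below` would keep that rationale with the new mechanism.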

