From 319e37c8f5a7b8c66120ed3fadb172944631b7ca Mon Sep 17 00:00:00 2001
From: Jesse Pretorius
Date: Wed, 3 Aug 2016 17:34:12 +0100
Subject: [PATCH] Implement primary and secondary keyserver usage for cache prep

Sometimes, especially with restricted internet access through proxies or firewalls, the LXC container creation fails when using the download template. The failure is due to the inability to access the gpg keyserver and therefore the inability to validate the downloaded image.

This patch implements the usage of a primary and secondary keyserver, and uses a primary keyserver which is more likely to be accessible in restricted environments as it's accessed on port 80.

Change-Id: Ic1ca3d9f3c7d720e9715b6dcc67a7888910e6d0d
Closes-Bug: #1609479
---
 defaults/main.yml | 5 ++++
 .../notes/lxc-cache-gpg-156169a867d4653f.yaml | 7 ++++++
 tasks/lxc_cache.yml | 23 ++++++++++++++++---
 3 files changed, 32 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/lxc-cache-gpg-156169a867d4653f.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index d5873ef5..bfd69ce3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -78,8 +78,13 @@ lxc_image_compression_ratio: 0
 # dest: "/etc/issue"
 lxc_container_cache_files: []
 
+# The DNS name of the LXD server to source the base container cache from
 lxc_image_cache_server: images.linuxcontainers.org
 
+# The keyservers to use when validating GPG keys for the downloaded cache
+lxc_image_cache_primary_keyserver: hkp://p80.pool.sks-keyservers.net:80
+lxc_image_cache_secondary_keyserver: hkp://keyserver.ubuntu.com:80
+
 ## Default download template options
 ## This can be customized to use a local build server and options.
 ## By default these options will be fulfilled by the distro specific
diff --git a/releasenotes/notes/lxc-cache-gpg-156169a867d4653f.yaml b/releasenotes/notes/lxc-cache-gpg-156169a867d4653f.yaml
new file mode 100644
index 00000000..b2e0b433
--- /dev/null
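Review bot: The comment above `lxc_image_cache_primary_keyserver` does not say when the secondary server is consulted or that both defaults use unencrypted HKP on port 80, which is what an operator of a restricted environment needs to know before overriding them. Suggest `# Keyservers the download template uses to fetch the image signing key; the secondary is only tried when the primary attempt fails. Both defaults are plain HKP on port 80 so they pass restrictive proxies; use an hkps:// server where outbound 443 is allowed and the host's gpg supports it.` split across comment lines. Because HKP is an unauthenticated transport, the strength of the validation rests on the download template pinning the full key fingerprint rather than a short key ID; that is not visible in this patch and is worth confirming. Separately, the new comment on `lxc_image_cache_server` calls images.linuxcontainers.org an LXD server while the surrounding variables and tasks use the LXC download template; `image server` would be accurate for both.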
+++ b/releasenotes/notes/lxc-cache-gpg-156169a867d4653f.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - The lxc_hosts role can now make use of a primary and secondary gpg
+    keyserver for gpg validation of the downloaded cache. Setting the
+    servers to use can be done using the
+    ``lxc_image_cache_primary_keyserver`` and
+    ``lxc_image_cache_secondary_keyserver`` variables.
diff --git a/tasks/lxc_cache.yml b/tasks/lxc_cache.yml
index 8178515e..13aaa3ac 100644
--- a/tasks/lxc_cache.yml
+++ b/tasks/lxc_cache.yml
@@ -19,11 +19,28 @@
     template: "download"
     state: stopped
     backing_store: "dir"
-    template_options: "{{ lxc_cache_download_template_options }}"
-  register: cache_download
+    template_options: "{{ lxc_cache_download_template_options }} --keyserver {{ lxc_image_cache_primary_keyserver }}"
+  register: cache_download_primary
   retries: 3
   delay: 10
-  until: cache_download|success
+  until: cache_download_primary | success
+  ignore_errors: yes
+  tags:
+    - lxc-cache
+    - lxc-cache-download
+
+- name: Create base container
+  lxc_container:
+    name: "LXC_NAME"
+    template: "download"
+    state: stopped
+    backing_store: "dir"
+    template_options: "{{ lxc_cache_download_template_options }} --keyserver {{ lxc_image_cache_secondary_keyserver }}"
+  when: cache_download_primary | failed
+  register: cache_download_secondary
+  retries: 3
+  delay: 10
+  until: cache_download_secondary | success
   tags:
     - lxc-cache
     - lxc-cache-download
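Review bot: Both tasks are named `Create base container`, so play output cannot tell the primary-keyserver attempt from the fallback, and because `ignore_errors: yes` suppresses the primary's failure, the reason it failed is never shown when the secondary succeeds; name them `Create base container (primary keyserver)` and `Create base container (secondary keyserver)`, and consider a `debug` task conditioned on `cache_download_primary | failed` that prints the registered result before the fallback runs. The fallback does not weaken the GPG check, since the secondary attempt validates through the same template, but any failure of the primary — a signature mismatch as much as an unreachable keyserver — is retried the same way, so the surfaced result is what tells an operator which case occurred. `--keyserver` is appended after `lxc_cache_download_template_options`, which the defaults describe as customizable; if an operator's value already carries a `--keyserver`, two are passed and which one the download template honours is not visible here. Per yamllint's truthy rule, write `ignore_errors: true` rather than `yes`. Any later task in this file that still reads `cache_download` needs the renamed `cache_download_primary`; the rest of the file is outside the hunk.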