
Simplify inserting apt keys into nspawn image

Bionic requires a functioning gpg-agent to run apt-key add. This means
that gpg-agent must be working properly in the chroot when the nspawn
image preparation script runs.

Previous changes [1] have enabled apt-key to communicate with gpg-agent
during the nspawn_hosts role checks, however the cache prep fails almost
every time when nspawn_hosts is used within other role checks.

This is not a new issue, debian-installer is affected too [2].

This change adopts the same route as d-i, and simply copies the host
/etc/apt/trusted.gpg.d directory to the nspawn image, removing the
need for apt-key and in turn gpg-agent.

This is a re-implementation of https://review.openstack.org/588962
for nspawn.

[1] https://review.openstack.org/590431
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851774

Change-Id: I3c56da445377d7ba27a623fb7ebe95c20d28a327
Jesse Pretorius 7 months ago
parent
commit
f3fe949711

+ 0
- 5
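--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -52,8 +52,3 @@
 - name: Reload systemd-daemon
   systemd:
     daemon_reload: true
-
-- name: Remove generated apt keys
-  file:
-    path: /root/repo.keys
-    state: absent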

+ 0
- 15
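--- a/tasks/nspawn_cache.yml
+++ b/tasks/nspawn_cache.yml
@@ -66,21 +66,6 @@
   when:
     - nspawn_image_cache_refresh | bool
 
-- block:
-    - name: Generate apt keys from host for the container cache
-      command: "apt-key exportall"
-      changed_when: false
-      register: _apt_exportall
-
-    - name: Write exported keys to file
-      copy:
-        content: "{{ _apt_exportall.stdout }}"
-        dest: "/var/lib/machines/{{ nspawn_container_base_name }}/root/repo.keys"
-      notify:
-        - Remove generated apt keys
-  when:
-    - ansible_pkg_mgr == 'apt'
-
 - name: Cached image preparation script
   template:
     src: "prep-scripts/nspawn_{{ nspawn_cache_map.distro }}_prep.sh.j2"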

+ 0
- 8
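--- a/templates/prep-scripts/nspawn_ubuntu_prep.sh.j2
+++ b/templates/prep-scripts/nspawn_ubuntu_prep.sh.j2
@@ -30,14 +30,6 @@ apt-get update
 
 apt-get install -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes {{ nspawn_container_distro_required_packages | join(' ') }}
 
-#start gpg-agent if is is not already running
-<(gpg-agent) || true
-gpg-connect-agent /bye || true
-
-if [[ -f "/root/repo.keys" ]]; then
-  apt-key add /root/repo.keys
-fi
-
 apt-get install -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes {{ nspawn_container_distro_packages | join(' ') }}
 apt-get upgrade -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes
 apt-get clean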

+ 1
- 0
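--- a/vars/ubuntu-16.04.yml
+++ b/vars/ubuntu-16.04.yml
@@ -63,3 +63,4 @@ _nspawn_copy_from_host:
   - /etc/apt/sources.list
   - /etc/apt/apt.conf.d/
   - /etc/apt/preferences.d/
+  - /etc/apt/trusted.gpg.d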
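Review bot: The new `/etc/apt/trusted.gpg.d` entry has no trailing slash while the sibling directory entries in `_nspawn_copy_from_host` (`/etc/apt/apt.conf.d/`, `/etc/apt/preferences.d/`) do; if the consumer of this list applies rsync-style semantics the slash decides whether the directory itself or its contents are copied, so the line should probably read `  - /etc/apt/trusted.gpg.d/` for consistency. The identical hunk in vars/ubuntu-18.04.yml has the same inconsistency. One thing to confirm: the removed `apt-key exportall` path exported every key apt trusted on the host, including the legacy `/etc/apt/trusted.gpg` keyring, whereas this copies only the `trusted.gpg.d` fragment directory, so a key present only in the legacy keyring would no longer reach the image. Since the image now inherits the host's full set of repository signing keys, a comment above the entry would help the next maintainer, e.g. `# copied so apt inside the image trusts the same repo signing keys as the host (replaces apt-key add)`.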

+ 1
- 0
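--- a/vars/ubuntu-18.04.yml
+++ b/vars/ubuntu-18.04.yml
@@ -63,3 +63,4 @@ _nspawn_copy_from_host:
   - /etc/apt/sources.list
   - /etc/apt/apt.conf.d/
   - /etc/apt/preferences.d/
+  - /etc/apt/trusted.gpg.d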
