Debian: use extrepo for setting-up the repositories

The old method used in manifests/repo/debian/debian.pp relied on
apt-key, which is now deprecated; apt-key itself is going to be
removed in 2021. Also, downloading a random repository key from
the internet is questionable at best.

So I'm switching to use extrepo by default for setting-up the
Debian repositories. It's nice, it's official, and it's in
Bullseye already. It also is authenticated by default, and supports
additional repositories (so it's prepared for the future).

Change-Id: I7686a1cf541c81a9a14ef05542e31053c47e3f51
Thomas Goirand 2021-04-15 22:41:55 +02:00
parent 7e74f6914e
commit c8fabb628c
3 changed files with 117 additions and 45 deletions


@ -15,6 +15,17 @@
# Debian APT source
# Defaults to true
#
# [*package_require*]
# (optional) Whether or not to run 'apt-get update' before
# installing any packages.
# Defaults to false
#
# [*use_extrepo*]
# (optional) Should this module use extrepo to
# setup the Debian apt sources.list. If true, the
# below parameters aren't in use.
# Defaults to true.
#
# [*source_hash*]
# (optional) A hash of apt::source resources to
# create and manage
@ -25,11 +36,6 @@
# resources created by this class
# Defaults to {}
#
# [*package_require*]
# (optional) Whether or not to run 'apt-get update' before
# installing any packages.
# Defaults to false
#
# [*deb_location*]
# (optional) Debian package repository location.
# Defaults to "http://${::lsbdistcodename}-${release}.debian.net/debian"
@ -43,41 +49,68 @@
class openstack_extras::repo::debian::debian(
$release = $::openstack_extras::repo::debian::params::release,
$manage_deb = true,
$package_require = false,
$use_extrepo = true,
# Below params only used if $use_extrepo is set to false
$source_hash = {},
$source_defaults = {},
$package_require = false,
$deb_location = "http://${::lsbdistcodename}-${release}.debian.net/debian",
# DEPRECATED
$manage_whz = undef,
) inherits openstack_extras::repo::debian::params {
# handle deprecation
$deb_manage = pick($manage_whz, $manage_deb)
if $deb_manage {
exec { 'installing openstack-backports-archive-keyring':
command => "/usr/bin/apt-get update ; \
wget ${deb_location}/dists/pubkey.gpg ; \
apt-key add pubkey.gpg ; \
rm pubkey.gpg",
logoutput => 'on_failure',
tries => 3,
try_sleep => 1,
refreshonly => true,
subscribe => File["/etc/apt/sources.list.d/${::openstack_extras::repo::debian::params::deb_name}.list"],
notify => Exec['apt_update'],
}
apt::source { $::openstack_extras::repo::debian::params::deb_name:
location => $deb_location,
release => "${::lsbdistcodename}-${release}-backports",
repos => $::openstack_extras::repo::debian::params::deb_repos,
}
-> apt::source { "${::openstack_extras::repo::debian::params::deb_name}-nochange":
location => $deb_location,
release => "${::lsbdistcodename}-${release}-backports-nochange",
repos => $::openstack_extras::repo::debian::params::deb_repos,
}
}
create_resources('apt::source', $source_hash, $source_defaults)
$lowercase_release = downcase($release)
if $deb_manage {
if $use_extrepo {
# Extrepo is much nicer than what's below, because
# the repositories are authenticated by extrepo itself.
# Also, using apt-key is now deprecated (to be removed in 2021).
# We use ensure_packages to avoid conflict with any other class
# external to this module that may also install extrepo.
ensure_packages(['extrepo',], {'ensure' => 'present'})
exec { "extrepo enable openstack_${lowercase_release}":
command => "extrepo enable openstack_${lowercase_release}",
logoutput => 'on_failure',
tries => 3,
try_sleep => 1,
refreshonly => true,
require => Package['extrepo'],
}
if $package_require {
Exec["extrepo enable openstack_${lowercase_release}"] -> Exec['apt_update']
}
}else{
exec { 'installing openstack-backports-archive-keyring':
command => "/usr/bin/apt-get update ; \
wget ${deb_location}/dists/pubkey.gpg ; \
apt-key add pubkey.gpg ; \
rm pubkey.gpg",
logoutput => 'on_failure',
tries => 3,
try_sleep => 1,
refreshonly => true,
subscribe => File["/etc/apt/sources.list.d/${::openstack_extras::repo::debian::params::deb_name}.list"],
notify => Exec['apt_update'],
}
apt::source { $::openstack_extras::repo::debian::params::deb_name:
location => $deb_location,
release => "${::lsbdistcodename}-${lowercase_release}-backports",
repos => $::openstack_extras::repo::debian::params::deb_repos,
}
-> apt::source { "${::openstack_extras::repo::debian::params::deb_name}-nochange":
location => $deb_location,
release => "${::lsbdistcodename}-${lowercase_release}-backports-nochange",
repos => $::openstack_extras::repo::debian::params::deb_repos,
}
}
create_resources('apt::source', $source_hash, $source_defaults)
}
if $package_require {
Exec['apt_update'] -> Package<||>
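Review bot: The new `exec { "extrepo enable openstack_${lowercase_release}": }` sets `refreshonly => true`, but nothing visible in this hunk notifies it or is subscribed to by it (`require => Package['extrepo']` only orders), so on the default path the repository would apparently never be enabled. The command is also unqualified and has no `path`, which Puppet rejects unless an Exec default path is set elsewhere. Consider `command => "/usr/bin/extrepo enable openstack_${lowercase_release}",` with `creates => "/etc/apt/sources.list.d/extrepo_openstack_${lowercase_release}.sources",` in place of `refreshonly`, plus `notify => Exec['apt_update'],` so the new source is indexed before packages install. Separately, the `else` branch still fetches `pubkey.gpg` from the default `http://` location and chains the steps with `;`, so a failed or substituted download goes unnoticed. A deprecation warning when `use_extrepo` is false would make that trade-off explicit.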


@ -0,0 +1,8 @@
---
features:
- |
The class openstack_extras::repo::debian::debian has now a new parameter
use_extrepo, which is true by default. If true, extrepo will be used for
setting-up the OpenStack apt sources.list, and the parameters source_hash,
source_defaults and deb_location are ignored. Beware that this is now
the new default!


@ -7,7 +7,8 @@ describe 'openstack_extras::repo::debian::debian' do
:manage_deb => true,
:source_hash => {},
:source_defaults => {},
:package_require => false
:package_require => false,
:use_extrepo => false,
}
end
@ -21,9 +22,37 @@ describe 'openstack_extras::repo::debian::debian' do
class_params.merge!(paramclass_defaults)
end
context 'with default parameters' do
context 'with default params' do
it { should contain_exec('extrepo enable openstack_victoria').with(
:command => 'extrepo enable openstack_victoria',
)}
it { should contain_package('extrepo').with(
:ensure => 'present',
:name => 'extrepo',
)}
end
context 'wallaby with extrepo' do
let :params do
{}
{
:release => 'wallaby',
:use_extrepo => true,
}
end
it { should contain_exec('extrepo enable openstack_wallaby').with(
:command => 'extrepo enable openstack_wallaby',
)}
it { should contain_package('extrepo').with(
:ensure => 'present',
:name => 'extrepo',
)}
end
context 'with extrepo set to false' do
let :params do
{
:use_extrepo => false,
}
end
it { should contain_apt__source('debian-openstack-backports').with(
@ -87,19 +116,20 @@ describe 'openstack_extras::repo::debian::debian' do
}
}
})
default_params.merge!({ :use_extrepo => false })
end
it { should contain_apt__source('debian_unstable').with(
:location => 'http://mymirror/debian/',
:release => 'unstable',
:repos => 'main'
:location => 'http://mymirror/debian/',
:release => 'unstable',
:repos => 'main',
)}
it { should contain_apt__source('puppetlabs').with(
:location => 'http://apt.puppetlabs.com',
:repos => 'main',
:release => 'stretch',
:key => { 'id' => '4BD6EC30', 'server' => 'pgp.mit.edu' }
:location => 'http://apt.puppetlabs.com',
:repos => 'main',
:release => 'stretch',
:key => { 'id' => '4BD6EC30', 'server' => 'pgp.mit.edu' },
)}
it { should contain_exec('installing openstack-backports-archive-keyring') }
@ -119,13 +149,14 @@ describe 'openstack_extras::repo::debian::debian' do
'include' => { 'src' => true }
}
})
default_params.merge!({ :use_extrepo => false })
end
it { should contain_apt__source('debian_unstable').with(
:include => { 'src' => true },
:location => 'http://mymirror/debian/',
:release => 'unstable',
:repos => 'main',
:include => { 'src' => true },
:location => 'http://mymirror/debian/',
:release => 'unstable',
:repos => 'main',
)}
it { should contain_exec('installing openstack-backports-archive-keyring') }
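Review bot: The two extrepo contexts ('with default params' and 'wallaby with extrepo') only assert that the extrepo exec and package are present; nothing checks that the unauthenticated apt-key path is absent when `use_extrepo` is true, which is the security property this change is meant to deliver. Adding `it { should_not contain_exec('installing openstack-backports-archive-keyring') }` and `it { should_not contain_apt__source('debian-openstack-backports') }` to both contexts would pin that. There is also no case for `:package_require => true` with extrepo enabled, so the `Exec["extrepo enable …"] -> Exec['apt_update']` ordering added in the manifest is untested.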