From c8fabb628cc8d12fd35319774f9174c7d6aef96d Mon Sep 17 00:00:00 2001 From: Thomas Goirand Date: Thu, 15 Apr 2021 22:41:55 +0200 Subject: [PATCH] Debian: use extrepo for setting-up the repositories The old method used in manifests/repo/debian/debian.pp that was using apt-key is currently deprecated. apt-key itself is going to be removed in 2021. Also, downloading a random repository key from the internet is questionable at least. So I'm switching to use extrepo by default for setting-up the Debian repositories. It's nice, it's official, and it's in Bullseye already. It also is authenticated by default, and supports additional repositories (so it's prepared for the future). Change-Id: I7686a1cf541c81a9a14ef05542e31053c47e3f51 --- manifests/repo/debian/debian.pp | 95 +++++++++++++------ .../debian-uses-extrepo-a77c672920581e4e.yaml | 8 ++ ...penstack_extras_repo_debian_debian_spec.rb | 59 +++++++++--- 3 files changed, 117 insertions(+), 45 deletions(-) create mode 100644 releasenotes/notes/debian-uses-extrepo-a77c672920581e4e.yaml diff --git a/manifests/repo/debian/debian.pp b/manifests/repo/debian/debian.pp index 6f19888..1dc3c16 100644 --- a/manifests/repo/debian/debian.pp +++ b/manifests/repo/debian/debian.pp @@ -15,6 +15,17 @@ # Debian APT source # Defaults to true # +# [*package_require*] +# (optional) Whether or not to run 'apt-get update' before +# installing any packages. +# Defaults to false +# +# [*use_extrepo*] +# (optional) Should this module use extrepo to +# setup the Debian apt sources.list. If true, the +# below parameters aren't in use. +# Defaults to true. +# # [*source_hash*] # (optional) A hash of apt::source resources to # create and manage @@ -25,11 +36,6 @@ # resources created by this class # Defaults to {} # -# [*package_require*] -# (optional) Whether or not to run 'apt-get update' before -# installing any packages. -# Defaults to false -# # [*deb_location*] # (optional) Debian package repository location. # Defaults to "http://${::lsbdistcodename}-${release}.debian.net/debian" @@ -43,41 +49,68 @@ class openstack_extras::repo::debian::debian( $release = $::openstack_extras::repo::debian::params::release, $manage_deb = true, + $package_require = false, + $use_extrepo = true, + # Below params only used if $use_extrepo is set to false $source_hash = {}, $source_defaults = {}, - $package_require = false, $deb_location = "http://${::lsbdistcodename}-${release}.debian.net/debian", # DEPRECATED $manage_whz = undef, ) inherits openstack_extras::repo::debian::params { # handle deprecation $deb_manage = pick($manage_whz, $manage_deb) - if $deb_manage { - exec { 'installing openstack-backports-archive-keyring': - command => "/usr/bin/apt-get update ; \ - wget ${deb_location}/dists/pubkey.gpg ; \ - apt-key add pubkey.gpg ; \ - rm pubkey.gpg", - logoutput => 'on_failure', - tries => 3, - try_sleep => 1, - refreshonly => true, - subscribe => File["/etc/apt/sources.list.d/${::openstack_extras::repo::debian::params::deb_name}.list"], - notify => Exec['apt_update'], - } - apt::source { $::openstack_extras::repo::debian::params::deb_name: - location => $deb_location, - release => "${::lsbdistcodename}-${release}-backports", - repos => $::openstack_extras::repo::debian::params::deb_repos, - } - -> apt::source { "${::openstack_extras::repo::debian::params::deb_name}-nochange": - location => $deb_location, - release => "${::lsbdistcodename}-${release}-backports-nochange", - repos => $::openstack_extras::repo::debian::params::deb_repos, - } - } - create_resources('apt::source', $source_hash, $source_defaults) + $lowercase_release = downcase($release) + + + if $deb_manage { + + if $use_extrepo { + # Extrepo is much nicer than what's below, because + # the repositories are authenticated by extrepo itself. + # Also, using apt-key is now deprecated (to be removed in 2021). + # We use ensure_packages to avoid conflict with any other class + # external to this module that may also install extrepo. + ensure_packages(['extrepo',], {'ensure' => 'present'}) + + exec { "extrepo enable openstack_${lowercase_release}": + command => "extrepo enable openstack_${lowercase_release}", + logoutput => 'on_failure', + tries => 3, + try_sleep => 1, + refreshonly => true, + require => Package['extrepo'], + } + if $package_require { + Exec["extrepo enable openstack_${lowercase_release}"] -> Exec['apt_update'] + } + }else{ + exec { 'installing openstack-backports-archive-keyring': + command => "/usr/bin/apt-get update ; \ + wget ${deb_location}/dists/pubkey.gpg ; \ + apt-key add pubkey.gpg ; \ + rm pubkey.gpg", + logoutput => 'on_failure', + tries => 3, + try_sleep => 1, + refreshonly => true, + subscribe => File["/etc/apt/sources.list.d/${::openstack_extras::repo::debian::params::deb_name}.list"], + notify => Exec['apt_update'], + } + apt::source { $::openstack_extras::repo::debian::params::deb_name: + location => $deb_location, + release => "${::lsbdistcodename}-${lowercase_release}-backports", + repos => $::openstack_extras::repo::debian::params::deb_repos, + } + -> apt::source { "${::openstack_extras::repo::debian::params::deb_name}-nochange": + location => $deb_location, + release => "${::lsbdistcodename}-${lowercase_release}-backports-nochange", + repos => $::openstack_extras::repo::debian::params::deb_repos, + } + } + create_resources('apt::source', $source_hash, $source_defaults) + } if $package_require { Exec['apt_update'] -> Package<||> diff --git a/releasenotes/notes/debian-uses-extrepo-a77c672920581e4e.yaml b/releasenotes/notes/debian-uses-extrepo-a77c672920581e4e.yaml new file mode 100644 index 0000000..89f2666 --- /dev/null +++ b/releasenotes/notes/debian-uses-extrepo-a77c672920581e4e.yaml @@ -0,0 +1,8 @@ +--- +features: + - | + The class openstack_extras::repo::debian::debian has now a new parameter + use_extrepo, which is true by default. If true, extrepo will be used for + setting-up the OpenStack apt sources.list, and the parameters source_hash, + source_defaults and deb_location are ignored. Beware that this is now + the new default! diff --git a/spec/classes/openstack_extras_repo_debian_debian_spec.rb b/spec/classes/openstack_extras_repo_debian_debian_spec.rb index f5c7ec1..474d3db 100644 --- a/spec/classes/openstack_extras_repo_debian_debian_spec.rb +++ b/spec/classes/openstack_extras_repo_debian_debian_spec.rb @@ -7,7 +7,8 @@ describe 'openstack_extras::repo::debian::debian' do :manage_deb => true, :source_hash => {}, :source_defaults => {}, - :package_require => false + :package_require => false, + :use_extrepo => false, } end @@ -21,9 +22,37 @@ describe 'openstack_extras::repo::debian::debian' do class_params.merge!(paramclass_defaults) end - context 'with default parameters' do + context 'with default params' do + it { should contain_exec('extrepo enable openstack_victoria').with( + :command => 'extrepo enable openstack_victoria', + )} + it { should contain_package('extrepo').with( + :ensure => 'present', + :name => 'extrepo', + )} + end + + context 'wallaby with extrepo' do let :params do - {} + { + :release => 'wallaby', + :use_extrepo => true, + } + end + it { should contain_exec('extrepo enable openstack_wallaby').with( + :command => 'extrepo enable openstack_wallaby', + )} + it { should contain_package('extrepo').with( + :ensure => 'present', + :name => 'extrepo', + )} + end + + context 'with extrepo set to false' do + let :params do + { + :use_extrepo => false, + } end it { should contain_apt__source('debian-openstack-backports').with( @@ -87,19 +116,20 @@ describe 'openstack_extras::repo::debian::debian' do } } }) + default_params.merge!({ :use_extrepo => false }) end it { should contain_apt__source('debian_unstable').with( - :location => 'http://mymirror/debian/', - :release => 'unstable', - :repos => 'main' + :location => 'http://mymirror/debian/', + :release => 'unstable', + :repos => 'main', )} it { should contain_apt__source('puppetlabs').with( - :location => 'http://apt.puppetlabs.com', - :repos => 'main', - :release => 'stretch', - :key => { 'id' => '4BD6EC30', 'server' => 'pgp.mit.edu' } + :location => 'http://apt.puppetlabs.com', + :repos => 'main', + :release => 'stretch', + :key => { 'id' => '4BD6EC30', 'server' => 'pgp.mit.edu' }, )} it { should contain_exec('installing openstack-backports-archive-keyring') } @@ -119,13 +149,14 @@ describe 'openstack_extras::repo::debian::debian' do 'include' => { 'src' => true } } }) + default_params.merge!({ :use_extrepo => false }) end it { should contain_apt__source('debian_unstable').with( - :include => { 'src' => true }, - :location => 'http://mymirror/debian/', - :release => 'unstable', - :repos => 'main', + :include => { 'src' => true }, + :location => 'http://mymirror/debian/', + :release => 'unstable', + :repos => 'main', )} it { should contain_exec('installing openstack-backports-archive-keyring') }