Browse Source

Update ca-certificates to pull from Centos 7.9

https download fails with errors such as...

00:21:13.479 ERROR: cannot verify opendev.org's certificate, issued by
‘/C=US/O=Let's Encrypt/CN=R3’:
00:21:13.479   Issued certificate has expired.

The upstream root certificate expire on Oct 1, 2021.

ca-certificates needs to be updated to version 2021.2.50
but that version is only available in Centos 7.9 or newer.
This build container is locked down to Centos 7.8 without
updates.

This update adds repo definitions for 7.9 and 7.8 updates,
but sets them to disabled by default.

When updating ca-certificates I temporarily enable the
Centos 7.9 updates repo.

I also disable the yum module that causes the
"system is not registered with an entitlement server"
messages, but those messages turned out to NOT be the root
cause of ca-certificates failure to update.

Closes-bug: 1946151
Closes-bug: 1946122
Signed-off-by: Scott Little <scott.little@windriver.com>
Change-Id: I7ac47582e731ec5003f76ddfa24331ca87e1bf6c
changes/25/812725/1
Scott Little 7 months ago
parent
commit
42ed522880
  1. 9
      Dockerfile
  2. 32
      toCOPY/yum.repos.d/centos-7.9.repo
  3. 10
      toCOPY/yum.repos.d/centos.repo

9
Dockerfile

@ -32,6 +32,7 @@ ARG MYUID=1000
# CentOS & EPEL URLs that match the base image
# Override these with --build-arg if you have a mirror
ARG CENTOS_7_8_URL=https://vault.centos.org/centos/7.8.2003
ARG CENTOS_7_9_URL=http://mirror.centos.org/centos-7/7.9.2009
ARG EPEL_7_8_URL=https://archives.fedoraproject.org/pub/archive/epel/7.2020-04-20
ARG MY_EMAIL=
@ -47,9 +48,12 @@ RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY* && \
# yum variables must be in lower case ; \
echo "$CENTOS_7_8_URL" >/etc/yum/vars/centos_7_8_url && \
echo "$EPEL_7_8_URL" >/etc/yum/vars/epel_7_8_url && \
echo "$CENTOS_7_9_URL" >/etc/yum/vars/centos_7_9_url && \
# disable fastestmirror plugin because we are not using mirrors ; \
# FIXME: use a mirrorlist URL for centos/vault/epel archives. I couldn't find one.
sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf && \
echo "[main]" >> /etc/yum/pluginconf.d/subscription-manager.conf && \
echo "enabled=0" >> /etc/yum/pluginconf.d/subscription-manager.conf && \
yum clean all && \
yum makecache && \
yum install -y deltarpm
@ -58,6 +62,9 @@ RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY* && \
# them reports "Failed to get D-Bus connection: Operation not permitted".
VOLUME /run /tmp
# root CA cert expired on October 1st, 2021
RUN yum update -y --enablerepo=centos-7.9-updates ca-certificates
# Download required dependencies by mirror/build processes.
RUN yum install -y \
anaconda \
@ -139,8 +146,6 @@ RUN useradd -s /sbin/nologin -u 9001 -g 9001 mockbuild && \
echo "config_opts['rpmbuild_networking'] = True" >> /etc/mock/site-defaults.cfg && \
echo >> /etc/mock/site-defaults.cfg
# root CA cert expired on October 1st, 2021
RUN yum update -y ca-certificates
# cpan modules, installing with cpanminus to avoid stupid questions since cpan is whack
RUN cpanm --notest Fatal && \

32
toCOPY/yum.repos.d/centos-7.9.repo

@ -0,0 +1,32 @@
# centos_7_9_url must be defined in /etc/yum/vars/
#
# All 7.9 repos are disabled for now. The base image
# for or docker build environmnet remains Centos 7.8.
# These repos are defined to facilite one-off
# package update where it can't be avoided, e.g.
# ca-certificates.
[centos-7.9-os]
name=centos-7.9-os
baseurl=$centos_7_9_url/os/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
[centos-7.9-extras]
name=centos-7.9-extras
baseurl=$centos_7_9_url/extras/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
# Disable updates by default for stability,
# but define it so it can be enebled for single packages
# if so desired.
[centos-7.9-updates]
name=centos-7.9-updates
baseurl=$centos_7_9_url/updates/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

10
toCOPY/yum.repos.d/centos.repo

@ -14,3 +14,13 @@ enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
# Disable updates by default for stability,
# but define it so it can be enebled for single packages
# if so desired.
[centos-updates]
name=centos-updates
baseurl=$centos_7_8_url/updates/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

Loading…
Cancel
Save