From 42ed52288079ceef8a7edb15441f1e25e1165b9b Mon Sep 17 00:00:00 2001 From: Scott Little Date: Wed, 6 Oct 2021 11:47:01 -0400 Subject: [PATCH] Update ca-certificates to pull from Centos 7.9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https download fails with errors such as... 00:21:13.479 ERROR: cannot verify opendev.org's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’: 00:21:13.479 Issued certificate has expired. The upstream root certificate expire on Oct 1, 2021. ca-certificates needs to be updated to version 2021.2.50 but that version is only available in Centos 7.9 or newer. This build container is locked down to Centos 7.8 without updates. This update adds repo definitions for 7.9 and 7.8 updates, but sets them to disabled by default. When updating ca-certificates I temporarily enable the Centos 7.9 updates repo. I also disable the yum module that causes the "system is not registered with an entitlement server" messages, but those messages turned out to NOT be the root cause of ca-certificates failure to update. Closes-bug: 1946151 Closes-bug: 1946122 Signed-off-by: Scott Little Change-Id: I7ac47582e731ec5003f76ddfa24331ca87e1bf6c
---
 Dockerfile | 9 +++++++--
 toCOPY/yum.repos.d/centos-7.9.repo | 32 ++++++++++++++++++++++++++++++
 toCOPY/yum.repos.d/centos.repo | 10 ++++++++++
 3 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100644 toCOPY/yum.repos.d/centos-7.9.repo
diff --git a/Dockerfile b/Dockerfile
index fdc71325..98dce557 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -32,6 +32,7 @@ ARG MYUID=1000
 # CentOS & EPEL URLs that match the base image
 # Override these with --build-arg if you have a mirror
 ARG CENTOS_7_8_URL=https://vault.centos.org/centos/7.8.2003
+ARG CENTOS_7_9_URL=http://mirror.centos.org/centos-7/7.9.2009
 ARG EPEL_7_8_URL=https://archives.fedoraproject.org/pub/archive/epel/7.2020-04-20
 ARG MY_EMAIL=

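Review bot: The new `CENTOS_7_9_URL` default is plain `http://` while the two existing URL arguments beside it are `https://`, and this is the source the later `yum update ... ca-certificates` step uses to replace the container's trust store. The repo definitions added in centos-7.9.repo set `gpgcheck=1`, so the RPM payload is signature-checked, but nothing visible in this commit authenticates the repository metadata, so the build could be served withheld or stale metadata without noticing. If an HTTPS mirror exists for this tree, default to it; otherwise record the reliance in a comment such as `# http only: package integrity depends on gpgcheck=1 in centos-7.9.repo`. Adding `repo_gpgcheck=1` to the three 7.9 sections is worth considering if the mirror publishes signed metadata, which I cannot tell from here.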
@@ -47,9 +48,12 @@ RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY* && \
 # yum variables must be in lower case ; \
 echo "$CENTOS_7_8_URL" >/etc/yum/vars/centos_7_8_url && \
 echo "$EPEL_7_8_URL" >/etc/yum/vars/epel_7_8_url && \
+ echo "$CENTOS_7_9_URL" >/etc/yum/vars/centos_7_9_url && \
 # disable fastestmirror plugin because we are not using mirrors ; \
 # FIXME: use a mirrorlist URL for centos/vault/epel archives. I couldn't find one.
 sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf && \
+ echo "[main]" >> /etc/yum/pluginconf.d/subscription-manager.conf && \
+ echo "enabled=0" >> /etc/yum/pluginconf.d/subscription-manager.conf && \
 yum clean all && \
 yum makecache && \
 yum install -y deltarpm
@@ -58,6 +62,9 @@ RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY* && \
 # them reports "Failed to get D-Bus connection: Operation not permitted".
 VOLUME /run /tmp

+# root CA cert expired on October 1st, 2021
+RUN yum update -y --enablerepo=centos-7.9-updates ca-certificates
+
 # Download required dependencies by mirror/build processes.
 RUN yum install -y \
 anaconda \
@@ -139,8 +146,6 @@ RUN useradd -s /sbin/nologin -u 9001 -g 9001 mockbuild && \
 echo "config_opts['rpmbuild_networking'] = True" >> /etc/mock/site-defaults.cfg && \
 echo >> /etc/mock/site-defaults.cfg

-# root CA cert expired on October 1st, 2021
-RUN yum update -y ca-certificates

 # cpan modules, installing with cpanminus to avoid stupid questions since cpan is whack
 RUN cpanm --notest Fatal && \
diff --git a/toCOPY/yum.repos.d/centos-7.9.repo b/toCOPY/yum.repos.d/centos-7.9.repo
new file mode 100644
index 00000000..a3c4a203
--- /dev/null
+++ b/toCOPY/yum.repos.d/centos-7.9.repo
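Review bot: The two added `echo ... >> /etc/yum/pluginconf.d/subscription-manager.conf` lines append a fresh `[main]` section instead of editing the existing setting, unlike the `sed -i` used for fastestmirror.conf on the line directly above them. If the packaged file already carries a `[main]` section with `enabled=1` (not visible in this hunk), the result is a duplicate section whose effective value depends on how yum's config parser resolves it, and every rebuild of a derived layer appends again. Prefer the same form as the neighbouring line, `sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/subscription-manager.conf && \`, assuming the file exists in the base image. The RUN instruction starts above this hunk.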
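Review bot: The added `RUN yum update -y --enablerepo=centos-7.9-updates ca-certificates` never confirms that the trust bundle was actually replaced; as far as I know `yum update` exits 0 when it finds nothing newer, so a mirror passed via `--build-arg` that lacks the package would leave the expired root in place and the problem would only resurface later as download errors. The commit message names 2021.2.50 as the required version, so follow the update with a check of the `rpm -q ca-certificates` output against that minimum and fail the build otherwise. Enabling the repo for the whole transaction also lets any dependency of ca-certificates move to 7.9, which is worth stating in the comment, e.g. `# one-off exception to the 7.8 lock: ca-certificates and its deps come from 7.9 updates`.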
@@ -0,0 +1,32 @@
+# centos_7_9_url must be defined in /etc/yum/vars/
+#
+# All 7.9 repos are disabled for now. The base image
+# for or docker build environmnet remains Centos 7.8.
+# These repos are defined to facilite one-off
+# package update where it can't be avoided, e.g.
+# ca-certificates.
+
+[centos-7.9-os]
+name=centos-7.9-os
+baseurl=$centos_7_9_url/os/$basearch/
+enabled=0
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+[centos-7.9-extras]
+name=centos-7.9-extras
+baseurl=$centos_7_9_url/extras/$basearch/
+enabled=0
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+# Disable updates by default for stability,
+# but define it so it can be enebled for single packages
+# if so desired.
+[centos-7.9-updates]
+name=centos-7.9-updates
+baseurl=$centos_7_9_url/updates/$basearch/
+enabled=0
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
diff --git a/toCOPY/yum.repos.d/centos.repo b/toCOPY/yum.repos.d/centos.repo
index 782571de..5214daa9 100644
--- a/toCOPY/yum.repos.d/centos.repo
+++ b/toCOPY/yum.repos.d/centos.repo
@@ -14,3 +14,13 @@ enabled=1
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

+# Disable updates by default for stability,
+# but define it so it can be enebled for single packages
+# if so desired.
+[centos-updates]
+name=centos-updates
+baseurl=$centos_7_8_url/updates/$basearch/
+enabled=0
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
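Review bot: The header comment of centos-7.9.repo has spelling errors and does not say how the disabled repos are meant to be used. `for or docker build environmnet` should read `for our docker build environment`, `facilite` should be `facilitate`, and `enebled` should be `enabled`; the same `enebled` typo is repeated in the comment added to centos.repo in the following hunk. I would add one line with the intended invocation, e.g. `# Usage: yum update -y --enablerepo=centos-7.9-updates <package>`, so that nobody flips `enabled=0` to `1` in the file and silently unlocks the 7.8 baseline. Only `centos-7.9-updates` is referenced by the Dockerfile in this commit, so the `os` and `extras` sections, and the new `[centos-updates]` section in centos.repo, could be left out until something needs them.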