Update ca-certificates to pull from CentOS 7.9

https download fails with errors such as...

00:21:13.479 ERROR: cannot verify opendev.org's certificate, issued by
‘/C=US/O=Let's Encrypt/CN=R3’:
00:21:13.479   Issued certificate has expired.

The upstream root certificate expired on Oct 1, 2021.

ca-certificates needs to be updated to version 2021.2.50
but that version is only available in CentOS 7.9 or newer.
This build container is locked down to CentOS 7.8 without
updates.

This update adds repo definitions for 7.9 and 7.8 updates,
but sets them to disabled by default.

When updating ca-certificates I temporarily enable the
CentOS 7.9 updates repo.

I also disable the yum module that causes the
"system is not registered with an entitlement server"
messages, but those messages turned out to NOT be the root
cause of ca-certificates' failure to update.

Closes-bug: 1946151
Closes-bug: 1946122
Signed-off-by: Scott Little <scott.little@windriver.com>
Change-Id: I7ac47582e731ec5003f76ddfa24331ca87e1bf6c
Scott Little 2021-10-06 11:47:01 -04:00
parent 874f70f91f
commit 42ed522880
3 changed files with 49 additions and 2 deletions


@ -32,6 +32,7 @@ ARG MYUID=1000
# CentOS & EPEL URLs that match the base image # CentOS & EPEL URLs that match the base image
# Override these with --build-arg if you have a mirror # Override these with --build-arg if you have a mirror
ARG CENTOS_7_8_URL=https://vault.centos.org/centos/7.8.2003 ARG CENTOS_7_8_URL=https://vault.centos.org/centos/7.8.2003
ARG CENTOS_7_9_URL=http://mirror.centos.org/centos-7/7.9.2009
ARG EPEL_7_8_URL=https://archives.fedoraproject.org/pub/archive/epel/7.2020-04-20 ARG EPEL_7_8_URL=https://archives.fedoraproject.org/pub/archive/epel/7.2020-04-20
ARG MY_EMAIL= ARG MY_EMAIL=
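Review bot: The new CENTOS_7_9_URL default is plain http, while the CENTOS_7_8_URL and EPEL_7_8_URL defaults next to it are https. The repo definitions added in this change keep gpgcheck=1, so package signatures are still verified, but the repository metadata for 7.9 would be fetched without transport authentication. Please use an https default if one is available for this path, or add a comment on this ARG saying why http is required and that it can be overridden with --build-arg.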
@ -47,9 +48,12 @@ RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY* && \
# yum variables must be in lower case ; \ # yum variables must be in lower case ; \
echo "$CENTOS_7_8_URL" >/etc/yum/vars/centos_7_8_url && \ echo "$CENTOS_7_8_URL" >/etc/yum/vars/centos_7_8_url && \
echo "$EPEL_7_8_URL" >/etc/yum/vars/epel_7_8_url && \ echo "$EPEL_7_8_URL" >/etc/yum/vars/epel_7_8_url && \
echo "$CENTOS_7_9_URL" >/etc/yum/vars/centos_7_9_url && \
# disable fastestmirror plugin because we are not using mirrors ; \ # disable fastestmirror plugin because we are not using mirrors ; \
# FIXME: use a mirrorlist URL for centos/vault/epel archives. I couldn't find one. # FIXME: use a mirrorlist URL for centos/vault/epel archives. I couldn't find one.
sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf && \ sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf && \
echo "[main]" >> /etc/yum/pluginconf.d/subscription-manager.conf && \
echo "enabled=0" >> /etc/yum/pluginconf.d/subscription-manager.conf && \
yum clean all && \ yum clean all && \
yum makecache && \ yum makecache && \
yum install -y deltarpm yum install -y deltarpm
@ -58,6 +62,9 @@ RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY* && \
# them reports "Failed to get D-Bus connection: Operation not permitted". # them reports "Failed to get D-Bus connection: Operation not permitted".
VOLUME /run /tmp VOLUME /run /tmp
# root CA cert expired on October 1st, 2021
RUN yum update -y --enablerepo=centos-7.9-updates ca-certificates
# Download required dependencies by mirror/build processes. # Download required dependencies by mirror/build processes.
RUN yum install -y \ RUN yum install -y \
anaconda \ anaconda \
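Review bot: The added "yum update -y --enablerepo=centos-7.9-updates ca-certificates" does not pin the package version, so the image gets whatever ca-certificates build the 7.9 updates repo serves on the day of the build, and any dependencies yum decides to update are also resolved against 7.9 while the repo is enabled. The commit message names 2021.2.50 as the required version; consider requesting that version explicitly, or following the update with an rpm -q ca-certificates check so the build log records what was installed in an otherwise locked-down 7.8 image. The comment above the RUN line could also say that this must run before any https download in later steps, which is why it moved up.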
@ -139,8 +146,6 @@ RUN useradd -s /sbin/nologin -u 9001 -g 9001 mockbuild && \
echo "config_opts['rpmbuild_networking'] = True" >> /etc/mock/site-defaults.cfg && \ echo "config_opts['rpmbuild_networking'] = True" >> /etc/mock/site-defaults.cfg && \
echo >> /etc/mock/site-defaults.cfg echo >> /etc/mock/site-defaults.cfg
# root CA cert expired on October 1st, 2021
RUN yum update -y ca-certificates
# cpan modules, installing with cpanminus to avoid stupid questions since cpan is whack # cpan modules, installing with cpanminus to avoid stupid questions since cpan is whack
RUN cpanm --notest Fatal && \ RUN cpanm --notest Fatal && \


@ -0,0 +1,32 @@
# centos_7_9_url must be defined in /etc/yum/vars/
#
# All 7.9 repos are disabled for now. The base image
# for or docker build environmnet remains Centos 7.8.
# These repos are defined to facilite one-off
# package update where it can't be avoided, e.g.
# ca-certificates.
[centos-7.9-os]
name=centos-7.9-os
baseurl=$centos_7_9_url/os/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
[centos-7.9-extras]
name=centos-7.9-extras
baseurl=$centos_7_9_url/extras/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
# Disable updates by default for stability,
# but define it so it can be enebled for single packages
# if so desired.
[centos-7.9-updates]
name=centos-7.9-updates
baseurl=$centos_7_9_url/updates/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
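Review bot: The comments in this new repo file have several typos: "for or docker build environmnet" and "facilite" in the header, and "enebled" above [centos-7.9-updates]; please fix them to "for our docker build environment", "facilitate" and "enabled". The "Disable updates by default" comment sits only above the updates section although all three sections are enabled=0, so it is clearer to rely on the header comment and describe the per-section comment as what it is, the one repo the Dockerfile turns on with --enablerepo. Keeping gpgcheck=1 with the local RPM-GPG-KEY-CentOS-7 key on every section is the right choice given that the baseurl comes from a build argument.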


@ -14,3 +14,13 @@ enabled=1
gpgcheck=1 gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
# Disable updates by default for stability,
# but define it so it can be enebled for single packages
# if so desired.
[centos-updates]
name=centos-updates
baseurl=$centos_7_8_url/updates/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
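Review bot: The added comment repeats the "enebled" typo from the 7.9 repo file; it should read "enabled". The new section is named [centos-updates] while its 7.9 counterpart is [centos-7.9-updates], so someone passing --enablerepo has to remember two naming schemes; if the existing sections in this file allow it, a name that carries the 7.8 version would make it harder to enable the wrong repo by mistake. Nothing in the Dockerfile hunks of this change enables this repo, so a line in the comment saying when it is expected to be used would help.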