-
Notifications
You must be signed in to change notification settings - Fork 193
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(MODULES-9695) Debian: use modern APT keyring format #681
Conversation
24b2974
to
5ca6bf2
Compare
The commit message check wants only a PA jira issue ID, but the issue for this is in the MODULES jira project. Caused by #642. |
85dc25b
to
e48620a
Compare
@mhashizume already did that. That's what the last force push was. Commit e48620a is on top of current |
FWIW I'm using this plus puppetlabs-apt at puppetlabs/puppetlabs-apt@cb21d0b on my infrastructure, and it does the right thing on Ubuntu 18.04, 20.04, and 22.04. |
Modern APT keyring format also needs to be used in |
e48620a
to
bcd4d8d
Compare
I'm not seeing why the Debian tests would be running on Windows agents, and why my changes would cause these test failures. |
bcd4d8d
to
5d1f1bc
Compare
dbfd6eb
to
62d4f14
Compare
as we have nightly puppet-agent packages for Debian 12 now it would be great to have this merged if possible |
62d4f14
to
301aeeb
Compare
301aeeb
to
20ffb91
Compare
@kenyon can you resolve the test failures so we can get this merged? |
I'd like to, but like I mentioned in #681 (comment), I investigated and couldn't figure out why these changes have anything to do with Windows tests. So I'll need a little assistance. |
My guess is that something more fundamental is wrong with the tests, like there are tests executing on platforms that they shouldn't be executing on. |
Looking at the log, the current failures look to be dependency related. It is happening in |
Thanks for all of your work on this @kenyon , would it make sense to bump the puppetlabs-apt requirement in metadata.json since this is only supported in >= 9.2.0? |
@mhashizume good catch (I started this PR before puppetlabs-apt 9.2.0 was released 😄). Updated |
We'll also want to update puppetlab-apt in tests here: puppetlabs-puppet_agent/acceptance/helpers.rb Line 182 in 3ce04a2
Edit: And here
puppetlabs-apt is also pinned to an older version in our various dockerfiles. |
@mhashizume I updated the versions in those helpers. The Dockerfiles don't specify versions (there are some branch specifications, but those lines are commented out). |
@kenyon A few more things:
I'm not sure what the best solution is for the second issue, if we need to update anything on our end or if we just need to update documentation to let users know to update their repo configuration to point to the key. Thoughts? |
@mhashizume I updated the metadata. Without looking at it myself, I'm not sure either what to do about that upgrade issue. I still have one PE 2019 instance that I need to upgrade, but the puppet_agent and apt modules would remain on Puppet 6-compatible versions until after the upgrade to Puppet 7. So I don't think it would be a problem. Which brings up this line: puppetlabs-puppet_agent/metadata.json Lines 75 to 78 in 3da119f
IMO this should be bumped to require Puppet 7 since the apt, stdlib, and inifile dependencies require it. Should I make that change too? |
@mhashizume I added a commit that bumps the Puppet version requirement to 7. I think this is the only safe way to go if the dependent modules require Puppet 7. Otherwise there is no guarantee that the Ruby interpreter used in Puppet 5 or 6 would work with the Ruby code in these newer modules, for example. |
The bump makes sense to me. I found a few more things that needed to be updated:
You can see what I did in addition to what you have here in this commit: 627d06c I think after you incorporate those changes, this PR should be good to go. |
This updates puppet_agent::osfamily::debian to use modern APT keyrings instead of the deprecated apt-key method used by apt::key and apt::source.key without `name`. This also removes the legacy key, because keys not used for signing package sources aren't needed. /etc/pki is not needed anymore (also this directory is a RedHatism) because keyrings are now stored in the default location of /etc/apt/keyrings. We don't clean it up though, in case people are using the files there for something else.
The module dependencies (apt, stdlib, inifile) require Puppet 7.
@mhashizume done. Not sure where the proper fix would go for that acceptance helper, maybe around here: https://github.com/puppetlabs/beaker-puppet/blob/1146cb9783f74812421ebd52dc556f68710c57fe/lib/beaker-puppet/install_utils/foss_utils.rb#L1091 |
Thanks again @kenyon ! Really appreciate all your work. I'm not sure what the upstream fix is for the issue we had to work around in the acceptance helper. The fundamental issue is that we had two sources.list with the same URL, but only one had the Maybe we should document this circumstance somewhere, but I'm not sure where makes the most sense (and I'm not sure how often users will run into it). |
Well I've run into a problem with this. I set up the puppet-tools apt source, which uses the same keyring as the pc_repo apt source that puppetlabs-puppet_agent sets up, here: https://github.com/kenyon/puppet/blob/3196bea6a8e8f54acf814c5cb5a0fb65e01cb6db/data/os/family/Debian.yaml#L107-L116
Because of the way apt::keyring is implemented, I don't think there is a way to use the same keyring for multiple sources without causing duplicate resource catalog compilation errors. I was able to work around this case by using apt.puppetlabs.com for puppet-tools instead of apt.puppet.com, but I think the real solution would be to add |
Nevermind, that wouldn't work, of course you can't manage the same file path multiple times with puppet even if they have different resource titles. So I'm not sure what the best solution is for this kind of situation. |
Maybe puppetlabs-apt's apt::source type needs a way to specify the |
Sigh, nevermind, I forgot that this already exists, the |
This updates
puppet_agent::osfamily::debian
to use modern APT keyrings (puppetlabs/puppetlabs-apt#1128) instead of the deprecatedapt-key
method used byapt::key
andapt::source.key
withoutname
.For this to work properly, it needs a release of puppetlabs-apt which contains puppetlabs/puppetlabs-apt#1128, which should be the release after v9.1.0.
This also removes the legacy key, because keys not used for signing package sources aren't needed.
/etc/pki
is not needed anymore (also this directory is a RedHatism) because keyrings are now stored in the default location of/etc/apt/keyrings
. We don't clean it up though, in case people are using the files there for something else.