From 0dd939b65813ef1b5f73b1c2a82a107387cf5e21 Mon Sep 17 00:00:00 2001
From: Lars Karlitski
Date: Tue, 24 Sep 2019 15:50:37 +0200
Subject: [PATCH] stages/dnf: only write known options to repo file

Don't pass through arbitrary options. This means that pipeline repo objects don't have the same options as dnf repo files anymore:

1. Hard code repo name to repo id. The name has no influence on the resulting image and should thus not appear in a pipeline.

2. Set gpgcheck=1 when gpgkey is given. It defaults to false, which means that all sample and test pipelines didn't verify packages. It would have failed anyway, because the container doesn't have the key referenced in /etc. Change all gpgkeys to refer to the key id and import them manually.

3. Don't allow lists for baseurl and gpgkey. We can add that if we need it at some point.
---
 README.md | 3 +--
 samples/base-from-yum.json | 6 +++---
 samples/base-qcow2.json | 3 +--
 samples/base.json | 3 +--
 samples/build-from-yum.json | 3 ++-
 stages/org.osbuild.dnf | 37 ++++++++++++++++++++++--------------
 test/pipelines/f30-boot.json | 6 ++----
 test/pipelines/firewall.json | 3 +--
 test/pipelines/locale.json | 3 +--
 test/pipelines/timezone.json | 3 +--
 10 files changed, 36 insertions(+), 34 deletions(-)

diff --git a/README.md b/README.md
index 6241ee15..20127142 100644
--- a/README.md
+++ b/README.md
@@ -21,9 +21,8 @@ assembles it into an image. Pipelines are defined as JSON files like this one:
 "basearch": "x86_64",
 "repos": {
 "fedora": {
- "name": "Fedora",
 "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
- "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+ "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9"
 }
 },
 "packages": [ "@Core", "grub2-pc", "httpd" ]
diff --git a/samples/base-from-yum.json b/samples/base-from-yum.json
index 74696fe2..b7e92b57 100644
--- a/samples/base-from-yum.json
+++ b/samples/base-from-yum.json
@@ -17,7 +17,8 @@
 },
 "packages": [
 "dnf",
- "systemd"
+ "systemd",
+ "gnupg"
 ]
 }
 }
@@ -31,9 +32,8 @@
 "basearch": "x86_64",
 "repos": {
 "fedora": {
- "name": "Fedora",
 "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
- "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+ "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9"
 }
 },
 "packages": [
diff --git a/samples/base-qcow2.json b/samples/base-qcow2.json
index 0b3f2cce..8adafbfd 100644
--- a/samples/base-qcow2.json
+++ b/samples/base-qcow2.json
@@ -9,9 +9,8 @@
 "install_weak_deps": true,
 "repos": {
 "fedora": {
- "name": "Fedora",
 "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
- "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+ "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9"
 }
 },
 "packages": [
diff --git a/samples/base.json b/samples/base.json
index b76809ce..2ced87e7 100644
--- a/samples/base.json
+++ b/samples/base.json
@@ -8,9 +8,8 @@
 "basearch": "x86_64",
 "repos": {
 "fedora": {
- "name": "Fedora",
 "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
- "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+ "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9"
 }
 },
 "packages": [
diff --git a/samples/build-from-yum.json b/samples/build-from-yum.json
index 1294f89f..4a6367bf 100644
--- a/samples/build-from-yum.json
+++ b/samples/build-from-yum.json
@@ -16,7 +16,8 @@
 "packages": [
 "dnf",
 "systemd",
- "tar"
+ "tar",
+ "gnupg"
 ]
 }
 }
diff --git a/stages/org.osbuild.dnf b/stages/org.osbuild.dnf
index b76152a1..30a32feb 100755
--- a/stages/org.osbuild.dnf
+++ b/stages/org.osbuild.dnf
@@ -5,6 +5,28 @@ import subprocess
 import sys
 
 
+def write_repofile(f, repoid, repo):
+ f.write(f"[{repoid}]\n")
+
+ def write_option(key, value):
+ f.write(f"{key}={value}\n")
+
+ # silence dnf warning about missing name
+ write_option("name", repoid)
+
+ for key in ("metalink", "mirrorlist", "baseurl"):
+ value = repo.get(key)
+ if value:
+ write_option(key, value)
+
+ if "gpgkey" in repo:
+ keyfile = f"/tmp/{repoid}.asc"
+ subprocess.run(["gpg2", "--recv-keys", repo["gpgkey"]], check=True)
+ subprocess.run(["gpg2", "--armor", "--output", keyfile, "--export", repo["gpgkey"]], check=True)
+ write_option("gpgcheck", 1)
+ write_option("gpgkey", f"file://{keyfile}")
+
+
 def main(tree, options):
 repos = options["repos"]
 packages = options["packages"]
@@ -15,20 +37,7 @@ def main(tree, options):
 
 with open("/tmp/dnf.conf", "w") as conf:
 for repoid, repo in repos.items():
- conf.write(f"[{repoid}]\n")
- for key, value in repo.items():
- if isinstance(value, str):
- s = value
- elif isinstance(value, list):
- s = " ".join(value)
- elif isinstance(value, bool):
- s = "1" if value else "0"
- elif isinstance(value, int):
- s = str(value)
- else:
- print(f"unkown type for `{key}`: {value} ({type(value)})")
- return 1
- conf.write(f"{key}={s}\n")
+ write_repofile(conf, repoid, repo)
 
 script = f"""
 set -e
diff --git a/test/pipelines/f30-boot.json b/test/pipelines/f30-boot.json
index 759cb461..c334eae8 100644
--- a/test/pipelines/f30-boot.json
+++ b/test/pipelines/f30-boot.json
@@ -11,9 +11,8 @@
 "install_weak_deps": false,
 "repos": {
 "fedora": {
- "name": "Fedora",
 "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
- "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+ "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9"
 }
 },
 "packages": [
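Review bot: In write_repofile, repo["gpgkey"] is handed to `gpg2 --recv-keys` and `gpg2 --export` without any check that it is a full 40-hex-digit fingerprint, so a pipeline that supplies a short key id gets whatever key the keyserver returns for that id and the gpgcheck=1 written right below then verifies packages against an unpinned key. Normalizing and validating before the first subprocess.run closes that: `fingerprint = repo["gpgkey"].replace(" ", "")`, then `if len(fingerprint) != 40 or not all(c in "0123456789abcdefABCDEF" for c in fingerprint): raise ValueError(f"gpgkey for {repoid} must be a full fingerprint")`, passing fingerprint to both gpg2 calls. No --keyserver is given, so which server answers and whether the fetch succeeds at all depends on the build container's gpg configuration and on network access during the build; a comment above the recv-keys line should say so, since a failed fetch now aborts the stage through check=True. write_repofile also has no docstring; it should state that only name, metalink, mirrorlist, baseurl and gpgkey are written and that any other key in the repo object is silently dropped, which is the behaviour change this commit introduces. keyfile and the [section] header are both built from repoid unchecked; restricting repoid to [A-Za-z0-9._-] with a one-line check would keep the /tmp path and the generated dnf.conf well-formed.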
@@ -36,9 +35,8 @@
 "install_weak_deps": true,
 "repos": {
 "fedora": {
- "name": "Fedora",
 "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
- "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+ "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9"
 }
 },
 "packages": [
diff --git a/test/pipelines/firewall.json b/test/pipelines/firewall.json
index d4f943b4..a91a70a5 100644
--- a/test/pipelines/firewall.json
+++ b/test/pipelines/firewall.json
@@ -8,9 +8,8 @@
 "basearch": "x86_64",
 "repos": {
 "fedora": {
- "name": "Fedora",
 "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
- "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+ "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9"
 }
 },
 "packages": ["@Core", "firewalld"]
diff --git a/test/pipelines/locale.json b/test/pipelines/locale.json
index f778f108..3f5b251f 100644
--- a/test/pipelines/locale.json
+++ b/test/pipelines/locale.json
@@ -8,9 +8,8 @@
 "basearch": "x86_64",
 "repos": {
 "fedora": {
- "name": "Fedora",
 "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
- "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+ "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9"
 }
 },
 "packages": ["@Core"]
diff --git a/test/pipelines/timezone.json b/test/pipelines/timezone.json
index 38eabeda..edcbf611 100644
--- a/test/pipelines/timezone.json
+++ b/test/pipelines/timezone.json
@@ -8,9 +8,8 @@
 "basearch": "x86_64",
 "repos": {
 "fedora": {
- "name": "Fedora",
 "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
- "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+ "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9"
 }
 },
 "packages": ["@Core"]