stages/dnf: only write known options to repo file

Don't pass through arbitrary options. This means that pipeline repo objects don't have the same options as dnf repo files anymore: 1. Hard code repo name to repo id. The name has no influence on the resulting image and should thus not appear in a pipeline. 2. Set gpgcheck=1 when gpgkey is given. It defaults to false, which means that all sample and test pipelines didn't verify packages. It would have failed anyway, because the container doesn't have the key referenced in /etc. Change all gpgkeys to refer to the key id and import them manually. 3. Don't allow lists for baseurl and gpgkey. We can add that if we need it at some point.
2019-09-24 15:50:37 +02:00 · 2019-09-24 15:50:37 +02:00 · 0dd939b658
commit 0dd939b658
parent 93da5caa69
10 changed files with 36 additions and 34 deletions
--- a/stages/org.osbuild.dnf
+++ b/stages/org.osbuild.dnf
@ -5,6 +5,28 @@ import subprocess
 import sys


+def write_repofile(f, repoid, repo):
+    f.write(f"[{repoid}]\n")
+
+    def write_option(key, value):
+        f.write(f"{key}={value}\n")
+
+    # silence dnf warning about missing name
+    write_option("name", repoid)
+
+    for key in ("metalink", "mirrorlist", "baseurl"):
+        value = repo.get(key)
+        if value:
+            write_option(key, value)
+
+    if "gpgkey" in repo:
+        keyfile = f"/tmp/{repoid}.asc"
+        subprocess.run(["gpg2", "--recv-keys", repo["gpgkey"]], check=True)
+        subprocess.run(["gpg2", "--armor", "--output", keyfile, "--export", repo["gpgkey"]], check=True)
+        write_option("gpgcheck", 1)
+        write_option("gpgkey", f"file://{keyfile}")
+
+
 def main(tree, options):
    repos = options["repos"]
    packages = options["packages"]
@ -15,20 +37,7 @@ def main(tree, options):

    with open("/tmp/dnf.conf", "w") as conf:
        for repoid, repo in repos.items():
-            conf.write(f"[{repoid}]\n")
-            for key, value in repo.items():
-                if isinstance(value, str):
-                    s = value
-                elif isinstance(value, list):
-                    s = " ".join(value)
-                elif isinstance(value, bool):
-                    s = "1" if value else "0"
-                elif isinstance(value, int):
-                    s = str(value)
-                else:
-                    print(f"unkown type for `{key}`: {value} ({type(value)})")
-                    return 1
-                conf.write(f"{key}={s}\n")
+            write_repofile(conf, repoid, repo)

    script = f"""
        set -e