stages/dnf: only write known options to repo file

Don't pass through arbitrary options. This means that pipeline repo objects don't have the same options as dnf repo files anymore: 1. Hard code repo name to repo id. The name has no influence on the resulting image and should thus not appear in a pipeline. 2. Set gpgcheck=1 when gpgkey is given. It defaults to false, which means that all sample and test pipelines didn't verify packages. It would have failed anyway, because the container doesn't have the key referenced in /etc. Change all gpgkeys to refer to the key id and import them manually. 3. Don't allow lists for baseurl and gpgkey. We can add that if we need it at some point.
2019-09-24 15:50:37 +02:00 · 2019-09-24 15:50:37 +02:00 · 0dd939b658
commit 0dd939b658
parent 93da5caa69
10 changed files with 36 additions and 34 deletions
--- a/README.md
+++ b/README.md
@ -21,9 +21,8 @@ assembles it into an image. Pipelines are defined as JSON files like this one:
        "basearch": "x86_64",
        "repos": {
          "fedora": {
-            "name": "Fedora",
            "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
-            "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+            "gpgkey": "F1D8 EC98 F241 AAF2 0DF6  9420 EF3C 111F CFC6 59B9"
          }
        },
        "packages": [ "@Core", "grub2-pc", "httpd" ]
--- a/samples/base-from-yum.json
+++ b/samples/base-from-yum.json
@ -17,7 +17,8 @@
          },
          "packages": [
            "dnf",
-            "systemd"
+            "systemd",
+            "gnupg"
          ]
        }
      }
@ -31,9 +32,8 @@
        "basearch": "x86_64",
        "repos": {
          "fedora": {
-            "name": "Fedora",
            "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
-            "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+            "gpgkey": "F1D8 EC98 F241 AAF2 0DF6  9420 EF3C 111F CFC6 59B9"
          }
        },
        "packages": [
--- a/samples/base-qcow2.json
+++ b/samples/base-qcow2.json
@ -9,9 +9,8 @@
        "install_weak_deps": true,
        "repos": {
          "fedora": {
-            "name": "Fedora",
            "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
-            "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+            "gpgkey": "F1D8 EC98 F241 AAF2 0DF6  9420 EF3C 111F CFC6 59B9"
          }
        },
        "packages": [
--- a/samples/base.json
+++ b/samples/base.json
@ -8,9 +8,8 @@
        "basearch": "x86_64",
        "repos": {
          "fedora": {
-            "name": "Fedora",
            "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
-            "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+            "gpgkey": "F1D8 EC98 F241 AAF2 0DF6  9420 EF3C 111F CFC6 59B9"
          }
        },
        "packages": [
--- a/samples/build-from-yum.json
+++ b/samples/build-from-yum.json
@ -16,7 +16,8 @@
        "packages": [
          "dnf",
          "systemd",
-          "tar"
+          "tar",
+          "gnupg"
        ]
      }
    }
--- a/stages/org.osbuild.dnf
+++ b/stages/org.osbuild.dnf
@ -5,6 +5,28 @@ import subprocess
 import sys


+def write_repofile(f, repoid, repo):
+    f.write(f"[{repoid}]\n")
+
+    def write_option(key, value):
+        f.write(f"{key}={value}\n")
+
+    # silence dnf warning about missing name
+    write_option("name", repoid)
+
+    for key in ("metalink", "mirrorlist", "baseurl"):
+        value = repo.get(key)
+        if value:
+            write_option(key, value)
+
+    if "gpgkey" in repo:
+        keyfile = f"/tmp/{repoid}.asc"
+        subprocess.run(["gpg2", "--recv-keys", repo["gpgkey"]], check=True)
+        subprocess.run(["gpg2", "--armor", "--output", keyfile, "--export", repo["gpgkey"]], check=True)
+        write_option("gpgcheck", 1)
+        write_option("gpgkey", f"file://{keyfile}")
+
+
 def main(tree, options):
    repos = options["repos"]
    packages = options["packages"]
@ -15,20 +37,7 @@ def main(tree, options):

    with open("/tmp/dnf.conf", "w") as conf:
        for repoid, repo in repos.items():
-            conf.write(f"[{repoid}]\n")
-            for key, value in repo.items():
-                if isinstance(value, str):
-                    s = value
-                elif isinstance(value, list):
-                    s = " ".join(value)
-                elif isinstance(value, bool):
-                    s = "1" if value else "0"
-                elif isinstance(value, int):
-                    s = str(value)
-                else:
-                    print(f"unkown type for `{key}`: {value} ({type(value)})")
-                    return 1
-                conf.write(f"{key}={s}\n")
+            write_repofile(conf, repoid, repo)

    script = f"""
        set -e
--- a/test/pipelines/f30-boot.json
+++ b/test/pipelines/f30-boot.json
@ -11,9 +11,8 @@
          "install_weak_deps": false,
          "repos": {
            "fedora": {
-              "name": "Fedora",
              "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
-              "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+              "gpgkey": "F1D8 EC98 F241 AAF2 0DF6  9420 EF3C 111F CFC6 59B9"
            }
          },
          "packages": [
@ -36,9 +35,8 @@
        "install_weak_deps": true,
        "repos": {
          "fedora": {
-            "name": "Fedora",
            "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
-            "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+            "gpgkey": "F1D8 EC98 F241 AAF2 0DF6  9420 EF3C 111F CFC6 59B9"
          }
        },
        "packages": [
--- a/test/pipelines/firewall.json
+++ b/test/pipelines/firewall.json
@ -8,9 +8,8 @@
        "basearch": "x86_64",
        "repos": {
          "fedora": {
-            "name": "Fedora",
            "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
-            "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+            "gpgkey": "F1D8 EC98 F241 AAF2 0DF6  9420 EF3C 111F CFC6 59B9"
          }
        },
        "packages": ["@Core", "firewalld"]
--- a/test/pipelines/locale.json
+++ b/test/pipelines/locale.json
@ -8,9 +8,8 @@
        "basearch": "x86_64",
        "repos": {
          "fedora": {
-            "name": "Fedora",
            "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
-            "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+            "gpgkey": "F1D8 EC98 F241 AAF2 0DF6  9420 EF3C 111F CFC6 59B9"
          }
        },
        "packages": ["@Core"]
--- a/test/pipelines/timezone.json
+++ b/test/pipelines/timezone.json
@ -8,9 +8,8 @@
        "basearch": "x86_64",
        "repos": {
          "fedora": {
-            "name": "Fedora",
            "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
-            "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+            "gpgkey": "F1D8 EC98 F241 AAF2 0DF6  9420 EF3C 111F CFC6 59B9"
          }
        },
        "packages": ["@Core"]