From e23b5a32a2503c7b15bda1579bd299586040dc2a Mon Sep 17 00:00:00 2001
From: Lars Karlitski
Date: Tue, 24 Sep 2019 15:53:31 +0200
Subject: [PATCH] stages/yum: only write known options to repo file

This is similar to the previous commit for the dnf stage. Don't pass through arbitrary options. This means that pipeline repo objects don't have the same options as yum repo files anymore:

1. Hard code repo name to repo id. The name has no influence on the resulting image and should thus not appear in a pipeline.

2. Set gpgcheck=1 when gpgkey is given. It defaults to false, which means that all sample and test pipelines didn't verify packages. It would have failed anyway, because the container doesn't have the key referenced in /etc. Change all gpgkeys to refer to the key id and import them manually.

3. Don't allow lists for baseurl and gpgkey. We can add that if we need it at some point.

Also be less verbose.
---
 samples/base-from-yum.json | 3 +--
 samples/build-from-yum.json | 3 +--
 stages/org.osbuild.yum | 39 +++++++++++++++++++++++--------------
 3 files changed, 26 insertions(+), 19 deletions(-)

diff --git a/samples/base-from-yum.json b/samples/base-from-yum.json
index b7e92b57..81ee988d 100644
--- a/samples/base-from-yum.json
+++ b/samples/base-from-yum.json
@@ -10,9 +10,8 @@
 "basearch": "x86_64",
 "repos": {
 "fedora": {
- "name": "Fedora",
 "baseurl": "https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/$releasever/Everything/$basearch/os/",
- "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+ "gpgkey": "860E 19B0 AFA8 00A1 7518 81A6 F55E 7430 F528 2EE4"
 }
 },
 "packages": [
diff --git a/samples/build-from-yum.json b/samples/build-from-yum.json
index 4a6367bf..34a5922b 100644
--- a/samples/build-from-yum.json
+++ b/samples/build-from-yum.json
@@ -8,9 +8,8 @@
 "basearch": "x86_64",
 "repos": {
 "fedora": {
- "name": "Fedora",
 "baseurl": "https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/$releasever/Everything/$basearch/os/",
- "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"
+ "gpgkey": "860E 19B0 AFA8 00A1 7518 81A6 F55E 7430 F528 2EE4"
 }
 },
 "packages": [
diff --git a/stages/org.osbuild.yum b/stages/org.osbuild.yum
index 55b2bd59..b5b64ae7 100755
--- a/stages/org.osbuild.yum
+++ b/stages/org.osbuild.yum
@@ -5,6 +5,28 @@ import subprocess
 import sys
+def write_repofile(f, repoid, repo):
+ f.write(f"[{repoid}]\n")
+
+ def write_option(key, value):
+ f.write(f"{key}={value}\n")
+
+ # silence dnf warning about missing name
+ write_option("name", repoid)
+
+ for key in ("metalink", "mirrorlist", "baseurl"):
+ value = repo.get(key)
+ if value:
+ write_option(key, value)
+
+ if "gpgkey" in repo:
+ keyfile = f"/tmp/{repoid}.asc"
+ subprocess.run(["gpg2", "--recv-keys", repo["gpgkey"]], check=True)
+ subprocess.run(["gpg2", "--armor", "--output", keyfile, "--export", repo["gpgkey"]], check=True)
+ write_option("gpgcheck", 1)
+ write_option("gpgkey", f"file://{keyfile}")
+
+
 def main(tree, options):
 repos = options["repos"]
 packages = options["packages"]
@@ -14,20 +36,7 @@ def main(tree, options):
 with open("/tmp/yum.conf", "w") as conf:
 for repoid, repo in repos.items():
- conf.write(f"[{repoid}]\n")
- for key, value in repo.items():
- if isinstance(value, str):
- s = value
- elif isinstance(value, list):
- s = " ".join(value)
- elif isinstance(value, bool):
- s = "1" if value else "0"
- elif isinstance(value, int):
- s = str(value)
- else:
- print(f"unkown type for `{key}`: {value} ({type(value)})")
- return 1
- conf.write(f"{key}={s}\n")
+ write_repofile(conf, repoid, repo)
 script = f"""
 set -e
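Review bot: In `write_repofile`, the `metalink`/`mirrorlist`/`baseurl` loop hands any truthy value straight to `write_option`, so a list (which the message says is no longer supported) or any other non-string is not rejected but written as its Python repr, and a string containing a newline lands verbatim in the INI file where it can append further keys such as `gpgcheck=0` to the section; the `isinstance` chain and `return 1` that the second hunk removes from `main` had at least caught the wrong type. Checking `isinstance(value, str)` and rejecting embedded newlines, as sketched below, restores an explicit error instead of a malformed repo file. Relatedly, nothing is written for `gpgcheck` when `gpgkey` is absent, so such a repo silently inherits yum's default of no signature verification (the message itself notes that default is false); writing `gpgcheck=0` explicitly makes that choice visible in the generated file. `gpg2 --recv-keys` presumably fetches the key from the configured keyserver, so the stage now needs network access at build time and the imported key is whatever the keyserver returns for the given fingerprint — worth a comment above the `if "gpgkey" in repo:` block, e.g. `# key is fetched from the default keyserver at build time; needs network access`.
```python
    for key in ("metalink", "mirrorlist", "baseurl"):
        value = repo.get(key)
        if not value:
            continue
        # lists are no longer supported, and an embedded newline would let one
        # option smuggle further keys into this repo section
        if not isinstance(value, str) or "\n" in value:
            raise ValueError(f"{key} for repo `{repoid}` must be a single-line string")
        write_option(key, value)

    if "gpgkey" in repo:
        # … unchanged: key import and gpgcheck=1 …
    else:
        # make the absence of signature checking explicit in the generated file
        write_option("gpgcheck", 0)
```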
@@ -43,7 +52,7 @@ def main(tree, options):
 return err.returncode
 cmd = [
- "yum", "-y", "-v",
+ "yum", "--assumeyes",
 f"--installroot={tree}",
 "--setopt=\"reposdir=\"",
 f"--releasever={releasever}",