
Merge pull request #289 from netmanagers/debian-family-apt-keyrings

feat(debian): use keyrings instead of key_ids
tags/v2.8.0
Imran Iqbal 2年前
コミット
bc86b743fd
6個のファイルの変更138行の追加16行の削除
  1. +34
    -0
      docs/README.apt.keyrings.rst
  2. バイナリ
      nginx/files/default/nginx-archive-keyring.gpg
  3. バイナリ
      nginx/files/default/phusionpassenger-archive-keyring.gpg
  4. +2
    -0
      nginx/map.jinja
  5. +56
    -16
      nginx/pkg.sls
  6. +46
    -0
      test/integration/passenger/controls/repository.rb

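--- a/docs/README.apt.keyrings.rst
+++ b/docs/README.apt.keyrings.rst
@@ -0,0 +1,34 @@
+.. _readme_apt_keyrings:
+
+apt repositories' keyrings
+==========================
+
+Debian family of OSes deprecated the use of `apt-key` to manage repositories' keys
+in favor of using `keyring files` which contain a binary OpenPGP format of the key
+(also known as "GPG key public ring")
+
+As nginx and passenger don't provide such key files, we created them following the
+official recomendations in their sites and install the resulting files.
+
+Nginx
+-----
+
+See https://nginx.org/en/linux_packages.html#Debian for details
+
+.. code-block:: bash
+
+$ curl -s https://nginx.org/keys/nginx_signing.key | \
+gpg --dearmor --output nginx-archive-keyring.gpg
+
+Phusion-passenger
+-----------------
+
+See https://www.phusionpassenger.com/docs/tutorials/deploy_to_production/installations/oss/ownserver/ruby/nginx/
+for more details.
+
+.. code-block:: bash
+
+$ gpg --keyserver keyserver.ubuntu.com \
+--output - \
+--recv-keys 561F9B9CAC40B2F7 | \
+gpg --export --output phusionpassenger-archive-keyring.gpg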

バイナリ
nginx/files/default/nginx-archive-keyring.gpg ファイルの表示


バイナリ
nginx/files/default/phusionpassenger-archive-keyring.gpg ファイルの表示


+ 2
- 0
nginx/map.jinja ファイルの表示

@@ -19,6 +19,8 @@
'server_use_symlink': True,
'pid_file': '/run/nginx.pid',
'openssl_package': 'openssl',
'package_repo_keyring': '/usr/share/keyrings/nginx-archive-keyring.gpg',
'passenger_package_repo_keyring': '/usr/share/keyrings/phusionpassenger-archive-keyring.gpg',
},
'CentOS': {
'package': 'nginx',

+ 56
- 16
nginx/pkg.sls ファイルの表示

@@ -2,7 +2,11 @@
#
# Manages installation of nginx from pkg.

{% from 'nginx/map.jinja' import nginx, sls_block with context %}
{#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split('/')[0] %}
{%- from tplroot ~ "/map.jinja" import nginx, sls_block with context %}
{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}

{%- if nginx.install_from_repo %}
{% set from_official = true %}
{% set from_ppa = false %}
@@ -33,7 +37,19 @@ nginx_install:
- name: {{ nginx.lookup.package }}
{% endif %}

{% if salt['grains.get']('os_family') == 'Debian' %}
{% if grains.os_family == 'Debian' %}
{%- if from_official %}
nginx_official_repo_keyring:
file.managed:
- name: {{ nginx.lookup.package_repo_keyring }}
- source: {{ files_switch(['nginx-archive-keyring.gpg'],
lookup='nginx_official_repo_keyring'
)
}}
- require_in:
- pkgrepo: nginx_official_repo
{%- endif %}

nginx_official_repo:
pkgrepo:
{%- if from_official %}
@@ -42,10 +58,10 @@ nginx_official_repo:
- absent
{%- endif %}
- humanname: nginx apt repo
- name: deb http://nginx.org/packages/{{ grains['os'].lower() }}/ {{ grains['oscodename'] }} nginx
- file: /etc/apt/sources.list.d/nginx-official-{{ grains['oscodename'] }}.list
- keyid: ABF5BD827BD9BF62
- keyserver: keyserver.ubuntu.com
- name: >-
deb [signed-by={{ nginx.lookup.package_repo_keyring }}]
http://nginx.org/packages/{{ grains.os | lower }}/ {{ grains.oscodename }} nginx
- file: /etc/apt/sources.list.d/nginx-official-{{ grains.oscodename }}.list
- require_in:
- pkg: nginx_install
- watch_in:
@@ -60,10 +76,10 @@ nginx_ppa_repo:
{%- else %}
- absent
{%- endif %}
{% if salt['grains.get']('os') == 'Ubuntu' %}
{% if grains.os == 'Ubuntu' %}
- ppa: nginx/{{ nginx.ppa_version }}
{% else %}
- name: deb http://ppa.launchpad.net/nginx/{{ nginx.ppa_version }}/ubuntu {{ grains['oscodename'] }} main
- name: deb http://ppa.launchpad.net/nginx/{{ nginx.ppa_version }}/ubuntu {{ grains.oscodename }} main
- keyid: C300EE8C
- keyserver: keyserver.ubuntu.com
{% endif %}
@@ -73,6 +89,30 @@ nginx_ppa_repo:
- pkg: nginx_install
{%- endif %}

{%- if from_phusionpassenger %}
nginx_phusionpassenger_repo_keyring:
file.managed:
- name: /usr/share/keyrings/phusionpassenger-archive-keyring.gpg
- source: {{ files_switch(['phusionpassenger-archive-keyring.gpg'],
lookup='nginx_phusionpassenger_repo_keyring'
)
}}
- require_in:
- pkgrepo: nginx_phusionpassenger_repo

# Remove the old repo file
nginx_phusionpassenger_repo_remove:
pkgrepo.absent:
- name: deb http://nginx.org/packages/{{ grains.os |lower }}/ {{ grains.oscodename }} nginx
- keyid: 561F9B9CAC40B2F7
- require_in:
- pkgrepo: nginx_phusionpassenger_repo
file.absent:
- name: /etc/apt/sources.list.d/nginx-phusionpassenger-{{ grains.oscodename }}.list
- require_in:
- pkgrepo: nginx_phusionpassenger_repo
{%- endif %}

nginx_phusionpassenger_repo:
pkgrepo:
{%- if from_phusionpassenger %}
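Review bot: `nginx_phusionpassenger_repo_remove` names the nginx repo line (`deb http://nginx.org/packages/{{ grains.os |lower }}/ {{ grains.oscodename }} nginx`) rather than the passenger entry it is meant to retire, which according to the removed `name` of `nginx_phusionpassenger_repo` was `deb https://oss-binaries.phusionpassenger.com/apt/passenger {{ grains.oscodename }} main`; as written the `pkgrepo.absent` is probably a no-op for the old passenger source, and on a host that also carries the nginx official repo it could match and remove that one instead, since Salt compares apt sources by URI, dist and components rather than by the full line. The fix is `- name: deb https://oss-binaries.phusionpassenger.com/apt/passenger {{ grains.oscodename }} main`. In the same hunk, `nginx_phusionpassenger_repo_keyring` hardcodes `/usr/share/keyrings/phusionpassenger-archive-keyring.gpg` while the `signed-by=` option on the repo reads `nginx.lookup.passenger_package_repo_keyring`, so an override of that lookup would leave apt pointing at a keyring that was never installed; use `- name: {{ nginx.lookup.passenger_package_repo_keyring }}` as `nginx_official_repo_keyring` already does with `package_repo_keyring`. The former apt-key import for the nginx repo (`ABF5BD827BD9BF62`) gets no equivalent cleanup state, which may be intentional but deserves a one-line comment next to `nginx_official_repo` saying so.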
@@ -81,17 +121,17 @@ nginx_phusionpassenger_repo:
- absent
{%- endif %}
- humanname: nginx phusionpassenger repo
- name: deb https://oss-binaries.phusionpassenger.com/apt/passenger {{ grains['oscodename'] }} main
- file: /etc/apt/sources.list.d/nginx-phusionpassenger-{{ grains['oscodename'] }}.list
- keyid: 561F9B9CAC40B2F7
- keyserver: keyserver.ubuntu.com
- name: >-
deb [signed-by={{ nginx.lookup.passenger_package_repo_keyring }}]
https://oss-binaries.phusionpassenger.com/apt/passenger {{ grains.oscodename }} main
- file: /etc/apt/sources.list.d/phusionpassenger-official-{{ grains.oscodename }}.list
- require_in:
- pkg: nginx_install
- watch_in:
- pkg: nginx_install
{% endif %}

{% if salt['grains.get']('os_family') == 'Suse' or salt['grains.get']('os') == 'SUSE' %}
{% if grains.os_family == 'Suse' or grains.os == 'SUSE' %}
nginx_zypp_repo:
pkgrepo:
{%- if from_official %}
@@ -112,8 +152,8 @@ nginx_zypp_repo:
- pkg: nginx_install
{% endif %}

{% if salt['grains.get']('os_family') == 'RedHat' %}
{% if salt['grains.get']('osfinger', '') in ['Amazon Linux-2'] %}
{% if grains.os_family == 'RedHat' %}
{% if grains.get('osfinger', '') == 'Amazon Linux-2' %}
nginx_epel_repo:
pkgrepo.managed:
- name: epel
@@ -138,7 +178,7 @@ nginx_yum_repo:
{%- endif %}
- name: nginx
- humanname: nginx repo
{%- if salt['grains.get']('os') == 'CentOS' %}
{%- if grains.os == 'CentOS' %}
- baseurl: 'http://nginx.org/packages/centos/$releasever/$basearch/'
{%- else %}
- baseurl: 'http://nginx.org/packages/rhel/{{ nginx.lookup.rh_os_releasever }}/$basearch/'

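--- a/test/integration/passenger/controls/repository.rb
+++ b/test/integration/passenger/controls/repository.rb
@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+case platform.family
+when 'redhat'
+repo_file = '/etc/yum.repos.d/passenger.repo'
+repo_url = 'https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch'
+when 'debian'
+# Inspec does not provide a `codename` matcher, so we add ours
+finger_codename = {
+'ubuntu-18.04' => 'bionic',
+'ubuntu-20.04' => 'focal',
+'debian-9' => 'stretch',
+'debian-10' => 'buster',
+'debian-11' => 'bullseye'
+}
+codename = finger_codename[system.platform[:finger]]
+
+repo_keyring = '/usr/share/keyrings/phusionpassenger-archive-keyring.gpg'
+repo_file = "/etc/apt/sources.list.d/phusionpassenger-official-#{codename}.list"
+# rubocop:disable Metrics/LineLength
+repo_url = "deb [signed-by=#{repo_keyring}] https://oss-binaries.phusionpassenger.com/apt/passenger #{codename} main"
+# rubocop:enable Metrics/LineLength
+end
+
+control 'Phusion-passenger repository keyring' do
+title 'should be installed'
+
+only_if('Requirement for Debian family') do
+os.debian?
+end
+
+describe file(repo_keyring) do
+it { should exist }
+it { should be_owned_by 'root' }
+it { should be_grouped_into 'root' }
+its('mode') { should cmp '0644' }
+end
+end
+
+control 'Phusion-passenger repository' do
+impact 1
+title 'should be configured'
+describe file(repo_file) do
+its('content') { should include repo_url }
+end
+end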
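Review bot: The `finger_codename` lookup has no fallback, so on a Debian-family platform that is not in the table `codename` is nil and `repo_file` silently becomes `/etc/apt/sources.list.d/phusionpassenger-official-.list`, turning a missing mapping into a misleading "content should include" failure; `codename = finger_codename.fetch(system.platform[:finger])` would make the gap fail loudly at the lookup. The 'Phusion-passenger repository keyring' control carries no `impact` while the repository control sets `impact 1`, so the two halves of one requirement are weighted differently in the report. That keyring control also only asserts presence and permissions; the file is what apt will trust for this repo, so if a content check is wanted, a `command` resource running `gpg --show-keys` on it and matching the key id documented in README.apt.keyrings.rst (561F9B9CAC40B2F7) would verify that the shipped blob is the intended key.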
