소스 검색

Merge pull request #289 from netmanagers/debian-family-apt-keyrings

feat(debian): use keyrings instead of key_ids
tags/v2.8.0
Imran Iqbal 2 년 전
부모
커밋
bc86b743fd
No account linked to committer's email address
6개의 변경된 파일138개의 추가작업 그리고 16개의 파일을 삭제
  1. +34
    -0
      docs/README.apt.keyrings.rst
  2. BIN
      nginx/files/default/nginx-archive-keyring.gpg
  3. BIN
      nginx/files/default/phusionpassenger-archive-keyring.gpg
  4. +2
    -0
      nginx/map.jinja
  5. +56
    -16
      nginx/pkg.sls
  6. +46
    -0
      test/integration/passenger/controls/repository.rb

+ 34
- 0
docs/README.apt.keyrings.rst 파일 보기

@@ -0,0 +1,34 @@
.. _readme_apt_keyrings:

apt repositories' keyrings
==========================

Debian family of OSes deprecated the use of `apt-key` to manage repositories' keys
in favor of using `keyring files` which contain a binary OpenPGP format of the key
(also known as "GPG key public ring")

As nginx and passenger don't provide such key files, we created them following the
official recomendations in their sites and install the resulting files.

Nginx
-----

See https://nginx.org/en/linux_packages.html#Debian for details

.. code-block:: bash

$ curl -s https://nginx.org/keys/nginx_signing.key | \
gpg --dearmor --output nginx-archive-keyring.gpg

Phusion-passenger
-----------------

See https://www.phusionpassenger.com/docs/tutorials/deploy_to_production/installations/oss/ownserver/ruby/nginx/
for more details.

.. code-block:: bash

$ gpg --keyserver keyserver.ubuntu.com \
--output - \
--recv-keys 561F9B9CAC40B2F7 | \
gpg --export --output phusionpassenger-archive-keyring.gpg

BIN
nginx/files/default/nginx-archive-keyring.gpg 파일 보기


BIN
nginx/files/default/phusionpassenger-archive-keyring.gpg 파일 보기


+ 2
- 0
nginx/map.jinja 파일 보기

@@ -19,6 +19,8 @@
'server_use_symlink': True,
'pid_file': '/run/nginx.pid',
'openssl_package': 'openssl',
'package_repo_keyring': '/usr/share/keyrings/nginx-archive-keyring.gpg',
'passenger_package_repo_keyring': '/usr/share/keyrings/phusionpassenger-archive-keyring.gpg',
},
'CentOS': {
'package': 'nginx',

+ 56
- 16
nginx/pkg.sls 파일 보기

@@ -2,7 +2,11 @@
#
# Manages installation of nginx from pkg.

{% from 'nginx/map.jinja' import nginx, sls_block with context %}
{#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split('/')[0] %}
{%- from tplroot ~ "/map.jinja" import nginx, sls_block with context %}
{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}

{%- if nginx.install_from_repo %}
{% set from_official = true %}
{% set from_ppa = false %}
@@ -33,7 +37,19 @@ nginx_install:
- name: {{ nginx.lookup.package }}
{% endif %}

{% if salt['grains.get']('os_family') == 'Debian' %}
{% if grains.os_family == 'Debian' %}
{%- if from_official %}
nginx_official_repo_keyring:
file.managed:
- name: {{ nginx.lookup.package_repo_keyring }}
- source: {{ files_switch(['nginx-archive-keyring.gpg'],
lookup='nginx_official_repo_keyring'
)
}}
- require_in:
- pkgrepo: nginx_official_repo
{%- endif %}

nginx_official_repo:
pkgrepo:
{%- if from_official %}
@@ -42,10 +58,10 @@ nginx_official_repo:
- absent
{%- endif %}
- humanname: nginx apt repo
- name: deb http://nginx.org/packages/{{ grains['os'].lower() }}/ {{ grains['oscodename'] }} nginx
- file: /etc/apt/sources.list.d/nginx-official-{{ grains['oscodename'] }}.list
- keyid: ABF5BD827BD9BF62
- keyserver: keyserver.ubuntu.com
- name: >-
deb [signed-by={{ nginx.lookup.package_repo_keyring }}]
http://nginx.org/packages/{{ grains.os | lower }}/ {{ grains.oscodename }} nginx
- file: /etc/apt/sources.list.d/nginx-official-{{ grains.oscodename }}.list
- require_in:
- pkg: nginx_install
- watch_in:
@@ -60,10 +76,10 @@ nginx_ppa_repo:
{%- else %}
- absent
{%- endif %}
{% if salt['grains.get']('os') == 'Ubuntu' %}
{% if grains.os == 'Ubuntu' %}
- ppa: nginx/{{ nginx.ppa_version }}
{% else %}
- name: deb http://ppa.launchpad.net/nginx/{{ nginx.ppa_version }}/ubuntu {{ grains['oscodename'] }} main
- name: deb http://ppa.launchpad.net/nginx/{{ nginx.ppa_version }}/ubuntu {{ grains.oscodename }} main
- keyid: C300EE8C
- keyserver: keyserver.ubuntu.com
{% endif %}
@@ -73,6 +89,30 @@ nginx_ppa_repo:
- pkg: nginx_install
{%- endif %}

{%- if from_phusionpassenger %}
nginx_phusionpassenger_repo_keyring:
file.managed:
- name: /usr/share/keyrings/phusionpassenger-archive-keyring.gpg
- source: {{ files_switch(['phusionpassenger-archive-keyring.gpg'],
lookup='nginx_phusionpassenger_repo_keyring'
)
}}
- require_in:
- pkgrepo: nginx_phusionpassenger_repo

# Remove the old repo file
nginx_phusionpassenger_repo_remove:
pkgrepo.absent:
- name: deb http://nginx.org/packages/{{ grains.os |lower }}/ {{ grains.oscodename }} nginx
- keyid: 561F9B9CAC40B2F7
- require_in:
- pkgrepo: nginx_phusionpassenger_repo
file.absent:
- name: /etc/apt/sources.list.d/nginx-phusionpassenger-{{ grains.oscodename }}.list
- require_in:
- pkgrepo: nginx_phusionpassenger_repo
{%- endif %}

nginx_phusionpassenger_repo:
pkgrepo:
{%- if from_phusionpassenger %}
@@ -81,17 +121,17 @@ nginx_phusionpassenger_repo:
- absent
{%- endif %}
- humanname: nginx phusionpassenger repo
- name: deb https://oss-binaries.phusionpassenger.com/apt/passenger {{ grains['oscodename'] }} main
- file: /etc/apt/sources.list.d/nginx-phusionpassenger-{{ grains['oscodename'] }}.list
- keyid: 561F9B9CAC40B2F7
- keyserver: keyserver.ubuntu.com
- name: >-
deb [signed-by={{ nginx.lookup.passenger_package_repo_keyring }}]
https://oss-binaries.phusionpassenger.com/apt/passenger {{ grains.oscodename }} main
- file: /etc/apt/sources.list.d/phusionpassenger-official-{{ grains.oscodename }}.list
- require_in:
- pkg: nginx_install
- watch_in:
- pkg: nginx_install
{% endif %}

{% if salt['grains.get']('os_family') == 'Suse' or salt['grains.get']('os') == 'SUSE' %}
{% if grains.os_family == 'Suse' or grains.os == 'SUSE' %}
nginx_zypp_repo:
pkgrepo:
{%- if from_official %}
@@ -112,8 +152,8 @@ nginx_zypp_repo:
- pkg: nginx_install
{% endif %}

{% if salt['grains.get']('os_family') == 'RedHat' %}
{% if salt['grains.get']('osfinger', '') in ['Amazon Linux-2'] %}
{% if grains.os_family == 'RedHat' %}
{% if grains.get('osfinger', '') == 'Amazon Linux-2' %}
nginx_epel_repo:
pkgrepo.managed:
- name: epel
@@ -138,7 +178,7 @@ nginx_yum_repo:
{%- endif %}
- name: nginx
- humanname: nginx repo
{%- if salt['grains.get']('os') == 'CentOS' %}
{%- if grains.os == 'CentOS' %}
- baseurl: 'http://nginx.org/packages/centos/$releasever/$basearch/'
{%- else %}
- baseurl: 'http://nginx.org/packages/rhel/{{ nginx.lookup.rh_os_releasever }}/$basearch/'

+ 46
- 0
test/integration/passenger/controls/repository.rb 파일 보기

@@ -0,0 +1,46 @@
# frozen_string_literal: true

case platform.family
when 'redhat'
repo_file = '/etc/yum.repos.d/passenger.repo'
repo_url = 'https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch'
when 'debian'
# Inspec does not provide a `codename` matcher, so we add ours
finger_codename = {
'ubuntu-18.04' => 'bionic',
'ubuntu-20.04' => 'focal',
'debian-9' => 'stretch',
'debian-10' => 'buster',
'debian-11' => 'bullseye'
}
codename = finger_codename[system.platform[:finger]]

repo_keyring = '/usr/share/keyrings/phusionpassenger-archive-keyring.gpg'
repo_file = "/etc/apt/sources.list.d/phusionpassenger-official-#{codename}.list"
# rubocop:disable Metrics/LineLength
repo_url = "deb [signed-by=#{repo_keyring}] https://oss-binaries.phusionpassenger.com/apt/passenger #{codename} main"
# rubocop:enable Metrics/LineLength
end

control 'Phusion-passenger repository keyring' do
title 'should be installed'

only_if('Requirement for Debian family') do
os.debian?
end

describe file(repo_keyring) do
it { should exist }
it { should be_owned_by 'root' }
it { should be_grouped_into 'root' }
its('mode') { should cmp '0644' }
end
end

control 'Phusion-passenger repository' do
impact 1
title 'should be configured'
describe file(repo_file) do
its('content') { should include repo_url }
end
end

Loading…
취소
저장