瀏覽代碼

Merge pull request #289 from netmanagers/debian-family-apt-keyrings

feat(debian): use keyrings instead of key_ids
tags/v2.8.0
Imran Iqbal 2 年之前
父節點
當前提交
bc86b743fd
No account linked to committer's email address
共有 6 個文件被更改,包括 138 次插入16 次删除
  1. +34
    -0
      docs/README.apt.keyrings.rst
  2. 二進制
      nginx/files/default/nginx-archive-keyring.gpg
  3. 二進制
      nginx/files/default/phusionpassenger-archive-keyring.gpg
  4. +2
    -0
      nginx/map.jinja
  5. +56
    -16
      nginx/pkg.sls
  6. +46
    -0
      test/integration/passenger/controls/repository.rb

+ 34
- 0
docs/README.apt.keyrings.rst 查看文件

@@ -0,0 +1,34 @@
.. _readme_apt_keyrings:

apt repositories' keyrings
==========================

Debian family of OSes deprecated the use of `apt-key` to manage repositories' keys
in favor of using `keyring files` which contain a binary OpenPGP format of the key
(also known as "GPG key public ring")

As nginx and passenger don't provide such key files, we created them following the
official recomendations in their sites and install the resulting files.

Nginx
-----

See https://nginx.org/en/linux_packages.html#Debian for details

.. code-block:: bash

$ curl -s https://nginx.org/keys/nginx_signing.key | \
gpg --dearmor --output nginx-archive-keyring.gpg

Phusion-passenger
-----------------

See https://www.phusionpassenger.com/docs/tutorials/deploy_to_production/installations/oss/ownserver/ruby/nginx/
for more details.

.. code-block:: bash

$ gpg --keyserver keyserver.ubuntu.com \
--output - \
--recv-keys 561F9B9CAC40B2F7 | \
gpg --export --output phusionpassenger-archive-keyring.gpg

二進制
nginx/files/default/nginx-archive-keyring.gpg 查看文件


二進制
nginx/files/default/phusionpassenger-archive-keyring.gpg 查看文件


+ 2
- 0
nginx/map.jinja 查看文件

@@ -19,6 +19,8 @@
'server_use_symlink': True,
'pid_file': '/run/nginx.pid',
'openssl_package': 'openssl',
'package_repo_keyring': '/usr/share/keyrings/nginx-archive-keyring.gpg',
'passenger_package_repo_keyring': '/usr/share/keyrings/phusionpassenger-archive-keyring.gpg',
},
'CentOS': {
'package': 'nginx',

+ 56
- 16
nginx/pkg.sls 查看文件

@@ -2,7 +2,11 @@
#
# Manages installation of nginx from pkg.

{% from 'nginx/map.jinja' import nginx, sls_block with context %}
{#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split('/')[0] %}
{%- from tplroot ~ "/map.jinja" import nginx, sls_block with context %}
{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}

{%- if nginx.install_from_repo %}
{% set from_official = true %}
{% set from_ppa = false %}
@@ -33,7 +37,19 @@ nginx_install:
- name: {{ nginx.lookup.package }}
{% endif %}

{% if salt['grains.get']('os_family') == 'Debian' %}
{% if grains.os_family == 'Debian' %}
{%- if from_official %}
nginx_official_repo_keyring:
file.managed:
- name: {{ nginx.lookup.package_repo_keyring }}
- source: {{ files_switch(['nginx-archive-keyring.gpg'],
lookup='nginx_official_repo_keyring'
)
}}
- require_in:
- pkgrepo: nginx_official_repo
{%- endif %}

nginx_official_repo:
pkgrepo:
{%- if from_official %}
@@ -42,10 +58,10 @@ nginx_official_repo:
- absent
{%- endif %}
- humanname: nginx apt repo
- name: deb http://nginx.org/packages/{{ grains['os'].lower() }}/ {{ grains['oscodename'] }} nginx
- file: /etc/apt/sources.list.d/nginx-official-{{ grains['oscodename'] }}.list
- keyid: ABF5BD827BD9BF62
- keyserver: keyserver.ubuntu.com
- name: >-
deb [signed-by={{ nginx.lookup.package_repo_keyring }}]
http://nginx.org/packages/{{ grains.os | lower }}/ {{ grains.oscodename }} nginx
- file: /etc/apt/sources.list.d/nginx-official-{{ grains.oscodename }}.list
- require_in:
- pkg: nginx_install
- watch_in:
@@ -60,10 +76,10 @@ nginx_ppa_repo:
{%- else %}
- absent
{%- endif %}
{% if salt['grains.get']('os') == 'Ubuntu' %}
{% if grains.os == 'Ubuntu' %}
- ppa: nginx/{{ nginx.ppa_version }}
{% else %}
- name: deb http://ppa.launchpad.net/nginx/{{ nginx.ppa_version }}/ubuntu {{ grains['oscodename'] }} main
- name: deb http://ppa.launchpad.net/nginx/{{ nginx.ppa_version }}/ubuntu {{ grains.oscodename }} main
- keyid: C300EE8C
- keyserver: keyserver.ubuntu.com
{% endif %}
@@ -73,6 +89,30 @@ nginx_ppa_repo:
- pkg: nginx_install
{%- endif %}

{%- if from_phusionpassenger %}
nginx_phusionpassenger_repo_keyring:
file.managed:
- name: /usr/share/keyrings/phusionpassenger-archive-keyring.gpg
- source: {{ files_switch(['phusionpassenger-archive-keyring.gpg'],
lookup='nginx_phusionpassenger_repo_keyring'
)
}}
- require_in:
- pkgrepo: nginx_phusionpassenger_repo

# Remove the old repo file
nginx_phusionpassenger_repo_remove:
pkgrepo.absent:
- name: deb http://nginx.org/packages/{{ grains.os |lower }}/ {{ grains.oscodename }} nginx
- keyid: 561F9B9CAC40B2F7
- require_in:
- pkgrepo: nginx_phusionpassenger_repo
file.absent:
- name: /etc/apt/sources.list.d/nginx-phusionpassenger-{{ grains.oscodename }}.list
- require_in:
- pkgrepo: nginx_phusionpassenger_repo
{%- endif %}

nginx_phusionpassenger_repo:
pkgrepo:
{%- if from_phusionpassenger %}
@@ -81,17 +121,17 @@ nginx_phusionpassenger_repo:
- absent
{%- endif %}
- humanname: nginx phusionpassenger repo
- name: deb https://oss-binaries.phusionpassenger.com/apt/passenger {{ grains['oscodename'] }} main
- file: /etc/apt/sources.list.d/nginx-phusionpassenger-{{ grains['oscodename'] }}.list
- keyid: 561F9B9CAC40B2F7
- keyserver: keyserver.ubuntu.com
- name: >-
deb [signed-by={{ nginx.lookup.passenger_package_repo_keyring }}]
https://oss-binaries.phusionpassenger.com/apt/passenger {{ grains.oscodename }} main
- file: /etc/apt/sources.list.d/phusionpassenger-official-{{ grains.oscodename }}.list
- require_in:
- pkg: nginx_install
- watch_in:
- pkg: nginx_install
{% endif %}

{% if salt['grains.get']('os_family') == 'Suse' or salt['grains.get']('os') == 'SUSE' %}
{% if grains.os_family == 'Suse' or grains.os == 'SUSE' %}
nginx_zypp_repo:
pkgrepo:
{%- if from_official %}
@@ -112,8 +152,8 @@ nginx_zypp_repo:
- pkg: nginx_install
{% endif %}

{% if salt['grains.get']('os_family') == 'RedHat' %}
{% if salt['grains.get']('osfinger', '') in ['Amazon Linux-2'] %}
{% if grains.os_family == 'RedHat' %}
{% if grains.get('osfinger', '') == 'Amazon Linux-2' %}
nginx_epel_repo:
pkgrepo.managed:
- name: epel
@@ -138,7 +178,7 @@ nginx_yum_repo:
{%- endif %}
- name: nginx
- humanname: nginx repo
{%- if salt['grains.get']('os') == 'CentOS' %}
{%- if grains.os == 'CentOS' %}
- baseurl: 'http://nginx.org/packages/centos/$releasever/$basearch/'
{%- else %}
- baseurl: 'http://nginx.org/packages/rhel/{{ nginx.lookup.rh_os_releasever }}/$basearch/'

+ 46
- 0
test/integration/passenger/controls/repository.rb 查看文件

@@ -0,0 +1,46 @@
# frozen_string_literal: true

case platform.family
when 'redhat'
repo_file = '/etc/yum.repos.d/passenger.repo'
repo_url = 'https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch'
when 'debian'
# Inspec does not provide a `codename` matcher, so we add ours
finger_codename = {
'ubuntu-18.04' => 'bionic',
'ubuntu-20.04' => 'focal',
'debian-9' => 'stretch',
'debian-10' => 'buster',
'debian-11' => 'bullseye'
}
codename = finger_codename[system.platform[:finger]]

repo_keyring = '/usr/share/keyrings/phusionpassenger-archive-keyring.gpg'
repo_file = "/etc/apt/sources.list.d/phusionpassenger-official-#{codename}.list"
# rubocop:disable Metrics/LineLength
repo_url = "deb [signed-by=#{repo_keyring}] https://oss-binaries.phusionpassenger.com/apt/passenger #{codename} main"
# rubocop:enable Metrics/LineLength
end

control 'Phusion-passenger repository keyring' do
title 'should be installed'

only_if('Requirement for Debian family') do
os.debian?
end

describe file(repo_keyring) do
it { should exist }
it { should be_owned_by 'root' }
it { should be_grouped_into 'root' }
its('mode') { should cmp '0644' }
end
end

control 'Phusion-passenger repository' do
impact 1
title 'should be configured'
describe file(repo_file) do
its('content') { should include repo_url }
end
end

Loading…
取消
儲存