From 0d53a12526357e86effa21159fc2209f83df08c4 Mon Sep 17 00:00:00 2001 From: Sreejith Punnapuzha Date: Wed, 17 Feb 2021 08:46:14 -0600 Subject: [PATCH] Block packages in image-builder This commit adds support for block packages via apt to image builder. Signed-off-by: Sreejith Punnapuzha Change-Id: Ia7504504c4415b38af862429a9e1f51a50da0bae --- .../roles/multistrap/defaults/main.yaml | 2 ++ .../playbooks/roles/multistrap/tasks/main.yaml | 17 +++++++++++++++++ .../multistrap/templates/multistrap.conf.j2 | 2 ++ .../multistrap/templates/unapproved-packages.j2 | 6 ++++++ 4 files changed, 27 insertions(+) create mode 100644 image-builder/assets/playbooks/roles/multistrap/templates/unapproved-packages.j2 diff --git a/image-builder/assets/playbooks/roles/multistrap/defaults/main.yaml b/image-builder/assets/playbooks/roles/multistrap/defaults/main.yaml index 6ebe8c0..e0e0b17 100644 --- a/image-builder/assets/playbooks/roles/multistrap/defaults/main.yaml +++ b/image-builder/assets/playbooks/roles/multistrap/defaults/main.yaml @@ -71,6 +71,8 @@ ubuntu_packages: - wget - xfsprogs - xz-utils +unapproved_packages: # provide the exact name of the packages that need to be blocked + - unattended-upgrades repos: - register_repo_with_rootfs: true name: Ubuntu diff --git a/image-builder/assets/playbooks/roles/multistrap/tasks/main.yaml b/image-builder/assets/playbooks/roles/multistrap/tasks/main.yaml index ddcc360..7889d43 100644 --- a/image-builder/assets/playbooks/roles/multistrap/tasks/main.yaml +++ b/image-builder/assets/playbooks/roles/multistrap/tasks/main.yaml @@ -25,6 +25,11 @@ suffix: multistrap register: multistrap_tempdir +- name: "Configure apt with unapproved packages" + template: + src: unapproved-packages.j2 + dest: "{{ multistrap_tempdir.path }}/pref.conf" + - name: "write out multistrap config" template: src: multistrap.conf.j2 
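Review bot: The new `unapproved_packages` default blocks `unattended-upgrades` without recording why, and on Ubuntu that package is what applies security updates automatically. Images built from these defaults therefore rely on some other patch path that the file does not name. The existing inline comment only covers how to spell entries, so I would add a line above the entry such as `# unattended-upgrades is blocked on purpose; security updates reach deployed hosts via <patch process>`. The `ubuntu_packages` list starts outside this hunk, so it is not visible here whether anything in it depends on a blocked package, which would make apt's resolution fail.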
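Review bot: The bootstrap copy of the pin file is written as `pref.conf`, but apt only reads files in `preferences.d` that have no extension or end in `.pref`. If multistrap installs the `aptpreferences` file into the rootfs under its own basename (worth confirming against the multistrap version in use), the pins would be ignored during bootstrap and the block would fail open. Reusing the name from the later task avoids the question: `dest: "{{ multistrap_tempdir.path }}/unapproved-packages.pref"`, with `aptpreferences=` in the multistrap.conf.j2 hunk changed to match. That setting is a bare filename, so it also depends on how multistrap resolves relative paths. The `write out multistrap config` task continues past the end of this hunk, so where the config file is written is not visible here.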
@@ -61,6 +66,18 @@ # cmd: | # chroot {{ rootfs_root }} update-grub +- name: "Configure apt with unapproved packages" + template: + src: unapproved-packages.j2 + dest: "{{ rootfs_root }}/etc/apt/preferences.d/unapproved-packages.pref" + +- name: "Configure apt to remove unapproved packages from update" + ansible.builtin.lineinfile: + path: "{{ rootfs_root }}/etc/apt/apt.conf.d/01autoremove" + insertafter: "multiverse/metapackages" + line: ' "{{ item }}";' + with_items: "{{ unapproved_packages }}" + - name: "Lock sources.list to prevent conflict and duplicates with multistrap repo list" shell: | set -e diff --git a/image-builder/assets/playbooks/roles/multistrap/templates/multistrap.conf.j2 b/image-builder/assets/playbooks/roles/multistrap/templates/multistrap.conf.j2 index 2d28eda..4193304 100644 --- a/image-builder/assets/playbooks/roles/multistrap/templates/multistrap.conf.j2 +++ b/image-builder/assets/playbooks/roles/multistrap/templates/multistrap.conf.j2 @@ -14,6 +14,8 @@ unpack=true # enable MultiArch for the specified architectures # default is empty #multiarch=allowed +# apt preferences file +aptpreferences=pref.conf # the order of sections is not important. # the bootstrap option determines which repository # is used to calculate the list of Priority: required packages. diff --git a/image-builder/assets/playbooks/roles/multistrap/templates/unapproved-packages.j2 b/image-builder/assets/playbooks/roles/multistrap/templates/unapproved-packages.j2 new file mode 100644 index 0000000..4c929c3 --- /dev/null +++ b/image-builder/assets/playbooks/roles/multistrap/templates/unapproved-packages.j2 @@ -0,0 +1,6 @@ +{% for package in unapproved_packages %} +Package: {{ package }} +Pin: origin * +Pin-Priority: -1 + +{% endfor %}
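Review bot: The `lineinfile` task assumes `01autoremove` contains the string `multiverse/metapackages`; when `insertafter` finds no match, Ansible appends the line at end of file, leaving a bare `"<package>";` outside any block of the apt configuration. A build on a base image whose file differs would then ship an apt config that is malformed or silently ineffective. It is safer to stop the play when the anchor is absent, for example with the check task below placed just before the insertion. Please also add a comment naming the list the entry is meant to join: on stock Ubuntu this anchor appears to sit in a list of archive sections, not package names, so the intended effect should be confirmed.

```yaml
- name: "Verify 01autoremove has the expected insertion anchor"
  ansible.builtin.command:
    argv:
      - grep
      - '-q'
      - 'multiverse/metapackages'
      - "{{ rootfs_root }}/etc/apt/apt.conf.d/01autoremove"
  changed_when: false

# … unchanged: "Configure apt to remove unapproved packages from update" task …
```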
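Review bot: The new unapproved-packages.j2 template does not say what a `Pin-Priority: -1` stanza does and does not do, which matters for how far the block can be relied on. A negative priority stops apt from installing the package; it does not remove a copy that is already present in the rootfs. If the bootstrap-time pin is not honoured, the later copy under `preferences.d` would not undo that. A header comment such as `{# Pin-Priority -1 prevents installation only; it does not remove an already installed package #}` would record this. `Package:` is filled directly from `unapproved_packages`, and apt reads glob or slash-delimited regex entries there as patterns, so the header could also say that plain package names are expected.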