From b173fcb1d9c33b0a42c3b5371961c83760b10d8b Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Tue, 19 May 2020 14:25:41 -0700
Subject: [PATCH] Vendor the apt repo gpg keys used for Zuul

We use several PPAs on the Zuul servers, and today the Ubuntu keyring servers are frequently failing. Rather than rely on them, store the GPG keys in this repo and install the files "manually" rather than using the apt_repo module.

Change-Id: I009a1a38d3a5864a8d5b0d8f8be24a83d1924292
---
 playbooks/roles/install-apt-repo/README.rst | 15 +++++
 .../roles/install-apt-repo/tasks/main.yaml | 20 ++++++
 playbooks/roles/zuul-executor/tasks/main.yaml | 37 ++++-------
 .../zuul-executor/vars/Ubuntu.focal.yaml | 5 +-
 .../roles/zuul-executor/vars/default.yaml | 17 ++++-
 playbooks/roles/zuul-executor/vars/main.yaml | 61 +++++++++++++++++++
 zuul.d/system-config-run.yaml | 1 +
 7 files changed, 126 insertions(+), 30 deletions(-)
 create mode 100644 playbooks/roles/install-apt-repo/README.rst
 create mode 100644 playbooks/roles/install-apt-repo/tasks/main.yaml
 create mode 100644 playbooks/roles/zuul-executor/vars/main.yaml

diff --git a/playbooks/roles/install-apt-repo/README.rst b/playbooks/roles/install-apt-repo/README.rst
new file mode 100644
index 0000000000..19c5d761e2
--- /dev/null
+++ b/playbooks/roles/install-apt-repo/README.rst
@@ -0,0 +1,15 @@
+Install an APT repo
+
+**Role Variables**
+
+.. zuul:rolevar:: repo_name
+
+ The name of the repo (used for filenames).
+
+.. zuul:rolevar:: repo_key
+
+ The contents of the GPG key, ASCII armored.
+
+.. zuul:rolevar:: repo_content
+
+ The file content for the sources list.
diff --git a/playbooks/roles/install-apt-repo/tasks/main.yaml b/playbooks/roles/install-apt-repo/tasks/main.yaml
new file mode 100644
index 0000000000..50852fc62a
--- /dev/null
+++ b/playbooks/roles/install-apt-repo/tasks/main.yaml
@@ -0,0 +1,20 @@
+- name: Add apt repo key
+ become: yes
+ apt_key:
+ data: "{{ repo_key }}"
+ keyring: "/etc/apt/trusted.gpg.d/{{ repo_name }}.gpg"
+
+- name: Add apt repo
+ become: yes
+ copy:
+ dest: "/etc/apt/sources.list.d/{{ repo_name }}.list"
+ group: root
+ owner: root
+ mode: 0644
+ content: "{{ repo_content }}"
+ register: apt_repo
+
+- name: Run the equivalent of "apt-get update" as a separate step
+ apt:
+ update_cache: yes
+ when: apt_repo is changed
diff --git a/playbooks/roles/zuul-executor/tasks/main.yaml b/playbooks/roles/zuul-executor/tasks/main.yaml
index 1149acb04f..f22aed8a38 100644
--- a/playbooks/roles/zuul-executor/tasks/main.yaml
+++ b/playbooks/roles/zuul-executor/tasks/main.yaml
@@ -7,35 +7,22 @@
 - 'vars'
 
 - name: Install PPAs
- apt_repository:
- repo: '{{ item }}'
- become: yes
+ include_role:
+ name: install-apt-repo
+ vars:
+ repo_name: "{{ item.name }}"
+ repo_key: "{{ item.key }}"
+ repo_content: " {{item.content }}"
 loop: '{{ zuul_executor_ppas }}'
 
 - name: Atomic for focal
 when: ansible_distribution_version is version('20.04', '>=')
- block:
-
- - name: Add Kubic libcontainers OBS repo key
- become: yes
- apt_key:
- data: "{{ libcontainers_apt_key }}"
- keyring: /etc/apt/trusted.gpg.d/projectatomic.gpg
-
- - name: Add kubic project libcontainers apt repo
- become: yes
- template:
- dest: /etc/apt/sources.list.d/projectatomic.list
- group: root
- mode: 0644
- owner: root
- src: sources.list.j2
- register: projectatomic_repo
-
- - name: Run the equivalent of "apt-get update" as a separate step
- apt:
- update_cache: yes
- when: projectatomic_repo is changed
+ include_role:
+ name: install-apt-repo
+ vars:
+ repo_name: projectatomic
+ repo_key: "{{ libcontainers_apt_key }}"
+ repo_content: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_{{ ansible_lsb.release }}/ /"
 
 - name: Install bindep
 pip:
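Review bot: Writing each vendored key into `/etc/apt/trusted.gpg.d/{{ repo_name }}.gpg` (the `keyring:` line of the first task) makes that PPA's key trusted for every repository configured on the host, so a compromised or rotated PPA key would be accepted by apt for the main Ubuntu archive as well. Storing it outside the global trust store, `keyring: "/usr/share/keyrings/{{ repo_name }}.gpg"`, and adding `[signed-by=/usr/share/keyrings/<repo_name>.gpg]` to each `deb` line passed as `repo_content` (the entries in vars/Ubuntu.focal.yaml, vars/default.yaml and the kubic entry in zuul-executor/tasks/main.yaml) scopes every key to its own repository. The third task refreshes the cache without `become:` although the two tasks above it set it; unless the play escalates globally, which this hunk does not show, that `apt-get update` runs unprivileged and fails. Minor style: `mode: "0644"` quoted avoids the YAML 1.1 octal-integer reading, and `become: true` / `update_cache: true` match yamllint's truthy rule.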
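Review bot: `repo_content: " {{item.content }}"` in the Install PPAs task has a stray space inside the quotes before the expansion and no space after `{{`, so every generated sources-list line begins with a blank; apt appears to tolerate leading whitespace, but the two sibling vars on the same task are written `"{{ item.key }}"`, so `repo_content: "{{ item.content }}"` is the consistent form. The diffstat lists no deletion under the role's templates directory, so the `sources.list.j2` that the removed focal block referenced is presumably now unused and could be dropped in a follow-up.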
diff --git a/playbooks/roles/zuul-executor/vars/Ubuntu.focal.yaml b/playbooks/roles/zuul-executor/vars/Ubuntu.focal.yaml
index 57596f3440..e29c34859f 100644
--- a/playbooks/roles/zuul-executor/vars/Ubuntu.focal.yaml
+++ b/playbooks/roles/zuul-executor/vars/Ubuntu.focal.yaml
@@ -1,5 +1,8 @@
 zuul_executor_ppas:
 # We use later HWE kernels for better memory managment, requiring an
 # updated AFS version which we install from our custom ppa.
- - ppa:openstack-ci-core/openafs
+ - name: openafs
+ content: "deb http://ppa.launchpad.net/openstack-ci-core/openafs/ubuntu focal main"
+ key: "{{ openstack_ci_core_ppa_key }}"
+
 zuul_executor_extra_packages: []
diff --git a/playbooks/roles/zuul-executor/vars/default.yaml b/playbooks/roles/zuul-executor/vars/default.yaml
index f8e44c2964..ac6be2a677 100644
--- a/playbooks/roles/zuul-executor/vars/default.yaml
+++ b/playbooks/roles/zuul-executor/vars/default.yaml
@@ -1,12 +1,21 @@
 zuul_executor_ppas:
 # For bubblewrap
- - ppa:openstack-ci-core/bubblewrap
+ - name: bubblewrap
+ content: "deb http://ppa.launchpad.net/openstack-ci-core/bubblewrap/ubuntu xenial main"
+ key: "{{ openstack_ci_core_ppa_key }}"
 # Temporary PPA needed for bpo-27945 while waiting for SRU to be published
- - ppa:openstack-ci-core/python-bpo-27945-backport
+ - name: python-bpo-27945-backport
+ content: "deb http://ppa.launchpad.net/openstack-ci-core/python-bpo-27945-backport/ubuntu xenial main"
+ key: "{{ openstack_ci_core_ppa_key }}"
 # We use later HWE kernels for better memory managment, requiring an
 # updated AFS version which we install from our custom ppa.
- - ppa:openstack-ci-core/openafs
+ - name: openafs
+ content: "deb http://ppa.launchpad.net/openstack-ci-core/openafs-amd64-hwe/ubuntu xenial main"
+ key: "{{ openstack_ci_core_ppa_key }}"
 # For skopeo
- - ppa:projectatomic/ppa
+ - name: projectatomic
+ content: "deb http://ppa.launchpad.net/projectatomic/ppa/ubuntu xenial main"
+ key: "{{ projectatomic_ppa_key }}"
+
 zuul_executor_extra_packages:
 - libjemalloc1
diff --git a/playbooks/roles/zuul-executor/vars/main.yaml b/playbooks/roles/zuul-executor/vars/main.yaml
new file mode 100644
index 0000000000..f0023b35be
--- /dev/null
+++ b/playbooks/roles/zuul-executor/vars/main.yaml
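Review bot: The openafs entry changes the repository as well as the install method: the removed line pointed at `ppa:openstack-ci-core/openafs`, while the new `content:` line pulls from `openstack-ci-core/openafs-amd64-hwe`, which the commit message (vendoring keys) does not mention; confirm that is intended and record it in the message, or keep `openafs` as the Ubuntu.focal.yaml hunk does. Separately, on hosts already configured by the old apt_repository tasks, the sources.list.d files and trusted-keyring entries that module created are not removed by this change, so each repository stays configured twice (the old file plus the new `<name>.list`) and the old key material stays trusted until an explicit cleanup runs; a one-off `apt_repository:` task with `state: absent` for each old `ppa:` value, or a documented manual step, would avoid duplicate-source warnings and trim the trust store. The cleanup point applies equally to the Ubuntu.focal.yaml hunk.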
@@ -0,0 +1,61 @@
+openstack_ci_core_ppa_key: |
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+ Version: GnuPG v1
+
+ mQINBFUZtK8BEADGaOXCZ/ypqcNEU5Y3rospyaJDhi9PiLndRXz6KxZEoDljmaLz
+ QBMiJ3/lnNflwcv07sBdQDqBjNClFdDbvP4ttIZsQzWYQya/uHzM3rNxbh2bw24T
+ z0n/+PwZ10NrGFIoXl9rU79tXe7XTJDifYvEXtpwnNcgo6/j3FJ9l7q9jQO4SwbK
+ 4dxKRLnwxPLsOtspvSp6J0PC9j6TiPYTrQ8dp8mj05GFF7oK6ZlQAJ3lgYG/QaWA
+ 9rXF1bOMw7E/arMI4+WYQOhx+JHkCitkai000MdNRVykrvJD/r9pb6NSzyAIrs/h
+ DYvRjD/+7d2pd47R0CLTQJjsT9JNDlZqpU7i6+47zAB9uYTVJFprNF7/BuQ84fK/
+ o81ePwutt+gfGzhKvbjUNLUC6WxFzojZEDbixz0TUOgvjUsK4VGoDyxLw1YLebjs
+ 5YdGROB19+771sx6leMZpdQhiTaXWlQrTyjbiS7f71Hx2Eng4hpyrySzHbBrLzXq
+ XjiMazxt1yp5qq3VEBBgb6iW1ejDihkew1dnx+IJbUJ+OCs8Exntdta9B5+gg557
+ Q6egbxQBK3RZ/c+8JHR1ROZ63COQXtAyfTsWwyxcfm7OI0YkNkJ2gNkeMl3spKw4
+ VbGgaC0WBGKsdhVd9TfvtssBItS5/bgnIob/3aOFyCmNH33SGCjYDeopPQARAQAB
+ tCNMYXVuY2hwYWQgUFBBIGZvciBPcGVuU3RhY2sgQ0kgQ29yZYkCOAQTAQIAIgUC
+ VRm0rwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQFbbOfAGNBfUyCA/+
+ OJEojrft6vxgh3iVDlDan1NavVm4D7F1mgfRlFwd9BC3trUkaLrNAqHXTi0fWtLe
+ CqD3k0UAekA+0e58AL5EjeGyCadn9TT7oWlaXgiPr9OHCaVV/z8DnalQny31PQhf
+ weNOVyOMKh/o7BFaLc3i5KCU+qb/gAcCRC7tLI8Saxf2CzboA6tECr8CHxX9xHln
+ pspbcw5aAnEfpqd6BTagkkMjJ/+tDhC4pv9USwH3lbBjRlU93miuqoqtooMd++yy
+ AKYd9c8ClRuI33rIAdoAmFfwwqk2prb9fF0BTxvfGdENZ+isOjvYTjzz0cYdBDrx
+ fZtl7ruYceC54/6Nt9aKX0ADJBJuiIcNjqgaNCjdBP/p7aCIJzh10GKeDIzitCrK
+ /ikMWcszaqYtctBVQvRxGfF2MSAy/VJny0OhiQI6XVc6eK/9Iu9ZeEAC6GoQRIla
+ rwYit+TGhqgYBKYTjWwVlKUZAz7GCIF+wx+NTkUTWVQTnDzTFeBVbzGx3WHQhCqF
+ NayXtKHrdImKfVpQjZZBVo42HzKqfGt/kNDM6IKhIuMlqlCUimVZpc3tawb+d8QT
+ TS0IjLrW7dpFfRaZRk82AjQOp96WJL9LoDvcEIfKg7RKmcGPBJ2qaquj+PA6yAZL
+ 5pX70jigBqjtJ0PZGm7jELb8bB70SVSGsvwHmEz0pSs=
+ =cc1L
+ -----END PGP PUBLIC KEY BLOCK-----
+
+projectatomic_ppa_key: |
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+ Version: GnuPG v1
+
+ mQINBFlRJjABEADuE3ZLY/2W++bPsxtcaoi7VaNnkvsXuVYbbHalEh/YwKFVsDTo
+ PQpuw1UlPpmVTwT3ufWfv2v42eZiiWMZaKG9/aWF/TeIdH5+3anfVi+X+tuIW9sv
+ GKTHZdtDqd7fIhtY6AuNQ/D629TJxLvafZ5MoGeyxjsebt5dOvOrl0SHpwR75uPP
+ aCXTWrokhH7W2BbJQUB+47k62BMd03EKe8stz9FzUxptROFJJ2bITijJlDXNfSbV
+ bwCiyREIkzXS6ZdWliJAqencOIZ4UbUax+5BT8SRbSLtr/c4YxvARilpSVCkxo8/
+ EkPHBGygmgfw0kRPSGtLL7IqfWip9mFObji2geoU3A8gV/i3s9Ccc9GPKApX8r7b
+ QFs1tIlgUJKPqVwB2FAh+Xrqlsy/+8r95jL2gfRptSw7u8OP4AySj5WVm7cCEQ69
+ aLyemCsf+v72bFOUXuYQ22Kr3yqz2O/1IsG/0Usr4riTdG65Aq6gnq4KRHMNgXu8
+ 7fC9omoy3sKHvzeAJsw/eC9chYNwO8pv8KRIvpDSGL5L7Ems8mq2C5xMyzSVegTr
+ AvXu7nJoZWVBFRluh42bZa9QesX9MzzfOQ+G3085aW8BE++lhtX5QOkfRd74E49H
+ 1I2piAq/aE8P9jUHr60Po1C1Tw9iXeEaULLKut8eTMLkQ/02DXhBfq0I5QARAQAB
+ tCBMYXVuY2hwYWQgUFBBIGZvciBQcm9qZWN0IEF0b21pY4kCOAQTAQIAIgUCWVEm
+ MAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQi+zxY3rYx50HLw/5Ad6k
+ EHf2uT4owvzu393S/bUR6VVwCWYMbg14XgphxnoOfrHZWUjbrETTURyd1UexoHt7
+ ZDtMCVmzeY0jpvMb1W3WDebFVo+wR4CI15sPjyycsOxWTviD743wxaPCL1s009co
+ CzWg5AgP88B0D353Y39meC07BBgOJgIfk1OkFdeRjqHfAtucT99NrCuKr/bbBwDn
+ 0E+wWaJoIbQvBzsPIFzMWWQ6RcnrZtyQv35epo+VBmW3VEIkorv1VoStF0RjvJM+
+ cMW/ogZsIEZk0IUREOtrtTKUXVrMw1hZ9IGYZRpbJ2g670UGuNjW/vo3rRCRSDaF
+ 6Txp5Pn6ZLTgQWsWMw/6M6ooFIEpz3rhYmQSJLNmUN6SgKeWGVmOrQlg4f7YM75o
+ UEw56GKQWl9FAthO0qH0qF1OMfUKp/Tv2OSV/FNZsokf6alWXOB6Bzj6gYmmGXIv
+ MfFW5fZ1cuu5/0ULDckxWhVQ1ywLHREEoBQ6oKYONwUjSdWcM+VsKCEFeCqsNwak
+ qweP8C0fooycfiEZuncc/9ZujgkQ2p7xXTlv3t2SPF9h43xHs3515VS/OTJPGW59
+ 98AqllpfqGxggYs5cwi2LO3xwvHyPoTqj3hcl1dRMspZINRsIo4VC8bSrCOqbjDc
+ CD2WFOo2c4mwTDmJpz0PLK87ev/WZ8K0OEflTfc=
+ =jPWv
+ -----END PGP PUBLIC KEY BLOCK-----
diff --git a/zuul.d/system-config-run.yaml b/zuul.d/system-config-run.yaml
index 0eb4c96e54..7a9685e72f 100644
--- a/zuul.d/system-config-run.yaml
+++ b/zuul.d/system-config-run.yaml
@@ -659,6 +659,7 @@
 - playbooks/host_vars/zk\d+
 - playbooks/host_vars/zuul01.openstack.org
 - playbooks/roles/zookeeper/
+ - playbooks/roles/install-apt-repo
 - playbooks/roles/zuul
 
 - job:
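Review bot: The two armored keys carry no provenance or fingerprint, so a reviewer cannot check that `openstack_ci_core_ppa_key` and `projectatomic_ppa_key` are the keys Launchpad publishes for those PPAs, nor notice a later silent change to the blob. A comment above each block such as `# Launchpad signing key for ppa:openstack-ci-core; fingerprint <FINGERPRINT - fill in from the Launchpad PPA page>` lets the next reader confirm the material with `gpg --show-keys` against the published fingerprint. Keeping the keys as `.asc` files under the role's `files/` directory and loading them with `lookup('file', ...)` would also keep the 60-line blob out of the vars file, but that is a layout preference rather than a defect.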