-
Notifications
You must be signed in to change notification settings - Fork 311
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use modern APT keyrings on Debian family #965
base: main
Are you sure you want to change the base?
Conversation
7246980
to
0a43c0e
Compare
Acceptance tests are failing in setup of the machines under test, not related to this PR. |
@kenyon What about adding the key to the module, just as it has been suggested in puppetlabs/puppetlabs-postgresql#1563 (review) for the same change? |
@saz yes, that could be done. It means potentially more maintenance work for this module when the key needs to be updated. I'll leave it up to this module's @puppetlabs maintainers whether to do this. |
Looking at this module again, it's possible to set a custom URL for the key source. As |
0a43c0e
to
7e8dc53
Compare
I think we should do a minor release before we merge this: https://github.com/puppetlabs/puppetlabs-docker/pull/978/files (and there are some other non-breaking changes that should be merged first) |
7e8dc53
to
28a533b
Compare
Is there any update on when that PR will be merged? |
@kenyon I just tried your fork and it works fine but I get the following warnings that I didn't have before:
Is it expected ? Theres's not much info even in debug so I don't know what kind of key/certificate I should set and where. I've seen the apt mod requirement has changed but I was already using |
Those warnings sound unrelated to the changes in this pull request. I would try running puppet agent with |
This makes use of puppetlabs/puppetlabs-apt#1128 to store the public key in `/etc/apt/keyrings` and add a `signed-by` option to the `sources.list.d` entry.
28a533b
to
81a8f63
Compare
@kenyon As I said, I already ran in debug mode but it didn't give much information except helping me to find it was in the middle of docker related stuff. I've just disabled all my puppet code except this: class { 'docker':
} And I still get this in debug mode:
|
@gdlx strange. I'm using this PR in my puppet code, and those warnings don't appear. I'm pretty sure they have to be coming from some other puppet module. |
Maybe it depends on the OS ? |
They're coming out of Puppet's code, rather than this module: |
Sure, yet reverting from the fork back to puppetlabs-docker 10.0.1 release removes the warnings (but restores the one in It may be relevant to specify I'm using Puppet 8.9.0 in puppet-apply mode. |
I fixed the issue by generating requested key and certificate: openssl genrsa -out /etc/puppetlabs/puppet/ssl/private_keys/myserver.domain.com.pem 4096
openssl req -new -x509 -key /etc/puppetlabs/puppet/ssl/private_keys/myserver.domain.com.pem -out /etc/puppetlabs/puppet/ssl/certs/myserver.domain.com.pem -days 3650 -subj "/CN=myserver.domain.com"
cp /etc/puppetlabs/puppet/ssl/certs/myserver.domain.com.pem /usr/local/share/ca-certificates/myserver.domain.com.crt
update-ca-certificates It's probably related to the way puppetlabs-apt downloads the GPG key when using a name instead of an ID. I haven't found a way to avoid creating this cert I don't actually need. |
@gdlx I think most puppet users are using puppet agent, so that key and certificate must already exist, which means we won't get those warnings. I don't know why this particular change would trigger those warnings though. Looks like it has to do with making a TLS connection to download the GPG key. Maybe you could come up with the minimal puppet code needed to cause the warnings, and then raise an issue in https://github.com/puppetlabs/puppet. |
The doc says the cert should be provided by the I don't know why it's not my case. I'll investigate about that, but this change in the docker module obviously only reveals this problem. Thanks ! |
@gdlx I suspect the cert is missing because it only gets generated if you run puppet in agent mode. Since you use apply mode, it never gets created. |
We are just waiting on Puppet to review/approve here if I understand correctly? |
This makes use of puppetlabs/puppetlabs-apt#1128 to store the public key in
/etc/apt/keyrings
and add asigned-by
option to thesources.list.d
entry.This replaces #885 by using puppetlabs-apt rather than implementing keyring handling here in the docker module.
Fixes #884.