Merge pull request #312 from netmanagers/debian-family-apt-keyrings

feat(debian): use repository keyring instead of key_id
saltstack-formulas · Feb 10, 2022 · cbc7c17 · cbc7c17
2 parents 119939d + 652da44
commit cbc7c17
Show file tree

Hide file tree

Showing 10 changed files with 147 additions and 9 deletions.
diff --git a/docker/compose/software/package/clean.sls b/docker/compose/software/package/clean.sls
@@ -7,6 +7,8 @@
     {%- if d.pkg.compose.use_upstream in ('package', 'repo') %}
         {%- if grains.os_family|lower in ('redhat', 'debian') %}
             {%- set sls_repo_clean = tplroot ~ '.software.package.repo.clean' %}
+            {%- set resource_repo_clean = 'file' if grains.os_family == 'Debian' else 'pkgrepo' %}
+
 include:
   - {{ sls_repo_clean }}
         {%- endif %}
@@ -17,7 +19,7 @@ docker-compose-package-clean-pkgs:
     - reload_modules: true
         {%- if grains.os_family|lower in ('redhat', 'debian') %}
     - require:
-      - pkgrepo: docker-software-package-repo-absent
+      - {{ resource_repo_clean }}: docker-software-package-repo-absent
         {%- endif %}
 
     {%- endif %}
diff --git a/docker/files/default/docker-archive-keyring.gpg b/docker/files/default/docker-archive-keyring.gpg
diff --git a/docker/osfamilymap.yaml b/docker/osfamilymap.yaml
@@ -41,12 +41,13 @@ Debian:
       - git
       - procps
     docker:
+          {%- if 'oscodename' in grains %}
+      {%- set repo_keyring = '/usr/share/keyrings/docker-archive-keyring.gpg' %}
       repo:
-                {%- if 'oscodename' in grains %}
-        name: deb [arch=amd64] https://download.docker.com/linux/{{ grains.os|lower }} {{ grains.oscodename }} stable
-                {%- endif %}
+        name: deb [signed-by={{ repo_keyring }} arch=amd64] https://download.docker.com/linux/{{ grains.os|lower }} {{ grains.oscodename }} stable
         file: /etc/apt/sources.list.d/docker.list
-        key_url: "https://download.docker.com/linux/{{ grains.os|lower }}/gpg"
+      repo_keyring: {{ repo_keyring }}
+          {%- endif %}
 
 RedHat:
   pkg:

diff --git a/docker/osmap.yaml b/docker/osmap.yaml
@@ -10,12 +10,29 @@ FreeBSD:
 CentOS:
   pkg:
     deps:
+      - iptables
       - procps
       - yum-utils
+    docker:
+      repo:
+        baseurl: 'https://download.docker.com/linux/centos/{{ grains.get('osmajorrelease', '') }}/$basearch/stable'
+        gpgkey: 'https://download.docker.com/linux/centos/gpg'
+
+CentOS Stream:
+  pkg:
+    deps:
+      - iptables
+      - python3-dnf-plugin-versionlock
+      - python3-docker
+    docker:
+      repo:
+        baseurl: 'https://download.docker.com/linux/centos/{{ grains.get('osmajorrelease', '') }}/$basearch/stable'
+        gpgkey: 'https://download.docker.com/linux/centos/gpg'
 
 AlmaLinux:
   pkg:
     deps:
+      - iptables
       - python3-dnf-plugin-versionlock
       - python3-docker
     docker:
@@ -27,6 +44,7 @@ AlmaLinux:
 Rocky:
   pkg:
     deps:
+      - iptables
       - python3-dnf-plugin-versionlock
       - python3-docker
     docker:
@@ -55,8 +73,9 @@ Raspbian:
 
 
     compose:
-      name: docker-compose  
-      use_upstream: package   
+      name: docker-compose
+      use_upstream: package
+
 Amazon:
   pkg:
     docker:
@@ -71,3 +90,8 @@ Fedora:
       - selinux-policy-minimum
       - python3-dnf-plugin-versionlock
       - python3-docker
+    docker:
+      repo:
+        baseurl: 'https://download.docker.com/linux/fedora/$releasever/$basearch/stable'
+        file: '/etc/yum.repos.d/docker-ce.repo'
+        gpgkey: 'https://download.docker.com/linux/fedora/gpg'
diff --git a/docker/software/package/clean.sls b/docker/software/package/clean.sls
@@ -8,6 +8,7 @@
         {%- set enable_repo = grains.os_family in ('RedHat', 'Debian') and d.pkg.docker.get('repo') %}
         {%- if enable_repo %}
             {%- set sls_repo_clean = tplroot ~ '.software.package.repo.clean' %}
+            {%- set resource_repo_clean = 'file' if grains.os_family == 'Debian' else 'pkgrepo' %}
 include:
   - {{ sls_repo_clean }}
         {%- endif %}
@@ -21,7 +22,7 @@ docker-software-package-clean-pkg:
     - reload_modules: {{ d.misc.reload|default(true, true) }}
             {%- if enable_repo %}
     - require:
-      - pkgrepo: docker-software-package-repo-absent
+      - {{ resource_repo_clean }}: docker-software-package-repo-absent
             {%- endif %}
 
         {%- elif grains.os_family == 'MacOS' %}

diff --git a/docker/software/package/repo/clean.sls b/docker/software/package/repo/clean.sls
@@ -7,7 +7,19 @@
     {%- if 'repo' in d.pkg.docker and d.pkg.docker.repo %}
 
 docker-software-package-repo-absent:
+        {%- if grains.os_family != 'Debian' %}
   pkgrepo.absent:
-    - name: {{ d.pkg.docker.repo.name }}
+    - name: {{ d.pkg.docker.repo.name | yaml_dquote }}
+
+        {%- else %}
+        # Due to this bug https://github.com/saltstack/salt/issues/51656#issuecomment-1032882625
+        # we should delete the repo file using other method
+  file.absent:
+    - name: {{ d.pkg.docker.repo.file }}
+
+docker-software-package-repo-keyring-absent:
+  file.absent:
+    - name: {{ d.pkg.docker.repo_keyring }}
+        {%- endif %}
 
     {%- endif %}
diff --git a/docker/software/package/repo/install.sls b/docker/software/package/repo/install.sls
@@ -3,10 +3,24 @@
 
 {%- set tplroot = tpldir.split('/')[0] %}
 {%- from tplroot ~ "/map.jinja" import data as d with context %}
+{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
 
     {%- if 'repo' in d.pkg.docker and d.pkg.docker.repo %}
         {%- from tplroot ~ "/files/macros.jinja" import format_kwargs with context %}
 
+{% if grains.os_family == 'Debian' %}
+docker-software-package-repo-keyring-managed:
+  file.managed:
+    - name: {{ d.pkg.docker.repo_keyring }}
+    - source: {{ files_switch(['docker-archive-keyring.gpg'],
+                              lookup='docker-software-package-repo-keyring-managed'
+                 )
+              }}
+    - require_in:
+      - pkgrepo: docker-software-package-repo-managed
+{%- endif %}
+
+
 docker-software-package-repo-managed:
   pkgrepo.managed:
     {{- format_kwargs(d.pkg.docker.repo) }}

diff --git a/docs/README.apt.keyring.rst b/docs/README.apt.keyring.rst
@@ -0,0 +1,18 @@
+.. _readme_apt_keyrings:
+
+apt repositories' keyrings
+==========================
+
+Debian family of OSes deprecated the use of `apt-key` to manage repositories' keys
+in favor of using `keyring files` which contain a binary OpenPGP format of the key
+(also known as "GPG key public ring")
+
+As docker don't provide such key files, we created them following the
+official recomendations in their sites and install the resulting files.
+
+See https://docs.docker.com/engine/install/debian/#install-using-the-repository for details
+
+.. code-block:: bash
+
+   $ curl -fsSL https://download.docker.com/linux/debian/gpg | \
+       gpg --dearmor --output docker-archive-keyring.gpg
diff --git a/kitchen.yml b/kitchen.yml
@@ -533,6 +533,8 @@ suites:
       inspec_tests:
         - path: test/integration/package
   - name: repo
+    excludes:
+      - arch-base-latest-master-py3
     provisioner:
       state_top:
         base:

diff --git a/test/integration/package/controls/repository.rb b/test/integration/package/controls/repository.rb
@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+only_if('archlinux does not has a repository') do
+  os[:name] != 'arch'
+end
+
+case platform.family
+when 'redhat', 'fedora', 'suse'
+  os_name_repo_file = {
+    'opensuse' => '/etc/zypp/repos.d/docker-ce.repo'
+  }
+  os_name_repo_file.default = '/etc/yum.repos.d/docker-ce.repo'
+
+  os_name_repo_url = {
+    'amazon' => 'https://download.docker.com/linux/centos/7/$basearch/stable',
+    'fedora' => 'https://download.docker.com/linux/fedora/$releasever/$basearch/stable',
+    'opensuse' => 'https://download.docker.com/linux/sles/$releasever/$basearch/stable'
+  }
+  # rubocop:disable Layout/LineLength
+  os_name_repo_url.default = "https://download.docker.com/linux/centos/#{platform.release.to_i}/$basearch/stable"
+  # rubocop:enable Layout/LineLength
+  repo_url = os_name_repo_url[platform.name]
+  repo_file = os_name_repo_file[platform.name]
+
+when 'debian'
+  # Inspec does not provide a `codename` matcher, so we add ours
+  finger_codename = {
+    'ubuntu-18.04' => 'bionic',
+    'ubuntu-20.04' => 'focal',
+    'debian-9' => 'stretch',
+    'debian-10' => 'buster',
+    'debian-11' => 'bullseye'
+  }
+  codename = finger_codename[system.platform[:finger]]
+
+  repo_keyring = '/usr/share/keyrings/docker-archive-keyring.gpg'
+  repo_file = '/etc/apt/sources.list.d/docker.list'
+  # rubocop:disable Layout/LineLength
+  repo_url = "deb [signed-by=#{repo_keyring} arch=amd64] https://download.docker.com/linux/#{platform.name} #{codename} stable"
+  # rubocop:enable Layout/LineLength
+end
+
+control 'Docker repository keyring' do
+  title 'should be installed'
+
+  only_if('Requirement for Debian family') do
+    os.debian?
+  end
+
+  describe file(repo_keyring) do
+    it { should exist }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into 'root' }
+    its('mode') { should cmp '0644' }
+  end
+end
+
+control 'Docker repository' do
+  impact 1
+  title 'should be configured'
+  describe file(repo_file) do
+    its('content') { should include repo_url }
+  end
+end