Add key management for repos in Fuel

Bug #1541598 reported by Alexander Bozhenko
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Fuel for OpenStack | Confirmed | Medium | Fuel Sustaining |

Bug Description

Since there is no way to manage keys for repositories in Fuel (or am I missing it?), I have to specify [trusted=yes] for my repository.
But Fuel doesn't allow that, complaining about a bad format (see attachment).

I was able to manually change it in the database though.
[root@fuel1 ~]# dockerctl shell postgres
[root@fuel1 /]# su - postgres
-bash-4.1$ pg_dump --column-inserts --data-only -t attributes nailgun > attributes_old.sql
-bash-4.1$ cp attributes_old.sql attributes_new.sql
-bash-4.1$ vim attributes_new.sql and
1) Delete the attributes records that you do not want to change.
2) Change
INSERT INTO attributes (id, cluster_id, editable, generated) VALUES (...);
to
UPDATE attributes SET (id, cluster_id, editable, generated) = (...) WHERE id = 'ID_THAT_YOU_NEED';
And change the uri in the 'editable' column by adding [trusted=yes] before the actual URL. So in my case:
{"name": "fixedkernel", "section": "main", "uri": "[trusted=yes] http://local.repo/hotfix/1/ubuntu/", "priority": 1002, "suite": "trusty", "type": "deb"}], "extra_priority": null}
{"name": "fixedkernel", "section": "main", "uri": "http://local.repo/hotfix/1/ubuntu/", "priority": 1002, "suite": "trusty", "type": "deb"}], "extra_priority": null}
Then execute the script:
-bash-4.1$ psql nailgun -f attributes_new.sql

After that
fuel node --node-id 1 --task upload_core_repos
worked, and I was able to install the packages from the new repo.

Alexander Bozhenko (alexbozhenko) wrote :

And just for information, how to add a key:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys REPLACE_WITH_KEY_YOU_NEED

or add it manually if you do not have internet on the node:
http://opensourceforgeeks.blogspot.in/2013/04/w-gpg-error-httpppalaunchpadnet-precise.html

Changed in fuel:
milestone: none → 9.0
assignee: nobody → Fuel Python Team (fuel-python)
importance: Undecided → Medium
status: New → Confirmed
tags: added: area-python module-nailgun team-bugfix
Alexander Gordeev (a-gordeev) wrote :

fuel-agent might also be affected:

https://github.com/openstack/fuel-agent/blob/10a9a2efe4bde4ddc55829f702c0bf97a89e2b1c/fuel_agent/utils/build.py#L515-L517

It explicitly allows unauthenticated packages. Nailgun does the same for granular deployment:

https://github.com/openstack/fuel-web/blob/master/nailgun/nailgun/orchestrator/tasks_templates.py#L110-L116

Just in case it could affect how apt-get works with trusted repos.

Denis Ipatov (dipatov) wrote :

The next deployment doesn't work after this hack.
You can't add any new repo if a repo with "[trusted=yes]" is present in the list of repositories.
After deleting the repo with "[trusted=yes]" and adding a new one in the correct format, the Fuel task "fuel node --node-id 1 --task upload_core_repos" puts the node in the "deploying" or "error" state.

The astute log has the following:

2016-02-17T20:30:21 debug: [515] Process message from worker queue: "null"
2016-02-17T20:30:23 debug: [515] Got message with payload "null"
2016-02-18T01:18:07 debug: [519] Process message from worker queue: "null"
2016-02-18T01:18:08 debug: [519] Got message with payload "null"
2016-02-18T01:26:40 debug: [528] Process message from worker queue: "null"
2016-02-18T01:26:40 debug: [528] Got message with payload "null"
2016-02-18T01:34:07 debug: [503] Process message from worker queue: "null"
2016-02-18T01:34:11 debug: [503] Got message with payload "null"
2016-02-18T18:53:13 debug: [513] Process message from worker queue: "null"
2016-02-18T18:53:14 debug: [513] Got message with payload "null"

Thomas Goirand (thomas-goirand) wrote :

The stuff allowing unauthenticated repositories simply doesn't work, unfortunately. When creating the ibp image, apt-get -y update just fails and the deployment stops.

I tried to hack in fuel_agent/utils/build.py#L515-L517 to make it download my repo key using curl, but this just fails.

All that leads me to the conclusion that the pre_apt_get() function is just called too late when fa_build_image runs.

This is a major blocker for my port of the Fuel master node to Debian as well. Please treat this with a high priority.

Thomas Goirand (thomas-goirand) wrote :

BTW, the correct fix for this isn't to allow [trusted=yes]; this is just a (very bad) workaround. What should be done is to, generically, allow stuff in brackets, because trusted=yes isn't the only possible directive. That's one. Then we should allow proper repository key management in Fuel, i.e., add the possibility to attach a gpg key fingerprint to each repository, and have it downloaded and installed.
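
One way to validate repo entries along the lines proposed in the comment above, as an added example that is not part of the bug thread or Fuel's code: it accepts any bracketed options generically, reports trusted=yes, and requires a key fingerprint per repo. The function names, the key_fingerprint field and the fingerprint value are assumptions made for illustration.

```python
import re

# Optional "[opt=val ...]" prefix, then the URI (one-line deb source style).
_ENTRY_RE = re.compile(r'^\s*(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>[^\s\[]\S*)\s*$')
_FPR_RE = re.compile(r'^[0-9A-F]{40}$')  # full 160-bit OpenPGP fingerprint


def parse_repo_uri(value):
    """Split '[k=v ...] uri' into (options, uri); ValueError if malformed."""
    match = _ENTRY_RE.match(value)
    if match is None:
        raise ValueError('bad repo uri format: %r' % value)
    options = {}
    for token in (match.group('opts') or '').split():
        key, sep, val = token.partition('=')
        if not (key and sep and val):
            raise ValueError('bad option %r in %r' % (token, value))
        options[key.lower()] = val
    return options, match.group('uri')


def audit_repo(repo):
    """Return findings for one repo dict; an empty list means it passes."""
    try:
        options, _uri = parse_repo_uri(repo['uri'])
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if options.get('trusted', '').lower() == 'yes':
        findings.append('trusted=yes: packages accepted without a valid signature')
    # 'key_fingerprint' is a hypothetical per-repo field, not a Fuel attribute.
    fpr = repo.get('key_fingerprint', '').replace(' ', '').upper()
    if not fpr:
        findings.append('no signing key fingerprint attached')
    elif not _FPR_RE.match(fpr):
        findings.append('key fingerprint is not 40 hex digits')
    return findings


# Constructed samples: the first uri is the one from the report, the
# fingerprint is a made-up value.
REPOS = [
    {'name': 'fixedkernel', 'type': 'deb', 'suite': 'trusty', 'section': 'main',
     'uri': '[trusted=yes] http://local.repo/hotfix/1/ubuntu/', 'priority': 1002},
    {'name': 'fixedkernel', 'type': 'deb', 'suite': 'trusty', 'section': 'main',
     'uri': '[arch=amd64] http://local.repo/hotfix/1/ubuntu/', 'priority': 1002,
     'key_fingerprint': '0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'},
]

if __name__ == '__main__':
    for repo in REPOS:
        print(repo['uri'], '->', audit_repo(repo) or 'ok')
```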

Alexander Bozhenko (alexbozhenko) wrote :

Totally agree with Thomas. I had to use trusted=yes because I was not able to add repo key via fuel.

Dmitry Pyzhov (dpyzhov)
summary: - Fuel doesn't allow to specify [trusted=yes] for repos
+ Add key management for repos in Fuel
tags: added: feature
Changed in fuel:
milestone: 9.0 → 10.0
Dmitry Pyzhov (dpyzhov)
Changed in fuel:
assignee: Fuel Python (Deprecated) (fuel-python) → Fuel Sustaining (fuel-sustaining-team)