Add GPG Keys for 3rd party RPMs?


Mark

Aug 30, 2016, 3:54:41 PM
to SIMP Q&A Forum
Hello again.  I have a new question.

I'm trying to add a new RPM into our SIMP build image.  The instructions at https://simp-project.atlassian.net/wiki/display/SD/Compiling+the+SIMP+Tarball+and+ISO indicate adding an RPM to the build is done by "Optionally, you may drop in custom packages you wish to have available during an install into build/yum_data/SIMP<simp_version>_<CentOS or RHEL><os_version>_<architecture>/packages".  I've had success doing that in the past, but all those packages that worked were signed by RHEL or EPEL.  Unfortunately I'm trying to add a non-RHEL, EPEL, PuppetLabs, or SIMP signed RPM into the DVD and my SIMP server and clients cannot install it due to a GPG key error.

I see that the /etc/yum.repos.d/simp.repo file is constructed in part by /etc/puppet/environments/simp/modules/simp/lib/puppet/parser/functions/simp_yumrepo_gpgkeys.rb, where the GPG key paths for RHEL, CentOS, EPEL, PuppetLabs, and SIMP are all hard-coded.  I added the appropriate 3rd party GPG key into the SIMP Puppet Master in /srv/www/yum/SIMP/GPGKEYS, but obviously it doesn't make a difference because all of the servers have only the hard-coded GPG key paths in their /etc/yum.repos.d/simp.repo file.  As a side note, I bundled the GPG key into the DVD overlay tar.gz so it is automatically included in new SIMP DVD builds.

The way I see it, I have two options:
- edit the simp_yumrepo_gpgkeys.rb script to hard-code the 3rd party GPG key
- create a new repo and .repo file with additional 3rd party RPMs

I'd really rather not edit the native gpgkey script.  However, I tried to create a new repo via the simp::yum::yumrepo puppet module:
/etc/puppet/environments/simp/hieradata/simp_classes.yaml
simp::yum::yumrepo:
  - name: 'test'
    baseurl: 'testurl'
    descr: 'Test Packages'
    enabled: '1'
    enablegroups: '0'
    gpgcheck: '0'
    gpgkey:
    keepalive: '0'
    metadata_expire: '3600'
    tag: 'firstrun'

I can't seem to get it to apply to any host.  Any advice?  Thanks!

--Mark

Mark Fitch

Aug 31, 2016, 1:20:34 PM
to Trevor Vaughan, SIMP Q&A Forum

Good deal, thanks for the feedback Trevor.  Here's a follow up:


I took your advice and created a new repo which works in my tests.  However, now I don't know how to include it in the SIMP DVD build process.  In the past I would simply copy new/additional RPMs into the <DVDOverlay>/build/yum.../packages folder and they'd be added to the native SIMP repo during the build iso rake, but now I have a new repository in another folder, not the <DVDRoot>/SIMP folder.  I suppose I could try adding my repo folder to the RHEL source DVD (which was cp -rl'ed) and see if that works.  Do you have a better idea?  As always, thanks for your help!


--Mark



From: Trevor Vaughan <tvau...@onyxpoint.com>
Sent: Tuesday, August 30, 2016 4:11 PM
To: Mark
Cc: SIMP Q&A Forum
Subject: Re: Add GPG Keys for 3rd party RPMs?
 
Hi Mark,

I must admit that we hadn't planned on using that repo for RPMs that were not "official" from an upstream vendor (or us) so that would certainly cause issues.

Your second option of adding an additional 3rd party repo is the way to go.

We don't currently allow for the generation of resources directly via Hiera, so you'll need to create a class (perhaps in the 'site' module) and include it in your 'classes' array in hiera.

I would do that in the 'defaults.yaml' file if you want it on all nodes instead of modifying our simp_classes.yaml file.

Alternatively, you can set the value of 'simp::yum::simp_gpg_url' to whatever you like that includes your updated keys. Just be sure to get the syntax exactly right.

Thanks,

Trevor



--
You received this message because you are subscribed to the Google Groups "SIMP Q&A Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simp+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/simp/2043325d-d5d3-4aa3-bfa9-eb0b2100b763%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Trevor Vaughan
Vice President, Onyx Point, Inc

-- This account not approved for unencrypted proprietary information --

Mark Fitch

Sep 1, 2016, 3:25:42 PM
to Trevor Vaughan, SIMP Q&A Forum

Thanks for the input Trevor.  Unfortunately, we are deploying our product into a tactical environment and there is not much opportunity for soldiers to perform much post-configuration.  Because of that we need to make sure as much is pre-configured at deployment as possible.  I think I will take a look at the repo mangling .rb soon, but in the meantime I came up with what I think might be a better solution for the short term.


I ended up changing the /etc/puppet/environments/simp/modules/simp/lib/puppet/parser/functions/simp_yumrepo_gpgkeys.rb script so that it will query each defined YUM_SERVER via http and pull a list of all files in the $yum_base/GPGKEYS/ folder that are named RPM-GPG-KEY-*.  Then it adds all of those entries to the gpgkeys= field in the /etc/yum.repos.d/simp.repo file instead of the hard-coded list.  This way you can add/remove whatever key you want at any time and the list will stay updated in near-real-time with no need to pre-define what key files you want.  Just have them named appropriately and in the correct directory.  That will obviously allow for adding 3rd party packages into the ISO build.


I rolled that change into a new SIMP...tar.gz and used it to create a new ISO including my packages.  I'm planning to submit a pull request; maybe it'll be something you're interested in?


--Mark



From: Trevor Vaughan <tvau...@onyxpoint.com>
Sent: Wednesday, August 31, 2016 1:48 PM
To: Mark Fitch

Cc: SIMP Q&A Forum
Subject: Re: Add GPG Keys for 3rd party RPMs?
 
So, this isn't a great solution but, ideally there would be a way to add arbitrary repos to your ISO. We don't really have any push for that since most people just modify the system after the fact.

The code that does the ISO repo mangling starts here https://github.com/simp/rubygem-simp-rake-helpers/blob/master/lib/simp/rake/build/iso.rb#L199 if you want to take a stab at something better.

You can certainly add anything that you like to the final repo and the easiest way to do this would be to run build:auto, discard the resulting ISO, modify the tarball in build/DVD_Overlay and then run build:auto again with the new tarball as an argument. Not exactly elegant, but it should work.

In terms of getting your repo active initially, the *easiest* way to do this would be to just have a script that you could run after the system was installed. It could even just call 'puppet apply' and go from there.

You could also package your own module that does this and add that to your initial run of the system by adding it to the simp_classes.yaml file.

Sorry that this isn't more straightforward, it just hasn't been a use case that's had much traction.

Thanks,

Trevor

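The two mechanisms discussed in this thread, Trevor's advice to hand the clients a separate repo stanza for third-party packages and Mark's change that discovers every RPM-GPG-KEY-* file under $yum_base/GPGKEYS/ on each yum server and writes all of them into gpgkey=, as an added Ruby example. This is not SIMP's simp_yumrepo_gpgkeys.rb and not Mark's patch; it is a stand-alone script that shows the same logic outside of Puppet. It assumes the yum server answers with an Apache-style HTML directory index, a yum_base of yum/SIMP, the hostnames yum.example.simp and yum2.example.simp, and a key named RPM-GPG-KEY-acme-tactical for the third-party vendor; the index page is constructed for the example and all of these names are assumptions, not values from the thread.

```ruby
require 'uri'
require 'net/http'

# Constructed sample of the autoindex page a yum server might return for
# <yum_base>/GPGKEYS/. Not captured from a real SIMP server; it is here so
# the script runs offline. It deliberately contains a non-key file, a
# backup file with a stray character and a duplicate entry.
SAMPLE_INDEX = <<~HTML
  <html><body><h1>Index of /yum/SIMP/GPGKEYS</h1><ul>
  <li><a href="../">Parent Directory</a></li>
  <li><a href="RPM-GPG-KEY-CentOS-7">RPM-GPG-KEY-CentOS-7</a></li>
  <li><a href="RPM-GPG-KEY-EPEL-7">RPM-GPG-KEY-EPEL-7</a></li>
  <li><a href="RPM-GPG-KEY-puppetlabs">RPM-GPG-KEY-puppetlabs</a></li>
  <li><a href="RPM-GPG-KEY-SIMP">RPM-GPG-KEY-SIMP</a></li>
  <li><a href="RPM-GPG-KEY-acme-tactical">RPM-GPG-KEY-acme-tactical</a></li>
  <li><a href="README.txt">README.txt</a></li>
  <li><a href="RPM-GPG-KEY-SIMP.bak%7E">RPM-GPG-KEY-SIMP.bak~</a></li>
  <li><a href="RPM-GPG-KEY-SIMP">RPM-GPG-KEY-SIMP</a></li>
  </ul></body></html>
HTML

# The directory listing is untrusted input. Only plain key file names are
# accepted, so nothing with a path separator, query string or odd character
# can end up on the gpgkey= line of a client's .repo file.
KEY_NAME = /\ARPM-GPG-KEY-[A-Za-z0-9._-]+\z/

# Extract the RPM-GPG-KEY-* entries from an HTML directory index.
# Percent-encoded names are decoded, entries that fail to decode are dropped,
# and the result is de-duplicated and sorted so repeated runs are stable.
def key_files_from_index(html)
  html.scan(/href="([^"]+)"/).flatten
      .map { |href| File.basename(URI.decode_www_form_component(href)) rescue nil }
      .compact
      .select { |name| name.match?(KEY_NAME) }
      .uniq
      .sort
end

# Fetch the GPGKEYS index from one yum server over TLS. Not called in the
# offline run below; it is the live-query half of the approach.
def fetch_index(server, yum_base)
  uri = URI("https://#{server}/#{yum_base}/GPGKEYS/")
  res = Net::HTTP.get_response(uri)
  raise "#{uri}: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  res.body
end

# One gpgkey URL per key file per yum server, mirroring how baseurl lists
# every server so a client can still verify packages if one server is down.
def gpgkey_urls(servers, yum_base, key_names)
  servers.flat_map do |server|
    key_names.map { |name| "https://#{server}/#{yum_base}/GPGKEYS/#{name}" }
  end
end

# Render a simp.repo-style stanza. Signature checking stays on; the point of
# publishing the third-party key is to avoid ever setting gpgcheck=0.
def render_repo(name, servers, yum_base, key_names)
  base = servers.map { |s| "https://#{s}/#{yum_base}" }.join(' ')
  keys = gpgkey_urls(servers, yum_base, key_names).join(' ')
  [
    "[#{name}]",
    "name=#{name}",
    "baseurl=#{base}",
    'enabled=1',
    'gpgcheck=1',
    "gpgkey=#{keys}",
    ''
  ].join("\n")
end

if __FILE__ == $PROGRAM_NAME
  # Offline run against the constructed index; swap in fetch_index(...) for
  # the live case.
  names = key_files_from_index(SAMPLE_INDEX)
  puts render_repo('simp', %w[yum.example.simp yum2.example.simp], 'yum/SIMP', names)
end
```

Both yum and dnf accept several whitespace-separated URLs for gpgkey, in the same form baseurl takes, so a client imports every key listed and a package signed by any one of them installs. That is the convenience Mark is after, and it is also the thing to keep in mind when running it: whoever can write a file matching RPM-GPG-KEY-* into GPGKEYS/ on the yum server can make every client trust a new signing key, so that directory needs the same access controls as the repository itself, and the listing is best fetched over https (as above) rather than plain http.
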
Trevor Vaughan

Sep 1, 2016, 4:13:16 PM
to Mark Fitch, SIMP Q&A Forum
That would certainly work! Looking forward to a PR and we'll see if it will work for the main project.

We used to have a 'workstation' mode that was very similar to this that was made by building up a custom profile in Puppet and then applying it as a kickstart option from the ISO. 

We eventually backed it out due to general disinterest so it's interesting to see that there may be additional use cases.

Thanks,

Trevor
