How to add Ubuntu PPA repository (with signing key)?


Ron

Dec 7, 2009, 10:54:20 AM
to puppet...@googlegroups.com
I'm new to Puppet. I've read the docs, followed the tutorials, and have
the software up and running on 4 Ubuntu systems. I've written a few
simple modules but could use some help.

I use several PPAs (Personal Package Archives/Ubuntu). Can anyone
suggest how to add a PPA repository, along with the signing key, into
the base Ubuntu repository? (My goal is to manage Ubuntu upgrades on
heavily customized systems, should anyone have pointers or code that
might help.)

(I intend to practice by installing VLC from the PPA -
https://launchpad.net/~c-korn/+archive/vlc )

Thank you.

Silviu Paragina

Dec 7, 2009, 1:00:25 PM
to puppet...@googlegroups.com
Use /etc/apt/sources.list.d/ for adding repositories. Note that the files
in there must have a ".list" extension to be considered.

For signing, the easy way out is creating a define similar to this one:
I'd advise against this one because I made it when I started using Puppet.


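In a class:

    $folder = "/etc/apt/rkeys/"
    # Private directory that holds the repository keys
    file { $folder :
        owner  => root,
        group  => root,
        mode   => '0700',
        ensure => directory
    }

In the define:

    # $folder is set in the class above; it must be visible here
    # (qualify it with the class name if it is not)
    define apt_sign_key($sign_key)
    {
        $file_dest = "${folder}${sign_key}"
        # Copy the key from the Puppet file server
        file { $file_dest :
            owner   => root,
            group   => root,
            mode    => '0600',
            source  => "puppet:///somepath/${sign_key}",
            require => File[$folder]
        }

        # Import the key only when the key file changes
        exec { "apt-key add ${file_dest}":
            path        => "/usr/bin:/usr/sbin:/bin:/sbin",
            refreshonly => true,
            require     => File[$file_dest],
            subscribe   => File[$file_dest]
        }
    }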

Another way would be doing something like

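    file { "${repokey}": ......}
    # Skip the import when the key ID is already in apt's keyring
    exec { "apt-key add ${repokey}":
        path    => "/usr/bin:/usr/sbin:/bin:/sbin",
        require => File[$repokey],
        unless  => "apt-key list | grep ${repokeyid}"
    }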

And of course the best way would be to do another provider like yumrepo
in ruby :-)


Silviu
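
Added example, not part of the original post or of Puppet itself: the two suggestions above (a ".list" file in sources.list.d and an "apt-key add" guarded by "unless") combined into one define, with the guard matching the full key fingerprint instead of grepping for a key ID. The define name, its parameters, the release placeholder and the fingerprint placeholder are assumptions; it also assumes apt-key is available as in the thread, a Puppet version with the "shell" exec provider, and the File['/etc/apt/rkeys/'] directory resource from the class above.

```puppet
# Added example; apt_signed_repo and its parameters are hypothetical names.
# Assumes File['/etc/apt/rkeys/'] from the class above is in the catalog.
define apt_signed_repo($repo_line, $key_source, $key_fingerprint) {
  $key_file  = "/etc/apt/rkeys/${name}.asc"
  $list_file = "/etc/apt/sources.list.d/${name}.list"

  # Public key shipped from the Puppet master, readable by root only.
  file { $key_file:
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    source  => $key_source,
    require => File['/etc/apt/rkeys/'],
  }

  # Import only when the full fingerprint is absent from apt's keyring.
  # Matching all 40 hex digits keeps a short key ID or a user-ID
  # substring from satisfying the check for the wrong key.
  exec { "apt-key add ${key_file}":
    path     => '/usr/sbin:/usr/bin:/sbin:/bin',
    provider => shell,
    unless   => "apt-key finger | tr -d ' ' | grep -qiF '${key_fingerprint}'",
    require  => File[$key_file],
  }

  # Files in sources.list.d are only read if they end in ".list".
  # The entry is written after the key import so apt never sees the
  # source without its key.
  file { $list_file:
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "${repo_line}\n",
    require => Exec["apt-key add ${key_file}"],
    notify  => Exec["apt-get update for ${name}"],
  }

  # Refresh the package indexes only when the source entry changes.
  exec { "apt-get update for ${name}":
    command     => 'apt-get update',
    path        => '/usr/sbin:/usr/bin:/sbin:/bin',
    refreshonly => true,
  }
}

# Constructed usage: release name and fingerprint are placeholders.
apt_signed_repo { 'c-korn-vlc':
  repo_line       => 'deb http://ppa.launchpad.net/c-korn/vlc/ubuntu <release> main',
  key_source      => 'puppet:///somepath/c-korn-vlc.asc',
  key_fingerprint => '<FULL-40-HEX-FINGERPRINT>',
}
```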

Ron

Dec 8, 2009, 12:37:22 PM
to puppet...@googlegroups.com
Thank you Silviu,

Very simple and straightforward. I followed a previous thread that
discussed the sources.list.d directory, but didn't quite connect the
dots. With your advice, I looked at a few of my systems and found that
Google parks the repo for their Chrome browser there. That example
should help me debug any problems.

As far as the yumrepo, I'm still smarting from Red Hat going all
enterprisie ... I jumped 5 machines to Gentoo, and after 3 years of
daily compiles, I twitch a bit when the Ubuntu Update Manager pops
up ;-)

Thanks again!

Silviu Paragina

Dec 8, 2009, 1:19:26 PM
to puppet...@googlegroups.com



On 08.12.2009 19:37, Ron wrote:
> Thank you Silviu,
>
> Very simple and straightforward. I followed a previous thread that
> discussed the sources.list.d directory, but didn't quite connect the
> dots. With your advice, I looked at a few of my systems and found that
> Google parks the repo for their Chrome browser there. That example
> should help me debug any problems.
>
Super cool. :-)

> As far as the yumrepo, I'm still smarting from Red Hat going all
> enterprisie ... I jumped 5 machines to Gentoo, and after 3 years of
> daily compiles, I twitch a bit when the Ubuntu Update Manager pops
> up ;-)
>

I meant implementing a new type like aptrepo there. Actually the best
design decision would be: rename yumrepo as packagerepo, split some of
the code as a provider yumrepo, add new code for a provider aptrepo. But
that isn't easy as pie and it requires ruby knowledge, apt and puppet
internals. This is the elegant, but complex solution. Now I'm blabbering.

Distro change requires a lot of work, so I wouldn't recommend that that
easily (and I didn't).


Silviu

Julian Simpson

Dec 8, 2009, 4:02:28 PM
to puppet...@googlegroups.com
> I meant implementing a new type like aptrepo there. Actually the best
> design decision would be: rename yumrepo as packagerepo, split some of
> the code as a provider yumrepo, add new code for a provider aptrepo. But
> that isn't easy as pie and it requires ruby knowledge, apt and puppet
> internals. This is the elegant, but complex solution. Now I'm blabbering.

You're not blabbering. A new type in Puppet seems like the right idea to me.

J.

--
Julian Simpson
Software Build and Deployment
http://www.build-doctor.com
http://twitter.com/builddoctor

Bob

Apr 12, 2012, 6:53:14 AM
to puppet...@googlegroups.com
This is a very old thread, but I am a new puppet user and it still seems very relevant.

I am a SuSE user struggling to find a tidy way of managing repository keys, but I think the principles are the same for all distributions.
As far as I can see, both yumrepo and zypprepo are of limited value because they don't provide a mechanism to import keys. I suspect most people bottle out of this by disabling the GPG checking, and that sounds to me like a bad idea.

So I think the way to go is
(1) new type packagerepo to supersede yumrepo and zypprepo
(2) the gpgkey parameter should do something useful, i.e. import the key from the puppet server

Then the administrator would install trusted keys on the Puppet server and they would be automatically distributed to clients.

I may well be missing something here, so I am happy to be corrected if I am wrong.

Bob