Project

Profile

Help

Task #912

Importer needs to support additional configuration properties

Added by jortel@redhat.com over 5 years ago. Updated over 1 year ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Target Release - OSTree:
1.0.0
Groomed:
Yes
Sprint Candidate:
Yes
Tags:
Pulp 2
Sprint:
May 2015

Description

The importer needs to support the following additional configuration properties:

Standard:

  • KEY_SSL_CA_CERT = 'ssl_ca_cert'
  • KEY_SSL_VALIDATION = 'ssl_validation'
  • KEY_SSL_CLIENT_CERT = 'ssl_client_cert'
  • KEY_SSL_CLIENT_KEY = 'ssl_client_key'

Custom:

  • KEY_GPG = 'gpg_key'

Values are set in the remote options on remote-add.
(see: man ostree.repo-config):

       tls-client-cert-path = KEY_SSL_CLIENT_CERT
           Path to file for client-side certificate, to present when making requests to this repository.

       tls-client-key-path = KEY_SSL_CLIENT_KEY
           Path to file containing client-side certificate key, to present when making requests to this repository.

       tls-ca-path = KEY_SSL_CA_CERT
           Path to file containing trusted anchors instead of the system CA database.

       tls-permissive = (not KEY_SSL_VALIDATION)
           A boolean value, defaults to false. By default, server TLS certificates will be checked against the system certificate store. If this variable is
           set, any certificate will be accepted.
       gpg-verify = (KEY_GPG is not None)
           A boolean value, defaults to true. Controls whether or not OSTree will require commits to be signed by a known GPG key. For more information, see
           the ostree(1) manual under GPG.

The GPG key will need to be stored as keyring files in /usr/share/ostree/trusted.gpg.d
When a GPG key is specifed, gpg-verify=1 must be specified in the remote options.

Notes:

  • Pulp stores the GPG keys in the DB.
  • Find out if libostree can be handed the keys directly. If not, let's see if libostree can be changed to support a different file location.

Related issues

Blocks OSTree Support - Story #911: As a user, I want the CLI to support additional settings used to sync with the remote.CLOSED - CURRENTRELEASE

<a title="Actions" class="icon-only icon-actions js-contextmenu" href="#">Actions</a>

Associated revisions

Revision 54e7c49a View on GitHub
Added by jortel@redhat.com about 5 years ago

ref #912 - support ssl and gpg options.

History

#1 Updated by mhrivnak over 5 years ago

  • Tags Sprint Candidate added

#2 Updated by bmbouter over 5 years ago

  • Sprint Candidate set to Yes
  • Tags deleted (Sprint Candidate)

#3 Updated by bmbouter over 5 years ago

  • Groomed set to No

#4 Updated by jortel@redhat.com over 5 years ago

  • Description updated (diff)

#5 Updated by mhrivnak over 5 years ago

  • Priority changed from Normal to High
  • Groomed changed from No to Yes

#6 Updated by mhrivnak over 5 years ago

  • Blocks Story #911: As a user, I want the CLI to support additional settings used to sync with the remote. added

#7 Updated by jortel@redhat.com about 5 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to jortel@redhat.com
  • Sprint/Milestone set to 16

#8 Updated by jortel@redhat.com about 5 years ago

  • % Done changed from 0 to 30

#9 Updated by jortel@redhat.com about 5 years ago

We also need to support:

# Hostname or IP of the proxy server
KEY_PROXY_HOST = 'proxy_host'

# Port used to contact the proxy server
KEY_PROXY_PORT = 'proxy_port'

# Username for an authenticated proxy server
KEY_PROXY_USER = 'proxy_username'

# Password for an authenticated proxy server
KEY_PROXY_PASS = 'proxy_password'

Mapped to a remote configuration:

       proxy
           A string value, if given should be a URL for a HTTP proxy to use for access to this repository.

#10 Updated by jortel@redhat.com about 5 years ago

The atomic project has just merged this PR: https://github.com/GNOME/ostree/pull/107 which supports managing GPG keyrings for each remote and is stored in the ostree repository directory.

The PR is the resolution to: https://bugzilla.gnome.org/show_bug.cgi?id=729592.

Not sure when it will land in a packaged release.

#11 Updated by jortel@redhat.com about 5 years ago

  • % Done changed from 30 to 40

Submitted patch to libostree (upstream): https://github.com/GNOME/ostree/pull/115

#12 Updated by jortel@redhat.com about 5 years ago

  • % Done changed from 40 to 70

#13 Updated by jortel@redhat.com about 5 years ago

PR https://github.com/GNOME/ostree/pull/115 accepted and merged upstream.

Troubleshooting an issue with the ostree team. I don't think that ostree should still be looking in /usr/share/ostree/trusted.gpg.d for keyrings when there is a remote specific keyring defined. The directory not-found is also an issue.


$ sudo -u apache ostree --repo=content remote gpg-import jeff -k /tmp/j.asc
Imported 1 GPG key to remote "jeff"

$ sudo -u apache ostree --repo=content pull jeff rhel-atomic-host/7/x86_64/standard

error: Reading keyring directory '/usr/share/ostree/trusted.gpg.d' No such file or directory

#14 Updated by jortel@redhat.com about 5 years ago

Filed BZ: https://bugzilla.gnome.org/show_bug.cgi?id=750049 on advice from Matthew Barnes (OSTree Development Team).

#15 Updated by jortel@redhat.com about 5 years ago

Issues signing a commit:

$ sudo rpm-ostree compose sign --key=30170657 --rev=rhel-atomic-host/7/x86_64/standard --repo=.
error: Failed to execute child process "rpm-sign" (No such file or directory)

Filed: https://bugzilla.gnome.org/show_bug.cgi?id=750119

#16 Updated by jortel@redhat.com about 5 years ago

Looks like

rpm-ostree compose sign

has been deprecated. Using

ostree gpg-sign

instead.

Bug: https://bugzilla.gnome.org/show_bug.cgi?id=750119 closed on recommendation of OSTree team.

#17 Updated by jortel@redhat.com about 5 years ago

Getting a SIGABRT on subsequent PULL operations after a failed PULL related to GPG validation. This results in termination of the pulp worker.

Filed upstream: https://bugzilla.gnome.org/show_bug.cgi?id=750813

#18 Updated by jortel@redhat.com about 5 years ago

  • Status changed from ASSIGNED to MODIFIED

#19 Updated by rbarlow over 4 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
  • % Done changed from 70 to 100
  • Target Release - OSTree set to 1.0.0

#20 Updated by bmbouter over 2 years ago

  • Sprint set to May 2015

#21 Updated by bmbouter over 2 years ago

  • Sprint/Milestone deleted (16)

#22 Updated by bmbouter over 1 year ago

  • Tags Pulp 2 added

Please register to edit this issue

Also available in: Atom PDF