Task #912: Importer needs to support additional configuration properties
Status: closed (100% done)
Description
The importer needs to support the following additional configuration properties:
Standard:
- KEY_SSL_CA_CERT = 'ssl_ca_cert'
- KEY_SSL_VALIDATION = 'ssl_validation'
- KEY_SSL_CLIENT_CERT = 'ssl_client_cert'
- KEY_SSL_CLIENT_KEY = 'ssl_client_key'
Custom:
- KEY_GPG = 'gpg_key'
Values are set in the remote options on remote-add (see: man ostree.repo-config):
tls-client-cert-path = KEY_SSL_CLIENT_CERT
Path to file for client-side certificate, to present when making requests to this repository.
tls-client-key-path = KEY_SSL_CLIENT_KEY
Path to file containing client-side certificate key, to present when making requests to this repository.
tls-ca-path = KEY_SSL_CA_CERT
Path to file containing trusted anchors instead of the system CA database.
tls-permissive = (not KEY_SSL_VALIDATION)
A boolean value, defaults to false. By default, server TLS certificates will be checked against the system certificate store. If this variable is set, any certificate will be accepted.
gpg-verify = (KEY_GPG is not None)
A boolean value, defaults to true. Controls whether or not OSTree will require commits to be signed by a known GPG key. For more information, see the ostree(1) manual under GPG.
The GPG key will need to be stored as keyring files in /usr/share/ostree/trusted.gpg.d
When a GPG key is specified, gpg-verify=1 must be specified in the remote options.
Notes:
- Pulp stores the GPG keys in the DB.
- Find out if libostree can be handed the keys directly. If not, let's see if libostree can be changed to support a different file location.
Updated by bmbouter over 9 years ago
- Sprint Candidate set to Yes
- Tags deleted (Sprint Candidate)
Updated by mhrivnak over 9 years ago
- Priority changed from Normal to High
- Groomed changed from No to Yes
Updated by mhrivnak over 9 years ago
- Blocks Story #911: As a user, I want the CLI to support additional settings used to sync with the remote. added
Updated by jortel@redhat.com over 9 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to jortel@redhat.com
- Sprint/Milestone set to 16
Updated by jortel@redhat.com over 9 years ago
We also need to support:
# Hostname or IP of the proxy server
KEY_PROXY_HOST = 'proxy_host'
# Port used to contact the proxy server
KEY_PROXY_PORT = 'proxy_port'
# Username for an authenticated proxy server
KEY_PROXY_USER = 'proxy_username'
# Password for an authenticated proxy server
KEY_PROXY_PASS = 'proxy_password'
Mapped to a remote configuration:
proxy
A string value, if given should be a URL for a HTTP proxy to use for access to this repository.
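As an added example (not Pulp's or libostree's code), the following hypothetical Python helper maps the importer keys listed in the description and in this comment onto the ostree remote options: the inverted tls-permissive flag, the gpg-verify toggle, and the four proxy keys collapsed into the single proxy URL. Function names, the http:// scheme for the proxy, the percent-encoding of proxy credentials, and the check that a client cert and key are given together are assumptions of this example, not behaviour the issue specifies.

```python
"""Hypothetical mapping of Pulp OSTree importer config keys to ostree
remote options (example code, not Pulp's or libostree's implementation)."""
from urllib.parse import quote

# Key names as listed in the issue.
KEY_SSL_CA_CERT = 'ssl_ca_cert'
KEY_SSL_VALIDATION = 'ssl_validation'
KEY_SSL_CLIENT_CERT = 'ssl_client_cert'
KEY_SSL_CLIENT_KEY = 'ssl_client_key'
KEY_GPG = 'gpg_key'
KEY_PROXY_HOST = 'proxy_host'
KEY_PROXY_PORT = 'proxy_port'
KEY_PROXY_USER = 'proxy_username'
KEY_PROXY_PASS = 'proxy_password'


def proxy_url(config):
    """Assemble the single 'proxy' remote option from the four proxy keys.

    Returns None when no proxy host is configured. The http:// scheme and the
    percent-encoding of user/password are assumptions of this example.
    """
    host = config.get(KEY_PROXY_HOST)
    if not host:
        return None
    port = config.get(KEY_PROXY_PORT)
    netloc = host if port is None else '%s:%s' % (host, port)
    user = config.get(KEY_PROXY_USER)
    if user:
        # Encode everything so a ':' or '@' in the credential cannot be
        # misparsed as a separator in the proxy URL.
        cred = quote(str(user), safe='')
        password = config.get(KEY_PROXY_PASS)
        if password is not None:
            cred += ':' + quote(str(password), safe='')
        netloc = cred + '@' + netloc
    return 'http://' + netloc


def remote_options(config):
    """Return the ostree remote option names and string values derived
    from an importer config dict (mapping taken from the issue description)."""
    opts = {}
    if config.get(KEY_SSL_CA_CERT):
        opts['tls-ca-path'] = config[KEY_SSL_CA_CERT]
    cert = config.get(KEY_SSL_CLIENT_CERT)
    key = config.get(KEY_SSL_CLIENT_KEY)
    # Assumption: a client certificate is useless without its key and vice
    # versa, so reject a half-configured pair rather than silently dropping it.
    if bool(cert) != bool(key):
        raise ValueError('%s and %s must be set together'
                         % (KEY_SSL_CLIENT_CERT, KEY_SSL_CLIENT_KEY))
    if cert:
        opts['tls-client-cert-path'] = cert
        opts['tls-client-key-path'] = key
    # tls-permissive = (not KEY_SSL_VALIDATION); validation defaults to on,
    # so only an explicit False disables server certificate checking.
    validate = config.get(KEY_SSL_VALIDATION, True)
    opts['tls-permissive'] = 'false' if validate else 'true'
    # gpg-verify = (KEY_GPG is not None)
    opts['gpg-verify'] = 'true' if config.get(KEY_GPG) is not None else 'false'
    url = proxy_url(config)
    if url:
        opts['proxy'] = url
    return opts


def remote_section(name, url, config):
    """Render a [remote "name"] section in the key-file style ostree uses
    for its repo config (see ostree.repo-config)."""
    lines = ['[remote "%s"]' % name, 'url=%s' % url]
    for option, value in sorted(remote_options(config).items()):
        lines.append('%s=%s' % (option, value))
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Constructed sample importer config, not real deployment data.
    sample = {
        KEY_SSL_CA_CERT: '/etc/pki/pulp/ca.crt',
        KEY_SSL_CLIENT_CERT: '/etc/pki/pulp/client.crt',
        KEY_SSL_CLIENT_KEY: '/etc/pki/pulp/client.key',
        KEY_SSL_VALIDATION: True,
        KEY_GPG: '-----BEGIN PGP PUBLIC KEY BLOCK-----',
        KEY_PROXY_HOST: 'proxy.example.test',
        KEY_PROXY_PORT: 3128,
        KEY_PROXY_USER: 'svc user',
        KEY_PROXY_PASS: 'p@ss',
    }
    print(remote_section('jeff', 'https://cdn.example.test/repo', sample))
```

Two points worth noting when using this mapping: the proxy password ends up in the repository's config file on disk, so that file should be readable only by the importer's user, and because gpg-verify follows directly from whether a key was supplied, a config without gpg_key produces a remote that accepts unsigned commits.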
Updated by jortel@redhat.com over 9 years ago
The atomic project has just merged this PR: https://github.com/GNOME/ostree/pull/107 which supports managing GPG keyrings for each remote, stored in the ostree repository directory.
The PR is the resolution to: https://bugzilla.gnome.org/show_bug.cgi?id=729592.
Not sure when it will land in a packaged release.
Updated by jortel@redhat.com over 9 years ago
- % Done changed from 30 to 40
Submitted patch to libostree (upstream): https://github.com/GNOME/ostree/pull/115
Updated by jortel@redhat.com over 9 years ago
PR https://github.com/GNOME/ostree/pull/115 accepted and merged upstream.
Troubleshooting an issue with the ostree team. I don't think that ostree should still be looking in /usr/share/ostree/trusted.gpg.d for keyrings when there is a remote specific keyring defined. The directory not-found is also an issue.
$ sudo -u apache ostree --repo=content remote gpg-import jeff -k /tmp/j.asc
Imported 1 GPG key to remote "jeff"
$ sudo -u apache ostree --repo=content pull jeff rhel-atomic-host/7/x86_64/standard
error: Reading keyring directory '/usr/share/ostree/trusted.gpg.d' No such file or directory
Updated by jortel@redhat.com over 9 years ago
Filed BZ: https://bugzilla.gnome.org/show_bug.cgi?id=750049 on advice from Matthew Barnes (OSTree Development Team).
Updated by jortel@redhat.com over 9 years ago
Issues signing a commit:
$ sudo rpm-ostree compose sign --key=30170657 --rev=rhel-atomic-host/7/x86_64/standard --repo=.
error: Failed to execute child process "rpm-sign" (No such file or directory)
Updated by jortel@redhat.com over 9 years ago
Looks like rpm-ostree compose sign has been deprecated. Using ostree gpg-sign instead.
Bug: https://bugzilla.gnome.org/show_bug.cgi?id=750119 closed on recommendation of OSTree team.
Updated by jortel@redhat.com over 9 years ago
Getting a SIGABRT on subsequent PULL operations after a failed PULL related to GPG validation. This results in termination of the pulp worker.
Filed upstream: https://bugzilla.gnome.org/show_bug.cgi?id=750813
Added by jortel@redhat.com over 9 years ago
Updated by jortel@redhat.com over 9 years ago
- Status changed from ASSIGNED to MODIFIED
Updated by rbarlow almost 9 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
- % Done changed from 70 to 100
- Target Release - OSTree set to 1.0.0
ref #912 - support ssl and gpg options.