From f072dd9a4c3e6b10e202c1deb54e0ee582d25794 Mon Sep 17 00:00:00 2001
From: Eric MacDonald
Date: Wed, 21 Aug 2024 16:20:16 +0000
Subject: [PATCH] Add --no-gpg-verify option in kickstart to ostree remote add command

Cases have been seen where installing a system node with patches leads to ostree pull failures with the following error:

"GPG verification enabled, but no signatures found"

The system is not able to configure gpg-verify=false option for the kickstart remote pull cases.

This update adds the --no-gpg-verify option to the ostree remote add command in the kickstart so that the kickstart and LAT pull operations can be gpg unverified. Doing so automatically adds the gpg-verify=false option to the local ostree_repo/config file.

This update also adds support for an instgpg=1 install option to enable gpg verify in the kickstart. This option is not used by default but could be made to through the modification of system node install grub menus in the future.

Test Plan:

PASS: Verify AIO DX Install
PASS: Verify controller system node install with an unsigned patch.
PASS: Verify worker system node install with an unsigned patch.
PASS: Verify gpg-verify=false install option is set in controller feed ostree_repo/config file following the install of a controller.
PASS: Verify update fixes reported issue of trying to install a system node with an unsigned patch.
PASS: Verify kernel parameter instgpg=1 enables a gpg verified install and that install fails with the same issue the source bug reports

Regression:

PASS: Verify worker system node install without patch
PASS: Verify controller system node install without patch

Closes-Bug: 2077556
Change-Id: I48343e6469bf1dd0ad7f46f0119ec8bfb5f18f26
Signed-off-by: Eric MacDonald
---
 kickstart/files/kickstart.cfg | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/kickstart/files/kickstart.cfg b/kickstart/files/kickstart.cfg
index 456066b1..3ec9e22c 100644
--- a/kickstart/files/kickstart.cfg
+++ b/kickstart/files/kickstart.cfg @@ -1999,6 +1999,17 @@ udevadm settle --timeout=300 || report_failure_with_msg "udevadm settle failed" # Rescan LVM cache to avoid warnings for VGs that were recreated. pvscan --cache 2>/dev/null +# Unverified GPG with kernel parameter instgpg!=1 +# Verified GPG with kernel parameter instgpg=1 +if grep -q 'instgpg=1' /proc/cmdline 2>/dev/null; then + gpg_option="" +else + # Tell LAT to enable --no-gpg-verify + export INSTGPG=0 + gpg_option="--no-gpg-verify" + ilog "Enable LAT ${gpg_option} option to configure ostree for unverified GPG (gpg-verify=false)" +fi + # Stage the ostree_repo in /sysroot for network installations # of controller nodes. Doing so avoids a double ostree pull of # the huge ostree_repo over the network. @@ -2057,14 +2068,14 @@ else ostree --repo=${repo} init --mode=archive if [ "${insturl}" = "file://NOT_SET" ] ; then - ilog "ostree_repo archive pull from file:///instboot/ostree_repo" - ostree --repo=${repo} remote add ${instbr} file:///instboot/ostree_repo + ilog "ostree_repo archive pull from file:///instboot/ostree_repo ${gpg_option}" + ostree --repo=${repo} remote add ${gpg_option} ${instbr} file:///instboot/ostree_repo else - ilog "ostree_repo archive pull from ${insturl}" - ostree --repo=${repo} remote add ${instbr} ${insturl} + ilog "ostree_repo archive pull from ${insturl} ${gpg_option}" + ostree --repo=${repo} remote add ${gpg_option} ${instbr} ${insturl} fi - ilog "Executing: ostree --repo=${repo} pull --depth=-1 --mirror ${instbr}:${instbr}" + ilog "Executing: ostree --repo=${repo} pull --depth=-1 --mirror ${instbr}:${instbr} ${gpg_option}" MAX_TRIES=3 RETRY_WAIT=10 for try in 1 2 3
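Review bot: In the first hunk (the instgpg block after `pvscan --cache`), the default branch silently turns GPG verification off for every install, and the verified branch neither exports anything to LAT nor logs that verification is in effect, so the two paths are asymmetric and the resulting remote config is only discoverable by reading ostree_repo/config afterwards. Suggest exporting `INSTGPG=1` and adding an `ilog` line in the `then` branch as well, so LAT and the install log both state which mode was chosen. Separately, `grep -q 'instgpg=1' /proc/cmdline` matches as a substring (e.g. `instgpg=10` or a longer parameter ending in `instgpg=1`); a word-bounded match such as `grep -qw 'instgpg=1' /proc/cmdline` would make the opt-in unambiguous.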
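Review bot: In the second hunk, the changed `ilog "Executing: ostree --repo=${repo} pull --depth=-1 --mirror ${instbr}:${instbr} ${gpg_option}"` appends `${gpg_option}` to the log line, but the `pull` command itself is not modified and `--no-gpg-verify` is a `remote add` option, so the log will show a command that was never run. Suggest leaving the pull log line as it was and, if the mode should be visible here, logging it separately (e.g. "remote ${instbr} added with ${gpg_option:-gpg-verify=true}"). The two `remote add ${gpg_option} ${instbr} ...` lines are fine as written: an unquoted empty `${gpg_option}` expands to nothing in the verified case, so the argument order is preserved in both branches.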