Accessing external https repo during install

Diego Zuccato diego.zuccato at unibo.it
Thu Jan 18 08:23:38 CET 2024


IIUC that's the same as adding 'em to the basefile. Every time an 
install errors out, basefile/nfsroot must be regenerated to include 
updated root certs. Error prone and time consuming.
I'm now trying to understand:
1) who is copying the whole /etc/apt/sources.list.d during 
task_repository, to disable salt.list
2) initialize salt repo with a script later in the configuration phase, 
when packages (including ca-certificates) are already installed

Point 1 is really unexpected and shouldn't happen by default. Currently 
ruling out it gets done by one of my scripts. Just to be sure:
fcopy /etc/apt/sources
does *not* touch /etc/apt/sources.list.d/, right?

Diego

Il 17/01/2024 17:10, Markus Köberl ha scritto:
> On Wednesday, 17 January 2024 16:13:02 CET Diego Zuccato wrote:
>> Il 17/01/2024 14:15, Carsten Aulbert ha scritto:
>>>> How can I have ca-certificates installed when the repository gets added?
>>>
>>> I think you could either add it into your basefile
>>
>> Thought that, but would require regular maintenance, regenerating
>> basefile every time ca-certificates is updated.
>>
>>> or add it to your
>>> hook to install ca-certificates from Debian first.
>>
>> That whould be the perfect solution.
>>
>>> Does that make sense?
>>
>> Sure it does. I just have to understand how to do it the correct way :)
>>
>> First issue (that deranged me): I forgot to set SALT class for the
>> test-fai host, but files/etc/apt/sources.list.d/salt.list/BOOKWORM got
>> copied anyway... some script is fcopy-ing more than expected...
>> Fixed (partially) the first issue, hooks/repository.SALT (the one that
>> should create salt.list file...) finally got called and attempted to
>> install ca-certificate. But it failed. Seems I'm attempting to install
>> it too soon.
>> Uff. Work for tomorrow...
>>
>> Tks for all the hints!
> 
> I have on the fai server in /etc/fai/nfsroot.conf:
> 
> FAI_DEBOOTSTRAP_OPTS="--include=ca-certificates,apt-transport-https"
> 
> and /etc/fai/nfsroot-hooks/ca-certificates:
> 
> # load deffinition of ${NFSROOT}
> . /etc/fai/nfsroot.conf
> mkdir -p ${NFSROOT}/usr/local/share/ca-certificates
> cp /etc/fai/nfsroot-hooks/ComodoIntermediateCertificates.crt \
>     ${NFSROOT}/usr/local/share/ca-certificates/ComodoIntermediateCertificates.crt
> chroot $NFSROOT update-ca-certificates
> 
> 
> regards
> Markus Köberl

-- 
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786


More information about the linux-fai mailing list