Accessing external https repo during install

Diego Zuccato diego.zuccato at unibo.it
Thu Jan 18 10:12:35 CET 2024


Seems the copy is done by line 1115 of usr/lib/fai/subroutines:
fcopy -SBMir /etc/apt # copy all other apt config files from the config space
It probably should be documented, especially since docs currently state 
that files under files/ are not copied automatically but require an 
fcopy. Or I just missed the special treatment of sources.list.d ...

Now I have commented the repo definitions in sources.list.d/salt.list 
and uncomment 'em from hooks/configure.SALT :
-8<--
#! /bin/bash

sed -i 's/^#//' $target/etc/apt/sources.list.d/salt.list
fcopy -r /etc/salt/minion.d/

$ROOTCMD apt-get update
$ROOTCMD apt-get install -y salt-minion
-8<--

Finally it seems to work as expected.

Thanks again!

Diego

On 18/01/2024 08:23, Diego Zuccato wrote:
> IIUC that's the same as adding 'em to the basefile. Every time an 
> install errors out, basefile/nfsroot must be regenerated to include 
> updated root certs. Error prone and time consuming.
> I'm now trying to understand:
> 1) who is copying the whole /etc/apt/sources.list.d during 
> task_repository, to disable salt.list
> 2) initialize salt repo with a script later in the configuration phase, 
> when packages (including ca-certificates) are already installed
> 
> Point 1 is really unexpected and shouldn't happen by default. Currently 
> ruling out it gets done by one of my scripts. Just to be sure:
> fcopy /etc/apt/sources
> does *not* touch /etc/apt/sources.list.d/, right?
> 
> Diego
> 
> On 17/01/2024 17:10, Markus Köberl wrote:
>> On Wednesday, 17 January 2024 16:13:02 CET Diego Zuccato wrote:
>>> On 17/01/2024 14:15, Carsten Aulbert wrote:
>>>>> How can I have ca-certificates installed when the repository gets 
>>>>> added?
>>>>
>>>> I think you could either add it into your basefile
>>>
>>> Thought that, but would require regular maintenance, regenerating
>>> basefile every time ca-certificates is updated.
>>>
>>>> or add it to your
>>>> hook to install ca-certificates from Debian first.
>>>
>>> That would be the perfect solution.
>>>
>>>> Does that make sense?
>>>
>>> Sure it does. I just have to understand how to do it the correct way :)
>>>
>>> First issue (that deranged me): I forgot to set SALT class for the
>>> test-fai host, but files/etc/apt/sources.list.d/salt.list/BOOKWORM got
>>> copied anyway... some script is fcopy-ing more than expected...
>>> Fixed (partially) the first issue, hooks/repository.SALT (the one that
>>> should create salt.list file...) finally got called and attempted to
>>> install ca-certificate. But it failed. Seems I'm attempting to install
>>> it too soon.
>>> Uff. Work for tomorrow...
>>>
>>> Tks for all the hints!
>>
>> I have on the fai server in /etc/fai/nfsroot.conf:
>>
>> FAI_DEBOOTSTRAP_OPTS="--include=ca-certificates,apt-transport-https"
>>
>> and /etc/fai/nfsroot-hooks/ca-certificates:
>>
>> # load definition of ${NFSROOT}
>> . /etc/fai/nfsroot.conf
>> mkdir -p ${NFSROOT}/usr/local/share/ca-certificates
>> cp /etc/fai/nfsroot-hooks/ComodoIntermediateCertificates.crt \
>>     ${NFSROOT}/usr/local/share/ca-certificates/ComodoIntermediateCertificates.crt
>> chroot $NFSROOT update-ca-certificates
>>
>>
>> regards
>> Markus Köberl
> 

-- 
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
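
A variant of the configure-hook approach from this thread, as an added example that is not part of the original messages or of FAI itself: it enables the staged HTTPS source only once the target has a CA bundle, and uncomments only `deb`/`deb-src` lines rather than every line starting with `#`. The function names and the `repo.example.invalid` URL are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# True if the target root ($1) already has a non-empty system CA bundle,
# i.e. ca-certificates has been installed and update-ca-certificates ran.
target_has_ca_bundle() {
    [ -s "$1/etc/ssl/certs/ca-certificates.crt" ]
}

# Uncomment only "deb"/"deb-src" entries in file $1; other comments stay.
# Writing back with cat keeps the list file's owner and mode.
enable_repo_lines() {
    _tmp=$(mktemp) || return 1
    _rc=0
    sed 's/^#[[:space:]]*\(deb\(-src\)\{0,1\}[[:space:]]\)/\1/' "$1" > "$_tmp" \
        && cat "$_tmp" > "$1" || _rc=$?
    rm -f "$_tmp"
    return "$_rc"
}

# Enable list $2 (path relative to target root $1).
# Returns 0 = enabled, 1 = no CA bundle yet, 2 = list file missing.
enable_https_repo() {
    [ -f "$1/$2" ] || { echo "missing $1/$2" >&2; return 2; }
    if ! target_has_ca_bundle "$1"; then
        echo "no CA bundle under $1, leaving $2 disabled" >&2
        return 1
    fi
    enable_repo_lines "$1/$2"
}

# Constructed sample: a throwaway target root with a staged salt.list.
demo() {
    d_root=$(mktemp -d) || return 1
    d_list=etc/apt/sources.list.d/salt.list
    mkdir -p "$d_root/etc/apt/sources.list.d" "$d_root/etc/ssl/certs"
    printf '%s\n' '# staged by fcopy, enabled by the configure hook' \
        '#deb https://repo.example.invalid/salt bookworm main' \
        > "$d_root/$d_list"
    d_before=0; enable_https_repo "$d_root" "$d_list" || d_before=$?
    echo 'constructed bundle' > "$d_root/etc/ssl/certs/ca-certificates.crt"
    d_after=0; enable_https_repo "$d_root" "$d_list" || d_after=$?
    cat "$d_root/$d_list"
    rm -rf "$d_root"
    [ "$d_before" -eq 1 ] && [ "$d_after" -eq 0 ]
}
```

In a hook like hooks/configure.SALT this would be called as `enable_https_repo "$target" etc/apt/sources.list.d/salt.list` before `$ROOTCMD apt-get update`, so a missing CA bundle stops the hook with a clear message instead of a TLS verification failure from apt.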

