[libvirt] [jenkins-ci PATCH] guests: Special-case fedora-gpg-keys updates on Rawhide

Andrea Bolognani posted 1 patch 5 years, 7 months ago
[libvirt] [jenkins-ci PATCH] guests: Special-case fedora-gpg-keys updates on Rawhide
Posted by Andrea Bolognani 5 years, 7 months ago
During each Rawhide development cycle there is a point
at which packages start being signed with new keys, which
causes updates to fail.

To work around the problem, make sure fedora-gpg-keys is
updated before attempting to update all other packages;
updating fedora-gpg-keys itself requires gpg signature
checking to be disabled.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
---
I am actually not 100% sure we need to disable gpg
signature checking in order to update fedora-gpg-keys:
it would make sense for that one package to be signed
with the old key to make the update possible without
breaking trust at any point in time. Unfortunately I
updated my Rawhide guest without taking a snapshot
first, and I can't figure out a way to get it back to
a state suitable for checking whether the above makes
sense :( Perhaps someone with deeper understanding of
the Fedora release process will confirm or deny.

 guests/lcitool                         | 24 +++++++++++++++++-------
 guests/playbooks/update/tasks/base.yml |  9 +++++++++
 2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/guests/lcitool b/guests/lcitool
index 821cafc..ddeee6a 100755
--- a/guests/lcitool
+++ b/guests/lcitool
@@ -511,7 +511,8 @@ class Application:
         facts = self._inventory.get_facts(host)
         package_format = facts["package_format"]
         os_name = facts["os_name"]
-        os_full = os_name + str(facts["os_version"])
+        os_version = str(facts["os_version"])
+        os_full = os_name + os_version
 
         if package_format not in ["deb", "rpm"]:
             raise Error("Host {} doesn't support Dockerfiles".format(host))
@@ -560,12 +561,21 @@ class Application:
                     apt-get autoclean -y
             """))
         elif package_format == "rpm":
-            sys.stdout.write(textwrap.dedent("""
-                RUN yum update -y && \\
-                    yum install -y ${PACKAGES} && \\
-                    yum autoremove -y && \\
-                    yum clean all -y
-            """))
+            if os_name == "Fedora" and os_version == "Rawhide":
+                sys.stdout.write(textwrap.dedent("""
+                    RUN yum update -y --nogpgcheck fedora-gpg-keys && \\
+                        yum update -y && \\
+                        yum install -y ${PACKAGES} && \\
+                        yum autoremove -y && \\
+                        yum clean all -y
+                """))
+            else:
+                sys.stdout.write(textwrap.dedent("""
+                    RUN yum update -y && \\
+                        yum install -y ${PACKAGES} && \\
+                        yum autoremove -y && \\
+                        yum clean all -y
+                """))
 
     def run(self):
         cmdline = self._parser.parse_args()
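Review bot: The `--nogpgcheck` in the new Rawhide branch (`yum update -y --nogpgcheck fedora-gpg-keys`) installs, without verification, the very package that supplies the keys the following `yum update -y` relies on, and nothing in the code or in the generated Dockerfile says why. Add a comment above the `if os_name == "Fedora" and os_version == "Rawhide":` check stating that the bypass is deliberate and limited to this one package, so it is not copied to other targets or widened later. The two `RUN` templates also differ only in that first line; emitting the shared text once and prepending the extra command for Rawhide would keep them from drifting apart.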
diff --git a/guests/playbooks/update/tasks/base.yml b/guests/playbooks/update/tasks/base.yml
index 11f600f..cc16eb0 100644
--- a/guests/playbooks/update/tasks/base.yml
+++ b/guests/playbooks/update/tasks/base.yml
@@ -64,6 +64,15 @@
     - not ( os_name == 'Fedora' and
             os_version == 'Rawhide' )
 
+- name: Update installed packages
+  package:
+    name: fedora-gpg-keys
+    state: latest
+    disable_gpg_check: yes
+  when:
+    - os_name == 'Fedora'
+    - os_version == 'Rawhide'
+
 - name: Update installed packages
   command: dnf update --refresh --exclude 'kernel*' -y
   args:
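Review bot: The added task reuses the name `Update installed packages`, which is also the name of the task right after it, so a play log cannot tell the `fedora-gpg-keys` step from the full update. Give it its own name, for example `Update fedora-gpg-keys`. Since `disable_gpg_check: yes` turns off signature verification for this task, a YAML comment noting that it is limited to this one package on Rawhide would also help whoever audits the playbook later.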
-- 
2.17.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [jenkins-ci PATCH] guests: Special-case fedora-gpg-keys updates on Rawhide
Posted by Daniel P. Berrangé 5 years, 7 months ago
On Tue, Sep 04, 2018 at 03:59:23PM +0200, Andrea Bolognani wrote:
> During each Rawhide development cycle there is a point
> at which packages start being signed with new keys, which
> causes updates to fail.
> 
> To work around the problem, make sure fedora-gpg-keys is
> updated before attempting to update all other packages;
> updating fedora-gpg-keys itself requires gpg signature
> checking to be disabled.
> 
> Signed-off-by: Andrea Bolognani <abologna@redhat.com>
> ---
> I am actually not 100% sure we need to disable gpg
> signature checking in order to update fedora-gpg-keys:
> it would make sense for that one package to be signed
> with the old key to make the update possible without
> breaking trust at any point in time. Unfortunately I
> updated my Rawhide guest without taking a snapshot
> first, and I can't figure out a way to get it back to
> a state suitable for checking whether the above makes
> sense :( Perhaps someone with deeper understanding of
> the Fedora release process will confirm or deny.
>  guests/lcitool                         | 24 +++++++++++++++++-------
>  guests/playbooks/update/tasks/base.yml |  9 +++++++++
>  2 files changed, 26 insertions(+), 7 deletions(-)

After chatting with one of the Fedora team about this, we
came to the conclusion there's no nicer option right now, so

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>




Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
