Package: openstack-debian-images
Version: 1.72
Severity: wishlist
Tags: patch
I would like to use build-openstack-debian-image to install OpenStack (a la OpenStack Cluster Installer) using packages from an internal aptly mirror repository. Unfortunately, as the packages hosted by aptly are signed by its own keyring, this currently does not work. By default debootstrap will specifically use the official Debian archive keyring to verify packages, and provides the --keyring option to specify a different key.

I think it would be beneficial to add an option to build-openstack-debian-image to provide a keyring filename and pass this on to debootstrap. I have attached patches for build-openstack-debian-image and the accompanying man page which would add this functionality, for your consideration. I've also added an option to copy the keyring file into the image so the resulting installation will also trust the packages in the repository.

Cheers,
Jim
diff --git a/build-openstack-debian-image b/build-openstack-debian-image index 9b2e69a..ad35509 100755 --- a/build-openstack-debian-image +++ b/build-openstack-debian-image @@ -25,6 +25,8 @@ Options are: --debootstrap-url|-u <debootstrap-mirror> (default: http://deb.debian.org/debian) --sources.list-mirror|-s <source-list-mirror> (default: http://deb.debian.org/debian) --extra-packages|-e <package>,<package>,... + --debootstrap-keyring-file|-k <path-to-keyring> + --copy-debootstrap-keyring-file --rescue (implies: --permit-ssh-as-root --add-serial-getty ttyS0 --tty-autologin yes) --hook-script|-hs <hook-script> --image-size|-is <image-size> (default: 2G) @@ -138,6 +140,20 @@ for i in $@ ; do shift shift ;; + "--debootstrap-keyring-file"|"-k") + if [ -z "${2}" ] ; then + echo "No parameter defining the debootstrap URL" + usage + fi + DEBOOTSTRAP_KEYRING="${2}" + DEBOOTSTRAP_OPTIONS="${DEBOOTSTRAP_OPTIONS} --keyring=${2}" + shift + shift + ;; + "--copy-debootstrap-keyring-file") + COPY_DEBOOTSTRAP_KEYRING=yes + shift + ;; "--minimal"|"-m") EXTRA=no shift @@ -955,7 +971,7 @@ if [ "${BOOTTYPE}" = "uefi" ] ; then fi debootstrap --verbose \ - --include=${PKG_LIST} \ + --include=${PKG_LIST} ${DEBOOTSTRAP_OPTIONS} \ ${RELEASE} ${MOUNT_DIR} ${DEB_MIRROR} @@ -1244,6 +1260,11 @@ fi # done #fi +if [ "${COPY_DEBOOTSTRAP_KEYRING}" = "yes" ] && [ -n "${DEBOOTSTRAP_KEYRING}" ] ; then + cp "${DEBOOTSTRAP_KEYRING}" ${MOUNT_DIR}/etc/apt/trusted.gpg.d/ + cp "${DEBOOTSTRAP_KEYRING}" ${MOUNT_DIR}/usr/share/keyrings/ +fi + # We do it *after* the debootstrap, as otherwise it fails with # systemd-shim conflicting with systemd-sysv. chroot ${MOUNT_DIR} apt-get update
diff --git a/build-openstack-debian-image.1 b/build-openstack-debian-image.1 index 4c9a596..cf8b141 100644 --- a/build-openstack-debian-image.1 +++ b/build-openstack-debian-image.1 @@ -77,6 +77,24 @@ Select the of the Debian mirror to use to perform the debootstrap. For example: .I http://ftp.fr.debian.org/debian +.LP +.B \-\-debootstrap\-keyring\-file|\-k +.I <path-to-keyring> +.IP + +Use the specified keyring file, and not the official debian archive keyring, +when verifying packages. This is useful when using an unofficial package +repository (e.g. a self-hosted aptly) + +.LP +.B \-\-copy\-debootstrap\-keyring\-file +.IP + +Copy the keyring file specified by \-\-debootstrap\-keyring\-file into +/etc/apt/trusted.gpg.d and /usr/share/keyrings in the generated image. +Note that the prefered way to install and manage a keyring is to install +it as a package using \-\-extra\-packages. + .LP .B \-\-boot-manager|\-bm .I <grub|syslinux>
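Review bot: the error message in the `"--debootstrap-keyring-file"|"-k"` branch of the second hunk of build-openstack-debian-image reads "No parameter defining the debootstrap URL", evidently copied from the mirror option; it should name the keyring file, and since the path is later handed to debootstrap and to cp it is worth checking that it exists, e.g. `if [ -z "${2}" ] || [ ! -f "${2}" ] ; then` followed by `echo "No readable keyring file given for --debootstrap-keyring-file"`. Note also that `--keyring=${2}` is appended to DEBOOTSTRAP_OPTIONS without quoting and the variable is then expanded unquoted in the debootstrap call in the third hunk, so a keyring path containing whitespace is split into separate arguments.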
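Review bot: the copy block in the last hunk of build-openstack-debian-image places the keyring in /etc/apt/trusted.gpg.d/, which makes that key trusted for every apt source in the generated image, not only the internal mirror; the man page text itself says a package is the preferred way. Consider copying only to /usr/share/keyrings and referencing it from the mirror's sources.list entry with a `signed-by=` option, or at least documenting the wider trust. Two smaller points: apt only reads files in trusted.gpg.d with a .gpg (or, on newer apt, .asc) extension, so a keyring with another name is silently ignored there; and `${MOUNT_DIR}` is unquoted in both cp lines while `"${DEBOOTSTRAP_KEYRING}"` is quoted. The block also does nothing, silently, when --copy-debootstrap-keyring-file is given without -k; a warning in that case would help.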
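Review bot: in the man page hunk, "prefered" should be "preferred", "official debian archive keyring" should read "official Debian archive keyring", and the sentence ending "(e.g. a self-hosted aptly)" is missing its full stop. The \-\-copy\-debootstrap\-keyring\-file entry should also state that it has no effect unless \-\-debootstrap\-keyring\-file is given, since the script guards on both variables; the same dependency could be noted in the usage text added in the first hunk of build-openstack-debian-image.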