From a1b5d4941ea7c75a95f4ad81f650c6b44d1332a8 Mon Sep 17 00:00:00 2001
From: Alex Willmer
Date: Wed, 26 Feb 2025 17:52:57 +0000
Subject: [PATCH] ci: Use upstream base images for image prep
This eliminates use of third-party *-vault images and performs repository config during image prep. The Apache httpd proxy is necessary because https://vault.centos.org now only accepts TLS 1.x connections, and CentOS 5 can only do upto SSL 3.0. It is developed to run on Debian 11.
---
 tests/ansible/hosts/group_vars/debian9.yml | 4 ++-
 tests/image_prep/_container_create.yml | 2 ++
 tests/image_prep/apache_proxy.conf | 33 ++++++++++++++++++++++
 tests/image_prep/host_vars/centos5.yml | 32 ++++++++++++++++++++-
 tests/image_prep/host_vars/centos6.yml | 23 ++++++++++++++-
 tests/image_prep/host_vars/centos7.yml | 21 ++++++++++++++
 tests/image_prep/host_vars/centos8.yml | 26 +++++++++++++++++
 tests/image_prep/host_vars/debian10.yml | 8 ++++++
 tests/image_prep/host_vars/debian11.yml | 8 +++++-
 tests/image_prep/host_vars/debian9.yml | 7 +++++
 10 files changed, 160 insertions(+), 4 deletions(-)
 create mode 100644 tests/image_prep/apache_proxy.conf
diff --git a/tests/ansible/hosts/group_vars/debian9.yml b/tests/ansible/hosts/group_vars/debian9.yml
index e08b1ed2..5be6ee80 100644
--- a/tests/ansible/hosts/group_vars/debian9.yml
+++ b/tests/ansible/hosts/group_vars/debian9.yml
@@ -1,4 +1,6 @@
 package_manager_repos:
 - dest: /etc/apt/sources.list
 content: |
- deb http://archive.debian.org/debian stretch main contrib non-free
+ deb http://archive.debian.org/debian/ stretch main contrib non-free
+ deb http://archive.debian.org/debian/ stretch-proposed-updates main contrib non-free
+ deb http://archive.debian.org/debian-security stretch/updates main contrib non-free
diff --git a/tests/image_prep/_container_create.yml b/tests/image_prep/_container_create.yml
index a3e8385f..2fec8bd9 100644
--- a/tests/image_prep/_container_create.yml
+++ b/tests/image_prep/_container_create.yml
@@ -14,6 +14,8 @@
 image: "{{ docker_base }}"
 command: /bin/bash
 hostname: "mitogen-{{ inventory_hostname }}"
+ etc_hosts:
+ centos-vault-proxy: host-gateway
 detach: true
 interactive: true
 tty: true
diff --git a/tests/image_prep/apache_proxy.conf b/tests/image_prep/apache_proxy.conf
new file mode 100644
index 00000000..79022df7
--- /dev/null
+++ b/tests/image_prep/apache_proxy.conf
@@ -0,0 +1,33 @@
+DefaultRuntimeDir ${XDG_RUNTIME_DIR}
+PidFile ${XDG_RUNTIME_DIR}/apache2.pid
+
+LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so
+LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so
+LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so
+LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
+LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
+LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+
+LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
+
+KeepAlive On
+Listen 8090
+
+
+ Require all denied
+ AllowOverride None
+
+
+
+ ServerName centos-vault-proxy
+ SSLProxyEngine On
+ CustomLog logs/access.log vhost_combined
+ ProxyPass "/" "https://vault.centos.org/"
+ ProxyPassReverse "https://vault.centos.org/" "/"
+ RedirectMatch "^/(.*)" "http://centos-vault-proxy:8090/$1"
+
+
+# /usr/sbin/apache2 -d . -f apache_proxy.conf -D FOREGROUND
+
+# vim: syntax=apache
diff --git a/tests/image_prep/host_vars/centos5.yml b/tests/image_prep/host_vars/centos5.yml
index 1828c29e..19397096 100644
--- a/tests/image_prep/host_vars/centos5.yml
+++ b/tests/image_prep/host_vars/centos5.yml
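Review bot: The new `etc_hosts` entry carries no comment, and nothing in `_container_create.yml` says that `centos-vault-proxy` is the Docker host that must be running the Apache proxy from `apache_proxy.conf`. Because the task is shared, every image's container receives the mapping and can reach whatever listens on the host gateway, although only the CentOS 5 repo config in this commit uses the name. A comment above the key such as `# centos-vault-proxy = Docker host; apache_proxy.conf must be running there (CentOS 5 repos only)` would record that, and if the task allows it the entry could be limited to the hosts that need it. The task itself starts and ends outside the hunk.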
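Review bot: The proxy's upstream TLS leg is not authenticated, because the virtual host sets `SSLProxyEngine On` but no `SSLProxyVerify`, and mod_ssl's default for that directive is `none`, so any certificate presented for vault.centos.org is accepted. Adding `SSLProxyVerify require` and `SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt` (the usual Debian bundle path; confirm it on the CI host) next to `SSLProxyEngine On` would make the proxy check the peer before relaying packages to the CentOS 5 container. `Listen 8090` also binds every interface of the host; if only local containers need the proxy, `Listen <bridge-address>:8090` (placeholder) would narrow the exposure. A short comment at the top stating that the proxy exists only to bridge CentOS 5 to a TLS-only vault would help whoever has to run it.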
@@ -1,6 +1,36 @@
 bootstrap_packages: [python-simplejson]
-docker_base: astj/centos5-vault
+docker_base: centos:5
 packages:
 - perl
+package_manager_repos:
+ - dest: /etc/yum.repos.d/CentOS-Base.repo
+ content: |
+ [base]
+ name=CentOS-$releasever - Base
+ baseurl=http://centos-vault-proxy:8090/5.11/os/$basearch/
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
+
+ [updates]
+ name=CentOS-$releasever - Updates
+ baseurl=http://centos-vault-proxy:8090/5.11/updates/$basearch/
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
+
+ [extras]
+ name=CentOS-$releasever - Extras
+ baseurl=http://centos-vault-proxy:8090/5.11/extras/$basearch/
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
+
+ - dest: /etc/yum.repos.d/libselinux.repo
+ content: |
+ [libselinux]
+ name=CentOS-$releasever - libselinux
+ baseurl=http://centos-vault-proxy:8090/5.11/centosplus/$basearch/
+ gpgcheck=1
+ enabled=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
+ includepkgs=libselinux*
diff --git a/tests/image_prep/host_vars/centos6.yml b/tests/image_prep/host_vars/centos6.yml
index aae7965f..2eb20f48 100644
--- a/tests/image_prep/host_vars/centos6.yml
+++ b/tests/image_prep/host_vars/centos6.yml
@@ -1,6 +1,27 @@
 bootstrap_packages: [python]
-docker_base: moreati/centos6-vault
+docker_base: centos:6
 packages:
 - perl-JSON
+
+package_manager_repos:
+ - dest: /etc/yum.repos.d/CentOS-Base.repo
+ content: |
+ [base]
+ name=CentOS-$releasever - Base
+ baseurl=http://vault.centos.org/6.10/os/$basearch/
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+ [updates]
+ name=CentOS-$releasever - Updates
+ baseurl=http://vault.centos.org/6.10/updates/$basearch/
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+ [extras]
+ name=CentOS-$releasever - Extras
+ baseurl=http://vault.centos.org/6.10/extras/$basearch/
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
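Review bot: `docker_base: centos:5` is a mutable tag, and with this change the base image becomes the trust anchor for everything installed afterwards. The repo entries fetch over plain HTTP through the proxy and rely on `gpgcheck=1` against `file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5`, a key that is read from the image itself. Pinning the image by digest, in the form `docker_base: centos:5@sha256:<digest>` (placeholder), would fix exactly what is trusted and keep image prep reproducible. The same applies to `docker_base: centos:6` in the centos6.yml hunk.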
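Review bot: The three `baseurl=http://vault.centos.org/6.10/...` entries fetch repository metadata in cleartext, and `gpgcheck=1` verifies package signatures only, not `repomd.xml`, so the integrity and freshness of the package list are not protected in transit. The commit message explains the TLS limitation for CentOS 5 only; if the CentOS 6 client can negotiate with the vault, `baseurl=https://vault.centos.org/6.10/os/$basearch/` would be the safer form, and the same holds for the `http://vault.centos.org/$contentdir/...` entries in centos7.yml and centos8.yml. If HTTPS fails because the CA bundle in these images is too old, a comment next to the URLs saying so would document the exception.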
diff --git a/tests/image_prep/host_vars/centos7.yml b/tests/image_prep/host_vars/centos7.yml
index fec83471..513e4bb9 100644
--- a/tests/image_prep/host_vars/centos7.yml
+++ b/tests/image_prep/host_vars/centos7.yml
@@ -6,3 +6,24 @@ packages:
 - perl-JSON
 - python-virtualenv
 - python3
+
+package_manager_repos:
+ - dest: /etc/yum.repos.d/CentOS-Base.repo
+ content: |
+ [base]
+ name=CentOS-$releasever - Base
+ baseurl=http://vault.centos.org/$contentdir/$releasever/os/$basearch/
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+ [updates]
+ name=CentOS-$releasever - Updates
+ baseurl=http://vault.centos.org/$contentdir/$releasever/updates/$basearch/
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+ [extras]
+ name=CentOS-$releasever - Extras
+ baseurl=http://vault.centos.org/$contentdir/$releasever/extras/$basearch/
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
diff --git a/tests/image_prep/host_vars/centos8.yml b/tests/image_prep/host_vars/centos8.yml
index 17eccd01..c2deb6ff 100644
--- a/tests/image_prep/host_vars/centos8.yml
+++ b/tests/image_prep/host_vars/centos8.yml
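Review bot: These `baseurl` values depend on `$contentdir` and `$releasever` being expanded inside the image, while centos5.yml and centos6.yml in the same commit spell out the point release (`5.11`, `6.10`). Whether vault.centos.org serves the expanded path cannot be seen from the diff. Writing the archived release out, in the form `baseurl=http://vault.centos.org/<vault-path>/os/$basearch/` (placeholder), would match the other files and make image prep independent of the yum variables shipped in the base image. centos8.yml uses the same two variables.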
@@ -8,3 +8,29 @@ packages:
 - python3-virtualenv
 - python36
 - python38
+
+package_manager_repos:
+ - dest: /etc/yum.repos.d/CentOS-Linux-AppStream.repo
+ content: |
+ [appstream]
+ name=CentOS Linux $releasever - AppStream
+ baseurl=http://vault.centos.org/$contentdir/$releasever/AppStream/$basearch/os/
+ enabled=1
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+ - dest: /etc/yum.repos.d/CentOS-Linux-BaseOS.repo
+ content: |
+ [baseos]
+ name=CentOS Linux $releasever - BaseOS
+ baseurl=http://vault.centos.org/$contentdir/$releasever/BaseOS/$basearch/os/
+ enabled=1
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+ - dest: /etc/yum.repos.d/CentOS-Linux-Extras.repo
+ content: |
+ [extras]
+ name=CentOS Linux $releasever - Extras
+ baseurl=http://vault.centos.org/$contentdir/$releasever/extras/$basearch/os/
+ enabled=1
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
diff --git a/tests/image_prep/host_vars/debian10.yml b/tests/image_prep/host_vars/debian10.yml
index 1b03d6a2..f3c592b4 100644
--- a/tests/image_prep/host_vars/debian10.yml
+++ b/tests/image_prep/host_vars/debian10.yml
@@ -9,3 +9,11 @@ packages:
 - python3
 - python3-virtualenv
 - virtualenv
+
+package_manager_repos:
+ - dest: /etc/apt/sources.list
+ content: |
+ deb http://archive.debian.org/debian/ buster main non-free contrib
+ deb http://archive.debian.org/debian/ buster-updates main non-free contrib
+ deb http://archive.debian.org/debian/ buster-proposed-updates main non-free contrib
+ deb http://security.debian.org/ buster/updates main non-free contrib
diff --git a/tests/image_prep/host_vars/debian11.yml b/tests/image_prep/host_vars/debian11.yml
index 5ab2d761..6d4a991a 100644
--- a/tests/image_prep/host_vars/debian11.yml
+++ b/tests/image_prep/host_vars/debian11.yml
@@ -1,6 +1,6 @@
 bootstrap_packages: [python3, python3-apt]
-docker_base: debian:bullseye
+docker_base: debian:11
 packages:
 - libjson-perl
@@ -9,3 +9,9 @@ packages:
 - python2
 - python3-virtualenv
 - virtualenv
+
+package_manager_keys:
+ - src: debian-archive-bullseye-automatic.gpg # Debian 11
+ dest: /etc/apt/trusted.gpg.d/
+ - src: debian-archive-bookworm-automatic.gpg # Debian 12
+ dest: /etc/apt/trusted.gpg.d/
diff --git a/tests/image_prep/host_vars/debian9.yml b/tests/image_prep/host_vars/debian9.yml
index cbd22e0f..987d9cd4 100644
--- a/tests/image_prep/host_vars/debian9.yml
+++ b/tests/image_prep/host_vars/debian9.yml
@@ -9,3 +9,10 @@ packages:
 - python3
 - python3-virtualenv
 - virtualenv
+
+package_manager_repos:
+ - dest: /etc/apt/sources.list
+ content: |
+ deb http://archive.debian.org/debian/ stretch main contrib non-free
+ deb http://archive.debian.org/debian/ stretch-proposed-updates main contrib non-free
+ deb http://archive.debian.org/debian-security stretch/updates main contrib non-free
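Review bot: The two keyrings under `package_manager_keys` are copied into `/etc/apt/trusted.gpg.d/`, which makes them trusted for every apt source in the image, and the `src:` files themselves are not part of this diff, so their origin cannot be checked here. A comment recording where the files were taken from and their fingerprints, e.g. `# from debian-archive-keyring; fingerprint: <fingerprint>` (placeholder), would let a reviewer verify these trust anchors. The hunk also gives no reason why a Debian 12 key is installed on the Debian 11 image; one line explaining that would prevent it from being removed or copied elsewhere by mistake.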