Allow updates from untrusted mirrors

The default behaviour of apt has been changed, see [0]. When using unsigned mirrors, we need to set the "trusted" option explicitly in order to allow updates from these. [0] https://manpages.debian.org/stretch/apt/apt-secure.8.en.html Depends-On: https://review.openstack.org/#/c/536615/ Change-Id: I1a6818b022cd34c8899179c36cae962a6c8ec5ed
2018-03-02 10:01:04 +00:00 · 2018-03-02 10:01:04 +00:00 · 9861bc1640
parent 1d50e386cf
commit 9861bc1640
3 changed files with 12 additions and 4 deletions
--- a/roles/configure-mirrors/README.rst
+++ b/roles/configure-mirrors/README.rst
@ -11,3 +11,10 @@ An ansible role to configure services to use mirrors.

   URL to override the generated pypi mirror url based on
   :zuul:rolevar:`configure-mirrors.mirror_fqdn`.
+
+.. zuul:rolevar:: set_apt_mirrors_trusted
+   :default: False
+
+   Set to True in order to tag APT mirrors as trusted, needed
+   when accessing unsigned mirrors with newer releases like
+   Ubuntu Bionic.
--- a/roles/configure-mirrors/defaults/main.yaml
+++ b/roles/configure-mirrors/defaults/main.yaml
@ -1,3 +1,4 @@
 mirror_fqdn: "{{ zuul_site_mirror_fqdn|default(omit) }}"
 pypi_mirror: "http://{{ mirror_fqdn }}/pypi/simple"
+set_apt_mirrors_trusted: False
 wheel_mirror: "http://{{ mirror_fqdn }}/wheel/{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}-{{ ansible_architecture | lower }}"
--- a/roles/configure-mirrors/templates/etc/apt/sources.list.j2
+++ b/roles/configure-mirrors/templates/etc/apt/sources.list.j2
@ -1,5 +1,5 @@
 # {{ ansible_managed }}
-deb {{ package_mirror }} {{ ansible_distribution_release }} main universe
-deb {{ package_mirror }} {{ ansible_distribution_release }}-updates main universe
-deb {{ package_mirror }} {{ ansible_distribution_release }}-backports main universe
-deb {{ package_mirror }} {{ ansible_distribution_release }}-security main universe
+deb {% if set_apt_mirrors_trusted %}[ trusted=yes ] {% endif %}{{ package_mirror }} {{ ansible_distribution_release }} main universe
+deb {% if set_apt_mirrors_trusted %}[ trusted=yes ] {% endif %}{{ package_mirror }} {{ ansible_distribution_release }}-updates main universe
+deb {% if set_apt_mirrors_trusted %}[ trusted=yes ] {% endif %}{{ package_mirror }} {{ ansible_distribution_release }}-backports main universe
+deb {% if set_apt_mirrors_trusted %}[ trusted=yes ] {% endif %}{{ package_mirror }} {{ ansible_distribution_release }}-security main universe