Simplify inserting apt keys into nspawn image

Bionic requires a functioning gpg-agent to run apt-key add. This means that gpg-agent must be working properly in the chroot when the nspawn image preparation script runs. Previous changes [1] have enabled apt-key to communicate with gpg-agent during the nspawn_hosts role checks, however the cache prep fails almost every time when nspawn_hosts is used within other role checks. This is not a new issue, debian-installer is affected too [2]. This change adopts the same route as d-i, and simply copies the host /etc/apt/trusted.gpg.d directory to the nspawn image, removing the need for apt-key and in turn gpg-agent. This is a re-implementation of https://review.openstack.org/588962 for nspawn. [1] https://review.openstack.org/590431 [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851774 Change-Id: I3c56da445377d7ba27a623fb7ebe95c20d28a327
2018-08-25 21:12:51 +01:00 · 2018-08-25 21:12:51 +01:00 · f3fe949711
parent 7ba42bc3d7
commit f3fe949711
5 changed files with 2 additions and 28 deletions
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -52,8 +52,3 @@
 - name: Reload systemd-daemon
  systemd:
    daemon_reload: true
-
- name: Remove generated apt keys
-  file:
-    path: /root/repo.keys
-    state: absent
--- a/tasks/nspawn_cache.yml
+++ b/tasks/nspawn_cache.yml
@ -66,21 +66,6 @@
  when:
    - nspawn_image_cache_refresh | bool

- block:
-    - name: Generate apt keys from host for the container cache
-      command: "apt-key exportall"
-      changed_when: false
-      register: _apt_exportall
-
-    - name: Write exported keys to file
-      copy:
-        content: "{{ _apt_exportall.stdout }}"
-        dest: "/var/lib/machines/{{ nspawn_container_base_name }}/root/repo.keys"
-      notify:
-        - Remove generated apt keys
-  when:
-    - ansible_pkg_mgr == 'apt'
-
 - name: Cached image preparation script
  template:
    src: "prep-scripts/nspawn_{{ nspawn_cache_map.distro }}_prep.sh.j2"
--- a/templates/prep-scripts/nspawn_ubuntu_prep.sh.j2
+++ b/templates/prep-scripts/nspawn_ubuntu_prep.sh.j2
@ -30,14 +30,6 @@ apt-get update

 apt-get install -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes {{ nspawn_container_distro_required_packages | join(' ') }}

-#start gpg-agent if is is not already running
-<(gpg-agent) || true
-gpg-connect-agent /bye || true
-
-if [[ -f "/root/repo.keys" ]]; then
-  apt-key add /root/repo.keys
-fi
-
 apt-get install -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes {{ nspawn_container_distro_packages | join(' ') }}
 apt-get upgrade -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes
 apt-get clean
--- a/vars/ubuntu-16.04.yml
+++ b/vars/ubuntu-16.04.yml
@ -63,3 +63,4 @@ _nspawn_copy_from_host:
  - /etc/apt/sources.list
  - /etc/apt/apt.conf.d/
  - /etc/apt/preferences.d/
+  - /etc/apt/trusted.gpg.d
--- a/vars/ubuntu-18.04.yml
+++ b/vars/ubuntu-18.04.yml
@ -63,3 +63,4 @@ _nspawn_copy_from_host:
  - /etc/apt/sources.list
  - /etc/apt/apt.conf.d/
  - /etc/apt/preferences.d/
+  - /etc/apt/trusted.gpg.d