Allow unauthenticated packages via puppet provider
After MOS cluster deployment APT configuration allows installation packages coming from unauthenticated DEB repositories. This is a security risk because packages installed from unsigned APT repositories are subject to various threats. This change will move the option to the puppet provider used during the deploy and leave APT configuration secure as it should be. Change-Id: I20ade67e108f0d6666d386b6e00e0cb18df5c571 Closes-Bug: #1594699 Signed-off-by: Maksim Malchuk <mmalchuk@mirantis.com>
This commit is contained in:
parent
ada1c2b3ff
commit
0a743b70ce
|
@ -5,6 +5,7 @@ Puppet::Type.type(:package).provide :apt_fuel, :parent => :apt, :source => :apt
|
|||
desc "Package management via `apt-get` managing locks."
|
||||
|
||||
has_feature :versionable
|
||||
has_feature :install_options
|
||||
|
||||
defaultfor :operatingsystem => [:ubuntu]
|
||||
|
||||
|
@ -14,13 +15,13 @@ Puppet::Type.type(:package).provide :apt_fuel, :parent => :apt, :source => :apt
|
|||
:retry_count,
|
||||
:retry_sleep
|
||||
|
||||
def initialize(value={})
|
||||
super(value)
|
||||
@default_lock_timeout = 300
|
||||
@lock_file = '/var/lib/dpkg/lock'
|
||||
@lock_sleep = 2
|
||||
@retry_count = 3
|
||||
@retry_sleep = 5
|
||||
def initialize(value={})
|
||||
super(value)
|
||||
@default_lock_timeout = 300
|
||||
@lock_file = '/var/lib/dpkg/lock'
|
||||
@lock_sleep = 2
|
||||
@retry_count = 3
|
||||
@retry_sleep = 5
|
||||
end
|
||||
|
||||
def timeout
|
||||
|
@ -67,6 +68,7 @@ Puppet::Type.type(:package).provide :apt_fuel, :parent => :apt, :source => :apt
|
|||
|
||||
def install
|
||||
debug 'Call: install'
|
||||
@resource[:install_options] = ['-o', 'APT::Get::AllowUnauthenticated=1']
|
||||
(1..@retry_count).each do |try|
|
||||
begin
|
||||
wait_for_lock do
|
||||
|
|
|
@ -41,7 +41,7 @@ class osnailyfacter::fuel_pkgs::setup_repositories {
|
|||
}
|
||||
|
||||
apt::conf { 'allow-unathenticated':
|
||||
content => 'APT::Get::AllowUnauthenticated 1;',
|
||||
content => 'APT::Get::AllowUnauthenticated 0;',
|
||||
}
|
||||
|
||||
apt::conf { 'install-recommends':
|
||||
|
|
|
@ -50,9 +50,9 @@ describe Puppet::Type.type(:package).provider(:apt_fuel) do
|
|||
|
||||
it 'should retry the failed installation attempts' do
|
||||
subject.stubs(:locked?).returns(false)
|
||||
subject.expects(:aptget).
|
||||
with('-q', '-y', '-o', 'DPkg::Options::=--force-confold', :install, 'test').
|
||||
raises(Puppet::ExecutionFailure, 'installation failed').times(3)
|
||||
subject.expects(:aptget).with do |*options|
|
||||
options[-2..-1] == [:install, 'test']
|
||||
end.raises(Puppet::ExecutionFailure, 'installation failed').times(3)
|
||||
subject.expects(:aptget).with('-q', '-y', :update).times(2)
|
||||
expect do
|
||||
subject.install
|
||||
|
@ -61,9 +61,9 @@ describe Puppet::Type.type(:package).provider(:apt_fuel) do
|
|||
|
||||
it 'should be able to succeed after failing' do
|
||||
subject.stubs(:locked?).returns(false)
|
||||
subject.expects(:aptget).
|
||||
with('-q', '-y', '-o', 'DPkg::Options::=--force-confold', :install, 'test').
|
||||
raises(Puppet::ExecutionFailure, 'installation failed').then.returns(true).times(2)
|
||||
subject.expects(:aptget).with do |*options|
|
||||
options[-2..-1] == [:install, 'test']
|
||||
end.raises(Puppet::ExecutionFailure, 'installation failed').then.returns(true).times(2)
|
||||
subject.expects(:aptget).with('-q', '-y', :update).times(1)
|
||||
subject.install
|
||||
end
|
||||
|
|
|
@ -43,10 +43,10 @@ define tweaks::ubuntu_service_override (
|
|||
})
|
||||
|
||||
File['create-policy-rc.d'] ->
|
||||
Package <| name == $package_name |> ->
|
||||
Package <| name == $package_name |> { provider => 'apt_fuel' } ->
|
||||
Exec['remove-policy-rc.d']
|
||||
File['create-policy-rc.d'] ->
|
||||
Package <| title == $package_name |> ->
|
||||
Package <| title == $package_name |> { provider => 'apt_fuel' } ->
|
||||
Exec['remove-policy-rc.d']
|
||||
Exec['remove-policy-rc.d'] ->
|
||||
Service <| name == $service_name |>
|
||||
|
|
|
@ -37,7 +37,7 @@ describe manifest do
|
|||
end
|
||||
|
||||
it 'apt-get should allow unathenticated packages' do
|
||||
should contain_apt__conf('allow-unathenticated').with_content('APT::Get::AllowUnauthenticated 1;')
|
||||
should contain_apt__conf('allow-unathenticated').with_content('APT::Get::AllowUnauthenticated 0;')
|
||||
end
|
||||
|
||||
it 'apt-get shouldn\'t install recommended packages' do
|
||||
|
|
Loading…
Reference in New Issue