salt-bootstrap icon indicating copy to clipboard operation
salt-bootstrap copied to clipboard
verified publisher icon saltstack

Add CentOS GPG key to RHEL7 builds

Open jeff350 opened this issue 5 years ago • 12 comments

What does this PR do?

This adds the feature requested in https://github.com/saltstack/salt-bootstrap/issues/1449 to add support for building on Red Hat's Universal Base image. The core issue here was that the GPG key for CentOS was needed for RHEL7 UBI. This MR adds the CentOS key to the saltstack repo in the __install_saltstack_rhel_repository function.

What issues does this PR fix or reference?

https://github.com/saltstack/salt-bootstrap/issues/1449

Previous Behavior

the saltstack repo file did not include the CentOS GPG Key

[saltstack]
name=SaltStack 2019.2 Release Channel for RHEL/CentOS $releasever
baseurl=https://repo.saltstack.com/yum/redhat/7/$basearch/2019.2/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://repo.saltstack.com/yum/redhat/7/$basearch/2019.2/SALTSTACK-GPG-KEY.pubenabled=1
enabled_metadata=1

New Behavior

The key is not in place.

[saltstack]
name=SaltStack 2019.2 Release Channel for RHEL/CentOS $releasever
baseurl=https://repo.saltstack.com/yum/redhat/7/$basearch/2019.2/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://repo.saltstack.com/yum/redhat/7/$basearch/2019.2/SALTSTACK-GPG-KEY.pub,https://repo.saltstack.com/yum/redhat/7/$basearch/2019.2/base/RPM-GPG-KEY-CentOS-7,
enabled=1
enabled_metadata=1

jeff350 avatar Dec 24 '20 19:12 jeff350

Once we have lint fixed, we can see what the test suite has to say about your changes. Would you mind fixing it please?

s0undt3ch avatar Dec 24 '20 20:12 s0undt3ch

@s0undt3ch the lint issue has been fixed and it looks like all tests are passing. Please let me know if there is anything else I can do to help get this merged.

jeff350 avatar Dec 24 '20 22:12 jeff350

@jeff350 are you still working on this? I notice it's still in Draft and the last commit is from a while ago.

bryceml avatar Jul 21 '21 22:07 bryceml

@bryceml This was pretty much ready to go the only issue was the tests. I was looking to have redhat add the openssh-server packages to the UBI repositories to allow for the tests that I added to succeed. I have asked Redhat about this a number of times and it seems that they are in no rush to help.

I see 2 possible paths forward

  1. We remove the tests for the RHEL UBI and merge this in with RHEL UBI support untested
  2. We leave this in an draft state and continue to try to get the RHEL UBI developers to add the openssh-server package to allow for successful testing with kitchen.

My preference would be 2. Please let me know what direction you would like to go in. If we decide to go with 2 it could be helpful to have Saltstack the organization put some pressure on this.

links to the UBI package can be found here: https://access.redhat.com/articles/4238681 requests for adding packages can be done here: https://bugzilla.redhat.com/

jeff350 avatar Jul 22 '21 22:07 jeff350

I think it would be fine to split this into 2 PRs, one that's just the changes to bootstrap so people can have the fix. It should pass the existing tests and we should probably have someone manually verify that the change fixes the problem on rhel.

Then we can leave a PR in draft for the tests until redhat adds that.

or install ssh some other way.

bryceml avatar Jul 29 '21 23:07 bryceml

@jeff350 are you ready for this to be merged ? Can you mark it Ready for review ?

bryceml avatar Oct 11 '21 15:10 bryceml

@jeff350 it seems that the ubi images don't have packages available that are needed for salt, such as python3 for rhel7, and python3-systemd for rhel8.

I'm don't think there's a good way around that issue for testing against them.

bryceml avatar Oct 11 '21 16:10 bryceml

@bryceml I am assuming all of the freebsd tests and fedora 35 tests are already failing in develop and do not need to be fixed.

it seems there are a few main issues

  1. install_red_hat_enterprise_linux_git fails to install because python3 command is not found. it seems this should be installed in the set up Python 3.7 stage should that stage be verifying that the python3 command exists or should this be done in the bootstrap script?
  2. python36-setuptools is not available for salt 3003 rhel7 , it looks like this was provided in salt repos but was removed in 3003, I see the fix here as getting this added to salt or UBI repos. Salt seems easier, is this possible?
  3. python3-systemd is not available for salt 3003 rhel8, again options are add to salt repos or UBI repo.

This was not originally an issue since I started this MR before salt 3003 was released.

jeff350 avatar Oct 11 '21 17:10 jeff350

@bryceml I am assuming all of the freebsd tests and fedora 35 tests are already failing in develop and do not need to be fixed.

that is true

it seems there are a few main issues

1. install_red_hat_enterprise_linux_git fails to install because python3 command is not found. it seems this should be installed in the `set up Python 3.7 stage` should that stage be verifying that the python3 command exists or should this be done in the bootstrap script?

python3 is probably not installed because it's not available from any repo would be my guess, I haven't looked into it super closely.

2. python36-setuptools is not available for salt 3003 rhel7 , it looks like this was provided in salt repos but was removed in 3003, I see the fix here as getting this added to salt or UBI repos. Salt seems easier, is this possible?

sure, we can add it to the base folder for rhel7

3. python3-systemd is not available for salt 3003 rhel8, again options are add to salt repos or UBI repo.

As far as I'm aware, there are no plans to add a base folder, or put packages that should come from the distro's repos into the salt repos, for anything other than rhel 7. If we'd like to change that, that's probably something that would be good to bring up in open hour on Thursdays. Probably good to open an issue about it to as a feature request.

This was not originally an issue since I started this MR before salt 3003 was released.

Yeah, python3 has been removed from epel since then since it was added to the rhel/centos official repos. We include epel packages in the salt repo, so epel is not required, but we do not include normal system packages that should come from the upstream repo. The base folder has not been touched since then, we probably should have added the relevant packages to the centos 7 base folder when python3 was removed from epel to the distro repos.

bryceml avatar Oct 11 '21 18:10 bryceml

I opened https://github.com/saltstack/salt-bootstrap/pull/1608 if you think we should merge that now.

bryceml avatar Oct 11 '21 18:10 bryceml

I would say merge #1608 now since the packages may take some time to figure out.

jeff350 avatar Oct 11 '21 19:10 jeff350

Is this still relevant?

s0undt3ch avatar Aug 12 '22 06:08 s0undt3ch

@s0undt3ch I am closing this. the RHEL UBI will not be useful for salt formula testing since they strip so many packages from their repos.

jeff350 avatar Dec 28 '22 03:12 jeff350