| Message ID | 20241126141210.2004080-1-felix.moessbauer@siemens.com |
|---|---|
| State | Accepted, archived |
| Headers | show |
| Series | [1/1] fix: include ca-certificates in mmdebstrap if needed | expand |
26/11/2024 16:12, 'Felix Moessbauer' via isar-users wrote: > In case we have apt URLs with https, we also need the ca-certificates > package. While that is not needed in mmdebstrap itself (as it uses the > host packages), it will be needed in the later rootfs install tasks like > sbuild-chroot and image install. Otherwise these tasks will fail due to > certificate errors. > > For now, I copied over the logic from the old isar-bootstrap file, but > we might want to unify this. Also, I did not copy the gnupg part as I'm > unsure if that is needed. > > Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com> > --- > I'm wondering how that was not noticed earlier. It literally breaks > ALL Ubuntu builds against snapshot mirrors. > > Best regards, > Felix Moessbauer > Siemens AG Hello Felix, Thanks for that fix. It's all about changes between mmdebstrap versions of different distros. Original development of this implementation was done when bullseye still was using as host distro. And mmdebstrap in bullseye was handling https inside URIs itself: >If any mirror contains a https URI, then the packages apt-transport-https and ca-certificates will be installed inside the chroot. But it turns out this logic was changed in bookworm version of mmdebstrap: >If you specify a https or tor MIRROR and you want the chroot to be able to update itself, don't forget to also install the ca-certificates package, the apt-transport-https package for apt versions less than 1.5 and/or the apt-transport-tor package using the --include option, as necessary. So we should do it manually now. And probably cover snapshot mirrors by CI to avoid such a regression later.
On Tue, 2024-11-26 at 15:12 +0100, 'Felix Moessbauer' via isar-users wrote: > In case we have apt URLs with https, we also need the ca-certificates > package. While that is not needed in mmdebstrap itself (as it uses > the > host packages), it will be needed in the later rootfs install tasks > like > sbuild-chroot and image install. Otherwise these tasks will fail due > to > certificate errors. > > For now, I copied over the logic from the old isar-bootstrap file, > but > we might want to unify this. Also, I did not copy the gnupg part as > I'm > unsure if that is needed. > > Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com> > --- > I'm wondering how that was not noticed earlier. It literally breaks > ALL Ubuntu builds against snapshot mirrors. > > Best regards, > Felix Moessbauer > Siemens AG > > .../isar-mmdebstrap/isar-mmdebstrap.inc | 13 > +++++++++++++ > 1 file changed, 13 insertions(+) > > diff --git a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc > b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc > index 1043f2d1..c8ea53ab 100644 > --- a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc > +++ b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc > @@ -12,6 +12,8 @@ inherit deb-dl-dir > FILESEXTRAPATHS:append = ":${LAYERDIR_core}/recipes-core/isar- > bootstrap/files" > > DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales,apt,usrmerge" > +DISTRO_BOOTSTRAP_BASE_PACKAGES:append:https-support = ",ca- > certificates" > + > BOOTSTRAP_TMPDIR = "${WORKDIR}/tempdir" > > # Fix for /var/lib/apt/available while maybe-jessie-or-older hook do > not work > @@ -24,6 +26,17 @@ MMHOOKS:debian-buster ?= "${DPKG_HOOKS}" > > DISTRO_BOOTSTRAP_KEYRING = "${WORKDIR}/distro-keyring.gpg" > > +def get_distro_have_https_source(d): > + return any(source[2].startswith("https://") for source in > generate_distro_sources(d)) > + > +def get_distro_needs_https_support(d): > + if get_distro_have_https_source(d): > + return "https-support" > + else: > + return "" > + > +OVERRIDES:append = ":${@get_distro_needs_https_support(d)}" > + > do_generate_keyrings[cleandirs] = "${WORKDIR}/trusted.gpg.d" > do_generate_keyrings[dirs] = "${DEBDIR}" > do_generate_keyrings[vardeps] += "DISTRO_BOOTSTRAP_KEYS > THIRD_PARTY_APT_KEYS" > -- > 2.39.5 > Applied to next, thanks.
diff --git a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc index 1043f2d1..c8ea53ab 100644 --- a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc +++ b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc @@ -12,6 +12,8 @@ inherit deb-dl-dir FILESEXTRAPATHS:append = ":${LAYERDIR_core}/recipes-core/isar-bootstrap/files" DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales,apt,usrmerge" +DISTRO_BOOTSTRAP_BASE_PACKAGES:append:https-support = ",ca-certificates" + BOOTSTRAP_TMPDIR = "${WORKDIR}/tempdir" # Fix for /var/lib/apt/available while maybe-jessie-or-older hook do not work @@ -24,6 +26,17 @@ MMHOOKS:debian-buster ?= "${DPKG_HOOKS}" DISTRO_BOOTSTRAP_KEYRING = "${WORKDIR}/distro-keyring.gpg" +def get_distro_have_https_source(d): + return any(source[2].startswith("https://") for source in generate_distro_sources(d)) + +def get_distro_needs_https_support(d): + if get_distro_have_https_source(d): + return "https-support" + else: + return "" + +OVERRIDES:append = ":${@get_distro_needs_https_support(d)}" + do_generate_keyrings[cleandirs] = "${WORKDIR}/trusted.gpg.d" do_generate_keyrings[dirs] = "${DEBDIR}" do_generate_keyrings[vardeps] += "DISTRO_BOOTSTRAP_KEYS THIRD_PARTY_APT_KEYS"
In case we have apt URLs with https, we also need the ca-certificates package. While that is not needed in mmdebstrap itself (as it uses the host packages), it will be needed in the later rootfs install tasks like sbuild-chroot and image install. Otherwise these tasks will fail due to certificate errors. For now, I copied over the logic from the old isar-bootstrap file, but we might want to unify this. Also, I did not copy the gnupg part as I'm unsure if that is needed. Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com> --- I'm wondering how that was not noticed earlier. It literally breaks ALL Ubuntu builds against snapshot mirrors. Best regards, Felix Moessbauer Siemens AG .../isar-mmdebstrap/isar-mmdebstrap.inc | 13 +++++++++++++ 1 file changed, 13 insertions(+)