From 28547b743f3ae76628143e795159efb27e585bb4 Mon Sep 17 00:00:00 2001 From: Didier METRAL Date: Tue, 11 Mar 2025 13:49:15 +0100 Subject: [PATCH 1/5] fix(repositories): force aptkey if signed-by and allow aptkey --- .gitlab-ci.yml | 50 +++++----- .pre-commit-config.yaml | 2 +- .travis.yml | 18 ++-- apt/map.jinja | 4 + apt/repositories.sls | 16 ++++ kitchen.yml | 92 +++++++++---------- pillar.example | 11 +++ .../controls/repositories_spec.rb | 19 ++++ test/salt/pillar/repositories.sls | 8 ++ 9 files changed, 136 insertions(+), 84 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index d92b1bc..3b7da7c 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -131,12 +131,10 @@ rubocop: # Make sure the instances listed below match up with # the `platforms` defined in `kitchen.yml` # yamllint disable rule:line-length -# repositories-debian-11-tiamat-py3: {extends: '.test_instance'} -# repositories-debian-10-tiamat-py3: {extends: '.test_instance'} -# repositories-debian-9-tiamat-py3: {extends: '.test_instance'} -# repositories-ubuntu-2204-tiamat-py3: {extends: '.test_instance_failure_permitted'} -# repositories-ubuntu-2004-tiamat-py3: {extends: '.test_instance'} -# repositories-ubuntu-1804-tiamat-py3: {extends: '.test_instance'} +# repositories-debian-12-master-py3: {extends: '.test_instance_failure_permitted'} +# preferences-debian-12-master-py3: {extends: '.test_instance_failure_permitted'} +# unattended-debian-12-master-py3: {extends: '.test_instance_failure_permitted'} +# debian-12-master-py3: {extends: '.test_instance_failure_permitted'} # repositories-debian-11-master-py3: {extends: '.test_instance'} # preferences-debian-11-master-py3: {extends: '.test_instance'} # unattended-debian-11-master-py3: {extends: '.test_instance'} 
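Review bot: The new `debian-12-master-py3` entry is added commented out (`# debian-12-master-py3: {extends: '.test_instance_failure_permitted'}`), so CI never runs it. The same holds for `ubuntu-2404-master-py3` in the next hunk and for both instances in `.travis.yml`, which means none of the platforms this series adds to `kitchen.yml` is exercised. These are the newest releases the formula claims to support, and the new `signed-by` / `aptkey: false` handling in `apt/repositories.sls` goes untested on them. I would enable at least `debian-12-master-py3: {extends: '.test_instance_failure_permitted'}`.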
@@ -145,14 +143,14 @@ debian-11-master-py3: {extends: '.test_instance'} # preferences-debian-10-master-py3: {extends: '.test_instance'} # unattended-debian-10-master-py3: {extends: '.test_instance'} debian-10-master-py3: {extends: '.test_instance'} -# repositories-debian-9-master-py3: {extends: '.test_instance'} -# preferences-debian-9-master-py3: {extends: '.test_instance'} -# unattended-debian-9-master-py3: {extends: '.test_instance'} -debian-9-master-py3: {extends: '.test_instance'} -# repositories-ubuntu-2204-master-py3: {extends: '.test_instance_failure_permitted'} -# preferences-ubuntu-2204-master-py3: {extends: '.test_instance_failure_permitted'} -# unattended-ubuntu-2204-master-py3: {extends: '.test_instance_failure_permitted'} -ubuntu-2204-master-py3: {extends: '.test_instance_failure_permitted'} +# repositories-ubuntu-2404-master-py3: {extends: '.test_instance_failure_permitted'} +# preferences-ubuntu-2404-master-py3: {extends: '.test_instance_failure_permitted'} +# unattended-ubuntu-2404-master-py3: {extends: '.test_instance_failure_permitted'} +# ubuntu-2404-master-py3: {extends: '.test_instance_failure_permitted'} +# repositories-ubuntu-2204-master-py3: {extends: '.test_instance'} +# preferences-ubuntu-2204-master-py3: {extends: '.test_instance'} +# unattended-ubuntu-2204-master-py3: {extends: '.test_instance'} +ubuntu-2204-master-py3: {extends: '.test_instance'} # repositories-ubuntu-2004-master-py3: {extends: '.test_instance'} # preferences-ubuntu-2004-master-py3: {extends: '.test_instance'} # unattended-ubuntu-2004-master-py3: {extends: '.test_instance'} 
@@ -161,16 +159,20 @@ ubuntu-2004-master-py3: {extends: '.test_instance'} # preferences-ubuntu-1804-master-py3: {extends: '.test_instance'} # unattended-ubuntu-1804-master-py3: {extends: '.test_instance'} ubuntu-1804-master-py3: {extends: '.test_instance'} -# repositories-debian-11-3004-1-py3: {extends: '.test_instance'} -# repositories-debian-10-3004-1-py3: {extends: '.test_instance'} -# repositories-debian-9-3004-1-py3: {extends: '.test_instance'} -# repositories-ubuntu-2204-3004-1-py3: {extends: '.test_instance_failure_permitted'} -# repositories-ubuntu-2004-3004-1-py3: {extends: '.test_instance'} -# repositories-ubuntu-1804-3004-1-py3: {extends: '.test_instance'} -# repositories-debian-10-3003-4-py3: {extends: '.test_instance'} -# repositories-debian-9-3003-4-py3: {extends: '.test_instance'} -# repositories-ubuntu-2004-3003-4-py3: {extends: '.test_instance'} -# repositories-ubuntu-1804-3003-4-py3: {extends: '.test_instance'} +# repositories-debian-12-3007-1-py3: {extends: '.test_instance_failure_permitted'} +# repositories-debian-11-3007-1-py3: {extends: '.test_instance'} +# repositories-debian-10-3007-1-py3: {extends: '.test_instance'} +# repositories-ubuntu-2404-3007-1-py3: {extends: '.test_instance_failure_permitted'} +# repositories-ubuntu-2204-3007-1-py3: {extends: '.test_instance'} +# repositories-ubuntu-2004-3007-1-py3: {extends: '.test_instance'} +# repositories-ubuntu-1804-3007-1-py3: {extends: '.test_instance'} +# repositories-debian-12-3006-9-py3: {extends: '.test_instance_failure_permitted'} +# repositories-debian-11-3006-9-py3: {extends: '.test_instance'} +# repositories-debian-10-3006-9-py3: {extends: '.test_instance'} +# repositories-ubuntu-2404-3006-9-py3: {extends: '.test_instance_failure_permitted'} +# repositories-ubuntu-2204-3006-9-py3: {extends: '.test_instance'} +# repositories-ubuntu-2004-3006-9-py3: {extends: '.test_instance'} +# repositories-ubuntu-1804-3006-9-py3: {extends: '.test_instance'} # yamllint enable rule:line-length 
############################################################################### diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1299a84..0abb695 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -53,7 +53,7 @@ repos: always_run: true pass_filenames: false - repo: https://github.com/warpnet/salt-lint - rev: v0.8.0 + rev: v0.9.2 hooks: - id: salt-lint name: Check Salt files using salt-lint diff --git a/.travis.yml b/.travis.yml index 75dabaf..4d3d799 100644 --- a/.travis.yml +++ b/.travis.yml @@ -83,12 +83,10 @@ jobs: ## Define the rest of the matrix based on Kitchen testing # Make sure the instances listed below match up with # the `platforms` defined in `kitchen.yml` - # - env: INSTANCE=repositories-debian-11-tiamat-py3 - # - env: INSTANCE=repositories-debian-10-tiamat-py3 - # - env: INSTANCE=repositories-debian-9-tiamat-py3 - # - env: INSTANCE=repositories-ubuntu-2204-tiamat-py3 - # - env: INSTANCE=repositories-ubuntu-2004-tiamat-py3 - # - env: INSTANCE=repositories-ubuntu-1804-tiamat-py3 + # - env: INSTANCE=repositories-debian-12-master-py3 + # - env: INSTANCE=preferences-debian-12-master-py3 + # - env: INSTANCE=unattended-debian-12-master-py3 + # - env: INSTANCE=debian-12-master-py3 # - env: INSTANCE=repositories-debian-11-master-py3 # - env: INSTANCE=preferences-debian-11-master-py3 # - env: INSTANCE=unattended-debian-11-master-py3 
@@ -97,10 +95,10 @@ jobs: # - env: INSTANCE=preferences-debian-10-master-py3 # - env: INSTANCE=unattended-debian-10-master-py3 - env: INSTANCE=debian-10-master-py3 - # - env: INSTANCE=repositories-debian-9-master-py3 - # - env: INSTANCE=preferences-debian-9-master-py3 - # - env: INSTANCE=unattended-debian-9-master-py3 - - env: INSTANCE=debian-9-master-py3 + # - env: INSTANCE=repositories-ubuntu-2404-master-py3 + # - env: INSTANCE=preferences-ubuntu-2404-master-py3 + # - env: INSTANCE=unattended-ubuntu-2404-master-py3 + # - env: INSTANCE=ubuntu-2404-master-py3 # - env: INSTANCE=repositories-ubuntu-2204-master-py3 # - env: INSTANCE=preferences-ubuntu-2204-master-py3 # - env: INSTANCE=unattended-ubuntu-2204-master-py3 diff --git a/apt/map.jinja b/apt/map.jinja index d77073e..be14df0 100644 --- a/apt/map.jinja +++ b/apt/map.jinja @@ -13,6 +13,8 @@ 'preferences': {}, 'remove_preferences': false, 'clean_preferences_d': false, + 'keyrings_dir': '/etc/apt/keyrings', + 'clean_keyrings_list_d': false, 'remove_apt_conf': false, 'clean_apt_conf_d': false, 'apt_conf_d': {}, @@ -52,6 +54,8 @@ 'preferences': {}, 'remove_preferences': false, 'clean_preferences_d': false, + 'keyrings_dir': '/etc/apt/keyrings', + 'clean_keyrings_list_d': false, 'remove_apt_conf': false, 'clean_apt_conf_d': false, 'apt_conf_d': {}, diff --git a/apt/repositories.sls b/apt/repositories.sls index 032cc47..b765dac 100644 --- a/apt/repositories.sls +++ b/apt/repositories.sls 
@@ -3,6 +3,8 @@ {% set remove_sources_list = apt.get('remove_sources_list', apt_map.remove_sources_list) %} {% set clean_sources_list_d = apt.get('clean_sources_list_d', apt_map.clean_sources_list_d) %} {% set sources_list_dir = apt.get('sources_list_dir', apt_map.sources_list_dir) %} +{% set keyrings_dir = apt.get('keyrings_dir', apt_map.keyrings_dir) %} +{% set clean_keyrings_list_d = apt.get('clean_keyrings_list_d', apt_map.clean_keyrings_list_d) %} {% set repositories = apt.get('repositories', apt_map.repositories) %} {% set default_url = apt.get('default_url', apt_map.default_url) %} {% set keyring_package = apt.get('keyring_package', apt_map.default_keyring_package) %} @@ -30,6 +32,14 @@ - group: root - clean: {{ clean_sources_list_d }} +{{ keyrings_dir }}: + file.directory: + - mode: '0755' + - user: root + - group: root + - clean: {{ clean_keyrings_list_d }} + + {% for repo, args in repositories.items() %} {% set r_opts = '' %} @@ -69,6 +79,9 @@ the latter will be used. #} {% if args.key_url is defined %} - key_url: {{ args.key_url }} + {% if 'signed-by=' in r_opts|lower and args.aptkey is not defined %} + - aptkey: false + {% endif %} {% elif args.key_text is defined %} - key_text: {{ args.key_text }} {% elif args.keyid is defined %} @@ -78,6 +91,9 @@ - clean_file: true - refresh: False - refresh_db: False + {% if args.aptkey is defined %} + - aptkey: {{ args.aptkey }} + {% endif %} - onchanges_in: - module: apt.refresh_db diff --git a/kitchen.yml b/kitchen.yml index a46b6c6..79f0499 100644 --- a/kitchen.yml +++ b/kitchen.yml 
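Review bot: With `clean: {{ clean_keyrings_list_d }}` rendered as true (which `pillar.example` in this patch sets), this `file.directory` state deletes every file under `keyrings_dir` that no file state references, and the keyring that `pkgrepo.managed` writes for a `signed-by=` path is not a file state. Unless something outside this hunk protects it, a later run can remove the key a repository is pinned to, along with keyrings placed there by packages or other formulas, and apt can then no longer verify those sources. I would keep the example at `false` and document the effect, e.g. `# clean_keyrings_list_d: true also removes keyrings this formula did not create`. Alternatively, add a `file.managed` with `replace: false` and a `require_in` on this directory for each `signed-by` path.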
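Review bot: The forced `- aptkey: false` sits only inside the `key_url` branch, so a repository that sets `signed-by=` in `opts` together with `key_text` or `keyid` still takes the default apt-key path. That path puts the key in the global trusted keyring rather than the file named by `signed-by`, so the key is trusted for every source on the host, which is what `signed-by` is meant to prevent. I would compute the condition once before the `key_url` test, e.g. `{% set force_keyring = 'signed-by=' in r_opts|lower and args.aptkey is not defined %}`, and emit `- aptkey: false` whenever it is true. This assumes `pkgrepo.managed` honours `aptkey: false` for those key sources in the Salt versions targeted; the enclosing state starts and ends outside the hunk.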
@@ -19,33 +19,11 @@ provisioner: - .git platforms: - ## SALT `tiamat` - - name: debian-11-tiamat-py3 - driver: - image: saltimages/salt-tiamat-py3:debian-11 - run_command: /lib/systemd/systemd - - name: debian-10-tiamat-py3 - driver: - image: saltimages/salt-tiamat-py3:debian-10 - run_command: /lib/systemd/systemd - - name: debian-9-tiamat-py3 - driver: - image: saltimages/salt-tiamat-py3:debian-9 - run_command: /lib/systemd/systemd - - name: ubuntu-2204-tiamat-py3 - driver: - image: saltimages/salt-tiamat-py3:ubuntu-22.04 - run_command: /lib/systemd/systemd - - name: ubuntu-2004-tiamat-py3 - driver: - image: saltimages/salt-tiamat-py3:ubuntu-20.04 - run_command: /lib/systemd/systemd - - name: ubuntu-1804-tiamat-py3 + ## SALT `master` + - name: debian-12-master-py3 driver: - image: saltimages/salt-tiamat-py3:ubuntu-18.04 + image: saltimages/salt-master-py3:debian-12 run_command: /lib/systemd/systemd - - ## SALT `master` - name: debian-11-master-py3 driver: image: saltimages/salt-master-py3:debian-11 @@ -54,9 +32,9 @@ platforms: driver: image: saltimages/salt-master-py3:debian-10 run_command: /lib/systemd/systemd - - name: debian-9-master-py3 + - name: ubuntu-2404-master-py3 driver: - image: saltimages/salt-master-py3:debian-9 + image: saltimages/salt-master-py3:ubuntu-24.04 run_command: /lib/systemd/systemd - name: ubuntu-2204-master-py3 driver: 
@@ -71,48 +49,64 @@ platforms: image: saltimages/salt-master-py3:ubuntu-18.04 run_command: /lib/systemd/systemd - ## SALT `3004.1` - - name: debian-11-3004-1-py3 + ## SALT `3007.1` + - name: debian-12-3007-1-py3 driver: - image: saltimages/salt-3004.1-py3:debian-11 + image: saltimages/salt-3007.1-py3:debian-12 run_command: /lib/systemd/systemd - - name: debian-10-3004-1-py3 + - name: debian-11-3007-1-py3 driver: - image: saltimages/salt-3004.1-py3:debian-10 + image: saltimages/salt-3007.1-py3:debian-11 run_command: /lib/systemd/systemd - - name: debian-9-3004-1-py3 + - name: debian-10-3007-1-py3 driver: - image: saltimages/salt-3004.1-py3:debian-9 + image: saltimages/salt-3007.1-py3:debian-10 run_command: /lib/systemd/systemd - - name: ubuntu-2204-3004-1-py3 + - name: ubuntu-2404-3007-1-py3 driver: - image: saltimages/salt-3004.1-py3:ubuntu-22.04 + image: saltimages/salt-3007.1-py3:ubuntu-24.04 run_command: /lib/systemd/systemd - - name: ubuntu-2004-3004-1-py3 + - name: ubuntu-2204-3007-1-py3 driver: - image: saltimages/salt-3004.1-py3:ubuntu-20.04 + image: saltimages/salt-3007.1-py3:ubuntu-22.04 run_command: /lib/systemd/systemd - - name: ubuntu-1804-3004-1-py3 + - name: ubuntu-2004-3007-1-py3 driver: - image: saltimages/salt-3004.1-py3:ubuntu-18.04 + image: saltimages/salt-3007.1-py3:ubuntu-20.04 + run_command: /lib/systemd/systemd + - name: ubuntu-1804-3007-1-py3 + driver: + image: saltimages/salt-3007.1-py3:ubuntu-18.04 run_command: /lib/systemd/systemd - ## SALT `3003.4` - - name: debian-10-3003-4-py3 + ## SALT `3006.9` + - name: debian-12-3006-9-py3 + driver: + image: saltimages/salt-3006.9-py3:debian-12 + run_command: /lib/systemd/systemd + - name: debian-11-3006-9-py3 + driver: + image: saltimages/salt-3006.9-py3:debian-11 + run_command: /lib/systemd/systemd + - name: debian-10-3006-9-py3 + driver: + image: saltimages/salt-3006.9-py3:debian-10 + run_command: /lib/systemd/systemd + - name: ubuntu-2404-3006-9-py3 driver: - image: 
saltimages/salt-3003.4-py3:debian-10 + image: saltimages/salt-3006.9-py3:ubuntu-24.04 run_command: /lib/systemd/systemd - - name: debian-9-3003-4-py3 + - name: ubuntu-2204-3006-9-py3 driver: - image: saltimages/salt-3003.4-py3:debian-9 + image: saltimages/salt-3006.9-py3:ubuntu-22.04 run_command: /lib/systemd/systemd - - name: ubuntu-2004-3003-4-py3 + - name: ubuntu-2004-3006-9-py3 driver: - image: saltimages/salt-3003.4-py3:ubuntu-20.04 + image: saltimages/salt-3006.9-py3:ubuntu-20.04 run_command: /lib/systemd/systemd - - name: ubuntu-1804-3003-4-py3 + - name: ubuntu-1804-3006-9-py3 driver: - image: saltimages/salt-3003.4-py3:ubuntu-18.04 + image: saltimages/salt-3006.9-py3:ubuntu-18.04 run_command: /lib/systemd/systemd verifier: diff --git a/pillar.example b/pillar.example index 6f313a0..0fe3b37 100644 --- a/pillar.example +++ b/pillar.example @@ -14,6 +14,9 @@ apt: remove_preferences: true clean_preferences_d: true + keyrings_dir: '/etc/apt/keyrings' + clean_keyrings_list_d: true + apt_conf_d: 30release: 'APT::Default-Release': stable @@ -126,6 +129,14 @@ apt: opts: trusted: 'yes' another: whatever + saltstack: + distro: stable + url: https://packages.broadcom.com/artifactory/saltproject-deb + comps: [main] + type: [binary] + key_url: https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public # yamllint disable-line rule:line-length + opts: "signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp" + preferences: 00-rspamd: diff --git a/test/integration/repositories/controls/repositories_spec.rb b/test/integration/repositories/controls/repositories_spec.rb index c08eef9..cac9731 100644 --- a/test/integration/repositories/controls/repositories_spec.rb +++ b/test/integration/repositories/controls/repositories_spec.rb 
@@ -64,4 +64,23 @@ describe file('/etc/apt/sources.list.d/raspbian-binary.list') do it { should_not exist } end + + describe file('/etc/apt/sources.list.d/saltstack.list') do + it { should exist } + it { should be_owned_by 'root' } + it { should be_grouped_into 'root' } + its('mode') { should cmp '0644' } + its(:content) do + should match( + %r{deb \[\s?signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp\s?\] https://packages.broadcom.com/artifactory/saltproject-deb stable main} + ) + end + end + + describe file('/etc/apt/keyrings/salt-archive-keyring.pgp') do + it { should exist } + it { should be_owned_by 'root' } + it { should be_grouped_into 'root' } + its('mode') { should cmp '0644' } + end end diff --git a/test/salt/pillar/repositories.sls b/test/salt/pillar/repositories.sls index 97aeb3b..3edd516 100644 --- a/test/salt/pillar/repositories.sls +++ b/test/salt/pillar/repositories.sls @@ -27,3 +27,11 @@ apt: url: http://archive.raspbian.org/raspbian type: [source] key_url: https://archive.raspbian.org/raspbian.public.key + saltstack: + filename: saltstack.list + distro: stable + url: https://packages.broadcom.com/artifactory/saltproject-deb + comps: [main] + type: [binary] + key_url: https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public # yamllint disable-line rule:line-length + opts: "signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp" \ No newline at end of file From 9abb98de6a084d71dc281ff5c2ade1d00db15083 Mon Sep 17 00:00:00 2001 From: Robbe Van der Gucht Date: Mon, 17 Mar 2025 13:03:32 +0100 Subject: [PATCH 2/5] feat(repositories): stop removing sources files to get them added again --- apt/repositories.sls | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/apt/repositories.sls b/apt/repositories.sls index b765dac..b5b4250 100644 --- a/apt/repositories.sls +++ b/apt/repositories.sls 
@@ -96,7 +96,13 @@ {% endif %} - onchanges_in: - module: apt.refresh_db - + file.managed: + - name: {{ sources_list_dir }}/{{ r_file }} + - replace: false + - require_in: + - file: {{ sources_list_dir }} + # require_in the directory clean state + # This way, we don't remove all the files, just to add them again. {%- endfor %} {% endfor %} From 5186059e78c41fcb667f78b9006cb15554d0cf7a Mon Sep 17 00:00:00 2001 From: Robbe Van der Gucht Date: Mon, 17 Mar 2025 14:54:12 +0100 Subject: [PATCH 3/5] feat(repositories): support for an unmanaged sources.list file --- apt/apt_conf.sls | 4 ++-- apt/listchanges.sls | 2 +- apt/map.jinja | 14 ++++++++++---- apt/repositories.sls | 16 ++++++++++++++++ kitchen.yml | 4 ++++ pillar.example | 3 ++- .../repositories/controls/repositories_spec.rb | 9 ++------- test/salt/pillar/repositories.sls | 11 ++++------- test/salt/states/unmanaged.sls | 6 ++++++ 9 files changed, 47 insertions(+), 22 deletions(-) create mode 100644 test/salt/states/unmanaged.sls diff --git a/apt/apt_conf.sls b/apt/apt_conf.sls index 8a07461..be6d436 100644 --- a/apt/apt_conf.sls +++ b/apt/apt_conf.sls @@ -18,7 +18,7 @@ {{ confd_dir }}: file.directory: - - mode: 755 + - mode: '0755' - user: root - group: root - clean: {{ clean_apt_conf_d }} @@ -30,7 +30,7 @@ - template: jinja - user: root - group: root - - mode: 644 + - mode: '0644' - context: data: {{ contents }} - require_in: diff --git a/apt/listchanges.sls b/apt/listchanges.sls index 87fb06f..2d81edc 100644 --- a/apt/listchanges.sls +++ b/apt/listchanges.sls @@ -13,5 +13,5 @@ apt_listchanges_pkgs: - template: jinja - user: root - group: root - - mode: 644 + - mode: '0644' - source: {{ listchanges_config_template }} diff --git a/apt/map.jinja b/apt/map.jinja index be14df0..2249b59 100644 --- a/apt/map.jinja +++ b/apt/map.jinja 
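Review bot: The added `file.managed` declares no `user`, `group` or `mode`, so if it ever creates `{{ sources_list_dir }}/{{ r_file }}` itself, ownership and permissions fall to defaults rather than the root-owned `0644` the integration spec checks for. With `replace: false` and no contents it would presumably create an empty file when the path is missing. For a file that tells apt where to fetch packages from I would state them explicitly: `- user: root`, `- group: root`, `- mode: '0644'`. The explanatory comment would also read better above `- require_in:` than after the state, e.g. `# require_in the directory state so clean keeps this file instead of deleting and re-adding it`. The enclosing `pkgrepo.managed` state starts outside the hunk.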
@@ -1,5 +1,7 @@ {% set distribution = salt['grains.get']('lsb_distrib_codename') %} {% set arch = salt['grains.get']('osarch').split(' ') %} +{% set debian_comp = ['main', 'contrib', 'non-free', 'non-free-firmware'] if salt['grains.get']('osmajorrelease') >= 12 else ['main', 'contrib', 'non-free'] %} + {% set apt = salt['grains.filter_by']({ 'Debian': { 'pkgs': ['unattended-upgrades'], @@ -26,19 +28,22 @@ 'distro': distribution, 'url': 'http://deb.debian.org/debian/', 'arch': arch, - 'comps': ['main'], + 'comps': debian_comp, + 'opts': 'signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp' }, 'security-stable': { - 'distro': distribution ~ '/updates', + 'distro': distribution ~ '-security', 'url': 'http://security.debian.org/', 'arch': arch, - 'comps': ['main'], + 'comps': debian_comp, + 'opts': 'signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp' }, 'default-updates': { 'distro': distribution ~ '-updates', 'url': 'http://deb.debian.org/debian/', 'arch': arch, - 'comps': ['main'], + 'comps': debian_comp, + 'opts': 'signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp' }, }, }, @@ -87,4 +92,5 @@ 'Mint': { 'keyring_package': 'linuxmint-keyring' }, + }, grain='oscodename', merge=salt['pillar.get']('apt:lookup'), default='Debian')) %} diff --git a/apt/repositories.sls b/apt/repositories.sls index b5b4250..8332f31 100644 --- a/apt/repositories.sls +++ b/apt/repositories.sls 
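Review bot: `'distro': distribution ~ '-security'` is now applied to every release, but Debian 10 and older name the security suite `<codename>/updates`, and `kitchen.yml` still lists `debian-10` platforms. On those hosts the default `security-stable` source would point at a suite that does not exist, so security updates stop arriving until someone notices the failing `apt update`. The first hunk of this file already branches on `osmajorrelease` for `debian_comp`; the same test could choose the suffix, e.g. `{% set debian_security = '-security' if salt['grains.get']('osmajorrelease') >= 11 else '/updates' %}`.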
@@ -25,12 +25,28 @@ - replace: False {% endif %} +{% set excluded_sources = [] %} +{% set unmanaged_repos = [] %} +{% for repo, args in repositories.items() %} + {% if args.unmanaged is defined and args.unmanaged %} + {# repo.list is considered the filename unless filename is explicitly defined. + # managed repo lists files are constructed repo-type.list #} + {% do excluded_sources.append(args.filename if args.filename is defined else repo ~ '.list') %} + {% do unmanaged_repos.append(repo) %} + {% endif %} +{% endfor %} +{% for repo in unmanaged_repos %} + {# remove these repo's to avoid pgrepo.managed loop #} + {% do repositories.pop(repo) %} +{% endfor %} + {{ sources_list_dir }}: file.directory: - mode: '0755' - user: root - group: root - clean: {{ clean_sources_list_d }} + - exclude_pat: {{ excluded_sources | json }} {{ keyrings_dir }}: file.directory: diff --git a/kitchen.yml b/kitchen.yml index 79f0499..f1adb20 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -123,6 +123,7 @@ suites: state_top: base: '*': + - states/unmanaged - apt._mapdata - apt.repositories - apt.update @@ -133,6 +134,9 @@ suites: - apt pillars_from_files: apt.sls: test/salt/pillar/repositories.sls + dependencies: + - name: states + path: ./test/salt verifier: inspec_tests: - path: test/integration/repositories diff --git a/pillar.example b/pillar.example index 0fe3b37..653da79 100644 --- a/pillar.example +++ b/pillar.example @@ -136,7 +136,8 @@ apt: type: [binary] key_url: https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public # yamllint disable-line rule:line-length opts: "signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp" - + rabbitmq: + unmanaged: true # useful when rabbitmq.list is managed by another formula preferences: 00-rspamd: diff --git a/test/integration/repositories/controls/repositories_spec.rb b/test/integration/repositories/controls/repositories_spec.rb index cac9731..12cfdd1 100644 
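Review bot: Each unmanaged repo's `filename` is handed to `exclude_pat` as a pattern rather than a literal name, so a pillar value containing a wildcard would exempt more than one file from `clean_sources_list_d`. Since the purpose of cleaning is to drop apt sources nobody declared, I would document the constraint next to the loop, e.g. `{# filename is used as an exclude_pat pattern: keep it a plain file name, no wildcards #}`. Separately, `repositories.pop(repo)` mutates the mapping returned by `apt.get('repositories', ...)`; if that object is shared with pillar or map data, building a filtered copy would be safer than changing it in place.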
--- a/test/integration/repositories/controls/repositories_spec.rb +++ b/test/integration/repositories/controls/repositories_spec.rb @@ -25,15 +25,10 @@ its('mode') { should cmp '0755' } end - describe file('/etc/apt/sources.list.d/multimedia-stable-binary.list') do + describe file('/etc/apt/sources.list.d/unmanaged.list') do it { should exist } - it { should be_owned_by 'root' } - it { should be_grouped_into 'root' } - its('mode') { should cmp '0644' } its(:content) do - should match( - %r{deb \[arch=amd64\] http://www.deb-multimedia.org stable main} - ) + should match("## unmanged list file that shouldn't be removed") end end diff --git a/test/salt/pillar/repositories.sls b/test/salt/pillar/repositories.sls index 3edd516..b9605ed 100644 --- a/test/salt/pillar/repositories.sls +++ b/test/salt/pillar/repositories.sls @@ -6,13 +6,10 @@ apt: clean_sources_list_d: true repositories: - multimedia-stable: - distro: stable - url: http://www.deb-multimedia.org - arch: [amd64] - comps: [main] - keyid: 5C808C2B65558117 - keyserver: keyserver.ubuntu.com + unmanaged: + unmanaged: true # do not remove this file when clean_sources_list_d=true + filename: unmanaged.list # optional + heroku: distro: ./ url: https://cli-assets.heroku.com/apt diff --git a/test/salt/states/unmanaged.sls b/test/salt/states/unmanaged.sls new file mode 100644 index 0000000..ea1b885 --- /dev/null +++ b/test/salt/states/unmanaged.sls @@ -0,0 +1,6 @@ + +repos_maintained_by_another_formula: + file.managed: + - name: /etc/apt/sources.list.d/unmanaged.list + - mode: '0644' + - contents: "## unmanged list file that shouldn't be removed" From 51c348065328de498a0b41ab7e7bf235f3de7a1f Mon Sep 17 00:00:00 2001 From: Robbe Van der Gucht Date: Wed, 19 Mar 2025 15:27:25 +0100 Subject: [PATCH 4/5] ci(fix): fix comment --- pillar.example | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pillar.example b/pillar.example index 653da79..d4275fe 100644 --- a/pillar.example +++ b/pillar.example 
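Review bot: Replacing `multimedia-stable` with the `unmanaged` entry in `test/salt/pillar/repositories.sls` removes the only visible test repository that used `keyid` with `keyserver`, and the matching spec block is dropped in the same patch. From what is visible here, the remaining entries obtain their keys through `key_url`, so the `keyid` branch of `apt/repositories.sls` would no longer be covered by the integration suite. I would keep a `keyid`/`keyserver` repository alongside the new `unmanaged` one instead of swapping them.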
@@ -137,7 +137,7 @@ apt: key_url: https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public # yamllint disable-line rule:line-length opts: "signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp" rabbitmq: - unmanaged: true # useful when rabbitmq.list is managed by another formula + unmanaged: true # useful when rabbitmq.list is managed by another formula preferences: 00-rspamd: From 4a10a55f1a40067ae0d31119455f78d43e462ae8 Mon Sep 17 00:00:00 2001 From: Didier METRAL Date: Wed, 19 Mar 2025 17:33:28 +0100 Subject: [PATCH 5/5] fix: keyring in map file not properly defined --- apt/map.jinja | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apt/map.jinja b/apt/map.jinja index 2249b59..0cb5384 100644 --- a/apt/map.jinja +++ b/apt/map.jinja @@ -29,21 +29,21 @@ 'url': 'http://deb.debian.org/debian/', 'arch': arch, 'comps': debian_comp, - 'opts': 'signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp' + 'opts': 'signed-by=/usr/share/keyrings/debian-archive-keyring.gpg' }, 'security-stable': { 'distro': distribution ~ '-security', 'url': 'http://security.debian.org/', 'arch': arch, 'comps': debian_comp, - 'opts': 'signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp' + 'opts': 'signed-by=/usr/share/keyrings/debian-archive-keyring.gpg' }, 'default-updates': { 'distro': distribution ~ '-updates', 'url': 'http://deb.debian.org/debian/', 'arch': arch, 'comps': debian_comp, - 'opts': 'signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp' + 'opts': 'signed-by=/usr/share/keyrings/debian-archive-keyring.gpg' }, }, },
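Review bot: These defaults now pin all three Debian sources to `/usr/share/keyrings/debian-archive-keyring.gpg`, a file the formula does not create; it is shipped by the distribution's keyring package. Nothing in this hunk ties the sources to that package, so on a minimal image where the file is absent apt would reject the default repositories. If `apt/repositories.sls` does not already require `keyring_package` before writing these entries, I would add that requisite. I would also define the path once, e.g. `{% set debian_keyring = '/usr/share/keyrings/debian-archive-keyring.gpg' %}`, instead of repeating the literal three times. The mapping these lines belong to starts and ends outside the hunk.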