Implement primary and secondary keyserver usage for cache prep

Sometimes, especially with restricted internet access through proxies or firewalls, the LXC container creation fails when using the download template. The failure is due to the inability to access the gpg keyserver and therefore the inability to validate the downloaded image. This patch implements the usage of a primary and secondary keyserver, and uses a primary keyserver which is more likely to be accessible in restricted environments as it's accessed on port 80. Change-Id: Ic1ca3d9f3c7d720e9715b6dcc67a7888910e6d0d Closes-Bug: #1609479
2016-08-03 17:34:12 +01:00 · 2016-08-03 17:34:12 +01:00 · 319e37c8f5
commit 319e37c8f5
parent 7a7ef951be
3 changed files with 32 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -78,8 +78,13 @@ lxc_image_compression_ratio: 0
 #       dest: "/etc/issue"
 lxc_container_cache_files: []

+# The DNS name of the LXD server to source the base container cache from
 lxc_image_cache_server: images.linuxcontainers.org

+# The keyservers to use when validating GPG keys for the downloaded cache
+lxc_image_cache_primary_keyserver: hkp://p80.pool.sks-keyservers.net:80
+lxc_image_cache_secondary_keyserver: hkp://keyserver.ubuntu.com:80
+
 ## Default download template options
 ##  This can be customized to use a local build server and options.
 ##  By default these options will be fulfilled by the distro specific
--- a/releasenotes/notes/lxc-cache-gpg-156169a867d4653f.yaml
+++ b/releasenotes/notes/lxc-cache-gpg-156169a867d4653f.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - The lxc_hosts role can now make use of a primary and secondary gpg
+    keyserver for gpg validation of the downloaded cache. Setting the
+    servers to use can be done using the
+    ``lxc_image_cache_primary_keyserver`` and
+    ``lxc_image_cache_secondary_keyserver`` variables.
--- a/tasks/lxc_cache.yml
+++ b/tasks/lxc_cache.yml
@ -19,11 +19,28 @@
    template: "download"
    state: stopped
    backing_store: "dir"
-    template_options: "{{ lxc_cache_download_template_options }}"
-  register: cache_download
+    template_options: "{{ lxc_cache_download_template_options }} --keyserver {{ lxc_image_cache_primary_keyserver }}"
+  register: cache_download_primary
  retries: 3
  delay: 10
-  until: cache_download|success
+  until: cache_download_primary | success
+  ignore_errors: yes
+  tags:
+    - lxc-cache
+    - lxc-cache-download
+
+- name: Create base container
+  lxc_container:
+    name: "LXC_NAME"
+    template: "download"
+    state: stopped
+    backing_store: "dir"
+    template_options: "{{ lxc_cache_download_template_options }} --keyserver {{ lxc_image_cache_secondary_keyserver }}"
+  when: cache_download_primary | failed
+  register: cache_download_secondary
+  retries: 3
+  delay: 10
+  until: cache_download_secondary | success
  tags:
    - lxc-cache
    - lxc-cache-download