Disable GPG in inactive load import

The major releases loads are creating a remote without the
no-gpg-verify flag, this causes the pull from this repo to fail.

This commit adds this flag when creating an Ostree remote.
Also, it checks for and adds the gpg-verify config key after the load_import
script runs, to fix the issue of N-1 loads missing this config.

Test-Plan:
PASS: Import a N+1 major release load and see the remote
      was created with gpg disabled in the config file
PASS: Import an N-1 major release load and see the remote
      was created with gpg disabled in the config file

Closes-Bug: 2124981

Change-Id: I6bb4fc6a535d0c8f954d778ec08f18f70a676254
Signed-off-by: Lindley Vieira <lindley.vieira@windriver.com>
Lindley Vieira
2025-09-17 14:30:07 -04:00
committed by Lindley Werner Soares Vieira
parent f3f74e90f4
commit ab3bed73fd
4 changed files with 26 additions and 16 deletions


@@ -142,8 +142,9 @@ def load_import(from_release, to_major_rel, iso_mount_dir):
config.write(file, space_around_delimiters=False)
# Create 'starlingx' remote on the feed ostree_repo
cmd = ["ostree", "remote", "add", "--repo=%s/ostree_repo/" % to_feed_dir,
FEED_REMOTE, "http://controller:8080/feed/rel-%s/ostree_repo/" % to_major_rel,
cmd = ["ostree", "remote", "add", "--no-gpg-verify",
"--repo=%s/ostree_repo/" % to_feed_dir, FEED_REMOTE,
"http://controller:8080/feed/rel-%s/ostree_repo/" % to_major_rel,
FEED_BRANCH]
try:
subprocess.check_call(cmd)
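Review bot: With `--no-gpg-verify` added to the `ostree remote add` command, the feed remote is created without signature checking while its URL is plain `http://controller:8080/...`, so nothing visible in this hunk authenticates what is pulled from the feed. The line also carries no marker that the flag is temporary, whereas `add_gpg_verify_false` elsewhere on this page has `# TODO(mmachado): remove once gpg is enabled`. A matching comment belongs above the command, e.g. `# TODO: drop --no-gpg-verify once feed commits are signed; this remote is plain HTTP`. `load_import` starts and ends outside the hunk.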


@@ -105,6 +105,8 @@ OSTREE_AUX_REMOTE_PATH = "/ostree/repo"
OSTREE_HISTORY_NOT_FETCHED = "<< History beyond this commit not fetched >>"
OSTREE_REPO = 'ostree_repo'
SYSROOT_OSTREE_REF = "debian:starlingx"
OSTREE_CONFIG = "config"
OSTREE_GPG_VERIFY = "gpg-verify"
# Sysroot
SYSROOT_OSTREE = "/sysroot/ostree/repo"


@@ -75,23 +75,23 @@ def get_ostree_latest_commit(ostree_ref, repo_path):
return latest_commit
def add_gpg_verify_false():
def add_gpg_verify_false(repo_path=constants.SYSROOT_OSTREE):
# TODO(mmachado): remove once gpg is enabled
# Modify the ostree configuration to disable gpg-verify
try:
command = """
# Check if gpg-verify=false is at the end of the file and adds it if not
if ! tail -n 1 /sysroot/ostree/repo/config | grep -q '^gpg-verify=false$'; then
echo "gpg-verify=false" >> /sysroot/ostree/repo/config
fi
"""
subprocess.run(command, shell=True, check=True)
config_path = os.path.join(repo_path, constants.OSTREE_CONFIG)
if os.path.exists(config_path):
config = configparser.ConfigParser()
config.read(config_path)
except subprocess.CalledProcessError as e:
msg = "Failed to modify ostree config to disable GPG verification"
err_msg = "Command Error: return code: %s, Output: %s" \
% (e.returncode, e.stderr.decode("utf-8") if e.stderr else "No error message")
LOG.exception(err_msg)
for section in config.sections():
if section.startswith("remote ") and \
constants.OSTREE_GPG_VERIFY not in config[section]:
config[section][constants.OSTREE_GPG_VERIFY] = "false"
with open(config_path, 'w') as file:
config.write(file, space_around_delimiters=False)
else:
msg = f"Ostree config file: {config_path} does not exist"
raise OSTreeCommandFail(msg)
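Review bot: The loop over `config.sections()` sets `gpg-verify` to `false` on every `remote ` section that lacks the key, not only the feed remote this commit is about, and it does so without a log entry, so the downgrade leaves no trace on the host. Consider logging each section changed, e.g. `LOG.warning("gpg-verify set to false for [%s] in %s", section, config_path)`, and writing the file back only when a section was actually modified. An unconditional `config.write` also re-serialises the whole file through `ConfigParser`, which drops comments. The rendered hunk does not show whether the old `try:` survives; if it does not, `configparser.Error` and `OSError` from `config.read` or `open` now reach the caller unwrapped where the old code raised `OSTreeCommandFail`.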


@@ -1529,6 +1529,13 @@ class PatchController(PatchService):
local_info += load_import_info or ""
local_error += load_import_error or ""
# TODO(lvieira): fix when 24.09 is the N-1 load. Remove it in 26.09
ostree_feed_repo_path = os.path.join(
constants.FEED_OSTREE_BASE_DIR,
("rel-%s" % utils.get_major_release_version(to_release)),
constants.OSTREE_REPO)
ostree_utils.add_gpg_verify_false(ostree_feed_repo_path)
# Copy metadata.xml to /opt/software/rel-<rel>/
to_file = os.path.join(constants.SOFTWARE_STORAGE_DIR,
("rel-%s" % to_release), "metadata.xml")