Open PrimaryCanary opened 3 years ago
Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

cc @AnderEnder @alxgu @andytom @commel @dcermak @evrardjp @lrupp @matze @sealor @toabctl
I'm against adding something general like `extra_args`. Having a specific parameter for this makes more sense IMO.
@felixfontein @PrimaryCanary

I agree that adding `extra_args` is too general. I'm fine with a new parameter.

What do you think about adding a parameter for `--no-gpgcheck` and `--gpgcheck-allow-unsigned-repo`? This approach allows us to use the most secure way which is available.

How do we want to name the new parameters? `gpgcheck: no` and `gpgcheck_allow_unsigned_repo: yes`? IMHO we do not need the `repo_` prefix here which is used in the `yum` configuration.
```yaml
- name: Add ZeroTier repo for SUSE/openSUSE
  community.general.zypper_repository:
    name: zerotier
    description: ZeroTier, Inc. RPM Release Repository
    repo: https://download.zerotier.com/redhat/el/8/
    gpgcheck: no
    state: present
```

```yaml
- name: Add ZeroTier repo for SUSE/openSUSE
  community.general.zypper_repository:
    name: zerotier
    description: ZeroTier, Inc. RPM Release Repository
    repo: https://download.zerotier.com/redhat/el/8/
    gpgcheck_allow_unsigned_repo: yes
    state: present
```
Useful links: Zypper manual, man yum.conf
@sealor instead of adding two boolean parameters, you could also add a `choices` parameter, especially since not all combinations of the booleans make sense (no GPG check while allowing unsigned repos for example). So you could have an option `gpg_signature_check` with three choices: `always` (default), `allow_unsigned_repos`, and `never`. (Or with some better names :) )
Good idea!

What do you think about the following choices for `gpg_signature_check`?

| choice | zypper parameter | description |
|---|---|---|
| default | `--default-gpgcheck` | use global GPG check settings in zypp.conf |
| no | `--no-gpgcheck` | disable all checks |
| allow_unsigned | `--gpgcheck-allow-unsigned` | shorthand for `--gpgcheck-allow-unsigned-repo` and `--gpgcheck-allow-unsigned-package` |
| allow_unsigned_repo | `--gpgcheck-allow-unsigned-repo` | allow the repository metadata to be unsigned |
| allow_unsigned_package | `--gpgcheck-allow-unsigned-package` | allow installing unsigned packages |
I would avoid `no`, since boolean processing could change that to `false`. How about `disable` instead? Besides that, sounds good!
:+1: `disable` is fine!
I've been implementing this on a local branch and I've run into a `zypper` bug preventing me from implementing idempotency. The XML output from `zypper` doesn't seem to be correct with version 1.14.43.

1. Start by adding any repo with a GPG option:

```
sudo zypper addrepo --gpgcheck-allow-unsigned https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/ packman
```

2. Verify its correctness:

```
$ zypper repos
# | Alias | Name | Enabled | GPG Check | Refresh
---+---------------------------+------------------------------------+---------+-----------+--------
1 | packman | packman | Yes | ( p) Yes | No
<more below>
$ cat /etc/zypp/repos.d/packman.repo
[packman]
enabled=1
autorefresh=0
baseurl=https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/
gpgcheck=1
repo_gpgcheck=0
pkg_gpgcheck=0
```

3. Verify its XML:

```
$ zypper --xmlout repos
<?xml version='1.0'?>
```
I notice the same behavior.

```
$ docker run -ti --rm opensuse/leap /bin/bash -c '
set -x
zypper rr -a
for PARAM in \
    --default-gpgcheck \
    --gpgcheck-strict \
    --no-gpgcheck \
    --gpgcheck-allow-unsigned \
    --gpgcheck-allow-unsigned-repo \
    --gpgcheck-allow-unsigned-package; do
  zypper ar $PARAM http://download.opensuse.org/distribution/leap/15.2/repo/oss/ $PARAM
done
zypper --version
zypper repos
zypper --xmlout repos | grep "<repo" | grep -o name.* | sed 's/priority.*autorefresh....//'
'
...
+ zypper --version
zypper 1.14.43
+ zypper repos
Repository priorities are without effect. All enabled repositories share the same priority.
# | Alias | Name | Enabled | GPG Check | Refresh
--+-----------------------------------+-----------------------------------+---------+-----------+--------
1 | --default-gpgcheck | --default-gpgcheck | Yes | ( p) Yes | No
2 | --gpgcheck-allow-unsigned | --gpgcheck-allow-unsigned | Yes | ( p) Yes | No
3 | --gpgcheck-allow-unsigned-package | --gpgcheck-allow-unsigned-package | Yes | ( p) Yes | No
4 | --gpgcheck-allow-unsigned-repo | --gpgcheck-allow-unsigned-repo | Yes | ( p) Yes | No
5 | --gpgcheck-strict | --gpgcheck-strict | Yes | ( p) Yes | No
6 | --no-gpgcheck | --no-gpgcheck | Yes | ( ) No | No
+ zypper --xmlout repos
+ grep '<repo'
+ grep -o 'name.*'
+ sed 's/priority.*autorefresh.....//'
name="--default-gpgcheck" gpgcheck="1" repo_gpgcheck="1" pkg_gpgcheck="1">
name="--gpgcheck-allow-unsigned" gpgcheck="1" repo_gpgcheck="1" pkg_gpgcheck="1">
name="--gpgcheck-allow-unsigned-package" gpgcheck="1" repo_gpgcheck="1" pkg_gpgcheck="1">
name="--gpgcheck-allow-unsigned-repo" gpgcheck="1" repo_gpgcheck="1" pkg_gpgcheck="1">
name="--gpgcheck-strict" gpgcheck="1" repo_gpgcheck="1" pkg_gpgcheck="1">
name="--no-gpgcheck" gpgcheck="0" repo_gpgcheck="0" pkg_gpgcheck="0">
```

After `zypper refresh` I get the following repository list:

```
+ zypper repos
Repository priorities are without effect. All enabled repositories share the same priority.
# | Alias | Name | Enabled | GPG Check | Refresh
--+-----------------------------------+-----------------------------------+---------+-----------+--------
1 | --default-gpgcheck | --default-gpgcheck | Yes | (r ) Yes | No
2 | --gpgcheck-allow-unsigned | --gpgcheck-allow-unsigned | Yes | (r ) Yes | No
3 | --gpgcheck-allow-unsigned-package | --gpgcheck-allow-unsigned-package | Yes | (r ) Yes | No
4 | --gpgcheck-allow-unsigned-repo | --gpgcheck-allow-unsigned-repo | Yes | (r ) Yes | No
5 | --gpgcheck-strict | --gpgcheck-strict | Yes | (rp) Yes | No
6 | --no-gpgcheck | --no-gpgcheck | Yes | ( ) No | No
+ zypper --xmlout repos
+ grep '<repo'
+ grep -o 'name.*'
+ sed 's/priority.*autorefresh....//'
name="--default-gpgcheck" type="rpm-md" gpgcheck="1" repo_gpgcheck="1" pkg_gpgcheck="0">
name="--gpgcheck-allow-unsigned" type="rpm-md" gpgcheck="1" repo_gpgcheck="1" pkg_gpgcheck="0">
name="--gpgcheck-allow-unsigned-package" type="rpm-md" gpgcheck="1" repo_gpgcheck="1" pkg_gpgcheck="0">
name="--gpgcheck-allow-unsigned-repo" type="rpm-md" gpgcheck="1" repo_gpgcheck="1" pkg_gpgcheck="0">
name="--gpgcheck-strict" type="rpm-md" gpgcheck="1" repo_gpgcheck="1" pkg_gpgcheck="1">
name="--no-gpgcheck" type="rpm-md" gpgcheck="0" repo_gpgcheck="0" pkg_gpgcheck="0">
```
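To make the two threads above concrete, here is an added example in Python (my own, not code from community.general or from PrimaryCanary's branch). It maps sealor's proposed `gpg_signature_check` choices to the zypper flags from the table, rejects a choice that YAML has already turned into a boolean (the `no` vs `false` pitfall), and then reads the current GPG state of one repository both from `zypper --xmlout repos` output and from its `/etc/zypp/repos.d/<alias>.repo` file, treating the file as authoritative because the XML shown above does not agree with it before a refresh. The `<stream>`/`<repo-list>` wrapper of the sample XML, the sample `.repo` file, and the expected values in the `allow_unsigned_repo` and `allow_unsigned_package` rows are constructed or assumed here, not taken from the page.

```python
import configparser
import xml.etree.ElementTree as ET

KEYS = ("gpgcheck", "repo_gpgcheck", "pkg_gpgcheck")

# Proposed gpg_signature_check choice -> zypper addrepo flag and the
# gpgcheck/repo_gpgcheck/pkg_gpgcheck values the written .repo file should
# carry (None = not pinned, zypp.conf decides). The "allow_unsigned" row is
# taken from the .repo file shown in the thread; the "allow_unsigned_repo"
# and "allow_unsigned_package" rows are assumptions based on the zypper manual.
CHOICES = {
    "default":                ("--default-gpgcheck",                None, None,  None),
    "disable":                ("--no-gpgcheck",                     False, None, None),
    "allow_unsigned":         ("--gpgcheck-allow-unsigned",         True, False, False),
    "allow_unsigned_repo":    ("--gpgcheck-allow-unsigned-repo",    True, False, None),
    "allow_unsigned_package": ("--gpgcheck-allow-unsigned-package", True, None,  False),
}


def zypper_flag(choice):
    """Return the addrepo flag for a choice. A bool is rejected explicitly:
    a playbook value of `no` would reach the module as False, not as text."""
    if isinstance(choice, bool):
        raise ValueError("gpg_signature_check must be one of %s, got a boolean"
                         % sorted(CHOICES))
    if choice not in CHOICES:
        raise ValueError("unknown gpg_signature_check choice: %r" % (choice,))
    return CHOICES[choice][0]


def expected_state(choice):
    """GPG state a choice should leave in the .repo file (None = don't care)."""
    _, gpg, repo_gpg, pkg_gpg = CHOICES[choice]
    return dict(zip(KEYS, (gpg, repo_gpg, pkg_gpg)))


def state_from_xml(xml_text, alias):
    """Read the three GPG attributes of `alias` from `zypper --xmlout repos`."""
    root = ET.fromstring(xml_text)
    for repo in root.iter("repo"):
        if repo.get("alias") == alias:
            return {k: None if repo.get(k) is None else repo.get(k) == "1"
                    for k in KEYS}
    return None


def state_from_repo_file(repo_file_text, alias):
    """Read the same keys from the .repo file; an absent key is None."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(repo_file_text)
    if not cfg.has_section(alias):
        return None
    section = cfg[alias]
    return {k: (section[k] == "1") if k in section else None for k in KEYS}


def _matches(expected, actual):
    return all(want is None or want == actual.get(key)
               for key, want in expected.items())


def needs_change(choice, xml_text, repo_file_text, alias):
    """Decide whether `zypper addrepo <flag>` must be re-run for `alias`.

    Returns (changed, source). The .repo file wins when the two sources
    disagree, because the XML output in the thread reports repo_gpgcheck="1"
    for a repository whose file says repo_gpgcheck=0; the disagreement is
    surfaced in `source` so a module could warn about it."""
    expected = expected_state(choice)
    from_file = state_from_repo_file(repo_file_text, alias)
    from_xml = state_from_xml(xml_text, alias)
    if from_file is None and from_xml is None:
        return True, "repo missing"
    if from_file is None:
        return not _matches(expected, from_xml), "xml only"
    changed = not _matches(expected, from_file)
    source = "repo file" if from_xml == from_file else "repo file (xml disagrees)"
    return changed, source


# Constructed sample in the shape seen in the thread: the XML claims every
# check is on, while the .repo file written by --gpgcheck-allow-unsigned
# has repo_gpgcheck=0 and pkg_gpgcheck=0.
SAMPLE_XML = """<?xml version='1.0'?>
<stream>
<repo-list>
<repo alias="packman" name="packman" type="rpm-md" priority="99" enabled="1" autorefresh="0" gpgcheck="1" repo_gpgcheck="1" pkg_gpgcheck="1">
<url>https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/</url>
</repo>
</repo-list>
</stream>
"""

SAMPLE_REPO_FILE = """[packman]
enabled=1
autorefresh=0
baseurl=https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/
gpgcheck=1
repo_gpgcheck=0
pkg_gpgcheck=0
"""

if __name__ == "__main__":
    for choice in ("allow_unsigned", "disable", "default"):
        changed, source = needs_change(choice, SAMPLE_XML, SAMPLE_REPO_FILE, "packman")
        print("%-24s %-35s changed=%-5s (%s)" % (choice, zypper_flag(choice), changed, source))
```

Running the block prints that `allow_unsigned` is already satisfied by the sample `.repo` file (with a note that the XML disagrees), `disable` would need a change because `gpgcheck=1` is set, and `default` pins nothing and so is always satisfied. Reading the `.repo` file directly is what makes the changed/unchanged decision independent of the zypper 1.14.43 XML behaviour described in the thread.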
I've submitted a bug report to Zypper. In the meantime, a partially complete implementation is available https://github.com/PrimaryCanary/community.general/tree/zypper/gpg-checking. I'll wait to see what the Zypper maintainers say then finish implementing idempotency. Perhaps we can issue a warning for Zypper versions less than X.Y.Z saying Ansible will incorrectly report changed status.
As https://github.com/openSUSE/zypper/issues/390 has been closed with a corresponding PR, would you like to open a PR for this issue?

Although I'm not sure when libzypp=17.27.0 will hit openSUSE 15.2 and when the Ansible test containers will get updated, we can definitely create a PR in the meantime.
### Summary

RPM repositories can optionally sign the repository metadata (`repomd.xml`). The `zypper_repository` module's inability to disable metadata signing makes it difficult to add repos that don't sign their metadata. While this can be worked around by disabling `gpgcheck`, doing so is ill-advised.

### Issue Type

Feature Idea

### Component Name

zypper_repository

### Additional Information

Zypper supports skipping the metadata signing check with `zypper addrepo --gpgcheck-allow-unsigned-repo ...`. This is more secure than `zypper addrepo --no-gpgcheck ...` because individual packages are still verified. Ansible's builtin `yum_repository` module supports this use case with its `repo_gpgcheck` parameter.

I propose two solutions:

1. `repo_gpgcheck` parameter like that found in `yum_repository`.
2. `extra_args` parameter like that found in the `zypper` module.

I'm willing to implement one or both of these solutions. Which would you prefer?