canonical / ubuntu-pro-client

Ubuntu Pro Client for offerings from Canonical
https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/
GNU General Public License v3.0

Bug: enable esm-apps/esm-infra on Noble against selfhosted landscape+ua-airgapped in an airgapped Environment fails #3142

Open twau opened 3 months ago

twau commented 3 months ago

Description of the bug

We are testing out a POC with selfhosted landscape 24.04+ua-airgapped in an airgapped environment. We are mirroring esm-apps/esm-infra to our local selfhosted landscape server, and the repo is using the landscape GPG Key. With Ubuntu 24.04 (Noble) https://github.com/canonical/ubuntu-pro-client/commit/e39f45c6e13e934f7a06dfd986df85b7fd948844 the .source repo-file is created and that also includes the "Signed-By:" that points to the default esm-gpg keys, hence "pro enable esm-apps" fails to enable the repos since we are using the landscape GPG Key on our repo.

Expected behavior

Would be great to have an option to have the ubuntu-pro-client import your current landscape-server-mirror.asc public key. On bionic, focal and jammy the old ubuntu-esm-apps.list files are still created; they don't specify any sign key, so we don't have the issue there.

Current behavior

With Ubuntu 24.04 server, "pro enable esm-apps" fails because the new .source format of the repo-file includes Signed-By. As a workaround we can edit and add noble to "SERIES_NOT_USING_DEB822" in /usr/lib/python3/dist-packages/uaclient/apt.py and it enables without any issues since it finds our key in /etc/apt/trusted.gpg.d/landscape-server-mirror8a61e8a5-ef88-45d5-8efc-2c3d7229091c.asc

To Reproduce

  1. Set up a selfhosted landscape+ua-airgapped environment, mirror the esm repos in our landscape.
  2. On an Ubuntu 24.04 server try to run "pro enable esm-apps"


Additional context

I understand that specifying "Signed-by" in the repo file is a good thing for security, just want to have an option to have the ubuntu-pro-client populate a custom key so it won't fail when trying to register.
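An added diagnostic sketch, not part of the issue thread or of the ubuntu-pro-client code, showing the difference the report above describes: a deb822 `.sources` stanza with `Signed-By` restricts apt to that keyring, while a one-line `.list` entry without `signed-by` accepts any key apt already trusts. The sample file contents, host name and keyring path are constructed placeholders.

```python
import re

# Constructed sample inputs (not taken from the issue): a deb822 stanza that
# pins a keyring, and a legacy one-line entry with no signed-by option.
SAMPLE_SOURCES = """\
# constructed example
Types: deb
URIs: https://landscape.example.internal/repository/standalone/ubuntu
Suites: noble-apps-security noble-apps-updates
Components: main
Signed-By: /usr/share/keyrings/example-esm-apps.gpg
"""
SAMPLE_LIST = "deb https://landscape.example.internal/repository/standalone/ubuntu jammy-apps-security main\n"

def deb822_keyrings(text):
    """Return one entry per stanza: the Signed-By value, or None if absent."""
    result = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line.startswith("#"):
                continue
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                key = key.strip().lower()         # deb822 field names are case-insensitive
                fields[key] = value.strip()
        if fields:
            result.append(fields.get("signed-by") or None)
    return result

def list_keyrings(text):
    """Return one entry per deb/deb-src line: its signed-by option, or None."""
    result = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith(("deb ", "deb-src ")):
            continue
        m = re.search(r"\[([^\]]*)\]", line)      # optional [opt=value ...] block
        opts = dict(o.split("=", 1) for o in m.group(1).split() if "=" in o) if m else {}
        result.append(opts.get("signed-by"))
    return result

def describe(keyring):
    """Say which keys apt will accept for a source with this keyring setting."""
    if keyring is None:
        return "any key trusted by apt (e.g. /etc/apt/trusted.gpg.d/)"
    return "only " + keyring
```

Running `deb822_keyrings` over the generated `.sources` file on a Noble host shows which keyring the mirror's Release signature has to match.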

orndorffgrant commented 1 month ago

Hi @twau - thank you for the bug report and sorry for taking a while to respond.

You are right - right now the pro-client doesn't support enabling a service to a mirror with re-signed packages. Generally, if you change any metadata from the original packages, not all pro-client functionality is guaranteed to work.

It appears there is an option in the landscape interface for selecting the GPG key to use for signing the mirrored packages. @Perfect5th if you select "none" for that option, will Landscape not re-sign the packages?

Perfect5th commented 1 month ago

@orndorffgrant if you select "none", then Landscape signs the packages with Ubuntu's public keys.

twau commented 1 month ago

The option in the landscape interface for selecting the GPG key is forced to the default "Landscape" GPG key; I can't set it to "none" there. Must this be done with the CLI?