Thanks for your review Thomas.
I'll keep pursuing the key issue until success...

On 10/19/2015 08:53 AM, Thomas Lange wrote:
> Mmm, it should be working as I understand apt-key. You can put the key in a file into /etc/fai/apt/keys/*.asc then this will be loaded via apt-key add when building the nfsroot.
I now see the spot in task_repository where *.asc is loaded by apt-key. It escaped my notice earlier when I loaded .../apt/trusted.gpg.d/fai.gpg directly from web access using wget.

May I suggest an addition to the process? On line 1021 is "...| $ROOTCMD apt-key add -" (see the excerpt copied below). Please consider moving the added key keyring from .../apt/trusted.gpg to .../apt/trusted.gpg.d/$keyfile.asc.gpg or something like that. Add the --keyring parameter making the statement something like: "...| $ROOTCMD apt-key --keyring .../apt/trusted.gpg.d/$keyfile.asc.gpg add -"

Lines 1017 thru 1023 of subroutines showing a part of task_repository follow:
    # add apt keys for all classes
    for keyfile in ${classes:-}; do
        [ ! -f $FAI/package_config/$keyfile.asc ] && continue
        echo -n "Loading APT key from $keyfile.asc "
        cat $FAI/package_config/$keyfile.asc | $ROOTCMD apt-key add -
        unset keys["$keyfile.asc"]
    done

"why" I suggest it does relate to only my standard practice of using the "something.d/..." directory for my local adjustment to the /etc/... database if the feature is designed into the configuration by the author. In the case of apt, I do prefer leaving /trusted.gpg and /sources.list files alone when adding things. For special repos, I do like to install both .../apt/sources.list.d/name.list and .../apt/trusted.gpg.d/name.gpg from the web. BUT again -- it is only me / not many.

On a similar subject: I have become fairly happy using a proxy instead of a local mirror for FAI work. My selection is apt-cacher-NG. To configure apt for the proxy requires something like .../apt/apt.conf.d/02proxy (similar to your .../apt/apt.conf.d/10fai). If you agree with me, a new variable containing the IP:PORT might be enough to allow task_repository to create 02proxy file. It fits at the end where mount_mirror is found -- a three-way option [mirror--proxy--nothing]? Quite frankly this is beyond my ability to program when considering the impact on all the other options of FAI that I do not use.

> I will also add code into fai-make-nfsroot, that adds the official key of the fai-project repository into the nfsroot by default.
I do hope you mean to add both source and key? If not, then I would argue that your presentation on the wiki download page is very adequate to the task of adding the project repo as an optional source. It would be _perfect_ if the "deb ..." was directed to a .d/fai.list file and apt-key included the --keyring to the .d/fai.gpg file...:-) (humor) AND I believe I could modify the wiki page to get the idea published if you want.

I noticed something else in task_repository for 02fai file. The subroutine does create 02fai, but does not delete it when the file is present and the "if [...]" test fails. Does the "-f" or "-k" option work OK without the "else delete" clause in task_repository? I have not tested. I do know a fresh install works OK.

Thanks again for your review this morning!
Skip
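
The proxy option and the "else delete" concern raised in the message above, as an added shell sketch that is not part of the original post and not FAI's own code. `PROXY_ADDR` and `configure_apt_proxy` are hypothetical names; the file name 02proxy comes from the message, and only IPv4 addresses or host names in HOST:PORT form are assumed.

```shell
#!/bin/sh
# Added example, not FAI code. Hypothetical names: PROXY_ADDR, configure_apt_proxy.

# configure_apt_proxy ROOT
#   ROOT is the directory that holds etc/apt (nfsroot or install target).
#   PROXY_ADDR set   -> write ROOT/etc/apt/apt.conf.d/02proxy
#   PROXY_ADDR empty -> remove a 02proxy left behind by an earlier run
configure_apt_proxy() {
    root=$1
    conf="$root/etc/apt/apt.conf.d/02proxy"

    if [ -z "${PROXY_ADDR:-}" ]; then
        rm -f "$conf"              # the "else delete" branch
        return 0
    fi

    case $PROXY_ADDR in
        *:*) ;;
        *) echo "proxy needs HOST:PORT: $PROXY_ADDR" >&2; return 1 ;;
    esac
    host=${PROXY_ADDR%:*}
    port=${PROXY_ADDR##*:}

    # The value is interpolated into an apt configuration file, so accept
    # only safe characters (no quotes, semicolons or whitespace).
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "bad proxy host: $PROXY_ADDR" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad proxy port: $PROXY_ADDR" >&2; return 1 ;;
    esac

    mkdir -p "$root/etc/apt/apt.conf.d" || return 1
    # Write to a temporary name first so apt never reads a half-written file.
    tmp="$conf.$$"
    printf 'Acquire::http::Proxy "http://%s:%s";\n' "$host" "$port" > "$tmp" &&
        mv "$tmp" "$conf"
}
```

Calling it unconditionally on every run, with `PROXY_ADDR` set or empty, keeps the file in step with the current configuration.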
