author | rtkapiper <andy.piper@arcticwolf.com> | 2023-07-14 00:50:30 +0000 |
---|---|---|
committer | rtkapiper <andy.piper@arcticwolf.com> | 2023-07-14 00:50:30 +0000 |
commit | abc89a98ccd003d4baf01868637eff944d9a37d1 (patch) | |
tree | 2ab34bb684b840c07e13c0af05263e350dd25b41 | |
parent | f86f158dc05c3e70f7608280528d91d67b82b760 (diff) | |
debootstrap_plugin: optionally install TLS Certificate Authority certs
Add an optional `tls_ca_certs` key which takes a list of paths to TLS
Certificate Authority (CA) cert files to install in the image after the
debootstrap process has completed. This allows the use of package
repositories with HTTPS transports that use TLS certificates issued by
private CAs. Note that the CA cert files being installed must have a
`.crt` suffix in order to be used.
-rw-r--r-- | vmdb/plugins/debootstrap.mdwn | 7 | ||||
-rw-r--r-- | vmdb/plugins/debootstrap_plugin.py | 18 |
2 files changed, 25 insertions, 0 deletions
diff --git a/vmdb/plugins/debootstrap.mdwn b/vmdb/plugins/debootstrap.mdwn
index 6784096..adef40c 100644
--- a/vmdb/plugins/debootstrap.mdwn
+++ b/vmdb/plugins/debootstrap.mdwn
@@ -29,6 +29,13 @@ Step keys:
* `include` — OPTIONAL; a list of additional packages for debootstrap to install.
+* `tls_ca_certs` — OPTIONAL; a list of paths to TLS Certificate
+ Authority (CA) cert files to install in the image after the debootstrap
+ process has completed. This allows the use of package repositories with
+ HTTPS transports that use TLS certificates issued by private CAs.
+ Note that the CA cert files being installed must have a `.crt` suffix
+ in order to be used.
+
Example (in the .vmdb file): - debootstrap: buster
diff --git a/vmdb/plugins/debootstrap_plugin.py b/vmdb/plugins/debootstrap_plugin.py
index 2040fdb..b7e9843 100644
--- a/vmdb/plugins/debootstrap_plugin.py
+++ b/vmdb/plugins/debootstrap_plugin.py
@@ -40,6 +40,7 @@ class DebootstrapStepRunner(vmdb.StepRunnerInterface):
"components": ["main"],
"include": [],
"require_empty_target": True,
+ "tls_ca_certs": [],
}
def run(self, values, settings, state):
@@ -49,6 +50,7 @@ class DebootstrapStepRunner(vmdb.StepRunnerInterface):
mirror = values["mirror"]
keyring = values["keyring"] or None
install_keyring = values["install_keyring"]
+ tls_ca_certs = values["tls_ca_certs"]
include = values["include"]
require_empty = values["require_empty_target"]
arch = values["arch"] or state.arch
@@ -68,6 +70,10 @@ class DebootstrapStepRunner(vmdb.StepRunnerInterface):
f"debootstrap target {target} is a not an empty directory: {names}"
)
+ bad_certs = [c for c in tls_ca_certs if not c.endswith(".crt")]
+ if bad_certs:
+ raise RuntimeError(f'TLS cert(s) do not have a ".crt" suffix: {bad_certs}')
+
cmd = [
"debootstrap",
"--arch",
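Review bot: The new `bad_certs` check in the third hunk validates only the `.crt` suffix, so a mistyped or missing path is not caught here and only surfaces when `shutil.copyfile` runs, after the whole debootstrap has completed. Since this check already sits in the fail-fast position before `cmd` is built, it is worth also verifying the files exist: `missing = [c for c in tls_ca_certs if not os.path.isfile(c)]` / `if missing:` / `raise RuntimeError(f"TLS cert(s) not found: {missing}")`. The reason for the suffix rule is not stated in the code; a one-line comment above the check such as `# update-ca-certificates only picks up *.crt files under /usr/local/share/ca-certificates, so reject anything else up front` would save the next reader a trip to the commit log. `run()` starts before this hunk and continues past it.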
@@ -101,6 +107,18 @@ class DebootstrapStepRunner(vmdb.StepRunnerInterface):
vmdb.runcmd_chroot(target, ["apt-key", "add", f"/{keyring_basename}"])
os.remove(chroot_keyring)
+ if tls_ca_certs:
+ for ca_cert in tls_ca_certs:
+ target_cert_path = os.path.join(
+ target,
+ "usr/local/share/ca-certificates",
+ os.path.basename(ca_cert),
+ )
+
+ shutil.copyfile(ca_cert, target_cert_path)
+ vmdb.progress(f"Copied {ca_cert} -> {target_cert_path}")
+ vmdb.runcmd_chroot(target, ["update-ca-certificates"])
+
if remove_pkgs:
vmdb.runcmd_chroot(
target,
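Review bot: Copying each file into `usr/local/share/ca-certificates` and running `update-ca-certificates` makes every supplied private CA a trust anchor for all TLS clients in the image (apt, curl, Python, …), not only for the package repository the commit message targets, and nothing in the hunk says so. If repository access is the only goal, apt can pin a CA per host with an apt.conf.d snippet such as `Acquire::https::repo.example.org::CAInfo "/usr/local/share/ca-certificates/private.crt";`, which avoids widening the system trust store; at minimum a comment above the loop should state the image-wide effect, e.g. `# NOTE: installs into the system trust store, so these CAs are trusted by every TLS client in the image, not just apt`. Two smaller points: `os.path.basename` means two inputs with the same file name silently overwrite each other, and `update-ca-certificates` needs the `ca-certificates` package in the chroot, which a minimal debootstrap may not include, so the docs should say it must be listed in `include` (or the step should fail with a clear message rather than whatever `runcmd_chroot` reports). `shutil` is used without an import being added anywhere in this diff, so it is presumably already imported at the top of the file — worth confirming. `run()` starts before this hunk and the `runcmd_chroot` call at its end continues past it.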