Trust new APT and RPM keys #30
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Allow customizing the URL with `datadog_apt_key_url_new` (for users with local apt mirrors).
degemer
approved these changes
Sep 27, 2016
| - name: Download new RPM key | ||
| get_url: | ||
| url: "http://yum.datadoghq.com/DATADOG_RPM_KEY.public.E09422B3" | ||
| dest: /tmp/DATADOG_RPM_KEY.e09422b3.public |
There was a problem hiding this comment.
Does this mean this file will always be there, even when the rpm key is already imported ?
There was a problem hiding this comment.
Correct. We could avoid this by first checking if the key is already imported and only download/import the new key if it's not. I didn't do it because I didn't think it was worth the added complexity, but let me know what you think.
There was a problem hiding this comment.
No, it's probably not worth it given the size of the key.
Download the new key through plain HTTP for best compatibility (since SSL only works when the managed nodes have a recent version of python). Ensure the integrity of the downloaded file using a sha-256 sum. We use the `sha256sum` option instead of `checksum` since `checksum` was only added in Ansible 2.0 The `rpm_key` module has a good idempotent behavior so no need to have extra steps to check whether the key is already imported.
olivielpeau
force-pushed
the
olivielpeau/trust-new-keys
branch
from
2a29fde
to
dc2874a
Compare
|
Just updated the URL of the new key to @degemer: could you do a quick sanity check of my change? 🙇 |
degemer
approved these changes
Oct 6, 2016
|
Is there a reason this wasn't merged? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Make the pkg managers trust the new keys in addition to the current keys. Similar approach as what's described in DataDog/chef-datadog#365.
APT
apt_keymoduledatadog_apt_key_url_new(for userswith local apt mirrors)
RPM
SSL only works when the managed nodes have a recent version of python)
the
sha256sumoption instead ofchecksumsincechecksumwas onlyadded in Ansible 2.0
rpm_keymodule has a good idempotent behavior so no need to haveextra steps to check whether the key is already imported.
Testing
Tested manually w/ Ansible
1.9.2and2.1.1, against Ubuntu 14.04 and CentOS 6