action #180143

open

The utils::ensure_ca_certificates_suse_installed might be switched from IBS to OBS

Added by pdostal 9 days ago. Updated 8 days ago.

Status: In Progress
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 2025-04-07
Due date:
% Done: 0%
Estimated time:
Difficulty:

Description

In some cases the IBS is not available. It might be better to switch to OBS.

The code, however, expects the SLE-Factory repository, which is not enabled in OBS:

    $distversion = 'SLE-Factory' if ($exit != 0);
    diag "CA folder: $distversion";

Another issue is that this subroutine is used in many places across different teams.

Actions #2

Updated by mdati 8 days ago · Edited

Considering the current status, for the CA repo use:
1) the code in lib/util/ensure_ca_certificates_suse_installed is based on the IBS URL to get a proper CA SLE repo;
2) in case the expected repo is not found, a fallback to SLE-Factory is applied;
3) but this last setting is not pre-checked (via curl) as is done here, and when IBS is unresponsive, it still fails.
4) Another problem is with SLE 16: in that routine the directory $distversion adds a leading SLE_ to the version, but no IBS/OBS CA repo is named like SLE_16.0, therefore the fallback is always used, until routine or repo adaptations are performed.

The initial proposal to improve resilience when IBS fails to provide the repo is to switch to using OBS, in place, as done in PR note-1;

  • but a problem is that the coded fallback SLE-Factory is in IBS only and not present in OBS, so when the specific SLE is missing or failing, like version 16, the routine fails.

Therefore, another proposal here is to still use IBS as default, until SUSE_Factory, but then add a pre-check and, when a failure is detected, make the code fall back on the CA openSUSE_Factory in OBS (even present in IBS), which should be equivalent.

A snippet, to insert after the first $exit check (L#2395), could be like:

    $distversion = 'SLE-Factory' if ($exit != 0);
    $exit = script_run("curl -fkIL https://download.suse.de/repositories/SUSE:/CA/$distversion/SUSE:CA.repo >/dev/null 2>&1");
    # when SLE-Factory is not OK either, invoke the OBS fallback:
    $distversion = 'openSUSE_Factory' if ($exit != 0);
    # new URL response check:
    $exit = script_run("curl -fkIL https://download.opensuse.org/repositories/SUSE:/CA/$distversion/SUSE:CA.repo >/dev/null 2>&1");
    # if all CA repos fail, stop the run:
    die("CA repo issues") if ($exit != 0);
    # otherwise continue
    diag "CA folder: $distversion";

A last suggestion is to add a routine to simplify the 3 curl check calls, like:

    sub curl_check {
        my ($domain, $distvers) = @_;
        return script_run("curl -fkIL https://download.$domain/repositories/SUSE:/CA/$distvers/SUSE:CA.repo >/dev/null 2>&1");
    }

and call:

    # script_run returns the exit status (0 on success), so `and` moves on to OBS only when the IBS check fails
    $exit = curl_check('suse.de', $distversion) and $exit = curl_check('opensuse.org', $distversion);

Actions #3

Updated by rbranco 8 days ago · Edited

This routine can be made as clean as possible without any curl checks. Just a 1:1 mapping so that we can detect when a repo is not available.

We shouldn't use repos from IBS at all which use plain HTTP. Also, we should drop the -k (--insecure) flag.

Actions #4

Updated by rbranco 8 days ago

  • Status changed from New to In Progress
  • Assignee set to rbranco
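
An added example, not code from the ticket or from the test repository: one way to combine the points raised in notes #2 and #3, with a 1:1 version-to-directory mapping, HTTPS only, and a check command without -k. The sub names `ca_repo_url` and `ca_check_cmd` and the mapping entries are assumptions made for illustration; only the OBS base URL and the openSUSE_Factory directory come from the thread.

```perl
use strict;
use warnings;

# HTTPS-only base, taken from the OBS URL quoted in note #2.
my $OBS_BASE = 'https://download.opensuse.org/repositories/SUSE:/CA';

# Constructed 1:1 mapping (version => repo directory). These entries are
# sample values; real ones must match directories that exist in OBS.
my %CA_DIR = (
    '15-SP6' => 'SLE_15_SP6',          # constructed sample entry
    '16.0'   => 'openSUSE_Factory',    # assumption: the thread says no SLE_16.0 repo exists
);

# Return the .repo URL for a version, or die when no mapping exists.
# There is no silent fallback: an unmapped version fails visibly.
sub ca_repo_url {
    my ($version) = @_;
    my $dir = $CA_DIR{$version}
      // die "No CA repo mapped for version '$version'\n";
    # Defensive check: the directory name ends up on a shell command line.
    die "Unexpected characters in '$dir'\n" unless $dir =~ /\A[A-Za-z0-9_.-]+\z/;
    return "$OBS_BASE/$dir/SUSE:CA.repo";
}

# Build an availability check that keeps certificate validation on (no -k)
# and refuses plain HTTP, including after redirects (--proto-redir).
sub ca_check_cmd {
    my ($version) = @_;
    my $url = ca_repo_url($version);
    return "curl -fIL --proto '=https' --proto-redir '=https' '$url' >/dev/null 2>&1";
}

# Stand-alone demonstration: two mapped versions and one unmapped one.
for my $v ('15-SP6', '16.0', '12-SP5') {
    my $cmd = eval { ca_check_cmd($v) };
    print(defined($cmd) ? "$v: $cmd\n" : "$v: $@");
}
```

Inside the test library the returned command string would be passed to `script_run`, as in the snippets above.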