From c9df5dcce462af13685236bf7a1d4dd896b1406b Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Fri, 10 Jul 2020 23:42:23 +0200
Subject: major refactoring of installer roles
---
roles/installer/debian/fetch/defaults/main.yml | 12 ++++++
.../installer/debian/fetch/filter_plugins/main.py | 27 +++++++++++++
roles/installer/debian/fetch/tasks/main.yml | 35 ++++++++++++++++
.../installer/debian/fetch/tasks/verify-debian.yml | 46 ++++++++++++++++++++++
.../installer/debian/fetch/tasks/verify-ubuntu.yml | 35 ++++++++++++++++
roles/installer/debian/fetch/vars/main.yml | 13 ++++++
6 files changed, 168 insertions(+)
create mode 100644 roles/installer/debian/fetch/defaults/main.yml
create mode 100644 roles/installer/debian/fetch/filter_plugins/main.py
create mode 100644 roles/installer/debian/fetch/tasks/main.yml
create mode 100644 roles/installer/debian/fetch/tasks/verify-debian.yml
create mode 100644 roles/installer/debian/fetch/tasks/verify-ubuntu.yml
create mode 100644 roles/installer/debian/fetch/vars/main.yml
(limited to 'roles/installer/debian/fetch')
diff --git a/roles/installer/debian/fetch/defaults/main.yml b/roles/installer/debian/fetch/defaults/main.yml
new file mode 100644
index 00000000..eebc59bf
--- /dev/null
+++ b/roles/installer/debian/fetch/defaults/main.yml
@@ -0,0 +1,12 @@
+---
+# debian_installer_distro: debian
+# debian_installer_codename: buster
+debian_installer_arch: amd64
+# debian_installer_variant: netboot
+
+debian_installer_force_download: no
+debian_installer_url:
+# debian: "https://debian.ffgraz.net/debian"
+# ubuntu: "https://debian.ffgraz.net/ubuntu"
+ debian: "http://deb.debian.org/debian"
+ ubuntu: "http://archive.ubuntu.com/ubuntu"
diff --git a/roles/installer/debian/fetch/filter_plugins/main.py b/roles/installer/debian/fetch/filter_plugins/main.py
new file mode 100644
index 00000000..298e7efd
--- /dev/null
+++ b/roles/installer/debian/fetch/filter_plugins/main.py
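Review bot: The default mirrors under `debian_installer_url` are plain `http://` while the commented-out alternatives are `https://`, and nothing in this file records that the role can afford an unauthenticated transport only because every download is later checked against a GPG-signed Release or SHA256SUMS file in the verify task files. A later edit that weakens or removes that verification would silently turn these URLs into a trusted source, so state the dependency next to the mapping, e.g. `# plain http is acceptable here: tasks/verify-*.yml validate every download against a GPG-signed Release/SHA256SUMS`. It would also help to say in a comment that the keys of this mapping must match the values `debian_installer_distro` can take, since vars/main.yml indexes it with that variable.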
@@ -0,0 +1,27 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible import errors
+
+
+def di_images_path(data):
+ try:
+ if data[0] != 'ubuntu':
+ return 'images'
+
+ if data[1] in ['xenial', 'bionic']:
+ return 'images'
+
+ return 'legacy-images'
+ except Exception as e:
+ raise errors.AnsibleFilterError("mountpoint_exists(): %s" % str(e))
+
+
+class FilterModule(object):
+
+ filter_map = {
+ 'di_images_path': di_images_path,
+ }
+
+ def filters(self):
+ return self.filter_map
diff --git a/roles/installer/debian/fetch/tasks/main.yml b/roles/installer/debian/fetch/tasks/main.yml
new file mode 100644
index 00000000..dc87655f
--- /dev/null
+++ b/roles/installer/debian/fetch/tasks/main.yml
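Review bot: The error raised in `di_images_path` names a different filter: the message `"mountpoint_exists(): %s"` looks copied from another plugin and will point anyone debugging a failed template at the wrong function; change it to `raise errors.AnsibleFilterError("di_images_path(): %s" % str(e))`. The broad `except Exception` also folds an `IndexError` from a too-short list into that same generic message, which is acceptable for a filter but worth documenting. Since vars/main.yml calls the filter with `[debian_installer_distro, debian_installer_codename]`, a short docstring stating that `data` is a `(distro, codename)` pair and that Debian and Ubuntu xenial/bionic resolve to `images` while every other Ubuntu codename resolves to `legacy-images` would make the contract visible without reading the callers.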
@@ -0,0 +1,35 @@
+---
+- name: prepare directories for installer files
+ file:
+ name: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}"
+ state: directory
+
+- name: download and verify installer files
+ block:
+ - name: fetch and verify installer checksums
+ include_tasks: "verify-{{ install_distro }}.yml"
+
+ - name: download installer kernel image
+ get_url:
+ url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ debian_installer_variant_kernal_image_name }}"
+ checksum: "{{ debian_installer_kernel_checksum }}"
+ force: "{{ debian_installer_force_download }}"
+ mode: 0644
+
+ - name: download installer initrd.gz
+ get_url:
+ url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/initrd.gz"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/initrd.gz"
+ checksum: "{{ debian_installer_initrd_checksum }}"
+ force: "{{ debian_installer_force_download }}"
+ mode: 0644
+
+ rescue:
+ - name: remove all downloaded files
+ file:
+ name: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}"
+ state: absent
+
+ - fail:
+ msg: "download/verification of installer files failed"
diff --git a/roles/installer/debian/fetch/tasks/verify-debian.yml b/roles/installer/debian/fetch/tasks/verify-debian.yml
new file mode 100644
index 00000000..6846451d
--- /dev/null
+++ b/roles/installer/debian/fetch/tasks/verify-debian.yml
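Review bot: `include_tasks: "verify-{{ install_distro }}.yml"` selects the verification file from `install_distro`, while every path and URL in this file and in vars/main.yml is built from `debian_installer_distro`; if the caller does not set `install_distro`, or sets it to something other than `debian_installer_distro`, the role either fails before any signature check runs or includes the verification file for the other distribution, which presumably then fails on a missing signature file rather than verifying anything. Use the role's own variable: `include_tasks: "verify-{{ debian_installer_distro }}.yml"`. The same mix-up recurs in verify-debian.yml, where the keyring path is built from `install_codename` instead of `debian_installer_codename`, so a wrong or missing codename there selects a keyring that does not exist rather than the one the role's own defaults describe.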
@@ -0,0 +1,46 @@
+---
+- name: download Release and Signature file
+ loop:
+ - Release
+ - Release.gpg
+ get_url:
+ url: "{{ debian_installer_base_url | dirname | dirname | dirname | dirname }}/{{ item }}"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}"
+
+- name: verfiy signature of Release file
+ command: >-
+ gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null
+ --keyring "{{ installer_keyrings_path | default(installer_base_path+'/keyrings') }}/debian-{{ install_codename }}.gpg"
+ --verify "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release.gpg"
+ "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release"
+ changed_when: False
+ register: debian_installer_gpg_result
+
+- debug:
+ var: debian_installer_gpg_result.stderr_lines
+
+- name: extract checksum file hash from Release file
+ command: grep -E "^ [0-9a-z]{64} .* main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}/SHA256SUMS$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release"
+ changed_when: false
+ register: debian_installer_inrelease_sha256
+
+- name: download SHA256SUMS
+ get_url:
+ url: "{{ debian_installer_base_url }}/SHA256SUMS"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ checksum: "sha256:{{ (debian_installer_inrelease_sha256.stdout | trim).split(' ') | first }}"
+
+- name: extract kernel image hash from SHA256SUMS
+ command: grep -E
"^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_kernel
+
+- name: extract inital ramdisk hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_initrd
+
+- name: set checksum variables
+ set_fact:
+ debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}"
+ debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}"
diff --git a/roles/installer/debian/fetch/tasks/verify-ubuntu.yml b/roles/installer/debian/fetch/tasks/verify-ubuntu.yml
new file mode 100644
index 00000000..e7cff3ae
--- /dev/null
+++ b/roles/installer/debian/fetch/tasks/verify-ubuntu.yml
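Review bot: The `Release` and `Release.gpg` downloads in the first task carry neither `checksum:` nor `force:`, so on a host that already holds both files from an earlier run `get_url` keeps the old copies and the signature check, the `grep` over the Release file and the `checksum:` on the SHA256SUMS download all operate on stale data; once the mirror has moved on, the SHA256SUMS download fails its checksum, the rescue in tasks/main.yml wipes the directory, and the role only succeeds on the next run. Pass the role's flag through, `force: "{{ debian_installer_force_download }}"`, or simply always re-fetch these two small files with `force: yes`. The four chained `dirname` filters work only while `debian_installer_base_url` ends in exactly the four components `main/installer-<arch>/current/<images-dir>` below `dists/<codename>/`, which is fixed in vars/main.yml and not visible here; a comment such as `# strip main/installer-<arch>/current/<images-dir> to reach dists/<codename>/` would make that coupling explicit. The task name `verfiy signature of Release file` has a typo (`verify`).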
@@ -0,0 +1,35 @@
+---
+- name: download SHA256SUMS and signature file
+ loop:
+ - SHA256SUMS
+ - SHA256SUMS.gpg
+ get_url:
+ url: "{{ debian_installer_base_url }}/{{ item }}"
+ dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}"
+
+- name: verfiy signature of SHA256SUMS.gpg file
+ command: >-
+ gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null
+ --keyring "{{ installer_keyrings_path | default(installer_base_path+'/keyrings') }}/ubuntu-archive.gpg"
+ --verify "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS.gpg"
+ "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: False
+ register: debian_installer_gpg_result
+
+- debug:
+ var: debian_installer_gpg_result.stderr_lines
+
+- name: extract kernel image hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_kernel
+
+- name: extract inital ramdisk hash from SHA256SUMS
+ command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS"
+ changed_when: false
+ register: debian_installer_sha256sums_initrd
+
+- name: set checksum variables
+ set_fact:
+ debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first
}}"
+ debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}"
diff --git a/roles/installer/debian/fetch/vars/main.yml b/roles/installer/debian/fetch/vars/main.yml
new file mode 100644
index 00000000..404b571a
--- /dev/null
+++ b/roles/installer/debian/fetch/vars/main.yml
@@ -0,0 +1,13 @@
+---
+debian_installer_base_url: "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}"
+
+_debian_installer_variant_path_:
+ netboot: "netboot/{{ debian_installer_distro }}-installer/{{ debian_installer_arch }}"
+ hd-media: "hd-media"
+
+_debian_installer_variant_kernel_image_name_:
+ netboot: "linux"
+ hd-media: "vmlinuz"
+
+debian_installer_variant_path: "{{ _debian_installer_variant_path_[debian_installer_variant] }}"
+debian_installer_variant_kernal_image_name: "{{ _debian_installer_variant_kernel_image_name_[debian_installer_variant] }}"
-- cgit v1.2.3
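Review bot: The last three tasks of this file — the two `grep` extractions from SHA256SUMS and the `set_fact` that publishes `debian_installer_kernel_checksum` and `debian_installer_initrd_checksum` — are byte-for-byte the same as the end of verify-debian.yml, so any fix to the regex or to the `stdout.split(' ') | first` parsing has to be applied twice and can silently diverge. Move them into one shared task file that tasks/main.yml includes right after the distro-specific verify file, and leave only the SHA256SUMS/SHA256SUMS.gpg download and the gpg verification here. The SHA256SUMS download in the first task also lacks `force:`, so with an existing copy on disk the signature check runs against the stale file; passing `force: "{{ debian_installer_force_download }}"` keeps it in line with the kernel and initrd downloads. The task name `verfiy signature of SHA256SUMS.gpg file` has a typo (`verify`).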
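Review bot: The exported variable `debian_installer_variant_kernal_image_name` misspells "kernel" while the private map it reads, `_debian_installer_variant_kernel_image_name_`, spells it correctly, and the misspelled name is already referenced from tasks/main.yml, verify-debian.yml and verify-ubuntu.yml; renaming it in this same commit, before any caller outside the role picks it up, is cheap: `debian_installer_variant_kernel_image_name: "{{ _debian_installer_variant_kernel_image_name_[debian_installer_variant] }}"` plus the matching references in the three task files. `debian_installer_base_url` is the value every download URL, the `dirname` chain in verify-debian.yml and every `grep` pattern in the verify files are derived from, so a one-line comment above it stating that it resolves to the `dists/<codename>/main/installer-<arch>/current/<images-dir>` prefix of the mirror, and that the `di_images_path` filter picks the last component per distro/codename, would save the next reader a trip through the filter plugin and the verify files.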