Pino Toscano
2014-Feb-25 16:29 UTC
[Libguestfs] [PATCH 0/8] virt-builder: use .conf files for configuration
Hi,

attached there is a series of patches that completes the work on making virt-builder use .conf files, shipped in XDG directories, to configure all the available sources of indexes used. This also removes the hardcoded default location, replaced now with a configuration file (which may be not used at all).

Thanks,

Pino Toscano (8):
  builder: allow "no key" as key in Sigchecker
  builder: use Sigchecker.gpgkey_type for the fingerprint
  builder: add functions to read XDG_CONFIG_DIRS and XDG_CONFIG_PATH
  builder: extract the default key to file
  builder: switch sources to .conf files
  builder: remove VIRT_BUILDER_SOURCE and VIRT_BUILDER_FINGERPRINT
  builder: remove the default fingerprint/pubkey
  builder: update documentation

 .gitignore | 3 +
 builder/Makefile.am | 10 +-
 builder/builder.ml | 19 ++-
 builder/cmdline.ml | 20 +--
 builder/libguestfs.conf.in | 3 +
 builder/libguestfs.gpg | 64 +++++++++
 builder/list_entries.ml | 22 ++-
 builder/list_entries.mli | 2 +-
 builder/paths.ml | 15 ++
 builder/sigchecker.ml | 87 ++----------
 builder/sigchecker.mli | 3 +-
 builder/sources.ml | 122 ++++++++++++++++
 builder/sources.mli | 25 ++++
 .../virt-builder/repos.d/test-index.conf.in | 2 +
 builder/test-virt-builder-list.sh | 8 +-
 builder/test-virt-builder-planner.sh | 2 +-
 builder/test-virt-builder.sh | 2 +-
 .../virt-builder/repos.d/libguestfs.conf.in | 3 +
 builder/virt-builder.pod | 154 ++++++++++-----------
 configure.ac | 9 ++
 po/POTFILES-ml | 1 +
 run.in | 6 +-
 22 files changed, 383 insertions(+), 199 deletions(-)
 create mode 100644 builder/libguestfs.conf.in
 create mode 100644 builder/libguestfs.gpg
 create mode 100644 builder/sources.ml
 create mode 100644 builder/sources.mli
 create mode 100644 builder/test-config/virt-builder/repos.d/test-index.conf.in
 create mode 100644 builder/test-website/virt-builder/repos.d/libguestfs.conf.in

--
1.8.3.1
Pino Toscano
2014-Feb-25 16:29 UTC
[Libguestfs] [PATCH 1/8] builder: allow "no key" as key in Sigchecker
Additional way to distinguish no actual key available for signature checking; make sure to not allow signing in such situation. --- builder/sigchecker.ml | 8 ++++++++ builder/sigchecker.mli | 1 + 2 files changed, 9 insertions(+) diff --git a/builder/sigchecker.ml b/builder/sigchecker.ml index 7459e4b..67d1600 100644 --- a/builder/sigchecker.ml +++ b/builder/sigchecker.ml @@ -97,6 +97,7 @@ ZvXkQ3FVJwZoLmHw47vvlVpLD/4gi1SuHWieRvZ+UdDq00E348pm " type gpgkey_type + | No_Key | Fingerprint of string | KeyFile of string @@ -127,6 +128,11 @@ let rec create ~debug ~gpg ~gpgkey ~check_signature (* Create a temporary directory for gnupg. *) let tmpdir = Mkdtemp.mkdtemp (Filename.temp_dir_name // "vb.gpghome.XXXXXX") in rmdir_on_exit tmpdir; + (* Make sure we have no check_signature=true with no actual key. *) + let check_signature, gpgkey + match check_signature, gpgkey with + | true, No_Key -> false, No_Key + | x, y -> x, y in let fingerprint if check_signature then ( (* Run gpg so it can setup its own home directory, failing if it @@ -141,6 +147,8 @@ let rec create ~debug ~gpg ~gpgkey ~check_signature exit 1 ); match gpgkey with + | No_Key -> + assert false | KeyFile kf -> let status_file = import_keyfile gpg tmpdir debug kf in let status = read_whole_file status_file in diff --git a/builder/sigchecker.mli b/builder/sigchecker.mli index f4e817e..ab44a5c 100644 --- a/builder/sigchecker.mli +++ b/builder/sigchecker.mli @@ -21,6 +21,7 @@ val default_fingerprint : string type t type gpgkey_type + | No_Key | Fingerprint of string | KeyFile of string -- 1.8.3.1
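Review bot: In create in builder/sigchecker.ml, the new arm "| true, No_Key -> false, No_Key" turns signature checking off without telling the user, so a source that arrives with no key is used unverified even though --no-check-signature was not given. I would print an unconditional warning at that point, or fail and make the user opt out explicitly, so that a missing key cannot be mistaken for a verified run. The later "| No_Key -> assert false" arm is only safe because of this rewrite, and a one-line comment there saying so would help. The commit message says "signing" where the code is about signature checking.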
Pino Toscano
2014-Feb-25 16:29 UTC
[Libguestfs] [PATCH 2/8] builder: use Sigchecker.gpgkey_type for the fingerprint
Use Sigchecker.gpgkey_type instead of just string as type in the sources list; adapt the listing code (and its expected output) to that. No behaviour change which eases a bit the addition of new sources with other key types. --- builder/builder.ml | 9 ++++++--- builder/list_entries.ml | 22 +++++++++++++++++----- builder/list_entries.mli | 2 +- builder/test-virt-builder-list.sh | 4 ++-- 4 files changed, 26 insertions(+), 11 deletions(-) diff --git a/builder/builder.ml b/builder/builder.ml index 80ccef7..1ddbd0a 100644 --- a/builder/builder.ml +++ b/builder/builder.ml @@ -136,13 +136,16 @@ let main () (* Download the sources. *) let downloader = Downloader.create ~debug ~curl ~cache in + let sources = List.map ( + fun (source, fingerprint) -> + source, Sigchecker.Fingerprint fingerprint + ) sources in let index : Index_parser.index List.concat ( List.map ( - fun (source, fingerprint) -> + fun (source, key) -> let sigchecker - Sigchecker.create ~debug ~gpg ~check_signature - ~gpgkey:(Sigchecker.Fingerprint fingerprint) in + Sigchecker.create ~debug ~gpg ~check_signature ~gpgkey:key in Index_parser.get_index ~prog ~debug ~downloader ~sigchecker source ) sources ) in diff --git a/builder/list_entries.ml b/builder/list_entries.ml index edf7dfb..476bf14 100644 --- a/builder/list_entries.ml +++ b/builder/list_entries.ml @@ -65,9 +65,15 @@ and list_entries_long ~sources index | Some locale -> split_locale locale in List.iter ( - fun (source, fingerprint) -> + fun (source, key) -> printf (f_"Source URI: %s\n") source; - printf (f_"Fingerprint: %s\n") fingerprint; + (match key with + | Sigchecker.No_Key -> () + | Sigchecker.Fingerprint fp -> + printf (f_"Fingerprint: %s\n") fp; + | Sigchecker.KeyFile kf -> + printf (f_"Key: %s\n") kf; + ); printf "\n" ) sources; 
@@ -160,10 +166,16 @@ and list_entries_json ~sources index printf " \"version\": %d,\n" 1; printf " \"sources\": [\n"; iteri ( - fun i (source, fingerprint) -> + fun i (source, key) -> printf " {\n"; - printf " \"uri\": \"%s\",\n" source; - printf " \"fingerprint\": \"%s\"\n" fingerprint; + (match key with + | Sigchecker.No_Key -> () + | Sigchecker.Fingerprint fp -> + printf " \"fingerprint\": \"%s\",\n" fp; + | Sigchecker.KeyFile kf -> + printf " \"key\": \"%s\",\n" kf; + ); + printf " \"uri\": \"%s\"\n" source; printf " }%s\n" (trailing_comma i (List.length sources)) ) sources; printf " ],\n"; diff --git a/builder/list_entries.mli b/builder/list_entries.mli index e7c32f1..b53ccec 100644 --- a/builder/list_entries.mli +++ b/builder/list_entries.mli @@ -16,4 +16,4 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. *) -val list_entries : list_format:([ `Short | `Long | `Json ]) -> sources:(string * string) list -> Index_parser.index -> unit +val list_entries : list_format:([ `Short | `Long | `Json ]) -> sources:(string * Sigchecker.gpgkey_type) list -> Index_parser.index -> unit diff --git a/builder/test-virt-builder-list.sh b/builder/test-virt-builder-list.sh index 7174152..6db9b78 100755 --- a/builder/test-virt-builder-list.sh +++ b/builder/test-virt-builder-list.sh @@ -117,8 +117,8 @@ if [ "$json_list" != "{ \"version\": 1, \"sources\": [ { - \"uri\": \"$VIRT_BUILDER_SOURCE\", - \"fingerprint\": \"F777 4FB1 AD07 4A7E 8C87 67EA 9173 8F73 E1B7 68A0\" + \"fingerprint\": \"F777 4FB1 AD07 4A7E 8C87 67EA 9173 8F73 E1B7 68A0\", + \"uri\": \"$VIRT_BUILDER_SOURCE\" } ], \"templates\": [ -- 1.8.3.1
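Review bot: In list_entries_long in builder/list_entries.ml, the arm "| Sigchecker.No_Key -> ()" prints nothing, so in the long listing a source that will be used without signature verification carries no mark at all. I would print an explicit line for that case so that unverified sources are visible to whoever reads the listing.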
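Review bot: In list_entries_json, kf is a filesystem path and is written with a bare %s (printf " \"key\": \"%s\",\n" kf), so a path containing a double quote or a backslash yields invalid JSON for any consumer of the listing. I would escape the string before printing it, for the existing uri field as well. As in the long listing, No_Key emits no field, and an explicit value for "no key" would let scripts detect unverified sources.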
Pino Toscano
2014-Feb-25 16:29 UTC
[Libguestfs] [PATCH 3/8] builder: add functions to read XDG_CONFIG_DIRS and XDG_CONFIG_PATH
--- builder/paths.ml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/builder/paths.ml b/builder/paths.ml index 66e8922..e4f0c7b 100644 --- a/builder/paths.ml +++ b/builder/paths.ml @@ -24,3 +24,18 @@ let xdg_cache_home try Some (Sys.getenv "HOME" // ".cache" // "virt-builder") with Not_found -> None (* no cache directory *) + +let xdg_config_home ~prog + try Some (Sys.getenv "XDG_CONFIG_HOME" // prog) + with Not_found -> + try Some (Sys.getenv "HOME" // ".config" // prog) + with Not_found -> + None (* no config directory *) + +let xdg_config_dirs ~prog + let dirs + try Sys.getenv "XDG_CONFIG_DIRS" + with Not_found -> "/etc/xdg" in + let dirs = string_nsplit ":" dirs in + let dirs = List.filter (fun x -> x <> "") dirs in + List.map (fun x -> x // prog) dirs -- 1.8.3.1
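Review bot: In both new functions in builder/paths.ml, a variable that is set but empty is taken as a real value: an empty XDG_CONFIG_HOME gives "" // prog instead of falling back to $HOME/.config, and an empty XDG_CONFIG_DIRS gives an empty list instead of /etc/xdg. The XDG Base Directory specification treats empty like unset and says relative entries are to be ignored; since these directories decide which repositories and key files virt-builder trusts, I would apply both rules so that nothing is read relative to the current directory. The subject line names XDG_CONFIG_PATH, while the code reads XDG_CONFIG_HOME.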
Pino Toscano
2014-Feb-25 16:29 UTC
[Libguestfs] [PATCH 4/8] builder: extract the default key to file
This is basically default_pubkey from sigchecker.ml, just extracted as file. Not used right now, but will be in the future. --- builder/libguestfs.gpg | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 builder/libguestfs.gpg diff --git a/builder/libguestfs.gpg b/builder/libguestfs.gpg new file mode 100644 index 0000000..306a234 --- /dev/null +++ b/builder/libguestfs.gpg 
@@ -0,0 +1,64 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.14 (GNU/Linux) + +mQINBE6UMMEBEADM811hfTulaF4JpkVpAI10FImyb4ArvOiu8NdcUwTFo+cyWno3 +U85B86H1Bsk/LgLTYtthSrTgsCtdxy+i5OaMjxZDIwKQ2+IYI3FCn9T3Mn28Idyh +kLHzrO9ph0Dv0BNfrlDZhQEC53aAFe/QxN7+A49BNBV7D1VAOOCsHjxMEDzcZkCa +oCrtXw1aNm2vkkj5ukbfukHAyLcQL7kow0qKPSVa1G4lfQP0WiG259Ydy+sUmbVb +TGdb6MEC84PQRDuw6/ZeoV04tn7ZNtQEMOS0uiciHOGfr2hBxQf9VIPNrHg42yaL +dOv51D99GuaxZ9E0HSoH/RwB1oXgd6rFdqVNYaBIQnnkwJANUEeGBArtIOZNCADT +Bt8vkSDm+lLEAFS+V8CACyW/LMIrGCvLdHeqtoAv0GDVyR2GPxldYfdtEmCUMWcb +Jlf71V9iAse2gUdoiHp5FfpGMkA5j7idKuxIws11XxRZJXXbBqiBqmVEAQ/v0m6p +kdo0MYTHydmecLuUK2bAGhpysfX97EfTSrxfrYphYWjTfKRD9GrADeZNfuz1DbKs +7LSqVaQJSjQrfgAwcnZLRaU0V4P5zxiz50gz1Aj3AZRL+Y3meZenzZTXcLFdnusg +wUfhhCuL3tluMtEh6tznumyxb43WO1yLwj6J6LtveiuJN1Z+KSQ6OieZcwARAQAB +tCVSaWNoYXJkIFcuTS4gSm9uZXMgPHJpY2hAYW5uZXhpYS5vcmc+iQI4BBMBAgAi +BQJOlDDBAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCRc49z4bdooHQY +D/wJLklSZNyXIW+rG5sUbg7j9cTIF5p/lB9kI2yx6KodJp/2knKyvnmzz0gBw/OE +HL4E4UW26oWKo+36I8wkBnuGa6UtANeITcJqFE19VpHEXHsxre64jNQnO8/w748W +1ROW+Ry43xmrlRWKuCm4oPYUzlp0fq9ATAne8eblfG+NOs8DYuA8xZNQzFaI2kDC +QLD4YoXLoNsP27Koga36b0KwxPFD9tyVZiu9XDH/3hMN7Nb15B66PFr+HcMmQ67G +nUIN5ulcIwj38i40cyaTs1VRheOzTHXE/a6Q2AhMKiKqOoEjQ73/mV7cAVoPtM3o +83Q/8aVKBH0bVRwAeV1tju6b14fqKoG0zNBEcXdlSkht6ScxJYIc/LPUxAMDwgSE +OWshjmeRzKXypBbHn/DP8QVyM2gk5wY+mMSH7MpR0p/hgj+rFO8H9L7pC4dCog3E +qzrYhRN+TaP6MPH3WkOwPH4d4IfQRFnHp+VPYPijKEiLrUl/o8k3DyAanAPBpJ/x +na4wXAjlFBctOq6g+SrCUiHpwk7b2YNwGgr5Vl3GmZELzK/G8gg3uJYKQ9Bpv16t +WWOz+IFiOFa0UULeo0QPmFAIMZiDojNsY1SwBKB3ZL1YWZezgMdQAbpze/IXoSt7 +zxWJoKH2jK7q9mvFiaY12l2YnKuCcegWVAViLxRpBnrbz7QmUmljaGFyZCBXLk0u +IEpvbmVzIDxyam9uZXNAcmVkaGF0LmNvbT6JAjgEEwECACIFAk6UOQsCGwMGCwkI +BwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJFzj3Pht2igIUYQAKomI0edLakahsUQ +MxOZuhBbXJ4/VWF8bXYChDNPKvJp5nB7fBXujJ+39cIUM5fe2ViO6qSDpFC29imx +F5pPbAqspZBPBkLLiZLji8R42hGarntdtTW0UWSBpq+nC5+G1psrnATI3uXGNxKQ 
+R99c5HoMY7dBC2Y8TCGE64NINZ/XVh472s6IGLPn8MTn26YdRKC9BrVkCFMP2OBr +6D4IprnyTAWAzb68ew20QmyWO+NBi9MplaDNQVl8PIOgfpyWlkgX1z9m67pcSDkw +46hksp0yuOD1VwR4iVZ2/CmIsGRUlx41vWD6BIp9KxKyDIU1CYTRhq72dahHsl/8 +BjCndV5PO0GphqfCzmCv4DXjUwmrMTbH/GFnt5rfwcMcXUgcK0vV9vQ2SOU56Zd1 +fb27ZCFJKZc0Fu8krwFldCp/NYILf6ogUL/C1hfuCGSSuyDVY16Gg3dla1x+6zpF +asnWQlaw8xT5LlMWvTZs5WsoSVHu7dVZWlgxINP++hlZrTz/S8l38yyQ15YFFl3W +9M7dzkegOeDTPfx6B89WgfvfJjA/D0/FYxxWPXEtrn9DlJ4daEJqNsrvfLErz9R8 +4IQmfmhR93j+rdotner+6keC/wVByEfbW1wmXtmFKXQ6srdpj8VKRFrvkyXVgepM +DypLgRH2v7lL2kdWhUu2y4EAgrwzuQINBE6UMMEBEADxQxMgUuDrw5GT4tqARTPI +SSdNcUsRxRhVA8srYOyECliE+B3TwcRDFBs+MyPFJVEuX8fi4eGj/AK5t1GHerfk +orUGlz72q4c7LLhkfZrsuJbk2dgkjvldKJnIazQJa6epGLqdsE5RlmSgwedIbtMd +naGJBQH8aKP/Wi1+wUxsm5N3p7+R2WRx48VfpEhYB+Zf/FkFm1Ycjwh57KQ0+OHw +ykf8VfMisxuH30tDxOCV+VptWKfOF2rDNdaNPWhij2YIjhJXRpkuRR+1PpI4jLaD +JxcVZmG/0zucacupUN2g5OUH59ySU/totD6YMnmp3FONoyF1uIEJo6Vs30npHGkO +XgBo3Pxt7oLJeykLPtdSLgm3cwXIYMWarVsAkKNXitQIVGpVRLeaK373VwmXFqoi +M2SMHeawTUdOORFjpQzkknlJWM1TmUVtHHKt8Pl9+/5+wXKyt2IDdcUkMrB6K5qF +fb7EwVhoI8ehJQK+eeDCjFwCAiwB3iV8JlyW+tEU7JuyXOQlwY1VWm/WqMD8gaRi +rT+RFDFliZ3tQbW2pqUoZBROV5HN4tieDfwxGKCvk6Tsdb30zA9DPQp93+238bYf +312sg9R+CD0AqxoxFG5FJu4HShcPRrPnYtRZqKRe40GDWvBEArXZprwL1qrP+Kl/ +mRrEQpxAGIoFG8HbVvD3EQARAQABiQIfBBgBAgAJBQJOlDDBAhsMAAoJEJFzj3Ph +t2igSLQP/2uIrAY2CDr0kWBJiD3TztiHy8IdxwUpyTBTebwmAbi44/EvtJfIisrG +YjKIEv/w0E61gO7O1JBG4+IG93W+v9fTT/e39JMyxsYqoZZHUhP11Okx5grDS5b0 +O8VXOmXVRMdVNfstRBr10HD9uNDq7ruKD18TxYTwN0GPD4gj1dbHQDR77Tr5cyBs +6Ou5PBOH4r3qcqf/cJUSMeUUu75xLwixux6E7tD2S+t6F07wlWxntUcPtzyAHj20 +J89orUC+dT6r6MypBoI0jdJCp9JPGtR7i+fE5Gm4E5+AUSubLPtZGRY9Um2eMoS2 +DnQpGOKx1VvsixR/Kw44j2tRAvmYMS4iDKcuZU+nZ+xokAgObILj/b9n/Qe2/fXy +CFdcgSvbm+dV1fZxsdMF/P9OU8aqdT9A9Fv5y+cDMEg4DVnhwMJTxGh/TCkw/H+A +frHEtRc98lSQN5odpITNG17mG6JOdHM+wA57qHH0uy4+5RsbyAJahcdBcmObK/RF +i4WZlThpbHftX5O/LH98aYQ2fJayIxv1EAjzOBOQ0MfBHI0KCJR1pysEisX28sJA +Ic73gnJJ3BLZbqfBRgxjNMNroxC+5Tw6uPGFHa3YnuIAxxw0HcDVZ9vnTWBWFPGw 
+ZvXkQ3FVJwZoLmHw47vvlVpLD/4gi1SuHWieRvZ+UdDq00E348pm +=neBW +-----END PGP PUBLIC KEY BLOCK----- -- 1.8.3.1
Pino Toscano
2014-Feb-25 16:29 UTC
[Libguestfs] [PATCH 5/8] builder: switch sources to .conf files
Introduce and use simple .conf files to configure the sources of indexes for virt-builder. The location of these files is in XDG_CONFIG_DIRS / XDG_CONFIG_HOME, so it can be easily overridden. There are three .conf(.in) files shipped with this commit: - "test-index.conf.in" (in "test-config"), which points to the "test-index" index (used in tests only); the tests are adapted to point to the hierarchy containing this .conf - "libguestfs.conf.in" (in "test-website"), which points to the local "index.asc" (i.e. the offline copy of the libguestfs.org index); run(.in) will point to the hierarchy providing this .conf - "libguestfs.conf.in" (directly among the other sources), which points to the online "index.asc" and it is installed in sysconfdir, along with the key of this repository The tests are adapted, other than to the different way to pick sources, to the different output of --list, as "test-index" is not signed. --- .gitignore | 3 + builder/Makefile.am | 10 +- builder/builder.ml | 10 ++ builder/libguestfs.conf.in | 3 + builder/sources.ml | 122 +++++++++++++++++++++ builder/sources.mli | 25 +++++ .../virt-builder/repos.d/test-index.conf.in | 2 + builder/test-virt-builder-list.sh | 8 +- builder/test-virt-builder-planner.sh | 2 +- builder/test-virt-builder.sh | 2 +- .../virt-builder/repos.d/libguestfs.conf.in | 3 + configure.ac | 9 ++ po/POTFILES-ml | 1 + run.in | 6 +- 14 files changed, 195 insertions(+), 11 deletions(-) create mode 100644 builder/libguestfs.conf.in create mode 100644 builder/sources.ml create mode 100644 builder/sources.mli create mode 100644 builder/test-config/virt-builder/repos.d/test-index.conf.in create mode 100644 builder/test-website/virt-builder/repos.d/libguestfs.conf.in diff --git a/.gitignore b/.gitignore index 1ee7775..844df3c 100644 --- a/.gitignore +++ b/.gitignore 
@@ -61,10 +61,13 @@ Makefile.in /builder/index-parse.c /builder/index-parse.h /builder/index-scan.c +/builder/libguestfs.conf /builder/*.qcow2 /builder/stamp-virt-builder.pod /builder/stamp-virt-index-validate.pod +/builder/test-config/virt-builder/repos.d/test-index.conf /builder/test-index +/builder/test-website/virt-builder/repos.d/libguestfs.conf /builder/virt-builder /builder/virt-builder.1 /builder/virt-index-validate diff --git a/builder/Makefile.am b/builder/Makefile.am index a72b7ac..f0cb1dd 100644 --- a/builder/Makefile.am +++ b/builder/Makefile.am @@ -58,7 +58,9 @@ SOURCES = \ setlocale.mli \ setlocale-c.c \ sigchecker.mli \ - sigchecker.ml + sigchecker.ml \ + sources.mli \ + sources.ml man_MANS noinst_DATA @@ -103,6 +105,7 @@ OBJECTS = \ sigchecker.cmx \ index_parser.cmx \ list_entries.cmx \ + sources.cmx \ cmdline.cmx \ builder.cmx @@ -221,6 +224,11 @@ DISTCLEANFILES = .depend .PHONY: depend docs +# virt-builder's default repository + +repoconfdir = $(sysconfdir)/xdg/virt-builder/repos.d +repoconf_DATA = libguestfs.conf libguestfs.gpg + # Build a small C index validator program. bin_PROGRAMS = virt-index-validate diff --git a/builder/builder.ml b/builder/builder.ml index 1ddbd0a..1800f2d 100644 --- a/builder/builder.ml +++ b/builder/builder.ml @@ -136,10 +136,20 @@ let main () (* Download the sources. *) let downloader = Downloader.create ~debug ~curl ~cache in + let repos = Sources.read_sources ~prog ~debug in + let repos = List.map ( + fun { Sources.uri = uri; Sources.gpgkey = gpgkey } -> + let gpgkey + match gpgkey with + | None -> Sigchecker.No_Key + | Some key -> Sigchecker.KeyFile key in + uri, gpgkey + ) repos in let sources = List.map ( fun (source, fingerprint) -> source, Sigchecker.Fingerprint fingerprint ) sources in + let sources = List.append repos sources in let index : Index_parser.index List.concat ( List.map ( diff --git a/builder/libguestfs.conf.in b/builder/libguestfs.conf.in new file mode 100644 index 0000000..633a0ab --- /dev/null 
+++ b/builder/libguestfs.conf.in @@ -0,0 +1,3 @@ +[libguestfs.org] +uri=http://libguestfs.org/download/builder/index.asc +gpgkey=file://@SYSCONFDIR@/xdg/virt-builder/repos.d/libguestfs.gpg diff --git a/builder/sources.ml b/builder/sources.ml new file mode 100644 index 0000000..fd0b236 --- /dev/null +++ b/builder/sources.ml 
@@ -0,0 +1,122 @@ +(* virt-builder + * Copyright (C) 2014 Red Hat Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + *) + +open Common_gettext.Gettext +open Common_utils + +open Printf +open Unix + +type source = { + name : string; + uri : string; + gpgkey : string option; +} + +let parse_conf ~prog ~debug file + if debug then ( + eprintf (f_"%s: trying to read %s\n") prog file; + ); + let sections = Ini_reader.read_ini file in + + let sources = List.fold_right ( + fun (n, fields) acc -> + let give_source n fields + let fields = List.map (fun (k, sk, v) -> (k, sk), v) fields in + let uri + try List.assoc ("uri", None) fields + with Not_found as ex -> + eprintf (f_"%s: no 'uri' entry for '%s' in %s, skipping it\n") prog n file; + raise ex in + let gpgkey + let k + try Some (URI.parse_uri (List.assoc ("gpgkey", None) fields)) with + | Not_found -> None + | Invalid_argument "URI.parse_uri" as ex -> + if debug then ( + eprintf (f_"%s: '%s' has invalid gpgkey URI\n") prog n; + ); + raise ex in + match k with + | None -> None + | Some uri -> + (match uri.URI.protocol with + | "file" -> Some uri.URI.path + | _ -> + if debug then ( + eprintf (f_"%s: '%s' has non-local gpgkey URI\n") prog n; + ); + None + ) in + { + name = n; uri = uri; gpgkey = gpgkey; + } + in + try (give_source n fields) :: acc 
+ with Not_found | Invalid_argument _ -> acc + ) sections [] in + + if debug then ( + eprintf (f_"%s: ... read %d sources\n") prog (List.length sources); + ); + + sources + +let merge_sources current_sources new_sources + List.fold_right ( + fun source acc -> + if List.exists (fun { name = n } -> n = source.name) acc then + acc + else + source :: acc + ) new_sources current_sources + +let filter_filenames filename + let suffix = ".conf" in + let n = String.length filename in + let ns = String.length suffix in + n >= ns && String.sub filename (n - ns) ns = suffix + +let read_sources ~prog ~debug + let dirs = Paths.xdg_config_dirs ~prog in + let dirs + match Paths.xdg_config_home ~prog with + | None -> dirs + | Some dir -> dir :: dirs in + let dirs = List.map (fun x -> x // "repos.d") dirs in + List.fold_right ( + fun dir acc -> + let files + try List.filter filter_filenames (Array.to_list (Sys.readdir dir)) + with Sys_error _ -> [] in + let files = List.map (fun x -> dir // x) files in + List.fold_left ( + fun acc file -> + try merge_sources acc (parse_conf ~prog ~debug file) with + | Unix_error (code, fname, _) -> + if debug then ( + eprintf (f_"%s: file error: %s: %s\n") prog fname (error_message code) + ); + acc + | Invalid_argument msg -> + if debug then ( + eprintf (f_"%s: internal error: invalid argument: %s\n") prog msg + ); + acc + ) acc files + ) dirs [] diff --git a/builder/sources.mli b/builder/sources.mli new file mode 100644 index 0000000..76feeda --- /dev/null +++ b/builder/sources.mli 
@@ -0,0 +1,25 @@ +(* virt-builder + * Copyright (C) 2014 Red Hat Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + *) + +type source = { + name : string; + uri : string; + gpgkey : string option; +} + +val read_sources : prog:string -> debug:bool -> source list diff --git a/builder/test-config/virt-builder/repos.d/test-index.conf.in b/builder/test-config/virt-builder/repos.d/test-index.conf.in new file mode 100644 index 0000000..3755e75 --- /dev/null +++ b/builder/test-config/virt-builder/repos.d/test-index.conf.in @@ -0,0 +1,2 @@ +[test-index] +uri=file://@abs_top_srcdir@/builder/test-index diff --git a/builder/test-virt-builder-list.sh b/builder/test-virt-builder-list.sh index 6db9b78..2f9b319 100755 --- a/builder/test-virt-builder-list.sh +++ b/builder/test-virt-builder-list.sh @@ -23,7 +23,7 @@ set -e abs_builddir=$(pwd) -export VIRT_BUILDER_SOURCE=file://$abs_builddir/test-index +export XDG_CONFIG_DIRS="$abs_builddir/test-config" short_list=$($VG ./virt-builder --no-check-signature --no-cache --list) 
@@ -41,8 +41,7 @@ fi long_list=$(./virt-builder --no-check-signature --no-cache --list --long) -if [ "$long_list" != "Source URI: $VIRT_BUILDER_SOURCE -Fingerprint: F777 4FB1 AD07 4A7E 8C87 67EA 9173 8F73 E1B7 68A0 +if [ "$long_list" != "Source URI: file://$abs_builddir/test-index os-version: phony-debian Full name: Phony Debian @@ -117,8 +116,7 @@ if [ "$json_list" != "{ \"version\": 1, \"sources\": [ { - \"fingerprint\": \"F777 4FB1 AD07 4A7E 8C87 67EA 9173 8F73 E1B7 68A0\", - \"uri\": \"$VIRT_BUILDER_SOURCE\" + \"uri\": \"file://$abs_builddir/test-index\" } ], \"templates\": [ diff --git a/builder/test-virt-builder-planner.sh b/builder/test-virt-builder-planner.sh index 738b299..386de5c 100755 --- a/builder/test-virt-builder-planner.sh +++ b/builder/test-virt-builder-planner.sh @@ -21,7 +21,7 @@ set -e abs_builddir=$(pwd) -export VIRT_BUILDER_SOURCE=file://$abs_builddir/test-index +export XDG_CONFIG_DIRS="$abs_builddir/test-config" if [ ! -f fedora.xz -o ! -f fedora.qcow2 -o ! -f fedora.qcow2.xz ]; then echo "$0: test skipped because there is no fedora.xz, fedora.qcow2 or fedora.qcow2.xz in the build directory" diff --git a/builder/test-virt-builder.sh b/builder/test-virt-builder.sh index 3c8eb60..85a7888 100755 --- a/builder/test-virt-builder.sh +++ b/builder/test-virt-builder.sh @@ -21,7 +21,7 @@ set -e abs_builddir=$(pwd) -export VIRT_BUILDER_SOURCE=file://$abs_builddir/test-index +export XDG_CONFIG_DIRS="$abs_builddir/test-config" if [ ! -f fedora.xz ]; then echo "$0: test skipped because there is no fedora.xz in the build directory" diff --git a/builder/test-website/virt-builder/repos.d/libguestfs.conf.in b/builder/test-website/virt-builder/repos.d/libguestfs.conf.in new file mode 100644 index 0000000..7bbc28d --- /dev/null +++ b/builder/test-website/virt-builder/repos.d/libguestfs.conf.in @@ -0,0 +1,3 @@ +[libguestfs.org] +uri=file://@abs_top_srcdir@/builder/website/index.asc +gpgkey=file://@abs_top_srcdir@/builder/libguestfs.gpg 
diff --git a/configure.ac b/configure.ac index 96ae786..17e5229 100644 --- a/configure.ac +++ b/configure.ac @@ -1587,6 +1587,12 @@ dnl http://lists.fedoraproject.org/pipermail/devel/2010-November/146343.html LIBTOOL='bash $(top_srcdir)/libtool-kill-dependency_libs.sh $(top_builddir)/libtool' AC_SUBST([LIBTOOL]) +dnl Work around autoconf's lack of expanded variables. +eval my_sysconfdir="\"[$]sysconfdir\"" +eval my_sysconfdir="\"$my_sysconfdir\"" +SYSCONFDIR="${my_sysconfdir}" +AC_SUBST(SYSCONFDIR) + dnl Produce output files. AC_CONFIG_HEADERS([config.h]) @@ -1618,7 +1624,10 @@ AC_CONFIG_FILES([Makefile appliance/Makefile bash/Makefile builder/Makefile + builder/libguestfs.conf + builder/test-config/virt-builder/repos.d/test-index.conf builder/test-index + builder/test-website/virt-builder/repos.d/libguestfs.conf builder/website/Makefile cat/Makefile csharp/Makefile diff --git a/po/POTFILES-ml b/po/POTFILES-ml index 2c9f5dc..8725e5e 100644 --- a/po/POTFILES-ml +++ b/po/POTFILES-ml @@ -9,6 +9,7 @@ builder/paths.ml builder/pxzcat.ml builder/setlocale.ml builder/sigchecker.ml +builder/sources.ml mllib/common_gettext.ml mllib/common_utils.ml mllib/common_utils_tests.ml diff --git a/run.in b/run.in index f77db95..c804b84 100755 --- a/run.in +++ b/run.in @@ -87,9 +87,9 @@ export LD_LIBRARY_PATH # Make virt-builder use the local website copy to avoid hitting # the network all the time. -if [ -z "$VIRT_BUILDER_SOURCE" ]; then - VIRT_BUILDER_SOURCE="file://$s/builder/website/index.asc" - export VIRT_BUILDER_SOURCE +if [ -z "$XDG_CONFIG_DIRS" ]; then + XDG_CONFIG_DIRS="$b/builder/test-website" + export XDG_CONFIG_DIRS fi # For Perl. -- 1.8.3.1
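Review bot: In parse_conf in builder/sources.ml, a gpgkey whose scheme is not "file" falls through to None, and the only trace is an eprintf guarded by "if debug". Together with the "None -> Sigchecker.No_Key" mapping added to builder/builder.ml, a typo in the scheme or an https:// key URL leaves the source enabled but unverified, with no message in a normal run. I would skip the source in that case, as is already done for an invalid URI, or at least warn unconditionally.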
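Review bot: In read_sources in builder/sources.ml, List.fold_right visits the last directory first and merge_sources keeps the entry already in the accumulator, so when two sections share a name the definition from the last XDG_CONFIG_DIRS entry wins and the one under XDG_CONFIG_HOME is dropped. That is the reverse of the usual XDG precedence and of the "easily overridden" goal in the commit message; letting the later-merged entry replace the existing one, or folding the directories from the left, would fix it. A comment in sources.mli stating the intended precedence would also help.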
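An added example, not part of the patch series or of libguestfs: a Python audit that walks the same repos.d directories as patch 5/8 and reports, per source, whether it ends up with a key file, with no key, or shadowed by a same-named entry. The function names, status labels, sorted file order and sample tree are assumptions made for the example, and configparser stands in for the project's Ini_reader.

```python
import configparser
import os
import tempfile
from urllib.parse import urlparse


def config_dirs(prog, env):
    """Directory order used by the patch: XDG_CONFIG_HOME (or $HOME/.config),
    then every XDG_CONFIG_DIRS entry (default /etc/xdg), each + prog/repos.d."""
    dirs = []
    if "XDG_CONFIG_HOME" in env:
        dirs.append(os.path.join(env["XDG_CONFIG_HOME"], prog))
    elif "HOME" in env:
        dirs.append(os.path.join(env["HOME"], ".config", prog))
    system = env.get("XDG_CONFIG_DIRS", "/etc/xdg")
    dirs += [os.path.join(d, prog) for d in system.split(":") if d]
    return [os.path.join(d, "repos.d") for d in dirs]


def key_status(gpgkey):
    """Map a gpgkey value to (status, detail), following parse_conf in the patch."""
    if gpgkey is None:
        return "UNVERIFIED", "no gpgkey entry"
    uri = urlparse(gpgkey)
    if uri.scheme != "file":
        # parse_conf drops non-file keys, so the source ends up with no key.
        return "UNVERIFIED", "non-local gpgkey URI: " + gpgkey
    if not os.path.isfile(uri.path):
        # Extra check made by this audit; the patch does not test for the file.
        return "BROKEN", "key file missing: " + uri.path
    return "KEYFILE", uri.path


def audit_sources(prog="virt-builder", env=None):
    """Return one (name, conf_file, status, detail) tuple per section found."""
    env = os.environ if env is None else env
    winners = {}  # source name -> file whose definition is kept
    report = []
    # As read from the hunk: read_sources folds the directory list from the
    # right and merge_sources keeps the entry it already has, so directories
    # are visited last-to-first and the first definition of a name is kept.
    for directory in reversed(config_dirs(prog, env)):
        try:
            # Sorted order is an assumption; the patch uses readdir order.
            files = sorted(f for f in os.listdir(directory) if f.endswith(".conf"))
        except OSError:
            continue  # unreadable or missing directory is ignored, as in the patch
        for fname in files:
            path = os.path.join(directory, fname)
            ini = configparser.ConfigParser(interpolation=None, strict=False,
                                            delimiters=("=",))
            try:
                ini.read(path)
            except configparser.Error as exc:
                report.append(("?", path, "BROKEN", "unparsable: %s" % exc))
                continue
            for name in ini.sections():
                if name in winners:
                    report.append((name, path, "SHADOWED", "kept: " + winners[name]))
                elif not ini.has_option(name, "uri"):
                    report.append((name, path, "SKIPPED", "no uri entry"))
                else:
                    winners[name] = path
                    gpgkey = ini.get(name, "gpgkey", fallback=None)
                    report.append((name, path) + key_status(gpgkey))
    return report


def demo():
    """Run the audit over a constructed tree: one system dir, one user dir."""
    with tempfile.TemporaryDirectory() as root:
        sysd = os.path.join(root, "etc-xdg", "virt-builder", "repos.d")
        usrd = os.path.join(root, "home", ".config", "virt-builder", "repos.d")
        os.makedirs(sysd)
        os.makedirs(usrd)
        key = os.path.join(sysd, "libguestfs.gpg")
        open(key, "w").close()  # empty placeholder, only its presence matters
        samples = {
            os.path.join(sysd, "libguestfs.conf"):
                "[libguestfs.org]\n"
                "uri=http://libguestfs.org/download/builder/index.asc\n"
                "gpgkey=file://%s\n" % key,
            os.path.join(usrd, "local.conf"):
                "[libguestfs.org]\nuri=file:///srv/mirror/index.asc\n"
                "[lab]\nuri=http://images.example/index.asc\n"
                "[remote-key]\nuri=http://images.example/i2.asc\n"
                "gpgkey=https://images.example/key.gpg\n",
        }
        for path, text in samples.items():
            with open(path, "w") as fh:
                fh.write(text)
        env = {"HOME": os.path.join(root, "home"),
               "XDG_CONFIG_DIRS": os.path.join(root, "etc-xdg")}
        return [(n, os.path.basename(f), s) for n, f, s, _ in audit_sources(env=env)]


if __name__ == "__main__":
    for row in demo():
        print("%-16s %-16s %s" % row)
```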
Pino Toscano
2014-Feb-25 16:29 UTC
[Libguestfs] [PATCH 6/8] builder: remove VIRT_BUILDER_SOURCE and VIRT_BUILDER_FINGERPRINT
Drop these two environment variables, and the implicit hardcoded source hosted at libguestfs.org. This means all the sources must be provided as .conf files, or at each invocation with --source. --- builder/cmdline.ml | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/builder/cmdline.ml b/builder/cmdline.ml index e9e47ae..6e8bfd8 100644 --- a/builder/cmdline.ml +++ b/builder/cmdline.ml @@ -30,8 +30,6 @@ open Printf let prog = Filename.basename Sys.executable_name -let default_source = "http://libguestfs.org/download/builder/index.asc" - let parse_cmdline () let display_version () printf "virt-builder %s\n" Config.package_version; @@ -407,27 +405,13 @@ read the man page virt-builder(1). exit 1 ) in - (* Check source(s) and fingerprint(s), or use environment or default. *) + (* Check source(s) and fingerprint(s). *) let sources - let list_split = function "" -> [] | str -> string_nsplit "," str in let rec repeat x = function | 0 -> [] | 1 -> [x] | n -> x :: repeat x (n-1) in - let sources - if sources <> [] then sources - else ( - try list_split (Sys.getenv "VIRT_BUILDER_SOURCE") - with Not_found -> [ default_source ] - ) in - let fingerprints - if fingerprints <> [] then fingerprints - else ( - try list_split (Sys.getenv "VIRT_BUILDER_FINGERPRINT") - with Not_found -> [ Sigchecker.default_fingerprint ] - ) in - let nr_sources = List.length sources in let fingerprints match fingerprints with @@ -444,8 +428,6 @@ read the man page virt-builder(1). exit 1 ); - assert (nr_sources > 0); - (* Combine the sources and fingerprints into a single list of pairs. *) List.combine sources fingerprints in -- 1.8.3.1
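Review bot: In parse_cmdline in builder/cmdline.ml, removing "assert (nr_sources > 0)" together with both fallbacks means the list of sources can now be empty, and none of the hunks visible in this series adds a check after "List.append repos sources" in builder/builder.ml. With no .conf file installed and no --source, I would expect an explicit error that says where configuration files are looked for, rather than an empty index. It is also worth a release note that VIRT_BUILDER_SOURCE and VIRT_BUILDER_FINGERPRINT are now ignored without any message, since scripts that set them will quietly switch to whatever the .conf files provide.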
Pino Toscano
2014-Feb-25 16:29 UTC
[Libguestfs] [PATCH 7/8] builder: remove the default fingerprint/pubkey
Sigchecker can still import keys from the user's keyring, so there is no need to hardcode fingerprint and key of the index hosted on libguestfs.org (which is now pointed to using a .conf file). --- builder/sigchecker.ml | 79 -------------------------------------------------- builder/sigchecker.mli | 2 -- 2 files changed, 81 deletions(-) diff --git a/builder/sigchecker.ml b/builder/sigchecker.ml index 67d1600..ae8e413 100644 --- a/builder/sigchecker.ml +++ b/builder/sigchecker.ml 
@@ -24,78 +24,6 @@ open Unix let quote = Filename.quote -(* These are the public key and fingerprint belonging to - * Richard W.M. Jones who signs the templates on - * http://libguestfs.org/download/builder. - *) -let default_fingerprint = "F777 4FB1 AD07 4A7E 8C87 67EA 9173 8F73 E1B7 68A0" -let default_pubkey = "\ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.14 (GNU/Linux) - -mQINBE6UMMEBEADM811hfTulaF4JpkVpAI10FImyb4ArvOiu8NdcUwTFo+cyWno3 -U85B86H1Bsk/LgLTYtthSrTgsCtdxy+i5OaMjxZDIwKQ2+IYI3FCn9T3Mn28Idyh -kLHzrO9ph0Dv0BNfrlDZhQEC53aAFe/QxN7+A49BNBV7D1VAOOCsHjxMEDzcZkCa -oCrtXw1aNm2vkkj5ukbfukHAyLcQL7kow0qKPSVa1G4lfQP0WiG259Ydy+sUmbVb -TGdb6MEC84PQRDuw6/ZeoV04tn7ZNtQEMOS0uiciHOGfr2hBxQf9VIPNrHg42yaL -dOv51D99GuaxZ9E0HSoH/RwB1oXgd6rFdqVNYaBIQnnkwJANUEeGBArtIOZNCADT -Bt8vkSDm+lLEAFS+V8CACyW/LMIrGCvLdHeqtoAv0GDVyR2GPxldYfdtEmCUMWcb -Jlf71V9iAse2gUdoiHp5FfpGMkA5j7idKuxIws11XxRZJXXbBqiBqmVEAQ/v0m6p -kdo0MYTHydmecLuUK2bAGhpysfX97EfTSrxfrYphYWjTfKRD9GrADeZNfuz1DbKs -7LSqVaQJSjQrfgAwcnZLRaU0V4P5zxiz50gz1Aj3AZRL+Y3meZenzZTXcLFdnusg -wUfhhCuL3tluMtEh6tznumyxb43WO1yLwj6J6LtveiuJN1Z+KSQ6OieZcwARAQAB -tCVSaWNoYXJkIFcuTS4gSm9uZXMgPHJpY2hAYW5uZXhpYS5vcmc+iQI4BBMBAgAi -BQJOlDDBAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCRc49z4bdooHQY -D/wJLklSZNyXIW+rG5sUbg7j9cTIF5p/lB9kI2yx6KodJp/2knKyvnmzz0gBw/OE -HL4E4UW26oWKo+36I8wkBnuGa6UtANeITcJqFE19VpHEXHsxre64jNQnO8/w748W -1ROW+Ry43xmrlRWKuCm4oPYUzlp0fq9ATAne8eblfG+NOs8DYuA8xZNQzFaI2kDC -QLD4YoXLoNsP27Koga36b0KwxPFD9tyVZiu9XDH/3hMN7Nb15B66PFr+HcMmQ67G -nUIN5ulcIwj38i40cyaTs1VRheOzTHXE/a6Q2AhMKiKqOoEjQ73/mV7cAVoPtM3o -83Q/8aVKBH0bVRwAeV1tju6b14fqKoG0zNBEcXdlSkht6ScxJYIc/LPUxAMDwgSE -OWshjmeRzKXypBbHn/DP8QVyM2gk5wY+mMSH7MpR0p/hgj+rFO8H9L7pC4dCog3E -qzrYhRN+TaP6MPH3WkOwPH4d4IfQRFnHp+VPYPijKEiLrUl/o8k3DyAanAPBpJ/x -na4wXAjlFBctOq6g+SrCUiHpwk7b2YNwGgr5Vl3GmZELzK/G8gg3uJYKQ9Bpv16t -WWOz+IFiOFa0UULeo0QPmFAIMZiDojNsY1SwBKB3ZL1YWZezgMdQAbpze/IXoSt7 -zxWJoKH2jK7q9mvFiaY12l2YnKuCcegWVAViLxRpBnrbz7QmUmljaGFyZCBXLk0u 
-IEpvbmVzIDxyam9uZXNAcmVkaGF0LmNvbT6JAjgEEwECACIFAk6UOQsCGwMGCwkI -BwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJFzj3Pht2igIUYQAKomI0edLakahsUQ -MxOZuhBbXJ4/VWF8bXYChDNPKvJp5nB7fBXujJ+39cIUM5fe2ViO6qSDpFC29imx -F5pPbAqspZBPBkLLiZLji8R42hGarntdtTW0UWSBpq+nC5+G1psrnATI3uXGNxKQ -R99c5HoMY7dBC2Y8TCGE64NINZ/XVh472s6IGLPn8MTn26YdRKC9BrVkCFMP2OBr -6D4IprnyTAWAzb68ew20QmyWO+NBi9MplaDNQVl8PIOgfpyWlkgX1z9m67pcSDkw -46hksp0yuOD1VwR4iVZ2/CmIsGRUlx41vWD6BIp9KxKyDIU1CYTRhq72dahHsl/8 -BjCndV5PO0GphqfCzmCv4DXjUwmrMTbH/GFnt5rfwcMcXUgcK0vV9vQ2SOU56Zd1 -fb27ZCFJKZc0Fu8krwFldCp/NYILf6ogUL/C1hfuCGSSuyDVY16Gg3dla1x+6zpF -asnWQlaw8xT5LlMWvTZs5WsoSVHu7dVZWlgxINP++hlZrTz/S8l38yyQ15YFFl3W -9M7dzkegOeDTPfx6B89WgfvfJjA/D0/FYxxWPXEtrn9DlJ4daEJqNsrvfLErz9R8 -4IQmfmhR93j+rdotner+6keC/wVByEfbW1wmXtmFKXQ6srdpj8VKRFrvkyXVgepM -DypLgRH2v7lL2kdWhUu2y4EAgrwzuQINBE6UMMEBEADxQxMgUuDrw5GT4tqARTPI -SSdNcUsRxRhVA8srYOyECliE+B3TwcRDFBs+MyPFJVEuX8fi4eGj/AK5t1GHerfk -orUGlz72q4c7LLhkfZrsuJbk2dgkjvldKJnIazQJa6epGLqdsE5RlmSgwedIbtMd -naGJBQH8aKP/Wi1+wUxsm5N3p7+R2WRx48VfpEhYB+Zf/FkFm1Ycjwh57KQ0+OHw -ykf8VfMisxuH30tDxOCV+VptWKfOF2rDNdaNPWhij2YIjhJXRpkuRR+1PpI4jLaD -JxcVZmG/0zucacupUN2g5OUH59ySU/totD6YMnmp3FONoyF1uIEJo6Vs30npHGkO -XgBo3Pxt7oLJeykLPtdSLgm3cwXIYMWarVsAkKNXitQIVGpVRLeaK373VwmXFqoi -M2SMHeawTUdOORFjpQzkknlJWM1TmUVtHHKt8Pl9+/5+wXKyt2IDdcUkMrB6K5qF -fb7EwVhoI8ehJQK+eeDCjFwCAiwB3iV8JlyW+tEU7JuyXOQlwY1VWm/WqMD8gaRi -rT+RFDFliZ3tQbW2pqUoZBROV5HN4tieDfwxGKCvk6Tsdb30zA9DPQp93+238bYf -312sg9R+CD0AqxoxFG5FJu4HShcPRrPnYtRZqKRe40GDWvBEArXZprwL1qrP+Kl/ -mRrEQpxAGIoFG8HbVvD3EQARAQABiQIfBBgBAgAJBQJOlDDBAhsMAAoJEJFzj3Ph -t2igSLQP/2uIrAY2CDr0kWBJiD3TztiHy8IdxwUpyTBTebwmAbi44/EvtJfIisrG -YjKIEv/w0E61gO7O1JBG4+IG93W+v9fTT/e39JMyxsYqoZZHUhP11Okx5grDS5b0 -O8VXOmXVRMdVNfstRBr10HD9uNDq7ruKD18TxYTwN0GPD4gj1dbHQDR77Tr5cyBs -6Ou5PBOH4r3qcqf/cJUSMeUUu75xLwixux6E7tD2S+t6F07wlWxntUcPtzyAHj20 -J89orUC+dT6r6MypBoI0jdJCp9JPGtR7i+fE5Gm4E5+AUSubLPtZGRY9Um2eMoS2 -DnQpGOKx1VvsixR/Kw44j2tRAvmYMS4iDKcuZU+nZ+xokAgObILj/b9n/Qe2/fXy 
-CFdcgSvbm+dV1fZxsdMF/P9OU8aqdT9A9Fv5y+cDMEg4DVnhwMJTxGh/TCkw/H+A -frHEtRc98lSQN5odpITNG17mG6JOdHM+wA57qHH0uy4+5RsbyAJahcdBcmObK/RF -i4WZlThpbHftX5O/LH98aYQ2fJayIxv1EAjzOBOQ0MfBHI0KCJR1pysEisX28sJA -Ic73gnJJ3BLZbqfBRgxjNMNroxC+5Tw6uPGFHa3YnuIAxxw0HcDVZ9vnTWBWFPGw -ZvXkQ3FVJwZoLmHw47vvlVpLD/4gi1SuHWieRvZ+UdDq00E348pm -=neBW ------END PGP PUBLIC KEY BLOCK----- -" - type gpgkey_type | No_Key | Fingerprint of string @@ -162,13 +90,6 @@ let rec create ~debug ~gpg ~gpgkey ~check_signature | _ -> () ) status; !fingerprint - | Fingerprint fp when equal_fingerprints default_fingerprint fp -> - let filename, chan = Filename.open_temp_file "vbpubkey" ".asc" in - unlink_on_exit filename; - output_string chan default_pubkey; - close_out chan; - ignore (import_keyfile gpg tmpdir debug filename); - fp | Fingerprint fp -> let filename = Filename.temp_file "vbpubkey" ".asc" in unlink_on_exit filename; diff --git a/builder/sigchecker.mli b/builder/sigchecker.mli index ab44a5c..8c6ba7f 100644 --- a/builder/sigchecker.mli +++ b/builder/sigchecker.mli @@ -16,8 +16,6 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. *) -val default_fingerprint : string - type t type gpgkey_type -- 1.8.3.1
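Review bot: in the `create` hunk of builder/sigchecker.ml, dropping the `Fingerprint fp when equal_fingerprints default_fingerprint fp` arm means a fingerprint equal to the old built-in value now takes the generic `Fingerprint fp` arm, so the embedded key is no longer imported for anyone still passing that value with --fingerprint. Please state that behaviour change in the commit message, and check whether `equal_fingerprints` still has a caller after this patch; if not, remove it here too. The sigchecker.mli hunk removes `val default_fingerprint`, so any other module that referenced it has to be updated in this same commit to keep every step of the series buildable.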
Update the documentation according to the new .conf files structure, the drop of VIRT_BUILDER_SOURCE and VIRT_BUILDER_FINGERPRINT, the drop of hardcoded source and its key, etc. --- builder/virt-builder.pod | 154 +++++++++++++++++++++++------------------------ 1 file changed, 75 insertions(+), 79 deletions(-) diff --git a/builder/virt-builder.pod b/builder/virt-builder.pod index b25dffd..32c0961 100644 --- a/builder/virt-builder.pod +++ b/builder/virt-builder.pod @@ -292,12 +292,6 @@ URLs, then you can have either no fingerprint, one fingerprint or multiple fingerprints. If you have multiple, then each must correspond 1-1 with a source URL. -The default fingerprint (if none are supplied) is -S<F777 4FB1 AD07 4A7E 8C87 67EA 9173 8F73 E1B7 68A0> -(which is S<Richard W.M. Jones's> key). - -You can also set the C<VIRT_BUILDER_FINGERPRINT> environment variable. - =item B<--firstboot> SCRIPT =item B<--firstboot-command> 'CMD ARGS ...' @@ -420,7 +414,7 @@ keys are no more present). I<--long> is a shorthand for the C<long> format. -See also: I<--source>, I<--notes>, L</CREATING YOUR OWN TEMPLATES>. +See also: I<--source>, I<--notes>, L</SOURCES OF TEMPLATES>. =item B<--no-logfile> @@ -635,12 +629,8 @@ Enable N E<ge> 2 virtual CPUs for I<--run> scripts to use. Set the source URL to look for indexes. You can give this option multiple times to specify multiple sources. -If not specified it defaults to -L<http://libguestfs.org/download/builder/index.asc> -See also L</CREATING YOUR OWN TEMPLATES> below. - -You can also set the C<VIRT_BUILDER_SOURCE> environment variable. +See also L</SOURCES OF TEMPLATES> below. Note that you should not point I<--source> to sources that you don't trust (unless the source is signed by someone you do trust). See also 
@@ -1203,7 +1193,53 @@ serial console, add the following on the kernel command line: =back -=head2 CREATING YOUR OWN TEMPLATES +=head2 SOURCES OF TEMPLATES + +virt-builder reads the available sources from configuration files, +with the I<.conf> extension and located in the following paths: + +=over 4 + +=item * + +$XDG_CONFIG_HOME/virt-builder/repos.d/ (C<$XDG_CONFIG_HOME> is +C<$HOME/.config> if not set). + +=item * + +$XDG_CONFIG_DIRS/virt-builder/repos.d/ (where C<$XDG_CONFIG_DIRS> +means any of the directories in that environment variable, or just C</etc/xdg> +if not set) + +=back + +Each I<.conf> file in those paths has a simple text format like the +following: + + [libguestfs.org] + uri=http://libguestfs.org/download/builder/index.asc + gpgkey=file:///etc/xdg/virt-builder/repos.d/libguestfs.gpg + +The part in square brackets is the repository identifier, which is +used as unique identifier. + +The following fields can appear: + +=over 4 + +=item C<uri=URI> + +The URI of the index file which this repository refers to. + +This field is required. + +=item C<gpgkey=URI> + +This optional field represents the URI (although only I<file://> URIs +are accepted) of the key used to sign the index file. +If not present, the index file referred by I<uri=..> is not signed. + +=back For serious virt-builder use, you may want to create your own repository of templates. 
@@ -1223,16 +1259,17 @@ libguestfs source tree, in C<builder/website>. =head3 Setting up the repository You can set up your own site containing an index file and some -templates, and then point virt-builder at the site by using the -I<--source> option: +templates, and then point virt-builder at the site by creating a +I<.conf> file pointing to it. + +Note that if your index is signed, you will need to properly fill +I<gpgkey=..> in your I<.conf> file, making sure to deploy also the +GPG key file. virt-builder --source https://example.com/builder/index.asc \ --fingerprint 'AAAA BBBB ...' \ --list -(Note setting the environment variables C<VIRT_BUILDER_SOURCE> and -C<VIRT_BUILDER_FINGERPRINT> may be easier to type!) - You can host this on any web or FTP server, or a local or network filesystem. @@ -1246,18 +1283,10 @@ I<--no-check-signature> flag every time they use virt-builder.) To create a key, see the GPG manual L<http://www.gnupg.org/gph/en/manual.html>. -Export your GPG public key and add it to the keyring of all -virt-builder users: +Export your GPG public key: gpg --export -a "you@example.com" > pubkey - # For each virt-builder user: - gpg --import pubkey - -Also find the fingerprint of your key: - - gpg --list-keys --fingerprint - =head3 Create the templates There are many ways to create the templates. For example you could @@ -1305,7 +1334,7 @@ using the following command: gpg --clearsign --armor index This will create the final file called C<index.asc> which can be -uploaded to the server (and is the I<--source> URL). As noted above, +uploaded to the server (and is the I<uri=..> URL). As noted above, signing the index file is optional, but recommended. The following fields can appear: 
@@ -1449,51 +1478,18 @@ images. =back -=head3 Running virt-builder against the alternate repository - -Ensure each virt-builder user has imported your public key into -their gpg keyring (see above). - -Each virt-builder user should export these environment variables: - -=over 4 - -=item * - -C<VIRT_BUILDER_SOURCE> to point to the URL of the C<index.asc> file. - -=item * - -C<VIRT_BUILDER_FINGERPRINT> to contain the fingerprint (long hex -string) of the user who signed the index file and the templates. - -=back - -Now run virt-builder commands as normal, eg: - - virt-builder --list --long - - virt-builder os-version - -To debug problems, add the C<-v> option to these commands. - =head3 Running virt-builder against multiple sources -It is possible to use multiple sources with virt-builder. Use either -multiple I<--source> and/or I<--fingerprint> options, or a -comma-separated list in the C<VIRT_BUILDER_SOURCE> / -C<VIRT_BUILDER_FINGERPRINT> environment variables: +It is possible to use multiple sources with virt-builder. +The recommended way is to deploy I<.conf> files pointing to the +index files. Another way is to specify the sources using +multiple I<--source> and/or I<--fingerprint> options: virt-builder \ --source http://example.com/s1/index.asc \ --source http://example.com/s2/index.asc -or equivalently: - - export VIRT_BUILDER_SOURCE=http://example.com/s1/index.asc,http://example.com/s2/index.asc - virt-builder [...] - -You can provide N, 1 or 0 fingerprints. In the case where you +You can provide N or 1 fingerprints. In the case where you provide N fingerprints, N = number of sources and there is a 1-1 correspondence between each source and each fingerprint: 
@@ -1504,8 +1500,7 @@ correspondence between each source and each fingerprint: In the case where you provide 1 fingerprint, the same fingerprint is used for all sources. -In the case where you provide no fingerprints, the default fingerprint -built into virt-builder is used for all sources. +You C<must> provide at least 1 fingerprint. =head3 Licensing of templates @@ -1618,8 +1613,8 @@ The source points to an index file, which is optionally signed. Virt-builder downloads the index and checks that the signature is valid and the signer's fingerprint matches the specified fingerprint -(ie. I<--fingerprint>, C<VIRT_BUILDER_FINGERPRINT>, or a built-in -fingerprint, in that order). +(ie. the one specified in I<gpgkey=..> in the I<.conf>, or with +I<--fingerprint>, in that order). For checking against the built-in public key/fingerprint, this requires importing the public key into the user's local gpg keyring @@ -1800,21 +1795,22 @@ are actually interpreted by L<curl(1)>, not virt-builder. =item C<HOME> -Used to determine the location of the template cache. See L</CACHING>. +Used to determine the location of the template cache, and the location +of the user' sources. See L</CACHING> and L</SOURCES OF TEMPLATES>. -=item C<VIRT_BUILDER_FINGERPRINT> +=item C<XDG_CACHE_HOME> -Set the default value for the GPG signature fingerprint or -comma-separated list of fingerprints (see I<--fingerprint> option). +Used to determine the location of the template cache. See L</CACHING>. -=item C<VIRT_BUILDER_SOURCE> +=item C<XDG_CONFIG_HOME> -Set the default value for the source URL (or comma-separated list of -URLs) for the template repository (see I<--source> option). +Used to determine the location of the user' sources. See +L</SOURCES OF TEMPLATES>. -=item C<XDG_CACHE_HOME> +=item C<XDG_CONFIG_DIRS> -Used to determine the location of the template cache. See L</CACHING>. +Used to determine the location of the system sources. See +L</SOURCES OF TEMPLATES>. =back -- 1.8.3.1
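Review bot: the added line `You C<must> provide at least 1 fingerprint.` in the multiple-sources hunk contradicts the unchanged context of the first hunk, which still reads "you can have either no fingerprint, one fingerprint or multiple fingerprints"; update the I<--fingerprint> text as well, and use B<must> for emphasis, since C<> marks code. Two more leftovers from the removed defaults: the hunk at -1618 keeps "For checking against the built-in public key/fingerprint" although no built-in key remains after this series, and in "Setting up the repository" the lead-in now says to create a I<.conf> file while the example that follows is still the `virt-builder --source ... --fingerprint` command.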
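Review bot: in the new SOURCES OF TEMPLATES section, "If not present, the index file referred by I<uri=..> is not signed" understates the effect; say explicitly that a source without `gpgkey=` is used with no signature check, because a reader who copies the sample stanza with its http:// uri and drops the gpgkey line gets no integrity protection at all. The section should also say which path wins when the same repository identifier appears in more than one directory, given that the identifier is described as unique. Typos: "the user' sources" (twice, in the ENVIRONMENT hunk) should be "the user's sources", and "referred by" should be "referred to by".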
Richard W.M. Jones
2014-Feb-27 10:07 UTC
Re: [Libguestfs] [PATCH 1/8] builder: allow "no key" as key in Sigchecker
On Tue, Feb 25, 2014 at 05:29:06PM +0100, Pino Toscano wrote:
> + (* Make sure we have no check_signature=true with no actual key. *) > + let check_signature, gpgkey > + match check_signature, gpgkey with > + | true, No_Key -> false, No_Key > + | x, y -> x, y in

Minor stylistic point: You can write the second case as:

  | x -> x in

It's also fractionally faster (not in this case, but if this was in an inner loop) because it means the compiler doesn't have to cons a new cell, it just returns the old one.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
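Review bot: the `| true, No_Key -> false, No_Key` arm silently turns signature checking off when the caller asked for it but no key is configured, so a source that loses its key degrades to unverified with no visible sign. Emit a warning, or at least a debug message, when this arm is taken so the downgrade shows up in the output.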
Richard W.M. Jones
2014-Feb-27 10:10 UTC
Re: [Libguestfs] [PATCH 5/8] builder: switch sources to .conf files
On Tue, Feb 25, 2014 at 05:29:10PM +0100, Pino Toscano wrote:
> Introduce and use simple .conf files to configure the sources of indexes
> for virt-builder. The location of these files is in XDG_CONFIG_DIRS /
> XDG_CONFIG_HOME, so it can be easily overridden.
>
> There are three .conf(.in) files shipped with this commit:
> - "test-index.conf.in" (in "test-config"), which points to the
> "test-index" index (used in tests only); the tests are adapted to
> point to the hierarchy containing this .conf
> - "libguestfs.conf.in" (in "test-website"), which points to the local
> "index.asc" (i.e. the offline copy of the libguestfs.org index);
> run(.in) will point to the hierarchy providing this .conf
> - "libguestfs.conf.in" (directly among the other sources), which points
> to the online "index.asc" and it is installed in sysconfdir, along
> with the key of this repository
>
> The tests are adapted, other than to the different way to pick sources,
> to the different output of --list, as "test-index" is not signed.

This is missing changes to EXTRA_DIST. You can automatically find out what additions to EXTRA_DIST are needed by doing:

  make && make dist && make maintainer-check-extra-dist

Note that some files are known to be missing from EXTRA_DIST already -- that is an existing bug.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
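An audit sketch for the .conf source files this series introduces, added here as an example and not code from the patch series or from libguestfs. It assumes Python's configparser is an acceptable stand-in for virt-builder's own parser; the finding labels and every sample stanza except the first are constructed.

```python
import configparser
import os
from urllib.parse import urlparse

# Constructed sample: the first stanza is the one shown in the documentation
# patch, the other three are made up to trigger each finding.
SAMPLE = """\
[libguestfs.org]
uri=http://libguestfs.org/download/builder/index.asc
gpgkey=file:///etc/xdg/virt-builder/repos.d/libguestfs.gpg
[lab-unsigned]
uri=http://builder.example.com/index.asc
[remote-key]
uri=https://builder.example.com/index.asc
gpgkey=https://builder.example.com/key.asc
[no-uri]
gpgkey=file:///etc/xdg/virt-builder/repos.d/other.gpg
"""

def repo_dirs(env):
    """repos.d directories in documented order; an empty variable counts as unset."""
    home = env.get("XDG_CONFIG_HOME") or os.path.join(env.get("HOME", ""), ".config")
    system = env.get("XDG_CONFIG_DIRS") or "/etc/xdg"
    roots = [home] + [d for d in system.split(":") if d]
    return [os.path.join(r, "virt-builder", "repos.d") for r in roots]

def audit_conf(text, name="<inline>"):
    """Return (repository id, finding) pairs for the contents of one .conf file."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text, source=name)
    findings = []
    for repo in cp.sections():
        uri = cp.get(repo, "uri", fallback="")
        key = cp.get(repo, "gpgkey", fallback="")
        if not uri:
            findings.append((repo, "missing-uri"))      # uri= is required
        elif not key:
            findings.append((repo, "unsigned"))         # no gpgkey=: no signature check
            if urlparse(uri).scheme in ("http", "ftp"):
                findings.append((repo, "unsigned-cleartext"))
        elif urlparse(key).scheme != "file":
            findings.append((repo, "gpgkey-not-file"))  # only file:// is accepted
    return findings

def audit_tree(env=os.environ):
    """Audit every *.conf file found in the search directories on this host."""
    out = []
    for d in filter(os.path.isdir, repo_dirs(env)):
        for fn in sorted(f for f in os.listdir(d) if f.endswith(".conf")):
            with open(os.path.join(d, fn)) as fh:
                out += audit_conf(fh.read(), fn)
    return out

if __name__ == "__main__":
    for repo, finding in audit_conf(SAMPLE) + audit_tree():
        print(f"{repo}: {finding}")
```

The signed libguestfs.org stanza produces no finding even though its index travels over http, because the signature check covers it; the unsigned http source is the case to look for on a real host.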
Richard W.M. Jones
2014-Feb-27 10:12 UTC
Re: [Libguestfs] [PATCH 8/8] builder: update documentation
I pushed this series upstream.

Thanks,

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Fedora Windows cross-compiler. Compile Windows programs, test, and build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
Richard W.M. Jones
2014-Mar-02 12:43 UTC
Re: [Libguestfs] [PATCH 3/8] builder: add functions to read XDG_CONFIG_DIRS and XDG_CONFIG_PATH
On Tue, Feb 25, 2014 at 05:29:08PM +0100, Pino Toscano wrote:
> +let xdg_config_dirs ~prog > + let dirs > + try Sys.getenv "XDG_CONFIG_DIRS" > + with Not_found -> "/etc/xdg" in

This seems to put the virt-builder config files into /etc/xdg/virt-builder which is kind of annoying. Can we move them to a regular default location (/etc/virt-builder)? I have patched this in the Fedora package for now.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
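Review bot: the quoted `xdg_config_dirs` lines fall back to "/etc/xdg" only on `Not_found`, so as far as these lines show an XDG_CONFIG_DIRS that is set but empty yields no system directory; the XDG Base Directory specification treats an empty value the same as unset, so handle `""` in the same branch. Since these directories now decide which sources and key files virt-builder trusts, the documentation should also say that the variable is taken as-is from the caller's environment.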