heroes / salt

Clone
Source Code
GIT

Files

adjust-ci-pipeline anikitin/mirrorcache anikitin/t_allow_jinja_in_secrets anikitin/web_mirrors__proxy_mirrorcache bootloader cboltz-borgbackup cboltz-relnotes-15.3 cboltz-scar-sshd doc-o-o gateway hellcp/matrix-synapse-workers-syntax hellcp/paste-sync ifconfig infra libvirt lrupp-production-patch-08358 lrupp/add_identification lrupp/remove_login_interface lrupp/retire lrupp/serve_www mailman micro monitoring-restart paste-socket postfix-aliases production repositories set-secret-detection-config-1 sysctl update-access-crtmgr
  1.   production
  2.   salt
  3.   profile
  4.   fetch-image.sls
Blob Blame History Raw 
{#- version needs to match the build target in OBS _and_ the Kiwi image file name #}
{%- set version = '15.5' %}

{%- set topdir = salt['pillar.get']('infrastructure:kvm_topdir', '/kvm') %}
{%- set imagetype = salt['pillar.get']('infrastructure:image_type') %}

{#- there is a gpg module, but we don't want to install python-gnupg just for two states #}

infrastructure_repository_key:
  cmd.run:
    - name: gpg --import < <(curl -sS http://download.infra.opensuse.org/repositories/openSUSE%3A/infrastructure/{{ version }}/repodata/repomd.xml.key)
    - shell: /bin/bash
    - unless:
        - gpg --list-key 034EB7A6E7506D45DE9CCEC68E01781420F13AAC
        - '! gpg --list-key 034EB7A6E7506D45DE9CCEC68E01781420F13AAC | grep expired'

{%- if imagetype %}
{%- set suffix = {'qcow2': 'qcow.qcow2', 'raw': 'raw.raw.xz'} %}
{%- set image_directory = topdir ~ '/os-images/' %}

{%- set file = 'admin-openSUSE-Leap-' ~ version ~ '.x86_64-' ~ suffix[imagetype] %}
{%- set image_source_leap = 'http://download.infra.opensuse.org/repositories/openSUSE%3A/infrastructure%3A/Images%3A/' ~ version ~ '/images/' ~ file %}
{%- set image_destination_leap = image_directory ~ file %}

hypervisor_image_checksum_download:
  file.managed:
    - name: {{ image_destination_leap }}.sha256
    - source: {{ image_source_leap }}.sha256
    - keep_source: False
    - skip_verify: True
    - use_etag: True

hypervisor_image_checksum_signature_download:
  file.managed:
    - name: {{ image_destination_leap }}.sha256.asc
    - source: {{ image_source_leap }}.sha256.asc
    - keep_source: False
    - skip_verify: True

hypervisor_image_checksum_verify:
  cmd.run:
    - name: gpg --verify {{ image_destination_leap }}.sha256.asc
    - require:
        - cmd: infrastructure_repository_key
    - onchanges:
        - cmd: infrastructure_repository_key
        - file: hypervisor_image_checksum_download
        - file: hypervisor_image_checksum_signature_download

hypervisor_image_download:
  file.managed:
    - name: {{ image_destination_leap }}
    - source: {{ image_source_leap }}
    {#- test fails if target file does not yet exist, hence test with remote file but then apply with the PGP verified local one #}
    {%- if opts['test'] %}
    - source_hash: {{ image_source_leap }}.sha256
    {%- else %}
    - source_hash: file://{{ image_destination_leap }}.sha256
    {%- endif %}
    - require:
        - file: hypervisor_image_checksum_download
        - file: hypervisor_image_checksum_signature_download
        - cmd: hypervisor_image_checksum_verify

hypervisor_image_install:
  cmd.run:
    - name: |
        pushd {{ image_directory }} >/dev/null &&
        sha256sum -c {{ image_destination_leap }}.sha256 &&
        popd >/dev/null {%- if imagetype == 'raw' -%} &&
        unxz -fk {{ image_destination_leap }}
        {%- endif %}
    {%- if salt['file.file_exists'](image_destination_leap.rstrip('.xz')) %}
    - onchanges:
        - file: hypervisor_image_download
    {%- endif %}
    - require:
        - file: hypervisor_image_checksum_download
        - file: hypervisor_image_checksum_signature_download
        - cmd: hypervisor_image_checksum_verify
{%- endif %}
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.