(maint) Fix duplicate solaris ca cert #207
Conversation
The DigiCert root CA G4 cert is named `DigiCert_Trusted_Root_G4.pem` on a fully patched Solaris 11.4 system. This resolves a duplicate certificate error after restarting ca-certificates.
yachub
force-pushed
the
maint/fix_duplicate_solaris_cert
branch
from
f1e418f
to
0fe5624
Compare
yachub
force-pushed
the
maint/fix_duplicate_solaris_cert
branch
from
0fe5624
to
0e67b5d
Compare
|
Same change made at puppetlabs/beaker-puppet#202 as well. |
|
LGTM assuming it all tests out okay. Could you add @puppetlabs/skeletor and @puppetlabs/nimbus as owners too? |
| @@ -1396,10 +1396,10 @@ def solaris_key_chain_fix | |||
| EOM | |||
| hosts.each do |host| | |||
| if host.platform=~ /solaris-11(\.2)?-(i386|sparc)/ | |||
There was a problem hiding this comment.
Do we need x86_64 in here, or is solaris11-64f somehow i386?
There was a problem hiding this comment.
Can probably remove the (\.2)?
There was a problem hiding this comment.
Totally ignorant here, Is i386 A reference vanagon? Like https://github.com/puppetlabs/vanagon/blob/80851591ef40c14b439d4a63a91f68d2d0526790/lib/vanagon/platform/defaults/solaris-11-i386.rb actually points to x86_64?
Ya I was on the fence about removing the (.2) since we hadn't actually destroyed the old pools yet.
There was a problem hiding this comment.
I don't remember why, but we use solaris-11-i386 as the name of the vanagon platform to build on: https://github.com/puppetlabs/puppet-agent/blob/main/configs/platforms/solaris-11-i386.rb
And that is reflected in the beaker-hostgenerator data:
$ bx beaker-hostgenerator solaris11-64a
---
HOSTS:
solaris11-64-1:
platform: solaris-11-i386
template: solaris-11-x86_64
hypervisor: vmpooler
roles:
- agent
I assume this step is trying to match 11 or 11.2 but not 11.4. Presumably the cert doesn't need updating on that platform?
There was a problem hiding this comment.
This is an example of why I'm not a big fan of making the solaris-11-x86_64 pool actually be 11.4. There are probably lots of crusty assumptions built up that solaris-11-x86_64 is < 11.4
There was a problem hiding this comment.
I guess I figured it was a good time to rip the bandaid off since 11.4 is the final release and 11.1 and 11.2 aren't supported anymore. Plus then it will match the solaris-11-sparc pool not having specific point releases (and matches the majority of other pools).
There was a problem hiding this comment.
Well, it looks like solaris11-64 has solaris-11-i386 underneath, but the vmpooler platform is solaris-11-x86_64. Weird.
Since we're interested in platform, looks like i386 is still fine.
There was a problem hiding this comment.
I would really like to get this if possible though so that nightly tests get fixed.
There was a problem hiding this comment.
Either way this change is backwards compatible, so it will still work if we have to revert the pools for some reason, but I'll release it as 2.11.24
|
Added a comment |
@nmburgan Sure, do you think there's any reason to break out specific directories? Like just "*" for all 3 teams? Or add those two teams to the existing specific paths? |
|
Probably not, I think you can give it all to us and RE |
yachub
force-pushed
the
maint/fix_duplicate_solaris_cert
branch
from
0e67b5d
to
51429d9
Compare
What's this PR do?
The DigiCert root CA G4 cert is named
DigiCert_Trusted_Root_G4.pemon a fully patched Solaris 11.4 system. This resolves a duplicate certificate error after restarting ca-certificates.Should any of this be tested outside the normal PR CI cycle?
Tested on jenkins staging instance.
Any background context you want to provide?
Solaris 11 test targets recently updated to fully patched 11.4 install
Questions for reviewers?
Prefer keeping this method to support older Solaris installs, or remove completely?