#730 keygen fixes (mostly to speed up gen_key task)
Merged 4 years ago by praiskup. Opened 4 years ago by praiskup.
Unknown source keygen-fixes-2019-05-03  into  master

file modified
+1 -1
@@ -73,7 +73,7 @@

          stdout, stderr = handle.communicate()

      except Exception as e:

          err = CoprSignError(

-             msg="Failed to  invoke sign {} by user {} with error {}"

+             msg="Failed to invoke sign {} by user {} with error {}"

              .format(path, email, e, cmd=None, stdout=None, stderr=None))

  

          raise err

@@ -0,0 +1,5 @@

+ #! /bin/sh

+ 

+ # Do a periodic trustdb maintenance.  Use --batch, so the maintenance is done

+ # only when needed.

+ runuser -u copr-signer -- /usr/bin/gpg-copr --check-trustdb --batch

@@ -1,3 +1,3 @@

  allow: 127.16.5.5

  phrases: /var/lib/copr-keygen/phrases

- gpg: /bin/gpg_copr

+ gpg: /usr/bin/gpg_copr.sh

file modified
+8
@@ -27,6 +27,7 @@

  BuildRequires: python3-pytest

  BuildRequires: python3-pytest-cov

  

+ Requires:   crontabs

  Requires:   haveged

  Requires:   gnupg2

  Requires:   python3-mod_wsgi
@@ -101,8 +102,10 @@

  install -d -m 500 %{buildroot}%{_sharedstatedir}/copr-keygen/gnupg

  install -d %{buildroot}%{_localstatedir}/log/copr-keygen

  install -d %{buildroot}%{_sysconfdir}/logrotate.d/

+ install -d %{buildroot}%{_sysconfdir}/cron.daily

  

  %{__install} -p -m 0755 run/gpg_copr.sh %{buildroot}/%{_bindir}/gpg_copr.sh

+ %{__install} -p -m 0755 run/gpg-copr %{buildroot}/%{_bindir}/

  

  %{__install} -p -m 0755 run/application.py %{buildroot}%{_datadir}/copr-keygen/

  %{__install} -p -m 0644 configs/httpd/copr-keygen.conf.example %{buildroot}%{_pkgdocdir}/httpd/
@@ -110,6 +113,8 @@

  

  %{__install} -p -m 0644 configs/sign/sign.conf.example %{buildroot}%{_pkgdocdir}/sign/sign.conf.example

  

+ %{__install} -p -m 0755 configs/cron.daily %{buildroot}%{_sysconfdir}/cron.daily/copr-keygen

+ 

  cp -a configs/sudoers/copr_signer %{buildroot}%{_sysconfdir}/sudoers.d/copr_signer

  

  cp -a docs/_build/html %{buildroot}%{_pkgdocdir}/
@@ -143,6 +148,7 @@

  %{python3_sitelib}/*

  

  %{_bindir}/gpg_copr.sh

+ %{_bindir}/gpg-copr

  %config(noreplace)  %{_sysconfdir}/sudoers.d/copr_signer

  

  %defattr(600, copr-signer, copr-signer, 700)
@@ -151,6 +157,8 @@

  

  %{_sysconfdir}/logrotate.d/copr-keygen

  

+ %config %attr(0755, root, root) %{_sysconfdir}/cron.daily/*

+ 

  %dir %{_localstatedir}/log/copr-keygen

  %ghost %{_localstatedir}/log/copr-keygen/main.log
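Review bot: The `%files` entry `%config %attr(0755, root, root) %{_sysconfdir}/cron.daily/*` claims by glob whatever the build placed in cron.daily, while `%install` puts exactly one file there. Naming it, as in `%config %attr(0755, root, root) %{_sysconfdir}/cron.daily/copr-keygen`, keeps the package from silently owning an unexpected root-run script if another file lands in that directory later. Plain `%config` also means a locally edited copy is replaced on upgrade, with the edit kept as `.rpmsave`. If admins are expected to tune the job, `%config(noreplace)` as already used for the sudoers file would match; otherwise dropping `%config` states the intent more clearly.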

  

file added
+13
@@ -0,0 +1,13 @@

+ #! /usr/bin/python3

+ 

+ import sys

+ import os

+ import getpass

+ from copr_keygen.gpg import gpg_cmd

+ 

+ if getpass.getuser() != 'copr-signer':

+     sys.stderr.write("run as 'copr-signer' user\n")

+     sys.exit(1)

+ 

+ cmd = gpg_cmd + sys.argv[1:]

+ os.execve(cmd[0], cmd, os.environ)
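Review bot: The account check on the `getpass.getuser()` line can be satisfied by the environment rather than by the process identity, because `getpass.getuser()` returns the first non-empty value of `LOGNAME`, `USER`, `LNAME` or `USERNAME` before it consults the password database. If the check is meant to keep gpg from touching the signing keyring under the wrong account, base it on the effective UID: add `import pwd` and test `if pwd.getpwuid(os.geteuid()).pw_name != 'copr-signer':`. The script also hands `os.environ` unchanged to `os.execve`, so a short comment stating which variables gpg is expected to inherit (or that none are relied on) would help the next reader.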

file modified
+2 -2
@@ -1,3 +1,3 @@

- #!/bin/bash

+ #! /bin/sh

  

- runuser -u copr-signer  /usr/bin/gpg2 -- --homedir /var/lib/copr-keygen/gnupg --no-auto-check-trustdb  $@

+ exec runuser -u copr-signer -- /usr/bin/gpg-copr "$@"

@@ -2,6 +2,7 @@

  

  PHRASES_DIR = "/var/lib/copr-keygen/phrases/"

  GPG_BINARY = "/bin/gpg2"

+ # TODO: rename to GPG_HOMEDIR

  GNUPG_HOMEDIR = "/var/lib/copr-keygen/gnupg"

  

  GPG_KEY_LENGTH = 2048

@@ -0,0 +1,7 @@

+ from copr_keygen import app

+ 

+ gpg_cmd = [

+     app.config['GPG_BINARY'],

+     '--homedir', app.config['GNUPG_HOMEDIR'],

+     '--no-auto-check-trustdb'

+ ]
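Review bot: Nothing in this new module says why `--no-auto-check-trustdb` is now part of every gpg invocation, and as far as this page shows the flag leaves the cron.daily job added in the same pull request as the only place the trustdb gets checked. A module docstring plus a comment on the flag would record that dependency, e.g. `# trustdb maintenance is done by the cron.daily/copr-keygen job, not on every call`. `gpg_cmd` is also built once at import time from `app.config` and shared as a mutable list. The callers shown only use `gpg_cmd + [...]`, which copies, but a one-line note that it must not be modified in place would keep it that way.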

@@ -7,6 +7,7 @@

  import sys

  

  from .exceptions import GpgErrorException, KeygenServiceBaseException

+ from .gpg import gpg_cmd

  

  log = logging.getLogger(__name__)

  
@@ -43,9 +44,7 @@

      :raises: GpgErrorException

  

      """

-     cmd = [app.config["GPG_BINARY"],

-            "--homedir", app.config["GNUPG_HOMEDIR"],

-            "--list-secret-keys", "--with-colons", "<{0}>".format(mail)]

+     cmd = gpg_cmd + ["--list-secret-keys", "--with-colons", "<{0}>".format(mail)]

  

      try:

          handle = Popen(cmd, stdout=PIPE, stderr=PIPE)
@@ -56,7 +55,7 @@

                                  cmd=" ".join(cmd), err=e)

  

      if handle.returncode == 0:

-         # TODO: validate that we really got exactly one line in stdout

+         # TODO: validate that the key is ultimately trusted

          log.debug("user {} has keys in keyring".format(mail))

          ensure_passphrase_exist(app, mail)

          return True
@@ -120,11 +119,7 @@

          raise GpgErrorException(msg="Failed to write tmp file for gen_key",

                                  err=e)

  

-     cmd = [

-         app.config["GPG_BINARY"], "--batch",

-         "--homedir", app.config["GNUPG_HOMEDIR"],

-         "--gen-key", out.name

-     ]

+     cmd = gpg_cmd + ["--batch", "--gen-key", out.name]

  

      log.debug("CMD: {}".format(' '.join(map(str, cmd))))

      try:

no initial comment

5 new commits added

  • [keygen] add daily cron job to do trustdb maintenance
  • [keygen] fix TODO comment
  • [keygen] shell fix s/$@/"$@"/
  • [backend] typofix, drop doubled space
  • [keygen] use --no-auto-check-trustdb
4 years ago

I guess this should be " ... -u copr-signer -- /usr/bin/gpg2 ..."

Probably, yes.... I copied and pasted it from gpg_copr.sh. Both versions seem to work, but I'll fix it.

Imho not necessary to implement it in python. We just can have something like --homedir $(our_script --get-config home-dir)

Right, both are possible. Ignore me.

1 new commit added

  • [keygen] define gpg2 arguments on one place
4 years ago

OK, I added one more commit making a rather wider change, so we don't have to think about specifying the gpg configuration in multiple places.

There's copr_keygen.gpg module, which is used by /usr/bin/gpg-copr and by keygen internals.
Administrators may use gpg-copr instead of gpg2, and for signd there's gpg-signd wrapper.

6 new commits added

  • [keygen] define gpg2 arguments on one place
  • [keygen] add daily cron job to do trustdb maintenance
  • [keygen] fix TODO comment
  • [keygen] shell fix s/$@/"$@"/
  • [backend] typofix, drop doubled space
  • [keygen] use --no-auto-check-trustdb
4 years ago

rebased onto bf26fa520dc2f863544f745b57d025eb274694cb

4 years ago

6 new commits added

  • [keygen] define gpg2 arguments on one place
  • [keygen] add daily cron job to do trustdb maintenance
  • [keygen] fix TODO comment
  • [keygen] shell fix s/$@/"$@"/
  • [backend] typofix, drop doubled space
  • [keygen] use --no-auto-check-trustdb
4 years ago

Should be ready (i made it compatible with previous version, so we don't have to update configuration).

rebased onto 8c488b3

4 years ago

Thanks for the review!

Pull-Request has been merged by praiskup

4 years ago