This repository has been archived by the owner on Oct 24, 2023. It is now read-only.
fix: automatically get updated apt keys via CSE #2022
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -225,6 +225,21 @@ apt_get_dist_upgrade() { | |
| echo Executed apt-get dist-upgrade $i times | ||
| wait_for_apt_locks | ||
| } | ||
| apt_fix_keys() { | ||
| retries=10 | ||
| output=/tmp/apt-fix-keys.out | ||
| for i in $(seq 1 $retries); do | ||
| wait_for_apt_locks | ||
| ! (apt-get update | tee $output | grep NO_PUBKEY) && \ | ||
| cat $output && break || \ | ||
| apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $(apt-get update | grep NO_PUBKEY -m 1 | awk -F "NO_PUBKEY" '{print $2}') | ||
|
There was a problem hiding this comment. @palma21 Can we add There was a problem hiding this comment. if we have a cluster with no egress lock down, I assume it doesn't need apt operation, why we need this whitelist? There was a problem hiding this comment. My understanding is there are apt sources in the whitelist to allow no egress clusters to update themselves (kernel, azsecpack, etc). If not, then AKS Engine is definitely delivering an apt configuration that doesn't make sense in the no egress scenario. |
||
| if [ $i -eq $retries ]; then | ||
| return 1 | ||
| else sleep 1 | ||
| fi | ||
| done | ||
| echo Executed apt-get update NO_PUBKEY fix $i times | ||
| } | ||
| systemctl_restart() { | ||
| retries=$1; wait_sleep=$2; timeout=$3 svcname=$4 | ||
| for i in $(seq 1 $retries); do | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you could do
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
running two extra
apt-get updateoperations in every single CSE (even with VHD) would be a de-optimizationThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current nvidia scenario does not show up in
apt-key list | grep expired. It's only when you run apt-get update that you are able to derive the key that needs fixing.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in that case should we only do the update in nvidia node? I think doing an update for everyone will take a hit on provisioning latency.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's attempting the apt-get update in the background (and it's best-effort, it won't error out), so it won't affect provisioning latency