From fb5ff8e46227518fbcb515efb9829d555100dfd6 Mon Sep 17 00:00:00 2001
From: Hernan Garcia
Date: Fri, 21 Apr 2023 14:59:40 -0500
Subject: [PATCH 1/2] replaced deprecated apt_key
---
roles/zabbix_agent/tasks/Debian.yml | 22 ++++++++++++++++++----
roles/zabbix_agent/vars/Debian.yml | 5 +++++
roles/zabbix_javagateway/tasks/Debian.yml | 22 ++++++++++++++++++----
roles/zabbix_javagateway/vars/Debian.yml | 3 +++
roles/zabbix_proxy/tasks/Debian.yml | 23 ++++++++++++++++++-----
roles/zabbix_proxy/vars/Debian.yml | 3 +++
roles/zabbix_server/tasks/Debian.yml | 22 ++++++++++++++++++----
roles/zabbix_server/vars/Debian.yml | 3 +++
roles/zabbix_web/tasks/Debian.yml | 22 ++++++++++++++++++----
roles/zabbix_web/vars/Debian.yml | 3 +++
10 files changed, 107 insertions(+), 21 deletions(-)
diff --git a/roles/zabbix_agent/tasks/Debian.yml b/roles/zabbix_agent/tasks/Debian.yml
index 17f8906cd..8a8b1a0bd 100644
--- a/roles/zabbix_agent/tasks/Debian.yml
+++ b/roles/zabbix_agent/tasks/Debian.yml
@@ -40,10 +40,24 @@ until: gnupg_installed is succeeded become: true -- name: "Debian | Install gpg key" - apt_key: - id: "{{ sign_keys[zabbix_short_version][zabbix_agent_distribution_release]['sign_key'] }}" +# In releases older than Debian 12 and Ubuntu 22.04, /etc/apt/keyrings does not exist by default. +# It SHOULD be created with permissions 0755 if it is needed and does not already exist. +# See: https://wiki.debian.org/DebianRepository/UseThirdParty +- name: "Debian | Create /etc/apt/keyrings/ on older versions" + ansible.builtin.file: + path: /etc/apt/keyrings/ + state: directory + mode: '0755' + when: + - (ansible_distribution == "Ubuntu" and ansible_distribution_major_version < "22") or + (ansible_distribution == "Debian" and ansible_distribution_major_version < "12") + +- name: "Debian | Download gpg key" + ansible.builtin.get_url: url: http://repo.zabbix.com/zabbix-official-repo.key + dest: "{{ zabbix_gpg_key }}" + mode: '0644' + force: true environment: http_proxy: "{{ zabbix_http_proxy | default(None) | default(omit) }}" https_proxy: "{{ zabbix_https_proxy | default(None) | default(omit) }}" @@ -54,7 +68,7 @@ - name: "Debian | Installing repository {{ ansible_distribution }}" apt_repository: - repo: "{{ item }} {{ zabbix_agent_apt_repository | join(' ') }}" + repo: "{{ item }} [signed-by={{ zabbix_gpg_key }}] {{ zabbix_agent_apt_repository | join(' ') }}" state: present become: true with_items: diff --git a/roles/zabbix_agent/vars/Debian.yml b/roles/zabbix_agent/vars/Debian.yml index 23fb3b299..f04a6df60 100644 --- a/roles/zabbix_agent/vars/Debian.yml +++ b/roles/zabbix_agent/vars/Debian.yml @@ -37,3 +37,8 @@ zabbix_valid_agent_versions: - 6.4 - 6.2 - 6.0 + - 5.0 + - 4.0 + +debian_keyring_path: /etc/apt/keyrings/ +zabbix_gpg_key: "{{ debian_keyring_path }}/zabbix-official-repo.asc" diff --git a/roles/zabbix_javagateway/tasks/Debian.yml b/roles/zabbix_javagateway/tasks/Debian.yml index 139ceba3a..618b15c3e 100644 
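Review bot: The new `Debian | Download gpg key` task fetches the repository signing key over plain `http://` and no longer ties it to an expected key id, so whatever the network path returns is stored as the key that `signed-by` later trusts. The removed `apt_key` task carried `id:` from `sign_keys[...]['sign_key']`; the `get_url` task has no equivalent check, and `force: true` repeats the unauthenticated download on every run. I would change it to `url: https://repo.zabbix.com/zabbix-official-repo.key` and add `checksum: "sha256:<SHA256_OF_KEY_FILE>"` (placeholder; pin the real digest, or verify the downloaded key's fingerprint against `sign_keys` before the repository is enabled). The same task appears in the zabbix_javagateway, zabbix_proxy, zabbix_server and zabbix_web hunks.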
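Review bot: On hosts already provisioned by the previous version of this role, the changed `repo:` string will probably be written as a second source entry next to the existing one that has no `[signed-by=...]`, and apt is known to reject the same source configured with conflicting Signed-By values. Nothing in the visible tasks removes the old entry or the key that `apt_key` previously placed in the global keyring, so on upgraded hosts the per-repository scoping that `signed-by` is meant to provide would not take effect. Consider a preceding `apt_repository` task with `state: absent` for the old `repo:` string, plus a cleanup (or documented manual step) for the legacy key. This applies equally to the `repo:` changes in the other four roles.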
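Review bot: `debian_keyring_path` ends in a slash and `zabbix_gpg_key` joins it with another, so the path passed to `dest:` and written into `[signed-by=...]` is `/etc/apt/keyrings//zabbix-official-repo.asc`. It resolves, but the doubled separator ends up in the sources entry and makes later string matching on that entry fragile; I would define `debian_keyring_path: /etc/apt/keyrings` and use `path: "{{ debian_keyring_path }}"` in the create-directory task, which currently hard-codes the directory. The variable is also unprefixed and defined identically in all five roles' vars files, so a `zabbix_` prefix would match the neighbouring names and avoid clashing with a variable of the same name from another role.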
--- a/roles/zabbix_javagateway/tasks/Debian.yml +++ b/roles/zabbix_javagateway/tasks/Debian.yml @@ -24,15 +24,29 @@ when: - ansible_machine == "aarch64" -- name: "Debian | Install gpg key" - apt_key: - id: "{{ sign_keys[zabbix_short_version][ansible_distribution_release]['sign_key'] }}" +# In releases older than Debian 12 and Ubuntu 22.04, /etc/apt/keyrings does not exist by default. +# It SHOULD be created with permissions 0755 if it is needed and does not already exist. +# See: https://wiki.debian.org/DebianRepository/UseThirdParty +- name: "Debian | Create /etc/apt/keyrings/ on older versions" + ansible.builtin.file: + path: /etc/apt/keyrings/ + state: directory + mode: '0755' + when: + - (ansible_distribution == "Ubuntu" and ansible_distribution_major_version < "22") or + (ansible_distribution == "Debian" and ansible_distribution_major_version < "12") + +- name: "Debian | Download gpg key" + ansible.builtin.get_url: url: http://repo.zabbix.com/zabbix-official-repo.key + dest: "{{ zabbix_gpg_key }}" + mode: '0644' + force: true become: true - name: "Debian | Installing repository Debian" apt_repository: - repo: "{{ item }} {{ zabbix_javagateway_apt_repository | join(' ') }}" + repo: "{{ item }} [signed-by={{ zabbix_gpg_key }}] {{ zabbix_javagateway_apt_repository | join(' ') }}" state: present become: true with_items: diff --git a/roles/zabbix_javagateway/vars/Debian.yml b/roles/zabbix_javagateway/vars/Debian.yml index cfff15a37..f2f37a105 100644 --- a/roles/zabbix_javagateway/vars/Debian.yml +++ b/roles/zabbix_javagateway/vars/Debian.yml @@ -21,3 +21,6 @@ zabbix_valid_javagateway_versions: - 6.4 - 6.2 - 6.0 + +debian_keyring_path: /etc/apt/keyrings/ +zabbix_gpg_key: "{{ debian_keyring_path }}/zabbix-official-repo.asc" diff --git a/roles/zabbix_proxy/tasks/Debian.yml b/roles/zabbix_proxy/tasks/Debian.yml index 520f1e2f6..5f9d84c3a 100644 --- a/roles/zabbix_proxy/tasks/Debian.yml +++ b/roles/zabbix_proxy/tasks/Debian.yml 
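Review bot: The `when:` on `Debian | Create /etc/apt/keyrings/ on older versions` compares `ansible_distribution_major_version` with `"22"` and `"12"` as strings, so a single-digit major version such as `"9"` sorts after `"12"` and the directory is not created on a release that needs it; the following `get_url` would then fail on the missing directory. Because `state: directory` is idempotent, the simplest fix is to drop the `when:` block; otherwise compare numerically, e.g. `ansible_distribution_major_version | int < 12`. The same condition is in the zabbix_agent, zabbix_proxy, zabbix_server and zabbix_web task hunks.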
@@ -30,13 +30,26 @@ until: gnupg_installed is succeeded become: true -- name: "Debian | Install gpg key" - apt_key: - id: "{{ sign_keys[zabbix_short_version][ansible_distribution_release]['sign_key'] }}" +# In releases older than Debian 12 and Ubuntu 22.04, /etc/apt/keyrings does not exist by default. +# It SHOULD be created with permissions 0755 if it is needed and does not already exist. +# See: https://wiki.debian.org/DebianRepository/UseThirdParty +- name: "Debian | Create /etc/apt/keyrings/ on older versions" + ansible.builtin.file: + path: /etc/apt/keyrings/ + state: directory + mode: '0755' + when: + - (ansible_distribution == "Ubuntu" and ansible_distribution_major_version < "22") or + (ansible_distribution == "Debian" and ansible_distribution_major_version < "12") + +- name: "Debian | Download gpg key" + ansible.builtin.get_url: url: http://repo.zabbix.com/zabbix-official-repo.key + dest: "{{ zabbix_gpg_key }}" + mode: '0644' + force: true register: are_zabbix_proxy_dependency_packages_installed until: are_zabbix_proxy_dependency_packages_installed is succeeded - become: true tags: - zabbix-proxy @@ -44,7 +57,7 @@ - name: "Debian | Installing repository {{ ansible_distribution }}" apt_repository: - repo: "{{ item }} http://repo.zabbix.com/zabbix/{{ zabbix_proxy_version }}/{{ ansible_distribution.lower() }}/ {{ ansible_distribution_release }} main" + repo: "{{ item }} [signed-by={{ zabbix_gpg_key }}] http://repo.zabbix.com/zabbix/{{ zabbix_proxy_version }}/{{ ansible_distribution.lower() }}/ {{ ansible_distribution_release }} main" state: present become: true with_items: diff --git a/roles/zabbix_proxy/vars/Debian.yml b/roles/zabbix_proxy/vars/Debian.yml index 75f5c89ad..c8a3958e5 100644 --- a/roles/zabbix_proxy/vars/Debian.yml +++ b/roles/zabbix_proxy/vars/Debian.yml 
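Review bot: This hunk removes `become: true` from the key download task, and the new create-directory task has none either, although both write under `/etc/apt/`. Unless privilege escalation is set at play level (not visible here), both tasks fail for an unprivileged connection user; the neighbouring `apt_repository` task sets `become: true` per task, which suggests the role relies on task-level escalation. Add `become: true` to both tasks. The create-directory task lacks it in the other four roles' hunks as well, and it carries no `tags:`, so a run limited to `zabbix-proxy` tags would skip it while still running the download.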
@@ -43,3 +43,6 @@ mysql_client_pkgs: mysql_plugin: "18": mysql_native_password "10": mysql_native_password + +debian_keyring_path: /etc/apt/keyrings/ +zabbix_gpg_key: "{{ debian_keyring_path }}/zabbix-official-repo.asc" diff --git a/roles/zabbix_server/tasks/Debian.yml b/roles/zabbix_server/tasks/Debian.yml index dcf996245..88e97862d 100644 --- a/roles/zabbix_server/tasks/Debian.yml +++ b/roles/zabbix_server/tasks/Debian.yml @@ -60,10 +60,24 @@ until: gnupg_installed is succeeded become: true -- name: "Debian | Install gpg key" - apt_key: - id: "{{ sign_keys[zabbix_short_version][ansible_distribution_release]['sign_key'] }}" +# In releases older than Debian 12 and Ubuntu 22.04, /etc/apt/keyrings does not exist by default. +# It SHOULD be created with permissions 0755 if it is needed and does not already exist. +# See: https://wiki.debian.org/DebianRepository/UseThirdParty +- name: "Debian | Create /etc/apt/keyrings/ on older versions" + ansible.builtin.file: + path: /etc/apt/keyrings/ + state: directory + mode: '0755' + when: + - (ansible_distribution == "Ubuntu" and ansible_distribution_major_version < "22") or + (ansible_distribution == "Debian" and ansible_distribution_major_version < "12") + +- name: "Debian | Download gpg key" + ansible.builtin.get_url: url: http://repo.zabbix.com/zabbix-official-repo.key + dest: "{{ zabbix_gpg_key }}" + mode: '0644' + force: true register: zabbix_server_repo_files_installed until: zabbix_server_repo_files_installed is succeeded become: true @@ -73,7 +87,7 @@ - name: "Debian | Installing repository {{ ansible_distribution }}" apt_repository: - repo: "{{ item }} {{ zabbix_server_apt_repository | join(' ') }}" + repo: "{{ item }} [signed-by={{ zabbix_gpg_key }}] {{ zabbix_server_apt_repository | join(' ') }}" state: present become: true with_items: diff --git a/roles/zabbix_server/vars/Debian.yml b/roles/zabbix_server/vars/Debian.yml index febc5097c..cd3468eeb 100644 --- a/roles/zabbix_server/vars/Debian.yml 
+++ b/roles/zabbix_server/vars/Debian.yml @@ -24,3 +24,6 @@ zabbix_valid_server_versions: - 6.0 "18": - 6.0 + +debian_keyring_path: /etc/apt/keyrings/ +zabbix_gpg_key: "{{ debian_keyring_path }}/zabbix-official-repo.asc" diff --git a/roles/zabbix_web/tasks/Debian.yml b/roles/zabbix_web/tasks/Debian.yml index 4d9986dcc..4ade32a42 100644 --- a/roles/zabbix_web/tasks/Debian.yml +++ b/roles/zabbix_web/tasks/Debian.yml @@ -65,10 +65,24 @@ - init - config -- name: "Debian | Install gpg key" - apt_key: - id: "{{ sign_keys[zabbix_short_version][ansible_distribution_release]['sign_key'] }}" +# In releases older than Debian 12 and Ubuntu 22.04, /etc/apt/keyrings does not exist by default. +# It SHOULD be created with permissions 0755 if it is needed and does not already exist. +# See: https://wiki.debian.org/DebianRepository/UseThirdParty +- name: "Debian | Create /etc/apt/keyrings/ on older versions" + ansible.builtin.file: + path: /etc/apt/keyrings/ + state: directory + mode: '0755' + when: + - (ansible_distribution == "Ubuntu" and ansible_distribution_major_version < "22") or + (ansible_distribution == "Debian" and ansible_distribution_major_version < "12") + +- name: "Debian | Download gpg key" + ansible.builtin.get_url: url: http://repo.zabbix.com/zabbix-official-repo.key + dest: "{{ zabbix_gpg_key }}" + mode: '0644' + force: true become: true tags: - zabbix-web @@ -77,7 +91,7 @@ - name: "Debian | Installing repository {{ ansible_distribution }}" apt_repository: - repo: "{{ item }} {{ zabbix_server_apt_repository | join(' ') }}" + repo: "{{ item }} [signed-by={{ zabbix_gpg_key }}] {{ zabbix_server_apt_repository | join(' ') }}" state: present become: true with_items: diff --git a/roles/zabbix_web/vars/Debian.yml b/roles/zabbix_web/vars/Debian.yml index f866dc385..c4143dbe9 100644 --- a/roles/zabbix_web/vars/Debian.yml +++ b/roles/zabbix_web/vars/Debian.yml 
@@ -42,3 +42,6 @@ zabbix_valid_web_versions: - 6.0 "18": - 6.0 + +debian_keyring_path: /etc/apt/keyrings/ +zabbix_gpg_key: "{{ debian_keyring_path }}/zabbix-official-repo.asc" From 5f558e373e926150299c486e79ca17bcb36ae5f1 Mon Sep 17 00:00:00 2001 From: Hernan Garcia Date: Sat, 22 Apr 2023 07:34:06 -0500 Subject: [PATCH 2/2] added change fragment for replacement of apt_key --- changelogs/fragments/969_replace_apt_key.yml | 3 +++ roles/zabbix_agent/vars/Debian.yml | 2 -- 2 files changed, 3 insertions(+), 2 deletions(-) create mode 100644 changelogs/fragments/969_replace_apt_key.yml diff --git a/changelogs/fragments/969_replace_apt_key.yml b/changelogs/fragments/969_replace_apt_key.yml new file mode 100644 index 000000000..dca49a420 --- /dev/null +++ b/changelogs/fragments/969_replace_apt_key.yml @@ -0,0 +1,3 @@ +--- +minor_changes: + - Replaced usage of deprecated apt key management in Debian based distros - See https://wiki.debian.org/DebianRepository/UseThirdParty diff --git a/roles/zabbix_agent/vars/Debian.yml b/roles/zabbix_agent/vars/Debian.yml index f04a6df60..93c42fe60 100644 --- a/roles/zabbix_agent/vars/Debian.yml +++ b/roles/zabbix_agent/vars/Debian.yml @@ -37,8 +37,6 @@ zabbix_valid_agent_versions: - 6.4 - 6.2 - 6.0 - - 5.0 - - 4.0 debian_keyring_path: /etc/apt/keyrings/ zabbix_gpg_key: "{{ debian_keyring_path }}/zabbix-official-repo.asc"