forked from neil/lxc-templates
lxc-debian: avoid installing unauthenticated packages
--force-yes is deprecated, and is a shortcut for --allow-unauthenticated, --allow-downgrades, --allow-remove-essential, --allow-change-held-packages. --allow-unauthenticated is the only likely to be needed here, so instead of allowing unauthenticated packages, copy any custom keyring used inside the rootfs so any packages we need to install are properly authenticated. The common case is debian-ports-archive-keyring. Signed-off-by: Antonio Terceiro <terceiro@debian.org>
This commit is contained in:
parent
4b041f1d18
commit
56a2d30c41
@ -269,7 +269,7 @@ install_packages()
|
|||||||
local packages="$*"
|
local packages="$*"
|
||||||
|
|
||||||
if [ -n "${packages}" ] && apt_update_packages; then
|
if [ -n "${packages}" ] && apt_update_packages; then
|
||||||
chroot "${rootfs}" apt-get install --force-yes -y --no-install-recommends ${packages}
|
chroot "${rootfs}" apt-get install -y --no-install-recommends ${packages}
|
||||||
elif [ -n "${packages}" ]; then
|
elif [ -n "${packages}" ]; then
|
||||||
echo "Apt update failed, not downloading packages"
|
echo "Apt update failed, not downloading packages"
|
||||||
fi
|
fi
|
||||||
@ -614,6 +614,13 @@ EOF
|
|||||||
write_sourceslist "${rootfs}" "${release}"
|
write_sourceslist "${rootfs}" "${release}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Copy non-standard keyring inside rootfs
|
||||||
|
local extra_keyring
|
||||||
|
extra_keyring="${rootfs}/etc/apt/trusted.gpg.d/lxc-create-$(basename "${KEYRING}")"
|
||||||
|
if [ "${KEYRING}" != "${DEBIAN_ARCHIVE_KEYRING}" ]; then
|
||||||
|
cp "${KEYRING}" "${extra_keyring}"
|
||||||
|
fi
|
||||||
|
|
||||||
# Install Packages in container
|
# Install Packages in container
|
||||||
if [ -n "${packages}" ]; then
|
if [ -n "${packages}" ]; then
|
||||||
local pack_list
|
local pack_list
|
||||||
|
Loading…
Reference in New Issue
Block a user