From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id B069369BBA for ; Wed, 20 Jan 2021 11:02:27 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id A35632558D for ; Wed, 20 Jan 2021 11:01:57 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 2796825550 for ; Wed, 20 Jan 2021 11:01:55 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id E88FF4609B for ; Wed, 20 Jan 2021 11:01:54 +0100 (CET) From: Fabian Ebner To: pve-devel@lists.proxmox.com Date: Wed, 20 Jan 2021 11:01:38 +0100 Message-Id: <20210120100143.16268-3-f.ebner@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210120100143.16268-1-f.ebner@proxmox.com> References: <20210120100143.16268-1-f.ebner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.007 Adjusted score from AWL reputation of 
From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [apt.pm, proxmox.com] Subject: [pve-devel] [RFC common 2/7] APT: add extended repositories check X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Jan 2021 10:02:27 -0000 To detect old/bad suites and see whether the 'enterprise' repository or at least the 'no-subscription' repository is configured. Signed-off-by: Fabian Ebner
---
Suggestions for further checks are welcome. Note that the distribution names might conflict for external non-Debian repos that would re-use Debian names, but I think we can safely ignore that. src/PVE/APT.pm | 108 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+)
diff --git a/src/PVE/APT.pm b/src/PVE/APT.pm
index 75d1810..9f29593 100644
--- a/src/PVE/APT.pm
+++ b/src/PVE/APT.pm
@@ -287,4 +287,112 @@ sub list_repositories {
 return $repos;
 }

+sub check_repositories {
+ my ($repos, $product) = @_;
+
+ my $enterprise_configured = 0;
+ my $no_subscription_configured = 0;
+
+ my $enterprise_uri = "https://enterprise.proxmox.com/debian/${product}";
+ my $enterprise_component = "${product}-enterprise";
+ my $no_subscription_uri = "http://download.proxmox.com/debian/${product}";
+ my $no_subscription_component = "${product}-no-subscription";
+
+ # TODO update for PVE 7.0
+ my @old_suites = (
+ 'lenny',
+ 'squeeze',
+ 'wheezy',
+ 'jessie',
+ 'stretch',
+ 'oldoldstable',
+ 'oldstable',
+ );
+
+ my @new_suites = (
+ 'unstable',
+ 'sid',
+ 'experimental',
+ );
+
+ my $warnings = [];
+
+ my $add_warning = sub {
+ my ($repo, $message) = @_;
+
+ if (defined($repo)) {
+ push @{$warnings}, {
+ path => $repo->{path},
+ number => $repo->{number},
+ message => $message,
+ };
+ } else {
+ push @{$warnings}, { message => $message };
+ }
+ };
+
+ my $match_suite = sub {
+ my ($suite, $list) = @_;
+
+ return grep {
+ $_ =~ m|^\Q$suite\E$| ||
+ $_ =~ m|^\Q$suite\E-backports$| ||
+ $_ =~ m|^\Q$suite\E-backports-sloppy$| ||
+ $_ =~ m|^\Q$suite\E-updates$| ||
+ $_ =~ m|^\Q$suite\E/updates$|
+ } @{$list};
+ };
+
+ foreach my $repo (@{$repos}) {
+ my $types = $split_list->($repo->{Types});
+ my $uris = $split_list->($repo->{URIs});
+ my $components = $split_list->($repo->{Components});
+ my $suites = $split_list->($repo->{Suites});
+
+ foreach my $type (@{$types}) {
+ next if $type ne 'deb';
+
+ foreach my $old_suite (@old_suites) {
+ $add_warning->($repo, "Old suite '${old_suite}' configured!")
+ if $match_suite->($old_suite, $suites);
+ }
+
+ foreach my $new_suite (@new_suites) {
+ $add_warning->($repo, "Suite '${new_suite}' should not be " .
+ "used in production!") if $match_suite->($new_suite, $suites);
+ }
+
+ $add_warning->($repo, "Use the name of the stable distribuition " .
+ "instead of 'stable'!") if $match_suite->('stable', $suites);
+
+ next if !$repo->{enabled};
+
+ foreach my $uri (@{$uris}) {
+ if ($uri =~ m|^\Q$enterprise_uri\E/?|) {
+ foreach my $component (@{$components}) {
+ $enterprise_configured = 1
+ if $component eq $enterprise_component;
+ }
+ }
+ if ($uri =~ m|^\Q$no_subscription_uri\E/?|) {
+ foreach my $component (@{$components}) {
+ $no_subscription_configured = 1
+ if $component eq $no_subscription_component;
+ }
+ }
+ }
+ }
+ }
+
+ if (!$enterprise_configured && !$no_subscription_configured) {
+ $add_warning->(undef, "You should configure either the 'enterprise' " .
+ "or 'no-subscription' repository!");
+ } elsif (!$enterprise_configured && $no_subscription_configured) {
+ $add_warning->(undef, "The 'no-subscription' repository is not " .
+ "recommended for production use!");
+ }
+
+ return $warnings;
+}
+
 1;
-- 2.20.1
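Review bot: The two URI checks in the `foreach my $uri` loop are prefix matches: `m|^\Q$enterprise_uri\E/?|` has no end anchor, so the trailing `/?` does nothing and any URI that merely starts with `https://enterprise.proxmox.com/debian/${product}` (a longer path segment beginning with the product name, for instance) sets `$enterprise_configured`. Anchoring both patterns, `if ($uri =~ m|^\Q$enterprise_uri\E/?$|) {` and `if ($uri =~ m|^\Q$no_subscription_uri\E/?$|) {`, keeps the result tied to the exact repository URL, so the check cannot report a Proxmox update source as configured when the entry points somewhere else. Because `$no_subscription_uri` is fixed to `http://`, an entry written as `https://download.proxmox.com/...` would presumably go unrecognised and produce the "configure either" warning; it is worth confirming whether that scheme should be accepted as well. The user-visible message in the `'stable'` warning also misspells "distribution" as `distribuition`.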