[xen-tools-discuss] Issue with standalone Debian apt repo

Axel Beckert abe at deuxchevaux.org
Mon Jun 22 19:40:20 CEST 2015


Hi John,

On Thu, Jun 18, 2015 at 12:21:59PM -0700, John Oliver wrote:
> Background: I'm historically a Red Hat guy, but kind of have to use
> Debian in this case.

JFTR: xen-tools should also be available as package in Fedora AFAIK.

> The host I'm working on has no Internet access, and cannot have
> Internet access under any circumstance. So, after installing Debian
> 8 "Jessie", I fiddled around until I got a local apt repo working. I
> can 'apt-get install foo' no problem. But xen-tools is always
> finding something to complain about.

Interesting case. I've never thought about such a setup.
 
> First, I kept getting "Couldn't find a useful entry in the sources.list
> files of the Dom0. Tried: /etc/apt/sources.list"  It appears that was
> coming from xt-guess-suite-and-mirror. My first question / observation
> would be, if apt is happy with my repo, why isn't
> xt-guess-suite-and-mirror?

As the program name says, it's guessing. E.g. it looks for lines in
sources.list where the URL ends in either /debian/ or /ubuntu/
(trailing slash optional).

> I got past that issue by replacing mirror= and dist= with hard-coded
> lines.

That's the way I would have suggested it, too.
xt-guess-suite-and-mirror is just thought of as a convenience to not
have to fiddle around if you want the same distribution in the guests
as you have on the hosting server. It surely doesn't catch all cases.

> Then it complained about not seeing the Release file.

That likely doesn't come from xen-tools but from debootstrap.

> So I had to figure out how to create that.

Well, every proper mirror has one for ages. So yes, this is indeed
expected.

> Again... if apt works just fine without it, why is xen-tools so
> picky?

apt can be used with add-on repos which may have less infrastructure
than the official repos. It can even work if there's no suite
(unstable, testing, stable, etc.) given but just "./" instead.
debootstrap surely requires more than that -- at least a suite and that
one is usually defined in the Release file.

> Same thing with Release.gpg, and
> I'm working through a stumbling block getting apt to trust the
> certificate I used to sign Release.

"apt-key add file-with-public-key" should do that. It can also read
from STDIN with "apt-key add -". You should be able to do that in a hook
which is run (i.e. sorted) before 20-setup-apt runs "apt-get update".

I'd probably call that hook "19-apt-add-keys" or so.

> Once I have that, though, will xen-tools finally be happy, or will
> it complain more?

I don't know. I never tried. Sounds like a quite unusual setup as your
APT repo seems not to be a mirror of some official mirror but
reinstantiated from scratch. I doubt that this is supported in
debootstrap or cdebootstrap and hence will also be difficult to
support in xen-tools as it relies on these two tools.

> I'd really like to see an option to the relevant parts of xen-tools to
> ignore the "unnecessary" overhead.

This first needs a proper definition of "unnecessary". ;-)

To be honest: If you have explicit requests like "please add an option
for $FOO", I can have a look. But requests like "please fix everything
which doesn't work in $SETUP" aren't really accomplishable.

So one thing I read out of your mail is to be able to pass --force-yes
and --allow-unauthenticated to apt-get. (Actually the former has been
passed by default in the past, but has been removed recently in git
and will make xen-tools pickier on purpose. See
https://bugs.debian.org/776487 for details.)

To catch as many cases as possible it sounds as if an option to pass
arbitrary apt-get options via installDebianPackage() and friends could
be helpful in such exotic cases. I've added this to the TODO list:
https://github.com/xen-tools/xen-tools/commit/d49f4568

> I am a long way from being against properly signing things, etc. But
> this is on a closed network, and I could be done with my mission to
> stand up a Xen server and could "make it right" at my leisure. As
> bad as an idea as it might be, how do I just move ahead without
> making everything perfect, especially when apt works perfectly well?

Since it never came to me that someone would use it without a proper
mirror (i.e. without a mirror that has all the files an official one
has, at least for one architecture), I never tried and hence I don't
know.

		Kind regards, Axel
-- 
/~\  Plain Text Ribbon Campaign                   | Axel Beckert
\ /  Say No to HTML in E-Mail and News            | abe at deuxchevaux.org  (Mail)
 X   See http://www.nonhtmlmail.org/campaign.html | abe at noone.org (Mail+Jabber)
/ \  I love long mails: http://email.is-not-s.ms/ | http://abe.noone.org/ (Web)
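
The hook suggested in the mail above ("19-apt-add-keys", sorted before 20-setup-apt), written out as an added example that is not part of the original message or of xen-tools. It assumes xen-tools passes the guest's mount point as the first argument; the key file path is hypothetical.

```shell
#!/bin/sh
# 19-apt-add-keys (added example): import the local repository's public
# signing key into the new guest before 20-setup-apt runs "apt-get update".
# Assumption: xen-tools passes the guest's mount point as $1.
# Hypothetical path; the public key would be exported on the Dom0 with
#   gpg --armor --export KEYID > /etc/xen-tools/local-repo.pub.asc
KEYFILE=${KEYFILE:-/etc/xen-tools/local-repo.pub.asc}

add_repo_key() {
    prefix=$1
    keyfile=$2

    if [ ! -d "$prefix/etc/apt" ]; then
        echo "add_repo_key: $prefix is not a bootstrapped guest" >&2
        return 1
    fi
    if [ ! -s "$keyfile" ]; then
        echo "add_repo_key: $keyfile is missing or empty" >&2
        return 1
    fi
    # Only the public half belongs in the guest. This catches an armored
    # secret-key export; it cannot recognise a binary one.
    if grep -q 'BEGIN PGP PRIVATE KEY BLOCK' "$keyfile"; then
        echo "add_repo_key: $keyfile contains a private key, refusing" >&2
        return 1
    fi
    if ! grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$keyfile"; then
        echo "add_repo_key: $keyfile is not an armored public key" >&2
        return 1
    fi
    # "apt-key add -" reads the key from STDIN, as described in the mail.
    chroot "$prefix" apt-key add - < "$keyfile"
}

# Run as a hook only when xen-tools supplied the mount point; the hook's
# exit status is then the status of the import.
if [ $# -ge 1 ]; then
    add_repo_key "$1" "$KEYFILE"
fi
```

With the key imported this way, the guest's apt verifies the signed Release file from the local repo without needing --allow-unauthenticated.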