@mssonicbld

Why I did it

There are two bugs in the TRUSTED_GPG_URLS flow:

  1. The sonic-build-hooks Makefile logic that downloads the URLs in TRUSTED_GPG_URLS only reports a failure if the last URL in the list fails. Any other failures are silently ignored, and build proceeds.

  2. The first URL in the current default flag value, https://packages.trafficmanager.net/debian/public_key.gpg, does not exist and seems like it has been broken for quite some time. This went unnoticed because of the first issue.

Work item tracking
  • Microsoft ADO (number only):

How I did it

  1. Added set -e at the beginning of the mini bash script responsible for downloading the URLs in TRUSTED_GPG_URLS, so fatal errors are noticed and reported.
  2. Removed the broken https://packages.trafficmanager.net/debian/public_key.gpg URL from the default value

How to verify it

I've verified this fix under multiple scenarios:

  1. Running make init with no flags

The single valid URL, https://packages.microsoft.com/keys/microsoft.asc, is downloaded successfully and build reports no errors

  2. Running make init with TRUSTED_GPG_URLS='https://packages.trafficmanager.net/debian/public_key.gpg,https://packages.microsoft.com/keys/microsoft.asc'

Build fails as the first URL is broken. Note that this error was not caught in baseline code. The second URL is not downloaded.

  3. Running make init with the same URLs in opposite order (broken URL last)

The first URL downloads. The second URL does not. The error is noticed and the build stops.

  4. Running make init with only the working URL (no other URLs or , in the variable)

The key file downloads. Build reports success

  5. Running make init with only the broken URL

The 404 error is noticed and build aborts.

  6. Running make init with a URL that contains a non-existent domain

The connection failure is recognized and build fails.

  7. Running make init with TRUSTED_GPG_URLS=''

No GPG keys are downloaded and the build proceeds

  8. Performing a full build with no TRUSTED_GPG_URLS flag provided

Build was successful.

  9. Performing a full build with TRUSTED_GPG_URLS='' set at each step

Build was successful.

Which release branch to backport (provide reason below if selected)

Needs to be backported as it's a build bug

  • 202505
  • 202411
  • 202405

Tested branch (Please provide the tested image version)

master @ d5bb539

Description for the changelog

[build] Fix TRUSTED_GPG_URLS bug

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)
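
A reproduction of the first bug described in this PR, added here as an illustration and not taken from the sonic-build-hooks Makefile. The `fetch` stub, the `*.example` URLs and the loop shape are assumptions standing in for the real download step; the script is run through `sh -c`, as a Makefile recipe would be.

```shell
#!/bin/sh
# Constructed placeholder URLs; the stub "fails" for any URL containing "broken".
GOOD='https://good.example/key.asc'
BAD='https://broken.example/key.gpg'

# Stand-in for the real downloader: prints "OK <url>" on success,
# returns a constructed non-zero status (22) on failure.
FETCH='fetch() { case "$1" in *broken*) echo "FAIL $1" >&2; return 22;; *) echo "OK $1";; esac; }'

# Download every URL in the comma-separated $URLS list.
LOOP='for url in $(echo "$URLS" | tr "," " "); do fetch "$url"; done'

# Baseline: no errexit, so the script's exit status is that of the
# LAST fetch only; earlier failures are swallowed by the loop.
run_baseline() { URLS="$1" sh -c "$FETCH; $LOOP"; }

# Fixed: "set -e" aborts on the first failing fetch and propagates its status.
run_fixed() { URLS="$1" sh -c "set -e; $FETCH; $LOOP"; }

# Print the exit status of both variants for the orderings tested in the PR.
for list in "$BAD,$GOOD" "$GOOD,$BAD" "$GOOD" ""; do
    for mode in run_baseline run_fixed; do
        rc=0
        "$mode" "$list" >/dev/null 2>&1 || rc=$?
        printf '%-12s rc=%-2s urls=%s\n' "$mode" "$rc" "$list"
    done
done
```

Note that `set -e` is ignored for commands on the left of `||` or inside an `if` condition, so a guard such as `fetch "$url" || true` in the loop would reintroduce the silent failure.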

@mssonicbld

Original PR: #24438

@mssonicbld

/azp run Azure.sonic-buildimage

@mssonicbld mssonicbld mentioned this pull request Dec 5, 2025
@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).
