UnixPB: Fix Insecure Downloads In RHEL/SLES playbooks. (adoptium#3355)

* Fix GPG Check on RHEL for docker. * SLES secure download fixes. * Update ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/NVidia_Cuda_Toolkit/tasks/main.yml Co-authored-by: Stewart X Addison <6487691+sxa@users.noreply.github.com> --------- Co-authored-by: Stewart X Addison <6487691+sxa@users.noreply.github.com>
sxa · Jan 31, 2024 · dad0271 · dad0271
1 parent 001b17a
commit dad0271
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 19 deletions.
diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/SLES.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/SLES.yml
@@ -6,16 +6,10 @@
 #########################################
 # Configure Repos and Update the system #
 #########################################
-- name: Add Devel-Tools repository (SLES12, x86_64/ppc64le)
-  zypper_repository:
-    name: devel-tools
-    repo: 'https://download.opensuse.org/repositories/devel:/tools/SLE_12_SP5/'
-    auto_import_keys: yes
-    state: present
-  when:
-    - ansible_distribution_major_version == "12"
-    - (ansible_architecture == "x86_64") or (ansible_architecture == "ppc64le")
-  tags: patch_update
+
+## For SLES12 SP5, it is essential that the system has a valid support agreement in place, and that all
+## the subscription based repos are in place, as these are required to install packages,
+## now that the public repositories are no longer available.
 
 - name: Add Devel-Tools repository (SLES12, s390x)
   zypper_repository:
@@ -154,6 +148,24 @@
     - ansible_architecture == "x86_64"
   tags: build_tools
 
+## Install libelf0-debuginfo-32bit As This Is No Longer Available In Official repos
+
+- name: Download LibElf Debug 32 Bit Version
+  get_url:
+    url: https://ftp5.gwdg.de/pub/opensuse/discontinued/debug/distribution/12.3/repo/oss/suse/x86_64/libelf0-debuginfo-32bit-0.8.13-13.1.1.x86_64.rpm
+    dest: /tmp/libelf0-debuginfo-32bit-0.8.13-13.1.1.x86_64.rpm
+    mode: 0440
+    checksum: sha256:7ac907e5f955c76db7dd36c92a1f2c679add9aa981c9d4901284f7e6b1df835c
+  when:
+    - ansible_architecture == "x86_64"
+  tags: build_tools
+
+- name: Install LibElf Debug 32 Bit Version
+  command: rpm -i /tmp/libelf0-debuginfo-32bit-0.8.13-13.1.1.x86_64.rpm
+  when:
+    - ansible_architecture == "x86_64"
+  tags: build_tools
+
 ########
 # zlib #
 ########

diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/vars/SLES.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/vars/SLES.yml
@@ -70,6 +70,7 @@ Additional_Build_Tools_SLES12:
 
 Additional_Build_Tools_SLES12_SP5:
   - libcurl-devel    ## Required To Install Git From Source
+  - zlib-devel
 
 Additional_Build_Tools_SLES12_NOT_SP5:
   - git-core
@@ -85,7 +86,6 @@ Additional_Build_Tools_SLES_x86:
   - glibc-devel-32bit             # a dependency required for executing a 32-bit C binary
   - libstdc++6-32bit              # a dependency required for executing a 32-bit C binary
   - libelf0-32bit                 # a dependency required for executing a 32-bit C binary
-  - libelf0-debuginfo-32bit       # a dependency required for executing a 32-bit C binary
   - libstdc++-devel-32bit         # a dependency required for executing a 32-bit C binary
   - libXtst6-32bit                # a dependency required for executing a 32-bit C binary
 

diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Docker/tasks/rhel.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Docker/tasks/rhel.yml
@@ -16,7 +16,7 @@
     description: docker repository
     baseurl: "https://download.docker.com/linux/centos/{{ ansible_distribution_major_version }}/{{ ansible_architecture }}/stable"
     enabled: true
-    gpgcheck: false
+    gpgcheck: true
   when:
     - ansible_architecture == "x86_64" or ansible_architecture == "ppc64le"
 
@@ -26,6 +26,6 @@
     description: docker YUM repo s390x
     baseurl: https://download.docker.com/linux/rhel/{{ ansible_distribution_major_version }}/s390x/stable/
     enabled: true
-    gpgcheck: false
+    gpgcheck: true
   when:
     - ansible_architecture == "s390x"
diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/NVidia_Cuda_Toolkit/tasks/main.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/NVidia_Cuda_Toolkit/tasks/main.yml
@@ -90,20 +90,30 @@
     - ansible_distribution_major_version == "12"
   tags: nvidia_cuda_toolkit
 
-- name: Enable NVidia CUDA toolkit Repo for SLES12 on x86_64
-  command: rpm -i /tmp/sles12_cuda9_repo.rpm
+- name: Download NVidia CUDA toolkit Repo Public for SLES12 on x86_64
+  get_url:
+    url: https://developer.download.nvidia.com/compute/cuda/repos/sles122/x86_64/7fa2af80.pub
+    dest: /tmp/sles12_cuda9_repo.key
+  when:
+    - cuda_installed.stat.islnk is not defined
+    - ansible_architecture == "x86_64"
+    - ansible_distribution == "SLES" or ansible_distribution == "openSUSE"
+    - ansible_distribution_major_version == "12"
+  tags: nvidia_cuda_toolkit
+
+- name: Enable NVidia CUDA toolkit Repo KEY for SLES12 on x86_64
+  command: rpm -import /tmp/sles12_cuda9_repo.key
   when:
     - cuda_installed.stat.islnk is not defined
     - ansible_architecture == "x86_64"
     - ansible_distribution == "SLES" or ansible_distribution == "openSUSE"
     - ansible_distribution_major_version == "12"
   tags:
     - nvidia_cuda_toolkit
-    #TODO: rpm used in place of yum or rpm_key module
     - skip_ansible_lint
 
-- name: Sed change gpgcheck for SLES12 on x86_64
-  command: sed 's/gpgcheck=1/gpgcheck=0/' -i /etc/zypp/repos.d/cuda.repo
+- name: Install NVidia CUDA toolkit Repo for SLES12 on x86_64
+  command: rpm -i /tmp/sles12_cuda9_repo.rpm
   when:
     - cuda_installed.stat.islnk is not defined
     - ansible_architecture == "x86_64"
@@ -114,7 +124,6 @@
     #TODO: rpm used in place of yum or rpm_key module
     - skip_ansible_lint
 
-
 - name: Install NVidia CUDA toolkit for SLES12 on x86_64
   zypper: pkg=cuda state=latest update_cache=yes
   when: