From: DaanDeMeyer
Date: Fri, 22 Aug 2025 14:58:40 +0000 (+0200)
Subject: rhel: Look up entitlement keys and certificates in sandbox
X-Git-Tag: v26~143
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fac3bd4bf16ca8ee36606b5ebf01decc9c8546a5;p=thirdparty%2Fmkosi.git
rhel: Look up entitlement keys and certificates in sandbox
Similar to how we handle rpm GPG keys, let's also look up the extra stuff for RHEL in the sandbox in the same way.
Fixes #3854
---
diff --git a/mkosi/distributions/rhel.py b/mkosi/distributions/rhel.py
index 186fbba46..3e95a489a 100644
--- a/mkosi/distributions/rhel.py
+++ b/mkosi/distributions/rhel.py
@@ -8,6 +8,7 @@ from mkosi.context import Context
 from mkosi.distributions import centos, join_mirror
 from mkosi.installer.rpm import RpmRepository, find_rpm_gpgkey
 from mkosi.log import die
+from mkosi.run import exists_in_sandbox, glob_in_sandbox
 class Installer(centos.Installer):
@@ -30,45 +31,44 @@ class Installer(centos.Installer):
 if context.config.mirror:
 return None
- p = Path("etc/rhsm/ca/redhat-uep.pem")
- if (context.sandbox_tree / p).exists():
- p = context.sandbox_tree / p
- elif (Path("/") / p).exists():
- p = Path("/") / p
- else:
- die("redhat-uep.pem certificate not found in host system or sandbox tree")
+ path = Path("/etc/rhsm/ca/redhat-uep.pem")
+ if not exists_in_sandbox(path, sandbox=context.sandbox()):
+ die(
+ f"redhat-uep.pem certificate not found in sandbox at {path}",
+ hint="Add the certificate to the sandbox with SandboxTrees= or mkosi.sandbox/",
+ )
- return p
+ return path
 @staticmethod
 def sslclientkey(context: Context) -> Optional[Path]:
 if context.config.mirror:
 return None
- pattern = "etc/pki/entitlement/*-key.pem"
-
- p = next((p for p in sorted(context.sandbox_tree.glob(pattern))), None)
- if not p:
- p = next((p for p in Path("/").glob(pattern)), None)
- if not p:
- die("Entitlement key not found in host system or sandbox tree")
+ glob = "/etc/pki/entitlement/*-key.pem"
+ paths = glob_in_sandbox(glob, sandbox=context.sandbox())
+ if not paths:
+ die(
+ f"No entitlement keys found at {glob} in sandbox",
+ hint="Add an entitlement key to the sandbox with SandboxTrees= or mkosi.sandbox/",
+ )
- return p
+ return paths[0]
 @staticmethod
 def sslclientcert(context: Context) -> Optional[Path]:
 if context.config.mirror:
 return None
- pattern = "etc/pki/entitlement/*.pem"
-
- p = next((p for p in sorted(context.sandbox_tree.glob(pattern)) if "key" not in p.name), None)
- if not p:
- p = next((p for p in sorted(Path("/").glob(pattern)) if "key" not in p.name), None)
- if not p:
- die("Entitlement certificate not found in host system or sandbox tree")
+ glob = "/etc/pki/entitlement/*.pem"
+ paths = [p for p in glob_in_sandbox(glob, sandbox=context.sandbox()) if "-key.pem" not in p.name]
+ if not paths:
+ die(
+ f"No entitlement certificates found at {glob} in sandbox",
+ hint="Add an entitlement certificate to the sandbox with SandboxTrees= or mkosi.sandbox/",
+ )
- return p
+ return paths[0]
 @classmethod
 def repository_variants(cls, context: Context, repo: str) -> Iterable[RpmRepository]:
diff --git a/mkosi/installer/rpm.py b/mkosi/installer/rpm.py
index d9496d7bd..16a8bf756 100644
--- a/mkosi/installer/rpm.py
+++ b/mkosi/installer/rpm.py
@@ -1,7 +1,6 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 import dataclasses
-import subprocess
 import textwrap
 from pathlib import Path
 from typing import Literal, Optional, overload
@@ -9,7 +8,7 @@ from typing import Literal, Optional, overload
 from mkosi.context import Context
 from mkosi.distributions import Distribution
 from mkosi.log import die
-from mkosi.run import run
+from mkosi.run import glob_in_sandbox
 from mkosi.util import PathString
@@ -54,19 +53,10 @@ def find_rpm_gpgkey(
 ) -> Optional[str]:
 # We assume here that GPG keys will only ever be relative symlinks and never absolute symlinks.
- globs = [
+ paths = glob_in_sandbox(
 f"/usr/share/distribution-gpg-keys/*/{key}*",
 f"/etc/pki/rpm-gpg/{key}*",
- ]
-
- paths = (
- run(
- ["bash", "-c", rf"shopt -s nullglob && printf '%s\n' {' '.join(globs)} | xargs -r readlink -f"],
- sandbox=context.sandbox(),
- stdout=subprocess.PIPE,
- )
- .stdout.strip()
- .splitlines()
+ sandbox=context.sandbox(),
 )
 if paths:
diff --git a/mkosi/run.py b/mkosi/run.py
index d41cc5ed0..2e7bc7446 100644
--- a/mkosi/run.py
+++ b/mkosi/run.py
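Review bot: `sslclientkey` and `sslclientcert` each return `paths[0]` from separate glob calls, so when `/etc/pki/entitlement` in the sandbox holds more than one entitlement, nothing in the new code guarantees that the certificate belongs to the returned key, and the extra matches are dropped silently. Assuming the usual `<serial>.pem` / `<serial>-key.pem` naming, deriving the certificate from the selected key's name (or calling `die()` when more than one key matches) would make the choice explicit. It would also help to put a comment on the three methods such as `# Returned path is only valid inside the sandbox, not on the host.`, because the removed code returned a path under `context.sandbox_tree` or `/` that the host could open directly. The `Installer` class starts before this hunk and `repository_variants` continues past it.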
@@ -690,3 +690,37 @@ def finalize_interpreter(tools: bool) -> str:
 return exe
 return "python3"
+
+
+def glob_in_sandbox(
+ *globs: str,
+ sandbox: AbstractContextManager[Sequence[PathString]] = contextlib.nullcontext([]),
+) -> list[Path]:
+ return [
+ Path(s)
+ for s in run(
+ [
+ "bash",
+ "-c",
+ rf"shopt -s nullglob && printf '%s\n' {' '.join(globs)} | xargs -r readlink -f",
+ ],
+ sandbox=sandbox,
+ stdout=subprocess.PIPE,
+ )
+ .stdout.strip()
+ .splitlines()
+ ]
+
+
+def exists_in_sandbox(
+ path: PathString,
+ sandbox: AbstractContextManager[Sequence[PathString]] = contextlib.nullcontext([]),
+) -> bool:
+ return (
+ run(
+ ["bash", "-c", rf"test -e {path}"],
+ sandbox=sandbox,
+ check=False,
+ ).returncode
+ == 0
+ )
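Review bot: `exists_in_sandbox` splices `path` into the `bash -c` string unquoted (`rf"test -e {path}"`), so a path containing whitespace or shell metacharacters is word-split or interpreted by the shell instead of being tested literally. Passing it as a positional argument avoids that: `["bash", "-c", 'test -e "$1"', "bash", path],`. `glob_in_sandbox` needs bash to expand its patterns, so the interpolation there is intentional, but it deserves a docstring stating that the globs are evaluated by the shell and must be trusted, whitespace-free values; the `{key}` that `find_rpm_gpgkey` in mkosi/installer/rpm.py formats into its patterns reaches the same command line. Neither new helper has a docstring describing what it returns (resolved `readlink -f` paths for the first, a boolean from the exit status for the second).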