unixPb: GPG signature verification added to jdk downloads #2999

Merged
merged 15 commits into from Mar 30, 2023

Contributor

@Haroon-Khel Haroon-Khel commented Mar 17, 2023

  • commit message has one of the standard prefixes
  • faq.md updated if appropriate
  • other documentation is changed or added (if applicable)
  • playbook changes run through VPC or QPC (if you have access)
  • VPC/QPC not applicable for this PR
  • for inventory.yml changes, bastillion/nagios/jenkins updated accordingly

ref #2908

Added signature verification to the linux, alpine linux, solaris and mac jdk downloads in the unix playbook.
Refactored the linux and alpine linux tasks into one.
Can't get a signature file for jdk 10, api will not return release information for jdk 10, so verification is skipped for jdk 10.
Refactored tasks into blocks for easier management.
Removed duplicate code at the bottom.

@github-actions github-actions bot left a comment

A block has been put on this Pull Request as this repository is temporarily under a code freeze due to an ongoing release cycle.

If this pull request needs to be merged during the release cycle then please comment /merge and a PMC member will be able to remove the block.

If the code freeze is over you can remove this block by commenting /thaw.

@Haroon-Khel
Contributor Author

Haroon-Khel commented Mar 17, 2023

The api does not return a signature_link for jdk16 x64 mac it seems, causing it to fail. Using https://api.adoptium.net/q/swagger-ui/#/Assets/getLatestAssets

Request url: https://api.adoptium.net/v3/assets/latest/16/hotspot?architecture=x64&image_type=jdk&os=mac&vendor=eclipse

@sxa
Member

sxa commented Mar 17, 2023

> The api does not return a signature_link for jdk16 x64 mac it seems, causing it to fail.

GPG signatures were added to all current release lines last year so I would expect it will have excluded JDK16 on all platforms.

However, I believe (please verify this for all platforms - I'm confident linux is ok though) that all of the JDK17 builds are now bootstrapped with JDK17, so JDK16 is no longer required on the machines, in which case it can be removed from the playbooks. (Having said that, presumably we can't check them on JDK10 for bootstrapping 11 either)

@Haroon-Khel
Contributor Author

> However, I believe (please verify this for all platforms - I'm confident linux is ok though) that all of the JDK17 builds are now bootstrapped with JDK17, so JDK16 is no longer required on the machines, in which case it can be removed from the playbooks.

@sxa You're right, I just checked. I've removed jdk16 from the playbook

@Haroon-Khel Haroon-Khel added the QEMU-playbook-check Runs build_qemu workflow label Mar 20, 2023
@sxa
Member

sxa commented Mar 20, 2023

Can you adjust the first commit message so it has the correct unixPB: prefix please?

@Haroon-Khel
Contributor Author

Jdk8 s390x also does not have a signature file, so I've excluded the check for that platform
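Added example, not the playbook code from this PR: a sketch of Ansible tasks that query the API URL quoted earlier in the thread, stop when `signature_link` is missing unless the version/architecture pair is on an explicit exemption list, and verify the download with gpg. The variable names, the `/tmp` and keyring paths, and the assumption that the release signing key has already been imported into that keyring are mine.

```yaml
# Added example; variable names and paths are assumptions, not the project's.
- name: Download a JDK and verify its detached GPG signature
  vars:
    jdk_version: 8
    jdk_arch: x64
    jdk_os: linux
    jdk_tarball: "/tmp/jdk{{ jdk_version }}.tar.gz"   # assumed download path
    jdk_keyring: /etc/jdk-release-keyring.gpg         # assumed: holds only the release signing key
    gpg_exempt: ["8/s390x"]                           # version/arch pairs with no published signature
  block:
    - name: Look up the latest release
      ansible.builtin.uri:
        url: "https://api.adoptium.net/v3/assets/latest/{{ jdk_version }}/hotspot?architecture={{ jdk_arch }}&image_type=jdk&os={{ jdk_os }}&vendor=eclipse"
        return_content: true
      register: jdk_api

    - name: Keep the package entry of the first asset
      ansible.builtin.set_fact:
        jdk_pkg: "{{ jdk_api.json[0].binary.package }}"

    # Fail closed: a missing signature is only tolerated for listed exemptions.
    - name: Require a signature unless this build is exempt
      ansible.builtin.assert:
        that:
          - "jdk_pkg.signature_link is defined or (jdk_version ~ '/' ~ jdk_arch) in gpg_exempt"
        fail_msg: "No signature_link for JDK {{ jdk_version }} {{ jdk_arch }} and it is not exempt"

    - name: Download the binary
      ansible.builtin.get_url:
        url: "{{ jdk_pkg.link }}"
        dest: "{{ jdk_tarball }}"
        mode: "0644"

    - name: Download the detached signature
      ansible.builtin.get_url:
        url: "{{ jdk_pkg.signature_link }}"
        dest: "{{ jdk_tarball }}.sig"
        mode: "0644"
      when: jdk_pkg.signature_link is defined

    # A dedicated keyring keeps unrelated keys in the default keyring from
    # satisfying the check; a non-zero gpg exit status fails the play.
    - name: Verify the signature
      ansible.builtin.command:
        argv: [gpg, --no-default-keyring, --keyring, "{{ jdk_keyring }}",
               --verify, "{{ jdk_tarball }}.sig", "{{ jdk_tarball }}"]
      changed_when: false
      when: jdk_pkg.signature_link is defined
```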

@Haroon-Khel Haroon-Khel added QEMU-playbook-check Runs build_qemu workflow and removed QEMU-playbook-check Runs build_qemu workflow labels Mar 20, 2023
@Haroon-Khel
Contributor Author

Haroon-Khel commented Mar 20, 2023

Fails on Centos 6 in the vpc, but passes on Centos 6 in the github checks
https://ci.adoptium.net/job/VagrantPlaybookCheck/1645/

Rerunning on just Centos 6 https://ci.adoptium.net/job/VagrantPlaybookCheck/1651/console

@Haroon-Khel
Contributor Author

Haroon-Khel commented Mar 21, 2023

New vpc job centos6 only https://ci.adoptium.net/job/VagrantPlaybookCheck/1653/console

@Haroon-Khel Haroon-Khel changed the title UnixPb: GPG signature verification added to jdk downloads unixPb: GPG signature verification added to jdk downloads Mar 21, 2023
@Haroon-Khel
Contributor Author

I don't know why the vars aren't being inherited from the block part of the task

```
  vars:
    ansible_python_interpreter: /usr/local/python2/bin/python2.7
```

```
12:02:33 TASK [adoptopenjdk_install : Download latest JDK 8 release (CentOS6)] **********
12:02:45 FAILED - RETRYING: Download latest JDK 8 release (CentOS6) (3 retries left).
12:03:01 FAILED - RETRYING: Download latest JDK 8 release (CentOS6) (2 retries left).
12:03:17 FAILED - RETRYING: Download latest JDK 8 release (CentOS6) (1 retries left).
12:03:33 fatal: [127.0.0.1]: FAILED! => {"attempts": 3, "changed": false, "msg": "Aborting, target uses selinux but python bindings (libselinux-python) aren't installed!"}
```

@Haroon-Khel
Contributor Author

New vpc https://ci.adoptium.net/job/VagrantPlaybookCheck/1654/console
If this still fails, I'm replacing the get_url task with a wget command

@Haroon-Khel
Contributor Author

VPC looks good. I've removed one of the commits from earlier where I install libselinux-python for centos 6 (I found that it isn't needed). This pr is ready to merge

Member

@sxa sxa left a comment

LGTM but can you adjust the description to say you've run VPC on it - currently the checkbox is for "Doesn't need to be run" :-)

Contributor

@karianna karianna left a comment

Might be worth commenting each usage of the older API and why it is called

@Haroon-Khel Haroon-Khel added QEMU-playbook-check Runs build_qemu workflow and removed QEMU-playbook-check Runs build_qemu workflow labels Mar 29, 2023
@Haroon-Khel
Contributor Author

Haroon-Khel commented Mar 29, 2023

Jdk 10 binaries cannot be retrieved using api.adoptium.net, so I've kept them with api.adoptopenjdk.net

https://ci.adoptium.net/job/VagrantPlaybookCheck/1658/console

@sxa
Member

sxa commented Mar 29, 2023

> Jdk 10 binaries cannot be retrieved using api.adoptium.net, so I've kept them with api.adoptopenjdk.net

Yeah I'm not sure I like this extra complexity. I would recommend leaving as-is for the purposes of this PR and if there's a desire to use the different APIs then it can be done independently since this has nothing to do with enabling GPG verification.

In fact it may make more sense to consider having a separate adoptium_install role to make it cleaner since these variables covering both looks quite messy to me.

@Haroon-Khel
Contributor Author

> Yeah I'm not sure I like this extra complexity. I would recommend leaving as-is for the purposes of this PR and if there's a desire to use the different APIs then it can be done independently since this has nothing to do with enabling GPG verification.

Ok, I'll leave the api as it is. Any update to it can happen in a separate pr

@karianna
Contributor

/thaw

@github-actions github-actions bot dismissed their stale review March 30, 2023 02:22

Pull Request unblocked - code freeze is over.

@karianna
Contributor

Solaris Host is failing to connect

```
PLAY [Ansible Unix playbook] ***************************************************

TASK [Gathering Facts] *********************************************************
fatal: [127.0.0.1]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Warning: Permanently added '[127.0.0.1]:2222' (ED25519) to the list of known hosts.\r\nssh_dispatch_run_fatal: Connection to 127.0.0.1 port 2222: incorrect signature", "unreachable": true}

PLAY RECAP *********************************************************************
127.0.0.1 : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0
```

@Haroon-Khel
Contributor Author

@karianna Yes that has been a failure for some time now. I'll raise an issue. Meanwhile this pr has passed the solaris 10 vpc check https://ci.adoptium.net/job/VagrantPlaybookCheck/1645/OS=Solaris10,label=vagrant/console

@Haroon-Khel Haroon-Khel merged commit ff06288 into adoptium:master Mar 30, 2023
8 of 9 checks passed
Labels
ansible QEMU-playbook-check Runs build_qemu workflow
3 participants