From 3524908910f7dcb44fd6a10996cdffdeb7514e1b Mon Sep 17 00:00:00 2001
From: Aaron Sheffield
Date: Thu, 25 Oct 2018 14:38:24 -0500
Subject: [PATCH] Blacklist Packages as an Extention of Apt
- Extends apt daemonset to remove packages.
- Uses a list of packages in remove and automove, so if a package gets installed that should not be it will be uninstalled when Divingbell runs again.
Change-Id: Id5c7ccead399a8c78621a0e593033e55412ff315
---
 divingbell/templates/bin/_apt.sh.tpl | 13 +++++++++++++
 divingbell/values.yaml | 7 +++++++
 tools/gate/scripts/020-test-divingbell.sh | 17 ++++++++++++++++-
 3 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/divingbell/templates/bin/_apt.sh.tpl b/divingbell/templates/bin/_apt.sh.tpl
index 1112981..4d0cb7c 100644
--- a/divingbell/templates/bin/_apt.sh.tpl
+++ b/divingbell/templates/bin/_apt.sh.tpl
@@ -96,6 +96,19 @@ if [ ! -z "$INSTALLED_THIS_TIME" ]; then
 sort ${persist_path}/packages -o ${persist_path}/packages
 fi
+######################################################
+#Stage 4
+#Remove blacklisted packages in conf.apt.blacklistpkgs
+######################################################
+
+{{- if hasKey .Values.conf.apt "blacklistpkgs" }}
+{{- range .Values.conf.apt.blacklistpkgs }}
+ {{- $package := . }}
+ apt-get remove --autoremove -y {{ $package | squote }}
+{{- end }}
+apt-get autoremove -y
+{{- end }}
+
 exit 0
 EOF
diff --git a/divingbell/values.yaml b/divingbell/values.yaml
index 02a3594..eab75d4 100644
--- a/divingbell/values.yaml
+++ b/divingbell/values.yaml
@@ -24,6 +24,13 @@ images:
 conf:
 chroot_mnt_path: '/mnt'
 log_colors: False
+ apt:
+ blacklistpkgs:
+ - telnetd
+ - inetutils-telnetd
+ - telnetd-ssl
+ - nis
+ - ntpdate
 ## data.values.conf.sysctl
 # sysctl:
diff --git a/tools/gate/scripts/020-test-divingbell.sh b/tools/gate/scripts/020-test-divingbell.sh
index 2809f43..110ed17 100755
--- a/tools/gate/scripts/020-test-divingbell.sh
+++ b/tools/gate/scripts/020-test-divingbell.sh
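Review bot: In divingbell/templates/bin/_apt.sh.tpl, Stage 4 never confirms that a blacklisted package is actually gone: the result of each `apt-get remove` is not checked in this hunk and the script still ends in `exit 0`, so a removal that fails (a name apt cannot locate, a held dpkg lock) can leave telnetd or nis installed while the run looks clean, unless error handling outside the hunk such as `set -e` aborts first. For a hardening control I would record the failure and exit non-zero, e.g. `apt-get remove --autoremove -y {{ $package | squote }} || remove_failed=1` in the loop and `[ -z "${remove_failed:-}" ] || exit 1` before `exit 0`. Two smaller points: sprig's `squote` wraps the value in single quotes without escaping an embedded quote, so the names should be restricted to valid package-name characters before they are rendered into the script, and the final unconditional `apt-get autoremove -y` also removes unrelated auto-installed packages from the host, which deserves a line in the Stage 4 comment.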
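Review bot: The new `conf.apt.blacklistpkgs` default in divingbell/values.yaml makes package removal opt-out rather than opt-in, and nothing next to the key says so: every deployment that does not override it will have these five packages removed from its hosts on each run. Because Helm replaces lists instead of merging them, an operator has to set `blacklistpkgs: []` to turn it off, and a name listed under both `packages` and `blacklistpkgs` would presumably be installed and removed again on every run. I would document that at the key, e.g. `# Packages removed from the host on every run; override with [] to disable. Must not overlap conf.apt.packages.`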
@@ -54,6 +54,7 @@ APT_PACKAGE3=python-simplejson
 APT_VERSION3=3.8.1-1ubuntu2
 APT_PACKAGE4=less
 APT_PACKAGE5=python-setuptools
+APT_PACKAGE6=telnetd
 type lshw || apt -y install lshw
 nic_info="$(lshw -class network)"
 physical_nic=''
@@ -764,7 +765,8 @@ _test_apt_package_version(){
 local pkg_name=$1
 local pkg_ver=$2
 if [ ${pkg_ver} = "none" ]; then
- if [[ $(dpkg -l | grep ${pkg_name}) ]]; then
+ # Does not include residual-config
+ if [[ $(dpkg -l | grep ${pkg_name} | grep -v ^rc) ]]; then
 echo "[FAIL] Package ${pkg_name} should not be installed" >> "${TEST_RESULTS}"
 return 1
 fi
@@ -846,6 +848,19 @@ test_apt(){
 get_container_status apt
 expect_failure _test_clog_msg 'E: Unable to locate package some-random-name'
 echo '[SUCCESS] apt test5 passed successfully' >> "${TEST_RESULTS}"
+
+ # Test blacklistpkgs
+ local overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-set1.yaml
+ echo "conf:
+ apt:
+ packages:
+ - name: $APT_PACKAGE6
+ blacklistpkgs:
+ - $APT_PACKAGE6" > "${overrides_yaml}"
+ install_base "--values=${overrides_yaml}"
+ get_container_status apt
+ _test_apt_package_version $APT_PACKAGE6 none
+ echo '[SUCCESS] apt test6 passed successfully' >> "${TEST_RESULTS}"
 }
 # test daemonset value overrides for hosts and labels
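Review bot: In `_test_apt_package_version`, the new absence check `dpkg -l | grep ${pkg_name} | grep -v ^rc` is a substring match over the whole listing, so asking about `telnetd` also matches `telnetd-ssl` or `inetutils-telnetd` (both in the new default blacklist) and any description containing the word. The test can therefore report a failure for a package other than the one it was asked about. Querying the exact name avoids that and makes the residual-config filter unnecessary: `if dpkg-query -W -f='${Status}' "${pkg_name}" 2>/dev/null | grep -q 'ok installed'; then`. The function body continues outside the hunk.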
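Review bot: The blacklist case added at the end of `test_apt` passes whenever `$APT_PACKAGE6` is absent afterwards, which is also true if the package was never installed in the first place, so it does not show that the Stage 4 removal actually ran. Asserting on the container log as test5 does, e.g. `_test_clog_msg "Removing ${APT_PACKAGE6}"` (assuming the helper matches a substring of the apt output; its definition is outside the hunk), would pin the behaviour. It would also help to cover the case the feature is meant for, a package already present on the host and listed only under `blacklistpkgs`. `test_apt` starts outside the hunk.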