cisco repo unusable after cobbler install
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Cisco Openstack | Fix Released | Medium | Mark T. Voelker | |
Havana | Fix Released | Medium | Mark T. Voelker | |
Bug Description
cobbler adds the havana repo to /etc/apt/
deb http://
but does not add the key for it:
# apt-key list
/etc/apt/
-------
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <email address hidden>
sub 2048g/79164387 2004-09-12
pub 1024D/FBB75451 2004-12-30
uid Ubuntu CD Image Automatic Signing Key <email address hidden>
pub 4096R/C0B21F32 2012-05-11
uid Ubuntu Archive Automatic Signing Key (2012) <email address hidden>
pub 4096R/EFE21092 2012-05-11
uid Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>
#
As a result, apt is left with a corrupted, partially unverified cache.
To fix, you have to
- add the key manually
echo '-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----' | apt-key add -
- then blow away the cached apt indices with:
apt-get clean
cd /var/lib/apt
rm -rf lists
mkdir -p lists/partial
apt-get clean
apt-get update
Without the key added, apt-get update will error with:
W: GPG error: http://
Once the key is added, without the manual cache clearing, any apt-get update will error with:
W: GPG error: http://
Perhaps related: after cobbler and puppet are done, we have duplicate entries between /etc/apt/
W: Duplicate sources.list entry http://
W: Duplicate sources.list entry http://
W: You may want to run apt-get update to correct these problems
(really a separate issue but I suspect fixing the cobbler will fix the above too)
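The warnings described in the report above can be checked for automatically after provisioning. This is an added example, not part of the original bug report; the function names, the host `repo.example.invalid` and the key ID are constructed placeholders, and the sample lines use apt's standard warning wording because the report's own lines are truncated.

```shell
#!/bin/sh
# Added example (not from the bug report): classify apt-get update warnings
# so a provisioning run can fail when a repo's signing key is missing.

# Constructed sample output. Host, list paths and key ID are placeholders.
sample_output() {
    cat <<'EOF'
Hit http://archive.ubuntu.com precise Release.gpg
Ign http://repo.example.invalid havana Release.gpg
W: GPG error: http://repo.example.invalid havana Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF
W: Duplicate sources.list entry http://repo.example.invalid/ havana/main amd64 Packages (/var/lib/apt/lists/example_amd64_Packages)
W: Duplicate sources.list entry http://repo.example.invalid/ havana/main i386 Packages (/var/lib/apt/lists/example_i386_Packages)
W: You may want to run apt-get update to correct these problems
EOF
}

# Reads apt-get update output on stdin, prints one finding per line:
#   MISSING_KEY <keyid> <repo-url>    key not in apt's keyring
#   SIGNATURE_ERROR <repo-url>        any other GPG error
#   DUPLICATE_SOURCE <url> <suite>    same entry listed twice (deduplicated)
classify_apt_warnings() {
    awk '
    /^W: GPG error: / {
        found = 0
        for (i = 5; i < NF; i++)
            if ($i == "NO_PUBKEY") { print "MISSING_KEY", $(i + 1), $4; found = 1 }
        if (!found) print "SIGNATURE_ERROR", $4
        next
    }
    /^W: Duplicate sources.list entry / {
        if (!seen[$5 " " $6]++) print "DUPLICATE_SOURCE", $5, $6
    }'
}

# Exit status 1 if any repo failed signature verification, else 0.
repos_verified() {
    ! classify_apt_warnings | grep -Eq '^(MISSING_KEY|SIGNATURE_ERROR) '
}

sample_output | classify_apt_warnings
```

On a real node the input would be `apt-get update 2>&1`, since apt writes these warnings to stderr.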
Changed in openstack-cisco: milestone: none → h.0
So there are a couple of things to look at here....I think basically what we want to do is:
1.) In the preseed, deliver the key as well. It's currently allowed to load packages unauthenticated which works, but has obvious implications.
2.) In the preseed, figure out a way to get the repo set up in /etc/apt/sources.list.d/ ... instead of sources.list. That makes the puppet run later basically a no-op. I'd rather not remove the puppet code that adds the repo as that allows the repo to be set up on preconfigured nodes (e.g. nodes not provisioned by cobbler).
Alternately, we can change the puppet code to put the repo info in sources.list. That might theoretically be a bit easier since preseed is basically a travesty when it comes to flexibility and documentation. =)
If we do want to put the key in preseed: AFAIK you can't include a key directly in a preseed, but instead have to include a URL from which it can be fetched (I need to verify this). That will be ugly in no-net situations, so we'll probably want to provision it to the build node's http server as part of the build node profile, then serve it from there.