`gpg --batch [...]` error caused by race in BootSourceCacheService

I keep seeing this too in my 1.7.0~beta4+bzr3139-0ubuntu1~trusty1

The best thing we can do is handle the error better, no way of stopping the error from occurring as the validation is on the simplestreams side.

<smoser> i dont think you're really seeing a invalid gpg signature
<smoser> i suspect download failed or proxy failed or something.
<smoser> race conditions should not be possible
<smoser> its a inline signed file that its verifiying

Heres some information that shoudl be useful:
a.) there is a bug (bug 1342807) where gpg is not thread safe.
     I don't think thats the problem though.
b.) If you do catch this error, the subprocess.CalledProcessError that is raised has stderr and stdout available.
    in download_boot_resources you could definitely catch the CalledProcessError and log its
     e.output[0] and e.output[1].
c.) simplestreams read_signed has a debug log with the stdout and stderr
    so just having python logging configured would get you the stdout /stderr also, and that would likely help in figuring this out.

d.) the simplestreams code mirror code is not threadsafe for multiple threads writing to a single mirror target
     (multiple threads downloading the same file and writing to the same location would not be protected).
     I know i've said this to gavin before.

If you can recreate this failure with any sort of regularity, enable debugging or change maas to log the output and that will help a lot.

Regarding race of the server side data (ie, you downloaded a file that had an invalid signature), that is pretty unlikely
a.) the simplestreams data format was designed for this to not happen. The only file you're checking a signature on is inline signed.
b.) the server side data should not be changing very often.

I've captured the output from one of these failures:
  gpg: fatal: can't create directory `/home/maas/.gnupg': No such file or directory

Sounds like GPGHOME is not getting set properly, and it's defaulting back to $HOME/.gnupg. And IIRC the packaging doesn't create a home dir for the maas user.

We already have provision in the download code for setting GNUPGHOME:

src/maasserver/bootresources.py
      env = {
            'GNUPGHOME': get_maas_user_gpghome(),
            }
        http_proxy = Config.objects.get_config('http_proxy')
        if http_proxy is not None:
            env['http_proxy'] = http_proxy
            env['https_proxy'] = http_proxy
        with environment_variables(env), tempdir('keyrings') as keyrings_path:
            # download stuff

And get_maas_user_gpghome() should return '/var/lib/maas/gnupg'.

It seems that this value isn't correctly propagated to the gpg call.

This problem seems to appear when both the services BootSourceCacheService (the service which cache boot source information, running every hour) and ImportResourcesService (boot resources, running every hour) run at the same time.

Both these services do:
        env = {
            'GNUPGHOME': <home>,
            'http_proxy': <proxy>,
            'https_proxy': <proxy>,
        }
        with environment_variables(env):
            # do stuff

environment_variables() is a context manager that sets and *unsets* the variables upon entry and exit (respectively).

The trick is that, since the variables are per-process, when one service exits the context manager, it *clears* GNUPGHOME for the other service (which is still running).

Possible solutions:
a) Set the GNUPGHOME once and for all at start-up. This will fix the immediate problem we have with GNUPGHOME. But a similar problem exists with 'http_proxy' and it cannot be set at startup because it's dynamic.
b) Have the context manager not clear the env variables when it exits. This means we can still run into conflicts (for instance when 'http_proxy' gets changed) like: have a service run partially with a value of 'http_proxy' and partially with another value of 'http_proxy'. The consequences of this conflict (given the fact that the services in question can be kicked off manually and are run periodically) are, I think, minor.
c) Have the services run the import code inside a different processes. This is probably too big a hammer for the problem we have.

I think we should go with b): it's very low risk and would fix this bug (plus the similar problem we have with 'http_proxy').

I'm curious if it would be possible to ensure that when the proxy is changed that the change is queued and only applied when no current context managers are currently running.

For the moment, in 1.7.1 I agree that doing b fixes the obvious problem.

I don't think changing the proxy mid-flight is a problem. It won't affect HTTP requests that are already in progress, it'll only affect the next one. It doesn't matter if one HTTP request comes via one proxy (or no proxy) and the next via another proxy (or no proxy), as long as the proxy is valid and/or the network routes correctly.

(The way to implement option ‘b’ IMHO would be to stop using a context manager for those environment variables and just manipulate the environment, not to patch the context manager.)

I don't suppose we could pass the proxy settings as parameters, e.g. with a change to simplestreams, so we don't need to mess with the environment at runtime?

> I don't suppose we could pass the proxy settings as parameters, e.g. with a change to simplestreams, so we don't need to mess with the environment at runtime?

That would be the cleanest way to fix this… but it seems like too big a change to me: a change to the signature of simplestream's methods and a change to how simplestreams works internally.

For the record: I just had a quick look and we *could* have passed these parameters on the command line, without any signature changes outside MAAS. The gpg error happens inside an overridable callback. We import it from simplestreams, then pass it (or a different one, depending) into simplestreams as the signature verification function.

So something we could do, if the current solution should turn out to be a problem, is write our own version of simplestreams' policy_read_signed (as either a closure or a callable object I guess) and prefix the gpg command line with our variables. That would also allow us to improve its error reporting, by the way — it wouldn't be hard to make it report "signature does not verify" differently from "I was unable to do my job."