Juju Charms Collection
keystone package

openstack-origin needs documentation for providing key option

Bug #1503440 reported by Ryan Beisner
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Keystone Charm
Fix Released
Low
Unassigned
OpenStack Keystone Charm 18.05
keystone (Juju Charms Collection)
Invalid
Low
Unassigned

Bug Description

The OpenStack charms (using Keystone here as an example) provide a config option to specify an arbitrary apt repo, but do not provide a mechanism for adding a corresponding public key.

If a user creates and hosts their own repo outside of launchpad, add-apt-repository does not add the public key to the node. This causes install hook failures, with underlying package authentication errors such as:

WARNING: The following packages cannot be authenticated!`

W: GPG error: http://local-mirror.company.com trusty-updates/juno Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ABCDEF0123456789

Linking for reference:
http://askubuntu.com/questions/674882/how-do-i-add-a-public-key-for-a-private-debian-repo-when-using-juju-to-deploy-a

Tags: openstack
Revision history for this message
Billy Olsen (billy-olsen) wrote :

This actually isn't a problem. You can indeed import a public key from keyserver.ubuntu.com by appending the key to the deb url entry separated via a |.

e..g this will work:

 juju set openstack-origin nova-compute openstack-origin="deb http://ppa.launchpad.net/billy-olsen/testfix-kilo/ubuntu vivid main|FA0FD8E1"

The code is common across all the charms and can be found in charm-helpers here:

http://bazaar.launchpad.net/~charm-helpers/charm-helpers/devel/view/455.1.1/charmhelpers/contrib/openstack/utils.py#L314

However, the documentation in the config.yaml doesn't cover this detail and it should.

Changed in keystone (Juju Charms Collection):
status: New → Triaged
importance: Undecided → Low
Billy Olsen (billy-olsen)
summary: - openstack-origin option needs corresponding pub key option
+ openstack-origin option needs documentation for providing key option
summary: - openstack-origin option needs documentation for providing key option
+ openstack-origin needs documentation for providing key option
Revision history for this message
Edward Hope-Morley (hopem) wrote :

ftr this applies to all openstack charms (that carry the openstack-origin config option)

James Page (james-page)
Changed in charm-keystone:
importance: Undecided → Low
status: New → Triaged
Changed in keystone (Juju Charms Collection):
status: Triaged → Invalid
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (master)

Reviewed: https://review.openstack.org/566608
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=329c2c880ed54d61700b98f91772edb51eac1f3b
Submitter: Zuul
Branch: master

commit 329c2c880ed54d61700b98f91772edb51eac1f3b
Author: Neiloy Mukerjee <email address hidden>
Date: Mon May 7 15:13:13 2018 +0000

    Document archive key usage for openstack-origin

    An arbitarary repository can currently be specified, but it was not yet
    made clear in the documentation that a corresponding public key for
    accessing this repository could be added. This change specifies that
    under the description for the openstack-origin option. Public key can
    be added by appending to the deb url, so the below example would work:
    juju set openstack-origin nova-compute openstack-origin="deb http://ppa
    .launchpad.net/billy-olsen/testfix-kilo/ubuntu vivid main|FA0FD8E1"

    Change-Id: I262a2164d4f7b37b4185bdee650371de7be50a55
    Closes-Bug: 1503440

Changed in charm-keystone:
status: Triaged → Fix Committed
James Page (james-page)
Changed in charm-keystone:
milestone: none → 18.05
David Ames (thedac)
Changed in charm-keystone:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.