fuel doesn't install gpg keys for fuel-infra repos

Bug #1649058 reported by Roman Sokolkov
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| Fuel for OpenStack | Won't Fix | High | Fuel build team | |
| Mitaka | Won't Fix | High | Fuel build team | |
| Newton | Won't Fix | High | Fuel build team | |

Bug Description

Starting from MOS9 Fuel enables package sign checks ("AllowUnauthenticated 0").

But instead of putting gpg keys for fuel-infra repos it skips checks in puppet apt provider [1].

Later on cloud operators will see:

W: GPG error: http://mirror.fuel-infra.org mos9.0-holdback Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY BCE5CC461FA22B08
W: GPG error: http://mirror.fuel-infra.org mos9.0-security Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY BCE5CC461FA22B08
W: GPG error: http://mirror.fuel-infra.org mos9.0-updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY BCE5CC461FA22B08

1 - https://github.com/openstack/fuel-library/blob/stable/mitaka/deployment/puppet/osnailyfacter/lib/puppet/provider/package/apt_fuel.rb#L71

Dmitry Pyzhov (dpyzhov)
Changed in fuel:
milestone: none → 9.2
milestone: 9.2 → 11.0
assignee: nobody → Fuel Sustaining (fuel-sustaining-team)
importance: Undecided → High
status: New → Confirmed
Ruslan Khozinov (rkhozinov) wrote :

I've found the same problem during update Fuel 9.0 -> 9.1 -> 9.2

Oleksiy Molchanov (omolchanov) wrote :

Build team, to trigger signing fuel repos from puppet we need to download it in a format like

http://mirror.fuel-infra.org/mos-repos/ubuntu/%VERSION%/archive-mos%VERSION%.key

but this approach is not acceptable for version 11; right now it is called master. Can you comment here?

Changed in fuel:
assignee: Fuel Sustaining (fuel-sustaining-team) → Fuel build team (fuel-build)
Roman Vyalov (r0mikiam) wrote :

You can find the keys in the mos-repos repositories,
for example: http://mirror.fuel-infra.org/mos-repos/ubuntu/9.0/archive-mos9.0.key

Also, for master (fuel 11) you can find the key in the master repos:
http://mirror.fuel-infra.org/mos-repos/ubuntu/master/archive-mosmaster.key

Changed in fuel:
assignee: Fuel build team (fuel-build) → Oleksiy Molchanov (omolchanov)
Oleksiy Molchanov (omolchanov) wrote :

Roman,

I don't think that fetching the key for fuel 11 with the name master will work well. What will happen when fuel 12 becomes master? It will break the deployment.

Changed in fuel:
assignee: Oleksiy Molchanov (omolchanov) → Fuel build team (fuel-build)
Roman Vyalov (r0mikiam) wrote :

Oleksiy, the mos 9 and mos 10 repositories were created and I don't understand why you moved this bug to the build team.
According to the OpenStack workflow, the next OpenStack version is contained in the master branch (before the creation of branches). Because of this we are using the master repository for master OpenStack.

Roman Vyalov (r0mikiam) wrote :

When we prepare the mos 11 (Fuel Ocata) release, we will create the mos11 repos.

Changed in fuel:
status: Confirmed → New
assignee: Fuel build team (fuel-build) → Oleksiy Molchanov (omolchanov)
Changed in fuel:
assignee: Oleksiy Molchanov (omolchanov) → Fuel Sustaining (fuel-sustaining-team)
tags: added: area-library
Changed in fuel:
status: New → Confirmed
Vladimir Kuklin (vkuklin) wrote :

This bug consists of 2 issues:

1) absence of the ability to safely transport the fuel-infra repos public key - this should be done on the infra side
2) after #1 is finished - we need to add a stanza in the provisioning manifests to import this public key into the base and bootstrap image.

Thus, we need to create an https endpoint or distribute our public key over public trusted pgp servers or set up our own pgp server to do this. After that we will create the required stanza on the provisioning side.
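An added example, not part of the bug report or of Fuel's code: a Python helper that reads `apt-get update` output, lists which suites failed verification for which key ID, and maps each suite to the key file location quoted earlier in the thread. The mapping from a suite name such as `mos9.0-updates` to the version `9.0` is an assumption inferred from the names on this page.

```python
import re
from collections import defaultdict

# The three apt warnings quoted in the bug description.
_MSG = ("Release: The following signatures couldn't be verified because "
        "the public key is not available: NO_PUBKEY BCE5CC461FA22B08")
SAMPLE_APT_OUTPUT = "\n".join(
    f"W: GPG error: http://mirror.fuel-infra.org mos9.0-{pocket} {_MSG}"
    for pocket in ("holdback", "security", "updates"))

# Key location pattern quoted in the thread (%VERSION% is its placeholder).
KEY_URL_PATTERN = ("http://mirror.fuel-infra.org/mos-repos/ubuntu/"
                   "%VERSION%/archive-mos%VERSION%.key")

GPG_ERROR = re.compile(r"W: GPG error: (?P<url>\S+) (?P<suite>\S+) (?:In)?Release:")
NO_PUBKEY = re.compile(r"NO_PUBKEY ([0-9A-F]{16})")

def missing_keys(apt_output):
    """Map each missing key ID to the (repo URL, suite) pairs apt could not verify."""
    found = defaultdict(list)
    for line in apt_output.splitlines():
        m = GPG_ERROR.match(line.strip())
        if m:
            # One warning line can name several missing keys.
            for key_id in NO_PUBKEY.findall(line):
                found[key_id].append((m.group("url"), m.group("suite")))
    return dict(found)

def mos_version(suite):
    """Assumed naming: 'mos9.0-updates' -> '9.0'; None for any other suite."""
    m = re.fullmatch(r"mos([^-]+)-\S+", suite)
    return m.group(1) if m else None

def key_urls(apt_output):
    """Key file URLs, per the thread's pattern, for every unverified MOS suite."""
    versions = {mos_version(suite)
                for pairs in missing_keys(apt_output).values()
                for _url, suite in pairs}
    return sorted(KEY_URL_PATTERN.replace("%VERSION%", v) for v in versions if v)

def report(apt_output):
    lines = [f"{key}: unverified suites: {', '.join(s for _u, s in pairs)}"
             for key, pairs in sorted(missing_keys(apt_output).items())]
    for url in key_urls(apt_output):
        # A key served over plain HTTP is not a trust anchor by itself.
        note = "" if url.startswith("https://") else " (plain HTTP: confirm the fingerprint over a trusted channel before importing)"
        lines.append(f"key file: {url}{note}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_APT_OUTPUT))
```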

Changed in fuel:
assignee: Fuel Sustaining (fuel-sustaining-team) → Fuel build team (fuel-build)
Alexander Evseev (aevseev) wrote :

We have package mos-release. I guess we should place PGP keys to this package.

Roman Vyalov (r0mikiam) wrote :

Guys,
we had the epic related to this task (PROD-4849) and I propose to close this feature-bug.

Changed in fuel:
status: Confirmed → Won't Fix