LXC container create fails: ERROR: Unable to fetch GPG key from keyserver.

Bug #1609479 reported by Jesse Pretorius
This bug affects 1 person
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Medium
Assigned to: Jesse Pretorius

Bug Description

Sometimes, especially with restricted internet access through proxies or firewalls, the LXC container creation fails when using the download template. This happens during the lxc_hosts role execution as part of the container cache preparation.

When trying the container cache creation manually, the error is exposed:

root@server:/opt/openstack-ansible# /usr/bin/lxc-create --name LXC_NAME --template download --bdev dir -- --dist ubuntu --release trusty --arch amd64 --force-cache --server images.linuxcontainers.org
Setting up the GPG keyring
ERROR: Unable to fetch GPG key from keyserver.
lxc_container: lxccontainer.c: create_run_template: 1084 container creation template for LXC_NAME failed
lxc_container: lxc_create.c: main: 274 Error creating container LXC_NAME

This can be worked around by creating the cache manually with no gpg validation:

root@server:/opt/openstack-ansible# /usr/bin/lxc-create --name LXC_NAME --template download --bdev dir -- --dist ubuntu --release trusty --arch amd64 --force-cache --no-validate --server images.linuxcontainers.org
Downloading the image index
WARNING: Running without gpg validation!
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs

The default download keyserver is shown here:
https://github.com/lxc/lxc/blob/9fd38724d9cedc0ce110c8efdf6bfe2ea772d372/templates/lxc-download.in#L37

This is changed if a proxy is used:
https://github.com/lxc/lxc/blob/9fd38724d9cedc0ce110c8efdf6bfe2ea772d372/templates/lxc-download.in#L59

It is likely better for us to ensure that we use the same keyserver as is used when using a proxy, as that will be more generally accessible in most environments. Ideally there should be a fallback keyserver used too if the first fails.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-lxc_hosts (master)

Fix proposed to branch: master
Review: https://review.openstack.org/350684

Changed in openstack-ansible:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-lxc_hosts (master)

Reviewed: https://review.openstack.org/350684
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-lxc_hosts/commit/?id=319e37c8f5a7b8c66120ed3fadb172944631b7ca
Submitter: Jenkins
Branch: master

commit 319e37c8f5a7b8c66120ed3fadb172944631b7ca
Author: Jesse Pretorius <email address hidden>
Date: Wed Aug 3 17:34:12 2016 +0100

    Implement primary and secondary keyserver usage for cache prep

    Sometimes, especially with restricted internet access through
    proxies or firewalls, the LXC container creation fails when using
    the download template.

    The failure is due to the inability to access the gpg keyserver
    and therefore the inability to validate the downloaded image.

    This patch implements the usage of a primary and secondary
    keyserver, and uses a primary keyserver which is more likely
    to be accessible in restricted environments as it's accessed
    on port 80.

    Change-Id: Ic1ca3d9f3c7d720e9715b6dcc67a7888910e6d0d
    Closes-Bug: #1609479

Changed in openstack-ansible:
status: In Progress → Fix Released
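
The primary/secondary keyserver idea from the report and commit message above, as an added shell sketch that is not the merged patch or the role's own code: it retries the cache build against each keyserver in turn and never drops GPG validation. The keyserver URLs are placeholders, the KEYSERVERS and LXC_CREATE variables and the create_cache function are names invented for this example, and --keyserver is the lxc-download template's option for overriding its default keyserver.

```shell
#!/bin/sh
# Added example: ordered keyserver fallback for the LXC download template.
# Placeholder keyservers (assumption); list the ones reachable from your
# network, preferring one served on port 80 as the commit message describes.
KEYSERVERS="${KEYSERVERS:-hkp://primary-keyserver.example:80 hkp://secondary-keyserver.example}"

# Command that builds the cache; overridable so the loop can be exercised
# on a host without LXC installed.
LXC_CREATE="${LXC_CREATE:-/usr/bin/lxc-create}"

# create_cache NAME DIST RELEASE ARCH
# Prints the keyserver that worked on stdout and returns 0.
# Returns 1 if every keyserver failed; --no-validate is never used.
create_cache() {
    name=$1
    dist=$2
    release=$3
    arch=$4
    for ks in $KEYSERVERS; do
        # Template output goes to stderr so stdout carries only the result.
        if "$LXC_CREATE" --name "$name" --template download --bdev dir -- \
            --dist "$dist" --release "$release" --arch "$arch" \
            --force-cache --server images.linuxcontainers.org \
            --keyserver "$ks" >&2; then
            echo "$ks"
            return 0
        fi
        echo "cache build with keyserver $ks failed, trying next" >&2
    done
    echo "all keyservers failed; image was not validated, giving up" >&2
    return 1
}
```

Calling `create_cache LXC_NAME ubuntu trusty amd64` reproduces the command from the report with validation left on; a non-zero return means the image could not be validated and should not be cached.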
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible-lxc_hosts 14.0.0.0b3

This issue was fixed in the openstack/openstack-ansible-lxc_hosts 14.0.0.0b3 development milestone.
