ceph_client role fails verifying keys when deploying behind a proxy
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack-Ansible | Fix Released | Undecided | Jonathan Rosser | |
Bug Description
When deploying OSA rocky 18.1.2-16 behind a proxy it fails to verify the apt keys for ceph_client packages due to apt-key not supporting using a proxy.
This was fixed in the rocky cycle of OSA for galera and rabbit mq
Patch for galera:
https:/
I modified the ceph client role to use a locally provided key and it deploys flawlessly.
Here is the patch, for Ubuntu only:
diff -Naur /etc/ansible/
--- /etc/ansible/
+++ /etc/ansible/
@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: SKS 1.1.6
+Comment: Hostname: keyserver.
+
+mQINBFX4hgkBEA
+lCtYd3Ol9f9+
+pjvnwua7c2YrA4
+llsWOD6RnMdcqh
+YIwU9u6DWWqXyb
+J+606g2UH86QUm
+O7puzXR7A1f5sH
+DqUEtXhVfY5qjT
+LBH4/a/
+807MtSlQyYaXUT
+cmVsZWFzZSBrZX
+BwMCBhUIAgkKCw
+RZ3Gv/
+dq1Hv8u03vjnGT
+wfVKSOr740Q4J4
+XmSS0uxl3p+
+u72qDRFBnR3jao
+yvZ7930vB2UpCO
+Q8nNMR/
+ZH4J/mFGKzOltf
+MHGPptlxFuN9uf
+PUTjjEGOVgeA
+=/Tod
+-----END PGP PUBLIC KEY BLOCK-----
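Review bot: The vendored key block added in this new file has nothing beside it recording which key it is meant to be, so a reviewer cannot check the armored data against a known fingerprint. The header lines (`Version: SKS 1.1.6`, `Comment: Hostname: keyserver.`) show it is a keyserver export; please state the full fingerprint and where the key was obtained in the commit message or a README next to the file, and note that this copy has to be refreshed by hand when the upstream release key is rotated.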
diff -Naur /etc/ansible/
--- /etc/ansible/
+++ /etc/ansible/
@@ -22,38 +22,26 @@
when:
- ceph_pkg_source == 'ceph'
-- name: Add ceph apt-keys
- block:
- - name: Add keys (primary keyserver)
- apt_key:
- id: "{{ item.hash_id }}"
- keyserver: "{{ item.keyserver | default(omit) }}"
- data: "{{ item.data | default(omit) }}"
- url: "{{ item.url | default(omit) }}"
- state: "present"
- register: add_keys
- until: add_keys is success
- retries: 5
- delay: 2
- with_items: "{{ ceph_gpg_keys }}"
- when:
- - ceph_pkg_source == 'ceph'
+- name: If a keyfile is provided, copy the gpg keyfile to the key location
+ copy:
+ src: "gpg/{{ item.id }}"
+ dest: "{{ item.file }}"
+ mode: '0644'
+ with_items: "{{ ceph_gpg_keys | selectattr(
+ when:
+ - ceph_pkg_source == 'ceph'
- rescue:
- - name: Add keys (fallback keyserver)
- apt_key:
- id: "{{ item.hash_id }}"
- keyserver: "{{ item.fallback_
- url: "{{ item.fallback_url | default(omit) }}"
- state: "present"
- register: add_keys_fallback
- until: add_keys_fallback is success
- retries: 5
- delay: 2
- with_items: "{{ ceph_gpg_keys }}"
- when:
- - ceph_pkg_source == 'ceph'
- - item.fallback_
+- name: Install gpg keys
+ apt_key: "{{ key }}"
+ with_items: "{{ ceph_gpg_keys }}"
+ loop_control:
+ loop_var: key
+ register: _add_apt_keys
+ until: _add_apt_keys is success
+ retries: 5
+ delay: 2
+ when:
+ - ceph_pkg_source == 'ceph'
- name: add ubuntu cloud archive key package
apt:
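Review bot: In the new `Install gpg keys` task, `apt_key: "{{ key }}"` passes every field of each `ceph_gpg_keys` item straight to the module, whereas the removed task read named fields (`item.hash_id`, `item.keyserver`, `item.data`, `item.url`). A deployer override still written in the old shape would now hand `hash_id` to apt_key as a parameter instead of as `id`, so either map the fields explicitly in the task or document the new item format in a release note. The `until`/`retries: 5`/`delay: 2` loop was there for keyserver fetches and does little for entries that only carry a local `file`, and the removed `rescue:` fallback has no replacement for keys that are still fetched remotely.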
diff -Naur /etc/ansible/
--- /etc/ansible/
+++ /etc/ansible/
@@ -19,10 +19,8 @@
# Ceph GPG Keys
ceph_gpg_keys:
- - key_name: 'ceph'
- keyserver: 'hkp://
- fallback_keyserver: 'hkp://
- hash_id: '0xe84ac2c0460f
+ - id: 460F3994
+ file: /etc/ssl/ceph-key
# The apt-key command won't del a key when you give it the hash_id, so we have
# to use the short key ID here instead.
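Review bot: `id: 460F3994` replaces the longer `hash_id` with an 8-hex-digit short key ID, which is too short to identify a key uniquely because short IDs can collide. Use the full fingerprint for `id` and quote it so YAML always reads it as a string; the copy task's `src: "gpg/{{ item.id }}"` means the key file name has to follow the same value. `file: /etc/ssl/ceph-key` also puts an apt key in a directory normally used for TLS material, so a dedicated key path would be clearer.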
Changed in openstack-ansible:
assignee: nobody → Jonathan Rosser (jrosser)
Changed in openstack-ansible:
status: New → In Progress
Changed in openstack-ansible:
assignee: Stuart Grace (stuartgrace) → Jonathan Rosser (jrosser)
Fix proposed to branch: master
Review: https://review.openstack.org/636711