juju bootstrap fail behind a proxy when a gpg key must be imported

Bug #1089389 reported by Pierre Amadio on 2012-12-12
This bug affects 13 people
Affects: software-properties (Ubuntu)
Importance: Critical
Assigned to: abhishek
Nominated for Precise by Alberto Salvia Novella

Bug Description

This is related to a Maas environment hosted behind a proxy.

I'm trying to use
juju 0.6.0.1+bzr603-0juju1~precise1

ubuntu@maas:~$ cat .juju/environments.yaml
environments:
  mymaas:
    type: maas
    maas-server: 'http://192.168.124.2:80/MAAS'
    maas-oauth: 'UP5Qay8Nsku8K98fqn:LjhnStY2HjfCeKfvmg:BxA586DWVNPKrT9ASNj9QasMvSPdgavt'
    admin-secret: 'nothing'
    default-series: precise
    juju-origin: ppa

When juju bootstraps, things do not behave as expected on the zookeeper node.

Excerpt from the cloud-init-output.log:

W: GPG error: http://ppa.launchpad.net precise Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 376A290EC8068B11

On the zookeeper node, if I try to apt-add-repository, the needed gpg key is not injected, but the script does not return any error code:

ubuntu@zookeeper:/var/log$ sudo mv /etc/apt/sources.list.d/juju-pkgs-precise.list /tmp/
ubuntu@zookeeper:/var/log$ sudo ls /etc/apt/sources.list.d/
ubuntu@zookeeper:/var/log$ sudo apt-add-repository ppa:juju/pkgs --yes
gpg: keyring `/tmp/tmpmlP7VA/secring.gpg' created
gpg: keyring `/tmp/tmpmlP7VA/pubring.gpg' created
gpg: requesting key C8068B11 from hkp server keyserver.ubuntu.com
gpgkeys: key A2EB2DEC0BD7519B7B38BE38376A290EC8068B11 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
recv failed
ubuntu@zookeeper:/var/log$ echo $?
0

Trying to inject key while setting the http_proxy environment variable works better:
ubuntu@zookeeper:/var/log$ sudo http_proxy=http://91.189.90.174:3128/ apt-add-repository ppa:juju/pkgs --yes
gpg: keyring `/tmp/tmp1pAd6X/secring.gpg' created
gpg: keyring `/tmp/tmp1pAd6X/pubring.gpg' created
gpg: requesting key C8068B11 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmp1pAd6X/trustdb.gpg: trustdb created
gpg: key C8068B11: public key "Launchpad Ensemble PPA" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
OK
ubuntu@zookeeper:/var/log$ echo $?
0

On the zookeeper node, python-software-properties is version 0.82.7.3

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: python-software-properties 0.82.7.3
ProcVersionSignature: Ubuntu 3.2.0-34.53-generic 3.2.33
Uname: Linux 3.2.0-34-generic x86_64
ApportVersion: 2.0.1-0ubuntu15
Architecture: amd64
Date: Wed Dec 12 14:40:21 2012
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
MarkForUpload: True
PackageArchitecture: all
SourcePackage: software-properties
UpgradeStatus: Upgraded to precise on 2012-05-14 (212 days ago)

Scott Moser (smoser) wrote :

The key point above is that:
 sudo apt-add-repository ppa:juju/pkgs --yes
failed to import keys to apt, but
a.) exited success (0) meaning its caller did not even log error
b.) left /etc/apt/sources.list.d/<ppa>.list in place, meaning subsequent 'apt-get update' was guaranteed to fail.
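
An added example, not part of the original thread and not software-properties code: a caller-side check that judges the key import from gpg's output instead of the exit status, and removes the sources entry when the key is missing. The function names and the contents of the .list file are assumptions; the gpg lines are excerpted from the report above.

```python
import os
import re
import tempfile

# gpg output excerpted from the two runs quoted in the report.
FAILED_RUN = """\
gpg: requesting key C8068B11 from hkp server keyserver.ubuntu.com
gpgkeys: key A2EB2DEC0BD7519B7B38BE38376A290EC8068B11 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
"""
GOOD_RUN = """\
gpg: requesting key C8068B11 from hkp server keyserver.ubuntu.com
gpg: key C8068B11: public key "Launchpad Ensemble PPA" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
"""

def key_imported(gpg_output, key_id):
    """True only if gpg reports that key_id itself was imported."""
    pattern = r'^gpg: key %s: public key ".*" imported$' % re.escape(key_id)
    return re.search(pattern, gpg_output, re.MULTILINE) is not None

def finish_ppa_add(list_path, gpg_output, key_id):
    """Keep the sources.list.d entry only if its signing key was imported.

    On failure the entry is removed and False is returned, so the caller can
    exit non-zero and a later 'apt-get update' does not hit NO_PUBKEY.
    """
    if key_imported(gpg_output, key_id):
        return True
    if os.path.exists(list_path):
        os.remove(list_path)
    return False

def demo():
    """Run both transcripts against a constructed .list file in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, output in (("failed", FAILED_RUN), ("good", GOOD_RUN)):
            path = os.path.join(tmp, "juju-pkgs-precise.list")
            with open(path, "w") as fh:  # constructed sources entry
                fh.write("deb http://ppa.launchpad.net/juju/pkgs/ubuntu precise main\n")
            kept = finish_ppa_add(path, output, "C8068B11")
            results[name] = (kept, os.path.exists(path))
    return results
```

Matching gpg's human-readable messages is locale-dependent; gpg's --status-fd output is the more stable signal to parse.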

Pierre Amadio (pierre-amadio) wrote :

Same behaviour with raring:

ubuntu@rqring:~$ sudo ls /etc/apt/sources.list.d/
ubuntu@rqring:~$ sudo apt-add-repository ppa:juju/pkgs --yes
gpg: keyring `/tmp/tmp9kk_ey/secring.gpg' created
gpg: keyring `/tmp/tmp9kk_ey/pubring.gpg' created
gpg: requesting key C8068B11 from hkp server keyserver.ubuntu.com
gpgkeys: key A2EB2DEC0BD7519B7B38BE38376A290EC8068B11 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
ubuntu@rqring:~$ echo $?
0

ubuntu@rqring:~$ dpkg-query --show software-properties-common
software-properties-common 0.92.13

Scott Moser (smoser) on 2012-12-12
Changed in software-properties (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Andres Rodriguez (andreserl) wrote :

So we just hit this same issue. add-apt-repository cannot import a PPA behind a proxy. It seems it doesn't respect the fact that apt.conf has the proxy configured.

Changed in software-properties (Ubuntu):
importance: Medium → Critical
heri atmuji (heriatmuji) on 2013-03-27
Changed in software-properties (Ubuntu):
status: Confirmed → New
tags: added: cloud
Changed in software-properties (Ubuntu):
status: New → Fix Committed
fill (brak29) on 2013-05-25
Changed in software-properties (Ubuntu):
assignee: nobody → fill (brak29)
status: Fix Committed → New
status: New → Confirmed
Jonathan Davies (jpds) on 2013-06-30
Changed in software-properties (Ubuntu):
assignee: fill (brak29) → nobody
Changed in software-properties (Ubuntu):
status: Confirmed → Triaged
Maarten (mthibaut-f) wrote :

Hi,

Please add trusty and utopic as tags.

Thanks!
maarten

Changed in software-properties (Ubuntu):
assignee: nobody → abhishek (abhishekgc1992)
Scott Moser (smoser) wrote :

I filed https://bugs.launchpad.net/launchpad/+bug/1667725 which I think is a possible solution to this bug.

Scott Moser (smoser) wrote :

In an update to my own comment #2 above, we have made some progress:
 a.) FIXED: exited success (0) meaning its caller did not even log error (bug 1532855)
 b.) NOT FIXED: left /etc/apt/sources.list.d/<ppa>.list in place, meaning subsequent 'apt-get update' was guaranteed to fail. (bug 1671566)

Nate Mara (natemara) wrote :

I noticed that this problem can be fixed for me if the GPG_DEFAULT_OPTIONS variable on line 171 of ppa.py is changed. If I add these two properties to the list, then the problem goes away completely:

"--keyserver-options", "http-proxy=" + os.environ['http_proxy']

Obviously, you would want to check for the existence of this variable before you just went using it, but it looks like this is the problem. The PPA library does not forward the HTTP proxy settings along to GPG, so GPG tries and fails to make a direct connection to the keyserver. Am I missing something about the way this works, or can we make a similar change and resolve these proxy issues?
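
An added example, not code from ppa.py or from the comment's author: one way to forward the proxy to gpg only when one is configured, checking the environment first and then a one-line `Acquire::http::Proxy` setting from apt.conf. `BASE_GPG_OPTIONS`, the function names and the proxy.example host are assumptions; the page does not show the real contents of GPG_DEFAULT_OPTIONS.

```python
import re

# Stand-in for the real option list, which the page does not show.
BASE_GPG_OPTIONS = ["gpg", "--no-default-keyring", "--no-options"]

# Matches only the one-line form:  Acquire::http::Proxy "http://host:port/";
# (apt.conf's nested block syntax is not handled here).
APT_PROXY_RE = re.compile(
    r'^\s*Acquire::http::Proxy\s+"([^"]+)"\s*;', re.MULTILINE | re.IGNORECASE)

def find_http_proxy(environ, apt_conf_text=""):
    """Return the proxy URL from the environment, else apt.conf, else None."""
    for name in ("http_proxy", "HTTP_PROXY"):
        value = environ.get(name, "").strip()
        if value:
            return value
    match = APT_PROXY_RE.search(apt_conf_text)
    return match.group(1) if match else None

def gpg_options(environ, apt_conf_text=""):
    """Build the gpg argument list, adding http-proxy only when one is set."""
    options = list(BASE_GPG_OPTIONS)
    proxy = find_http_proxy(environ, apt_conf_text)
    if proxy is None:
        return options
    # Reject whitespace and commas so the value stays a single keyserver
    # option and cannot smuggle further options into the string.
    if not re.fullmatch(r"https?://[^\s,]+", proxy):
        raise ValueError("unusable proxy value: %r" % proxy)
    return options + ["--keyserver-options", "http-proxy=" + proxy]

if __name__ == "__main__":
    # Constructed inputs for illustration.
    print(gpg_options({"http_proxy": "http://proxy.example:3128/"}))
    print(gpg_options({}, 'Acquire::http::Proxy "http://proxy.example:3128/";\n'))
    print(gpg_options({}))
```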

Scott Moser (smoser) wrote :

@Nate,
there are some suggestions about that in bug 1433761.

Rod Smith (rodsmith) wrote :

FWIW, I've run into what I believe to be this bug with MAAS 2.4 and Bionic, minus the juju aspect -- I'm unable to deploy when nodes must rely on a proxy for PPA access. It works without PPAs or when I enable NAT so that the nodes can retrieve the GPG keys without using a proxy.

tags: added: hwcert-server