juju bootstrap fail behind a proxy when a gpg key must be imported

Bug #1089389 reported by Pierre Amadio
This bug affects 16 people
Affects: software-properties (Ubuntu)
Status: Triaged
Importance: Critical
Assigned to: abhishek
Declined for Precise by Scott Moser

Bug Description

This is related to a Maas environment hosted behind a proxy.

I'm trying to use
juju 0.6.0.1+bzr603-0juju1~precise1

ubuntu@maas:~$ cat .juju/environments.yaml
environments:
  mymaas:
    type: maas
    maas-server: 'http://192.168.124.2:80/MAAS'
    maas-oauth: 'UP5Qay8Nsku8K98fqn:LjhnStY2HjfCeKfvmg:BxA586DWVNPKrT9ASNj9QasMvSPdgavt'
    admin-secret: 'nothing'
    default-series: precise
    juju-origin: ppa

When juju bootstraps, things do not behave as expected on the zookeeper node.

Excerpt from the cloud-init-output.log:

W: GPG error: http://ppa.launchpad.net precise Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 376A290EC8068B11

On the zookeeper node, if I try to apt-add-repository, the needed gpg key is not injected, but the script does not return any error code:

ubuntu@zookeeper:/var/log$ sudo mv /etc/apt/sources.list.d/juju-pkgs-precise.list /tmp/
ubuntu@zookeeper:/var/log$ sudo ls /etc/apt/sources.list.d/
ubuntu@zookeeper:/var/log$ sudo apt-add-repository ppa:juju/pkgs --yes
gpg: keyring `/tmp/tmpmlP7VA/secring.gpg' created
gpg: keyring `/tmp/tmpmlP7VA/pubring.gpg' created
gpg: requesting key C8068B11 from hkp server keyserver.ubuntu.com
gpgkeys: key A2EB2DEC0BD7519B7B38BE38376A290EC8068B11 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
recv failed
ubuntu@zookeeper:/var/log$ echo $?
0

Trying to inject key while setting the http_proxy environment variable works better:
ubuntu@zookeeper:/var/log$ sudo http_proxy=http://91.189.90.174:3128/ apt-add-repository ppa:juju/pkgs --yes
gpg: keyring `/tmp/tmp1pAd6X/secring.gpg' created
gpg: keyring `/tmp/tmp1pAd6X/pubring.gpg' created
gpg: requesting key C8068B11 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmp1pAd6X/trustdb.gpg: trustdb created
gpg: key C8068B11: public key "Launchpad Ensemble PPA" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
OK
ubuntu@zookeeper:/var/log$ echo $?
0

On the zookeeper node, python-software-properties is version 0.82.7.3

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: python-software-properties 0.82.7.3
ProcVersionSignature: Ubuntu 3.2.0-34.53-generic 3.2.33
Uname: Linux 3.2.0-34-generic x86_64
ApportVersion: 2.0.1-0ubuntu15
Architecture: amd64
Date: Wed Dec 12 14:40:21 2012
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
MarkForUpload: True
PackageArchitecture: all
SourcePackage: software-properties
UpgradeStatus: Upgraded to precise on 2012-05-14 (212 days ago)

Pierre Amadio (pierre-amadio) wrote :
Scott Moser (smoser) wrote :

The key point above is that:
 sudo apt-add-repository ppa:juju/pkgs --yes
failed to import keys to apt, but
a.) exited success (0) meaning its caller did not even log error
b.) left /etc/apt/sources.list.d/<ppa>.list in place, meaning subsequent 'apt-get update' was guaranteed to fail.
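A caller that cannot trust the exit status can check gpg's output itself and remove the sources.list.d entry when the key did not arrive. The following is an added example, not code from software-properties or from this report; the function names are hypothetical, the sample output is copied from the two runs in the bug description, and the matching assumes that output format.

```python
import os
import re

# Failure markers taken from the gpg output quoted in this report.
FAILURE_MARKERS = (
    "not found on keyserver",
    "no valid OpenPGP data found",
    "recv failed",
)

def key_import_ok(output: str, fingerprint: str) -> bool:
    """True only if gpg reported importing the key that was requested."""
    if any(marker in output for marker in FAILURE_MARKERS):
        return False
    short_id = fingerprint[-8:].upper()
    imported = re.search(
        r"^gpg: key %s: public key .* imported$" % re.escape(short_id),
        output, re.MULTILINE)
    processed = re.search(r"^gpg: Total number processed: (\d+)$",
                          output, re.MULTILINE)
    return bool(imported) and bool(processed) and int(processed.group(1)) > 0

def finish_add_repository(output: str, fingerprint: str, list_path: str) -> bool:
    """Keep the sources.list.d entry only when its signing key was imported."""
    ok = key_import_ok(output, fingerprint)
    if not ok and os.path.exists(list_path):
        os.remove(list_path)  # otherwise 'apt-get update' fails with NO_PUBKEY
    return ok

# Output copied from the two runs in the bug description.
FAILED_RUN = """gpg: requesting key C8068B11 from hkp server keyserver.ubuntu.com
gpgkeys: key A2EB2DEC0BD7519B7B38BE38376A290EC8068B11 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
recv failed
"""
GOOD_RUN = """gpg: requesting key C8068B11 from hkp server keyserver.ubuntu.com
gpg: key C8068B11: public key "Launchpad Ensemble PPA" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
OK
"""
FINGERPRINT = "A2EB2DEC0BD7519B7B38BE38376A290EC8068B11"
```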

Pierre Amadio (pierre-amadio) wrote :

same behaviour with raring:

ubuntu@rqring:~$ sudo ls /etc/apt/sources.list.d/
ubuntu@rqring:~$ sudo apt-add-repository ppa:juju/pkgs --yes
gpg: keyring `/tmp/tmp9kk_ey/secring.gpg' created
gpg: keyring `/tmp/tmp9kk_ey/pubring.gpg' created
gpg: requesting key C8068B11 from hkp server keyserver.ubuntu.com
gpgkeys: key A2EB2DEC0BD7519B7B38BE38376A290EC8068B11 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
ubuntu@rqring:~$ echo $?
0

ubuntu@rqring:~$ dpkg-query --show software-properties-common
software-properties-common 0.92.13

Scott Moser (smoser)
Changed in software-properties (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Andres Rodriguez (andreserl) wrote :

So we just hit this same issue. add-apt-repository cannot import a PPA behind a proxy. It seems it doesn't respect the fact that apt.conf has the proxy configured.

Changed in software-properties (Ubuntu):
importance: Medium → Critical
heri atmuji (heriatmuji)
Changed in software-properties (Ubuntu):
status: Confirmed → New
tags: added: cloud
Changed in software-properties (Ubuntu):
status: New → Fix Committed
fill (brak29)
Changed in software-properties (Ubuntu):
assignee: nobody → fill (brak29)
status: Fix Committed → New
status: New → Confirmed
Jonathan Davies (jpds)
Changed in software-properties (Ubuntu):
assignee: fill (brak29) → nobody
Changed in software-properties (Ubuntu):
status: Confirmed → Triaged
Maarten (mthibaut-f) wrote :

Hi,

Please add trusty and utopic as tags.

Thanks!
maarten

Changed in software-properties (Ubuntu):
assignee: nobody → abhishek (abhishekgc1992)
Scott Moser (smoser) wrote :

I filed https://bugs.launchpad.net/launchpad/+bug/1667725 which I think is a possible solution to this bug.

Scott Moser (smoser) wrote :

In an update to my own comment #2 above, we have made some progress:
 a.) FIXED: exited success (0) meaning its caller did not even log error (bug 1532855)
 b.) NOT FIXED: left /etc/apt/sources.list.d/<ppa>.list in place, meaning subsequent 'apt-get update' was guaranteed to fail. (bug 1671566)

Nate Mara (natemara) wrote :

I noticed that this problem can be fixed for me if the GPG_DEFAULT_OPTIONS variable on line 171 of ppa.py is changed. If I add these two properties to the list, then the problem goes away completely:

"--keyserver-options", "http-proxy=" + os.environ['http_proxy']

Obviously, you would want to check for the existence of this variable before you just went using it, but it looks like this is the problem. The PPA library does not forward the HTTP proxy settings along to GPG, so GPG tries and fails to make a direct connection to the keyserver. Am I missing something about the way this works, or can we make a similar change and resolve these proxy issues?
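One way to build the gpg options with the existence check the comment above calls for, also falling back to the proxy configured in apt.conf. This is an added example, not the code in ppa.py: `GPG_BASE_OPTIONS` is a hypothetical stand-in for the real option list, the function names are assumptions, and only the flat `Acquire::http::Proxy "...";` form of apt.conf is parsed.

```python
import re
from urllib.parse import urlsplit

# Hypothetical stand-in for the option list in ppa.py; its real contents
# are not shown in this report.
GPG_BASE_OPTIONS = ["gpg", "--no-default-keyring", "--no-options"]

# Flat apt.conf form only: Acquire::http::Proxy "http://host:port/";
APT_PROXY_RE = re.compile(
    r'^\s*Acquire::http::Proxy\s+"([^"]+)"\s*;', re.M | re.I)

def find_proxy(environ, apt_conf_text=""):
    """Return the proxy URL from the environment, else from apt.conf text."""
    for name in ("http_proxy", "HTTP_PROXY"):
        if environ.get(name):
            return environ[name]
    match = APT_PROXY_RE.search(apt_conf_text)
    return match.group(1) if match else None

def is_safe_proxy(url):
    """Accept only http(s)://host[:port] values with no option separators."""
    if re.search(r"[\s,]", url):
        # --keyserver-options is a space or comma delimited list, so these
        # characters would turn one value into several options.
        return False
    parts = urlsplit(url)
    try:
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.hostname)

def gpg_options(environ, apt_conf_text=""):
    """Build the gpg argv prefix, forwarding the proxy only when one is set."""
    options = list(GPG_BASE_OPTIONS)
    proxy = find_proxy(environ, apt_conf_text)
    if proxy and is_safe_proxy(proxy):
        options += ["--keyserver-options", "http-proxy=" + proxy]
    return options
```

Because the result is an argv list passed without a shell, the proxy value is never shell-interpreted; the separator check guards gpg's own option parsing.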

Scott Moser (smoser) wrote :

@Nate,
there are some suggestions about that in bug 1433761.

Rod Smith (rodsmith) wrote :

FWIW, I've run into what I believe to be this bug with MAAS 2.4 and Bionic, minus the juju aspect -- I'm unable to deploy when nodes must rely on a proxy for PPA access. It works without PPAs or when I enable NAT so that the nodes can retrieve the GPG keys without using a proxy.

tags: added: hwcert-server
Jeff Lane  (bladernr)
tags: removed: hwcert-server