On Thu, Apr 08, 2021 at 04:32:37PM +0000, Jarosław Wygoda wrote:
> I tried to add a complete key on debian 10 and it turns out it requires
> gnupg. Here's a relevant cloud-init config and error.
>
> apt:
>   preserve_sources_list: true
>   sources:
>     docker.list:
>       source: "deb [arch=amd64] https://download.docker.com/linux/debian $RELEASE edge"
>       key: |
>         -----BEGIN PGP PUBLIC KEY BLOCK-----
>         ...
>
> Cloud-init v. 20.2 running 'modules:config' at Thu, 08 Apr 2021 15:33:51 +0000. Up 16.04 seconds.
> 2021-04-08 15:33:52,098 - cc_apt_configure.py[ERROR]: failed to add apt GPG Key to apt keyring
> Traceback (most recent call last):
>   File "/usr/lib/python3/dist-packages/cloudinit/config/cc_apt_configure.py", line 553, in add_apt_key_raw
>     util.subp(['apt-key', 'add', '-'], data=key.encode(), target=target)
>   File "/usr/lib/python3/dist-packages/cloudinit/util.py", line 2192, in subp
>     cmd=args)
> cloudinit.util.ProcessExecutionError: Unexpected error while running command.
> Command: ['apt-key', 'add', '-']
> Exit code: 255
> Reason: -
> Stdout:
> Stderr: E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation
> 2021-04-08 15:33:52,133 - util.py[WARNING]: Running module apt-configure (<module 'cloudinit.config.cc_apt_configure' from '/usr/lib/python3/dist-packages/cloudinit/config/cc_apt_configure.py'>) failed
There are a couple of issues here.

First, cloud-init should stop using apt-key to add keys provided via this mechanism. That's tracked upstream at https://bugs.launchpad.net/cloud-init/+bug/1836336

Second, if the file is provided in ASCII-armored format inline in cloud-config, as you've shown here, then cloud-init *should* install it to /usr/share/keyrings/ and the deb sources line should be specified to include a signed-by directive, as documented in the third-party apt sources list best practices. [1] In order for that to work, though, the key needs to be available in *binary* format. So we still do need gpg to do the conversion.

For now, to work around this in our cloud images, I recommend using a cloud-config "packages:" entry to install gpg, and then use a script similar to the one shown at [2] as a user-data script. Alternatively, you can use a bootcmd cloud-config directive to install gpg early in your instance's boot process, which will make it available in time for the apt-configure module's execution.

noah

1. https://wiki.debian.org/DebianRepository/UseThirdParty
2. https://github.com/docker/docker.github.io/issues/11625#issuecomment-751388087
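The workaround described in the reply above, written out as a cloud-config that avoids apt-key altogether (an added example, not from either message or from the cloud-init or Docker projects): gnupg is installed via "packages:", the armored key is dearmored into /usr/share/keyrings in binary form, and the sources entry is scoped to that keyring with signed-by. The keyring filename, the temporary key path and the key block placeholder are assumptions; the release codename is read from /etc/os-release because $RELEASE is only expanded inside the apt: module, not in runcmd.

```yaml
#cloud-config
# Added example: sidestep the apt-key/gnupg failure from the thread by
# installing the key as a binary keyring and pinning the repo to it.
packages:
  - gnupg            # needed only for the one-time --dearmor conversion

write_files:
  # assumed temporary path; the real ASCII-armored key replaces the placeholder
  - path: /tmp/docker-archive-key.asc
    permissions: "0644"
    content: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      ... (ASCII-armored key block goes here) ...
      -----END PGP PUBLIC KEY BLOCK-----

runcmd:
  # 1. convert to the binary format that apt's signed-by option requires
  - gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg /tmp/docker-archive-key.asc
  - chmod 0644 /usr/share/keyrings/docker-archive-keyring.gpg
  - rm -f /tmp/docker-archive-key.asc
  # 2. sources entry trusted only for this keyring (never the global trusted.gpg);
  #    $VERSION_CODENAME stands in for the $RELEASE the apt: module would expand
  - sh -c '. /etc/os-release && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $VERSION_CODENAME edge" > /etc/apt/sources.list.d/docker.list'
  # 3. refresh indexes; a signature failure here means the wrong key was embedded
  - apt-get update -q
```

Because the apt: sources: block is not used, the apt-configure module never calls apt-key, so the ordering problem between package installation and that module does not arise.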