salt: Can't auto-accept newly added repo's package signing key in SUSE.

Description of Issue/Question

Adding a new GPG-signed repo in SUSE Linux Enterprise Server 11 SP3 fails because there’s no option to auto-accept a new key.

Setup

repo-zabbix:
  pkgrepo.managed:
    - name: zabbix
    - humanname: zabbix
    - baseurl: https://download.opensuse.org/repositories/server:/monitoring/SLE_11_SP3/
    - gpgkey: https://download.opensuse.org/repositories/server:/monitoring/SLE_11_SP3/repodata/repomd.xml.key
    - enabled: 1
    - gpgcheck: 1

Steps to Reproduce Issue

Applied the above state to a SLES 11 SP3 minion and got:

2017-06-30 14:09:50,800 [salt.utils.lazy                                             ][DEBUG   ][31528] LazyLoaded pkg.mod_repo
2017-06-30 14:09:50,801 [salt.utils.lazy                                             ][DEBUG   ][31528] LazyLoaded pkgrepo.managed
2017-06-30 14:09:50,801 [salt.state                                                  ][INFO    ][31528] Running state [zabbix] at time 14:09:50.801262
2017-06-30 14:09:50,802 [salt.state                                                  ][INFO    ][31528] Executing state pkgrepo.managed for zabbix
2017-06-30 14:09:50,968 [salt.utils.lazy                                             ][DEBUG   ][31528] Could not LazyLoad pkg.expand_repo_def
2017-06-30 14:09:50,971 [salt.loaded.int.module.zypper                               ][DEBUG   ][31528] Calling Zypper: zypper --non-interactive --xmlout mr --gpgcheck zabbix
2017-06-30 14:09:50,971 [salt.loaded.int.module.cmdmod                               ][INFO    ][31528] Executing command ['zypper', '--non-interactive', '--xmlout', 'mr', '--gpgcheck', 'zabbix'] in directory '/root'
2017-06-30 14:09:51,022 [salt.state                                                  ][INFO    ][31528] Configured package repo 'zabbix'
2017-06-30 14:09:51,023 [salt.state                                                  ][INFO    ][31528] Completed state [zabbix] at time 14:09:51.022822 duration_in_ms=221.56
2017-06-30 14:09:51,025 [salt.utils.lazy                                             ][DEBUG   ][31528] LazyLoaded pkg.installed
2017-06-30 14:09:51,030 [salt.utils.lazy                                             ][DEBUG   ][31528] Could not LazyLoad pkg.ex_mod_init
2017-06-30 14:09:51,031 [salt.state                                                  ][INFO    ][31528] Running state [zabbix-agent-package] at time 14:09:51.031073
2017-06-30 14:09:51,032 [salt.state                                                  ][INFO    ][31528] Executing state pkg.installed for zabbix-agent-package
2017-06-30 14:09:51,032 [salt.loaded.int.module.cmdmod                               ][INFO    ][31528] Executing command ['rpm', '-qa', '--queryformat', '%{NAME}_|-%{VERSION}_|-%{RELEASE}_|-%|EPOCH?{%{EPOCH}}:{}|\\n'] in directory '/root'
2017-06-30 14:09:51,731 [salt.utils.lazy                                             ][DEBUG   ][31528] Could not LazyLoad pkg.normalize_name
2017-06-30 14:09:51,736 [salt.utils.lazy                                             ][DEBUG   ][31528] Could not LazyLoad pkg.check_db
2017-06-30 14:09:51,737 [salt.loaded.int.module.zypper                               ][DEBUG   ][31528] Calling Zypper: zypper --non-interactive refresh --force
2017-06-30 14:09:51,738 [salt.loaded.int.module.cmdmod                               ][INFO    ][31528] Executing command ['zypper', '--non-interactive', 'refresh', '--force'] in directory '/root'
2017-06-30 14:09:54,561 [salt.minion                                            ][INFO    ][20757] User salt Executing command saltutil.find_job with jid 20170630140954550368
2017-06-30 14:09:54,562 [salt.minion                                            ][DEBUG   ][20757] Command details {'tgt_type': 'list', 'jid': '20170630140954550368', 'tgt': ['bs1f-lnx-sles11sm-x64-58'], 'ret': '', 'user': 'salt', 'arg': ['20170630140949451128'], 'fun': 'saltutil.find_job'}
2017-06-30 14:09:54,579 [salt.minion                                            ][INFO    ][31564] Starting a new job with PID 31564
2017-06-30 14:09:54,593 [salt.utils.lazy                                        ][DEBUG   ][31564] LazyLoaded saltutil.find_job
2017-06-30 14:09:54,596 [salt.utils.lazy                                        ][DEBUG   ][31564] LazyLoaded direct_call.get
2017-06-30 14:09:54,599 [salt.minion                                            ][DEBUG   ][31564] Minion return retry timer set to 5 seconds (randomized)
2017-06-30 14:09:54,599 [salt.minion                                            ][INFO    ][31564] Returning information for job: 20170630140954550368
2017-06-30 14:09:54,600 [salt.transport.zeromq                                  ][DEBUG   ][31564] Initializing new AsyncZeroMQReqChannel for ('/etc/salt/pki/minion', 'bs1f-lnx-sles11sm-x64-58', 'tcp://172.20.0.24:4506', 'aes')
2017-06-30 14:09:54,600 [salt.crypt                                             ][DEBUG   ][31564] Initializing new AsyncAuth for ('/etc/salt/pki/minion', 'bs1f-lnx-sles11sm-x64-58', 'tcp://172.20.0.24:4506')
2017-06-30 14:10:04,776 [salt.minion                                            ][INFO    ][20757] User salt Executing command saltutil.find_job with jid 20170630141004769736
2017-06-30 14:10:04,776 [salt.minion                                            ][DEBUG   ][20757] Command details {'tgt_type': 'list', 'jid': '20170630141004769736', 'tgt': ['bs1f-lnx-sles11sm-x64-58'], 'ret': '', 'user': 'salt', 'arg': ['20170630140949451128'], 'fun': 'saltutil.find_job'}
2017-06-30 14:10:04,790 [salt.minion                                            ][INFO    ][31745] Starting a new job with PID 31745
2017-06-30 14:10:04,804 [salt.utils.lazy                                        ][DEBUG   ][31745] LazyLoaded saltutil.find_job
2017-06-30 14:10:04,806 [salt.utils.lazy                                        ][DEBUG   ][31745] LazyLoaded direct_call.get
2017-06-30 14:10:04,808 [salt.minion                                            ][DEBUG   ][31745] Minion return retry timer set to 7 seconds (randomized)
2017-06-30 14:10:04,809 [salt.minion                                            ][INFO    ][31745] Returning information for job: 20170630141004769736
2017-06-30 14:10:04,809 [salt.transport.zeromq                                  ][DEBUG   ][31745] Initializing new AsyncZeroMQReqChannel for ('/etc/salt/pki/minion', 'bs1f-lnx-sles11sm-x64-58', 'tcp://172.20.0.24:4506', 'aes')
2017-06-30 14:10:04,810 [salt.crypt                                             ][DEBUG   ][31745] Initializing new AsyncAuth for ('/etc/salt/pki/minion', 'bs1f-lnx-sles11sm-x64-58', 'tcp://172.20.0.24:4506')
2017-06-30 14:10:05,299 [salt.loaded.int.module.cmdmod                               ][ERROR   ][31528] Command '['zypper', '--non-interactive', 'refresh', '--force']' failed with return code: 4
2017-06-30 14:10:05,300 [salt.loaded.int.module.cmdmod                               ][ERROR   ][31528] stdout: Forcing raw metadata refresh
Retrieving repository 'SUSE-Linux-Enterprise-Software-Development-Kit-11-SP3 11.3.3-1.69' metadata [.done]
Forcing building of repository cache
Building repository 'SUSE-Linux-Enterprise-Software-Development-Kit-11-SP3 11.3.3-1.69' cache [....done]
Forcing raw metadata refresh
Retrieving repository 'SLE11-Security-Module' metadata [....done]
Forcing building of repository cache
Building repository 'SLE11-Security-Module' cache [....done]
Forcing raw metadata refresh
Retrieving repository 'SLES11-SP3-Pool' metadata [....done]
Forcing building of repository cache
Building repository 'SLES11-SP3-Pool' cache [....done]
Forcing raw metadata refresh
Retrieving repository 'SLES11-SP3-Updates' metadata [....done]
Forcing building of repository cache
Building repository 'SLES11-SP3-Updates' cache [....done]
Forcing raw metadata refresh
Retrieving repository 'salt' metadata [..done]
Forcing building of repository cache
Building repository 'salt' cache [....done]
Forcing raw metadata refresh
Retrieving repository 'zabbix' metadata [.

New repository or package signing key received:
Key ID: A5C23697EE454F98
Key Name: server:monitoring OBS Project <server:monitoring@build.opensuse.org>
Key Fingerprint: 8F3BC8EFF549CDCDA918D981A5C23697EE454F98
Key Created: Mon Jun 13 19:49:28 2016
Key Expires: Wed Aug 22 19:49:28 2018
Repository: zabbix

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): r
error]
2017-06-30 14:10:05,300 [salt.loaded.int.module.cmdmod                               ][ERROR   ][31528] stderr: Repository 'zabbix' is invalid.
[|] Valid metadata not found at specified URL(s)
Please check if the URIs defined for this repository are pointing to a valid repository.
Skipping repository 'zabbix' because of the above error.
Some of the repositories have not been refreshed because of an error.
2017-06-30 14:10:05,300 [salt.loaded.int.module.cmdmod                               ][ERROR   ][31528] retcode: 4
2017-06-30 14:10:05,301 [salt.state                                                  ][ERROR   ][31528] An error was encountered while installing package(s): Zypper command failure: Repository 'zabbix' is invalid.
[|] Valid metadata not found at specified URL(s)
Please check if the URIs defined for this repository are pointing to a valid repository.
Skipping repository 'zabbix' because of the above error.
Some of the repositories have not been refreshed because of an error.
2017-06-30 14:10:05,301 [salt.state                                                  ][INFO    ][31528] Completed state [zabbix-agent-package] at time 14:10:05.300786 duration_in_ms=14269.713

Versions Report

Minion version report:

Salt Version:
           Salt: 2016.3.4

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.1
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.8
        libgit2: 0.20.0
        libnacl: Not Installed
       M2Crypto: 0.22
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
         pygit2: 0.20.0
         Python: 2.6.9 (unknown, Apr  7 2015, 08:28:12)
   python-gnupg: Not Installed
         PyYAML: 3.12
          PyZMQ: 15.2.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.4.2
            ZMQ: 4.2.1

System Versions:
           dist: SuSE 11 x86_64
        machine: x86_64
        release: 3.0.101-0.47.71-default
         system: Linux
        version: SUSE Linux Enterprise Server  11 x86_64

Master version report:

Salt Version:
           Salt: 2016.11.6

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 1.5
      docker-py: Not Installed
          gitdb: 0.5.4
      gitpython: 0.3.2 RC1
          ioflo: Not Installed
         Jinja2: 2.7.2
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: 1.2.3
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.6 (default, Oct 26 2016, 20:30:19)
   python-gnupg: Not Installed
         PyYAML: 3.10
          PyZMQ: 14.0.1
           RAET: Not Installed
          smmap: 0.8.2
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.0.5

System Versions:
           dist: Ubuntu 14.04 trusty
        machine: x86_64
        release: 3.13.0-123-generic
         system: Linux
        version: Ubuntu 14.04 trusty

For reference, someone else got into this as well: https://stackoverflow.com/questions/40663037/using-saltstacks-state-modules-to-accept-newly-added-repos-package-signing-key

Let me know if there’s more needed to document this issue. Thanks!

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 25 (10 by maintainers)

Most upvoted comments

Current zypper also supports the gpgkey option in the repository configuration. At least with Leap 15.3 it works. When using mod_repo with gpgautoimport: True, a refresh is called using --auto-import-gpg-keys, but it was not possible when you just want to call refresh_db(). My PR adds this option now. I think with this everything here in this issue should work.
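
Auto-importing a key trusts whatever key the repository serves at refresh time, so it helps to compare the key zypper offers against a pinned fingerprint before enabling it. The following is an added example, not Salt's code and not part of the issue: it parses the key prompt from zypper's stdout (the sample is the block from the log above) and checks it against a pin list. PINNED, offered_keys, normalize and review are hypothetical names, and the pinned value is simply the fingerprint shown in the log, which would need to be confirmed out of band.

```python
import re

# Hypothetical pin list: repo alias -> expected fingerprint. The value is the
# one shown in the issue's log; confirm it out of band before relying on it.
PINNED = {"zabbix": "8F3BC8EFF549CDCDA918D981A5C23697EE454F98"}

# Constructed sample: the key prompt as it appears in the issue's zypper stdout.
SAMPLE_STDOUT = """\
New repository or package signing key received:
Key ID: A5C23697EE454F98
Key Name: server:monitoring OBS Project <server:monitoring@build.opensuse.org>
Key Fingerprint: 8F3BC8EFF549CDCDA918D981A5C23697EE454F98
Key Created: Mon Jun 13 19:49:28 2016
Key Expires: Wed Aug 22 19:49:28 2018
Repository: zabbix

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): r
error]
"""

MARKER = "New repository or package signing key received:"
FIELD = re.compile(r"^(Key ID|Key Fingerprint|Repository):\s*(.+?)\s*$", re.M)

def offered_keys(stdout):
    """Return one dict of fields per key prompt found in zypper's stdout."""
    keys = []
    for block in stdout.split(MARKER)[1:]:
        # Each prompt's fields end where the interactive question starts.
        block = block.split("Do you want to", 1)[0]
        keys.append(dict(FIELD.findall(block)))
    return keys

def normalize(fpr):
    """Strip whitespace and upper-case so grouped fingerprints compare equal."""
    return re.sub(r"\s+", "", fpr).upper()

def review(stdout, pinned=PINNED):
    """Map repo alias -> 'match' | 'mismatch' | 'unpinned' | 'malformed'."""
    verdicts = {}
    for key in offered_keys(stdout):
        repo = key.get("Repository")
        fpr = normalize(key.get("Key Fingerprint", ""))
        key_id = normalize(key.get("Key ID", ""))
        # A well-formed prompt has a 40-hex fingerprint ending in the key ID.
        if not (repo and key_id and re.fullmatch(r"[0-9A-F]{40}", fpr) and fpr.endswith(key_id)):
            verdicts[repo or "?"] = "malformed"
        elif repo not in pinned:
            verdicts[repo] = "unpinned"
        else:
            verdicts[repo] = "match" if normalize(pinned[repo]) == fpr else "mismatch"
    return verdicts
```

Only a "match" verdict supports turning on gpgautoimport for that repository; any other verdict is a reason to fail the run and look at the key.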