Bug #8867

yumrepo type does not support multiple gpgkey entries

Added by Jascha Lee almost 2 years ago. Updated over 1 year ago.

Status: Accepted
Start date: 08/09/2011
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: yumrepo
Target version: -
Affected Puppet version: 2.6.6
Branch:
Keywords:

Description

According to yum.conf(5) for gpgkey: Multiple URLs may be specified here in the same manner as the baseurl option (above). If a GPG key is required to install a package from a repository, all keys specified for that repository will be installed.

However, if multiple gpgkey entries are added to a yumrepo manifest, the following error occurs:

err: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate parameter ‘gpgkey’ for on Yumrepo[tivo-coxrtltivoqa2sp01.tivo.com] at /etc/puppet/modules/yum/manifests/init.pp:12 on node coxrtltivoqa2hd01.tivo.com

init.pp - module init.pp manifest w/ multiple gpgkey entries (893 Bytes) Jascha Lee, 08/12/2011 10:58 am

History

#1 Updated by James Turnbull almost 2 years ago

  • Status changed from Unreviewed to Needs More Information
  • Assignee set to Jascha Lee

Can you show me the manifest you used here? Did you try to use multiple baseurls also BTW? From the code I don’t think either will work. Thanks!

#2 Updated by Jascha Lee almost 2 years ago

  • File init.pp added
  • Assignee changed from Jascha Lee to James Turnbull

I’ve attached the manifest. It utilizes a custom fact, but this doesn’t affect the behavior. I tried formatting gpgkey as a list value (guessing at syntax), but that didn’t help. Looking at the code (as a Ruby neophyte), it appears to want a single value (in the same way as baseurl as you noticed). I have not tried specifying multiple baseurls.

I did discover something important if and when this gets fixed, and that is to pay attention to the warning about specifying entries. The yum repo config file must specify multiple values this way:

gpgkey=<url1>
       <url2>

and not

gpgkey=<url1>
gpgkey=<url2>

The gpgkey doc mentions that you need to specify it in the same way as baseurl. But for some reason, that didn’t register correctly with me and I was doing it the 2nd way and thinking yum was buggy about importing keys.

#3 Updated by K Hightower almost 2 years ago

My Environment

Facter: 1.6.0 
Puppet: 2.7.3rc1
OS: CentOS Linux release 6.0 

Work around

After reading the man page for yum.conf, it seems yum supports multi-line gpgkey and baseurl values. I have updated your init.pp as follows:

class yum {
  $yumvar_reponame = "yum.puppet.labs.com"

  # puppet supports multi-line strings \o/
  $gpgkeys = "http://$yumvar_reponame/yum/GPG/RPM-GPG-KEY-CentOS-5
  http://$yumvar_reponame/yum/GPG/RPM-GPG-KEY.dag.txt
  http://$yumvar_reponame/yum/GPG/RPM-GPG-KEY-remi
  http://$yumvar_reponame/yum/GPG/REPO-GPG-PUBLIC-KEY
  http://$yumvar_reponame/yum/GPG/RPM-GPG-KEY-MySQL
  http://$yumvar_reponame/yum/GPG/RPM-GPG-KEY-MariaDB
  http://$yumvar_reponame/yum/GPG/RPM-GPG-KEY-EPEL
  http://$yumvar_reponame/yum/GPG/RPM-GPG-KEY-passenger.rhel5"

  yumrepo {
    "tivo-coxrtltivoqa2sp01.tivo.com":
    descr    => "TiVo repo coxrtltivoqa2sp01.tivo.com",
    baseurl  => "http://$yumvar_reponame/yum/rpms",
    gpgkey   => "$gpgkeys",
    gpgcheck => "1",
    enabled  => "1";
  }
}

This seems to produce the desired results:

[root@agent ~]# cat /etc/yum.repos.d/tivo-coxrtltivoqa2sp01.tivo.com.repo 
[tivo-coxrtltivoqa2sp01.tivo.com]
name=TiVo repo coxrtltivoqa2sp01.tivo.com
baseurl=http://yum.puppet.labs.com/yum/rpms
enabled=1
gpgcheck=1
gpgkey=http://yum.puppet.labs.com/yum/GPG/RPM-GPG-KEY-CentOS-5
    http://yum.puppet.labs.com/yum/GPG/RPM-GPG-KEY.dag.txt
    http://yum.puppet.labs.com/yum/GPG/RPM-GPG-KEY-remi
    http://yum.puppet.labs.com/yum/GPG/REPO-GPG-PUBLIC-KEY
    http://yum.puppet.labs.com/yum/GPG/RPM-GPG-KEY-MySQL
    http://yum.puppet.labs.com/yum/GPG/RPM-GPG-KEY-MariaDB
    http://yum.puppet.labs.com/yum/GPG/RPM-GPG-KEY-EPEL
    http://yum.puppet.labs.com/yum/GPG/RPM-GPG-KEY-passenger.rhel5

#4 Updated by Jascha Lee almost 2 years ago

I can confirm that specifying gpgkey as a multi-line value does work, so this may be a doc/usage issue. One caveat: the indenting in the (generated) repo config file is important. If the additional keys are not indented, I get the following error on subsequent puppet runs:

Aug 15 18:45:56 coxrtltivoqa2hd01 puppet-agent[28004]: (/Stage[main]/Yum/Yumrepo[tivo-coxrtltivoqa2sp01.tivo.com]) Could not evaluate: /etc/yum.repos.d/tivo-coxrtltivoqa2sp01.tivo.com.repo:7: Can’t parse ‘http://coxrtltivoqa2sp01.tivo.com/yum/GPG/RPM-GPG-KEY.dag.txt’

#5 Updated by Jascha Lee almost 2 years ago

Note: indenting (at least one space) is necessary for yum to import all the keys, so indenting is not a suggestion.
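
As an added illustration (not part of the original ticket or of Puppet's code), a small Python linter for the two pitfalls reported in comments #2, #4 and #5: repeated gpgkey= lines and unindented continuation lines. The name lint_repo and the sample repo contents are constructed for this example; it only flags the layouts and makes no claim about how yum resolves them.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]\s*$")
OPTION = re.compile(r"^([A-Za-z0-9_.-]+)\s*=\s*(.*)$")

def lint_repo(text):
    """Parse yum .repo text; return ({section: {option: [values]}}, findings)."""
    repos, findings = {}, []
    section = option = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip()[0] in "#;":
            continue  # blank line or comment
        if line[0] in " \t":
            # Indented line: continuation of the previous option's value.
            if option is None:
                findings.append((lineno, "indented line has no option to continue"))
            else:
                repos[section][option].append(line.strip())
            continue
        header = SECTION.match(line)
        if header:
            section, option = header.group(1), None
            repos.setdefault(section, {})
            continue
        opt = OPTION.match(line)
        if opt and section is not None:
            option = opt.group(1)
            if option in repos[section]:
                # Second "gpgkey=" line: the form comment #2 warns against.
                findings.append((lineno, f"duplicate option '{option}'"))
            values = repos[section].setdefault(option, [])  # collected for reporting only
            if opt.group(2):
                values.append(opt.group(2))
            continue
        # Neither header, key=value nor indented: the case from comment #4.
        findings.append((lineno, "not key=value; continuation lines must be indented"))
    return repos, findings

# Constructed sample files (host and key names are placeholders).
HEAD = "[example]\nname=Example repo\ngpgcheck=1\n"
GOOD = HEAD + "gpgkey=http://repo.example.invalid/KEY-A\n       http://repo.example.invalid/KEY-B\n"
DUPLICATE = HEAD + "gpgkey=http://repo.example.invalid/KEY-A\ngpgkey=http://repo.example.invalid/KEY-B\n"
FLAT = HEAD + "gpgkey=http://repo.example.invalid/KEY-A\nhttp://repo.example.invalid/KEY-B\n"

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("DUPLICATE", DUPLICATE), ("FLAT", FLAT)):
        print(name, lint_repo(text)[1])
```

Running it over the generated files in /etc/yum.repos.d after a Puppet run shows whether every listed key URL was actually attached to the gpgkey option.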

#6 Updated by James Turnbull over 1 year ago

  • Status changed from Needs More Information to Accepted
  • Assignee deleted (James Turnbull)
