Docker installer: pgp key can't be retrieved #20022
Comments
nebelpfade
changed the title
|
This breaks everyone's automatic updates on ubuntu creating a major security problem. I had to disable the docker repo in sources to get the updates to complete. |
|
unfortunately, the sks-keyservers.net pool is not under our control, so I'm not sure we can do anything to improve that. It's weird thought, because unlike other reports, it doesn't tell the server is unreachable (e.g. #13555)? |
|
I've heard a few more reports for sks-keyservers.net having an outage today. I'm not sure what else could be done either, but it does suck that the docker install method breaks due to a third party service. |
|
One more:
|
|
@thaJeztah Would you accept a patch that tries another key server besides sks-keyservers if it fails? e.g. we can fail over to keyserver.ubuntu.com. |
|
pgp.mit.edu is another choice we can fallback to |
|
If there's a clean approach to poll multiple servers, I'm "+1" personally |
|
@thaJeztah Check out #20184 |
|
@nebelpfade if this is accepted and the install still fails, let me know. I'll add in yet another backup server. |
|
@thaJeztah since this is affecting people in production now, is there any way to backport #20184? |
|
@fkautz you might be able to use the direct link to the new file. Instead of |
|
@programmerq sure, that's easy for me to do manually, but doesn't help production scripts. sks-keyservers have been really flaky recently, hence the patch. E.g. @nebelpfade mentioned he is seeing this failure at 10-20% of his installations. Considering I ran into the same problem in other docker install scripts and had to script a workaround to replace the keyserver, I suspect others are experiencing this issue with higher frequency than is being reported. |
|
@fkautz just discussed it, and we're considering updating the script with your changes, but will do so manually, after the 1.10.1 release to not interfere with the release. Thanks again btw for opening that PR ❤️ feel free to ping me if the script hasn't been updated in a few days |
|
Great, thanks for the update! |
seems still some problems, but it was first failure since you release the fix |
|
@nebelpfade yeah, the change was applied to the script indeed, so not sure what more we can do 😢. Are you okay with closing this issue? |
|
@nebelpfade My guess, based on my previous experience with this issue, is your dns server might not be serving up the ip address properly. If you attempt to ping the key servers when this fails, I think you will find the domain will not resolve. We could try adding a third keyserver, but I don't think this will solve the root of the problem in your case. :( |
|
hm... our DNS servers are: 8.8.8.8 and 8.8.4.4 What do you think? |
|
Hello, it seems this fix was removed from get.docker.com: https://get.docker.com/
twice for today already |
|
@nebelpfade oh, that's strange. Possibly it got reverted during the 1.10.2 update, because it was updated manually after the previous release ping @tiborvass ^^ |
|
any updates here? installer without fallback fails a lot more that with fallback |
|
Will manually update it today. Sorry about this |
|
I see there was just a new implementation merged for this; perhaps we can use that one #20022 |
|
@tiborvass also blocking to me, has anything been done yet ? Thanks ! |
|
Here is no fallback still (again?): a lot of fails last weekends with: |
|
@tiborvass I see the updated version is present in the 1.11 bump branch, but not updated on test.docker.com, any idea why? |
|
This is still not working. In fact, if you manually search the key database on p80.pool.sks-keyservers.net via their web interface, and search for the key 58118E89F3A912897C070ADBF76221572C52609D -- you'll find none. It appears it's not a configuration issue, but your key is simply missing from their database. |
|
@bmarkovic not sure how to find it through their web-interface, but these all seem to work for me; |
|
using: I've received: using: I've received: don't know why, but it works |
|
Someone needs to report this upstream to see if there is any way to resolve this. The problem isn't with docker's setup script, although the setup script attempts to work around the problem by trying multiple servers. This appears to be some form of intermittent error which may be caused by any number of factors such as DNS misconfiguration, corporate firewall policies, or other environmental issues. |
|
Had the same issue, and I'm sitting behind my company's proxy. Solved it by manually passing the proxy to apt-key:
I successfully set the proxy for apt-get by creating the EDIT: Some users are suggesting to use |
|
@tianon do you think it would make sense to add that to the install script (i.e. if |
|
@thaJeztah I think it would make sense. Failover should continue to exist, since most users will not be running their own keyserver, but makes sense to include it. |
|
Someone good at bash, and willing to open a pull request? 😇 |
|
@hbrgnr : --keyserver-options http-proxy=$http_proxy This worked for me thanks :) |
|
@rishibamba 👍 thanks 😄 The below command should work, this ticket should be closed sudo apt-key adv --keyserver-options http-proxy='http://<domain>%5C<user>:<password>@<proxy_ip_or_name>:<port>/' --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609DIn my case it's below sudo apt-key adv --keyserver-options http-proxy='http://dev%5Cinfinityadmin:cannottell@meldevproxy.dev.tech.local:8080/' --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D |
|
Failing again. Having the same problem as @bmarkovic Can't event find the key using their webinterface. We are not behind a proxy. |
|
+1 can't find key http://p80.pool.sks-keyservers.net/pks/lookup?search=2C52609D |
|
Perhaps there is some form of network split with sks-keyservers.net. Assuming they work as a sort of CDN (hence the 'pool' in the URI) perhaps some nodes have the key, and others don't. Your ability to retrieve it would then depend on where you are geographically and/or who's your ISP. |
|
@jgleal It looks like you need to go through another path to get the key in the browser: |
|
I think this can be closed as the confusion about the web interface seems to be resolved and fallback servers are in place in the install script. |
|
I think https://docs.docker.com/engine/installation/linux/debian/ is still wrong. |
|
you can use other keyserver, i used hkp://keyserver.ubuntu.com:80, and works |
|
Hello, Regards |
|
@AndreFelipeMachado I'm not sure I understand as the docs you link to have the same command that you confirm as working for you. So the problem is that different servers are more stable at different times and for different users. We have retries in the install script but only the best server in the docs. Should we use cc @thaJeztah |
|
Hello |
|
Having the same problem. I could make it work giving 'sudo bash' |
|
Following worked for me, apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D |
|
Hi, |
|
Hello, this code worked for me.. FROM debian:stretch-slim
MAINTAINER NGINX Docker Maintainers "docker-maint@nginx.com"
ENV NGINX_VERSION 1.12.1-1~stretch
ENV NJS_VERSION 1.12.1.0.1.10-1~stretch
RUN apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 \
&& \
NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
found=''; \
for server in \
ha.pool.sks-keyservers.net \
hkp://keyserver.ubuntu.com:80 \
hkp://p80.pool.sks-keyservers.net:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
apt-key adv --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
done; \
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
apt-get remove --purge -y gnupg1 && apt-get -y --purge autoremove && rm -rf /var/lib/apt/lists/* \
&& echo "deb http://nginx.org/packages/debian/ stretch nginx" >> /etc/apt/sources.list \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y \
nginx=${NGINX_VERSION} \
nginx-module-xslt=${NGINX_VERSION} \
nginx-module-geoip=${NGINX_VERSION} \
nginx-module-image-filter=${NGINX_VERSION} \
nginx-module-njs=${NJS_VERSION} \
gettext-base \
&& rm -rf /var/lib/apt/lists/*
# forward request and error logs to docker log collector
RUN ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
EXPOSE 80
STOPSIGNAL SIGTERM
CMD ["nginx", "-g", "daemon off;"] |
and others
Hello,
We are using docker for our agnostic platform, here we have been installing docker to customers' servers about 10 times every day.
The problem that about 10-20% of installation fails with error:
can it be fixed?
The text was updated successfully, but these errors were encountered: