You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As you may or may not know the functionality provided by key_url in salts pkgrepo.managed is deprecated in Debian Bullseye and replaced by explicitly defining the signing key in the repo definition. Ideally pkgrepo.managed would understand that this is Bullseye and create a keyring for us from the key_url, but this is not currently the case.
I need to use an internal mirrored repository of salt with mirrored version of the key_url and pkgrepo_keyring available, but the state salt-pkgrepo-install-saltstack-debian keeps on failing because salt can't apt-key add the key_url because the functionality is deprecated. salt-formula currently handles the keyring outside of pkgrepo.managed so everything should be fine as long as you provide the signed-by file in the repo definition.
The fix is easy however, either
Don't add the key_url kwarg in salt-pkgrepo-install-saltstack-debian for Debian Bullseye by default
...or give us a pillar configurable way to not use key_url in the state. I tried no value and '', but those are invalid values. Bullseye need to not have it set at all with the current pkgrepo.managed state.
Steps to reproduce the bug
Change to non-default pkgrepo and key_url on bullseye (or you could probably also just remove the existing global apt-key and repo and use the defaults in this state, but not tested)
[ERROR ] Command 'apt-key' failed with return code: 2 [ERROR ] stderr: Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
gpg: no valid OpenPGP data found.
[ERROR ] retcode: 2
[ERROR ] Failed to configure repo 'deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg] https://nexus.example.com/re
pository/debian-bullseye-amd64-salt bullseye main': Error: failed to add key from https://mirror.example.com/keys/salt.asc
[WARNING ] /usr/lib/python3/dist-packages/salt/utils/files.py:385: RuntimeWarning: line buffering (buffering=1) isn't support
ed in binary mode, the default buffer size will be used
f_handle = open(*args, **kwargs) # pylint: disable=resource-leakage
[WARNING ] /usr/lib/python3/dist-packages/salt/utils/files.py:385: RuntimeWarning: line buffering (buffering=1) isn't support
ed in binary mode, the default buffer size will be used
f_handle = open(*args, **kwargs) # pylint: disable=resource-leakage
local:
----------
ID: salt-pkgrepo-install-saltstack-debian
Function: pkgrepo.managed
Name: deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg] https://nexus.example.com/repository/debian-bullsey
e-amd64-salt bullseye main
Result: False
Comment: Failed to configure repo 'deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg] https://nexus.example.com
/repository/debian-bullseye-amd64-salt bullseye main': Error: failed to add key from https://mirror.example.com/keys/salt.asc
Started: 13:44:01.126825
Duration: 171.904 ms
Changes:
Expected behaviour
salt-pkgrepo-install-saltstack-debian should work on Debian Bullseye with custom pkgrepo and pkgrepo_keyring without the not needed key_url
Attempts to fix the bug
Just commenting out key_url in salt-pkgrepo-install-saltstack-debian in the formula removes the issue on Bullseye, but obviously this should be controlled by a toggle in os*.yaml or something.
hkbakke
changed the title
[BUG] Debian Bullseye pkgrepo.managed deprecation failure if non-default key_url is set on existing system
[BUG] Debian Bullseye pkgrepo.managed deprecation failure if non-default key_url and pkgrepo is set
Nov 4, 2021
## [1.9.5](v1.9.4...v1.9.5) (2021-11-05)
### Bug Fixes
* make it possible to not have key_url set ([97e1d1f](97e1d1f)), closes [#520](#520)
* update to modern defaults for Debian family ([a932a8c](a932a8c))
Your setup
Formula commit hash / release tag
1.9.4: 99b1469
Versions reports (master & minion)
Pillar / config used
pillar config:
Bug details
Describe the bug
As you may or may not know the functionality provided by key_url in salts pkgrepo.managed is deprecated in Debian Bullseye and replaced by explicitly defining the signing key in the repo definition. Ideally pkgrepo.managed would understand that this is Bullseye and create a keyring for us from the key_url, but this is not currently the case.
I need to use an internal mirrored repository of salt with mirrored version of the key_url and pkgrepo_keyring available, but the state
salt-pkgrepo-install-saltstack-debian
keeps on failing because salt can't apt-key add the key_url because the functionality is deprecated. salt-formula currently handles the keyring outside of pkgrepo.managed so everything should be fine as long as you provide the signed-by file in the repo definition.The fix is easy however, either
salt-pkgrepo-install-saltstack-debian
for Debian Bullseye by defaultSteps to reproduce the bug
Change to non-default pkgrepo and key_url on bullseye (or you could probably also just remove the existing global apt-key and repo and use the defaults in this state, but not tested)
Expected behaviour
salt-pkgrepo-install-saltstack-debian should work on Debian Bullseye with custom pkgrepo and pkgrepo_keyring without the not needed key_url
Attempts to fix the bug
Just commenting out key_url in
salt-pkgrepo-install-saltstack-debian
in the formula removes the issue on Bullseye, but obviously this should be controlled by a toggle in os*.yaml or something.Additional context
salt.asc was downloaded from this url: https://repo.saltproject.io/py3/debian/11/amd64/latest/SALTSTACK-GPG-KEY.pub
The text was updated successfully, but these errors were encountered: