apt update errors out on https redirect on 22.04.3

[agherzan]

Issue Description

I have a local installation following the official instructions for Ubuntu 22.04: https://podman.io/docs/installation

Lately, I saw that apt complains about the redirect for the podman source:

Ign:5 https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/Debian_Unstable  InRelease
Err:6 https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/Debian_Unstable  Release
  Redirection from https to 'http://download.opensuse.org/repositories/devel:kubic:libcontainers:/unstable/Debian_Unstable/Release' is forbidden [IP: 195.135.223.226 443]
Reading package lists... Done
E: The repository 'https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/Debian_Unstable  Release' does not have a Release file.

Steps to reproduce the issue

Steps to reproduce the issue

1. run a ubunt:22.04 container
2. follow Debian install steps in https://podman.io/docs/installation
3. apt update

Describe the results you received

apt update fails for the podman source.

Describe the results you expected

apt update should work using the podman source. installation steps should work on 22.04

podman info output

The issue affects installing podman.

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

No

Additional environment details

Additional environment details

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

[enescakir]

I'm experiencing a similar issue.

Get:13 http://ports.ubuntu.com/ubuntu-ports focal/main arm64 libidn11 arm64 1.33-2.2ubuntu2 [45.3 kB]
Get:14 http://ports.ubuntu.com/ubuntu-ports focal-updates/main arm64 dnsmasq-base arm64 2.80-1.1ubuntu1.7 [296 kB]
Get:15 https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  containers-common 100:1-22 [52.4 kB]
Err:16 https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  criu 3.18-1
  Redirection from https to 'http://ftp.gwdg.de/pub/opensuse/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/arm64/criu_3.18-1_arm64.deb' is forbidden [IP: 195.135.223.226 443]
Err:17 https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  crun 100:1.2-2
  Redirection from https to 'http://ftp.gwdg.de/pub/opensuse/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/arm64/crun_1.2-2_arm64.deb' is forbidden [IP: 195.135.223.226 443]
Err:18 https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  buildah 100:1.22.3-2
  Redirection from https to 'http://ftp.gwdg.de/pub/opensuse/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/arm64/buildah_1.22.3-2_arm64.deb' is forbidden [IP: 195.135.223.226 443]
Err:19 https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  catatonit 0.1.7-1
  Redirection from https to 'http://ftp.gwdg.de/pub/opensuse/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/arm64/catatonit_0.1.7-1_arm64.deb' is forbidden [IP: 195.135.223.226 443]
Get:20 https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  conmon 100:2.1.2~0 [30.9 kB]
Get:21 https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  fuse-overlayfs 100:1.5.0-2 [38.2 kB]
Err:22 https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  podman-plugins 100:1.2.0-1
  Redirection from https to 'http://ftp.gwdg.de/pub/opensuse/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/arm64/podman-plugins_1.2.0-1_arm64.deb' is forbidden [IP: 195.135.223.226 443]

I tried to install on Ubuntu 20.04 ARM.

REPO_URL="https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable"
sh -c "echo 'deb ${REPO_URL}/xUbuntu_20.04/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list"
wget -nv https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/Release.key -O Release.key
apt-key add Release.key
apt-get update
apt-get -y install podman buildah skopeo

[rodnymolina]

Same here while trying to install on Ubuntu 20.04 ARM:

------
 > [base  4/20] RUN echo "Installing podman ..."     && mkdir -p /etc/apt/keyrings     && curl -fsSL "https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/Release.key" | gpg --dearmor | tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null     && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg] https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/ /" | tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null     && apt-get update -qq     && apt-get -qq -y install podman:
0.263 Installing podman ...
8.229 E: The repository 'https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_22.04  Release' does not have a Release file.
------
Dockerfile.kind:87
--------------------
  86 |
  87 | >>> RUN echo "Installing podman ..." \
  88 | >>>     && mkdir -p /etc/apt/keyrings \
  89 | >>>     && curl -fsSL "https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/Release.key" | gpg --dearmor | tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null \
  90 | >>>     && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg] https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/ /" | tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null \
  91 | >>>     && apt-get update -qq \
  92 | >>>     && apt-get -qq -y install podman
  93 |
--------------------
ERROR: failed to solve: process "/bin/sh -c echo \"Installing podman ...\"     && mkdir -p /etc/apt/keyrings     && curl -fsSL \"https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/Release.key\" | gpg --dearmor | tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null     && echo \"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg] https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/ /\" | tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null     && apt-get update -qq     && apt-get -qq -y install podman" did not complete successfully: exit code: 100

[suslmk-lee]

I tried the method listed on the openSUSE official download page, but the same issue occurred. This is Ubuntu20.04.

$ echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/ /' | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/ /
$ curl -fsSL https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/xUbuntu_20.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_stable.gpg > /dev/null
$ sudo apt update
Hit:1 http://mirror.kakao.com/ubuntu focal InRelease
Hit:2 http://mirror.kakao.com/ubuntu focal-updates InRelease
Hit:3 http://mirror.kakao.com/ubuntu focal-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu focal-security InRelease
Get:5 http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  InRelease [1642 B]
Ign:6 https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_20.04  InRelease
Err:7 https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_20.04  Release
  Redirection from https to 'http://download.opensuse.org/repositories/devel:kubic:libcontainers:/unstable/xUbuntu_20.04/Release' is forbidden [IP: 195.135.223.226 443]
Reading package lists... Done
E: The repository 'https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_20.04  Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

How can I solve this?

[seantywork]

It seems to me like an issue with CRIO repository so I opened an issue there

https://github.com/cri-o/cri-o/issues/7479

[olaoyeleye]

CRIO repository is not working for me as well. CRIO team should try to fix this urgently. please. is there any work around??

[seantywork]

Okay, I got it working by doing just one thing

within my installation script I've changed the below part

echo "deb [signed-by=/usr/share/keyrings/libcontainers-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
echo "deb [signed-by=/usr/share/keyrings/libcontainers-crio-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list

mkdir -p /usr/share/keyrings
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | gpg --dearmor -o /usr/share/keyrings/libcontainers-archive-keyring.gpg
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/Release.key | gpg --dearmor -o /usr/share/keyrings/libcontainers-crio-archive-keyring.gpg

to below one (note the https -> http)

echo "deb [signed-by=/usr/share/keyrings/libcontainers-archive-keyring.gpg] http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
echo "deb [signed-by=/usr/share/keyrings/libcontainers-crio-archive-keyring.gpg] http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list

mkdir -p /usr/share/keyrings
curl -L http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | gpg --dearmor -o /usr/share/keyrings/libcontainers-archive-keyring.gpg
curl -L http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/Release.key | gpg --dearmor -o /usr/share/keyrings/libcontainers-crio-archive-keyring.gpg

So, my cautious suggestion for those who try to update CRIO, please try changing the protocol specified in files within /etc/apt/sources.list.d/ directory and then see what happens

[kwilczynski]

An update from the CRI-O team: we are looking at the problem, and we are reaching out to SUSE, who maintains the package mirrors as part of their The Open Build Service (OBS) service, which they kindly provide to Open Source projects.

(CC @saschagrunert @haircommander)

[saschagrunert]

Please don't downgrade to HTTP, that's not a valuable workaround for security reasons.

[seantywork]

for all of you out there who just might have followed the https->http trick

It's clearly a temporary "WORKAROUND" for cases in urgency, not a FIX.

Some obvious risks ensue though I fell short of mentioning them before @saschagrunert brought it up

[kwilczynski]

Everyone,

The issue should be resolved now.

Please verify that the HTTPS works correctly for you - both the main repository URL and the local mirrors (where the requests would be redirected to) should be using HTTPS endpoints now.

I also encourage everyone who eagerly went ahead and made updates to use plain HTTP to revert the changes back to use HTTPS, if possible.

[saschagrunert]

Closing for now.

[agherzan]

Both "testing" and "unstable" seem to still error out:

Ign:14 https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/Debian_Unstable  InRelease
Err:15 https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/Debian_Unstable  Release
  Redirection from https to 'http://download.opensuse.org/repositories/devel:kubic:libcontainers:/unstable/Debian_Unstable/Release' is forbidden [IP: 195.135.223.226 443]

[kwilczynski]

@agherzan, good catch! I checked stable only.

Reported this to SUSE folks for them to have a look.

[Luap99]

@lsm5 FYI Also I think stable is not even maintained as @lsm5 only maintains the unstable repo AFAIK but maybe he can clarify what the actual status for the kubic repos is.

[lsm5]

@agherzan, good catch! I checked stable only.

Use stable at your own risk. While those may be installable, they are very old and probably not immune to recent CVEs.

Reported this to SUSE folks for them to have a look.

SUSE folks aren't involved in this. It has mostly been me (and one other person on the crio side). RE: maintaining the unstable repo, I have noticed issues with the build dependencies and I'm distracted by other tasks to spend time on this. So, I strongly suggest fetching podman through other repos. I will update the official docs to remove any references to this unstable repo.

[kwilczynski]

SUSE folks aren't involved in this.

@lsm5, I am not sure what are you talking about. Perhaps, we aren't talking about the same thing.

Unless it's up to you to control what local mirror will be returned for me for Japan (e.g., http://mirrorcache-jp.opensuse.org/, etc.) from the OBS (using the main URL), then SUSE folks were definitely involved, at least they confirmed the issue on the IRC channel.

[agherzan]

@agherzan, good catch! I checked stable only.

Reported this to SUSE folks for them to have a look.

This is why this issue should stay open until we fix the docs or fix the issue.

[muety]

Error still occurring for me.

[Timost]

@lsm5

First of all thank you for maintaining the unstable repos up until now. 🙏

I'm distracted by other tasks to spend time on this. So, I strongly suggest fetching podman through other repos. I will update the official docs to remove any references to this unstable repo.

For Debian/Ubuntu users can you recommend alternative repos ?

[kwilczynski]

@agherzan @muety, I don't see any more issues with the redirects on my side.

Hopefully, you won't have any more problems.

[agherzan]

I can't confirm that it works as expected now. Thanks.