geerlingguy / ansible-role-docker

Ansible Role - Docker
https://galaxy.ansible.com/geerlingguy/docker/
MIT License

Docker public key not available, docker repository not signed #385

Closed berthin closed 1 year ago

berthin commented 1 year ago

Hi,

I am running the docker role on Ubuntu16.04.7 with python3.9, and I get the following:

'/usr/bin/apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold"       install 'docker-ce=5:20.10.7~3-0~ubuntu-xenial' 'docker-ce-cli=5:20.10.7~3-0~ubuntu-xenial' 'docker-ce-rootless-extras=5:20.10.7~3-0~ubuntu-xenial' 'containerd.io=1.4.6-1' --allow-downgrades' failed: E: There were unauthenticated packages and -y was used without --allow-unauthenticated

and this fails after the key-registration step "successfully" ran.

apt-get update mentions that the key is not available:

pc@vbox-01:~$ sudo apt update
[sudo] password for pc:
Hit:1 http://nl.archive.ubuntu.com/ubuntu xenial InRelease
Hit:2 http://security.ubuntu.com/ubuntu xenial-security InRelease
Hit:3 http://nl.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:4 http://nl.archive.ubuntu.com/ubuntu xenial-backports InRelease
Get:5 https://download.docker.com/linux/ubuntu xenial InRelease [66,2 kB]
Err:5 https://download.docker.com/linux/ubuntu xenial InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8
Reading package lists... Done
W: GPG error: https://download.docker.com/linux/ubuntu xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8
E: The repository 'https://download.docker.com/linux/ubuntu xenial InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

but I see the key file in the file system:

pc@vbox-01:~$ ls /etc/apt/trusted.gpg.d/docker.asc
/etc/apt/trusted.gpg.d/docker.asc

however it seems that it's not recognized/loaded?

pc@vbox-01:~$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub   1024D/437D05B5 2004-09-12
uid                  Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub   2048g/79164387 2004-09-12

pub   4096R/C0B21F32 2012-05-11
uid                  Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>

pub   4096R/EFE21092 2012-05-11
uid                  Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

pub   1024D/FBB75451 2004-12-30
uid                  Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>

pub   4096R/991BC93C 2018-09-17
uid                  Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

Some extra logs about how the docker role "registers" the key.

TASK [geerlingguy.docker : Add Docker apt key.] ********************************
ok: [vbox-01] => {
    "changed": false,
    "checksum_dest": "f5b5bd1487cefc0c53c947e11ca202e86b33dbad",
    "checksum_src": "f5b5bd1487cefc0c53c947e11ca202e86b33dbad",
    "dest": "/etc/apt/trusted.gpg.d/docker.asc",
    "elapsed": 0,
    "gid": 0,
    "group": "root",
    "md5sum": "1afae06b34a13c1b3d9cb61a26285a15",
    "mode": "0644",
    "owner": "root",
    "size": 3817,
    "src": "/home/pc/.ansible/tmp/ansible-tmp-1667835238.2178092-1724672-61343658955030/tmp2rlsasei",
    "state": "file",
    "status_code": 200,
    "uid": 0,
    "url": "https://download.docker.com/linux/ubuntu/gpg"
}

MSG:

OK (3817 bytes)

TASK [geerlingguy.docker : Ensure curl is present (on older systems without SNI).] ***
skipping: [vbox-01] => {
    "changed": false,
    "skip_reason": "Conditional result was False"
}

TASK [geerlingguy.docker : Add Docker apt key (alternative for older systems without SNI).] ***
skipping: [vbox-01] => {
    "changed": false,
    "skip_reason": "Conditional result was False"
}

TASK [geerlingguy.docker : Add Docker repository.] *****************************
ok: [vbox-01] => {
    "changed": false,
    "repo": "deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable",
    "state": "present"
}

TASK [geerlingguy.docker : Install Docker packages.] ***************************
skipping: [vbox-01] => {
    "changed": false,
    "skip_reason": "Conditional result was False"
}

TASK [geerlingguy.docker : Install Docker packages (with downgrade option).] ***
fatal: [vbox-01]: FAILED! => {
    "cache_update_time": 1667835220,
    "cache_updated": false,
    "changed": false,
    "rc": 100
}

STDOUT:

Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  docker-scan-plugin git git-man liberror-perl pigz
Suggested packages:
  aufs-tools cgroupfs-mount | cgroup-lite git-daemon-run | git-daemon-sysvinit
  git-doc git-el git-email git-gui gitk gitweb git-arch git-cvs git-mediawiki
  git-svn
Recommended packages:
  slirp4netns
The following NEW packages will be installed:
  containerd.io docker-ce docker-ce-cli docker-ce-rootless-extras
  docker-scan-plugin git git-man liberror-perl pigz
0 upgraded, 9 newly installed, 0 to remove and 181 not upgraded.
Need to get 111 MB of archives.
After this operation, 491 MB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  containerd.io docker-ce-cli docker-ce docker-ce-rootless-extras
  docker-scan-plugin

STDERR:

E: There were unauthenticated packages and -y was used without --allow-unauthenticated

MSG:

'/usr/bin/apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold"       install 'docker-ce=5:20.10.7~3-0~ubuntu-xenial' 'docker-ce-cli=5:20.10.7~3-0~ubuntu-xenial' 'docker-ce-rootless-extras=5:20.10.7~3-0~ubuntu-xenial' 'containerd.io=1.4.6-1' --allow-downgrades' failed: E: There were unauthenticated packages and -y was used without --allow-unauthenticated

PLAY RECAP *********************************************************************
vbox-01                 : ok=27   changed=1    unreachable=0    failed=1    skipped=83   rescued=0    ignored=0

berthin commented 1 year ago

Hi @geerlingguy: I did some experiments, and found out that the docker.asc approach doesn't work with old versions of Ubuntu (e.g. Ubuntu 16.04). I understand that Ubuntu 16 is no longer supported and has reached its EOL, but is there a way to introduce a fix for that version? If so, I could submit a PR proposing a fix for older systems.

I have a kernel driver that depends on that version of Ubuntu and upgrading the OS is not an option for me.

berthin commented 1 year ago

UPD:

@geerlingguy: I have submitted a PR (https://github.com/geerlingguy/ansible-role-docker/pull/386) that adds an extra condition to use apt-key if we are on an old version of Ubuntu. I tested the change locally and it fixes the issue. Please let me know what you think.
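
The split the comment above describes, written out as an added illustration that is not the role's own tasks nor the PR's diff: apt 1.4 and later read ASCII-armored `.asc` files from `/etc/apt/trusted.gpg.d`, while the apt 1.2 shipped with Ubuntu 16.04 ignores them, so older releases get the key through `apt_key` into a binary keyring instead. Assumptions: facts are gathered, the 18.04 cutoff is chosen here (16.04 is the last LTS with apt < 1.4), and the key id is the one apt reported in the NO_PUBKEY error above.

```yaml
# Added example, not code from geerlingguy.docker or from PR #386.
# Assumes gather_facts is on so ansible_facts['distribution_version'] exists.

- name: Add Docker apt key as an armored file (apt >= 1.4 reads .asc in trusted.gpg.d).
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/ubuntu/gpg
    dest: /etc/apt/trusted.gpg.d/docker.asc
    mode: "0644"
  when: ansible_facts['distribution_version'] is version('18.04', '>=')

- name: Add Docker apt key with apt-key into a binary keyring (apt < 1.4 ignores .asc).
  ansible.builtin.apt_key:
    url: https://download.docker.com/linux/ubuntu/gpg
    # Key id taken from the NO_PUBKEY line in the apt update output above;
    # apt_key fails the task if a key with this id is not present after import,
    # so a wrong or tampered download does not silently pass.
    id: 7EA0A9C3F273FCD8
    # Separate keyring so the key is scoped to its own file rather than the
    # global /etc/apt/trusted.gpg.
    keyring: /etc/apt/trusted.gpg.d/docker.gpg
    state: present
  when: ansible_facts['distribution_version'] is version('18.04', '<')
```

Neither branch needs `--allow-unauthenticated`: once the key is in a form the host's apt loads, `apt-get install` with `-y` authenticates the packages as it did in the failing run, only now it succeeds.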

stale[bot] commented 1 year ago

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

github-actions[bot] commented 1 year ago

This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.