geerlingguy / ansible-role-repo-epel

Ansible Role - EPEL Repository for RHEL/CentOS
https://galaxy.ansible.com/geerlingguy/repo-epel/
MIT License

EPEL GPG key not found on rhel/ubi8 #43

Closed mla-lbn closed 3 years ago

mla-lbn commented 3 years ago

Using geerlingguy/docker-ubi8-ansible:latest I am getting:

    TASK [geerlingguy.repo-epel : Check if EPEL repo is already configured.] *******
    Thursday 24 September 2020  11:07:41 +0200 (0:00:04.626)       0:00:15.583 ****
    ok: [rhel8]

    TASK [geerlingguy.repo-epel : Import EPEL GPG key.] ****************************
    Thursday 24 September 2020  11:07:45 +0200 (0:00:04.745)       0:00:20.329 ****
    fatal: [rhel8]: FAILED! => changed=false
      msg: Not a valid key /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8

    [root@rhel8 /]# ls /etc/pki/rpm-gpg/
    RPM-GPG-KEY-redhat-beta  RPM-GPG-KEY-redhat-release

It would look like the EPEL key is only available by default on CentOS and not rhel/ubi?

adamus1red commented 3 years ago

I just checked using a fresh CentOS 8 host and I get the same error.

    [root@docker-1 rpm-gpg]# ls
    RPM-GPG-KEY-centosofficial  RPM-GPG-KEY-centostesting
    [root@docker-1 rpm-gpg]# cat /etc/centos-release
    CentOS Linux release 8.2.2004 (Core)

triwats commented 3 years ago

Seeing this one too; as a workaround we pinned 1.3.0.

alanivey commented 3 years ago

Same here; I think it's because epel_repo_gpg_key_url is targeting a file instead of a remote URL, since the file does not exist on the system prior to epel-release being installed.
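
The ordering problem described in the comment above, as an added example that is not part of the thread or of the role's own tasks: check whether the key source is a local path that is missing before importing, and pin the import to a fingerprint. The remote URL value, the `epel_gpg_key_fingerprint` variable and the registered name `epel_key_file` are assumptions; only `epel_repo_gpg_key_url` appears on this page.

```yaml
# Added example, not the role's tasks. Names other than
# epel_repo_gpg_key_url are hypothetical.
- hosts: all
  become: true
  vars:
    # Assumed remote location of the key (the thread reports the role's
    # variable pointing at a local file under /etc/pki/rpm-gpg/).
    epel_repo_gpg_key_url: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
    # Placeholder: fill in the fingerprint obtained from a source you trust.
    epel_gpg_key_fingerprint: "<EPEL key fingerprint>"
  tasks:
    # Only stat the value when it is a filesystem path, not an http(s) URL.
    - name: Check whether a local key path actually exists.
      ansible.builtin.stat:
        path: "{{ epel_repo_gpg_key_url }}"
      register: epel_key_file
      when: epel_repo_gpg_key_url is not match('^https?://')

    # Conditions are evaluated in order, so .stat is only read
    # when the stat task above really ran.
    - name: Stop with a clear message when the key file is not on disk yet.
      ansible.builtin.fail:
        msg: >-
          {{ epel_repo_gpg_key_url }} is a local path that does not exist.
          The file is not present before epel-release is installed, so use
          a remote URL for the first import.
      when:
        - epel_key_file is not skipped
        - not epel_key_file.stat.exists

    # rpm_key refuses the key if its fingerprint does not match the pin,
    # so a key fetched over the network is still verified before import.
    - name: Import the EPEL GPG key, pinned to a known fingerprint.
      ansible.builtin.rpm_key:
        key: "{{ epel_repo_gpg_key_url }}"
        fingerprint: "{{ epel_gpg_key_fingerprint }}"
        state: present
```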

liquidat commented 3 years ago

We see the same here on RHEL 7:

    TASK [geerlingguy.repo-epel : Import EPEL GPG key.] ****************************
    fatal: [02d7-student1-attacker]: FAILED! => {"changed": false, "msg": "Not a valid key /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7"}

To me it looks like commit https://github.com/geerlingguy/ansible-role-repo-epel/commit/9133e4544929ff98d2be67017a8c3758721cb700 is responsible for it. I must admit that I don't really get why this change was introduced: how should a machine have that key already before the repo is installed?

adamus1red commented 3 years ago

> To me it looks like commit 9133e45 is responsible for it. I must admit that I don't really get why this change was introduced: how should a machine have that key already before the repo is installed?

It's related to #42, where I reported an issue with CentOS where the command to install the epel repo failed because Ansible wouldn't accept the "accept GPG key" prompt, which is why the Install key was moved earlier in the tasks.

liquidat commented 3 years ago

I see that - but I don't understand how that should fix such an issue?! In the end, we cannot import a key which is not there?! Anyway, multiple OSs were named in this thread where this role is not working anymore due to this change.

mamono210 commented 3 years ago

I have replaced geerlingguy.repo-epel with robertdebock.epel, and have no issue with CentOS7 / CentOS8.

geerlingguy commented 3 years ago

I believe this should be fixed in https://github.com/geerlingguy/ansible-role-repo-epel/pull/45 — new release coming shortly after CI passes.