ilbers / isar

Integration System for Automated Root filesystem generation

multiple gpg-agent daemons running #73

Closed wadimklincov closed 2 years ago

wadimklincov commented 2 years ago

Hi,

with the gpg-agent changes on next I'm unable to complete the do_bootstrap function in the isar-bootstrap-target task. With multiple keys defined in THIRD_PARTY_APT_KEYS, it fails because gpg-agent keeps running when adding multiple keys:

| + find /build/tmp/work/bullseye-amd64/isar-bootstrap-target/1.0-r0/aptkeys/ -type f
| + read keyfile
| ++ basename /build/tmp/work/bullseye-amd64/isar-bootstrap-target/1.0-r0/aptkeys/gpg
| + kfn=gpg
| + cp /build/tmp/work/bullseye-amd64/isar-bootstrap-target/1.0-r0/aptkeys/gpg /build/tmp/work/bullseye-amd64/isar-bootstrap-target/1.0-r0/rootfs/tmp/gpg
| + chroot /build/tmp/work/bullseye-adas-amd64/isar-bootstrap-target/1.0-r0/rootfs /usr/bin/gpg-agent --daemon -- /usr/bin/apt-key --keyring /etc/apt/trusted.gpg.d/third_party.gpg --homedir /tmp/gpghomejBqtIkKAiA add /tmp/gpg
| gpg-agent[8992]: Note: '--keyring' is not considered an option
| gpg-agent[8992]: Note: '--homedir' is not considered an option
| gpg-agent[8992]: directory '/tmp/gpghomejBqtIkKAiA/private-keys-v1.d' created
| gpg-agent[8993]: gpg-agent (GnuPG) 2.2.27 started
| Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
| OK
| + rm /build/tmp/work/bullseye-amd64/isar-bootstrap-target/1.0-r0/rootfs/tmp/gpg
| + read keyfile
| ++ basename /build/tmp/work/bullseye-amd64/isar-bootstrap-target/1.0-r0/aptkeys/somekey
| + kfn=some.key
| + cp /build/tmp/work/bullseye-adas-amd64/isar-bootstrap-target/1.0-r0/aptkeys/some.key /build/tmp/work/bullseye-amd64/isar-bootstrap-target/1.0-r0/rootfs/tmp/some.key
| + chroot /build/tmp/work/bullseye-amd64/isar-bootstrap-target/1.0-r0/rootfs /usr/bin/gpg-agent --daemon -- /usr/bin/apt-key --keyring /etc/apt/trusted.gpg.d/third_party.gpg --homedir /tmp/gpghomejBqtIkKAiA add /tmp/some.key
| gpg-agent[9033]: Note: '--keyring' is not considered an option
| gpg-agent[9033]: Note: '--homedir' is not considered an option
| gpg-agent: a gpg-agent is already running - not starting a new one
| + bb_exit_handler
| + ret=2
| + echo WARNING: exit code 2 from a shell command.
| WARNING: exit code 2 from a shell command.
| + exit 2
| gpg-agent[8993]: parent process died - shutting down
| gpg-agent[8993]: gpg-agent (GnuPG) 2.2.27 stopped

It works only on one machine, but I assume it's because all apt-key operations are running quite slowly there.

amikan commented 2 years ago

Thanks for reporting. This was happening because the first gpg-agent process actually finished after the second was supposed to be started. Fixed in [PATCH] isar-bootstrap: Remove GNUPGHOME sharing by making every gpg-agent working in separate dir:

diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
index b8af6760..08b1486b 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
@@ -331,23 +331,22 @@ do_bootstrap() {
         mkdir -p "${ROOTFSDIR}/etc/apt/apt.conf.d"
         install -v -m644 "${WORKDIR}/isar-apt.conf" \
                          "${ROOTFSDIR}/etc/apt/apt.conf.d/50isar.conf"
-        if [ -n "${@get_distro_needs_gpg_support(d)}" ]; then
+        find ${APT_KEYS_DIR}/ -type f | while read keyfile
+        do
             MY_GPGHOME="$(chroot "${ROOTFSDIR}" mktemp -d /tmp/gpghomeXXXXXXXXXX)"
             echo "Created temporary directory ${MY_GPGHOME} for gpg-agent"
             export GNUPGHOME="${MY_GPGHOME}"
             APT_KEY_APPEND="--homedir ${MY_GPGHOME}"
-        fi
-        find ${APT_KEYS_DIR}/ -type f | while read keyfile
-        do
+
             kfn="$(basename $keyfile)"
             cp $keyfile "${ROOTFSDIR}/tmp/$kfn"
             chroot "${ROOTFSDIR}" /usr/bin/gpg-agent --daemon -- /usr/bin/apt-key \
                 --keyring ${THIRD_PARTY_APT_KEYRING} ${APT_KEY_APPEND} add "/tmp/$kfn"
             rm "${ROOTFSDIR}/tmp/$kfn"
-        done
-        if [ -n "${MY_GPGHOME}" ]; then
+
+            echo "Removing ${MY_GPGHOME}"
             rm -rf "${ROOTFSDIR}${MY_GPGHOME}"
-        fi
+        done

         if [ "${@get_distro_suite(d)}" = "stretch" ] && [ "${@get_host_release().split('.')[0]}" -lt "4" ]; then
             install -v -m644 "${WORKDIR}/isar-apt-fallback.conf" \

The fix was sent to the isar-users mailing list and will be merged after passing review.

wadimklincov commented 2 years ago

Thanks a lot for the quick fix, it works!