Closed waptaff closed 5 years ago
Dear Patrice
I will look at the issue but I'm not yet convinced that assumeno is the best option. I would like to be warned when something like that happens. Otherwise a repository would be ignored (I don't think that yum checks a repository if the key is not imported).
I would then rather catch the error and then issue a warning.
I have to find the time to find an example and then implement a fix.
Matteo
> I don't think that yum checks a repository if the key is not imported

You're most likely right.

> I would then rather catch the error and then issue a warning.

That makes lots of sense.
To reproduce, create a `/etc/yum.repos.d/gitlfs.repo` with something like this in it:

```
[github_git-lfs]
name=github_git-lfs
baseurl=https://packagecloud.io/github/git-lfs/el/6/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/github/git-lfs/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
```
Then, as a non-root user:

```
$ yum check-update
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* base: mirror.dst.ca
* centos-sclo-rh: mirror.calgah.com
* centos-sclo-sclo: mirror.calgah.com
* epel: mirror.dst.ca
* epel-debuginfo: mirror.dst.ca
* epel-source: mirror.dst.ca
* extras: mirror.calgah.com
* updates: mirror.calgah.com
github_git-lfs/signature | 833 B 00:00
Retrieving key from https://packagecloud.io/github/git-lfs/gpgkey
Importing GPG key 0xDC282033:
Userid: "https://packagecloud.io/github/git-lfs (https://packagecloud.io/docs#gpg_signing) <support@packagecloud.io>"
From : https://packagecloud.io/github/git-lfs/gpgkey
Is this ok [y/N]:
```
It just stalls there.
Contrast with `--assumeno`:

```
$ yum check-update --assumeno
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* base: mirror.dst.ca
* centos-sclo-rh: mirror.calgah.com
* centos-sclo-sclo: mirror.calgah.com
* epel: mirror.dst.ca
* epel-debuginfo: mirror.dst.ca
* epel-source: mirror.dst.ca
* extras: mirror.calgah.com
* updates: mirror.calgah.com
github_git-lfs/signature | 833 B 00:00
Retrieving key from https://packagecloud.io/github/git-lfs/gpgkey
Importing GPG key 0xDC282033:
Userid: "https://packagecloud.io/github/git-lfs (https://packagecloud.io/docs#gpg_signing) <support@packagecloud.io>"
From : https://packagecloud.io/github/git-lfs/gpgkey
github_git-lfs/signature | 1.0 kB 00:00 ...
https://packagecloud.io/github/git-lfs/el/6/x86_64/repodata/repomd.xml: [Errno -1] Gpg Keys not imported, cannot verify repomd.xml for repo github_git-lfs
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: github_git-lfs. Please verify its path and try again
$
```
Probably the `[Errno -1] Gpg Keys not imported, cannot verify` (sent via stderr) string could be matched to catch the problem.
Thanks,
Fixed: the STDERR output is now parsed. If the GPG key is not present the plugin exits with an "UNKNOWN" status and an error message.
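One way to implement the stderr check described in the comment above, as an added example that is not the plugin's own code. The function names, the WARNING severity for pending updates, and the exit code 1 used with the sample line are assumptions; the sample stderr line is the one quoted in this thread.

```shell
#!/bin/sh
# Added example, not check_updates' own code.
# Nagios plugin exit codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.

# classify_yum YUM_EXIT_CODE STDERR_TEXT
# Prints a status line and returns the Nagios exit code.
classify_yum() {
    yum_rc=$1
    yum_err=$2
    # Look at stderr before the exit code: a repository whose metadata could
    # not be verified must never be reported as "no updates".
    case $yum_err in
        *"Gpg Keys not imported, cannot verify"*)
            repo=$(printf '%s\n' "$yum_err" |
                sed -n 's/.*Gpg Keys not imported, cannot verify .* for repo \([^ ]*\).*/\1/p' |
                head -n 1)
            echo "UNKNOWN - GPG key not imported for repo ${repo:-unknown}"
            return 3 ;;
    esac
    # yum check-update exits 0 (no updates), 100 (updates available), 1 (error).
    case $yum_rc in
        0)   echo "OK - no updates available"; return 0 ;;
        100) echo "WARNING - updates available"; return 1 ;;  # severity is an assumption
        *)   echo "UNKNOWN - yum check-update failed (exit $yum_rc)"; return 3 ;;
    esac
}

# run_check: hypothetical wrapper showing how the classifier would be fed.
# --assumeno declines the key-import prompt; stdin from /dev/null is a second
# guard so an unattended run cannot block waiting for an answer.
run_check() {
    errfile=$(mktemp) || { echo "UNKNOWN - mktemp failed"; return 3; }
    run_rc=0
    yum check-update --assumeno </dev/null >/dev/null 2>"$errfile" || run_rc=$?
    run_err=$(cat "$errfile"); rm -f "$errfile"
    classify_yum "$run_rc" "$run_err"
}

# Constructed sample: the stderr line from the --assumeno run quoted in this
# thread; the yum exit code 1 passed with it is assumed.
SAMPLE_ERR='https://packagecloud.io/github/git-lfs/el/6/x86_64/repodata/repomd.xml: [Errno -1] Gpg Keys not imported, cannot verify repomd.xml for repo github_git-lfs'
classify_yum 1 "$SAMPLE_ERR" || echo "plugin exit code: $?"
```

Checking stderr ahead of the exit code means the key problem is reported even if yum returns 0 for the remaining repositories.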
I have this peculiar situation where a remote repository has changed GPG signing keys.
If I run the `check_updates` plugin as the `nagios`/`nrpe` user, I get a prompt to import a GPG key. Obviously when running unattended via nagios this prompt never gets a reply.

That makes `check_updates` either time out or, worse, report that there are no updates (whether true or not).

I can work around that issue by adding a `--yum-arguments="--assumeno"` option to `check_updates`.

I would strongly suggest adding the `--assumeno` option to `yum check-update` by default so that the plugin does not misbehave like this in similar situations.

Thanks!