Closed cowen23 closed 6 months ago
Thanks. I will add this to the CMTE and schedule this for a fix.
CMTE at https://www.mediawiki.org/wiki/Meza/Common_Meza_Test_Environment_(CMTE)
The getmeza.sh script could easily support installing the (appropriate, based on distribution) GPG key and Meza in general could be configured to run with localpkg_gpgcheck=1 in /etc/yum.conf.
Right now, the key is installed in the base role.
The current process appears to be "later" than desired since it is done on a deploy rather than on Meza installation. Since it is currently not done on Meza installation, that means the key can be skipped entirely on a controller host. So, it seems the proper way to meet the standard is to do what @cowen23 says:
getmeza.sh should import the RPM-GPG-KEY-EPEL-8 before attempting to install. NASA-SPEC-2601OS.RHEL8_v1.7.pdf
Aside: it would be nice to import all the vocabulary terms in that standard into a wiki glossary.
This has been fixed in the 39.x branch. Not sure what exact commit fixed it, but it is fixed.
Environment
VMware Red Hat Enterprise Linux release 8.8 (Ootpa) d103da8
Issue details
The epel-release package fails to install during getmeza.sh execution because the GPG check FAILED.
I believe this is because NASA-SPEC-2601OS.RHEL8, Red Hat Enterprise Linux 8 Security Configuration Specification has control "NASA-ASCS-20158: Ensure gpgcheck Enabled for Local Packages" which mandates "localpkg_gpgcheck=1" be set in the /etc/yum.conf file.
This means the public key of the epel-release package has to be imported first before it will install properly. My fix is to execute "rpm --import http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8" before running getmeza.sh.
getmeza.sh should import the RPM-GPG-KEY-EPEL-8 before attempting to install. NASA-SPEC-2601OS.RHEL8_v1.7.pdf
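The pre-install step described in this issue, as an added example that is not part of the original issue or of Meza's getmeza.sh: it checks whether the host enforces localpkg_gpgcheck and imports the EPEL 8 key only if it is missing. The function names, the HTTPS key URL, the "last assignment wins" parsing and the key-summary match are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not Meza's own code: pre-flight for hosts that set localpkg_gpgcheck=1.

# Assumption: HTTPS location of the key; the issue used an http:// URL.
EPEL_KEY_URL="https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8"

# Return 0 if the given yum/dnf config enables GPG checks for local packages.
# Assumption: the last uncommented assignment wins; 1/yes/true/on mean enabled.
localpkg_gpgcheck_enabled() {
    local conf value
    conf="${1:-/etc/yum.conf}"
    [ -r "$conf" ] || return 1
    value=$(sed -n 's/^[[:space:]]*localpkg_gpgcheck[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    case "$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')" in
        1|yes|true|on) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the rpm keyring already holds a key whose summary names EPEL (8).
# Assumption: the key's user ID contains the string "EPEL (8)".
epel_key_imported() {
    rpm -q gpg-pubkey --qf '%{SUMMARY}\n' 2>/dev/null | grep -qiF 'EPEL (8)'
}

# Import the key only when policy requires it and it is not yet trusted.
ensure_epel_key() {
    local conf
    conf="${1:-/etc/yum.conf}"
    if ! localpkg_gpgcheck_enabled "$conf"; then
        echo "localpkg_gpgcheck not enabled in $conf; no key import needed"
        return 0
    fi
    if epel_key_imported; then
        echo "EPEL 8 key already in rpm keyring"
        return 0
    fi
    echo "importing $EPEL_KEY_URL"
    rpm --import "$EPEL_KEY_URL"
}

# Run as root with --apply before getmeza.sh; without it only the functions are defined.
if [ "${1:-}" = "--apply" ]; then
    ensure_epel_key /etc/yum.conf
fi
```

After the import, `rpm -q gpg-pubkey --qf '%{SUMMARY}\n'` lists the trusted keys, which lets an operator confirm which key was added before the epel-release install proceeds.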