python / psf-salt

PSF infrastructure configuration
MIT License

postgresql gpg key is "not readable by user '_apt' executing apt-key" #333

Closed cegerhardson closed 6 months ago

cegerhardson commented 6 months ago

This issue is in reference to PR #331:

With our salt-master provisioned for upgrade to Ubuntu 22.04, apt-key is deprecated with Ubuntu 22.04 under the pkgrepo.manage module. The recommended approach is to configure -aptkey: False to the package repo state, and set signed-by in the repo name.

Salt does some fancy repo key management magic, where it gets the gpg key from the package repo key_url, and creates the file in the described location, as noted by the signed-by parameter. When salt places the keys in the designated location, the file is assigned appropriate permissions 644, and the user _apt is able to read the file. For other packages that needed this configuration change, like datadog, it looks something like this:

-rw-r--r-- 1 root root 4538 Jan 12 13:52 datadoghq.gpg

However, when the gpg key file gets created by salt for the postgresql package, the permissions are not set appropriately, only getting 640, leaving out the ability for the user _apt to read the file.

-rw-r----- 1 root root 3494 Jan 12 13:52 postgresql.gpg

To reproduce the deprecation error associated with this refactor:

  1. bring up the salt-master, laptop:psf-salt user$ vagrant up salt-master
  2. in another window, ssh into the salt-master, laptop:psf-salt user$ vagrant ssh salt-master
  3. run sudo apt update

The expected postgres deprecation error:

W: http://apt.postgresql.org/pub/repos/apt/dists/jammy-pgdg/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

To reproduce the _apt user permissions bug that comes with refactoring pkgrepo.managed:

  1. laptop:psf-salt user$ vim ./salt/postgresql/base/init.sls
  2. Under pkgrepo.managed configure -aptkey: False to the package repo state, and set signed-by in the repo name as [signed-by=/etc/apt/keyrings/postgresql.gpg arch={{ grains["osarch"] }}]
  3. Save this file and vagrant destroy and bring up the salt-master again.
  4. laptop:psf-salt user$ vagrant destroy -f
  5. laptop:psf-salt user$ vagrant up salt-master

The expected error looks like this:

    salt-master:           ID: postgresql-repo
    salt-master:     Function: pkgrepo.managed
    salt-master:         Name: deb [signed-by=/etc/apt/keyrings/postgresql.gpg arch=arm64]  http://apt.postgresql.org/pub/repos/apt jammy-pgdg main
    salt-master:       Result: False
    salt-master:      Comment: Failed to configure repo 'deb [signed-by=/etc/apt/keyrings/postgresql.gpg arch=arm64]  http://apt.postgresql.org/pub/repos/apt jammy-pgdg main':
    W: http://ports.ubuntu.com/ubuntu-ports/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/keyrings/postgresql.gpg are ignored as the file is not readable by user '_apt' executing apt-key.

ewdurbin commented 6 months ago

It looks like the salt pkgrepo state tries to validate configurations before finalizing, which is what left the file in a 600 state. Since the file here is asc and not gpg, it never successfully validates.

It did take moving to manually copying the file with the correct extension, setting the correct perms, and using that directly rather than using key_url.
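A Salt state that applies the workaround described above (an added example, not a state from the psf-salt repository): ship the keyring from the fileserver with an explicit 0644 mode, point signed-by at it, and set aptkey: False so the deprecated trusted.gpg path is never used. The fileserver path salt://postgresql/files/postgresql.gpg and the sources.list.d filename are assumptions.

```yaml
# Added example, not psf-salt's own state. Assumes the PostgreSQL signing key
# has already been dearmored (gpg --dearmor) and stored on the salt fileserver
# at salt://postgresql/files/postgresql.gpg (placeholder path). Apt only reads
# a signed-by keyring as binary OpenPGP under .gpg, or ASCII-armored under
# .asc, and the file must be readable by the unprivileged _apt user.

/etc/apt/keyrings:
  file.directory:
    - user: root
    - group: root
    - mode: '0755'

# Managing the keyring as a plain file (instead of key_url) means the mode is
# set by this state, not left at 600/640 by the pkgrepo validation step.
postgresql-keyring:
  file.managed:
    - name: /etc/apt/keyrings/postgresql.gpg
    - source: salt://postgresql/files/postgresql.gpg
    - user: root
    - group: root
    - mode: '0644'
    - require:
      - file: /etc/apt/keyrings

postgresql-repo:
  pkgrepo.managed:
    - name: deb [signed-by=/etc/apt/keyrings/postgresql.gpg arch={{ grains["osarch"] }}] http://apt.postgresql.org/pub/repos/apt jammy-pgdg main
    - file: /etc/apt/sources.list.d/pgdg.list   # assumed filename
    - aptkey: False    # never fall back to apt-key / /etc/apt/trusted.gpg
    - require:
      - file: postgresql-keyring
```

After a highstate, `sudo -u _apt cat /etc/apt/keyrings/postgresql.gpg > /dev/null` succeeding and `apt update` printing no "not readable by user '_apt'" warning confirm the keyring is usable.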