srl-labs / containerlab

container-based networking labs
https://containerlab.dev
BSD 3-Clause "New" or "Revised" License

Fix GitHub CLI GPG key expiration in older clab-devcontainer releases #2278

Closed FloSch62 closed 1 week ago

FloSch62 commented 2 weeks ago

Description

Users working with older releases of clab-devcontainer (e.g., version 0.56.0) are encountering issues due to an expired GitHub CLI GPG key. When these older containers are launched in environments like GitHub Codespaces, particularly when the devcontainer.json includes commands that use apt-get, the container fails to initialize properly and falls back to recovery mode.

The error appears as:

GPG error: https://cli.github.com/packages stable InRelease: The following signatures were invalid: EXPKEYSIG 23F3D4EA75716059 GitHub CLI <opensource+cli@github.com>
E: The repository 'https://cli.github.com/packages stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

Impact

Current Implementation

In these older releases, the Dockerfile sets up the GitHub CLI repository using:

RUN sudo mkdir -p -m 755 /etc/apt/keyrings \
    && wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \
    && sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null

Proposed Solution

Update the Dockerfile in a new release to use the githubcli-archive-keyring package for managing GPG keys:

RUN apt-get update && apt-get install -y --no-install-recommends \
    github-cli \
    githubcli-archive-keyring
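The failure described in the issue only surfaces once apt-get update runs against a keyring whose signing key has expired. The following script is an added example, not code from the containerlab project or the devcontainer: it lists the expiry of every key in an apt keyring and exits non-zero when one has lapsed, so a devcontainer startup command can detect the condition before apt-get update fails. parse_expiry and keys_expired work on text only; check_keyring assumes gpg (GnuPG 2.1.23 or newer for --show-keys) is installed and defaults to the keyring path used in the Dockerfile above. The key ID in the comments is the one quoted in the error message; any dates used alongside it are constructed.

```sh
#!/bin/sh
# Added example (not containerlab's code): inspect an apt keyring for expired
# signing keys before apt-get update trips over EXPKEYSIG.

# parse_expiry: read `gpg --with-colons` records on stdin and print one
# "<keyid> <expiry>" line per primary (pub) or sub key. In colon format field 1
# is the record type, field 5 the long key ID (e.g. 23F3D4EA75716059 for the
# GitHub CLI key named in the issue) and field 7 the expiry as epoch seconds,
# which is empty when the key never expires.
parse_expiry() {
  awk -F: '$1 == "pub" || $1 == "sub" { print $5, ($7 == "" ? "never" : $7) }'
}

# keys_expired: read "<keyid> <expiry>" lines on stdin and report every key
# whose expiry is at or before the epoch passed as $1. Exit status is 1 when
# at least one key has expired and 0 otherwise, so it can gate apt-get update.
keys_expired() {
  now="$1"
  rc=0
  while read -r keyid expiry; do
    if [ "$expiry" != "never" ] && [ "$expiry" -le "$now" ]; then
      echo "key $keyid expired at $expiry"
      rc=1
    fi
  done
  return "$rc"
}

# check_keyring: run the check against a real keyring file (binary or armored).
# The default path is the one the older Dockerfile writes the GitHub CLI key to.
check_keyring() {
  keyring="${1:-/etc/apt/keyrings/githubcli-archive-keyring.gpg}"
  gpg --show-keys --with-colons "$keyring" | parse_expiry | keys_expired "$(date +%s)"
}
```

In a devcontainer this can be wired in as `check_keyring && sudo apt-get update` so that an expired key produces a clear message naming the key instead of apt falling back to an unsigned-repository error.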

hellt commented 2 weeks ago

@FloSch62 help me understand this a bit better. The clab-devcontainer is built once -- during the container build at the clab release time. At that time the gpg key is valid.

I can see how the key becomes invalid later, but since the image is already built it doesn't try to make use of the key either. So I wonder when is the failure happening?

Is it with any apt update that you trigger during the devcontainer startup or smth else?

FloSch62 commented 2 weeks ago

Yes exactly, as soon as the key has expired, like in devcontainer 0.56, any apt update will fail. This "only" becomes a problem if you need to install something on top, like Ansible. Clab itself is not impacted.