When overriding (in this case) the EPEL repository baseurl and metalink parameters, the module attempts to install the 'yum-utils' package before the /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 file and the RPM GPG import of the Fedora GPG key. This causes yum/dnf to fail because the Fedora/EPEL GPG key is not yet installed.
Running the puppet agent a second time results in success because the GPG keys were installed.
What behaviour did you expect instead
The yum-utils package should be installed only after the yum repo files, along with the supporting GPG keys, have been installed for all managed repositories.
Output log
[root@rhel8gold-template root]# puppet agent -t --environment=125_fix_epel_repository_gpg_keys_for_first_run_puppet
Info: Caching catalog for rhel8gold-template.example.com
Info: Applying configuration version 'my-puppet-01p-125_fix_epel_repository_gpg_keys_for_first_run_puppet-49fbe586e0c'
Notice: /Stage[main]/Yum/Yumrepo[epel]/ensure: created
Info: Yumrepo[epel](provider=inifile): changing mode of /etc/yum.repos.d/epel.repo from 600 to 644
Error: Execution of '/bin/dnf -d 0 -e 1 -y install yum-utils' returned 1: warning: /var/cache/dnf/epel-4e013a157d455c5b/packages/libzstd-1.4.4-1.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY
Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 [Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8]
Error: /Stage[main]/Yum/Package[yum-utils]/ensure: change from 'purged' to 'present' failed: Execution of '/bin/dnf -d 0 -e 1 -y install yum-utils' returned 1: warning: /var/cache/dnf/epel-4e013a157d455c5b/packages/libzstd-1.4.4-1.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY
Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 [Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8]
Notice: /Stage[main]/Yum/Yum::Gpgkey[/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8]/File[/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8]/ensure: defined content as '{sha256}cd1db21a863185127f2e3b264c97fb1c6c44c316385707999041ea475c110d1c'
Notice: /Stage[main]/Yum/Yum::Gpgkey[/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8]/Exec[rpm-import-/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8]/returns: executed successfully (corrective)
Notice: /Stage[main]/Yum/Exec[package-cleanup_oldkernels]: Dependency Package[yum-utils] has failures: true
Warning: /Stage[main]/Yum/Exec[package-cleanup_oldkernels]: Skipping because of failed dependencies
Info: Class[Yum]: Unscheduling all events on Class[Yum]
Notice: Applied catalog in 7.84 seconds
[root@rhel8gold-template root]# puppet agent -t --environment=125_fix_epel_repository_gpg_keys_for_first_run_puppet
Info: Using environment '125_fix_epel_repository_gpg_keys_for_first_run_puppet'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for rhel8gold-template.example.com
Info: Applying configuration version 'my-puppet-01p-125_fix_epel_repository_gpg_keys_for_first_run_puppet-49fbe586e0c'
Notice: /Stage[main]/Yum/Package[yum-utils]/ensure: created
Notice: Applied catalog in 8.24 seconds
[root@rhel8gold-template root]#
Any additional information you'd like to impart
cat /etc/yum.repos.d/epel
[epel]
name=Extra Packages for Enterprise Linux $releasever - $basearch
baseurl=http://internalEPELrepo.example.com/repos/epel/8/Everything/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
Use case: I have an internal mirror of EPEL and my clients cannot get out to the internet, so I need to override the baseurl: path in /etc/yum.repos.d/epel.repo to point to my internal mirror. In addition, the metalink parameter needs to be removed because I don't want the clients trying to go out to the Internet to reach EPEL. The issue only happens when both baseurl: and metalink: absent are assigned values. If either parameter is omitted, the module succeeds.
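A preflight check for the failure described in this report, as an added example that is not part of the original issue or the module's code: it reads a .repo file and lists enabled, gpgcheck=1 repositories whose file:// gpgkey is not yet on disk, which is the state that produces the NOKEY error in the first agent run. The function name and the `root` parameter are assumptions for illustration, and the sample text is constructed from the epel.repo shown above.

```python
import configparser
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample mirroring the epel.repo shown in the report.
SAMPLE_REPO = """\
[epel]
name=Extra Packages for Enterprise Linux $releasever - $basearch
baseurl=http://internalEPELrepo.example.com/repos/epel/8/Everything/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
"""

TRUE_VALUES = {"1", "true", "yes", "on"}


def missing_gpg_keys(repo_text, root="/"):
    """Return [(repo_id, key_path)] for enabled, gpgcheck=1 repos whose
    file:// gpgkey does not exist under `root` (hypothetical helper)."""
    # interpolation=None keeps $releasever / $basearch as literal text.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(repo_text)
    missing = []
    for repo_id in parser.sections():
        repo = parser[repo_id]
        if repo.get("enabled", "1").strip().lower() not in TRUE_VALUES:
            continue
        # Assumption: a repo without its own gpgcheck line is skipped here,
        # although dnf would inherit the value from the main configuration.
        if repo.get("gpgcheck", "0").strip().lower() not in TRUE_VALUES:
            continue
        # gpgkey may list several URLs separated by spaces, commas or newlines.
        for url in repo.get("gpgkey", "").replace(",", " ").split():
            parsed = urlparse(url)
            if parsed.scheme != "file":
                continue  # remote keys are fetched by dnf itself
            key = Path(root) / parsed.path.lstrip("/")
            if not key.is_file():
                missing.append((repo_id, parsed.path))
    return missing


if __name__ == "__main__":
    for repo_id, key_path in missing_gpg_keys(SAMPLE_REPO):
        print(f"{repo_id}: {key_path} is missing; signed installs will fail")
```

A non-empty result means the key has to be delivered before any package resource runs; setting gpgcheck=0 to get past the first run would drop signature verification for the mirror.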